@rexeus/typeweaver-server 0.10.3 → 0.10.5

package/README.md

@@ -294,10 +294,10 @@ Each middleware is documented in detail — click the links above.
 
 `TypeweaverApp` accepts an optional options object:
 
-| Option        | Type                       | Default            | Description                                                 |
-| ------------- | -------------------------- | ------------------ | ----------------------------------------------------------- |
-| `maxBodySize` | `number`                   | `1_048_576` (1 MB) | Max request body size in bytes. Exceeding returns `413`.    |
-| `onError`     | `(error: unknown) => void` | `console.error`    | Error callback. Falls back to `console.error` if it throws. |
+| Option        | Type                       | Default            | Description                                                                                                           |
+| ------------- | -------------------------- | ------------------ | --------------------------------------------------------------------------------------------------------------------- |
+| `maxBodySize` | `number`                   | `1_048_576` (1 MB) | Max request body size in bytes. Exceeding returns `413`.                                                              |
+| `onError`     | `(error: unknown) => void` | `console.error`    | Reports errors from the default unknown handler and top-level safety net. Falls back to `console.error` if it throws. |
 
 ```ts
 const app = new TypeweaverApp({
@@ -325,7 +325,7 @@ errors fall through to the next handler in the chain (except `handleResponseVali
 `false` means the invalid response is returned as-is — validation still runs for field stripping,
 but invalid responses pass through unchanged). When set to a function, it receives the error and
 `ServerContext` and must return an `IHttpResponse`. If a custom error handler throws, the framework
-catches the exception and falls through gracefully to the next handler.
+reports that handler failure through `onError` and falls through gracefully to the next handler.
 
 ### 🚨 Error Handling
 
@@ -431,6 +431,12 @@ new UserRouter({
 });
 ```
 
+The default unknown-error handler calls `onError` before returning a sanitized 500 response. A
+custom `handleUnknownErrors` function replaces that default reporting strategy; if you need logging
+or metrics with a custom unknown handler, perform that reporting inside the custom handler. If the
+custom unknown handler throws, Typeweaver reports the handler failure through `onError` and then
+falls through to the top-level safety net.
+
 ### 📋 Error Responses
 
 | Status | Code                    | When                                                                 |

package/dist/index.cjs

@@ -61,10 +61,12 @@ function writeRouter(resource, templateFile, context) {
 function createOperationData(operation) {
 	const operationId = operation.operationId;
 	const className = (0, polycase.pascalCase)(operationId);
+	const jsDoc = (0, _rexeus_typeweaver_gen.createJSDocComment)(operation.summary, { indentation: "  " });
 	return {
 		operationId,
 		className,
 		handlerName: `handle${className}Request`,
+		...jsDoc ? { jsDoc } : {},
 		method: operation.method,
 		path: operation.path
 	};

package/dist/index.mjs

@@ -1,6 +1,6 @@
 import path from "node:path";
 import { fileURLToPath } from "node:url";
-import { BasePlugin, compareRoutes, relative } from "@rexeus/typeweaver-gen";
+import { BasePlugin, compareRoutes, createJSDocComment, relative } from "@rexeus/typeweaver-gen";
 import { HttpMethod } from "@rexeus/typeweaver-core";
 import { pascalCase } from "polycase";
 //#region src/routerGenerator.ts
@@ -37,10 +37,12 @@ function writeRouter(resource, templateFile, context) {
 function createOperationData(operation) {
 	const operationId = operation.operationId;
 	const className = pascalCase(operationId);
+	const jsDoc = createJSDocComment(operation.summary, { indentation: "  " });
 	return {
 		operationId,
 		className,
 		handlerName: `handle${className}Request`,
+		...jsDoc ? { jsDoc } : {},
 		method: operation.method,
 		path: operation.path
 	};

package/dist/index.mjs.map

@@ -1 +1 @@
-{"version":3,"file":"index.mjs","names":[],"sources":["../src/routerGenerator.ts","../src/index.ts"],"sourcesContent":["import path from \"node:path\";\nimport { fileURLToPath } from \"node:url\";\nimport { HttpMethod } from \"@rexeus/typeweaver-core\";\nimport { compareRoutes, relative } from \"@rexeus/typeweaver-gen\";\nimport type {\n  GeneratorContext,\n  NormalizedOperation,\n  NormalizedResource,\n} from \"@rexeus/typeweaver-gen\";\nimport { pascalCase } from \"polycase\";\n\ntype OperationData = {\n  readonly operationId: string;\n  readonly className: string;\n  readonly handlerName: string;\n  readonly method: string;\n  readonly path: string;\n};\n\n/**\n * Generates TypeweaverRouter subclasses from API definitions.\n *\n * For each resource (e.g., `Todo`, `Account`), produces a `<ResourceName>Router.ts`\n * file that extends `TypeweaverRouter` and registers all operations as routes.\n */\n\n/**\n * Generates router files for all resources in the given context.\n *\n * @param context - The generator context containing resources, templates, and output configuration\n */\nexport function generate(context: GeneratorContext): void {\n  const moduleDir = path.dirname(fileURLToPath(import.meta.url));\n  const templateFile = path.join(moduleDir, \"templates\", \"Router.ejs\");\n\n  for (const resource of context.normalizedSpec.resources) {\n    writeRouter(resource, templateFile, context);\n  }\n}\n\nfunction writeRouter(\n  resource: NormalizedResource,\n  templateFile: string,\n  context: GeneratorContext\n): void {\n  const pascalCaseEntityName = pascalCase(resource.name);\n  const outputDir = context.getResourceOutputDir(resource.name);\n  const outputPath = path.join(outputDir, `${pascalCaseEntityName}Router.ts`);\n\n  const operations = resource.operations\n    .filter(operation => operation.method !== HttpMethod.HEAD)\n    .map(operation => createOperationData(operation))\n    .sort((a, b) => compareRoutes(a, b));\n\n  const content = context.renderTemplate(templateFile, {\n    coreDir: relative(outputDir, context.outputDir),\n    entityName: resource.name,\n    pascalCaseEntityName,\n    operations,\n  });\n\n  const relativePath = path.relative(context.outputDir, outputPath);\n  context.writeFile(relativePath, content);\n}\n\nfunction createOperationData(operation: NormalizedOperation): OperationData {\n  const operationId = operation.operationId;\n  const className = pascalCase(operationId);\n\n  return {\n    operationId,\n    className,\n    handlerName: `handle${className}Request`,\n    method: operation.method,\n    path: operation.path,\n  };\n}\n","import path from \"node:path\";\nimport { fileURLToPath } from \"node:url\";\nimport { BasePlugin } from \"@rexeus/typeweaver-gen\";\nimport type { GeneratorContext } from \"@rexeus/typeweaver-gen\";\nimport { generate as generateRouters } from \"./routerGenerator.js\";\n\nconst moduleDir = path.dirname(fileURLToPath(import.meta.url));\n\n/**\n * Typeweaver plugin that generates a lightweight, dependency-free server\n * with built-in routing and middleware support.\n *\n * Copies the runtime library files (`TypeweaverApp`, `TypeweaverRouter`, `Router`,\n * `Middleware`, etc.) and generates typed router classes for each resource.\n */\nexport class ServerPlugin extends BasePlugin {\n  public name = \"server\";\n  public override depends = [\"types\"];\n\n  /**\n   * Generates the server runtime and typed routers for all resources.\n   *\n   * @param context - The generator context\n   */\n  public override generate(context: GeneratorContext): void {\n    const libSourceDir = path.join(moduleDir, \"lib\");\n    this.copyLibFiles(context, libSourceDir, this.name);\n\n    generateRouters(context);\n  }\n}\n"],"mappings":";;;;;;;;;;;;;;;;;AA+BA,SAAgB,SAAS,SAAiC;CACxD,MAAM,YAAY,KAAK,QAAQ,cAAc,OAAO,KAAK,IAAI,CAAC;CAC9D,MAAM,eAAe,KAAK,KAAK,WAAW,aAAa,aAAa;AAEpE,MAAK,MAAM,YAAY,QAAQ,eAAe,UAC5C,aAAY,UAAU,cAAc,QAAQ;;AAIhD,SAAS,YACP,UACA,cACA,SACM;CACN,MAAM,uBAAuB,WAAW,SAAS,KAAK;CACtD,MAAM,YAAY,QAAQ,qBAAqB,SAAS,KAAK;CAC7D,MAAM,aAAa,KAAK,KAAK,WAAW,GAAG,qBAAqB,WAAW;CAE3E,MAAM,aAAa,SAAS,WACzB,QAAO,cAAa,UAAU,WAAW,WAAW,KAAK,CACzD,KAAI,cAAa,oBAAoB,UAAU,CAAC,CAChD,MAAM,GAAG,MAAM,cAAc,GAAG,EAAE,CAAC;CAEtC,MAAM,UAAU,QAAQ,eAAe,cAAc;EACnD,SAAS,SAAS,WAAW,QAAQ,UAAU;EAC/C,YAAY,SAAS;EACrB;EACA;EACD,CAAC;CAEF,MAAM,eAAe,KAAK,SAAS,QAAQ,WAAW,WAAW;AACjE,SAAQ,UAAU,cAAc,QAAQ;;AAG1C,SAAS,oBAAoB,WAA+C;CAC1E,MAAM,cAAc,UAAU;CAC9B,MAAM,YAAY,WAAW,YAAY;AAEzC,QAAO;EACL;EACA;EACA,aAAa,SAAS,UAAU;EAChC,QAAQ,UAAU;EAClB,MAAM,UAAU;EACjB;;;;ACrEH,MAAM,YAAY,KAAK,QAAQ,cAAc,OAAO,KAAK,IAAI,CAAC;;;;;;;;AAS9D,IAAa,eAAb,cAAkC,WAAW;CAC3C,OAAc;CACd,UAA0B,CAAC,QAAQ;;;;;;CAOnC,SAAyB,SAAiC;EACxD,MAAM,eAAe,KAAK,KAAK,WAAW,MAAM;AAChD,OAAK,aAAa,SAAS,cAAc,KAAK,KAAK;AAEnD,WAAgB,QAAQ"}
+{"version":3,"file":"index.mjs","names":[],"sources":["../src/routerGenerator.ts","../src/index.ts"],"sourcesContent":["import path from \"node:path\";\nimport { fileURLToPath } from \"node:url\";\nimport { HttpMethod } from \"@rexeus/typeweaver-core\";\nimport {\n  compareRoutes,\n  createJSDocComment,\n  relative,\n} from \"@rexeus/typeweaver-gen\";\nimport type {\n  GeneratorContext,\n  NormalizedOperation,\n  NormalizedResource,\n} from \"@rexeus/typeweaver-gen\";\nimport { pascalCase } from \"polycase\";\n\nexport type RouterGenerationContext = Pick<\n  GeneratorContext,\n  | \"normalizedSpec\"\n  | \"outputDir\"\n  | \"getResourceOutputDir\"\n  | \"renderTemplate\"\n  | \"writeFile\"\n>;\n\ntype OperationData = {\n  readonly operationId: string;\n  readonly className: string;\n  readonly handlerName: string;\n  readonly jsDoc?: string;\n  readonly method: string;\n  readonly path: string;\n};\n\n/**\n * Generates TypeweaverRouter subclasses from API definitions.\n *\n * For each resource (e.g., `Todo`, `Account`), produces a `<ResourceName>Router.ts`\n * file that extends `TypeweaverRouter` and registers all operations as routes.\n */\n\n/**\n * Generates router files for all resources in the given context.\n *\n * @param context - The generator context containing resources, templates, and output configuration\n */\nexport function generate(context: RouterGenerationContext): void {\n  const moduleDir = path.dirname(fileURLToPath(import.meta.url));\n  const templateFile = path.join(moduleDir, \"templates\", \"Router.ejs\");\n\n  for (const resource of context.normalizedSpec.resources) {\n    writeRouter(resource, templateFile, context);\n  }\n}\n\nfunction writeRouter(\n  resource: NormalizedResource,\n  templateFile: string,\n  context: RouterGenerationContext\n): void {\n  const pascalCaseEntityName = pascalCase(resource.name);\n  const outputDir = context.getResourceOutputDir(resource.name);\n  const outputPath = path.join(outputDir, `${pascalCaseEntityName}Router.ts`);\n\n  const operations = resource.operations\n    .filter(operation => operation.method !== HttpMethod.HEAD)\n    .map(operation => createOperationData(operation))\n    .sort((a, b) => compareRoutes(a, b));\n\n  const content = context.renderTemplate(templateFile, {\n    coreDir: relative(outputDir, context.outputDir),\n    entityName: resource.name,\n    pascalCaseEntityName,\n    operations,\n  });\n\n  const relativePath = path.relative(context.outputDir, outputPath);\n  context.writeFile(relativePath, content);\n}\n\nfunction createOperationData(operation: NormalizedOperation): OperationData {\n  const operationId = operation.operationId;\n  const className = pascalCase(operationId);\n  const jsDoc = createJSDocComment(operation.summary, { indentation: \"  \" });\n\n  return {\n    operationId,\n    className,\n    handlerName: `handle${className}Request`,\n    ...(jsDoc ? { jsDoc } : {}),\n    method: operation.method,\n    path: operation.path,\n  };\n}\n","import path from \"node:path\";\nimport { fileURLToPath } from \"node:url\";\nimport { BasePlugin } from \"@rexeus/typeweaver-gen\";\nimport type { GeneratorContext } from \"@rexeus/typeweaver-gen\";\nimport { generate as generateRouters } from \"./routerGenerator.js\";\n\nconst moduleDir = path.dirname(fileURLToPath(import.meta.url));\n\n/**\n * Typeweaver plugin that generates a lightweight, dependency-free server\n * with built-in routing and middleware support.\n *\n * Copies the runtime library files (`TypeweaverApp`, `TypeweaverRouter`, `Router`,\n * `Middleware`, etc.) and generates typed router classes for each resource.\n */\nexport class ServerPlugin extends BasePlugin {\n  public name = \"server\";\n  public override depends = [\"types\"];\n\n  /**\n   * Generates the server runtime and typed routers for all resources.\n   *\n   * @param context - The generator context\n   */\n  public override generate(context: GeneratorContext): void {\n    const libSourceDir = path.join(moduleDir, \"lib\");\n    this.copyLibFiles(context, libSourceDir, this.name);\n\n    generateRouters(context);\n  }\n}\n"],"mappings":";;;;;;;;;;;;;;;;;AA6CA,SAAgB,SAAS,SAAwC;CAC/D,MAAM,YAAY,KAAK,QAAQ,cAAc,OAAO,KAAK,IAAI,CAAC;CAC9D,MAAM,eAAe,KAAK,KAAK,WAAW,aAAa,aAAa;AAEpE,MAAK,MAAM,YAAY,QAAQ,eAAe,UAC5C,aAAY,UAAU,cAAc,QAAQ;;AAIhD,SAAS,YACP,UACA,cACA,SACM;CACN,MAAM,uBAAuB,WAAW,SAAS,KAAK;CACtD,MAAM,YAAY,QAAQ,qBAAqB,SAAS,KAAK;CAC7D,MAAM,aAAa,KAAK,KAAK,WAAW,GAAG,qBAAqB,WAAW;CAE3E,MAAM,aAAa,SAAS,WACzB,QAAO,cAAa,UAAU,WAAW,WAAW,KAAK,CACzD,KAAI,cAAa,oBAAoB,UAAU,CAAC,CAChD,MAAM,GAAG,MAAM,cAAc,GAAG,EAAE,CAAC;CAEtC,MAAM,UAAU,QAAQ,eAAe,cAAc;EACnD,SAAS,SAAS,WAAW,QAAQ,UAAU;EAC/C,YAAY,SAAS;EACrB;EACA;EACD,CAAC;CAEF,MAAM,eAAe,KAAK,SAAS,QAAQ,WAAW,WAAW;AACjE,SAAQ,UAAU,cAAc,QAAQ;;AAG1C,SAAS,oBAAoB,WAA+C;CAC1E,MAAM,cAAc,UAAU;CAC9B,MAAM,YAAY,WAAW,YAAY;CACzC,MAAM,QAAQ,mBAAmB,UAAU,SAAS,EAAE,aAAa,MAAM,CAAC;AAE1E,QAAO;EACL;EACA;EACA,aAAa,SAAS,UAAU;EAChC,GAAI,QAAQ,EAAE,OAAO,GAAG,EAAE;EAC1B,QAAQ,UAAU;EAClB,MAAM,UAAU;EACjB;;;;ACrFH,MAAM,YAAY,KAAK,QAAQ,cAAc,OAAO,KAAK,IAAI,CAAC;;;;;;;;AAS9D,IAAa,eAAb,cAAkC,WAAW;CAC3C,OAAc;CACd,UAA0B,CAAC,QAAQ;;;;;;CAOnC,SAAyB,SAAiC;EACxD,MAAM,eAAe,KAAK,KAAK,WAAW,MAAM;AAChD,OAAK,aAAa,SAAS,cAAc,KAAK,KAAK;AAEnD,WAAgB,QAAQ"}

package/dist/lib/BodyLimitPolicy.ts

@@ -34,6 +34,8 @@ const FETCH_BODY_LIMIT_CAPABILITY: BodyLimitCapability =
 const NODE_BODY_LIMIT_CAPABILITY: BodyLimitCapability =
   "prevalidated-request-body";
 
+const CONTENT_LENGTH_HEADER_PATTERN = /^\d+$/;
+
 export function createFetchBodyLimitPolicy(
   maxBodySize?: number
 ): BodyLimitPolicy {
@@ -64,7 +66,12 @@ export function parseContentLength(
     return undefined;
   }
 
-  const contentLength = Number(rawValue);
+  const trimmedValue = rawValue.trim();
+  if (!CONTENT_LENGTH_HEADER_PATTERN.test(trimmedValue)) {
+    return undefined;
+  }
+
+  const contentLength = Number(trimmedValue);
   if (!Number.isFinite(contentLength) || contentLength < 0) {
     return undefined;
   }

package/dist/lib/FetchApiAdapter.ts

@@ -326,7 +326,11 @@ export class FetchApiAdapter {
     if (body instanceof Blob) return body;
 
     try {
-      return JSON.stringify(body);
+      const serializedBody = JSON.stringify(body);
+      if (serializedBody === undefined) {
+        throw new TypeError("Response body cannot be serialized to JSON");
+      }
+      return serializedBody;
     } catch (error) {
       throw new ResponseSerializationError(
         "Failed to serialize response body to JSON",

package/dist/lib/Middleware.ts

@@ -6,6 +6,7 @@
  */
 
 import type { IHttpResponse } from "@rexeus/typeweaver-core";
+import { MiddlewareNextAlreadyCalledError } from "./errors/index.js";
 import type { ServerContext } from "./ServerContext.js";
 
 /**
@@ -52,7 +53,7 @@ export async function executeMiddlewarePipeline(
 
       return middlewares[currentIndex]!(ctx, async state => {
         if (called) {
-          throw new Error("next() called multiple times");
+          throw new MiddlewareNextAlreadyCalledError(currentIndex);
         }
         called = true;
 

package/dist/lib/NodeAdapter.ts

@@ -6,6 +6,7 @@
  */
 
 import {
+  badRequestDefaultError,
   createDefaultErrorBody,
   internalServerErrorDefaultError,
   payloadTooLargeDefaultError,
@@ -18,8 +19,10 @@ import {
 } from "./BodyLimitPolicy.js";
 import {
   PayloadTooLargeError,
+  RequestBodyClosedBeforeEndError,
   RequestBodyDrainTimeoutError,
-} from "./Errors.js";
+  RequestBodyReadAbortedError,
+} from "./errors/index.js";
 import {
   getTypeweaverAppErrorReporter,
   getTypeweaverAppRuntimeContext,
@@ -39,6 +42,15 @@ type DrainRequestOptions = {
 };
 
 const REQUEST_DRAIN_TIMEOUT_MS = 5_000;
+const ORIGIN_FORM_BASE_URL_PROTOCOL = "http:";
+const AUTHORITY_LIKE_REQUEST_TARGET_PREFIX = /^[\\/]{2}/;
+const ASTERISK_FORM_REQUEST_TARGET = "*";
+
+type ParsedAuthority = {
+  readonly host: string;
+  readonly hostname: string;
+  readonly port: string;
+};
 
 /**
  * Adapts a `TypeweaverApp` to Node.js `http.createServer`.
@@ -82,12 +94,16 @@ async function handleRequest(
   reportError: (error: unknown) => void
 ): Promise<void> {
   try {
-    const url = new URL(req.url ?? "/", `http://${req.headers.host}`);
+    const url = createRequestUrl(req);
+    if (url === undefined) {
+      writeBadRequestResponse(req, res, bodyLimitPolicy.maxBodySize);
+      return;
+    }
     const shouldValidateBody = shouldValidateRequestBody(req.method);
 
     enforceContentLengthLimit(req, bodyLimitPolicy.maxBodySize);
 
-    if (!shouldValidateBody) {
+    if (!shouldValidateBody && hasReadableRequestBody(req)) {
       const drainResult = await drainRequest(req, bodyLimitPolicy.maxBodySize, {
         destroyOnLimitExceeded: false,
       });
@@ -111,7 +127,7 @@ async function handleRequest(
 
     const request = new Request(url, {
       method: req.method,
-      headers: req.headers as Record<string, string>,
+      headers: createRequestHeaders(req.headers),
       body,
     });
     if (shouldValidateBody) {
@@ -119,6 +135,11 @@ async function handleRequest(
     }
 
     const response = await app.fetch(request);
+    const responseBody = await readWritableResponseBody(
+      req.method,
+      response,
+      reportError
+    );
 
     response.headers.forEach((value, key) => {
       if (key.toLowerCase() !== "set-cookie") {
@@ -130,20 +151,193 @@ async function handleRequest(
       res.setHeader("set-cookie", cookies);
     }
     res.writeHead(response.status);
-    res.end(Buffer.from(await response.arrayBuffer()));
+    res.end(responseBody);
   } catch (error) {
     reportError(error);
 
     if (isRequestBodyLimitError(error)) {
-      writeDefaultErrorResponse(res, payloadTooLargeDefaultError, () => {
-        void drainRequest(req, bodyLimitPolicy.maxBodySize, {
-          destroyOnLimitExceeded: true,
-        });
+      writeDefaultErrorResponse(res, payloadTooLargeDefaultError, {
+        method: req.method,
+        onFinished: () => {
+          void drainRequest(req, bodyLimitPolicy.maxBodySize, {
+            destroyOnLimitExceeded: true,
+          });
+        },
       });
       return;
     }
 
-    writeDefaultErrorResponse(res, internalServerErrorDefaultError);
+    writeDefaultErrorResponse(res, internalServerErrorDefaultError, {
+      method: req.method,
+    });
+  }
+}
+
+function createRequestUrl(req: IncomingMessage): URL | undefined {
+  const rawUrl = req.url ?? "/";
+
+  if (rawUrl === ASTERISK_FORM_REQUEST_TARGET) {
+    return createAsteriskFormRequestUrl(req);
+  }
+
+  if (hasAuthorityLikeRequestTargetPrefix(rawUrl)) {
+    return undefined;
+  }
+
+  try {
+    const url = new URL(rawUrl);
+    return isAbsoluteRequestHostAllowed(url, req) ? url : undefined;
+  } catch (error) {
+    if (!(error instanceof TypeError) || !rawUrl.startsWith("/")) {
+      throw error;
+    }
+  }
+
+  const host = parseRequestHostHeader(req, ORIGIN_FORM_BASE_URL_PROTOCOL);
+  if (host === undefined) {
+    return undefined;
+  }
+
+  return new URL(rawUrl, `${ORIGIN_FORM_BASE_URL_PROTOCOL}//${host.host}`);
+}
+
+function createAsteriskFormRequestUrl(req: IncomingMessage): URL | undefined {
+  if (req.method !== "OPTIONS") {
+    return undefined;
+  }
+
+  const host = parseRequestHostHeader(req, ORIGIN_FORM_BASE_URL_PROTOCOL);
+  if (host === undefined) {
+    return undefined;
+  }
+
+  return new URL(
+    ASTERISK_FORM_REQUEST_TARGET,
+    `${ORIGIN_FORM_BASE_URL_PROTOCOL}//${host.host}/`
+  );
+}
+
+function hasAuthorityLikeRequestTargetPrefix(rawUrl: string): boolean {
+  return AUTHORITY_LIKE_REQUEST_TARGET_PREFIX.test(rawUrl);
+}
+
+function isAbsoluteRequestHostAllowed(url: URL, req: IncomingMessage): boolean {
+  const host = parseRequestHostHeader(req, url.protocol);
+  if (host === undefined) {
+    return false;
+  }
+
+  const urlAuthority = getUrlAuthority(url);
+  return (
+    host.hostname.toLowerCase() === urlAuthority.hostname.toLowerCase() &&
+    host.port === urlAuthority.port
+  );
+}
+
+function parseRequestHostHeader(
+  req: IncomingMessage,
+  protocol: string
+): ParsedAuthority | undefined {
+  if (!hasExactlyOneHostHeaderLine(req)) {
+    return undefined;
+  }
+
+  return parseHostHeader(req.headers.host, protocol);
+}
+
+function hasExactlyOneHostHeaderLine(req: IncomingMessage): boolean {
+  const headersDistinctHostCount = getHeadersDistinctHostCount(req);
+  if (
+    headersDistinctHostCount !== undefined &&
+    headersDistinctHostCount !== 1
+  ) {
+    return false;
+  }
+
+  const rawHostHeaderCount = countRawHostHeaderLines(req.rawHeaders);
+  if (rawHostHeaderCount > 0) {
+    return rawHostHeaderCount === 1;
+  }
+
+  return headersDistinctHostCount === 1;
+}
+
+function getHeadersDistinctHostCount(req: IncomingMessage): number | undefined {
+  const hostHeader = req.headersDistinct?.host;
+  if (hostHeader === undefined) {
+    return undefined;
+  }
+
+  return Array.isArray(hostHeader) ? hostHeader.length : 1;
+}
+
+function countRawHostHeaderLines(rawHeaders: readonly string[]): number {
+  let count = 0;
+
+  for (let index = 0; index < rawHeaders.length; index += 2) {
+    if (rawHeaders[index]?.toLowerCase() === "host") {
+      count += 1;
+    }
+  }
+
+  return count;
+}
+
+function parseHostHeader(
+  hostHeader: IncomingMessage["headers"]["host"],
+  protocol: string
+): ParsedAuthority | undefined {
+  if (hostHeader === undefined || Array.isArray(hostHeader)) {
+    return undefined;
+  }
+
+  const host = hostHeader.trim();
+  if (host === "" || host !== hostHeader) {
+    return undefined;
+  }
+
+  try {
+    const parsed = new URL(`${protocol}//${host}`);
+    if (
+      parsed.username !== "" ||
+      parsed.password !== "" ||
+      parsed.pathname !== "/" ||
+      parsed.search !== "" ||
+      parsed.hash !== ""
+    ) {
+      return undefined;
+    }
+
+    return getUrlAuthority(parsed);
+  } catch {
+    return undefined;
+  }
+}
+
+function getUrlAuthority(url: URL): ParsedAuthority {
+  return {
+    host: url.host,
+    hostname: url.hostname,
+    port: getEffectivePort(url),
+  };
+}
+
+function getEffectivePort(url: URL): string {
+  return url.port === "" ? getDefaultPort(url.protocol) : url.port;
+}
+
+function getDefaultPort(protocol: string): string {
+  switch (protocol) {
+    case "http:":
+    case "ws:":
+      return "80";
+    case "https:":
+    case "wss:":
+      return "443";
+    case "ftp:":
+      return "21";
+    default:
+      return "";
   }
 }
 
@@ -151,6 +345,86 @@ function shouldValidateRequestBody(method?: string): boolean {
   return method !== "GET" && method !== "HEAD";
 }
 
+function shouldWriteResponseBody(
+  method: string | undefined,
+  status: number
+): boolean {
+  return method !== "HEAD" && status !== 204 && status !== 304;
+}
+
+async function readWritableResponseBody(
+  method: string | undefined,
+  response: Response,
+  reportError: (error: unknown) => void
+): Promise<Buffer | undefined> {
+  if (shouldWriteResponseBody(method, response.status)) {
+    return Buffer.from(await response.arrayBuffer());
+  }
+
+  cancelSuppressedResponseBody(response, reportError);
+  return undefined;
+}
+
+function cancelSuppressedResponseBody(
+  response: Response,
+  reportError: (error: unknown) => void
+): void {
+  try {
+    void response.body?.cancel().catch(error => {
+      reportSuppressedResponseBodyCancelError(error, reportError);
+    });
+  } catch (error) {
+    reportSuppressedResponseBodyCancelError(error, reportError);
+  }
+}
+
+function reportSuppressedResponseBodyCancelError(
+  error: unknown,
+  reportError: (error: unknown) => void
+): void {
+  try {
+    reportError(error);
+  } catch (onErrorFailure) {
+    console.error(
+      "TypeweaverApp: onError callback threw while handling error",
+      { onErrorFailure, originalError: error }
+    );
+  }
+}
+
+function hasReadableRequestBody(req: IncomingMessage): boolean {
+  return (
+    req.headers["content-length"] !== undefined ||
+    req.headers["transfer-encoding"] !== undefined
+  );
+}
+
+function createRequestHeaders(headers: IncomingMessage["headers"]): Headers {
+  const requestHeaders = new Headers();
+
+  for (const [name, value] of Object.entries(headers)) {
+    if (value === undefined) {
+      continue;
+    }
+
+    if (Array.isArray(value)) {
+      if (name.toLowerCase() === "cookie") {
+        requestHeaders.set(name, value.join("; "));
+        continue;
+      }
+
+      for (const item of value) {
+        requestHeaders.append(name, item);
+      }
+      continue;
+    }
+
+    requestHeaders.set(name, value);
+  }
+
+  return requestHeaders;
+}
+
 function isRequestBodyLimitError(
   error: unknown
 ): error is PayloadTooLargeError | RequestBodyDrainTimeoutError {
@@ -177,9 +451,13 @@ function enforceContentLengthLimit(
 function writeDefaultErrorResponse(
   res: ServerResponse,
   error:
+    | typeof badRequestDefaultError
     | typeof payloadTooLargeDefaultError
     | typeof internalServerErrorDefaultError,
-  onFinished?: () => void
+  options: {
+    readonly method?: string;
+    readonly onFinished?: () => void;
+  } = {}
 ): void {
   if (!res.headersSent) {
     res.writeHead(error.statusCode, {
@@ -187,11 +465,47 @@ function writeDefaultErrorResponse(
     });
   }
 
-  if (onFinished !== undefined) {
-    res.once("finish", onFinished);
+  if (options.onFinished !== undefined) {
+    res.once("finish", options.onFinished);
+  }
+
+  const body = shouldWriteResponseBody(options.method, error.statusCode)
+    ? JSON.stringify(createDefaultErrorBody(error))
+    : undefined;
+  res.end(body);
+}
+
+function writeBadRequestResponse(
+  req: IncomingMessage,
+  res: ServerResponse,
+  maxBodySize: number
+): void {
+  writeDefaultErrorResponse(res, badRequestDefaultError, {
+    method: req.method,
+    onFinished: createRejectedRequestBodyCleanup(req, maxBodySize),
+  });
+}
+
+function createRejectedRequestBodyCleanup(
+  req: IncomingMessage,
+  maxBodySize: number
+): (() => void) | undefined {
+  if (!hasReadableRequestBody(req)) {
+    return undefined;
   }
 
-  res.end(JSON.stringify(createDefaultErrorBody(error)));
+  return () => {
+    const contentLength = parseContentLength(req.headers["content-length"]);
+    if (
+      contentLength !== undefined &&
+      isBodySizeOverLimit(contentLength, maxBodySize)
+    ) {
+      req.destroy();
+      return;
+    }
+
+    void drainRequest(req, maxBodySize, { destroyOnLimitExceeded: true });
+  };
 }
 
 async function drainRequest(
@@ -336,12 +650,14 @@ function collectBody(
     };
 
     const handleAborted = (): void => {
-      rejectOnce(new Error("Request aborted while reading body"));
+      rejectOnce(new RequestBodyReadAbortedError(totalBytes, maxBodySize));
     };
 
     const handleClose = (): void => {
       if (!req.readableEnded) {
-        rejectOnce(new Error("Request closed before body was fully read"));
+        rejectOnce(
+          new RequestBodyClosedBeforeEndError(totalBytes, maxBodySize)
+        );
       }
     };
 

package/dist/lib/PathMatcher.ts

@@ -9,13 +9,17 @@
  * Creates a predicate that tests whether a request path matches a pattern.
  *
  * Supports three pattern types:
- * - **Exact match**: `"/users"` matches only `"/users"`
+ * - **Exact match**: `"/users"` matches `"/users"` and canonically
+ *   equivalent rooted paths such as `"/users/"` and `"/users//"`
  * - **Prefix match**: `"/users/*"` matches `"/users"` and any path beneath it
  *   (e.g. `"/users/123"`, `"/users/123/posts"`)
  * - **Parameterized segments**: `"/users/:id"` matches paths where `:id` stands
  *   for exactly one segment (e.g. `"/users/123"` but not `"/users/123/posts"`)
  *
  * Uses the same `:paramName` syntax as typeweaver route definitions.
+ * Rooted request paths are canonicalized with the same empty-segment
+ * filtering used by the router, so duplicate and trailing slashes match the
+ * route they dispatch to. Unrooted request paths do not match rooted patterns.
  *
  * @example
  * ```typescript
@@ -30,27 +34,67 @@
  * ```
  */
 export function pathMatcher(pattern: string): (path: string) => boolean {
+  const patternSegments = patternToSegments(pattern);
+
   if (pattern.endsWith("/*")) {
-    const prefix = pattern.slice(0, -2);
-    return path => path === prefix || path.startsWith(prefix + "/");
+    const prefixSegments = patternToSegments(pattern.slice(0, -2));
+
+    return path => {
+      const pathSegments = toSegments(path);
+      if (pathSegments === undefined) return false;
+      if (pathSegments.length < prefixSegments.length) return false;
+
+      return prefixSegments.every(
+        (segment, index) => pathSegments[index] === segment
+      );
+    };
   }
 
-  const segments = pattern.split("/");
-  const hasParams = segments.some(s => s.startsWith(":"));
+  const hasParams = patternSegments.some(s => s.startsWith(":"));
 
   if (!hasParams) {
-    return path => path === pattern;
+    return path => {
+      const pathSegments = toSegments(path);
+      if (pathSegments === undefined) return false;
+
+      return segmentsEqual(patternSegments, pathSegments);
+    };
   }
 
-  const segmentCount = segments.length;
-  const matchers = segments.map(s => (s.startsWith(":") ? null : s));
+  const segmentCount = patternSegments.length;
+  const matchers = patternSegments.map(s => (s.startsWith(":") ? null : s));
 
   return path => {
-    const parts = path.split("/");
+    const parts = toSegments(path);
+    if (parts === undefined) return false;
     if (parts.length !== segmentCount) return false;
+
     for (let i = 0; i < segmentCount; i++) {
-      if (matchers[i] !== null && matchers[i] !== parts[i]) return false;
+      if (matchers[i] === null) {
+        continue;
+      }
+
+      if (matchers[i] !== parts[i]) return false;
     }
     return true;
   };
 }
+
+function toSegments(path: string): readonly string[] | undefined {
+  if (!path.startsWith("/")) return undefined;
+
+  return patternToSegments(path);
+}
+
+function patternToSegments(path: string): readonly string[] {
+  return path.split("/").filter(segment => segment.length > 0);
+}
+
+function segmentsEqual(
+  left: readonly string[],
+  right: readonly string[]
+): boolean {
+  if (left.length !== right.length) return false;
+
+  return left.every((segment, index) => right[index] === segment);
+}