@suveren/gateway 0.2.2 → 0.2.4

package/node_modules/eventsource-parser/src/stream.ts

@@ -31,6 +31,17 @@ export interface StreamOptions {
    * @param comment - The comment encountered in the stream.
    */
   onComment?: ((comment: string) => void) | undefined
+
+  /**
+   * Maximum number of characters the parser is allowed to buffer across calls to `feed()`.
+   * See {@link ParserConfig.maxBufferSize} for details.
+   *
+   * When the limit is exceeded, the stream is always errored (regardless of the `onError`
+   * setting) since the underlying parser is unrecoverable without a `reset()`.
+   *
+   * @defaultValue `undefined` (unbounded)
+   */
+  maxBufferSize?: number | undefined
 }
 
 /**
@@ -49,13 +60,13 @@ export interface StreamOptions {
  * const eventStream =
  *  response.body
  *   .pipeThrough(new TextDecoderStream())
- *   .pipeThrough(new EventSourceParserStream({terminateOnError: true}))
+ *   .pipeThrough(new EventSourceParserStream({onError: 'terminate'}))
  * ```
  *
  * @public
  */
 export class EventSourceParserStream extends TransformStream<string, EventSourceMessage> {
-  constructor({onError, onRetry, onComment}: StreamOptions = {}) {
+  constructor({onError, onRetry, onComment, maxBufferSize}: StreamOptions = {}) {
     let parser!: EventSourceParser
 
     super({
@@ -65,16 +76,24 @@ export class EventSourceParserStream extends TransformStream<string, EventSource
             controller.enqueue(event)
           },
           onError(error) {
-            if (onError === 'terminate') {
-              controller.error(error)
-            } else if (typeof onError === 'function') {
+            if (typeof onError === 'function') {
               onError(error)
             }
 
+            // `max-buffer-size-exceeded` is fatal — the parser is unusable until
+            // `reset()`, which the stream wrapper has no way to call. Always
+            // terminate the stream in that case so consumers see the meaningful
+            // `ParseError` instead of an opaque "cannot feed terminated parser"
+            // throw from the next chunk.
+            if (onError === 'terminate' || error.type === 'max-buffer-size-exceeded') {
+              controller.error(error)
+            }
+
             // Ignore by default
           },
           onRetry,
           onComment,
+          maxBufferSize,
         })
       },
       transform(chunk) {

package/node_modules/eventsource-parser/src/types.ts

@@ -95,3 +95,28 @@ export interface ParserCallbacks {
    */
   onError?: ((error: ParseError) => void) | undefined
 }
+
+/**
+ * Configuration accepted by {@link createParser}. Extends {@link ParserCallbacks} with
+ * additional options that control parser behavior.
+ *
+ * @public
+ */
+export interface ParserConfig extends ParserCallbacks {
+  /**
+   * Maximum number of characters the parser is allowed to buffer across calls to `feed()`.
+   *
+   * Two unbounded surfaces exist in a streaming SSE parser:
+   * - A partial line that has not yet been terminated by `\n`, `\r`, or `\r\n`.
+   * - A multi-line event whose terminating blank line has not yet arrived (each `data:`
+   *   field gets appended to the buffered event).
+   *
+   * When the combined size of these buffers exceeds `maxBufferSize`, the parser emits a
+   * `ParseError` with `type: 'max-buffer-size-exceeded'` to `onError` and becomes
+   * terminated — subsequent calls to `feed()` will throw until `reset()` is called.
+   * This protects against unbounded memory growth from malformed or malicious streams.
+   *
+   * @defaultValue `undefined` (unbounded)
+   */
+  maxBufferSize?: number | undefined
+}

package/node_modules/hasown/CHANGELOG.md

@@ -5,6 +5,13 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/)
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [v2.0.4](https://github.com/inspect-js/hasOwn/compare/v2.0.3...v2.0.4) - 2026-05-28
+
+### Commits
+
+- [types] drop the dead key-narrowing overload [`fdab00e`](https://github.com/inspect-js/hasOwn/commit/fdab00e2703e65411424e19bf86a7e72a8f10da9)
+- [Dev Deps] update `@ljharb/eslint-config`, `auto-changelog`, `eslint` [`91f6247`](https://github.com/inspect-js/hasOwn/commit/91f624768dd0f7db0d019b89d4d86bd66e20ec30)
+
 ## [v2.0.3](https://github.com/inspect-js/hasOwn/compare/v2.0.2...v2.0.3) - 2026-04-17
 
 ### Commits

package/node_modules/hasown/index.d.ts

@@ -1,4 +1,3 @@
-declare function hasOwn<O, K extends PropertyKey>(o: O, p: K): p is K & keyof O;
 declare function hasOwn<O, K extends PropertyKey, V = unknown>(o: O, p: K): o is O & Record<K, V>;
 
 export = hasOwn;

package/node_modules/hasown/package.json

@@ -1,6 +1,6 @@
 {
 	"name": "hasown",
-	"version": "2.0.3",
+	"version": "2.0.4",
 	"description": "A robust, ES3 compatible, \"has own property\" predicate.",
 	"main": "index.js",
 	"exports": {
@@ -52,13 +52,12 @@
 	},
 	"devDependencies": {
 		"@arethetypeswrong/cli": "^0.18.2",
-		"@ljharb/eslint-config": "^22.2.2",
+		"@ljharb/eslint-config": "^22.2.3",
 		"@ljharb/tsconfig": "^0.3.2",
 		"@types/function-bind": "^1.1.10",
 		"@types/tape": "^5.8.1",
-		"auto-changelog": "^2.5.0",
-		"encoding": "^0.1.13",
-		"eslint": "^10.2.0",
+		"auto-changelog": "^2.5.1",
+		"eslint": "^10.4.0",
 		"evalmd": "^0.0.19",
 		"in-publish": "^2.0.1",
 		"jiti": "^0.0.0",

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@suveren/gateway",
-  "version": "0.2.2",
+  "version": "0.2.4",
   "description": "Suveren gateway — local agent gateway built in compliance with the Human Agency Protocol (HAP). Runs the UI, control plane, and MCP server in one Node process.",
   "type": "module",
   "main": "server.js",
@@ -26,7 +26,7 @@
     "@hpke/core": "^1.9.0",
     "express": "^4.18.0",
     "http-proxy-middleware": "^3.0.0",
-    "@hap/core": "npm:@humanagencyp/hap-core@^0.4.6",
+    "@hap/core": "npm:@humanagencyp/hap-core@^0.5.0",
     "@modelcontextprotocol/sdk": "^1.12.1",
     "zod": "^3.22.0"
   },