@timber-js/app 0.2.0-alpha.98 → 0.2.0-alpha.99

package/src/server/cookie-parsing.ts

@@ -0,0 +1,135 @@
+/**
+ * Cookie parsing and serialization helpers — pure string ↔ structure
+ * functions with no ALS dependency. Split out of `cookie-context.ts`
+ * (TIM-853) so the API surface and the wire-format codecs can each be
+ * read on their own.
+ *
+ * The functions in this module are total over arbitrary input. They
+ * never throw and never call `assertValid*` (the security validators
+ * live in the API surface — `cookie-context.ts` invokes them at every
+ * jar entry point so the smuggling-primitive invariant from TIM-868
+ * is enforced regardless of which path produced the bytes).
+ */
+
+import type { CookieEntry } from './als-registry.js';
+import type { CookieOptions } from './cookie-context.js';
+
+/**
+ * Parse a Cookie header string into a Map of name → value pairs.
+ * Follows RFC 6265 §4.2.1: cookies are semicolon-separated key=value pairs.
+ *
+ * Values are auto-decoded with `decodeURIComponent` so they round-trip
+ * losslessly with `getCookies().set()` (which auto-encodes). Malformed
+ * `%`-escapes from third-party cookies fall back to the raw byte sequence
+ * — the parser must be total over arbitrary inbound headers, including
+ * non-conforming values from other servers, browser extensions, etc.
+ */
+export function parseCookieHeader(header: string): Map<string, string> {
+  const map = new Map<string, string>();
+  if (!header) return map;
+
+  for (const pair of header.split(';')) {
+    const eqIndex = pair.indexOf('=');
+    if (eqIndex === -1) continue;
+    const name = pair.slice(0, eqIndex).trim();
+    const value = pair.slice(eqIndex + 1).trim();
+    if (name) {
+      map.set(name, safeDecodeCookieValue(value));
+    }
+  }
+
+  return map;
+}
+
+/**
+ * Decode a single cookie value with `decodeURIComponent`, falling back to
+ * the raw byte sequence if the input contains a malformed `%`-escape.
+ *
+ * Used by both `parseCookieHeader` (incoming Cookie: header) and the
+ * `setRaw` forwarding path (outgoing Set-Cookie from upstream services).
+ * Total — never throws.
+ */
+export function safeDecodeCookieValue(raw: string): string {
+  try {
+    return decodeURIComponent(raw);
+  } catch {
+    return raw;
+  }
+}
+
+/** Serialize a CookieEntry into a Set-Cookie header value. */
+export function serializeCookieEntry(entry: CookieEntry): string {
+  const parts = [`${entry.name}=${entry.value}`];
+  const opts = entry.options;
+
+  if (opts.domain) parts.push(`Domain=${opts.domain}`);
+  if (opts.path) parts.push(`Path=${opts.path}`);
+  if (opts.expires) parts.push(`Expires=${opts.expires.toUTCString()}`);
+  if (opts.maxAge !== undefined) parts.push(`Max-Age=${opts.maxAge}`);
+  if (opts.httpOnly) parts.push('HttpOnly');
+  if (opts.secure) parts.push('Secure');
+  if (opts.sameSite) {
+    parts.push(`SameSite=${opts.sameSite.charAt(0).toUpperCase()}${opts.sameSite.slice(1)}`);
+  }
+  if (opts.partitioned) parts.push('Partitioned');
+
+  return parts.join('; ');
+}
+
+/**
+ * Parse a raw `Set-Cookie` header string into name, value, and options.
+ * Handles all standard attributes: Path, Domain, Max-Age, Expires,
+ * SameSite, Secure, HttpOnly, Partitioned.
+ *
+ * Does NOT apply DEFAULT_COOKIE_OPTIONS — the caller decides whether
+ * to merge defaults (e.g. `set()` does, but `setRaw()` should preserve
+ * the original header's intent).
+ */
+export function parseSetCookie(
+  header: string
+): { name: string; value: string; options: CookieOptions } | null {
+  const segments = header.split(';');
+  const nameValue = segments[0];
+  const eqIdx = nameValue.indexOf('=');
+  if (eqIdx <= 0) return null;
+
+  const name = nameValue.slice(0, eqIdx).trim();
+  const value = nameValue.slice(eqIdx + 1).trim();
+  const options: CookieOptions = {};
+
+  for (let i = 1; i < segments.length; i++) {
+    const seg = segments[i].trim();
+    if (!seg) continue;
+    const [attrName, ...rest] = seg.split('=');
+    const key = attrName.trim().toLowerCase();
+    const val = rest.join('=').trim();
+    switch (key) {
+      case 'path':
+        options.path = val || '/';
+        break;
+      case 'domain':
+        options.domain = val;
+        break;
+      case 'max-age':
+        options.maxAge = Number(val);
+        break;
+      case 'expires':
+        options.expires = new Date(val);
+        break;
+      case 'samesite':
+        options.sameSite = val.toLowerCase() as 'strict' | 'lax' | 'none';
+        break;
+      case 'secure':
+        options.secure = true;
+        break;
+      case 'httponly':
+        options.httpOnly = true;
+        break;
+      case 'partitioned':
+        options.partitioned = true;
+        break;
+    }
+  }
+
+  return { name, value, options };
+}

package/src/server/{deny-page-resolver.ts → deny-boundary.ts}

@@ -1,23 +1,41 @@
 /**
- * Deny Page Resolver — resolves status-code file components for in-tree deny handling.
+ * Deny boundary subsystem — the in-tree DenySignal flow.
  *
- * When AccessGate or PageDenyBoundary catches a DenySignal, they need to
- * render the matching deny page (403.tsx, 4xx.tsx, error.tsx) as a normal
- * element in the React tree. This module resolves the deny page chain from
- * the segment chain — a list of fallback components ordered by specificity.
+ * Three things live together here because they form a single flow:
  *
- * The chain is built during buildRouteElement and passed as a prop to
- * AccessGate and PageDenyBoundary. At catch time, the first matching
- * component is rendered.
+ * 1. **Chain construction** (`buildDenyPageChain`) — walks the matched
+ *    segment chain at element-tree build time and produces a list of
+ *    `DenyPageEntry` records ordered by specificity (specific status →
+ *    category catch-all → `error.tsx`).
  *
- * See design/10-error-handling.md §"Status-Code Files", TIM-666.
+ * 2. **Runtime matching** (`renderMatchingDenyPage`) — picks the first
+ *    chain entry whose status filter matches the thrown DenySignal and
+ *    returns a React element for the matching component. Used by
+ *    `AccessGate` and `PageDenyBoundary` when they catch a deny.
+ *
+ * 3. **The page boundary itself** (`PageDenyBoundary`) — the async server
+ *    component that wraps a server-component page, calls it, and catches
+ *    `DenySignal` so the deny page renders in-tree (no throw reaches
+ *    React Flight, single render pass).
+ *
+ * Plus the ALS helpers (`setDenyStatus` / `getDenyStatus`) the boundary
+ * uses to thread the matched status code back to the pipeline so the
+ * HTTP status reflects the deny.
+ *
+ * Folded into one module from the former `deny-page-resolver.ts` and
+ * `page-deny-boundary.tsx` (TIM-853) — the names were misleading and the
+ * three pieces only made sense together.
+ *
+ * See design/04-authorization.md, design/10-error-handling.md, TIM-666.
  */
 
 import { createElement } from 'react';
 
-import type { ManifestSegmentNode } from './route-matcher.js';
-import { loadModule } from './safe-load.js';
 import { requestContextAls } from './als-registry.js';
+import { DenySignal } from './primitives.js';
+import { loadModule } from './safe-load.js';
+import { withSpan } from './tracing.js';
+import type { ManifestSegmentNode } from './route-matcher.js';
 
 // ─── Types ────────────────────────────────────────────────────────────────
 
@@ -29,7 +47,7 @@ export interface DenyPageEntry {
   component: (...args: unknown[]) => unknown;
 }
 
-// ─── Resolver ─────────────────────────────────────────────────────────────
+// ─── Chain Construction ──────────────────────────────────────────────────
 
 /**
  * Build the deny page fallback chain from the segment chain.
@@ -101,7 +119,7 @@ export async function buildDenyPageChain(
   return chain;
 }
 
-// ─── Matcher ──────────────────────────────────────────────────────────────
+// ─── Runtime Matcher ──────────────────────────────────────────────────────
 
 /**
  * Find the first deny page in the chain that matches the given status code.
@@ -131,7 +149,53 @@ export function renderMatchingDenyPage(
   return null;
 }
 
-// ─── ALS Helper ───────────────────────────────────────────────────────────
+// ─── Page Boundary ────────────────────────────────────────────────────────
+
+/**
+ * Async server component that wraps a page call with DenySignal catching.
+ *
+ * Calls the page component as an async function (the same thing React
+ * Flight does internally), awaits it, and catches DenySignal. On catch,
+ * renders the matching deny page in-tree. On success, returns the page's
+ * rendered output normally.
+ *
+ * Client component pages ('use client') are NOT wrapped — they can't call
+ * deny() (server-only API) and must go through createElement normally.
+ *
+ * No error reaches React Flight — the Flight stream is clean, SSR succeeds,
+ * and the entire request uses a single renderToReadableStream call.
+ */
+export async function PageDenyBoundary({
+  Page,
+  route,
+  denyPages,
+}: {
+  /** The page server component function. */
+  Page: (...args: unknown[]) => unknown;
+  /** Route path for OTEL tracing. */
+  route: string;
+  /** Deny page fallback chain from the segment chain. */
+  denyPages: DenyPageEntry[];
+}): Promise<React.ReactElement> {
+  try {
+    // Call the page as an async function — same as React Flight does.
+    // Wrap in OTEL span for tracing (replaces the TracedPage wrapper).
+    const result = await withSpan('timber.page', { 'timber.route': route }, () => Page({}));
+    return result as React.ReactElement;
+  } catch (error: unknown) {
+    if (error instanceof DenySignal) {
+      const denyElement = renderMatchingDenyPage(denyPages, error.status, error.data);
+      if (denyElement) {
+        setDenyStatus(error.status);
+        return denyElement;
+      }
+    }
+    // Non-deny errors (RedirectSignal, runtime errors) propagate normally.
+    throw error;
+  }
+}
+
+// ─── ALS Helpers ──────────────────────────────────────────────────────────
 
 /**
  * Set the deny status in the request context ALS.

package/src/server/deny-renderer.ts

@@ -22,6 +22,7 @@ import { DenySignal } from './primitives.js';
 import { logRenderError } from './logger.js';
 import { loadModule } from './safe-load.js';
 import { isDebug } from './debug.js';
+import { escapeHtml } from './utils/escape-html.js';
 import { resolveMetadata, renderMetadataToElements } from './metadata.js';
 import { resolveStatusFile } from './status-code-resolver.js';
 import type { ManifestSegmentNode } from './route-matcher.js';
@@ -280,10 +281,4 @@ function bareJsonResponse(status: number, responseHeaders: Headers): Response {
   });
 }
 
-function escapeHtml(str: string): string {
-  return str
-    .replace(/&/g, '&')
-    .replace(/</g, '&lt;')
-    .replace(/>/g, '&gt;')
-    .replace(/"/g, '&quot;');
-}
+// escapeHtml imported from server/utils/escape-html.ts

package/src/server/early-hints-sender.ts

@@ -19,6 +19,7 @@
  */
 
 import { earlyHintsSenderAls } from './als-registry.js';
+import { swallow } from './logger.js';
 
 /** Function that sends Link header values as a 103 Early Hints response. */
 export type EarlyHintsSenderFn = (links: string[]) => void;
@@ -47,7 +48,7 @@ export function sendEarlyHints103(links: string[]): void {
   if (!sender) return;
   try {
     sender(links);
-  } catch {
-    // Sending 103 is best-effort — failure never blocks the request.
+  } catch (err) {
+    swallow(err, 'early hints 103 send failed');
   }
 }

package/src/server/fallback-error.ts

@@ -98,7 +98,7 @@ export async function renderDevErrorPage(error: unknown, projectRoot?: string):
   try {
     // Dynamic import — keeps dev-error-page.ts and its transitive deps
     // (dev-error-overlay.ts, @jridgewell/trace-mapping) out of production bundles.
-    const { generateDevErrorPage } = await import('../plugins/dev-error-page.js');
+    const { generateDevErrorPage } = await import('../dev-tools/error-page.js');
     html = generateDevErrorPage(err, 'render', root);
     // Inject Vite client script so the error overlay fires when HMR connects.
     html = html.replace(

package/src/server/index.ts

@@ -7,20 +7,18 @@
 export type { AccessContext } from './types';
 export type { MiddlewareContext } from './types';
 export type { RouteContext } from './types';
-export type { Metadata, MetadataRoute } from './types';
+export type { Metadata, MetadataRoute, MetadataHandler, MetadataResult } from './types';
 
-// Request Context — ALS-backed getHeaders(), getCookies(), and getSearchParams()
+// Request Context — ALS-backed accessors (all sync)
+// Prefer defineSearchParams().get() and defineSegmentParams().get() for typed access.
 // Design doc: design/04-authorization.md §"AccessContext does not include cookies or headers"
-// Design doc: design/23-search-params.md §"Server Integration"
-export {
-  getHeaders,
-  getHeader,
-  getCookies,
-  getCookie,
-  getSearchParams,
-  getSegmentParams,
-} from './request-context';
-export type { ReadonlyHeaders, RequestCookies, CookieOptions } from './request-context';
+export { getHeaders, getSegmentParams } from './request-context';
+export type { ReadonlyHeaders } from './request-context';
+
+// Cookie Context — ALS-backed getCookieJar() escape hatch
+// Design doc: design/29-cookies.md
+export { getCookieJar } from './cookie-context';
+export type { RequestCookies, CookieOptions, SetCookieOptions } from './cookie-context';
 
 // Runtime primitives
 export {
@@ -52,8 +50,9 @@ export type {
   ValidationErrors,
 } from './action-client';
 
-// FormData Preprocessing
-export { parseFormData, coerce } from './form-data';
+// FormData Preprocessing — internal only, not part of public API.
+// Schema libraries (Zod z.coerce.*, Valibot v.transform(), ArkType morphs)
+// handle form coercion. Kept for action-client/action-handler internals.
 
 // Form Flash (no-JS error round-trip)
 export { getFormFlash } from './form-flash';

package/src/server/internal.ts

@@ -13,12 +13,18 @@
 
 // ── Request Context internals ────────────────────────────────────────────
 export {
+  getSearchParams,
+  getSegmentParams,
+  getHeader,
   setSegmentParams,
   runWithRequestContext,
   setMutableCookieContext,
   markResponseFlushed,
-  getSetCookieHeaders,
 } from './request-context.js';
+export { getCookie, getSetCookieHeaders } from './cookie-context.js';
+
+// ── Form-data coercion (internal) ────────────────────────────────────────
+export { coerce } from './form-data.js';
 
 // ── Signal classes (instanceof targets for pipeline catch logic) ──────────
 export { DenySignal, RedirectSignal, RenderError } from './primitives.js';
@@ -60,6 +66,7 @@ export type {
   TreeBuilderConfig,
   TreeBuildResult,
   LoadedModule,
+  LoadedComponent,
   ModuleLoader,
   AccessGateProps,
   SlotAccessGateProps,
@@ -157,8 +164,8 @@ export {
   warnSlowSlotWithoutSuspense,
   setViteServer,
   WarningId,
-} from './dev-warnings.js';
-export type { DevWarningConfig } from './dev-warnings.js';
+} from '../dev-tools/warnings.js';
+export type { DevWarningConfig } from '../dev-tools/warnings.js';
 
 // ── Route Handler ────────────────────────────────────────────────────────
 export { handleRouteRequest, resolveAllowedMethods } from './route-handler.js';

package/src/server/logger.ts

@@ -10,6 +10,7 @@
 
 import { getTraceStore } from './tracing.js';
 import { createDefaultLogger } from './default-logger.js';
+import { isDevMode } from './debug.js';
 
 // ─── Logger Interface ─────────────────────────────────────────────────────
 
@@ -156,3 +157,25 @@ export function logSwrRefetchFailed(data: { cacheKey: string; error: unknown }):
 export function logCacheMiss(data: { cacheKey: string }): void {
   _logger.debug('timber.cache MISS', withTraceContext(data));
 }
+
+// ─── Swallow Helper ───────────────────────────────────────────────────────
+
+/**
+ * Log an intentionally swallowed error. Provides observability into catch
+ * blocks that are deliberately empty — the error is consumed, never rethrown.
+ *
+ * Default level: `warn` in dev (so the overlay surfaces patterns), `debug`
+ * in production (low noise unless TIMBER_DEBUG is set). Pass `opts.level`
+ * to override.
+ *
+ * **Infallible** — swallow() itself never throws, even if the logger is
+ * broken. A thrown swallow would turn a benign catch into a crash.
+ */
+export function swallow(err: unknown, reason: string, opts?: { level?: 'debug' | 'warn' }): void {
+  try {
+    const level = opts?.level ?? (isDevMode() ? 'warn' : 'debug');
+    _logger[level](`swallowed: ${reason}`, withTraceContext({ error: err }));
+  } catch {
+    // swallow() must never throw.
+  }
+}

package/src/server/middleware-runner.ts

@@ -57,3 +57,47 @@ export async function runMiddlewareChain(
   }
   return undefined;
 }
+
+// ─── Per-Request Middleware Bypass ─────────────────────────────────────────
+
+/**
+ * Per-request marker for synthetic re-render requests that should NOT
+ * re-execute `middleware.ts`. The action-dispatch wrapper runs middleware
+ * once on the inbound action POST; when validation fails on the no-JS
+ * path, it builds a synthetic GET that flows through the normal pipeline
+ * to render the page with `getFormFlash()` data. Without this marker, the
+ * pipeline would run middleware a second time on that synthetic GET.
+ *
+ * The set is keyed by the synthetic Request object itself, so the entry
+ * lives exactly as long as the request and is garbage-collected with it.
+ * Cannot be set or detected by user code — there is no header, no URL
+ * parameter, nothing on the wire that an attacker could spoof.
+ *
+ * See TIM-871.
+ *
+ * @internal — framework use only.
+ */
+const middlewareBypassRequests = new WeakSet<Request>();
+
+/**
+ * Mark a request so the pipeline skips its middleware phase.
+ *
+ * Used by `wrap-action-dispatch.ts` for the no-JS form-rerender path.
+ *
+ * @internal
+ */
+export function markRequestBypassMiddleware(req: Request): void {
+  middlewareBypassRequests.add(req);
+}
+
+/**
+ * Check whether a request was marked to bypass middleware.
+ *
+ * Called by `handleRequest` in pipeline-phases.ts before invoking the
+ * middleware phase. Returns false for any request not explicitly marked.
+ *
+ * @internal
+ */
+export function shouldBypassMiddleware(req: Request): boolean {
+  return middlewareBypassRequests.has(req);
+}

package/src/server/param-coercion.ts

@@ -0,0 +1,76 @@
+/**
+ * Segment param coercion — runs the matched route's `params.ts` codecs
+ * over the raw matcher output before middleware and rendering.
+ *
+ * Lifted out of `pipeline-phases.ts` (TIM-853) so the coercer can be
+ * imported directly by other entry points (the action-dispatch wrapper,
+ * the revalidation renderer in `rsc-entry/index.ts`) without pulling
+ * the entire pipeline phase module along with it.
+ *
+ * The function throws `ParamCoercionError` from `route-element-builder.ts`
+ * on any codec failure; the pipeline catches that and dispatches to the
+ * 404 page. See design/07-routing.md §"Where Coercion Runs".
+ */
+
+import type { RouteMatch } from './pipeline.js';
+import { sanitizeParamValue } from './pipeline-helpers.js';
+import { loadModule } from './safe-load.js';
+import { ParamCoercionError } from './route-element-builder.js';
+
+/**
+ * Run segment param coercion on the matched route's segments.
+ *
+ * Loads params.ts modules from segments that have them, extracts the
+ * segmentParams definition, and coerces raw string params through codecs.
+ * Throws ParamCoercionError if any codec fails (→ 404).
+ *
+ * This runs BEFORE middleware, so ctx.segmentParams is already typed.
+ * See design/07-routing.md §"Where Coercion Runs"
+ */
+export async function coerceSegmentParams(match: RouteMatch): Promise<void> {
+  // Unconditionally install a null-prototype target so the invariant
+  // "match.segmentParams is null-prototype" holds from the first line,
+  // regardless of whether any segment has a codec.
+  const mergeTarget: Record<string, unknown> = Object.create(null);
+  for (const key of Object.keys(match.segmentParams)) {
+    if (key !== '__proto__') {
+      mergeTarget[key] = match.segmentParams[key as keyof typeof match.segmentParams];
+    }
+  }
+  match.segmentParams = mergeTarget as RouteMatch['segmentParams'];
+
+  for (const segment of match.segments) {
+    // Only process segments that have a params.ts convention file
+    if (!segment.params) continue;
+
+    let mod: Record<string, unknown>;
+    try {
+      mod = await loadModule(segment.params);
+    } catch (err) {
+      throw new ParamCoercionError(
+        `Failed to load params module for segment "${segment.segmentName}": ${err instanceof Error ? err.message : String(err)}`
+      );
+    }
+
+    const segmentParamsDef = mod.segmentParams as
+      | { parse(raw: Record<string, string | string[]>): Record<string, unknown> }
+      | undefined;
+
+    if (!segmentParamsDef || typeof segmentParamsDef.parse !== 'function') continue;
+
+    try {
+      const coerced = segmentParamsDef.parse(match.segmentParams);
+
+      // Deep-sanitize codec output: every nested plain object becomes
+      // null-prototype with dangerous keys stripped at every depth.
+      // See TIM-873, design/13-security.md
+      for (const key of Object.keys(coerced as Record<string, unknown>)) {
+        if (key !== '__proto__') {
+          mergeTarget[key] = sanitizeParamValue((coerced as Record<string, unknown>)[key]);
+        }
+      }
+    } catch (err) {
+      throw new ParamCoercionError(err instanceof Error ? err.message : String(err));
+    }
+  }
+}

package/src/server/pipeline-helpers.ts

@@ -10,33 +10,57 @@
  */
 
 import type { ProxyExport } from './proxy.js';
-import { getSetCookieHeaders } from './request-context.js';
+import { getSetCookieHeaders } from './cookie-context.js';
 import { callOnRequestError } from './instrumentation.js';
 import { getTraceId } from './tracing.js';
 import { RedirectSignal } from './primitives.js';
 import type { ProxyConfig } from './pipeline.js';
 
-// ─── Prototype-Pollution-Safe Merge ────────────────────────────────────────
+// ─── Prototype-Pollution-Safe Sanitizer ────────────────────────────────────
 
-/** Keys that must never be merged via Object.assign — they pollute Object.prototype. */
-const DANGEROUS_KEYS = new Set(['__proto__', 'constructor', 'prototype']);
+/**
+ * Only __proto__ needs stripping — it has a language-level setter that
+ * changes the prototype chain of spread copies. constructor and prototype
+ * are harmless own properties on null-prototype objects.
+ */
+const DANGEROUS_KEYS = new Set(['__proto__']);
 
 /**
- * Shallow merge that skips top-level prototype-polluting keys.
+ * Deep-walk a value returned by a segment param codec, producing a
+ * sanitized copy where every plain object is null-prototype and
+ * dangerous keys (__proto__, constructor, prototype) are stripped at
+ * every depth.
+ *
+ * Non-plain objects (Date, Map, class instances, etc.) are returned
+ * as-is — they cannot be poisoned by `{...x}` spread and may carry
+ * author-intended prototype methods.
+ *
+ * Arrays are walked element-wise.
  *
- * This is intentionally NOT a deep sanitizer. It only blocks shallow
- * pollution via top-level `__proto__` / `constructor` / `prototype`
- * keys. The deeper guarantee for segment params comes from merging
- * codec output into a null-prototype target inside coerceSegmentParams().
+ * Performance: URL params are bounded by URL length (~8 KB). Realistic
+ * trees are <1 KB. The recursive walk is sub-microsecond.
  *
- * See TIM-655, TIM-855, design/13-security.md
+ * See TIM-655, TIM-855, TIM-873, design/13-security.md
  */
-export function safeMerge(target: Record<string, unknown>, source: Record<string, unknown>): void {
-  for (const key of Object.keys(source)) {
+export function sanitizeParamValue(value: unknown): unknown {
+  if (value === null || typeof value !== 'object') return value;
+
+  if (Array.isArray(value)) {
+    return value.map(sanitizeParamValue);
+  }
+
+  // Only walk plain objects — anything with a custom prototype (Date, Map,
+  // class instances) is left untouched.
+  const proto = Object.getPrototypeOf(value);
+  if (proto !== Object.prototype && proto !== null) return value;
+
+  const out: Record<string, unknown> = Object.create(null);
+  for (const key of Object.keys(value as Record<string, unknown>)) {
     if (!DANGEROUS_KEYS.has(key)) {
-      target[key] = source[key];
+      out[key] = sanitizeParamValue((value as Record<string, unknown>)[key]);
     }
   }
+  return out;
 }
 
 // ─── Proxy Resolver ────────────────────────────────────────────────────────