@vertz/core 0.2.1 → 0.2.4

package/dist/index.d.ts

@@ -39,172 +39,6 @@ declare function createMiddleware<
 	TRequires extends Record<string, unknown> = Record<string, unknown>,
 	TProvides extends Record<string, unknown> = Record<string, unknown>
 >(def: NamedMiddlewareDef<TRequires, TProvides>): NamedMiddlewareDef<TRequires, TProvides>;
-import { Schema as Schema2 } from "@vertz/schema";
-interface ModuleDef<
-	TImports extends Record<string, unknown> = Record<string, unknown>,
-	TOptions extends Record<string, unknown> = Record<string, unknown>
-> {
-	name: string;
-	imports?: TImports;
-	options?: Schema2<TOptions>;
-}
-interface ServiceDef<
-	TDeps = unknown,
-	TState = unknown,
-	TMethods = unknown,
-	TOptions extends Record<string, unknown> = Record<string, unknown>,
-	TEnv extends Record<string, unknown> = Record<string, unknown>
-> {
-	inject?: Record<string, unknown>;
-	options?: Schema2<TOptions>;
-	env?: Schema2<TEnv>;
-	onInit?: (deps: TDeps, opts: TOptions, env: TEnv) => Promise<TState> | TState;
-	methods: (deps: TDeps, state: TState, opts: TOptions, env: TEnv) => TMethods;
-	onDestroy?: (deps: TDeps, state: TState) => Promise<void> | void;
-}
-interface RouterDef<TInject extends Record<string, unknown> = Record<string, unknown>> {
-	prefix: string;
-	inject?: TInject;
-}
-interface Module<TDef extends ModuleDef = ModuleDef> {
-	definition: TDef;
-	services: ServiceDef[];
-	routers: RouterDef[];
-	exports: ServiceDef[];
-}
-type Primitive = string | number | boolean | bigint | symbol | undefined | null;
-type BuiltinObject = Date | RegExp | Error | Map<unknown, unknown> | Set<unknown> | WeakMap<object, unknown> | WeakSet<object> | Promise<unknown> | Request | Response | Headers | ReadableStream | WritableStream;
-type DeepReadonly<T> = unknown extends T ? T : T extends Primitive ? T : T extends BuiltinObject ? T : T extends (...args: infer A) => infer R ? (...args: A) => R : T extends ReadonlyArray<infer U> ? ReadonlyArray<DeepReadonly<U>> : T extends Array<infer U> ? ReadonlyArray<DeepReadonly<U>> : { readonly [K in keyof T] : DeepReadonly<T[K]> };
-interface RawRequest {
-	readonly request: Request;
-	readonly method: string;
-	readonly url: string;
-	readonly headers: Headers;
-}
-interface HandlerCtx {
-	params: Record<string, unknown>;
-	body: unknown;
-	query: Record<string, string>;
-	headers: Record<string, unknown>;
-	raw: RawRequest;
-	options: Record<string, unknown>;
-	env: Record<string, unknown>;
-	[key: string]: unknown;
-}
-type Deps<T extends Record<string, unknown>> = DeepReadonly<T>;
-type Ctx<T extends Record<string, unknown>> = DeepReadonly<T>;
-interface NamedServiceDef<
-	TDeps = unknown,
-	TState = unknown,
-	TMethods = unknown,
-	TOptions extends Record<string, unknown> = Record<string, unknown>,
-	TEnv extends Record<string, unknown> = Record<string, unknown>
-> extends ServiceDef<TDeps, TState, TMethods, TOptions, TEnv> {
-	moduleName: string;
-}
-type InferOutput<
-	T,
-	TDefault = unknown
-> = T extends {
-	_output: infer O;
-} ? O : T extends {
-	parse(v: unknown): infer P;
-} ? P : TDefault;
-type TypedHandlerCtx<
-	TParams = unknown,
-	TQuery = unknown,
-	THeaders = unknown,
-	TBody = unknown,
-	TMiddleware extends Record<string, unknown> = Record<string, unknown>
-> = Omit<HandlerCtx, "params" | "query" | "headers" | "body"> & {
-	params: TParams;
-	query: TQuery;
-	headers: THeaders;
-	body: TBody;
-} & TMiddleware;
-interface RouteConfig<
-	TParams = unknown,
-	TQuery = unknown,
-	THeaders = unknown,
-	TBody = unknown,
-	TMiddleware extends Record<string, unknown> = Record<string, unknown>
-> {
-	params?: TParams;
-	body?: TBody;
-	query?: TQuery;
-	response?: unknown;
-	/** Error schemas for errors-as-values pattern. Keys are HTTP status codes. */
-	errors?: Record<number, unknown>;
-	headers?: THeaders;
-	middlewares?: unknown[];
-	handler: (ctx: TypedHandlerCtx<InferOutput<TParams>, InferOutput<TQuery, Record<string, string>>, InferOutput<THeaders>, InferOutput<TBody>, TMiddleware>) => unknown;
-}
-interface Route {
-	method: string;
-	path: string;
-	config: RouteConfig<unknown, unknown, unknown, unknown, Record<string, unknown>>;
-}
-/**
-* Extracts the TMethods type from a NamedServiceDef or ServiceDef.
-* Returns `unknown` for non-service types.
-*/
-type ExtractMethods<T> = T extends NamedServiceDef<any, any, infer M> ? M : T extends ServiceDef<any, any, infer M> ? M : unknown;
-/**
-* Resolves an inject map by extracting TMethods from each NamedServiceDef value.
-* Given `{ userService: NamedServiceDef<..., ..., UserMethods> }`,
-* produces `{ userService: UserMethods }`.
-*/
-type ResolveInjectMap<T extends Record<string, unknown>> = { [K in keyof T] : ExtractMethods<T[K]> };
-type HttpMethodFn<
-	TMiddleware extends Record<string, unknown> = Record<string, unknown>,
-	TInject extends Record<string, unknown> = Record<string, unknown>
-> = <
-	TParams,
-	TQuery,
-	THeaders,
-	TBody
->(path: `/${string}`, config: RouteConfig<TParams, TQuery, THeaders, TBody, TMiddleware & ResolveInjectMap<TInject>>) => NamedRouterDef<TMiddleware, TInject>;
-interface NamedRouterDef<
-	TMiddleware extends Record<string, unknown> = Record<string, unknown>,
-	TInject extends Record<string, unknown> = Record<string, unknown>
-> extends RouterDef<TInject> {
-	moduleName: string;
-	routes: Route[];
-	get: HttpMethodFn<TMiddleware, TInject>;
-	post: HttpMethodFn<TMiddleware, TInject>;
-	put: HttpMethodFn<TMiddleware, TInject>;
-	patch: HttpMethodFn<TMiddleware, TInject>;
-	delete: HttpMethodFn<TMiddleware, TInject>;
-	head: HttpMethodFn<TMiddleware, TInject>;
-}
-interface NamedModuleDef<
-	TImports extends Record<string, unknown> = Record<string, unknown>,
-	TOptions extends Record<string, unknown> = Record<string, unknown>,
-	TMiddleware extends Record<string, unknown> = Record<string, unknown>
-> extends ModuleDef<TImports, TOptions> {
-	service: <
-		TDeps,
-		TState,
-		TMethods
-	>(config: ServiceDef<TDeps, TState, TMethods>) => NamedServiceDef<TDeps, TState, TMethods>;
-	router: <TInject extends Record<string, unknown> = Record<string, unknown>>(config: RouterDef<TInject>) => NamedRouterDef<TMiddleware, TInject>;
-}
-declare function createModuleDef<
-	TImports extends Record<string, unknown> = Record<string, unknown>,
-	TOptions extends Record<string, unknown> = Record<string, unknown>,
-	TMiddleware extends Record<string, unknown> = Record<string, unknown>
->(config: ModuleDef<TImports, TOptions>): NamedModuleDef<TImports, TOptions, TMiddleware>;
-interface NamedModule {
-	definition: NamedModuleDef;
-	services: NamedServiceDef[];
-	routers: NamedRouterDef<any, any>[];
-	exports: NamedServiceDef[];
-}
-declare function createModule(definition: NamedModuleDef, config: {
-	services: NamedServiceDef[];
-	routers: NamedRouterDef<any, any>[];
-	exports: NamedServiceDef[];
-}): NamedModule;
 interface CorsConfig {
 	origins?: string | string[] | boolean;
 	methods?: string[];
@@ -223,6 +57,13 @@ interface EntityDefinition {
 	readonly actions: Record<string, unknown>;
 	readonly relations: Record<string, unknown>;
 }
+type SchemaLike = {
+	parse(value: unknown): {
+		ok: boolean;
+		data?: unknown;
+		error?: unknown;
+	};
+};
 /**
 * An entity route entry generated by @vertz/server's route generator.
 * Core doesn't know about entity internals — it just registers these as handlers.
@@ -230,7 +71,13 @@ interface EntityDefinition {
 interface EntityRouteEntry {
 	method: string;
 	path: string;
-	handler: (ctx: Record<string, unknown>) => Promise<Response>;
+	handler: (ctx: Record<string, unknown>) => unknown;
+	paramsSchema?: SchemaLike;
+	bodySchema?: SchemaLike;
+	querySchema?: SchemaLike;
+	headersSchema?: SchemaLike;
+	responseSchema?: SchemaLike;
+	errorsSchema?: Record<number, SchemaLike>;
 }
 interface AppConfig {
 	basePath?: string;
@@ -263,8 +110,7 @@ interface RouteInfo {
 	method: string;
 	path: string;
 }
-interface AppBuilder<TMiddlewareCtx extends Record<string, unknown> = Record<string, unknown>> {
-	register(module: NamedModule, options?: Record<string, unknown>): AppBuilder<TMiddlewareCtx>;
+interface AppBuilder<_TMiddlewareCtx extends Record<string, unknown> = Record<string, unknown>> {
 	middlewares<const M extends readonly NamedMiddlewareDef<any, any>[]>(list: M): AppBuilder<AccumulateProvides<M>>;
 	readonly handler: (request: Request) => Promise<Response>;
 	listen(port?: number, options?: ListenOptions): Promise<ServerHandle>;
@@ -274,36 +120,31 @@ interface AppBuilder<TMiddlewareCtx extends Record<string, unknown> = Record<str
 	};
 }
 declare function createApp(config: AppConfig): AppBuilder;
-type ServiceFactory<
-	TDeps = unknown,
-	TState = unknown,
-	TMethods = unknown,
-	TOptions extends Record<string, unknown> = Record<string, unknown>,
-	TEnv extends Record<string, unknown> = Record<string, unknown>
-> = ServiceDef<TDeps, TState, TMethods, TOptions, TEnv>;
-interface ServiceBootInstruction {
-	type: "service";
-	id: string;
-	deps: string[];
-	factory: ServiceFactory;
-	options?: Record<string, unknown>;
-	env?: Record<string, unknown>;
-}
-interface ModuleBootInstruction {
-	type: "module";
-	id: string;
-	services: string[];
-	options?: Record<string, unknown>;
+type Primitive = string | number | boolean | bigint | symbol | undefined | null;
+type BuiltinObject = Date | RegExp | Error | Map<unknown, unknown> | Set<unknown> | WeakMap<object, unknown> | WeakSet<object> | Promise<unknown> | Request | Response | Headers | ReadableStream | WritableStream;
+type DeepReadonly<T> = unknown extends T ? T : T extends Primitive ? T : T extends BuiltinObject ? T : T extends (...args: infer A) => infer R ? (...args: A) => R : T extends ReadonlyArray<infer U> ? ReadonlyArray<DeepReadonly<U>> : T extends Array<infer U> ? ReadonlyArray<DeepReadonly<U>> : { readonly [K in keyof T] : DeepReadonly<T[K]> };
+interface RawRequest {
+	readonly request: Request;
+	readonly method: string;
+	readonly url: string;
+	readonly headers: Headers;
 }
-type BootInstruction = ServiceBootInstruction | ModuleBootInstruction;
-interface BootSequence {
-	instructions: BootInstruction[];
-	shutdownOrder: string[];
+interface HandlerCtx {
+	params: Record<string, unknown>;
+	body: unknown;
+	query: Record<string, string>;
+	headers: Record<string, unknown>;
+	raw: RawRequest;
+	options: Record<string, unknown>;
+	env: Record<string, unknown>;
+	[key: string]: unknown;
 }
-import { Schema as Schema3 } from "@vertz/schema";
+type Deps<T extends Record<string, unknown>> = DeepReadonly<T>;
+type Ctx<T extends Record<string, unknown>> = DeepReadonly<T>;
+import { Schema as Schema2 } from "@vertz/schema";
 interface EnvConfig<T = unknown> {
 	load?: string[];
-	schema: Schema3<T>;
+	schema: Schema2<T>;
 	env?: Record<string, string | undefined>;
 }
 type HttpMethod = "GET" | "POST" | "PUT" | "PATCH" | "DELETE" | "HEAD" | "OPTIONS";
@@ -370,8 +211,6 @@ declare function makeImmutable<T extends object>(obj: T, contextName: string): D
 declare const vertz: {
 	readonly env: typeof createEnv;
 	readonly middleware: typeof createMiddleware;
-	readonly moduleDef: typeof createModuleDef;
-	readonly module: typeof createModule;
 	readonly app: typeof createApp;
 	/** @since 0.2.0 — preferred alias for `app` */
 	readonly server: typeof createApp;
@@ -385,4 +224,4 @@ declare const createServer: (config: AppConfig) => AppBuilder;
 * @deprecated Use `createServer` instead. `createApp` will be removed in v0.3.0.
 */
 declare const createApp2: (config: AppConfig) => AppBuilder;
-export { vertz, makeImmutable, deepFreeze, createServer, createModuleDef, createModule, createMiddleware, createImmutableProxy, createEnv, createApp2 as createApp, VertzException, ValidationException, UnauthorizedException, ServiceUnavailableException, ServiceFactory, ServiceDef, ServiceBootInstruction, ServerHandle, ServerAdapter, RouterDef, RouteInfo, ResolveInjectMap, RawRequest, NotFoundException, NamedServiceDef, NamedRouterDef, NamedModuleDef, NamedModule, NamedMiddlewareDef, ModuleDef, ModuleBootInstruction, Module, MiddlewareDef, ListenOptions, InternalServerErrorException, Infer2 as InferSchema, Infer, HttpStatusCode, HttpMethod, HandlerCtx, ForbiddenException, ExtractMethods, EnvConfig, EntityRouteEntry, Deps, DeepReadonly, Ctx, CorsConfig, ConflictException, BootSequence, BootInstruction, BadRequestException, AppConfig, AppBuilder, AccumulateProvides };
+export { vertz, makeImmutable, deepFreeze, createServer, createMiddleware, createImmutableProxy, createEnv, createApp2 as createApp, VertzException, ValidationException, UnauthorizedException, ServiceUnavailableException, ServerHandle, ServerAdapter, RouteInfo, RawRequest, NotFoundException, NamedMiddlewareDef, MiddlewareDef, ListenOptions, InternalServerErrorException, Infer2 as InferSchema, Infer, HttpStatusCode, HttpMethod, HandlerCtx, ForbiddenException, EnvConfig, EntityRouteEntry, Deps, DeepReadonly, Ctx, CorsConfig, ConflictException, BadRequestException, AppConfig, AppBuilder, AccumulateProvides };

package/dist/index.js

@@ -18,7 +18,7 @@ import {
   parseBody,
   parseRequest,
   runMiddlewareChain
-} from "./shared/chunk-k596zpc6.js";
+} from "./shared/chunk-m3w3ytn5.js";
 
 // src/result.ts
 var RESULT_BRAND = Symbol.for("vertz.result");
@@ -49,27 +49,34 @@ function resolveOrigin(config, requestOrigin) {
   return null;
 }
 function handleCors(config, request) {
+  if (config.credentials && (config.origins === true || config.origins === "*")) {
+    throw new Error("CORS misconfiguration: credentials cannot be used with wildcard origins. " + "Browsers will reject the response. Use an explicit origin allowlist instead.");
+  }
   const requestOrigin = request.headers.get("origin");
   const origin = resolveOrigin(config, requestOrigin);
   if (request.method === "OPTIONS") {
     const headers = {};
-    if (origin)
+    if (origin) {
       headers["access-control-allow-origin"] = origin;
-    const methods = config.methods ?? DEFAULT_METHODS;
-    headers["access-control-allow-methods"] = methods.join(", ");
-    const allowHeaders = config.headers ?? DEFAULT_HEADERS;
-    headers["access-control-allow-headers"] = allowHeaders.join(", ");
-    if (config.maxAge !== undefined) {
-      headers["access-control-max-age"] = String(config.maxAge);
-    }
-    if (config.credentials) {
-      headers["access-control-allow-credentials"] = "true";
+      const methods = config.methods ?? DEFAULT_METHODS;
+      headers["access-control-allow-methods"] = methods.join(", ");
+      const allowHeaders = config.headers ?? DEFAULT_HEADERS;
+      headers["access-control-allow-headers"] = allowHeaders.join(", ");
+      if (config.maxAge !== undefined) {
+        headers["access-control-max-age"] = String(config.maxAge);
+      }
+      if (config.credentials) {
+        headers["access-control-allow-credentials"] = "true";
+      }
     }
     return new Response(null, { status: 204, headers });
   }
   return null;
 }
 function applyCorsHeaders(config, request, response) {
+  if (config.credentials && (config.origins === true || config.origins === "*")) {
+    throw new Error("CORS misconfiguration: credentials cannot be used with wildcard origins. " + "Browsers will reject the response. Use an explicit origin allowlist instead.");
+  }
   const requestOrigin = request.headers.get("origin");
   const origin = resolveOrigin(config, requestOrigin);
   if (!origin)
@@ -97,35 +104,41 @@ function createResponseWithCors(data, status, config, request) {
   }
   return response;
 }
+var INTERNAL_DETAIL_PATTERNS = [
+  /(?:^|[\s:])\/[\w./-]+/,
+  /[A-Z]:\\[\w\\.-]+/,
+  /node_modules/,
+  /at\s+\w+\s+\(/,
+  /\.ts:\d+:\d+/,
+  /\.js:\d+:\d+/
+];
+function sanitizeValidationMessage(error, label) {
+  if (error != null && typeof error === "object" && "issues" in error && Array.isArray(error.issues)) {
+    const issues = error.issues;
+    const messages = issues.map((issue) => typeof issue.message === "string" ? issue.message : "").filter(Boolean);
+    if (messages.length > 0) {
+      return messages.join(", ");
+    }
+  }
+  const message = error instanceof Error ? error.message : "";
+  if (!message) {
+    return `Invalid ${label}`;
+  }
+  for (const pattern of INTERNAL_DETAIL_PATTERNS) {
+    if (pattern.test(message)) {
+      return `Invalid ${label}`;
+    }
+  }
+  return message;
+}
 function validateSchema(schema, value, label) {
   const result = schema.parse(value);
   if (!result.ok) {
-    const message = result.error instanceof Error ? result.error.message : `Invalid ${label}`;
+    const message = sanitizeValidationMessage(result.error, label);
     throw new BadRequestException(message);
   }
   return result.data;
 }
-function resolveServices(registrations) {
-  const serviceMap = new Map;
-  for (const { module, options } of registrations) {
-    for (const service of module.services) {
-      if (!serviceMap.has(service)) {
-        let parsedOptions = {};
-        if (service.options && options) {
-          const parsed = service.options.safeParse(options);
-          if (parsed.ok) {
-            parsedOptions = parsed.data;
-          } else {
-            throw new Error(`Invalid options for service ${service.moduleName}: ${parsed.error.issues.map((i) => i.message).join(", ")}`);
-          }
-        }
-        const env = {};
-        serviceMap.set(service, service.methods({}, undefined, parsedOptions, env));
-      }
-    }
-  }
-  return serviceMap;
-}
 function resolveMiddlewares(globalMiddlewares) {
   return globalMiddlewares.map((mw) => ({
     name: mw.name,
@@ -133,58 +146,22 @@ function resolveMiddlewares(globalMiddlewares) {
     resolvedInject: {}
   }));
 }
-function resolveRouterServices(inject, serviceMap) {
-  if (!inject)
-    return {};
-  const resolved = {};
-  for (const [name, serviceDef] of Object.entries(inject)) {
-    const methods = serviceMap.get(serviceDef);
-    if (methods)
-      resolved[name] = methods;
-  }
-  return resolved;
-}
-function registerRoutes(trie, basePath, registrations, serviceMap) {
-  for (const { module, options } of registrations) {
-    for (const router of module.routers) {
-      const resolvedServices = resolveRouterServices(router.inject, serviceMap);
-      for (const route of router.routes) {
-        const fullPath = basePath + router.prefix + route.path;
-        const routeMiddlewares = (route.config.middlewares ?? []).map((mw) => ({
-          name: mw.name,
-          handler: mw.handler,
-          resolvedInject: {}
-        }));
-        const entry = {
-          handler: route.config.handler,
-          options: options ?? {},
-          services: resolvedServices,
-          middlewares: routeMiddlewares,
-          paramsSchema: route.config.params,
-          bodySchema: route.config.body,
-          querySchema: route.config.query,
-          headersSchema: route.config.headers,
-          responseSchema: route.config.response,
-          errorsSchema: route.config.errors
-        };
-        trie.add(route.method, fullPath, entry);
-      }
-    }
-  }
-}
-function buildHandler(config, registrations, globalMiddlewares) {
+function buildHandler(config, globalMiddlewares) {
   const trie = new Trie;
-  const basePath = config.basePath ?? "";
   const resolvedMiddlewares = resolveMiddlewares(globalMiddlewares);
-  const serviceMap = resolveServices(registrations);
-  registerRoutes(trie, basePath, registrations, serviceMap);
   if (config._entityRoutes) {
     for (const route of config._entityRoutes) {
       const entry = {
         handler: route.handler,
         options: {},
         services: {},
-        middlewares: []
+        middlewares: [],
+        paramsSchema: route.paramsSchema,
+        bodySchema: route.bodySchema,
+        querySchema: route.querySchema,
+        headersSchema: route.headersSchema,
+        responseSchema: route.responseSchema,
+        errorsSchema: route.errorsSchema
       };
       trie.add(route.method, route.path, entry);
     }
@@ -224,7 +201,11 @@ function buildHandler(config, registrations, globalMiddlewares) {
       if (entry.middlewares.length > 0) {
         const routeCtx = { ...requestCtx, ...middlewareState };
         const routeState = await runMiddlewareChain(entry.middlewares, routeCtx);
-        Object.assign(middlewareState, routeState);
+        for (const key of Object.keys(routeState)) {
+          if (key !== "__proto__" && key !== "constructor" && key !== "prototype") {
+            middlewareState[key] = routeState[key];
+          }
+        }
       }
       const validatedParams = entry.paramsSchema ? validateSchema(entry.paramsSchema, match.params, "params") : match.params;
       const validatedBody = entry.bodySchema ? validateSchema(entry.bodySchema, body, "body") : body;
@@ -320,27 +301,6 @@ function detectAdapter(hints) {
 }
 
 // src/app/route-log.ts
-function normalizePath(path) {
-  let normalized = path.replace(/\/+/g, "/");
-  if (normalized.length > 1 && normalized.endsWith("/")) {
-    normalized = normalized.slice(0, -1);
-  }
-  return normalized || "/";
-}
-function collectRoutes(basePath, registrations) {
-  const routes = [];
-  for (const { module } of registrations) {
-    for (const router of module.routers) {
-      for (const route of router.routes) {
-        routes.push({
-          method: route.method,
-          path: normalizePath(basePath + router.prefix + route.path)
-        });
-      }
-    }
-  }
-  return routes;
-}
 function formatRouteLog(listenUrl, routes) {
   const header = `vertz server listening on ${listenUrl}`;
   if (routes.length === 0) {
@@ -360,29 +320,18 @@ function formatRouteLog(listenUrl, routes) {
 // src/app/app-builder.ts
 var DEFAULT_PORT = 3000;
 function createApp(config) {
-  const registrations = [];
   let globalMiddlewares = [];
   let cachedHandler = null;
   const registeredRoutes = [];
   const entityRoutes = [];
   const builder = {
-    register(module, options) {
-      registrations.push({ module, options });
-      for (const router of module.routers) {
-        for (const route of router.routes) {
-          registeredRoutes.push({ method: route.method, path: router.prefix + route.path });
-        }
-      }
-      cachedHandler = null;
-      return builder;
-    },
     middlewares(list) {
       globalMiddlewares = [...list];
       return builder;
     },
     get handler() {
       if (!cachedHandler) {
-        cachedHandler = buildHandler(config, registrations, globalMiddlewares);
+        cachedHandler = buildHandler(config, globalMiddlewares);
       }
       return cachedHandler;
     },
@@ -393,10 +342,8 @@ function createApp(config) {
       const adapter = detectAdapter();
       const serverHandle = await adapter.listen(port ?? DEFAULT_PORT, builder.handler, options);
       if (options?.logRoutes !== false) {
-        const moduleRoutes = collectRoutes(config.basePath ?? "", registrations);
-        const routes = [...moduleRoutes, ...entityRoutes];
         const url = `http://${serverHandle.hostname}:${serverHandle.port}`;
-        console.log(formatRouteLog(url, routes));
+        console.log(formatRouteLog(url, entityRoutes));
       }
       return serverHandle;
     }
@@ -443,72 +390,10 @@ ${result.error.message}`);
 function createMiddleware(def) {
   return deepFreeze(def);
 }
-// src/module/module.ts
-function validateOwnership(items, kind, expectedModule) {
-  for (const item of items) {
-    if (item.moduleName !== expectedModule) {
-      throw new Error(`${kind} belongs to module "${item.moduleName}", cannot add to module "${expectedModule}"`);
-    }
-  }
-}
-function createModule(definition, config) {
-  validateOwnership(config.services, "Service", definition.name);
-  validateOwnership(config.routers, "Router", definition.name);
-  for (const exp of config.exports) {
-    if (!config.services.includes(exp)) {
-      throw new Error("exports must be a subset of services");
-    }
-  }
-  return deepFreeze({
-    definition,
-    ...config
-  });
-}
-// src/module/router-def.ts
-var HTTP_METHODS = ["get", "post", "put", "patch", "delete", "head"];
-function createRouterDef(moduleName, config) {
-  const routes = [];
-  function addRoute(method, path, routeConfig) {
-    if (!path.startsWith("/")) {
-      throw new Error(`Route path must start with '/', got '${path}'`);
-    }
-    routes.push({ method, path, config: routeConfig });
-    return router;
-  }
-  const router = {
-    ...config,
-    moduleName,
-    routes
-  };
-  for (const method of HTTP_METHODS) {
-    router[method] = (path, cfg) => addRoute(method.toUpperCase(), path, cfg);
-  }
-  return router;
-}
-
-// src/module/service.ts
-function createServiceDef(moduleName, config) {
-  return deepFreeze({
-    ...config,
-    moduleName
-  });
-}
-
-// src/module/module-def.ts
-function createModuleDef(config) {
-  const def = {
-    ...config,
-    service: (serviceConfig) => createServiceDef(config.name, serviceConfig),
-    router: (routerConfig) => createRouterDef(config.name, routerConfig)
-  };
-  return deepFreeze(def);
-}
 // src/vertz.ts
 var vertz = /* @__PURE__ */ deepFreeze({
   env: createEnv,
   middleware: createMiddleware,
-  moduleDef: createModuleDef,
-  module: createModule,
   app: createApp,
   server: createApp
 });
@@ -524,8 +409,6 @@ export {
   makeImmutable,
   deepFreeze,
   createServer,
-  createModuleDef,
-  createModule,
   createMiddleware,
   createImmutableProxy,
   createEnv,

package/dist/internals.d.ts

@@ -53,7 +53,7 @@ interface ParsedRequest {
 	raw: Request;
 }
 declare function parseRequest(request: Request): ParsedRequest;
-declare function parseBody(request: Request): Promise<unknown>;
+declare function parseBody(request: Request, maxBodySize?: number): Promise<unknown>;
 declare function createJsonResponse(data: unknown, status?: number, headers?: Record<string, string>): Response;
 declare function createErrorResponse(error: unknown): Response;
 export { runMiddlewareChain, parseRequest, parseBody, createJsonResponse, createErrorResponse, buildCtx, Trie, ResolvedMiddleware };

package/dist/internals.js

@@ -6,7 +6,7 @@ import {
   parseBody,
   parseRequest,
   runMiddlewareChain
-} from "./shared/chunk-k596zpc6.js";
+} from "./shared/chunk-m3w3ytn5.js";
 export {
   runMiddlewareChain,
   parseRequest,

package/dist/shared/{chunk-k596zpc6.js → chunk-m3w3ytn5.js}

@@ -167,16 +167,24 @@ class ServiceUnavailableException extends VertzException {
   }
 }
 // src/middleware/middleware-runner.ts
+var DANGEROUS_KEYS = new Set(["__proto__", "constructor", "prototype"]);
 function isPlainObject(value) {
   return value !== null && typeof value === "object" && !Array.isArray(value);
 }
+function safeAssign(target, source) {
+  for (const key of Object.keys(source)) {
+    if (!DANGEROUS_KEYS.has(key)) {
+      target[key] = source[key];
+    }
+  }
+}
 async function runMiddlewareChain(middlewares, requestCtx) {
-  const accumulated = {};
+  const accumulated = Object.create(null);
   for (const mw of middlewares) {
     const ctx = { ...requestCtx, ...mw.resolvedInject, ...accumulated };
     const contribution = await mw.handler(ctx);
     if (isPlainObject(contribution)) {
-      Object.assign(accumulated, contribution);
+      safeAssign(accumulated, contribution);
     }
   }
   return accumulated;
@@ -300,11 +308,16 @@ function parseRequest(request) {
     method: request.method,
     path: url.pathname,
     query: Object.fromEntries(url.searchParams),
-    headers: Object.fromEntries(request.headers),
+    headers: Object.fromEntries([...request.headers].map(([k, v]) => [k.toLowerCase(), v])),
     raw: request
   };
 }
-async function parseBody(request) {
+var DEFAULT_MAX_BODY_SIZE = 10 * 1024 * 1024;
+async function parseBody(request, maxBodySize = DEFAULT_MAX_BODY_SIZE) {
+  const contentLength = parseInt(request.headers.get("content-length") ?? "0", 10);
+  if (maxBodySize && contentLength > maxBodySize) {
+    throw new BadRequestException("Request body too large");
+  }
   const contentType = request.headers.get("content-type") ?? "";
   if (contentType.includes("application/json")) {
     try {
@@ -328,7 +341,7 @@ function createJsonResponse(data, status = 200, headers) {
   return new Response(JSON.stringify(data), {
     status,
     headers: {
-      "content-type": "application/json",
+      "content-type": "application/json; charset=utf-8",
       ...headers
     }
   });

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@vertz/core",
-  "version": "0.2.1",
+  "version": "0.2.4",
   "type": "module",
   "license": "MIT",
   "description": "Vertz core framework primitives",
@@ -36,12 +36,12 @@
     "typecheck": "tsc --noEmit"
   },
   "dependencies": {
-    "@vertz/schema": "0.2.1"
+    "@vertz/schema": "0.2.2"
   },
   "devDependencies": {
     "@types/node": "^25.3.1",
     "@vitest/coverage-v8": "^4.0.18",
-    "bunup": "latest",
+    "bunup": "^0.16.31",
     "typescript": "^5.7.0",
     "vitest": "^4.0.18"
   },