bunqueue 2.8.6 → 2.8.8

package/dist/client/tcpPool.js

@@ -20,6 +20,7 @@ export class TcpConnectionPool {
             host: options.host ?? 'localhost',
             port: options.port ?? 6789,
             token: options.token ?? '',
+            tls: options.tls ?? false,
             poolSize,
             maxReconnectAttempts: options.maxReconnectAttempts ?? Infinity,
             reconnectDelay: options.reconnectDelay ?? 100,
@@ -39,6 +40,7 @@ export class TcpConnectionPool {
                 host: this.options.host,
                 port: this.options.port,
                 token: this.options.token,
+                tls: this.options.tls,
                 maxReconnectAttempts: this.options.maxReconnectAttempts,
                 reconnectDelay: this.options.reconnectDelay,
                 maxReconnectDelay: this.options.maxReconnectDelay,
@@ -49,6 +51,11 @@ export class TcpConnectionPool {
                 maxPingFailures: this.options.maxPingFailures,
                 maxCommandTimeouts: this.options.maxCommandTimeouts,
             });
+            // Socket-level errors (e.g. TLS handshake failures, protocol garbage) are
+            // emitted as 'error' events; without a listener EventEmitter would throw
+            // and crash the process. Commands are still settled via the close/timeout
+            // paths, so observing the error here is enough.
+            client.on('error', () => { });
             this.clients.push(client);
         }
     }
@@ -169,7 +176,10 @@ function getPoolKey(options) {
     const token = options?.token ?? '';
     // Include poolSize and token hash to prevent sharing pools with different configs
     const tokenHash = token ? String(Number(Bun.hash(token)) & 0xffff) : '0';
-    return `${host}:${port}:${poolSize}:${tokenHash}`;
+    // TLS config must differentiate pools too: a TLS pool and a plaintext pool
+    // to the same host:port are NOT interchangeable.
+    const tlsKey = options?.tls ? JSON.stringify(options.tls) : '0';
+    return `${host}:${port}:${poolSize}:${tokenHash}:${tlsKey}`;
 }
 /** Get or create shared connection pool */
 export function getSharedPool(options) {

package/dist/client/types.d.ts

@@ -360,6 +360,12 @@ export interface JobOptions {
     /** Debounce configuration */
     debounce?: DebounceOptions;
 }
+/**
+ * TLS options for client connections — single definition lives in tcp/types
+ * to prevent drift between the public and internal ConnectionOptions.
+ */
+export type { ClientTlsOptions } from './tcp/types';
+import type { ClientTlsOptions } from './tcp/types';
 /** Connection options for TCP mode */
 export interface ConnectionOptions {
     /** Server host (default: localhost, ignored if socketPath is set) */
@@ -368,6 +374,8 @@ export interface ConnectionOptions {
     port?: number;
     /** Unix socket path (takes priority over host/port) */
     socketPath?: string;
+    /** Enable TLS to the server: true (system CAs) or custom options (default: off) */
+    tls?: boolean | ClientTlsOptions;
     /** Auth token */
     token?: string;
     /** Connection pool size for parallel operations (default: 1, set >1 to enable pooling) */

package/dist/client/worker/worker.js

@@ -44,6 +44,7 @@ function createTcpPool(opts, concurrency) {
         host: connOpts.host ?? 'localhost',
         port: connOpts.port ?? 6789,
         token,
+        tls: connOpts.tls,
         poolSize,
         pingInterval: connOpts.pingInterval,
         commandTimeout: connOpts.commandTimeout,
@@ -398,9 +399,12 @@ export class Worker extends EventEmitter {
             cmd: 'ExtendLocks',
             ids: jobIds,
             tokens,
-            duration,
+            // Protocol expects a per-id `durations` array, and the handler returns
+            // `count` (not `extended`). Sending `duration`/reading `extended` made
+            // batch lock renewal silently keep the old TTL.
+            durations: jobIds.map(() => duration),
         });
-        const extended = response.extended;
+        const extended = response.count;
         return extended ?? 0;
     }
     // ============ Lifecycle ============
@@ -735,6 +739,7 @@ export class Worker extends EventEmitter {
             workerId: this.workerId,
             useLocks: this.opts.useLocks,
             pollTimeout: this.opts.pollTimeout,
+            lockDuration: this.opts.lockDuration,
         };
     }
     /** Apply worker-level removeOnComplete/removeOnFail defaults to a job */

package/dist/client/worker/workerPull.d.ts

@@ -9,6 +9,8 @@ export interface PullConfig {
     readonly workerId: string;
     readonly useLocks: boolean;
     readonly pollTimeout: number;
+    /** Lock TTL in ms to request from the server on a lock-based pull. */
+    readonly lockDuration?: number;
 }
 export declare function pullEmbedded(config: PullConfig, count: number): Promise<Array<{
     job: InternalJob;

package/dist/client/worker/workerPull.js

@@ -6,13 +6,14 @@ import { getSharedManager } from '../manager';
 import { parseJobFromResponse } from './jobParser';
 export async function pullEmbedded(config, count) {
     const manager = getSharedManager();
-    // Use lock-based pull only when useLocks is enabled
+    // Use lock-based pull only when useLocks is enabled. Pass lockDuration so the
+    // configured lock TTL is honored in embedded mode too (undefined → server default).
     if (config.useLocks) {
         if (count === 1) {
-            const { job, token } = await manager.pullWithLock(config.name, config.workerId, 0);
+            const { job, token } = await manager.pullWithLock(config.name, config.workerId, 0, config.lockDuration);
             return job ? [{ job, token }] : [];
         }
-        const { jobs, tokens } = await manager.pullBatchWithLock(config.name, count, config.workerId, 0);
+        const { jobs, tokens } = await manager.pullBatchWithLock(config.name, count, config.workerId, 0, config.lockDuration);
         return jobs.map((job, i) => ({ job, token: tokens[i] || null }));
     }
     // No locks - use regular pull
@@ -26,16 +27,22 @@ export async function pullEmbedded(config, count) {
 export async function pullTcp(config, tcp, count, closing) {
     if (closing)
         return [];
-    // Build pull command - only request locks if useLocks is enabled
+    // Build pull command - only request locks if useLocks is enabled.
+    // `count` belongs to the batch PULLB; a single PULL doesn't need it.
     const cmd = {
         cmd: count === 1 ? 'PULL' : 'PULLB',
         queue: config.name,
         timeout: config.pollTimeout,
-        count,
     };
+    if (count > 1)
+        cmd.count = count;
     // Only request lock ownership when useLocks is enabled
     if (config.useLocks) {
         cmd.owner = config.workerId;
+        // Propagate the configured lock TTL so the server doesn't always fall back
+        // to its 30s default (WorkerOptions.lockDuration was previously ignored).
+        if (config.lockDuration !== undefined)
+            cmd.lockTtl = config.lockDuration;
     }
     const response = await tcp.send(cmd);
     if (!response.ok)

package/dist/config/index.d.ts

@@ -5,5 +5,5 @@
 export { defineConfig } from './types';
 export type { BunqueueConfig } from './types';
 export { loadConfigFile } from './loader';
-export { resolveServerConfig, resolveCloudConfig, resolveBackupConfig } from './resolve';
+export { resolveServerConfig, resolveCloudConfig, resolveBackupConfig, resolveTlsServerOptions, } from './resolve';
 export type { ResolvedConfig } from './resolve';

package/dist/config/index.js

@@ -4,4 +4,4 @@
  */
 export { defineConfig } from './types';
 export { loadConfigFile } from './loader';
-export { resolveServerConfig, resolveCloudConfig, resolveBackupConfig } from './resolve';
+export { resolveServerConfig, resolveCloudConfig, resolveBackupConfig, resolveTlsServerOptions, } from './resolve';

package/dist/config/resolve.d.ts

@@ -12,6 +12,8 @@ export interface ResolvedConfig {
     hostname: string;
     tcpSocketPath: string | undefined;
     httpSocketPath: string | undefined;
+    tlsCertFile: string | undefined;
+    tlsKeyFile: string | undefined;
     authTokens: string[];
     dataPath: string | undefined;
     corsOrigins: string[];
@@ -22,6 +24,18 @@ export interface ResolvedConfig {
 }
 /** Resolve server config: config file > env vars > defaults */
 export declare function resolveServerConfig(fileConfig: BunqueueConfig | null): ResolvedConfig;
+/**
+ * Resolve server TLS options from resolved config. Returns null when TLS is
+ * not configured; throws when only one of cert/key is set (fail fast at
+ * startup rather than serving plaintext when the operator expected TLS).
+ */
+export declare function resolveTlsServerOptions(config: {
+    tlsCertFile?: string;
+    tlsKeyFile?: string;
+}): {
+    certFile: string;
+    keyFile: string;
+} | null;
 /** Resolve cloud config: config file > env vars. Returns null if disabled. */
 export declare function resolveCloudConfig(fileConfig: BunqueueConfig | null, dataPath?: string): CloudConfig | null;
 /** Resolve S3 backup config: config file > env vars */

package/dist/config/resolve.js

@@ -14,6 +14,8 @@ export function resolveServerConfig(fileConfig) {
         hostname: fc?.server?.host ?? Bun.env.HOST ?? '0.0.0.0',
         tcpSocketPath: fc?.server?.tcpSocketPath ?? Bun.env.TCP_SOCKET_PATH,
         httpSocketPath: fc?.server?.httpSocketPath ?? Bun.env.HTTP_SOCKET_PATH,
+        tlsCertFile: fc?.server?.tlsCertFile ?? Bun.env.TLS_CERT_FILE,
+        tlsKeyFile: fc?.server?.tlsKeyFile ?? Bun.env.TLS_KEY_FILE,
         authTokens: fc?.auth?.tokens ?? Bun.env.AUTH_TOKENS?.split(',').filter(Boolean) ?? [],
         dataPath: fc?.storage?.dataPath ??
             Bun.env.BUNQUEUE_DATA_PATH ??
@@ -28,6 +30,23 @@ export function resolveServerConfig(fileConfig) {
         statsIntervalMs: fc?.timeouts?.stats ?? parseInt(Bun.env.STATS_INTERVAL_MS ?? '300000', 10),
     };
 }
+/**
+ * Resolve server TLS options from resolved config. Returns null when TLS is
+ * not configured; throws when only one of cert/key is set (fail fast at
+ * startup rather than serving plaintext when the operator expected TLS).
+ */
+export function resolveTlsServerOptions(config) {
+    const { tlsCertFile, tlsKeyFile } = config;
+    if (!tlsCertFile && !tlsKeyFile)
+        return null;
+    if (!tlsKeyFile) {
+        throw new Error('TLS misconfigured: tlsCertFile is set but tlsKeyFile (TLS_KEY_FILE) is missing');
+    }
+    if (!tlsCertFile) {
+        throw new Error('TLS misconfigured: tlsKeyFile is set but tlsCertFile (TLS_CERT_FILE) is missing');
+    }
+    return { certFile: tlsCertFile, keyFile: tlsKeyFile };
+}
 /** Resolve cloud config: config file > env vars. Returns null if disabled. */
 export function resolveCloudConfig(fileConfig, dataPath) {
     const fc = fileConfig?.cloud;

package/dist/config/types.d.ts

@@ -10,6 +10,10 @@ export interface BunqueueConfig {
         host?: string;
         tcpSocketPath?: string;
         httpSocketPath?: string;
+        /** Path to PEM certificate file — enables native TLS on TCP + HTTP (with tlsKeyFile) */
+        tlsCertFile?: string;
+        /** Path to PEM private key file — enables native TLS on TCP + HTTP (with tlsCertFile) */
+        tlsKeyFile?: string;
     };
     auth?: {
         tokens?: string[];

package/dist/domain/types/command.d.ts

@@ -98,6 +98,8 @@ export interface FailCommand extends BaseCommand {
     readonly id: string;
     readonly error?: string;
     readonly token?: string;
+    /** Skip all remaining retries and fail terminally (UnrecoverableError over TCP). */
+    readonly unrecoverable?: boolean;
 }
 export interface GetJobCommand extends BaseCommand {
     readonly cmd: 'GetJob';
@@ -309,6 +311,8 @@ export interface AddLogCommand extends BaseCommand {
 export interface GetLogsCommand extends BaseCommand {
     readonly cmd: 'GetLogs';
     readonly id: string;
+    readonly start?: number;
+    readonly end?: number;
 }
 export interface HeartbeatCommand extends BaseCommand {
     readonly cmd: 'Heartbeat';

package/dist/infrastructure/server/handlers/advanced.js

@@ -4,6 +4,45 @@
  */
 import * as resp from '../../../domain/types/response';
 import { jobId } from '../../../domain/types/job';
+/**
+ * Coerce a value to a finite number, or return undefined if it can't be.
+ * Guards config endpoints against non-numeric input (e.g. `"abc"`) that would
+ * otherwise reach numeric comparisons as NaN and silently break behaviour
+ * (a string `stallInterval` disabled stall detection entirely).
+ */
+function toFiniteNumber(value) {
+    if (value === undefined || value === null)
+        return undefined;
+    const n = typeof value === 'number' ? value : Number(value);
+    return Number.isFinite(n) ? n : undefined;
+}
+/**
+ * Sanitize the numeric fields of a config object: coerce numeric strings, drop
+ * non-numeric garbage (so the manager's merge keeps the existing/default value
+ * instead of storing NaN). Booleans and unknown keys pass through untouched.
+ */
+function sanitizeConfigNumbers(config, numericKeys) {
+    if (!config || typeof config !== 'object')
+        return config;
+    const numeric = new Set(numericKeys);
+    const out = {};
+    for (const [key, value] of Object.entries(config)) {
+        if (!numeric.has(key)) {
+            out[key] = value; // booleans / unknown keys pass through untouched
+            continue;
+        }
+        if (value === null) {
+            out[key] = null; // valid for nullable fields (e.g. dlq maxAge)
+            continue;
+        }
+        const n = toFiniteNumber(value);
+        // coerce numeric strings; omit non-numeric garbage so the manager's merge
+        // keeps the existing/default value instead of storing NaN
+        if (n !== undefined)
+            out[key] = n;
+    }
+    return out;
+}
 // ============ Job Management ============
 /** Handle Update command - update job data */
 export async function handleUpdate(cmd, ctx, reqId) {
@@ -122,8 +161,11 @@ export function handleCount(cmd, ctx, reqId) {
 // ============ Rate Limiting ============
 /** Handle RateLimit command */
 export function handleRateLimit(cmd, ctx, reqId) {
-    ctx.queueManager.setRateLimit(cmd.queue, cmd.limit);
-    ctx.queueManager.emitDashboardEvent('ratelimit:set', { queue: cmd.queue, max: cmd.limit });
+    const limit = toFiniteNumber(cmd.limit);
+    if (limit === undefined)
+        return resp.error('limit must be a finite number', reqId);
+    ctx.queueManager.setRateLimit(cmd.queue, limit);
+    ctx.queueManager.emitDashboardEvent('ratelimit:set', { queue: cmd.queue, max: limit });
     return resp.ok(undefined, reqId);
 }
 /** Handle RateLimitClear command */
@@ -134,10 +176,13 @@ export function handleRateLimitClear(cmd, ctx, reqId) {
 }
 /** Handle SetConcurrency command */
 export function handleSetConcurrency(cmd, ctx, reqId) {
-    ctx.queueManager.setConcurrency(cmd.queue, cmd.limit);
+    const limit = toFiniteNumber(cmd.limit);
+    if (limit === undefined)
+        return resp.error('limit must be a finite number', reqId);
+    ctx.queueManager.setConcurrency(cmd.queue, limit);
     ctx.queueManager.emitDashboardEvent('concurrency:set', {
         queue: cmd.queue,
-        concurrency: cmd.limit,
+        concurrency: limit,
     });
     return resp.ok(undefined, reqId);
 }
@@ -150,10 +195,11 @@ export function handleClearConcurrency(cmd, ctx, reqId) {
 // ============ Config Commands ============
 /** Handle SetStallConfig command */
 export function handleSetStallConfig(cmd, ctx, reqId) {
-    ctx.queueManager.setStallConfig(cmd.queue, cmd.config);
+    const config = sanitizeConfigNumbers(cmd.config, ['stallInterval', 'maxStalls', 'gracePeriod']);
+    ctx.queueManager.setStallConfig(cmd.queue, config);
     ctx.queueManager.emitDashboardEvent('config:stall-changed', {
         queue: cmd.queue,
-        config: cmd.config,
+        config,
     });
     return resp.ok(undefined, reqId);
 }
@@ -164,10 +210,16 @@ export function handleGetStallConfig(cmd, ctx, reqId) {
 }
 /** Handle SetDlqConfig command */
 export function handleSetDlqConfig(cmd, ctx, reqId) {
-    ctx.queueManager.setDlqConfig(cmd.queue, cmd.config);
+    const config = sanitizeConfigNumbers(cmd.config, [
+        'autoRetryInterval',
+        'maxAutoRetries',
+        'maxAge',
+        'maxEntries',
+    ]);
+    ctx.queueManager.setDlqConfig(cmd.queue, config);
     ctx.queueManager.emitDashboardEvent('config:dlq-changed', {
         queue: cmd.queue,
-        config: cmd.config,
+        config,
     });
     return resp.ok(undefined, reqId);
 }

package/dist/infrastructure/server/handlers/core.js

@@ -189,7 +189,7 @@ export async function handleAckBatch(cmd, ctx, reqId) {
 export async function handleFail(cmd, ctx, reqId) {
     try {
         const jid = jobId(cmd.id);
-        await ctx.queueManager.fail(jid, cmd.error, cmd.token);
+        await ctx.queueManager.fail(jid, cmd.error, cmd.token, cmd.unrecoverable);
         // Unregister job from client tracking
         ctx.queueManager.unregisterClientJob(ctx.clientId, jid);
         return resp.ok(undefined, reqId);

package/dist/infrastructure/server/handlers/cron.js

@@ -40,6 +40,7 @@ export function handleCron(cmd, ctx, reqId) {
                 repeatEvery: cron.repeatEvery,
                 nextRun: cron.nextRun,
                 timezone: cron.timezone,
+                priority: cron.priority,
             },
             reqId,
         };

package/dist/infrastructure/server/handlers/monitoring.js

@@ -18,8 +18,13 @@ export function handleAddLog(cmd, ctx, reqId) {
 }
 export function handleGetLogs(cmd, ctx, reqId) {
     const jid = jobId(cmd.id);
-    const logs = ctx.queueManager.getLogs(jid);
-    return resp.data({ logs }, reqId);
+    const all = ctx.queueManager.getLogs(jid);
+    // Honor optional pagination (start/end inclusive) the client already sends.
+    const total = all.length;
+    const logs = cmd.start === undefined && cmd.end === undefined
+        ? all
+        : all.slice(cmd.start ?? 0, (cmd.end ?? total - 1) + 1);
+    return resp.data({ logs, count: total }, reqId);
 }
 // ============ Worker Heartbeat ============
 export function handleHeartbeat(cmd, ctx, reqId) {

package/dist/infrastructure/server/http.d.ts

@@ -5,6 +5,7 @@
 import type { Server, ServerWebSocket } from 'bun';
 import type { QueueManager } from '../../application/queueManager';
 import { type WsData } from './wsHandler';
+import { type TlsServerOptions } from './tls';
 /** HTTP Server configuration */
 export interface HttpServerConfig {
     port?: number;
@@ -13,6 +14,8 @@ export interface HttpServerConfig {
     authTokens?: string[];
     corsOrigins?: string[];
     requireAuthForMetrics?: boolean;
+    /** Native TLS termination (https/wss). Protocol and routes are unchanged. */
+    tls?: TlsServerOptions;
 }
 /**
  * Create and start HTTP server

package/dist/infrastructure/server/http.js

@@ -10,6 +10,7 @@ import { SseHandler } from './sseHandler';
 import { WsHandler } from './wsHandler';
 import { jsonResponse, corsResponse, healthEndpoint, gcEndpoint, heapStatsEndpoint, statsEndpoint, metricsEndpoint, dashboardOverviewEndpoint, dashboardQueuesEndpoint, dashboardQueueDetailEndpoint, } from './httpEndpoints';
 import { routeJobRoutes } from './httpRouteJobs';
+import { loadTlsOptions } from './tls';
 import { routeQueueRoutes } from './httpRouteQueues';
 import { routeQueueConfigRoutes } from './httpRouteQueueConfig';
 import { routeResourceRoutes } from './httpRouteResources';
@@ -59,6 +60,17 @@ export function createHttpServer(queueManager, config) {
     });
     // Helper to get CORS origin string
     const getCorsOrigin = () => (corsOrigins.has('*') ? '*' : Array.from(corsOrigins).join(', '));
+    // Attach CORS to responses built outside the routeRequest pipeline (health,
+    // ready, prometheus, debug) so browser dashboards can read them cross-origin
+    // (audit #16-20). Response headers are mutable for normally-constructed
+    // Responses; this never overwrites an existing value set by the endpoint.
+    const withCors = async (r) => {
+        const res = await r;
+        if (!res.headers.has('Access-Control-Allow-Origin')) {
+            res.headers.set('Access-Control-Allow-Origin', getCorsOrigin());
+        }
+        return res;
+    };
     // Fetch handler
     const fetch = async (req, server) => {
         const url = new URL(req.url);
@@ -69,26 +81,26 @@ export function createHttpServer(queueManager, config) {
         }
         // Health endpoints (no auth, no rate limit)
         if (path === '/health') {
-            return healthEndpoint(queueManager, wsHandler.size, sseHandler.size);
+            return withCors(healthEndpoint(queueManager, wsHandler.size, sseHandler.size));
         }
         if (path === '/healthz' || path === '/live') {
-            return new Response('OK', { status: 200 });
+            return withCors(new Response('OK', { status: 200 }));
         }
         if (path === '/ready') {
-            return jsonResponse({ ok: true, ready: true });
+            return jsonResponse({ ok: true, ready: true }, 200, corsOrigins);
         }
         // Debug endpoints (require auth)
         if (path === '/gc' && req.method === 'POST') {
             const denied = checkAuth(req, authTokens);
             if (denied)
                 return denied;
-            return gcEndpoint(queueManager);
+            return withCors(gcEndpoint(queueManager));
         }
         if (path === '/heapstats' && req.method === 'GET') {
             const denied = checkAuth(req, authTokens);
             if (denied)
                 return denied;
-            return heapStatsEndpoint(queueManager);
+            return withCors(heapStatsEndpoint(queueManager));
         }
         // Rate limiting
         const clientIp = req.headers.get('x-forwarded-for')?.split(',')[0]?.trim() ??
@@ -131,7 +143,10 @@ export function createHttpServer(queueManager, config) {
                     return denied;
             }
             return new Response(queueManager.getPrometheusMetrics(), {
-                headers: { 'Content-Type': 'text/plain; version=0.0.4; charset=utf-8' },
+                headers: {
+                    'Content-Type': 'text/plain; version=0.0.4; charset=utf-8',
+                    'Access-Control-Allow-Origin': getCorsOrigin(),
+                },
             });
         }
         // Check authentication for other endpoints
@@ -188,15 +203,22 @@ export function createHttpServer(queueManager, config) {
             });
         },
     };
-    // Create server
+    // Create server (validate TLS files BEFORE binding, fail fast on bad paths)
+    const tlsOptions = config.tls ? loadTlsOptions(config.tls) : undefined;
     let server;
     if (config.socketPath) {
-        server = Bun.serve({ unix: config.socketPath, fetch, websocket });
+        server = Bun.serve({
+            unix: config.socketPath,
+            ...(tlsOptions && { tls: tlsOptions }),
+            fetch,
+            websocket,
+        });
     }
     else {
         server = Bun.serve({
             hostname: config.hostname ?? '0.0.0.0',
             port: config.port ?? 6790,
+            ...(tlsOptions && { tls: tlsOptions }),
             fetch,
             websocket,
         });

package/dist/infrastructure/server/httpRouteJobs.js

@@ -79,6 +79,7 @@ async function routeJobManagement(req, path, method, ctx, cors) {
             cmd: 'ChangePriority',
             id: priorityMatch[1],
             priority: body['priority'],
+            lifo: body['lifo'],
         }, ctx);
         return jsonResponse(r, r.ok ? 200 : 400, cors);
     }
@@ -250,7 +251,12 @@ export async function routeJobRoutes(req, path, method, ctx, cors) {
         const body = await parseJsonBody(req, cors);
         if (body instanceof Response)
             return body;
-        const r = await handleCommand({ cmd: 'ACK', id: ackMatch[1], result: body['result'] }, ctx);
+        const r = await handleCommand({
+            cmd: 'ACK',
+            id: ackMatch[1],
+            result: body['result'],
+            token: body['token'],
+        }, ctx);
         return jsonResponse(r, r.ok ? 200 : 400, cors);
     }
     // POST /jobs/:id/fail
@@ -259,7 +265,13 @@ export async function routeJobRoutes(req, path, method, ctx, cors) {
         const body = await parseJsonBody(req, cors);
         if (body instanceof Response)
             return body;
-        const r = await handleCommand({ cmd: 'FAIL', id: failMatch[1], error: body['error'] }, ctx);
+        const r = await handleCommand({
+            cmd: 'FAIL',
+            id: failMatch[1],
+            error: body['error'],
+            token: body['token'],
+            unrecoverable: body['unrecoverable'],
+        }, ctx);
         return jsonResponse(r, r.ok ? 200 : 400, cors);
     }
     // Delegate to sub-routers

package/dist/infrastructure/server/httpRouteQueueConfig.js

@@ -26,8 +26,23 @@ export async function routeQueueConfigRoutes(req, path, method, ctx, cors) {
     const dlqMatch = path.match(RE_QUEUE_DLQ);
     if (dlqMatch && method === 'GET') {
         const queue = decodeURIComponent(dlqMatch[1]);
-        const entries = ctx.queueManager.getDlqEntries(queue);
-        return jsonResponse({ ok: true, entries }, 200, cors);
+        const all = ctx.queueManager.getDlqEntries(queue);
+        // Optional pagination so a dashboard can page large DLQs. Non-numeric params
+        // are ignored (treated as absent) rather than producing an empty/garbage slice.
+        const params = new URL(req.url).searchParams;
+        const toInt = (v) => {
+            if (v === null)
+                return undefined;
+            const n = Number(v);
+            return Number.isFinite(n) ? Math.trunc(n) : undefined;
+        };
+        const limit = toInt(params.get('limit'));
+        const offset = toInt(params.get('offset'));
+        const start = Math.max(0, offset ?? 0);
+        const entries = limit === undefined && offset === undefined
+            ? all
+            : all.slice(start, start + (limit !== undefined ? Math.max(0, limit) : all.length));
+        return jsonResponse({ ok: true, entries, total: all.length }, 200, cors);
     }
     // POST /queues/:queue/dlq/retry
     const dlqRetryMatch = path.match(RE_QUEUE_DLQ_RETRY);
@@ -79,7 +94,8 @@ export async function routeQueueConfigRoutes(req, path, method, ctx, cors) {
         const r = await handleCommand({
             cmd: 'SetConcurrency',
             queue,
-            limit: body['limit'],
+            // Accept the natural `concurrency` field for this endpoint as well as `limit`.
+            limit: (body['concurrency'] ?? body['limit']),
         }, ctx);
         return jsonResponse(r, 200, cors);
     }

package/dist/infrastructure/server/httpRouteQueues.js

@@ -105,7 +105,19 @@ async function routeJobOps(req, path, method, ctx, cors) {
     if (listMatch && method === 'GET') {
         const queue = decodeURIComponent(listMatch[1]);
         const url = new URL(req.url);
-        const stateValues = url.searchParams.getAll('state');
+        // Accept `state`, `status` (dashboard/REST convention), and `states` as
+        // aliases, each repeatable and comma-separated. Previously only `state` was
+        // read, so `?status=failed` silently fell through to an unfiltered list and
+        // returned the whole queue (#95). A state name never contains a comma, so
+        // splitting is safe.
+        const stateValues = [
+            ...url.searchParams.getAll('state'),
+            ...url.searchParams.getAll('status'),
+            ...url.searchParams.getAll('states'),
+        ]
+            .flatMap((v) => v.split(','))
+            .map((s) => s.trim())
+            .filter(Boolean);
         const state = stateValues.length === 0
             ? undefined
             : stateValues.length === 1

package/dist/infrastructure/server/httpRouteResources.js

@@ -40,6 +40,10 @@ export async function routeResourceRoutes(req, path, method, ctx, cors) {
             uniqueKey: body['uniqueKey'],
             dedup: body['dedup'],
             skipMissedOnRestart: body['skipMissedOnRestart'],
+            immediately: body['immediately'],
+            skipIfNoWorker: body['skipIfNoWorker'],
+            preventOverlap: body['preventOverlap'],
+            jobOptions: body['jobOptions'],
         }, ctx);
         return jsonResponse(r, r.ok ? 200 : 400, cors);
     }

package/dist/infrastructure/server/tcp.d.ts

@@ -9,6 +9,7 @@ import { type HandlerContext } from './handler';
 import { FrameParser, type ConnectionState } from './protocol';
 import { Semaphore } from '../../shared/semaphore';
 import { SocketWriteQueue } from './socketWriteQueue';
+import { type TlsServerOptions } from './tls';
 /** TCP Server configuration */
 export interface TcpServerConfig {
     /** TCP port */
@@ -29,6 +30,11 @@ export interface TcpServerConfig {
      * Mainly for tests.
      */
     maxWriteQueueBytes?: number;
+    /**
+     * Native TLS termination. When set, the server only accepts TLS clients —
+     * the msgpack protocol is unchanged, only the transport is wrapped.
+     */
+    tls?: TlsServerOptions;
 }
 /** Per-connection data */
 interface ConnectionData {