bunsane 0.2.10 → 0.3.1

package/gql/visitors/ResolverGeneratorVisitor.ts

@@ -1,6 +1,8 @@
 import { GraphVisitor } from "./GraphVisitor";
 import { TypeNode, OperationNode, FieldNode, InputNode, ScalarNode } from "../graph/GraphNode";
 import { ResolverBuilder } from "../builders/ResolverBuilder";
+import { isSchemaInput } from "../schema";
+import * as z from "zod";
 import { logger } from "../../core/Logger";
 
 /**
@@ -54,9 +56,21 @@ export class ResolverGeneratorVisitor extends GraphVisitor {
 
         const type = node.operationType.charAt(0).toUpperCase() + node.operationType.slice(1).toLowerCase() as "Query" | "Mutation" | "Subscription";
 
-        // Extract Zod schema from input if it's a Zod type (check for '_def' property)
+        // Extract Zod schema from input. If it's already a Zod type (`_def`),
+        // use directly. If it's a Schema DSL input (`t.` API), convert each
+        // field `.toZod()` into a Zod object so the resolver validates it
+        // instead of passing raw args through (H-GQL-4).
         const input = node.metadata.input;
-        const zodSchema = (input && typeof input === 'object' && '_def' in input) ? input as any : null;
+        let zodSchema: any = null;
+        if (input && typeof input === 'object' && '_def' in input) {
+            zodSchema = input;
+        } else if (isSchemaInput(input)) {
+            const zodShape: Record<string, z.ZodType> = {};
+            for (const [key, field] of Object.entries(input)) {
+                zodShape[key] = (field as any).toZod();
+            }
+            zodSchema = z.object(zodShape);
+        }
 
         // Create resolver definitions for operations
         const resolverDef = {

package/package.json

@@ -1,6 +1,6 @@
 {
     "name": "bunsane",
-    "version": "0.2.10",
+    "version": "0.3.1",
     "author": {
         "name": "yaaruu"
     },

package/query/ComponentInclusionNode.ts

@@ -5,6 +5,7 @@ import { shouldUseLateralJoins, shouldUseDirectPartition } from "../core/Config"
 import { FilterBuilderRegistry } from "./FilterBuilderRegistry";
 import { ComponentRegistry } from "../core/components";
 import { getMetadataStorage } from "../core/metadata";
+import { assertIdentifier } from "./SqlIdentifier";
 
 /**
  * Check if a component property is numeric based on metadata
@@ -331,12 +332,16 @@ export class ComponentInclusionNode extends QueryNode {
             const sortComponentTableName = this.getComponentTableName(typeId);
             const nullsClause = sortOrder.nullsFirst ? 'NULLS FIRST' : 'NULLS LAST';
             const isNumeric = isNumericProperty(sortOrder.component, sortOrder.property);
+            // Validate property name before interpolating into JSON path.
+            // Without this, a malicious or malformed sortOrder.property could
+            // inject SQL through the template (C08).
+            const safeProperty = assertIdentifier(sortOrder.property, 'sortOrder.property');
 
             // Build scalar subquery to get sort value for each entity
             // This avoids nested loop join by forcing row-by-row evaluation
             const sortExpr = isNumeric
-                ? `(sort_c.data->>'${sortOrder.property}')::numeric`
-                : `sort_c.data->>'${sortOrder.property}'`;
+                ? `(sort_c.data->>'${safeProperty}')::numeric`
+                : `sort_c.data->>'${safeProperty}'`;
 
             const subquery = `(
                 SELECT ${sortExpr}
@@ -454,9 +459,10 @@ export class ComponentInclusionNode extends QueryNode {
 
         const nullsClause = sortOrder.nullsFirst ? 'NULLS FIRST' : 'NULLS LAST';
         const isNumeric = isNumericProperty(sortOrder.component, sortOrder.property);
+        const safeProperty = assertIdentifier(sortOrder.property, 'sortOrder.property');
         const sortExpr = isNumeric
-            ? `(c.data->>'${sortOrder.property}')::numeric`
-            : `c.data->>'${sortOrder.property}'`;
+            ? `(c.data->>'${safeProperty}')::numeric`
+            : `c.data->>'${safeProperty}'`;
 
         let sql: string;
         if (useDirectPartition) {
@@ -508,9 +514,10 @@ export class ComponentInclusionNode extends QueryNode {
 
         const nullsClause = sortOrder.nullsFirst ? 'NULLS FIRST' : 'NULLS LAST';
         const isNumeric = isNumericProperty(sortOrder.component, sortOrder.property);
+        const safeProperty = assertIdentifier(sortOrder.property, 'sortOrder.property');
         const sortExpr = isNumeric
-            ? `(sort_c.data->>'${sortOrder.property}')::numeric`
-            : `sort_c.data->>'${sortOrder.property}'`;
+            ? `(sort_c.data->>'${safeProperty}')::numeric`
+            : `sort_c.data->>'${safeProperty}'`;
 
         // Use scalar subquery to avoid cartesian product explosion
         // This forces PostgreSQL to evaluate sort value per-entity, preventing
@@ -599,11 +606,11 @@ export class ComponentInclusionNode extends QueryNode {
                     condition = result.sql;
                     // Note: custom builder is responsible for adding parameters via context.addParam()
                 } else {
-                    // Default filter logic
-                    // Validate filter value to prevent PostgreSQL UUID parsing errors
-                    if (filter.value === '' || (typeof filter.value === 'string' && filter.value.trim() === '')) {
-                        throw new Error(`Filter value for field "${filter.field}" is an empty string. This would cause PostgreSQL UUID parsing errors.`);
-                    }
+                    // Default filter logic. Empty-string values are permitted
+                    // here — `c.data->>'field'` extracts text, so `=`/`!=`/
+                    // `LIKE` against '' is legitimate. The UUID-cast path
+                    // below is gated on a regex that empty string cannot
+                    // match, so unsafe casts never fire.
 
                     // Check if value looks like a UUID (case-insensitive, with or without hyphens)
                     const valueStr = String(filter.value);

package/query/OrNode.ts

@@ -305,15 +305,13 @@ export class OrNode extends QueryNode {
     public execute(context: QueryContext): QueryResult {
         // Try optimized UNION ALL path for direct partition access
         // This avoids the slow multi-partition scanning by querying each partition directly
+        // (Verbose console.log debug traces removed — H-QUERY-2. Re-enable via
+        // a framework logger at debug level if needed.)
         const canUseOptimized = this.canUseUnionAllOptimization() && this.dependencies.length === 0;
-        console.log(`OrNode: Using optimized path: ${canUseOptimized}, dependencies: ${this.dependencies.length}, direct partition: ${require("../core/Config").shouldUseDirectPartition()}`);
-        console.log(`OrNode: Component types:`, Array.from(this.orQuery.getComponentTypes()));
 
         if (canUseOptimized) {
-            console.log("OrNode: Using optimized UNION path");
             return this.executeUnionAllOptimized(context);
         }
-        console.log("OrNode: Using fallback path");
 
         // Fall back to original implementation for:
         // - HASH partitioning (no direct partition access)

package/query/Query.ts

@@ -12,6 +12,7 @@ import { getMetadataStorage } from "../core/metadata";
 import { shouldUseDirectPartition } from "../core/Config";
 import type { SQL } from "bun";
 import type { ComponentConstructor, TypedEntity, ComponentRecord } from "../types/query.types";
+import { assertComponentTableName, assertFieldPath } from "./SqlIdentifier";
 
 export type FilterOperator = "=" | ">" | "<" | ">=" | "<=" | "!=" | "LIKE" | "ILIKE" | "IN" | "NOT IN" | string;
 
@@ -338,7 +339,13 @@ class Query<TComponents extends readonly ComponentConstructor[] = []> {
             throw new Error(`Component ${component.name} not registered`);
         }
 
-        const tableName = ComponentRegistry.getPartitionTableName(typeId);
+        // Validate the resolved partition table name against the component
+        // table allow-list before passing to pg_class lookup. Although
+        // `relname` here is a bound parameter ($1) and cannot inject SQL
+        // directly, we still reject unexpected names so a registry
+        // poisoning bug cannot query arbitrary tables.
+        const rawTableName = ComponentRegistry.getPartitionTableName(typeId);
+        const tableName = rawTableName ? assertComponentTableName(rawTableName, 'estimatedCount.tableName') : null;
         const dbConn = this.getDb();
 
         // Use PostgreSQL's statistics for fast count estimate
@@ -423,14 +430,11 @@ class Query<TComponents extends readonly ComponentConstructor[] = []> {
             console.log('---');
         }
 
-        // Validate params before execution to catch UUID errors early
-        for (let i = 0; i < result.params.length; i++) {
-            const param = result.params[i];
-            if (param === '' || (typeof param === 'string' && param.trim() === '')) {
-                logger.error(`Empty string parameter detected at position ${i + 1} in count query`);
-                throw new Error(`Query count parameter $${i + 1} is an empty string. This will cause PostgreSQL UUID parsing errors.`);
-            }
-        }
+        // Empty-string params are legitimate for text-field filters
+        // (`c.data->>'field' = ''`). UUID-typed params never reach this
+        // point empty — findById guards at entry; cursor/excluded IDs come
+        // from saved entities. PG emits a clear error if a UUID cast meets
+        // an empty string at execution time.
 
         // Safely extract count from result - handle undefined/null cases
         if (!countResult || countResult.length === 0 || countResult[0] === undefined) {
@@ -557,10 +561,17 @@ class Query<TComponents extends readonly ComponentConstructor[] = []> {
         // Execute the DAG to get the base query
         const result = dag.execute(this.context);
 
-        // Determine the component table name
-        const componentTableName = shouldUseDirectPartition()
+        // Determine the component table name. Validate against allow-list so
+        // a poisoned registry cannot inject SQL through the embedded name.
+        const rawComponentTableName = shouldUseDirectPartition()
             ? (ComponentRegistry.getPartitionTableName(typeId) || 'components')
             : 'components';
+        const componentTableName = assertComponentTableName(rawComponentTableName, 'doAggregate.componentTableName');
+
+        // Validate the field path — each dotted segment must be a safe
+        // identifier. Without this, a caller-supplied field with quote or
+        // `->` metacharacters would corrupt the JSON path expression (C08).
+        assertFieldPath(field, 'doAggregate.field');
 
         // Build the JSON path for the field
         let jsonPath: string;
@@ -609,14 +620,8 @@ AND c.deleted_at IS NULL`;
             console.log('---');
         }
 
-        // Validate params
-        for (let i = 0; i < result.params.length; i++) {
-            const param = result.params[i];
-            if (param === '' || (typeof param === 'string' && param.trim() === '')) {
-                logger.error(`Empty string parameter detected at position ${i + 1} in ${aggregateType} query`);
-                throw new Error(`Query ${aggregateType} parameter $${i + 1} is an empty string.`);
-            }
-        }
+        // Empty-string params are legitimate for text-field filters; see
+        // comment above in doCount.
 
         // Extract result
         if (!aggregateResult || aggregateResult.length === 0 || aggregateResult[0] === undefined) {
@@ -641,6 +646,19 @@ AND c.deleted_at IS NULL`;
      */
     @timed("Query.exec")
     public async exec(): Promise<TypedEntity<TComponents>[]> {
+        // Apply default LIMIT so unbounded queries cannot load entire tables
+        // into memory. Configurable via BUNSANE_DEFAULT_QUERY_LIMIT, 0 to
+        // disable. When the default is applied without an explicit .take(),
+        // warn once at execution so developers notice runaway queries
+        // (H-QUERY-1).
+        if (this.context.limit === null || this.context.limit === undefined) {
+            const envLimit = parseInt(process.env.BUNSANE_DEFAULT_QUERY_LIMIT ?? '10000', 10);
+            if (envLimit > 0) {
+                this.context.limit = envLimit;
+                logger.warn({ scope: 'Query.exec', defaultLimit: envLimit }, 'Query executed without explicit .take() — applying framework default LIMIT. Call .take(N) to suppress this warning.');
+            }
+        }
+
         return new Promise<TypedEntity<TComponents>[]>((resolve, reject) => {
             // Add timeout to prevent hanging queries
             const timeout = setTimeout(() => {
@@ -767,14 +785,11 @@ AND c.deleted_at IS NULL`;
             console.log('---');
         }
 
-        // Validate params before execution to catch UUID errors early
-        for (let i = 0; i < result.params.length; i++) {
-            const param = result.params[i];
-            if (param === '' || (typeof param === 'string' && param.trim() === '')) {
-                logger.error(`Empty string parameter detected at position ${i + 1}: SQL=${result.sql.substring(0, 200)}`);
-                throw new Error(`Query parameter $${i + 1} is an empty string. This will cause PostgreSQL UUID parsing errors. SQL: ${result.sql.substring(0, 100)}...`);
-            }
-        }
+        // Empty-string params are legitimate for text-field filters
+        // (`c.data->>'field' = ''`). UUID-typed params never reach this
+        // point empty — findById guards at entry; cursor/excluded IDs
+        // originate from saved entities. PG emits a clear error at
+        // execution time if a UUID cast meets an empty string.
 
         // Validate parameters before execution
         for (let i = 0; i < result.params.length; i++) {
@@ -994,10 +1009,6 @@ AND c.deleted_at IS NULL`;
     static filterOp = FilterOp;
 
     public static filter(field: string, operator: FilterOperator, value: any): QueryFilter {
-        // Validate value to catch empty strings early
-        if (value === '' || (typeof value === 'string' && value.trim() === '')) {
-            throw new Error(`Query.filter: Cannot create filter for field "${field}" with empty string value. This would cause PostgreSQL UUID parsing errors.`);
-        }
         return { field, operator, value };
     }
 

package/query/SqlIdentifier.ts

@@ -0,0 +1,105 @@
+/**
+ * SQL identifier sanitization helpers.
+ *
+ * These helpers prevent SQL injection when interpolating caller-supplied or
+ * metadata-derived strings into SQL via `db.unsafe(...)` or template literals.
+ * Parameter binding (`$1`, `$2`) is always preferred for values, but column
+ * names, table names, ORDER BY fields, and JSON path segments cannot be
+ * parameterized — they are sanitized against a strict allow-list instead.
+ *
+ * Ticket C08.
+ */
+
+/** Matches a safe identifier: letter/underscore followed by letters/digits/underscores. */
+const IDENT_RE = /^[A-Za-z_][A-Za-z0-9_]*$/;
+
+/** Matches a safe component table name: `components` or `components_<ident>`. */
+const COMPONENT_TABLE_RE = /^components(?:_[a-z0-9_]+)?$/;
+
+/**
+ * PostgreSQL text-search languages supported by `to_tsvector(config, ...)`.
+ * Extend as needed for deployments with additional dictionaries installed.
+ */
+const ALLOWED_TS_LANGUAGES = new Set<string>([
+    'simple',
+    'english',
+    'french',
+    'german',
+    'spanish',
+    'italian',
+    'portuguese',
+    'dutch',
+    'russian',
+    'swedish',
+    'norwegian',
+    'danish',
+    'finnish',
+    'turkish',
+    'hungarian',
+    'arabic',
+    'indonesian',
+    'irish',
+    'lithuanian',
+    'nepali',
+    'romanian',
+    'tamil',
+    'yiddish',
+]);
+
+/**
+ * Assert a string is a safe SQL identifier (column name, alias). Throws
+ * `InvalidIdentifierError` if not.
+ */
+export function assertIdentifier(value: unknown, context: string): string {
+    if (typeof value !== 'string' || !IDENT_RE.test(value)) {
+        throw new InvalidIdentifierError(context, String(value));
+    }
+    return value;
+}
+
+/**
+ * Assert a string is a safe component table name (e.g. `components`,
+ * `components_user`). Throws if not.
+ */
+export function assertComponentTableName(value: unknown, context: string): string {
+    if (typeof value !== 'string' || !COMPONENT_TABLE_RE.test(value)) {
+        throw new InvalidIdentifierError(context, String(value));
+    }
+    return value;
+}
+
+/**
+ * Assert a dotted JSON field path is safe. Each segment must be a valid
+ * identifier. Empty paths / empty segments are rejected.
+ */
+export function assertFieldPath(value: unknown, context: string): string {
+    if (typeof value !== 'string' || value.length === 0) {
+        throw new InvalidIdentifierError(context, String(value));
+    }
+    const parts = value.split('.');
+    for (const p of parts) {
+        if (!IDENT_RE.test(p)) {
+            throw new InvalidIdentifierError(context, value);
+        }
+    }
+    return value;
+}
+
+/**
+ * Assert a text-search language is in the allow-list. Defaults to `simple`
+ * when undefined (behavior preserved from the prior implementation).
+ */
+export function assertTsLanguage(value: unknown, context: string = 'tsLanguage'): string {
+    if (value === undefined || value === null) return 'simple';
+    if (typeof value !== 'string' || !ALLOWED_TS_LANGUAGES.has(value.toLowerCase())) {
+        throw new InvalidIdentifierError(context, String(value));
+    }
+    return value.toLowerCase();
+}
+
+export class InvalidIdentifierError extends Error {
+    constructor(context: string, value: string) {
+        super(`Invalid SQL identifier in ${context}: ${JSON.stringify(value)}`);
+        this.name = 'InvalidIdentifierError';
+    }
+}

package/query/builders/FullTextSearchBuilder.ts

@@ -8,6 +8,7 @@
 import type { FilterBuilder, FilterBuilderOptions } from "../FilterBuilder";
 import type { QueryFilter } from "../QueryContext";
 import type { QueryContext } from "../QueryContext";
+import { assertTsLanguage, assertFieldPath } from "../SqlIdentifier";
 
 /**
  * Full-text search filter value interface
@@ -68,12 +69,16 @@ export const fullTextSearchBuilder: FilterBuilder = (
     const value = filter.value as FullTextFilterValue;
     const { query, language = 'english', type = 'plain' } = value;
 
+    // Validate identifiers (C08).
+    const safeLanguage = assertTsLanguage(language, 'fullTextSearchBuilder.language');
+    assertFieldPath(filter.field, 'fullTextSearchBuilder.field');
+
     // Build the text search vector from the specified field
     const fieldPath = filter.field.includes('.')
         ? filter.field.split('.').map(p => `'${p}'`).join('->')
         : `'${filter.field}'`;
 
-    const vectorSql = `to_tsvector('${language}', ${alias}.data->${fieldPath})`;
+    const vectorSql = `to_tsvector('${safeLanguage}', ${alias}.data->${fieldPath})`;
 
     // Choose the appropriate query function based on type
     let queryFunction: string;
@@ -93,7 +98,7 @@ export const fullTextSearchBuilder: FilterBuilder = (
             break;
     }
 
-    const querySql = `${queryFunction}('${language}', $${context.addParam(query)})`;
+    const querySql = `${queryFunction}('${safeLanguage}', $${context.addParam(query)})`;
 
     return {
         sql: `${vectorSql} @@ ${querySql}`,
@@ -120,12 +125,16 @@ export const fullTextSearchWithRankBuilder: FilterBuilder = (
     const value = filter.value as FullTextFilterValue;
     const { query, language = 'english', type = 'plain' } = value;
 
+    // Validate identifiers (C08).
+    const safeLanguage = assertTsLanguage(language, 'fullTextSearchWithRankBuilder.language');
+    assertFieldPath(filter.field, 'fullTextSearchWithRankBuilder.field');
+
     // Build the text search vector from the specified field
     const fieldPath = filter.field.includes('.')
         ? filter.field.split('.').map(p => `'${p}'`).join('->')
         : `'${filter.field}'`;
 
-    const vectorSql = `to_tsvector('${language}', ${alias}.data->${fieldPath})`;
+    const vectorSql = `to_tsvector('${safeLanguage}', ${alias}.data->${fieldPath})`;
 
     // Choose the appropriate query function based on type
     let queryFunction: string;
@@ -145,7 +154,7 @@ export const fullTextSearchWithRankBuilder: FilterBuilder = (
             break;
     }
 
-    const querySql = `${queryFunction}('${language}', $${context.addParam(query)})`;
+    const querySql = `${queryFunction}('${safeLanguage}', $${context.addParam(query)})`;
 
     // Include ranking in the condition (can be used for ordering)
     const rankSql = `ts_rank(${vectorSql}, ${querySql})`;
@@ -187,16 +196,20 @@ export function createFullTextSearchBuilder(
     language: string = 'english',
     searchType: 'plain' | 'phrase' | 'web' | 'tsquery' = 'plain'
 ): { builder: FilterBuilder; options: FilterBuilderOptions } {
+    // Validate the language at factory-construction time so callers get an
+    // immediate error on invalid input rather than a runtime SQL error.
+    const safeLanguage = assertTsLanguage(language, 'createFullTextSearchBuilder.language');
     const builder: FilterBuilder = (filter: QueryFilter, alias: string, context: QueryContext) => {
         const value = filter.value as FullTextFilterValue;
         const query = value.query;
+        assertFieldPath(filter.field, 'createFullTextSearchBuilder.field');
 
         // Build the text search vector from the specified field
         const fieldPath = filter.field.includes('.')
             ? filter.field.split('.').map(p => `'${p}'`).join('->')
             : `'${filter.field}'`;
 
-        const vectorSql = `to_tsvector('${language}', ${alias}.data->${fieldPath})`;
+        const vectorSql = `to_tsvector('${safeLanguage}', ${alias}.data->${fieldPath})`;
 
         // Choose the appropriate query function based on type
         let queryFunction: string;
@@ -216,7 +229,7 @@ export function createFullTextSearchBuilder(
                 break;
         }
 
-        const querySql = `${queryFunction}('${language}', $${context.addParam(query)})`;
+        const querySql = `${queryFunction}('${safeLanguage}', $${context.addParam(query)})`;
 
         return {
             sql: `${vectorSql} @@ ${querySql}`,

package/service/ServiceRegistry.ts

@@ -1,35 +1,54 @@
 import type BaseService from "./Service";
-import ApplicationLifecycle, {ApplicationPhase} from "../core/ApplicationLifecycle";
+import ApplicationLifecycle, {ApplicationPhase, type PhaseChangeEvent} from "../core/ApplicationLifecycle";
 import { generateGraphQLSchemaV2 } from "../gql";
 import { GraphQLSchema } from "graphql";
 
-class ServiceRegistry {
+/**
+ * ServiceRegistry is a singleton. The default export and the re-exported
+ * named `ServiceRegistry` from `service/index.ts` both resolve to the
+ * singleton instance (for backward compatibility). When you need the class
+ * itself (for typing or subclassing), import `ServiceRegistryClass`.
+ */
+export class ServiceRegistry {
     static #instance: ServiceRegistry;
 
     private services: Map<string, BaseService> = new Map();
     private schema: GraphQLSchema | null = null;
+    private phaseListener: ((event: PhaseChangeEvent) => void) | null = null;
 
 
     constructor() {
-        
+
     }
 
     public init() {
-        ApplicationLifecycle.addPhaseListener((event) => {
+        // Remove previous listener if re-init (tests) to prevent listener stacking.
+        if (this.phaseListener) {
+            ApplicationLifecycle.removePhaseListener(this.phaseListener);
+        }
+        this.phaseListener = (event: PhaseChangeEvent) => {
             switch(event.detail) {
                 case ApplicationPhase.SYSTEM_REGISTERING: {
                     const servicesArray = Array.from(this.services.values());
-                    
-                    const result = generateGraphQLSchemaV2(servicesArray, { 
-                        enableArchetypeOperations: false 
+
+                    const result = generateGraphQLSchemaV2(servicesArray, {
+                        enableArchetypeOperations: false
                     });
-                    
+
                     this.schema = result.schema;
                     ApplicationLifecycle.setPhase(ApplicationPhase.SYSTEM_READY);
                     break;
                 };
             }
-        });
+        };
+        ApplicationLifecycle.addPhaseListener(this.phaseListener);
+    }
+
+    public dispose(): void {
+        if (this.phaseListener) {
+            ApplicationLifecycle.removePhaseListener(this.phaseListener);
+            this.phaseListener = null;
+        }
     }
 
 

package/service/index.ts

@@ -1,10 +1,12 @@
 import BaseService from "./Service";
-import  ServiceRegistry  from "./ServiceRegistry";
+import ServiceRegistry from "./ServiceRegistry";
+import { ServiceRegistry as ServiceRegistryClass } from "./ServiceRegistry";
 import { httpEndpoint } from "../rest";
 
 export {
     BaseService,
-    ServiceRegistry
+    ServiceRegistry,
+    ServiceRegistryClass,
 }
 
 // Shorthand decorators for HTTP methods

package/storage/LocalStorageProvider.ts

@@ -1,4 +1,6 @@
 import fs from "fs";
+import { pipeline } from "stream/promises";
+import { Readable } from "stream";
 import path from "path";
 import { StorageProvider } from "./StorageProvider";
 import type { UploadConfiguration, StorageResult, FileMetadata } from "../types/upload.types";
@@ -51,9 +53,16 @@ export class LocalStorageProvider extends StorageProvider {
                 fs.mkdirSync(uploadDir, { recursive: true });
             }
 
-            // Write file to disk
-            const buffer = Buffer.from(await file.arrayBuffer());
-            fs.writeFileSync(fullPath, buffer);
+            // Stream File → disk to avoid full in-memory buffering of large uploads.
+            const writeStream = fs.createWriteStream(fullPath);
+            try {
+                const webStream = file.stream() as ReadableStream<Uint8Array>;
+                const nodeStream = Readable.fromWeb(webStream as any);
+                await pipeline(nodeStream, writeStream);
+            } catch (streamError) {
+                try { fs.unlinkSync(fullPath); } catch { /* best-effort cleanup */ }
+                throw streamError;
+            }
 
             // Generate URL
             const url = this.buildUrl(relativePath);

package/storage/S3StorageProvider.ts

@@ -213,11 +213,11 @@ export class S3StorageProvider extends StorageProvider {
         const destKey = this.resolveKey(destinationPath);
 
         try {
-            const [data, stat] = await Promise.all([
-                this.client.file(sourceKey).arrayBuffer(),
-                this.client.stat(sourceKey),
-            ]);
-            await this.client.write(destKey, data, {
+            const stat = await this.client.stat(sourceKey);
+            const sourceFile = this.client.file(sourceKey);
+            // Pass the S3File directly so Bun streams bytes rather than loading
+            // the entire object into memory (previously `arrayBuffer()`).
+            await this.client.write(destKey, sourceFile, {
                 type: stat.type,
                 acl: this.acl,
             });
@@ -226,7 +226,7 @@ export class S3StorageProvider extends StorageProvider {
         } catch (error) {
             const msg =
                 error instanceof Error ? error.message : "Unknown error";
-            logger.error({ sourceKey, destKey }, "Failed to copy file");
+            logger.error({ sourceKey, destKey, err: msg }, "Failed to copy file");
             return false;
         }
     }

package/tests/e2e/http.test.ts

@@ -76,8 +76,12 @@ describe("E2E HTTP Routes", () => {
 
     it("OPTIONS /health returns 204 when CORS configured", async () => {
         app.setCors({ origin: "*" });
-        // Re-compose middleware chain not needed — CORS headers are added per-request in handleRequest
-        const res = await fetch(`${BASE}/health`, { method: "OPTIONS" });
+        // Preflight must carry Origin header per CORS spec; otherwise the
+        // server emits no Access-Control-Allow-Origin (no `|| '*'` fallback).
+        const res = await fetch(`${BASE}/health`, {
+            method: "OPTIONS",
+            headers: { Origin: "https://client.example" },
+        });
         expect(res.status).toBe(204);
         expect(res.headers.get("Access-Control-Allow-Origin")).toBe("*");
     });