bunsane 0.2.9 → 0.3.0

package/gql/complexityLimit.ts

@@ -0,0 +1,95 @@
+import {
+    type ASTVisitor,
+    type DocumentNode,
+    type FragmentDefinitionNode,
+    type ValidationContext,
+    GraphQLError,
+    Kind,
+} from "graphql";
+
+/**
+ * Lightweight GraphQL query complexity validator. Assigns each selected field
+ * a base cost of 1, multiplied by the value of a `first` / `limit` / `take`
+ * argument when present. Nested selections contribute their (multiplied) cost.
+ * Fragments are followed and deduped. Introspection queries are exempt.
+ *
+ * Not as expressive as `graphql-query-complexity` (no per-field estimators,
+ * no custom weights). Enough to block obviously abusive nested archetype
+ * relations without a heavyweight dep.
+ */
+export function complexityLimitRule(maxComplexity: number) {
+    return function ComplexityLimitValidationRule(
+        context: ValidationContext,
+    ): ASTVisitor {
+        const document: DocumentNode = context.getDocument();
+
+        const fragments = new Map<string, FragmentDefinitionNode>();
+        for (const def of document.definitions) {
+            if (def.kind === Kind.FRAGMENT_DEFINITION) {
+                fragments.set(def.name.value, def);
+            }
+        }
+
+        const MULTIPLIER_ARGS = new Set(["first", "limit", "take"]);
+
+        function readMultiplier(args: readonly any[] | undefined): number {
+            if (!args) return 1;
+            for (const arg of args) {
+                if (!MULTIPLIER_ARGS.has(arg.name.value)) continue;
+                const v = arg.value;
+                if (v.kind === Kind.INT) {
+                    const n = parseInt(v.value, 10);
+                    if (Number.isFinite(n) && n > 0) return n;
+                }
+            }
+            return 1;
+        }
+
+        function cost(
+            node: { selectionSet?: { selections: readonly any[] } },
+            visited: Set<string>,
+        ): number {
+            if (!node.selectionSet) return 0;
+
+            let total = 0;
+            for (const selection of node.selectionSet.selections) {
+                if (selection.kind === Kind.FIELD) {
+                    const multiplier = readMultiplier(selection.arguments);
+                    const childCost = cost(selection, visited);
+                    total += multiplier * (1 + childCost);
+                } else if (selection.kind === Kind.INLINE_FRAGMENT) {
+                    total += cost(selection, visited);
+                } else if (selection.kind === Kind.FRAGMENT_SPREAD) {
+                    const name = selection.name.value;
+                    if (visited.has(name)) continue;
+                    visited.add(name);
+                    const fragment = fragments.get(name);
+                    if (fragment) total += cost(fragment, visited);
+                }
+            }
+            return total;
+        }
+
+        return {
+            OperationDefinition(node) {
+                if (node.selectionSet) {
+                    const isIntrospection = node.selectionSet.selections.every(
+                        (sel) =>
+                            sel.kind === Kind.FIELD &&
+                            sel.name.value.startsWith("__"),
+                    );
+                    if (isIntrospection) return;
+                }
+
+                const total = cost(node, new Set());
+                if (total > maxComplexity) {
+                    context.reportError(
+                        new GraphQLError(
+                            `Query complexity ${total} exceeds maximum allowed complexity of ${maxComplexity}`,
+                        ),
+                    );
+                }
+            },
+        };
+    };
+}

package/gql/index.ts

@@ -2,6 +2,7 @@ import {createSchema, createYoga, type Plugin} from 'graphql-yoga';
 import { useValidationRule } from '@envelop/core';
 import { GraphQLSchema, GraphQLError } from 'graphql';
 import { depthLimitRule } from './depthLimit';
+import { complexityLimitRule } from './complexityLimit';
 import { GraphQLObjectType, GraphQLField, GraphQLOperation, GraphQLScalarType, GraphQLSubscription } from './Generator';
 import {GraphQLFieldTypes} from "./types"
 import {logger as MainLogger} from "../core/Logger"
@@ -144,6 +145,8 @@ export interface YogaInstanceOptions {
         methods?: string[];
     };
     maxDepth?: number;
+    /** Maximum query complexity (default: 1000). 0 disables. */
+    maxComplexity?: number;
 }
 
 export function createYogaInstance(
@@ -152,10 +155,19 @@ export function createYogaInstance(
     contextFactory?: (context: any) => any,
     options?: YogaInstanceOptions
 ) {
-    // Prepend depth limit plugin if configured
+    // Prepend depth limit plugin. Enforce a hard minimum so maxDepth: 0 or
+    // undefined cannot silently disable the guard (C06). If a deployment
+    // explicitly needs a higher bound, raise it — but we never allow it off.
+    const HARD_MIN_DEPTH = 15;
+    const effectiveDepth = Math.max(options?.maxDepth ?? HARD_MIN_DEPTH, HARD_MIN_DEPTH);
     const allPlugins: Plugin[] = [];
-    if (options?.maxDepth) {
-        allPlugins.push(useValidationRule(depthLimitRule(options.maxDepth)) as Plugin);
+    allPlugins.push(useValidationRule(depthLimitRule(effectiveDepth)) as Plugin);
+
+    // Complexity budget: count per-field cost with `first`/`limit`/`take`
+    // multipliers. 0 disables, undefined defaults to 1000.
+    const complexityBudget = options?.maxComplexity ?? 1000;
+    if (complexityBudget > 0) {
+        allPlugins.push(useValidationRule(complexityLimitRule(complexityBudget)) as Plugin);
     }
     allPlugins.push(...plugins);
 

package/gql/visitors/ResolverGeneratorVisitor.ts

@@ -1,6 +1,8 @@
 import { GraphVisitor } from "./GraphVisitor";
 import { TypeNode, OperationNode, FieldNode, InputNode, ScalarNode } from "../graph/GraphNode";
 import { ResolverBuilder } from "../builders/ResolverBuilder";
+import { isSchemaInput } from "../schema";
+import * as z from "zod";
 import { logger } from "../../core/Logger";
 
 /**
@@ -54,9 +56,21 @@ export class ResolverGeneratorVisitor extends GraphVisitor {
 
         const type = node.operationType.charAt(0).toUpperCase() + node.operationType.slice(1).toLowerCase() as "Query" | "Mutation" | "Subscription";
 
-        // Extract Zod schema from input if it's a Zod type (check for '_def' property)
+        // Extract Zod schema from input. If it's already a Zod type (`_def`),
+        // use directly. If it's a Schema DSL input (`t.` API), convert each
+        // field `.toZod()` into a Zod object so the resolver validates it
+        // instead of passing raw args through (H-GQL-4).
         const input = node.metadata.input;
-        const zodSchema = (input && typeof input === 'object' && '_def' in input) ? input as any : null;
+        let zodSchema: any = null;
+        if (input && typeof input === 'object' && '_def' in input) {
+            zodSchema = input;
+        } else if (isSchemaInput(input)) {
+            const zodShape: Record<string, z.ZodType> = {};
+            for (const [key, field] of Object.entries(input)) {
+                zodShape[key] = (field as any).toZod();
+            }
+            zodSchema = z.object(zodShape);
+        }
 
         // Create resolver definitions for operations
         const resolverDef = {

package/package.json

@@ -1,6 +1,6 @@
 {
     "name": "bunsane",
-    "version": "0.2.9",
+    "version": "0.3.0",
     "author": {
         "name": "yaaruu"
     },

package/query/ComponentInclusionNode.ts

@@ -5,6 +5,7 @@ import { shouldUseLateralJoins, shouldUseDirectPartition } from "../core/Config"
 import { FilterBuilderRegistry } from "./FilterBuilderRegistry";
 import { ComponentRegistry } from "../core/components";
 import { getMetadataStorage } from "../core/metadata";
+import { assertIdentifier } from "./SqlIdentifier";
 
 /**
  * Check if a component property is numeric based on metadata
@@ -331,12 +332,16 @@ export class ComponentInclusionNode extends QueryNode {
             const sortComponentTableName = this.getComponentTableName(typeId);
             const nullsClause = sortOrder.nullsFirst ? 'NULLS FIRST' : 'NULLS LAST';
             const isNumeric = isNumericProperty(sortOrder.component, sortOrder.property);
+            // Validate property name before interpolating into JSON path.
+            // Without this, a malicious or malformed sortOrder.property could
+            // inject SQL through the template (C08).
+            const safeProperty = assertIdentifier(sortOrder.property, 'sortOrder.property');
 
             // Build scalar subquery to get sort value for each entity
             // This avoids nested loop join by forcing row-by-row evaluation
             const sortExpr = isNumeric
-                ? `(sort_c.data->>'${sortOrder.property}')::numeric`
-                : `sort_c.data->>'${sortOrder.property}'`;
+                ? `(sort_c.data->>'${safeProperty}')::numeric`
+                : `sort_c.data->>'${safeProperty}'`;
 
             const subquery = `(
                 SELECT ${sortExpr}
@@ -454,9 +459,10 @@ export class ComponentInclusionNode extends QueryNode {
 
         const nullsClause = sortOrder.nullsFirst ? 'NULLS FIRST' : 'NULLS LAST';
         const isNumeric = isNumericProperty(sortOrder.component, sortOrder.property);
+        const safeProperty = assertIdentifier(sortOrder.property, 'sortOrder.property');
         const sortExpr = isNumeric
-            ? `(c.data->>'${sortOrder.property}')::numeric`
-            : `c.data->>'${sortOrder.property}'`;
+            ? `(c.data->>'${safeProperty}')::numeric`
+            : `c.data->>'${safeProperty}'`;
 
         let sql: string;
         if (useDirectPartition) {
@@ -508,9 +514,10 @@ export class ComponentInclusionNode extends QueryNode {
 
         const nullsClause = sortOrder.nullsFirst ? 'NULLS FIRST' : 'NULLS LAST';
         const isNumeric = isNumericProperty(sortOrder.component, sortOrder.property);
+        const safeProperty = assertIdentifier(sortOrder.property, 'sortOrder.property');
         const sortExpr = isNumeric
-            ? `(sort_c.data->>'${sortOrder.property}')::numeric`
-            : `sort_c.data->>'${sortOrder.property}'`;
+            ? `(sort_c.data->>'${safeProperty}')::numeric`
+            : `sort_c.data->>'${safeProperty}'`;
 
         // Use scalar subquery to avoid cartesian product explosion
         // This forces PostgreSQL to evaluate sort value per-entity, preventing

package/query/OrNode.ts

@@ -305,15 +305,13 @@ export class OrNode extends QueryNode {
     public execute(context: QueryContext): QueryResult {
         // Try optimized UNION ALL path for direct partition access
         // This avoids the slow multi-partition scanning by querying each partition directly
+        // (Verbose console.log debug traces removed — H-QUERY-2. Re-enable via
+        // a framework logger at debug level if needed.)
         const canUseOptimized = this.canUseUnionAllOptimization() && this.dependencies.length === 0;
-        console.log(`OrNode: Using optimized path: ${canUseOptimized}, dependencies: ${this.dependencies.length}, direct partition: ${require("../core/Config").shouldUseDirectPartition()}`);
-        console.log(`OrNode: Component types:`, Array.from(this.orQuery.getComponentTypes()));
 
         if (canUseOptimized) {
-            console.log("OrNode: Using optimized UNION path");
             return this.executeUnionAllOptimized(context);
         }
-        console.log("OrNode: Using fallback path");
 
         // Fall back to original implementation for:
         // - HASH partitioning (no direct partition access)

package/query/Query.ts

@@ -12,6 +12,7 @@ import { getMetadataStorage } from "../core/metadata";
 import { shouldUseDirectPartition } from "../core/Config";
 import type { SQL } from "bun";
 import type { ComponentConstructor, TypedEntity, ComponentRecord } from "../types/query.types";
+import { assertComponentTableName, assertFieldPath } from "./SqlIdentifier";
 
 export type FilterOperator = "=" | ">" | "<" | ">=" | "<=" | "!=" | "LIKE" | "ILIKE" | "IN" | "NOT IN" | string;
 
@@ -338,7 +339,13 @@ class Query<TComponents extends readonly ComponentConstructor[] = []> {
             throw new Error(`Component ${component.name} not registered`);
         }
 
-        const tableName = ComponentRegistry.getPartitionTableName(typeId);
+        // Validate the resolved partition table name against the component
+        // table allow-list before passing to pg_class lookup. Although
+        // `relname` here is a bound parameter ($1) and cannot inject SQL
+        // directly, we still reject unexpected names so a registry
+        // poisoning bug cannot query arbitrary tables.
+        const rawTableName = ComponentRegistry.getPartitionTableName(typeId);
+        const tableName = rawTableName ? assertComponentTableName(rawTableName, 'estimatedCount.tableName') : null;
         const dbConn = this.getDb();
 
         // Use PostgreSQL's statistics for fast count estimate
@@ -557,10 +564,17 @@ class Query<TComponents extends readonly ComponentConstructor[] = []> {
         // Execute the DAG to get the base query
         const result = dag.execute(this.context);
 
-        // Determine the component table name
-        const componentTableName = shouldUseDirectPartition()
+        // Determine the component table name. Validate against allow-list so
+        // a poisoned registry cannot inject SQL through the embedded name.
+        const rawComponentTableName = shouldUseDirectPartition()
             ? (ComponentRegistry.getPartitionTableName(typeId) || 'components')
             : 'components';
+        const componentTableName = assertComponentTableName(rawComponentTableName, 'doAggregate.componentTableName');
+
+        // Validate the field path — each dotted segment must be a safe
+        // identifier. Without this, a caller-supplied field with quote or
+        // `->` metacharacters would corrupt the JSON path expression (C08).
+        assertFieldPath(field, 'doAggregate.field');
 
         // Build the JSON path for the field
         let jsonPath: string;
@@ -641,6 +655,19 @@ AND c.deleted_at IS NULL`;
      */
     @timed("Query.exec")
     public async exec(): Promise<TypedEntity<TComponents>[]> {
+        // Apply default LIMIT so unbounded queries cannot load entire tables
+        // into memory. Configurable via BUNSANE_DEFAULT_QUERY_LIMIT, 0 to
+        // disable. When the default is applied without an explicit .take(),
+        // warn once at execution so developers notice runaway queries
+        // (H-QUERY-1).
+        if (this.context.limit === null || this.context.limit === undefined) {
+            const envLimit = parseInt(process.env.BUNSANE_DEFAULT_QUERY_LIMIT ?? '10000', 10);
+            if (envLimit > 0) {
+                this.context.limit = envLimit;
+                logger.warn({ scope: 'Query.exec', defaultLimit: envLimit }, 'Query executed without explicit .take() — applying framework default LIMIT. Call .take(N) to suppress this warning.');
+            }
+        }
+
         return new Promise<TypedEntity<TComponents>[]>((resolve, reject) => {
             // Add timeout to prevent hanging queries
             const timeout = setTimeout(() => {

package/query/SqlIdentifier.ts

@@ -0,0 +1,105 @@
+/**
+ * SQL identifier sanitization helpers.
+ *
+ * These helpers prevent SQL injection when interpolating caller-supplied or
+ * metadata-derived strings into SQL via `db.unsafe(...)` or template literals.
+ * Parameter binding (`$1`, `$2`) is always preferred for values, but column
+ * names, table names, ORDER BY fields, and JSON path segments cannot be
+ * parameterized — they are sanitized against a strict allow-list instead.
+ *
+ * Ticket C08.
+ */
+
+/** Matches a safe identifier: letter/underscore followed by letters/digits/underscores. */
+const IDENT_RE = /^[A-Za-z_][A-Za-z0-9_]*$/;
+
+/** Matches a safe component table name: `components` or `components_<ident>`. */
+const COMPONENT_TABLE_RE = /^components(?:_[a-z0-9_]+)?$/;
+
+/**
+ * PostgreSQL text-search languages supported by `to_tsvector(config, ...)`.
+ * Extend as needed for deployments with additional dictionaries installed.
+ */
+const ALLOWED_TS_LANGUAGES = new Set<string>([
+    'simple',
+    'english',
+    'french',
+    'german',
+    'spanish',
+    'italian',
+    'portuguese',
+    'dutch',
+    'russian',
+    'swedish',
+    'norwegian',
+    'danish',
+    'finnish',
+    'turkish',
+    'hungarian',
+    'arabic',
+    'indonesian',
+    'irish',
+    'lithuanian',
+    'nepali',
+    'romanian',
+    'tamil',
+    'yiddish',
+]);
+
+/**
+ * Assert a string is a safe SQL identifier (column name, alias). Throws
+ * `InvalidIdentifierError` if not.
+ */
+export function assertIdentifier(value: unknown, context: string): string {
+    if (typeof value !== 'string' || !IDENT_RE.test(value)) {
+        throw new InvalidIdentifierError(context, String(value));
+    }
+    return value;
+}
+
+/**
+ * Assert a string is a safe component table name (e.g. `components`,
+ * `components_user`). Throws if not.
+ */
+export function assertComponentTableName(value: unknown, context: string): string {
+    if (typeof value !== 'string' || !COMPONENT_TABLE_RE.test(value)) {
+        throw new InvalidIdentifierError(context, String(value));
+    }
+    return value;
+}
+
+/**
+ * Assert a dotted JSON field path is safe. Each segment must be a valid
+ * identifier. Empty paths / empty segments are rejected.
+ */
+export function assertFieldPath(value: unknown, context: string): string {
+    if (typeof value !== 'string' || value.length === 0) {
+        throw new InvalidIdentifierError(context, String(value));
+    }
+    const parts = value.split('.');
+    for (const p of parts) {
+        if (!IDENT_RE.test(p)) {
+            throw new InvalidIdentifierError(context, value);
+        }
+    }
+    return value;
+}
+
+/**
+ * Assert a text-search language is in the allow-list. Defaults to `simple`
+ * when undefined (behavior preserved from the prior implementation).
+ */
+export function assertTsLanguage(value: unknown, context: string = 'tsLanguage'): string {
+    if (value === undefined || value === null) return 'simple';
+    if (typeof value !== 'string' || !ALLOWED_TS_LANGUAGES.has(value.toLowerCase())) {
+        throw new InvalidIdentifierError(context, String(value));
+    }
+    return value.toLowerCase();
+}
+
+export class InvalidIdentifierError extends Error {
+    constructor(context: string, value: string) {
+        super(`Invalid SQL identifier in ${context}: ${JSON.stringify(value)}`);
+        this.name = 'InvalidIdentifierError';
+    }
+}

package/query/builders/FullTextSearchBuilder.ts

@@ -8,6 +8,7 @@
 import type { FilterBuilder, FilterBuilderOptions } from "../FilterBuilder";
 import type { QueryFilter } from "../QueryContext";
 import type { QueryContext } from "../QueryContext";
+import { assertTsLanguage, assertFieldPath } from "../SqlIdentifier";
 
 /**
  * Full-text search filter value interface
@@ -68,12 +69,16 @@ export const fullTextSearchBuilder: FilterBuilder = (
     const value = filter.value as FullTextFilterValue;
     const { query, language = 'english', type = 'plain' } = value;
 
+    // Validate identifiers (C08).
+    const safeLanguage = assertTsLanguage(language, 'fullTextSearchBuilder.language');
+    assertFieldPath(filter.field, 'fullTextSearchBuilder.field');
+
     // Build the text search vector from the specified field
     const fieldPath = filter.field.includes('.')
         ? filter.field.split('.').map(p => `'${p}'`).join('->')
         : `'${filter.field}'`;
 
-    const vectorSql = `to_tsvector('${language}', ${alias}.data->${fieldPath})`;
+    const vectorSql = `to_tsvector('${safeLanguage}', ${alias}.data->${fieldPath})`;
 
     // Choose the appropriate query function based on type
     let queryFunction: string;
@@ -93,7 +98,7 @@ export const fullTextSearchBuilder: FilterBuilder = (
             break;
     }
 
-    const querySql = `${queryFunction}('${language}', $${context.addParam(query)})`;
+    const querySql = `${queryFunction}('${safeLanguage}', $${context.addParam(query)})`;
 
     return {
         sql: `${vectorSql} @@ ${querySql}`,
@@ -120,12 +125,16 @@ export const fullTextSearchWithRankBuilder: FilterBuilder = (
     const value = filter.value as FullTextFilterValue;
     const { query, language = 'english', type = 'plain' } = value;
 
+    // Validate identifiers (C08).
+    const safeLanguage = assertTsLanguage(language, 'fullTextSearchWithRankBuilder.language');
+    assertFieldPath(filter.field, 'fullTextSearchWithRankBuilder.field');
+
     // Build the text search vector from the specified field
     const fieldPath = filter.field.includes('.')
         ? filter.field.split('.').map(p => `'${p}'`).join('->')
         : `'${filter.field}'`;
 
-    const vectorSql = `to_tsvector('${language}', ${alias}.data->${fieldPath})`;
+    const vectorSql = `to_tsvector('${safeLanguage}', ${alias}.data->${fieldPath})`;
 
     // Choose the appropriate query function based on type
     let queryFunction: string;
@@ -145,7 +154,7 @@ export const fullTextSearchWithRankBuilder: FilterBuilder = (
             break;
     }
 
-    const querySql = `${queryFunction}('${language}', $${context.addParam(query)})`;
+    const querySql = `${queryFunction}('${safeLanguage}', $${context.addParam(query)})`;
 
     // Include ranking in the condition (can be used for ordering)
     const rankSql = `ts_rank(${vectorSql}, ${querySql})`;
@@ -187,16 +196,20 @@ export function createFullTextSearchBuilder(
     language: string = 'english',
     searchType: 'plain' | 'phrase' | 'web' | 'tsquery' = 'plain'
 ): { builder: FilterBuilder; options: FilterBuilderOptions } {
+    // Validate the language at factory-construction time so callers get an
+    // immediate error on invalid input rather than a runtime SQL error.
+    const safeLanguage = assertTsLanguage(language, 'createFullTextSearchBuilder.language');
     const builder: FilterBuilder = (filter: QueryFilter, alias: string, context: QueryContext) => {
         const value = filter.value as FullTextFilterValue;
         const query = value.query;
+        assertFieldPath(filter.field, 'createFullTextSearchBuilder.field');
 
         // Build the text search vector from the specified field
         const fieldPath = filter.field.includes('.')
             ? filter.field.split('.').map(p => `'${p}'`).join('->')
             : `'${filter.field}'`;
 
-        const vectorSql = `to_tsvector('${language}', ${alias}.data->${fieldPath})`;
+        const vectorSql = `to_tsvector('${safeLanguage}', ${alias}.data->${fieldPath})`;
 
         // Choose the appropriate query function based on type
         let queryFunction: string;
@@ -216,7 +229,7 @@ export function createFullTextSearchBuilder(
                 break;
         }
 
-        const querySql = `${queryFunction}('${language}', $${context.addParam(query)})`;
+        const querySql = `${queryFunction}('${safeLanguage}', $${context.addParam(query)})`;
 
         return {
             sql: `${vectorSql} @@ ${querySql}`,

package/service/ServiceRegistry.ts

@@ -1,5 +1,5 @@
 import type BaseService from "./Service";
-import ApplicationLifecycle, {ApplicationPhase} from "../core/ApplicationLifecycle";
+import ApplicationLifecycle, {ApplicationPhase, type PhaseChangeEvent} from "../core/ApplicationLifecycle";
 import { generateGraphQLSchemaV2 } from "../gql";
 import { GraphQLSchema } from "graphql";
 
@@ -8,28 +8,41 @@ class ServiceRegistry {
 
     private services: Map<string, BaseService> = new Map();
     private schema: GraphQLSchema | null = null;
+    private phaseListener: ((event: PhaseChangeEvent) => void) | null = null;
 
 
     constructor() {
-        
+
     }
 
     public init() {
-        ApplicationLifecycle.addPhaseListener((event) => {
+        // Remove previous listener if re-init (tests) to prevent listener stacking.
+        if (this.phaseListener) {
+            ApplicationLifecycle.removePhaseListener(this.phaseListener);
+        }
+        this.phaseListener = (event: PhaseChangeEvent) => {
             switch(event.detail) {
                 case ApplicationPhase.SYSTEM_REGISTERING: {
                     const servicesArray = Array.from(this.services.values());
-                    
-                    const result = generateGraphQLSchemaV2(servicesArray, { 
-                        enableArchetypeOperations: false 
+
+                    const result = generateGraphQLSchemaV2(servicesArray, {
+                        enableArchetypeOperations: false
                     });
-                    
+
                     this.schema = result.schema;
                     ApplicationLifecycle.setPhase(ApplicationPhase.SYSTEM_READY);
                     break;
                 };
             }
-        });
+        };
+        ApplicationLifecycle.addPhaseListener(this.phaseListener);
+    }
+
+    public dispose(): void {
+        if (this.phaseListener) {
+            ApplicationLifecycle.removePhaseListener(this.phaseListener);
+            this.phaseListener = null;
+        }
     }
 
 

package/storage/LocalStorageProvider.ts

@@ -1,4 +1,6 @@
 import fs from "fs";
+import { pipeline } from "stream/promises";
+import { Readable } from "stream";
 import path from "path";
 import { StorageProvider } from "./StorageProvider";
 import type { UploadConfiguration, StorageResult, FileMetadata } from "../types/upload.types";
@@ -51,9 +53,16 @@ export class LocalStorageProvider extends StorageProvider {
                 fs.mkdirSync(uploadDir, { recursive: true });
             }
 
-            // Write file to disk
-            const buffer = Buffer.from(await file.arrayBuffer());
-            fs.writeFileSync(fullPath, buffer);
+            // Stream File → disk to avoid full in-memory buffering of large uploads.
+            const writeStream = fs.createWriteStream(fullPath);
+            try {
+                const webStream = file.stream() as ReadableStream<Uint8Array>;
+                const nodeStream = Readable.fromWeb(webStream as any);
+                await pipeline(nodeStream, writeStream);
+            } catch (streamError) {
+                try { fs.unlinkSync(fullPath); } catch { /* best-effort cleanup */ }
+                throw streamError;
+            }
 
             // Generate URL
             const url = this.buildUrl(relativePath);

package/storage/S3StorageProvider.ts

@@ -213,11 +213,11 @@ export class S3StorageProvider extends StorageProvider {
         const destKey = this.resolveKey(destinationPath);
 
         try {
-            const [data, stat] = await Promise.all([
-                this.client.file(sourceKey).arrayBuffer(),
-                this.client.stat(sourceKey),
-            ]);
-            await this.client.write(destKey, data, {
+            const stat = await this.client.stat(sourceKey);
+            const sourceFile = this.client.file(sourceKey);
+            // Pass the S3File directly so Bun streams bytes rather than loading
+            // the entire object into memory (previously `arrayBuffer()`).
+            await this.client.write(destKey, sourceFile, {
                 type: stat.type,
                 acl: this.acl,
             });
@@ -226,7 +226,7 @@ export class S3StorageProvider extends StorageProvider {
         } catch (error) {
             const msg =
                 error instanceof Error ? error.message : "Unknown error";
-            logger.error({ sourceKey, destKey }, "Failed to copy file");
+            logger.error({ sourceKey, destKey, err: msg }, "Failed to copy file");
             return false;
         }
     }

package/tests/e2e/http.test.ts

@@ -76,8 +76,12 @@ describe("E2E HTTP Routes", () => {
 
     it("OPTIONS /health returns 204 when CORS configured", async () => {
         app.setCors({ origin: "*" });
-        // Re-compose middleware chain not needed — CORS headers are added per-request in handleRequest
-        const res = await fetch(`${BASE}/health`, { method: "OPTIONS" });
+        // Preflight must carry Origin header per CORS spec; otherwise the
+        // server emits no Access-Control-Allow-Origin (no `|| '*'` fallback).
+        const res = await fetch(`${BASE}/health`, {
+            method: "OPTIONS",
+            headers: { Origin: "https://client.example" },
+        });
         expect(res.status).toBe(204);
         expect(res.headers.get("Access-Control-Allow-Origin")).toBe("*");
     });