npm - goscript - Versions diffs - 0.1.4 → 0.2.0 - Mend

goscript 0.1.4 → 0.2.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (270) hide show

package/README.md +5 -2
package/cmd/go_js_wasm_exec/main.go +201 -0
package/cmd/go_js_wasm_exec/main_test.go +83 -0
package/cmd/goscript/{cmd_compile.go → cmd-compile.go} +7 -0
package/cmd/goscript/cmd-test.go +14 -0
package/cmd/goscript/cmd-test_test.go +1 -1
package/compiler/compile-request.go +12 -9
package/compiler/compliance_test.go +0 -1
package/compiler/config.go +2 -0
package/compiler/gotest/request.go +28 -0
package/compiler/gotest/runner.go +353 -27
package/compiler/gotest/runner_test.go +273 -1
package/compiler/gotest/testdata/browserapi/browserapi_test.go +20 -0
package/compiler/gotest/testdata/browserapi/go.mod +3 -0
package/compiler/lowered-program.go +24 -17
package/compiler/lowering.go +392 -127
package/compiler/lowering_bench_test.go +41 -27
package/compiler/override-facts.go +15 -0
package/compiler/override-parity-verifier.go +450 -0
package/compiler/override-parity.go +122 -0
package/compiler/override-registry_test.go +559 -0
package/compiler/protobuf-ts-binding.go +514 -0
package/compiler/protobuf-ts-binding_test.go +172 -0
package/compiler/semantic-model-types.go +9 -4
package/compiler/semantic-model.go +282 -70
package/compiler/semantic-model_test.go +82 -1
package/compiler/service.go +20 -1
package/compiler/skeleton_test.go +62 -8
package/compiler/typescript-emitter.go +128 -13
package/dist/gs/builtin/slice.d.ts +2 -1
package/dist/gs/builtin/slice.js +29 -4
package/dist/gs/builtin/slice.js.map +1 -1
package/dist/gs/builtin/type.d.ts +13 -5
package/dist/gs/builtin/type.js +153 -60
package/dist/gs/builtin/type.js.map +1 -1
package/dist/gs/builtin/varRef.d.ts +11 -0
package/dist/gs/builtin/varRef.js +57 -2
package/dist/gs/builtin/varRef.js.map +1 -1
package/dist/gs/bytes/buffer.gs.js +1 -1
package/dist/gs/bytes/buffer.gs.js.map +1 -1
package/dist/gs/bytes/reader.gs.js +1 -1
package/dist/gs/bytes/reader.gs.js.map +1 -1
package/dist/gs/compress/zlib/index.d.ts +10 -3
package/dist/gs/compress/zlib/index.js +50 -16
package/dist/gs/compress/zlib/index.js.map +1 -1
package/dist/gs/encoding/json/index.d.ts +114 -0
package/dist/gs/encoding/json/index.js +544 -36
package/dist/gs/encoding/json/index.js.map +1 -1
package/dist/gs/github.com/aperturerobotics/protobuf-go-lite/index.d.ts +100 -0
package/dist/gs/github.com/aperturerobotics/protobuf-go-lite/index.js +564 -0
package/dist/gs/github.com/aperturerobotics/protobuf-go-lite/index.js.map +1 -1
package/dist/gs/github.com/pkg/errors/errors.js +54 -30
package/dist/gs/github.com/pkg/errors/errors.js.map +1 -1
package/dist/gs/go/scanner/index.d.ts +2 -0
package/dist/gs/go/scanner/index.js +29 -5
package/dist/gs/go/scanner/index.js.map +1 -1
package/dist/gs/go/token/index.js +22 -6
package/dist/gs/go/token/index.js.map +1 -1
package/dist/gs/hash/index.d.ts +6 -0
package/dist/gs/hash/index.js +20 -0
package/dist/gs/hash/index.js.map +1 -1
package/dist/gs/internal/goarch/index.d.ts +43 -3
package/dist/gs/internal/goarch/index.js +42 -10
package/dist/gs/internal/goarch/index.js.map +1 -1
package/dist/gs/io/fs/fs.js +26 -14
package/dist/gs/io/fs/fs.js.map +1 -1
package/dist/gs/io/fs/readdir.js +4 -2
package/dist/gs/io/fs/readdir.js.map +1 -1
package/dist/gs/io/fs/sub.js +8 -1
package/dist/gs/io/fs/sub.js.map +1 -1
package/dist/gs/io/io.d.ts +2 -0
package/dist/gs/io/io.js.map +1 -1
package/dist/gs/math/bits/index.d.ts +5 -0
package/dist/gs/math/bits/index.js +16 -4
package/dist/gs/math/bits/index.js.map +1 -1
package/dist/gs/mime/index.d.ts +16 -0
package/dist/gs/mime/index.js +315 -6
package/dist/gs/mime/index.js.map +1 -1
package/dist/gs/net/http/httptest/index.d.ts +12 -0
package/dist/gs/net/http/httptest/index.js +85 -6
package/dist/gs/net/http/httptest/index.js.map +1 -1
package/dist/gs/net/http/index.d.ts +300 -5
package/dist/gs/net/http/index.js +1598 -58
package/dist/gs/net/http/index.js.map +1 -1
package/dist/gs/os/dir_unix.gs.js +1 -1
package/dist/gs/os/dir_unix.gs.js.map +1 -1
package/dist/gs/os/error.gs.js +1 -1
package/dist/gs/os/error.gs.js.map +1 -1
package/dist/gs/os/exec.gs.d.ts +1 -0
package/dist/gs/os/exec.gs.js +4 -8
package/dist/gs/os/exec.gs.js.map +1 -1
package/dist/gs/os/exec_posix.gs.js +1 -1
package/dist/gs/os/exec_posix.gs.js.map +1 -1
package/dist/gs/os/index.d.ts +1 -1
package/dist/gs/os/index.js +1 -1
package/dist/gs/os/index.js.map +1 -1
package/dist/gs/os/proc.gs.d.ts +4 -0
package/dist/gs/os/proc.gs.js +12 -6
package/dist/gs/os/proc.gs.js.map +1 -1
package/dist/gs/os/root_js.gs.js +1 -1
package/dist/gs/os/root_js.gs.js.map +1 -1
package/dist/gs/os/types.gs.js +1 -1
package/dist/gs/os/types.gs.js.map +1 -1
package/dist/gs/os/types_js.gs.js +1 -1
package/dist/gs/os/types_js.gs.js.map +1 -1
package/dist/gs/os/types_unix.gs.js +1 -1
package/dist/gs/os/types_unix.gs.js.map +1 -1
package/dist/gs/path/path.js +11 -7
package/dist/gs/path/path.js.map +1 -1
package/dist/gs/reflect/index.d.ts +5 -4
package/dist/gs/reflect/index.js +4 -3
package/dist/gs/reflect/index.js.map +1 -1
package/dist/gs/reflect/map.js +15 -0
package/dist/gs/reflect/map.js.map +1 -1
package/dist/gs/reflect/type.d.ts +25 -6
package/dist/gs/reflect/type.js +1418 -228
package/dist/gs/reflect/type.js.map +1 -1
package/dist/gs/reflect/types.d.ts +14 -6
package/dist/gs/reflect/types.js +35 -1
package/dist/gs/reflect/types.js.map +1 -1
package/dist/gs/reflect/value.d.ts +1 -0
package/dist/gs/reflect/value.js +83 -41
package/dist/gs/reflect/value.js.map +1 -1
package/dist/gs/reflect/visiblefields.js +4 -140
package/dist/gs/reflect/visiblefields.js.map +1 -1
package/dist/gs/runtime/pprof/index.d.ts +8 -2
package/dist/gs/runtime/pprof/index.js +50 -30
package/dist/gs/runtime/pprof/index.js.map +1 -1
package/dist/gs/runtime/runtime.js +5 -4
package/dist/gs/runtime/runtime.js.map +1 -1
package/dist/gs/runtime/trace/index.js +5 -19
package/dist/gs/runtime/trace/index.js.map +1 -1
package/dist/gs/strconv/atoi.gs.js +1 -1
package/dist/gs/strconv/atoi.gs.js.map +1 -1
package/dist/gs/strconv/complex.gs.d.ts +3 -0
package/dist/gs/strconv/complex.gs.js +148 -0
package/dist/gs/strconv/complex.gs.js.map +1 -0
package/dist/gs/strconv/index.d.ts +1 -0
package/dist/gs/strconv/index.js +1 -0
package/dist/gs/strconv/index.js.map +1 -1
package/dist/gs/strings/builder.js +1 -1
package/dist/gs/strings/reader.js +9 -5
package/dist/gs/strings/reader.js.map +1 -1
package/dist/gs/strings/replace.js +15 -7
package/dist/gs/strings/replace.js.map +1 -1
package/dist/gs/strings/strings.d.ts +5 -0
package/dist/gs/strings/strings.js +57 -5
package/dist/gs/strings/strings.js.map +1 -1
package/dist/gs/sync/atomic/type.gs.js +9 -9
package/dist/gs/sync/atomic/type.gs.js.map +1 -1
package/dist/gs/sync/atomic/value.gs.js +2 -2
package/dist/gs/sync/atomic/value.gs.js.map +1 -1
package/dist/gs/syscall/env.js +22 -14
package/dist/gs/syscall/env.js.map +1 -1
package/dist/gs/testing/testing.js +55 -13
package/dist/gs/testing/testing.js.map +1 -1
package/dist/gs/time/time.d.ts +24 -1
package/dist/gs/time/time.js +43 -3
package/dist/gs/time/time.js.map +1 -1
package/dist/gs/unique/index.js +7 -1
package/dist/gs/unique/index.js.map +1 -1
package/go.mod +3 -3
package/go.sum +16 -0
package/gs/builtin/runtime-contract.test.ts +218 -21
package/gs/builtin/slice.ts +44 -4
package/gs/builtin/type.ts +226 -59
package/gs/builtin/varRef.ts +85 -2
package/gs/bytes/buffer.gs.ts +1 -1
package/gs/bytes/reader.gs.ts +1 -1
package/gs/compress/zlib/index.test.ts +62 -1
package/gs/compress/zlib/index.ts +53 -16
package/gs/compress/zlib/parity.json +51 -0
package/gs/encoding/json/index.test.ts +360 -6
package/gs/encoding/json/index.ts +679 -38
package/gs/encoding/json/parity.json +81 -0
package/gs/github.com/aperturerobotics/protobuf-go-lite/index.test.ts +211 -3
package/gs/github.com/aperturerobotics/protobuf-go-lite/index.ts +857 -1
package/gs/github.com/pkg/errors/errors.ts +54 -30
package/gs/go/scanner/index.test.ts +39 -56
package/gs/go/scanner/index.ts +33 -5
package/gs/go/scanner/parity.json +27 -0
package/gs/go/token/index.ts +22 -6
package/gs/hash/index.test.ts +20 -33
package/gs/hash/index.ts +28 -0
package/gs/hash/parity.json +21 -0
package/gs/internal/goarch/index.test.ts +32 -0
package/gs/internal/goarch/index.ts +45 -13
package/gs/internal/goarch/parity.json +144 -0
package/gs/io/fs/fs.ts +26 -14
package/gs/io/fs/readdir.ts +4 -4
package/gs/io/fs/sub.ts +8 -1
package/gs/io/io.ts +1 -0
package/gs/io/parity.json +162 -0
package/gs/math/bits/index.test.ts +14 -1
package/gs/math/bits/index.ts +23 -4
package/gs/math/bits/parity.json +156 -0
package/gs/mime/index.test.ts +90 -0
package/gs/mime/index.ts +369 -6
package/gs/mime/parity.json +36 -0
package/gs/net/http/httptest/index.test.ts +98 -2
package/gs/net/http/httptest/index.ts +101 -6
package/gs/net/http/httptest/parity.json +15 -0
package/gs/net/http/index.test.ts +781 -12
package/gs/net/http/index.ts +1860 -139
package/gs/net/http/meta.json +16 -1
package/gs/net/http/parity.json +193 -0
package/gs/os/dir_unix.gs.ts +1 -1
package/gs/os/error.gs.ts +1 -1
package/gs/os/exec.gs.ts +4 -8
package/gs/os/exec_posix.gs.ts +1 -1
package/gs/os/index.test.ts +9 -0
package/gs/os/index.ts +1 -0
package/gs/os/parity.json +9 -0
package/gs/os/proc.gs.ts +18 -5
package/gs/os/proc.test.ts +26 -0
package/gs/os/root_js.gs.ts +1 -1
package/gs/os/types.gs.ts +1 -1
package/gs/os/types_js.gs.ts +1 -1
package/gs/os/types_unix.gs.ts +1 -1
package/gs/path/path.ts +11 -7
package/gs/reflect/field.test.ts +37 -15
package/gs/reflect/function-types.test.ts +518 -22
package/gs/reflect/index.ts +8 -6
package/gs/reflect/map.ts +20 -0
package/gs/reflect/meta.json +6 -4
package/gs/reflect/parity.json +234 -0
package/gs/reflect/sliceat.test.ts +156 -0
package/gs/reflect/structof.test.ts +401 -0
package/gs/reflect/type.ts +1897 -317
package/gs/reflect/typefor.test.ts +510 -10
package/gs/reflect/types.ts +43 -18
package/gs/reflect/value.ts +105 -45
package/gs/reflect/visiblefields.ts +5 -168
package/gs/runtime/parity.json +24 -0
package/gs/runtime/pprof/index.test.ts +29 -7
package/gs/runtime/pprof/index.ts +56 -30
package/gs/runtime/pprof/parity.json +27 -0
package/gs/runtime/runtime.test.ts +3 -1
package/gs/runtime/runtime.ts +4 -3
package/gs/runtime/trace/index.test.ts +5 -3
package/gs/runtime/trace/index.ts +8 -20
package/gs/runtime/trace/parity.json +36 -0
package/gs/strconv/atoi.gs.ts +1 -1
package/gs/strconv/complex.gs.ts +174 -0
package/gs/strconv/complex.test.ts +65 -0
package/gs/strconv/index.ts +1 -0
package/gs/strconv/parity.json +120 -0
package/gs/strings/builder.ts +1 -1
package/gs/strings/parity.json +186 -0
package/gs/strings/reader.ts +9 -5
package/gs/strings/replace.ts +15 -7
package/gs/strings/strings.test.ts +22 -2
package/gs/strings/strings.ts +64 -6
package/gs/sync/atomic/type.gs.ts +9 -9
package/gs/sync/atomic/value.gs.ts +2 -2
package/gs/syscall/env.ts +29 -14
package/gs/testing/testing.test.ts +67 -0
package/gs/testing/testing.ts +87 -19
package/gs/time/parity.json +225 -0
package/gs/time/time.test.ts +20 -2
package/gs/time/time.ts +49 -7
package/gs/unique/index.ts +7 -1
package/package.json +4 -2
package/dist/gs/github.com/aperturerobotics/starpc/srpc/index.d.ts +0 -217
package/dist/gs/github.com/aperturerobotics/starpc/srpc/index.js +0 -926
package/dist/gs/github.com/aperturerobotics/starpc/srpc/index.js.map +0 -1
package/gs/github.com/aperturerobotics/starpc/srpc/index.test.ts +0 -38
package/gs/github.com/aperturerobotics/starpc/srpc/index.ts +0 -1361
package/gs/github.com/aperturerobotics/starpc/srpc/meta.json +0 -46
/package/compiler/{wasm_api.go → wasm-api.go} +0 -0

package/gs/net/http/index.test.ts CHANGED Viewed

@@ -1,25 +1,72 @@
-import { describe, expect, it } from 'vitest'
+import { afterEach, describe, expect, it } from 'vitest'
 import { varRef } from '../../builtin/varRef.js'
+import * as $ from '../../builtin/index.js'
+import * as bytes from '../../bytes/index.js'
+import * as context from '../../context/index.js'
+import * as io from '../../io/index.js'
+import * as strings from '../../strings/index.js'
 import {
+  CanonicalHeaderKey,
   Client,
+  Cookie,
+  DefaultClient,
+  DefaultMaxHeaderBytes,
+  DefaultMaxIdleConnsPerHost,
+  DefaultServeMux,
   DefaultTransport,
+  DetectContentType,
+  ErrNotSupported,
+  ErrServerClosed,
   File,
+  FileServer,
   FileSystem,
+  FS,
+  Get,
+  Handle,
   Header,
   Header_Add,
+  Header_Clone,
   Header_Del,
   Header_Get,
   Header_Set,
+  Header_Values,
+  Header_Write,
   HandlerFunc_ServeHTTP,
-  Get,
+  ListenAndServe,
+  MaxBytesError,
+  MaxBytesHandler,
+  MaxBytesReader,
+  NewFileTransport,
+  MethodGet,
+  MethodHead,
+  MethodOptions,
   MethodPost,
   MethodDelete,
+  MethodPatch,
+  MethodPut,
+  NewCrossOriginProtection,
   NewRequest,
+  NewRequestWithContext,
+  NewResponseController,
+  NoBody,
   NotFound,
+  NotFoundHandler,
+  ParseCookie,
+  ParseHTTPVersion,
+  ParseSetCookie,
   ParseTime,
+  PostForm,
+  Protocols,
+  RegisterInProcessServer,
+  SameSiteStrictMode,
+  SetCookie,
+  StatusBadGateway,
+  Request,
   Response,
   ResponseWriter,
+  ServeContent,
+  ServeFile,
   Server,
   StatusCreated,
   StatusForbidden,
@@ -32,9 +79,42 @@ import {
   StatusTooManyRequests,
   StatusUnauthorized,
   StatusUnsupportedMediaType,
+  StatusNetworkAuthenticationRequired,
+  TimeFormat,
+  TrailerPrefix,
+  Transport,
+  UnregisterInProcessServer,
 } from './index.js'
+const originalFetch = globalThis.fetch
+class testResponseWriter implements ResponseWriter {
+  public Code = 0
+  public Body = new bytes.Buffer()
+  private headerMap = new Header()
+  public Header(): Header {
+    return this.headerMap
+  }
+  public Write(p: $.Slice<number>): [number, $.GoError] {
+    return this.Body.Write(p)
+  }
+  public WriteHeader(statusCode: number): void {
+    this.Code = statusCode
+  }
+}
 describe('net/http override', () => {
+  afterEach(() => {
+    Object.defineProperty(globalThis, 'fetch', {
+      configurable: true,
+      writable: true,
+      value: originalFetch,
+    })
+  })
   it('exports response status helpers', () => {
     const resp = new Response({ StatusCode: StatusOK })
@@ -47,29 +127,312 @@ describe('net/http override', () => {
     expect(StatusText(StatusUnsupportedMediaType)).toBe('Unsupported Media Type')
     expect(StatusText(StatusTeapot)).toBe("I'm a teapot")
     expect(StatusText(StatusTooManyRequests)).toBe('Too Many Requests')
+    expect(StatusText(StatusBadGateway)).toBe('Bad Gateway')
     expect(StatusText(StatusServiceUnavailable)).toBe('Service Unavailable')
+    expect(StatusText(StatusNetworkAuthenticationRequired)).toBe('Network Authentication Required')
     expect(StatusText(599)).toBe('')
+    Header_Set(resp.Header, 'X-Test', 'ok')
+    resp.Body = io.NopCloser(bytes.NewReader($.stringToBytes('body')))
+    const written = new bytes.Buffer()
+    expect(resp.Write(written)).toBeNull()
+    expect(Buffer.from(written.Bytes()).toString('utf8')).toBe(
+      'HTTP/1.1 200 OK\r\nX-Test: ok\r\n\r\nbody',
+    )
+    expect(MethodGet).toBe('GET')
+    expect(MethodHead).toBe('HEAD')
     expect(MethodPost).toBe('POST')
+    expect(MethodPut).toBe('PUT')
+    expect(MethodPatch).toBe('PATCH')
     expect(MethodDelete).toBe('DELETE')
     expect(StatusCreated).toBe(201)
+    expect(DefaultMaxHeaderBytes).toBe(1 << 20)
+    expect(DefaultMaxIdleConnsPerHost).toBe(2)
+    expect(TimeFormat).toBe('Mon, 02 Jan 2006 15:04:05 GMT')
+    expect(TrailerPrefix).toBe('Trailer:')
+    expect(ErrServerClosed.Error()).toBe('http: Server closed')
   })
-  it('returns an explicit unsupported error for Get', () => {
-    const [resp, err] = Get('https://example.invalid')
+  it('exports common header and protocol utility surfaces', () => {
+    const header = new Header()
+    Header_Add(header, 'content-type', 'text/plain')
+    Header_Add(header, 'Content-Type', 'charset=utf-8')
+    const cloned = Header_Clone(header)
+    Header_Add(cloned, 'Content-Type', 'copy')
-    expect(resp).toBeNull()
-    expect(err?.Error()).toBe('net/http: Get is not implemented in GoScript')
+    expect(CanonicalHeaderKey('content-type')).toBe('Content-Type')
+    expect(Array.from(Header_Values(header, 'CONTENT-TYPE') ?? [])).toEqual([
+      'text/plain',
+      'charset=utf-8',
+    ])
+    expect(Array.from(Header_Values(cloned, 'Content-Type') ?? [])).toContain('copy')
+    expect(Array.from(Header_Values(header, 'Content-Type') ?? [])).not.toContain('copy')
+    const written = new bytes.Buffer()
+    expect(Header_Write(header, written)).toBeNull()
+    expect(Buffer.from(written.Bytes()).toString('utf8')).toContain('Content-Type: text/plain\r\n')
+    expect(ParseHTTPVersion('HTTP/2.0')).toEqual([2, 0, true])
+    expect(ParseHTTPVersion('h2')).toEqual([0, 0, false])
+    const protocols = new Protocols()
+    protocols.SetHTTP1(true)
+    protocols.SetUnencryptedHTTP2(true)
+    expect(protocols.HTTP1()).toBe(true)
+    expect(protocols.HTTP2()).toBe(false)
+    expect(protocols.String()).toBe('{HTTP1,UnencryptedHTTP2}')
+  })
+  it('validates outgoing request construction', () => {
+    const [req, reqErr] = NewRequestWithContext(
+      context.Background(),
+      '',
+      'https://example.invalid/path?q=1',
+      null,
+    )
+    expect(reqErr).toBeNull()
+    expect(req?.Method).toBe(MethodGet)
+    expect(req?.Host).toBe('example.invalid')
+    expect(req?.URL?.Path).toBe('/path')
+    expect(req?.URL?.RawQuery).toBe('q=1')
+    expect(NewRequestWithContext(context.Background(), 'bad method', 'https://example.invalid/', null)[1]?.Error()).toBe(
+      'net/http: invalid method "bad method"',
+    )
+    expect(NewRequestWithContext(null, MethodGet, 'https://example.invalid/', null)[1]?.Error()).toBe(
+      'net/http: nil Context',
+    )
+    expect(NewRequestWithContext(context.Background(), MethodGet, 'http://[::1', null)[1]).not.toBeNull()
+    expect(NewRequestWithContext(context.Background(), MethodGet, 'http://x/%zz', null)[1]).not.toBeNull()
+    const [bodyReq, bodyReqErr] = NewRequest(MethodPost, 'https://example.invalid/upload', bytes.NewReader($.stringToBytes('abc')))
+    expect(bodyReqErr).toBeNull()
+    expect(bodyReq?.ContentLength).toBe(3)
+    const [stringReq, stringReqErr] = NewRequest(MethodPost, 'https://example.invalid/upload', strings.NewReader('abcd'))
+    expect(stringReqErr).toBeNull()
+    expect(stringReq?.ContentLength).toBe(4)
+    const [noBodyReq, noBodyErr] = NewRequest(MethodPost, 'https://example.invalid/upload', NoBody)
+    expect(noBodyErr).toBeNull()
+    expect(noBodyReq?.ContentLength).toBe(0)
+    expect(noBodyReq?.Body).toBe(NoBody)
+  })
+  it('applies cross-origin protection checks', () => {
+    const protection = NewCrossOriginProtection()
+    const [sameOrigin] = NewRequest(MethodPost, 'https://example.invalid/update', null)
+    Header_Set(sameOrigin!.Header, 'Sec-Fetch-Site', 'same-origin')
+    expect(protection.Check(sameOrigin)).toBeNull()
+    const [noHeaders] = NewRequest(MethodPost, 'https://example.invalid/update', null)
+    expect(protection.Check(noHeaders)).toBeNull()
+    const [safe] = NewRequest(MethodOptions, 'https://example.invalid/update', null)
+    Header_Set(safe!.Header, 'Sec-Fetch-Site', 'cross-site')
+    expect(protection.Check(safe)).toBeNull()
+    const [matchingOrigin] = NewRequest(MethodPost, 'https://example.invalid/update', null)
+    Header_Set(matchingOrigin!.Header, 'Origin', 'https://example.invalid')
+    expect(protection.Check(matchingOrigin)).toBeNull()
+    const [crossSite] = NewRequest(MethodPost, 'https://example.invalid/update', null)
+    Header_Set(crossSite!.Header, 'Sec-Fetch-Site', 'cross-site')
+    expect(protection.Check(crossSite)?.Error()).toContain('Sec-Fetch-Site')
+    const [oldBrowser] = NewRequest(MethodPost, 'https://example.invalid/update', null)
+    Header_Set(oldBrowser!.Header, 'Origin', 'https://attacker.invalid')
+    expect(protection.Check(oldBrowser)?.Error()).toContain('Origin does not match Host')
+    expect(protection.AddTrustedOrigin('https://trusted.invalid')).toBeNull()
+    expect(protection.AddTrustedOrigin('https://trusted.invalid/')).not.toBeNull()
+    const [trusted] = NewRequest(MethodPost, 'https://example.invalid/update', null)
+    Header_Set(trusted!.Header, 'Origin', 'https://trusted.invalid')
+    Header_Set(trusted!.Header, 'Sec-Fetch-Site', 'cross-site')
+    expect(protection.Check(trusted)).toBeNull()
+    protection.AddInsecureBypassPattern('/bypass/')
+    protection.AddInsecureBypassPattern('POST /post-only/')
+    const [bypass] = NewRequest(MethodPost, 'https://example.invalid/bypass/ok', null)
+    Header_Set(bypass!.Header, 'Origin', 'https://attacker.invalid')
+    Header_Set(bypass!.Header, 'Sec-Fetch-Site', 'cross-site')
+    expect(protection.Check(bypass)).toBeNull()
+    const [methodBypass] = NewRequest(MethodPost, 'https://example.invalid/post-only/', null)
+    Header_Set(methodBypass!.Header, 'Origin', 'https://attacker.invalid')
+    expect(protection.Check(methodBypass)).toBeNull()
+  })
+  it('routes cross-origin protection handlers through deny and success paths', () => {
+    const protection = NewCrossOriginProtection()
+    let served = false
+    const handler = protection.Handler({
+      ServeHTTP(w) {
+        served = true
+        w?.WriteHeader(StatusOK)
+      },
+    })
+    const [blocked] = NewRequest(MethodPost, 'https://example.invalid/update', null)
+    Header_Set(blocked!.Header, 'Sec-Fetch-Site', 'cross-site')
+    const blockedWriter = new testResponseWriter()
+    handler.ServeHTTP(blockedWriter, blocked)
+    expect(served).toBe(false)
+    expect(blockedWriter.Code).toBe(StatusForbidden)
+    protection.SetDenyHandler({
+      ServeHTTP(w) {
+        w?.WriteHeader(StatusTeapot)
+      },
+    })
+    const deniedWriter = new testResponseWriter()
+    handler.ServeHTTP(deniedWriter, blocked)
+    expect(deniedWriter.Code).toBe(StatusTeapot)
+    const [safe] = NewRequest(MethodGet, 'https://example.invalid/update', null)
+    const allowedWriter = new testResponseWriter()
+    handler.ServeHTTP(allowedWriter, safe)
+    expect(served).toBe(true)
+    expect(allowedWriter.Code).toBe(StatusOK)
+  })
+  it('parses cookies and reports syntax errors', () => {
+    const [cookies, cookieErr] = ParseCookie('Cookie-1="v$1"; c2=v2')
+    expect(cookieErr).toBeNull()
+    expect(cookies?.[0]?.Name).toBe('Cookie-1')
+    expect(cookies?.[0]?.Value).toBe('v$1')
+    expect(cookies?.[0]?.Quoted).toBe(true)
+    expect(cookies?.[1]?.Name).toBe('c2')
+    expect(cookies?.[1]?.Value).toBe('v2')
+    expect(ParseCookie('')[1]?.Error()).toBe('http: blank cookie')
+    expect(ParseCookie('missing-equals')[1]?.Error()).toBe("http: '=' not found in cookie")
+    expect(ParseCookie('=v1')[1]?.Error()).toBe('http: invalid cookie name')
+    expect(ParseCookie('k1=\\')[1]?.Error()).toBe('http: invalid cookie value')
+    const [setCookie, setErr] = ParseSetCookie(
+      'sid=abc; Path=/app; Domain=example.invalid; HttpOnly; Secure; SameSite=Strict; Max-Age=60; Partitioned',
+    )
+    expect(setErr).toBeNull()
+    expect(setCookie?.Name).toBe('sid')
+    expect(setCookie?.Value).toBe('abc')
+    expect(setCookie?.Path).toBe('/app')
+    expect(setCookie?.Domain).toBe('example.invalid')
+    expect(setCookie?.HttpOnly).toBe(true)
+    expect(setCookie?.Secure).toBe(true)
+    expect(setCookie?.SameSite).toBe(SameSiteStrictMode)
+    expect(setCookie?.MaxAge).toBe(60)
+    expect(setCookie?.Partitioned).toBe(true)
+    expect(setCookie?.Raw).toContain('sid=abc')
+    const [spaced, spacedErr] = ParseSetCookie('special-9 =","')
+    expect(spacedErr).toBeNull()
+    expect(spaced?.Name).toBe('special-9')
+    expect(spaced?.Value).toBe(',')
+    expect(spaced?.Quoted).toBe(true)
+    expect(ParseSetCookie('')[1]?.Error()).toBe('http: blank cookie')
+    expect(ParseSetCookie('missing-equals')[1]?.Error()).toBe("http: '=' not found in cookie")
+    expect(ParseSetCookie('=v1')[1]?.Error()).toBe('http: invalid cookie name')
+    expect(ParseSetCookie('k1=\\')[1]?.Error()).toBe('http: invalid cookie value')
+  })
+  it('exports no-body, limit-reader, and unsupported controller surfaces', async () => {
+    const empty = new Uint8Array(1)
+    const [n, err] = NoBody.Read(empty)
+    expect(n).toBe(0)
+    expect(err).toBe(io.EOF)
+    expect(NoBody.Close()).toBeNull()
+    const limited = MaxBytesReader(null, {
+      Read: (p: Uint8Array) => {
+        p[0] = 1
+        if (p.length > 1) {
+          p[1] = 2
+        }
+        return [1, null]
+      },
+      Close: () => null,
+    }, 1)
+    const limitedBuf = new Uint8Array(2)
+    expect(limited.Read(limitedBuf)).toEqual([1, null])
+    expect(limitedBuf[0]).toBe(1)
+    const [, limitErr] = limited.Read(new Uint8Array(1))
+    expect(limitErr).toBeInstanceOf(MaxBytesError)
+    const exactReader = MaxBytesReader(null, io.NopCloser(bytes.NewReader($.stringToBytes('ok'))), 2)
+    const [exactData, exactErr] = await io.ReadAll(exactReader)
+    expect(exactErr).toBeNull()
+    expect(Buffer.from(exactData ?? []).toString('utf8')).toBe('ok')
+    const tooLarge = MaxBytesReader(null, io.NopCloser(bytes.NewReader($.stringToBytes('toolarge'))), 2)
+    const tooLargeBuf = new Uint8Array(8)
+    const [tooLargeN, tooLargeErr] = tooLarge.Read(tooLargeBuf)
+    expect(tooLargeN).toBe(2)
+    expect(tooLargeErr).toBeInstanceOf(MaxBytesError)
+    expect((tooLargeErr as MaxBytesError).Limit).toBe(2)
+    expect(Buffer.from(tooLargeBuf.slice(0, tooLargeN)).toString('utf8')).toBe('to')
+    const controller = NewResponseController(null)
+    expect(controller.Hijack()[2]).toBe(ErrNotSupported)
+    expect(controller.SetReadDeadline({} as any)).toBe(ErrNotSupported)
+    expect(ListenAndServe(':0', null)).toBe(ErrNotSupported)
+    expect(new Transport().Clone()).toBeInstanceOf(Transport)
+  })
+  it('wraps a cloned request body in MaxBytesHandler', () => {
+    const body = io.NopCloser(bytes.NewReader($.stringToBytes('ok')))
+    const [req] = NewRequest(MethodPost, 'http://example.invalid/upload', body)
+    let servedReq: any = null
+    const handler = MaxBytesHandler({
+      ServeHTTP(_w, r) {
+        servedReq = $.pointerValue(r)
+        Header_Set(servedReq.Header, 'X-Shared', 'true')
+      },
+    }, 1)
+    handler.ServeHTTP(null, req)
+    expect(servedReq).not.toBe(req)
+    expect(servedReq.Body).not.toBe(body)
+    expect(req!.Body).toBe(body)
+    expect(Header_Get(req!.Header, 'X-Shared')).toBe('true')
+  })
+  it('routes Get through fetch-backed DefaultTransport', async () => {
+    Object.defineProperty(globalThis, 'fetch', {
+      configurable: true,
+      writable: true,
+      value: async () =>
+        new globalThis.Response('hello', {
+          status: StatusOK,
+          statusText: 'OK',
+          headers: { 'Content-Length': '5', 'X-Test': 'ok' },
+        }),
+    })
+    const [resp, err] = await Get('https://example.invalid')
+    expect(err).toBeNull()
+    expect(resp?.StatusCode).toBe(StatusOK)
+    expect(Header_Get(resp!.Header, 'x-test')).toBe('ok')
   })
   it('accepts VarRef requests for client calls', async () => {
+    Object.defineProperty(globalThis, 'fetch', {
+      configurable: true,
+      writable: true,
+      value: async () => {
+        throw new Error('network down')
+      },
+    })
     const [req, reqErr] = NewRequest(MethodPost, 'https://example.invalid', null)
     expect(reqErr).toBeNull()
     expect((req!.URL as any).Path).toBe('/')
-    expect(req!.RequestURI).toBe('/')
+    expect(req!.Host).toBe('example.invalid')
+    expect(req!.RequestURI).toBe('')
     const [resp, err] = await new Client().Do(varRef(req!))
     expect(resp).toBeNull()
-    expect(err?.Error()).toBe('net/http: Client.Do is not implemented in GoScript')
+    expect(err?.Error()).toContain('network down')
   })
   it('wraps request body readers and keeps response metadata', () => {
@@ -88,13 +451,197 @@ describe('net/http override', () => {
     expect((resp.Request as any).value).toBe(req)
   })
-  it('exports the default transport surface', async () => {
-    const [req] = NewRequest(MethodPost, 'https://example.invalid', null)
+  it('exports fetch-backed default transport surface', async () => {
+    let requestBodyClosed = false
+    Object.defineProperty(globalThis, 'fetch', {
+      configurable: true,
+      writable: true,
+      value: async (input: RequestInfo | URL, init?: RequestInit) => {
+        expect(String(input)).toBe('https://example.invalid/upload')
+        expect(init?.method).toBe(MethodPost)
+        const headers = init?.headers as Headers
+        expect(headers.get('Range')).toBe('bytes=0-9')
+        expect(headers.get('Authorization')).toBe('Bearer test')
+        expect(Buffer.from((init?.body as Uint8Array) ?? []).toString('utf8')).toBe('payload')
+        return new globalThis.Response('accepted', {
+          status: StatusCreated,
+          statusText: 'Created',
+          headers: { 'Content-Length': '8', 'X-Reply': 'yes' },
+        })
+      },
+    })
+    const payload = bytes.NewReader($.stringToBytes('payload'))
+    const requestBody = {
+      Read: payload.Read.bind(payload),
+      Close: () => {
+        requestBodyClosed = true
+        return null
+      },
+    }
+    const [req] = NewRequest(MethodPost, 'https://example.invalid/upload', requestBody)
+    Header_Set(req!.Header, 'Range', 'bytes=0-9')
+    Header_Set(req!.Header, 'Authorization', 'Bearer test')
+    const [resp, err] = await DefaultTransport.RoundTrip(req)
+    expect(err).toBeNull()
+    expect(resp?.StatusCode).toBe(StatusCreated)
+    expect(resp?.ContentLength).toBe(8)
+    expect(Header_Get(resp!.Header, 'x-reply')).toBe('yes')
+    expect(requestBodyClosed).toBe(true)
+  })
+  it('closes request bodies when fetch body reads fail', async () => {
+    let requestBodyClosed = false
+    Object.defineProperty(globalThis, 'fetch', {
+      configurable: true,
+      writable: true,
+      value: async () => {
+        throw new Error('fetch should not run')
+      },
+    })
+    const readErr = $.newError('read failed')
+    const [req] = NewRequest(MethodPost, 'https://example.invalid/upload', {
+      Read: () => [0, readErr],
+      Close: () => {
+        requestBodyClosed = true
+        return null
+      },
+    })
     const [resp, err] = await DefaultTransport.RoundTrip(req)
     expect(resp).toBeNull()
-    expect(err?.Error()).toBe('net/http: Client.Do is not implemented in GoScript')
+    expect(err).toBe(readErr)
+    expect(requestBodyClosed).toBe(true)
+  })
+  it('closes request bodies before unsupported and canceled requests return', async () => {
+    let unsupportedClosed = false
+    Object.defineProperty(globalThis, 'fetch', {
+      configurable: true,
+      writable: true,
+      value: undefined,
+    })
+    const [unsupportedReq] = NewRequest(MethodPost, 'https://example.invalid/upload', {
+      Read: () => [0, null],
+      Close: () => {
+        unsupportedClosed = true
+        return null
+      },
+    })
+    const [unsupportedResp, unsupportedErr] = await DefaultTransport.RoundTrip(unsupportedReq)
+    expect(unsupportedResp).toBeNull()
+    expect(unsupportedErr?.Error()).toContain('Client.Do is not implemented')
+    expect(unsupportedClosed).toBe(true)
+    let canceledClosed = false
+    Object.defineProperty(globalThis, 'fetch', {
+      configurable: true,
+      writable: true,
+      value: async () => {
+        throw new Error('fetch should not run')
+      },
+    })
+    const [ctx, cancel] = context.WithCancel(context.Background())
+    cancel?.()
+    const [canceledReq] = NewRequest(MethodPost, 'https://example.invalid/upload', {
+      Read: () => [0, null],
+      Close: () => {
+        canceledClosed = true
+        return null
+      },
+    })
+    const [canceledResp, canceledErr] = await DefaultTransport.RoundTrip(canceledReq!.WithContext(ctx))
+    expect(canceledResp).toBeNull()
+    expect(canceledErr).toBe(context.Canceled)
+    expect(canceledClosed).toBe(true)
+  })
+  it('closes request bodies for methods that do not send a fetch body', async () => {
+    let requestBodyClosed = false
+    Object.defineProperty(globalThis, 'fetch', {
+      configurable: true,
+      writable: true,
+      value: async (_input: RequestInfo | URL, init?: RequestInit) => {
+        expect(init?.method).toBe(MethodGet)
+        expect(init?.body).toBeUndefined()
+        return new globalThis.Response('ok', { status: StatusOK })
+      },
+    })
+    const [req] = NewRequest(MethodGet, 'https://example.invalid/read', {
+      Read: () => {
+        throw new Error('GET body should not be read')
+      },
+      Close: () => {
+        requestBodyClosed = true
+        return null
+      },
+    })
+    const [resp, err] = await DefaultTransport.RoundTrip(req)
+    expect(err).toBeNull()
+    expect(resp?.StatusCode).toBe(StatusOK)
+    expect(requestBodyClosed).toBe(true)
+  })
+  it('closes request bodies after in-process handlers return', async () => {
+    let handlerSawBody = false
+    let requestBodyClosed = false
+    const url = RegisterInProcessServer({
+      ServeHTTP: (w, r) => {
+        const req = $.pointerValue(r)
+        handlerSawBody = req?.Body != null
+        expect(req?.RequestURI).toBe('/close?q=1')
+        expect(req?.URL.Host).toBe('')
+        expect(req?.URL.Scheme).toBe('')
+        w?.WriteHeader(StatusOK)
+      },
+    })
+    try {
+      const [req] = NewRequest(MethodPost, url + '/close?q=1', {
+        Read: () => [0, null],
+        Close: () => {
+          requestBodyClosed = true
+          return null
+        },
+      })
+      const [resp, err] = await DefaultTransport.RoundTrip(req)
+      expect(err).toBeNull()
+      expect(resp?.StatusCode).toBe(StatusOK)
+      expect(handlerSawBody).toBe(true)
+      expect(requestBodyClosed).toBe(true)
+    } finally {
+      UnregisterInProcessServer(url)
+    }
+  })
+  it('suppresses in-process response bodies for HEAD requests', async () => {
+    const url = RegisterInProcessServer({
+      ServeHTTP(w) {
+        w?.WriteHeader(StatusOK)
+        w?.Write($.stringToBytes('hidden'))
+      },
+    })
+    try {
+      const [req] = NewRequest(MethodHead, url + '/head', null)
+      const [resp, err] = await new Transport().RoundTrip(req)
+      expect(err).toBeNull()
+      const [n, readErr] = resp!.Body!.Read(new Uint8Array(8))
+      expect(n).toBe(0)
+      expect(readErr).toBe(io.EOF)
+    } finally {
+      UnregisterInProcessServer(url)
+    }
   })
   it('delegates client calls through RoundTripper implementations', async () => {
@@ -109,7 +656,7 @@ describe('net/http override', () => {
           const request = (got as any).value ?? got
           expect(request.UserAgent()).toBe('goscript-test')
           expect(request.RemoteAddr).toBe('127.0.0.1:1234')
-          expect(request.RequestURI).toBe('/path')
+          expect(request.RequestURI).toBe('')
           expect(request.ContentLength).toBe(42)
           return [new Response({ StatusCode: StatusOK }), null]
         },
@@ -121,6 +668,39 @@ describe('net/http override', () => {
     expect(resp?.StatusCode).toBe(StatusOK)
   })
+  it('posts URL-encoded forms through clients and package helper', async () => {
+    const transport = {
+      async RoundTrip(got: Request | $.VarRef<Request> | null): Promise<[Response | null, $.GoError]> {
+        const request = $.pointerValue<Request>(got)
+        expect(request.Method).toBe(MethodPost)
+        expect(Header_Get(request.Header, 'Content-Type')).toBe('application/x-www-form-urlencoded')
+        const [data, err] = await io.ReadAll(request.Body!)
+        expect(err).toBeNull()
+        expect($.bytesToString(data)).toBe('a=one&a=two&space=x+y')
+        return [new Response({ StatusCode: StatusOK }), null]
+      },
+    }
+    const form = new Map<string, $.Slice<string>>([
+      ['space', $.arrayToSlice(['x y'])],
+      ['a', $.arrayToSlice(['one', 'two'])],
+    ])
+    const client = new Client({ Transport: transport })
+    const [clientResp, clientErr] = await client.PostForm('https://example.invalid/form', form)
+    expect(clientErr).toBeNull()
+    expect(clientResp?.StatusCode).toBe(StatusOK)
+    const oldTransport = DefaultClient.Transport
+    DefaultClient.Transport = transport
+    try {
+      const [resp, err] = await PostForm('https://example.invalid/form', form)
+      expect(err).toBeNull()
+      expect(resp?.StatusCode).toBe(StatusOK)
+    } finally {
+      DefaultClient.Transport = oldTransport
+    }
+  })
   it('canonicalizes header keys for case-insensitive lookup', () => {
     const header = new Header()
@@ -169,11 +749,83 @@ describe('net/http override', () => {
     expect(writes).toEqual(['status:404', '404 page not found\n'])
   })
+  it('routes through default mux and handler helper exports', () => {
+    const writes: string[] = []
+    const writer: ResponseWriter = {
+      Header: () => new Header(),
+      Write: (p) => {
+        writes.push(Buffer.from(p ?? []).toString('utf8'))
+        return [p?.length ?? 0, null]
+      },
+      WriteHeader: (code) => writes.push(`status:${code}`),
+    }
+    const [req] = NewRequest(MethodGet, 'https://example.invalid/default', null)
+    Handle('/default', {
+      ServeHTTP(w) {
+        w!.WriteHeader(StatusOK)
+        w!.Write($.stringToBytes('default mux'))
+      },
+    })
+    DefaultServeMux.ServeHTTP(writer, req)
+    NotFoundHandler().ServeHTTP(writer, req)
+    expect(writes).toEqual([
+      'status:200',
+      'default mux',
+      'status:404',
+      '404 page not found\n',
+    ])
+  })
+  it('formats Set-Cookie headers for browser bootstrap routes', () => {
+    const header = new Header()
+    const writer: ResponseWriter = {
+      Header: () => header,
+      Write: (p) => [p?.length ?? 0, null],
+      WriteHeader: () => undefined,
+    }
+    SetCookie(writer, new Cookie({
+      Name: 'spacewave_local_capability',
+      Value: 'token',
+      Path: '/',
+      MaxAge: 300,
+      HttpOnly: true,
+      Secure: true,
+      SameSite: SameSiteStrictMode,
+    }))
+    expect(Array.from(header.get('Set-Cookie') ?? [])).toEqual([
+      'spacewave_local_capability=token; Path=/; Max-Age=300; HttpOnly; Secure; SameSite=Strict',
+    ])
+  })
   it('parses HTTP dates', () => {
     const [parsed, err] = ParseTime('Sun, 06 Nov 1994 08:49:37 GMT')
     expect(err).toBeNull()
     expect(parsed.Unix()).toBe(784111777)
+    expect(DetectContentType($.stringToBytes('<HTML>ok'))).toBe('text/html; charset=utf-8')
+    expect(
+      DetectContentType(new Uint8Array([0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a])),
+    ).toBe('image/png')
+    expect(DetectContentType(new Uint8Array([0xff, 0xd8, 0xff, 0x00]))).toBe('image/jpeg')
+    expect(DetectContentType($.stringToBytes('%PDF-1.7'))).toBe('application/pdf')
+    expect(DetectContentType($.stringToBytes('RIFFxxxxWEBPVP'))).toBe('image/webp')
+    expect(DetectContentType($.stringToBytes('FORMxxxxAIFF'))).toBe('audio/aiff')
+    expect(DetectContentType($.stringToBytes('ID3payload'))).toBe('audio/mpeg')
+    expect(DetectContentType($.stringToBytes('wOFFpayload'))).toBe('font/woff')
+    expect(DetectContentType(new Uint8Array([
+      0x00, 0x00, 0x00, 0x18,
+      0x66, 0x74, 0x79, 0x70,
+      0x69, 0x73, 0x6f, 0x6d,
+      0x00, 0x00, 0x00, 0x00,
+      0x6d, 0x70, 0x34, 0x31,
+      0x00, 0x00, 0x00, 0x00,
+    ]))).toBe('video/mp4')
+    expect(DetectContentType(new Uint8Array([0x00, 0x01, 0x02]))).toBe('application/octet-stream')
+    expect(DetectContentType(new Uint8Array())).toBe('text/plain; charset=utf-8')
   })
   it('exports file server interface shapes', () => {
@@ -191,4 +843,121 @@ describe('net/http override', () => {
     expect(fsys.Open('ok')[0]).toBe(file)
     expect(fsys.Open('missing')[1]?.message).toBe('missing')
   })
+  it('serves files and omits HEAD response bodies', async () => {
+    const opened: string[] = []
+    const makeFile = () => {
+      const reader = bytes.NewReader($.stringToBytes('hello'))
+      return {
+        Close: () => null,
+        Read: (p: Uint8Array) => reader.Read(p),
+        Seek: (offset: number, whence: number) => reader.Seek(offset, whence),
+        Readdir: () => [null, null] as [null, null],
+        Stat: () => [
+          {
+            IsDir: () => false,
+            ModTime: () => null as never,
+            Mode: () => 0,
+            Name: () => 'file.txt',
+            Size: () => 5,
+            Sys: () => null,
+          },
+          null,
+        ] as const,
+      }
+    }
+    const root = FS({
+      Open: (name) => {
+        opened.push(name)
+        return name === 'file.txt' ? [makeFile(), null] : [null, new Error('missing')]
+      },
+    })
+    const writes: string[] = []
+    const header = new Header()
+    const writer: ResponseWriter = {
+      Header: () => header,
+      Write: (p) => {
+        writes.push(Buffer.from(p ?? []).toString('utf8'))
+        return [p?.length ?? 0, null]
+      },
+      WriteHeader: (code) => writes.push(`status:${code}`),
+    }
+    const handler = FileServer(root)
+    const [getReq] = NewRequest(MethodGet, 'http://example.invalid/../file.txt', null)
+    await handler.ServeHTTP(writer, getReq)
+    expect(opened).toEqual(['file.txt'])
+    expect(writes).toEqual(['status:200', 'hello'])
+    expect(Header_Get(header, 'Content-Length')).toBe('5')
+    writes.length = 0
+    opened.length = 0
+    const [headReq] = NewRequest(MethodHead, 'http://example.invalid/file.txt', null)
+    await handler.ServeHTTP(writer, headReq)
+    expect(opened).toEqual(['file.txt'])
+    expect(writes).toEqual(['status:200'])
+  })
+  it('awaits ServeContent writes before returning', async () => {
+    const writes: string[] = []
+    const writer: ResponseWriter = {
+      Header: () => new Header(),
+      Write: (p) => {
+        writes.push(Buffer.from(p ?? []).toString('utf8'))
+        return [p?.length ?? 0, null]
+      },
+      WriteHeader: (code) => writes.push(`status:${code}`),
+    }
+    const [req] = NewRequest(MethodGet, 'http://example.invalid/content.txt', null)
+    await ServeContent(writer, req, 'content.txt', null as never, bytes.NewReader($.stringToBytes('served')))
+    expect(writes).toEqual(['status:200', 'served'])
+    writes.length = 0
+    const [headReq] = NewRequest(MethodHead, 'http://example.invalid/content.txt', null)
+    await ServeContent(writer, headReq, 'content.txt', null as never, bytes.NewReader($.stringToBytes('hidden')))
+    expect(writes).toEqual(['status:200'])
+  })
+  it('closes request bodies after file transport requests', async () => {
+    const root = FS({
+      Open: () => [null, new Error('missing')],
+    })
+    let closed = false
+    const [req] = NewRequest(MethodGet, 'file:///missing.txt', {
+      Read: () => [0, io.EOF],
+      Close: () => {
+        closed = true
+        return null
+      },
+    })
+    const [resp, err] = await NewFileTransport(root).RoundTrip(req)
+    expect(err).toBeNull()
+    expect(resp?.StatusCode).toBe(StatusNotFound)
+    expect(closed).toBe(true)
+  })
+  it('exports ServeFile for browser builds without local filesystem access', () => {
+    const writes: string[] = []
+    const writer: ResponseWriter = {
+      Header: () => new Header(),
+      Write: (p) => {
+        writes.push(Buffer.from(p ?? []).toString('utf8'))
+        return [p?.length ?? 0, null]
+      },
+      WriteHeader: (code) => writes.push(`status:${code}`),
+    }
+    const [req] = NewRequest(MethodGet, 'http://example.invalid/eval/missing.js', null)
+    ServeFile(writer, req, '/host-only/missing.js')
+    expect(writes[0]).toBe('status:404')
+  })
 })