keryx 0.29.10 → 0.29.11

package/actions/swagger.ts

@@ -62,10 +62,10 @@ export class Swagger implements Action {
   web = { route: "/swagger", method: HTTP_METHOD.GET };
 
   async run() {
-    const paths: Record<string, any> = {};
+    const paths: Record<string, Record<string, unknown>> = {};
     const components: {
-      schemas: Record<string, any>;
-      securitySchemes?: Record<string, any>;
+      schemas: Record<string, unknown>;
+      securitySchemes?: Record<string, unknown>;
     } = {
       schemas: {},
       securitySchemes: {
@@ -94,21 +94,23 @@ export class Swagger implements Action {
       const description = action.description;
 
       // Extract path parameters from the original route
-      const parameters: any[] = [];
+      const parameters: Array<Record<string, unknown>> = [];
       const pathParamMatches = action.web.route.match(/:\w+/g) || [];
       const pathParamNames = new Set<string>();
 
       // Pre-compute Zod JSON Schema for enriching path param types
-      let zodProperties: Record<string, any> = {};
+      let zodProperties: Record<string, Record<string, unknown>> = {};
       let zodDescriptions: Record<string, string> = {};
       if (action.inputs && typeof action.inputs.parse === "function") {
         const jsonSchema = z.toJSONSchema(action.inputs, {
           io: "input",
           unrepresentable: "any",
-        }) as any;
-        zodProperties = jsonSchema.properties ?? {};
-        for (const [name, propSchema] of Object.entries<any>(zodProperties)) {
-          if (propSchema.description) {
+        }) as Record<string, unknown>;
+        zodProperties =
+          (jsonSchema.properties as Record<string, Record<string, unknown>>) ??
+          {};
+        for (const [name, propSchema] of Object.entries(zodProperties)) {
+          if (typeof propSchema.description === "string") {
             zodDescriptions[name] = propSchema.description;
           }
         }
@@ -135,16 +137,18 @@ export class Swagger implements Action {
         const fullSchema = z.toJSONSchema(action.inputs!, {
           io: "input",
           unrepresentable: "any",
-        }) as any;
-        const requiredFields = new Set<string>(fullSchema.required ?? []);
-        for (const [name, propSchema] of Object.entries<any>(zodProperties)) {
+        }) as Record<string, unknown>;
+        const requiredFields = new Set<string>(
+          (fullSchema.required as string[] | undefined) ?? [],
+        );
+        for (const [name, propSchema] of Object.entries(zodProperties)) {
           if (pathParamNames.has(name)) continue; // already a path param
           parameters.push({
             name,
             in: "query",
             required: requiredFields.has(name),
             schema: propSchema,
-            ...(propSchema.description
+            ...(typeof propSchema.description === "string"
               ? { description: propSchema.description }
               : {}),
           });
@@ -152,7 +156,7 @@ export class Swagger implements Action {
       }
 
       // Build requestBody if Zod inputs exist and method supports body
-      let requestBody: any = undefined;
+      let requestBody: Record<string, unknown> | undefined = undefined;
       if (
         action.inputs &&
         typeof action.inputs.parse === "function" &&
@@ -166,9 +170,9 @@ export class Swagger implements Action {
         const jsonSchema = z.toJSONSchema(zodSchema, {
           io: "input",
           unrepresentable: "any",
-        });
+        }) as Record<string, unknown>;
         // Remove $schema from component schemas (not needed in OpenAPI)
-        const { $schema, ...schemaWithout$schema } = jsonSchema as any;
+        const { $schema, ...schemaWithout$schema } = jsonSchema;
         components.schemas[schemaName] = schemaWithout$schema;
         requestBody = {
           required: true,
@@ -181,7 +185,9 @@ export class Swagger implements Action {
       }
 
       // Build responses - use generated schema if available
-      const responses = JSON.parse(JSON.stringify(swaggerResponses));
+      const responses: Record<string, unknown> = JSON.parse(
+        JSON.stringify(swaggerResponses),
+      );
 
       if (action.web?.streaming) {
         // Streaming endpoints return SSE

package/config/server/web.ts

@@ -70,7 +70,7 @@ export const configServerWeb = {
   compression: {
     enabled: await loadFromEnvIfSet("WEB_COMPRESSION_ENABLED", true),
     threshold: await loadFromEnvIfSet("WEB_COMPRESSION_THRESHOLD", 1024),
-    encodings: ["br", "gzip"] as ("br" | "gzip")[],
+    encodings: ["gzip"] as "gzip"[],
   },
   correlationId: {
     header: await loadFromEnvIfSet("WEB_CORRELATION_ID_HEADER", "X-Request-Id"),

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "keryx",
-  "version": "0.29.10",
+  "version": "0.29.11",
   "module": "index.ts",
   "type": "module",
   "license": "MIT",

package/util/config.ts

@@ -1,10 +1,11 @@
 type MergeMode = "overwrite" | "defaults";
 
-function mergeWith<T extends Record<string, any>>(
+function mergeWith<T extends Record<string, unknown>>(
   target: T,
-  source: Record<string, any>,
+  source: Record<string, unknown>,
   mode: MergeMode,
 ): T {
+  const writable = target as Record<string, unknown>;
   for (const key of Object.keys(source)) {
     const targetVal = target[key];
     const sourceVal = source[key];
@@ -17,9 +18,13 @@ function mergeWith<T extends Record<string, any>>(
       !Array.isArray(sourceVal);
 
     if (bothPlainObjects) {
-      mergeWith(targetVal, sourceVal, mode);
+      mergeWith(
+        targetVal as Record<string, unknown>,
+        sourceVal as Record<string, unknown>,
+        mode,
+      );
     } else if (mode === "overwrite" || !(key in target)) {
-      (target as any)[key] = sourceVal;
+      writable[key] = sourceVal;
     }
   }
 
@@ -30,9 +35,9 @@ function mergeWith<T extends Record<string, any>>(
 Deep-merges source into target, mutating target in place.
 Only plain objects are recursively merged; arrays and primitives are overwritten.
 */
-export function deepMerge<T extends Record<string, any>>(
+export function deepMerge<T extends Record<string, unknown>>(
   target: T,
-  source: Record<string, any>,
+  source: Record<string, unknown>,
 ): T {
   return mergeWith(target, source, "overwrite");
 }
@@ -41,9 +46,9 @@ export function deepMerge<T extends Record<string, any>>(
  * Like `deepMerge`, but only sets values that don't already exist in target.
  * Useful for applying plugin config defaults without overwriting user-set values.
  */
-export function deepMergeDefaults<T extends Record<string, any>>(
+export function deepMergeDefaults<T extends Record<string, unknown>>(
   target: T,
-  source: Record<string, any>,
+  source: Record<string, unknown>,
 ): T {
   return mergeWith(target, source, "defaults");
 }

package/util/mcpServer.ts

@@ -3,6 +3,11 @@ import {
   ResourceTemplate,
 } from "@modelcontextprotocol/sdk/server/mcp.js";
 import type { WebStandardStreamableHTTPServerTransport } from "@modelcontextprotocol/sdk/server/webStandardStreamableHttp.js";
+import type { RequestHandlerExtra } from "@modelcontextprotocol/sdk/shared/protocol.js";
+import type {
+  ServerNotification,
+  ServerRequest,
+} from "@modelcontextprotocol/sdk/types.js";
 import { randomUUID } from "crypto";
 import * as z4mini from "zod/v4-mini";
 import { api, logger } from "../api";
@@ -159,7 +164,10 @@ function registerTools(mcpServer: McpServer) {
     mcpServer.registerTool(
       toolName,
       toolConfig,
-      async (args: any, extra: any) => {
+      async (
+        args: Record<string, unknown>,
+        extra: RequestHandlerExtra<ServerRequest, ServerNotification>,
+      ) => {
         const mcpSessionId = extra.sessionId || "";
         const connection = await createMcpConnection(extra);
 

package/util/oauth.ts

@@ -40,23 +40,14 @@ export function validateRedirectUri(uri: string): {
 }
 
 /**
- * Compare two redirect URIs by origin and pathname (ignoring query params).
- * Returns `false` if either URI is malformed.
+ * Compare two redirect URIs with exact string matching, as required by
+ * RFC 6749 §3.1.2.3 and RFC 8252 §8.4.
  */
 export function redirectUrisMatch(
   registeredUri: string,
   requestedUri: string,
 ): boolean {
-  try {
-    const registered = new URL(registeredUri);
-    const requested = new URL(requestedUri);
-    return (
-      registered.origin === requested.origin &&
-      registered.pathname === requested.pathname
-    );
-  } catch {
-    return false;
-  }
+  return registeredUri === requestedUri;
 }
 
 /** Encode a byte array as a URL-safe base64 string (no padding). Used for PKCE code challenges. */

package/util/webCompression.ts

@@ -37,7 +37,7 @@ function parseAcceptEncoding(header: string): Set<string> {
 /**
  * Pick the best encoding based on server preference order and client support.
  */
-function selectEncoding(clientEncodings: Set<string>): "br" | "gzip" | null {
+function selectEncoding(clientEncodings: Set<string>): "gzip" | null {
   for (const encoding of config.server.web.compression.encodings) {
     if (clientEncodings.has(encoding)) return encoding;
   }
@@ -53,6 +53,24 @@ function isIncompressible(contentType: string | null): boolean {
   return INCOMPRESSIBLE_TYPES.has(mimeType);
 }
 
+/**
+ * Pipe a body through a gzip `CompressionStream` and build a new `Response` carrying the
+ * compression headers (`Content-Encoding`, appended `Vary`, removed `Content-Length`).
+ */
+function compressBody(body: ReadableStream, response: Response): Response {
+  const compressionStream = new CompressionStream("gzip");
+  // @ts-ignore Bun's ReadableStream type is incompatible with Node/DOM ReadableStream
+  const stream = body.pipeThrough(compressionStream);
+
+  const headers = new Headers(response.headers);
+  headers.set("Content-Encoding", "gzip");
+  headers.append("Vary", "Accept-Encoding");
+  headers.delete("Content-Length");
+
+  // @ts-ignore Bun's ReadableStream type is incompatible with Node/DOM ReadableStream
+  return new Response(stream, { status: response.status, headers });
+}
+
 /**
  * Conditionally compress an HTTP response based on the client's `Accept-Encoding` header,
  * the response content type, and the configured compression threshold.
@@ -86,8 +104,7 @@ export async function compressResponse(
   if (!acceptEncoding) return response;
 
   const clientEncodings = parseAcceptEncoding(acceptEncoding);
-  const encoding = selectEncoding(clientEncodings);
-  if (!encoding) return response;
+  if (!selectEncoding(clientEncodings)) return response;
 
   // Skip incompressible content types
   if (isIncompressible(response.headers.get("Content-Type"))) return response;
@@ -112,40 +129,9 @@ export async function compressResponse(
       });
     }
 
-    // Compress the buffered body
-    const format: Bun.CompressionFormat = encoding === "br" ? "brotli" : "gzip";
-    // @ts-ignore Bun supports "brotli" as CompressionFormat but DOM lib does not
-    const compressionStream = new CompressionStream(format);
-    // @ts-ignore Bun's ReadableStream type is incompatible with Node/DOM ReadableStream
-    const stream = new Blob([body]).stream().pipeThrough(compressionStream);
-
-    const headers = new Headers(response.headers);
-    headers.set("Content-Encoding", encoding);
-    headers.append("Vary", "Accept-Encoding");
-    headers.delete("Content-Length");
-
-    // @ts-ignore Bun's ReadableStream type is incompatible with Node/DOM ReadableStream
-    return new Response(stream, {
-      status: response.status,
-      headers,
-    });
+    return compressBody(new Blob([body]).stream(), response);
   }
 
   // Content-Length is present and above threshold — stream-compress
-  const format: Bun.CompressionFormat = encoding === "br" ? "brotli" : "gzip";
-  // @ts-ignore Bun supports "brotli" as CompressionFormat but DOM lib does not
-  const compressionStream = new CompressionStream(format);
-  // @ts-ignore Bun's ReadableStream type is incompatible with Node/DOM ReadableStream
-  const stream = response.body.pipeThrough(compressionStream);
-
-  const headers = new Headers(response.headers);
-  headers.set("Content-Encoding", encoding);
-  headers.append("Vary", "Accept-Encoding");
-  headers.delete("Content-Length");
-
-  // @ts-ignore Bun's ReadableStream type is incompatible with Node/DOM ReadableStream
-  return new Response(stream, {
-    status: response.status,
-    headers,
-  });
+  return compressBody(response.body, response);
 }

package/util/zodMixins.ts

@@ -1,4 +1,4 @@
-import { eq } from "drizzle-orm";
+import { type AnyColumn, eq, type Table } from "drizzle-orm";
 import { z } from "zod/v4";
 import { api } from "../api";
 import { ErrorType, TypedError } from "../classes/TypedError";
@@ -79,9 +79,6 @@ export function paginationInputs(options?: {
   });
 }
 
-// Type for Drizzle tables with an id column
-type TableWithId = { id: any; $inferSelect: any };
-
 /**
  * Generic factory to create a Zod schema that accepts either an ID or a model object.
  * If an ID is provided, it resolves to the full model via database lookup.
@@ -91,8 +88,8 @@ type TableWithId = { id: any; $inferSelect: any };
  * @param isModel - Type guard function to check if value is already a model
  * @param entityName - Human-readable name for error messages
  */
-export function zIdOrModel<TTable extends TableWithId, TModel>(
-  table: TTable,
+export function zIdOrModel<TModel>(
+  table: Table & { id: AnyColumn },
   modelSchema: z.ZodType<TModel>,
   isModel: (val: unknown) => val is TModel,
   entityName: string,
@@ -105,8 +102,8 @@ export function zIdOrModel<TTable extends TableWithId, TModel>(
       }
       const [record] = await api.db.db
         .select()
-        .from(table as any)
-        .where(eq((table as any).id, val))
+        .from(table)
+        .where(eq(table.id, val))
         .limit(1);
 
       if (!record) {