keryx 0.29.10 → 0.30.0

package/actions/swagger.ts

@@ -62,10 +62,10 @@ export class Swagger implements Action {
   web = { route: "/swagger", method: HTTP_METHOD.GET };
 
   async run() {
-    const paths: Record<string, any> = {};
+    const paths: Record<string, Record<string, unknown>> = {};
     const components: {
-      schemas: Record<string, any>;
-      securitySchemes?: Record<string, any>;
+      schemas: Record<string, unknown>;
+      securitySchemes?: Record<string, unknown>;
     } = {
       schemas: {},
       securitySchemes: {
@@ -94,21 +94,23 @@ export class Swagger implements Action {
       const description = action.description;
 
       // Extract path parameters from the original route
-      const parameters: any[] = [];
+      const parameters: Array<Record<string, unknown>> = [];
       const pathParamMatches = action.web.route.match(/:\w+/g) || [];
       const pathParamNames = new Set<string>();
 
       // Pre-compute Zod JSON Schema for enriching path param types
-      let zodProperties: Record<string, any> = {};
+      let zodProperties: Record<string, Record<string, unknown>> = {};
       let zodDescriptions: Record<string, string> = {};
       if (action.inputs && typeof action.inputs.parse === "function") {
         const jsonSchema = z.toJSONSchema(action.inputs, {
           io: "input",
           unrepresentable: "any",
-        }) as any;
-        zodProperties = jsonSchema.properties ?? {};
-        for (const [name, propSchema] of Object.entries<any>(zodProperties)) {
-          if (propSchema.description) {
+        }) as Record<string, unknown>;
+        zodProperties =
+          (jsonSchema.properties as Record<string, Record<string, unknown>>) ??
+          {};
+        for (const [name, propSchema] of Object.entries(zodProperties)) {
+          if (typeof propSchema.description === "string") {
             zodDescriptions[name] = propSchema.description;
           }
         }
@@ -135,16 +137,18 @@ export class Swagger implements Action {
         const fullSchema = z.toJSONSchema(action.inputs!, {
           io: "input",
           unrepresentable: "any",
-        }) as any;
-        const requiredFields = new Set<string>(fullSchema.required ?? []);
-        for (const [name, propSchema] of Object.entries<any>(zodProperties)) {
+        }) as Record<string, unknown>;
+        const requiredFields = new Set<string>(
+          (fullSchema.required as string[] | undefined) ?? [],
+        );
+        for (const [name, propSchema] of Object.entries(zodProperties)) {
           if (pathParamNames.has(name)) continue; // already a path param
           parameters.push({
             name,
             in: "query",
             required: requiredFields.has(name),
             schema: propSchema,
-            ...(propSchema.description
+            ...(typeof propSchema.description === "string"
               ? { description: propSchema.description }
               : {}),
           });
@@ -152,7 +156,7 @@ export class Swagger implements Action {
       }
 
       // Build requestBody if Zod inputs exist and method supports body
-      let requestBody: any = undefined;
+      let requestBody: Record<string, unknown> | undefined = undefined;
       if (
         action.inputs &&
         typeof action.inputs.parse === "function" &&
@@ -166,9 +170,9 @@ export class Swagger implements Action {
         const jsonSchema = z.toJSONSchema(zodSchema, {
           io: "input",
           unrepresentable: "any",
-        });
+        }) as Record<string, unknown>;
         // Remove $schema from component schemas (not needed in OpenAPI)
-        const { $schema, ...schemaWithout$schema } = jsonSchema as any;
+        const { $schema, ...schemaWithout$schema } = jsonSchema;
         components.schemas[schemaName] = schemaWithout$schema;
         requestBody = {
           required: true,
@@ -181,7 +185,9 @@ export class Swagger implements Action {
       }
 
       // Build responses - use generated schema if available
-      const responses = JSON.parse(JSON.stringify(swaggerResponses));
+      const responses: Record<string, unknown> = JSON.parse(
+        JSON.stringify(swaggerResponses),
+      );
 
       if (action.web?.streaming) {
         // Streaming endpoints return SSE

package/api.ts

@@ -17,7 +17,7 @@ export {
   type ChannelConstructorInputs,
   type ChannelMiddleware,
 } from "./classes/Channel";
-export { Connection } from "./classes/Connection";
+export { CONNECTION_TYPE, Connection } from "./classes/Connection";
 export { Initializer } from "./classes/Initializer";
 export { LogFormat, Logger } from "./classes/Logger";
 export { Server } from "./classes/Server";

package/classes/Connection.ts

@@ -63,6 +63,26 @@ type ActionParamsState = {
   value: Record<string, unknown>;
 };
 
+/**
+ * The transport that originated a {@link Connection}. Use these constants
+ * instead of bare strings when checking `connection.type` so the value is
+ * consistent across the framework, plugins, and middleware.
+ */
+export enum CONNECTION_TYPE {
+  /** HTTP request handled by the web server. */
+  WEB = "web",
+  /** WebSocket message handled by the web server's `Bun.serve` upgrade. */
+  WEBSOCKET = "websocket",
+  /** Action invoked from the CLI runner. */
+  CLI = "cli",
+  /** Action invoked through the MCP transport. */
+  MCP = "mcp",
+  /** Action running as a Resque background task. */
+  TASK = "task",
+  /** Action invoked from the OAuth login/signup flow. */
+  OAUTH = "oauth",
+}
+
 /**
  * Represents a client connection to the server — HTTP request, WebSocket, or internal caller.
  * Each connection tracks its own session, channel subscriptions, and rate-limit state.
@@ -75,8 +95,8 @@ export class Connection<
   T extends Record<string, any> = Record<string, any>,
   TMeta extends Record<string, any> = Record<string, any>,
 > {
-  /** Transport type identifier (e.g., `"web"`, `"websocket"`). */
-  type: string;
+  /** Transport that originated this connection. */
+  type: CONNECTION_TYPE;
   /** A human-readable identifier for the connection, typically the remote IP or a session key. */
   identifier: string;
   /** Unique connection ID (UUID by default). Used as the key in `api.connections`. */
@@ -103,14 +123,14 @@ export class Connection<
   /**
    * Create a new connection and register it in `api.connections`.
    *
-   * @param type - Transport type (e.g., `"web"`, `"websocket"`).
+   * @param type - Transport that originated this connection.
    * @param identifier - Human-readable identifier, typically the remote IP address.
    * @param id - Unique connection ID. Defaults to a random UUID.
    * @param rawConnection - The underlying transport handle (e.g., Bun `ServerWebSocket`).
    * @param sessionId - Session ID for Redis session lookup. Defaults to `id`. Use a different value when the connection map key should differ from the session cookie (e.g., WebSocket connections).
    */
   constructor(
-    type: string,
+    type: CONNECTION_TYPE,
     identifier: string,
     id = randomUUID() as string,
     rawConnection: any = undefined,

package/config/server/web.ts

@@ -70,7 +70,7 @@ export const configServerWeb = {
   compression: {
     enabled: await loadFromEnvIfSet("WEB_COMPRESSION_ENABLED", true),
     threshold: await loadFromEnvIfSet("WEB_COMPRESSION_THRESHOLD", 1024),
-    encodings: ["br", "gzip"] as ("br" | "gzip")[],
+    encodings: ["gzip"] as "gzip"[],
   },
   correlationId: {
     header: await loadFromEnvIfSet("WEB_CORRELATION_ID_HEADER", "X-Request-Id"),

package/index.ts

@@ -29,7 +29,7 @@ export type {
   AfterActHook,
   BeforeActHook,
 } from "./classes/Connection";
-export { Connection } from "./classes/Connection";
+export { CONNECTION_TYPE, Connection } from "./classes/Connection";
 export { LogLevel } from "./classes/Logger";
 export type { KeryxPlugin, PluginGenerator } from "./classes/Plugin";
 export { SSEResponse, StreamingResponse } from "./classes/StreamingResponse";
@@ -65,6 +65,7 @@ export { deepMerge, deepMergeDefaults, loadFromEnvIfSet } from "./util/config";
 export { getValidTypes } from "./util/generate";
 export { globLoader } from "./util/glob";
 export { type PaginatedResult, paginate } from "./util/pagination";
+export { safeCompare } from "./util/safeCompare";
 export type { JSONSchema } from "./util/swaggerSchemaGenerator";
 export {
   computeActionsHash,

package/initializers/resque.ts

@@ -10,6 +10,7 @@ import {
   Action,
   type ActionParams,
   api,
+  CONNECTION_TYPE,
   Connection,
   config,
   logger,
@@ -337,7 +338,7 @@ export class Resque extends Initializer {
           | undefined;
 
         const connection = new Connection(
-          "task",
+          CONNECTION_TYPE.TASK,
           `job:${api.process.name}:${SERVER_JOB_COUNTER++}`,
         );
         if (propagatedCorrelationId) {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "keryx",
-  "version": "0.29.10",
+  "version": "0.30.0",
   "module": "index.ts",
   "type": "module",
   "license": "MIT",

package/servers/web.ts

@@ -3,7 +3,7 @@ import { parse } from "node:url";
 import type { ServerWebSocket } from "bun";
 import { api, logger } from "../api";
 import { type HTTP_METHOD } from "../classes/Action";
-import { Connection } from "../classes/Connection";
+import { CONNECTION_TYPE, Connection } from "../classes/Connection";
 import { Server } from "../classes/Server";
 import { StreamingResponse } from "../classes/StreamingResponse";
 import { ErrorStatusCodes, ErrorType, TypedError } from "../classes/TypedError";
@@ -28,6 +28,7 @@ import {
   handleWebsocketSubscribe,
   handleWebsocketUnsubscribe,
 } from "../util/webSocket";
+import { shouldWarnStackLeak } from "../util/webStackLeakWarning";
 import { handleStaticFile } from "../util/webStaticFiles";
 
 /**
@@ -151,6 +152,12 @@ export class WebServer extends Server<ReturnType<typeof Bun.serve>> {
       this.url = `http://${config.server.web.host}:${this.port}`;
       const startMessage = `started server @ ${this.url}`;
       logger.info(logger.colorize ? ansi.bgBlue(startMessage) : startMessage);
+
+      const stackLeakWarning = shouldWarnStackLeak(
+        config.server.web.host,
+        config.server.web.includeStackInErrors,
+      );
+      if (stackLeakWarning) logger.warn(stackLeakWarning);
     } catch (e) {
       await Bun.sleep(1000);
       startupAttempts++;
@@ -164,7 +171,10 @@ export class WebServer extends Server<ReturnType<typeof Bun.serve>> {
       // Send close frame to all WebSocket connections
       const wsConnections: ServerWebSocket[] = [];
       for (const connection of api.connections.connections.values()) {
-        if (connection.type === "websocket" && connection.rawConnection) {
+        if (
+          connection.type === CONNECTION_TYPE.WEBSOCKET &&
+          connection.rawConnection
+        ) {
           wsConnections.push(connection.rawConnection);
         }
       }
@@ -187,7 +197,7 @@ export class WebServer extends Server<ReturnType<typeof Bun.serve>> {
         const deadline = Date.now() + drainTimeout;
         while (Date.now() < deadline) {
           const remaining = [...api.connections.connections.values()].filter(
-            (c) => c.type === "websocket",
+            (c) => c.type === CONNECTION_TYPE.WEBSOCKET,
           );
           if (remaining.length === 0) break;
           await Bun.sleep(50);
@@ -195,7 +205,7 @@ export class WebServer extends Server<ReturnType<typeof Bun.serve>> {
 
         // Force-destroy any lingering WebSocket connections
         const lingering = [...api.connections.connections.values()].filter(
-          (c) => c.type === "websocket",
+          (c) => c.type === CONNECTION_TYPE.WEBSOCKET,
         );
         for (const connection of lingering) {
           connection.destroy();
@@ -367,7 +377,13 @@ export class WebServer extends Server<ReturnType<typeof Bun.serve>> {
   async handleWebSocketConnectionOpen(ws: ServerWebSocket) {
     //@ts-expect-error (ws.data is not defined in the bun types)
     const { ip, id, wsConnectionId } = ws.data;
-    const connection = new Connection("websocket", ip, wsConnectionId, ws, id);
+    const connection = new Connection(
+      CONNECTION_TYPE.WEBSOCKET,
+      ip,
+      wsConnectionId,
+      ws,
+      id,
+    );
     connection.onBroadcastMessageReceived = function (payload: PubSubMessage) {
       ws.send(JSON.stringify({ message: payload }));
     };
@@ -513,7 +529,7 @@ export class WebServer extends Server<ReturnType<typeof Bun.serve>> {
     let errorStatusCode = 500;
     const httpMethod = req.method?.toUpperCase() as HTTP_METHOD;
 
-    const connection = new Connection("web", ip, id);
+    const connection = new Connection(CONNECTION_TYPE.WEB, ip, id);
 
     if (
       config.server.web.correlationId.header &&

package/util/cli.ts

@@ -1,7 +1,7 @@
 import os from "node:os";
 import { Command } from "commander";
 import path from "path";
-import { Action, api, Connection, RUN_MODE } from "../api";
+import { Action, api, CONNECTION_TYPE, Connection, RUN_MODE } from "../api";
 import { ExitCode } from "./../classes/ExitCode";
 import { TypedError } from "./../classes/TypedError";
 import { config } from "../config";
@@ -274,7 +274,7 @@ async function runActionViaCLI(options: Record<string, string>, command: any) {
   await api.start(RUN_MODE.CLI);
 
   const id = "cli:" + os.userInfo().username;
-  const connection = new Connection("cli", id);
+  const connection = new Connection(CONNECTION_TYPE.CLI, id);
   const params: Record<string, unknown> = { ...options };
 
   const { response, error } = await connection.act(actionName, params);

package/util/config.ts

@@ -1,10 +1,11 @@
 type MergeMode = "overwrite" | "defaults";
 
-function mergeWith<T extends Record<string, any>>(
+function mergeWith<T extends Record<string, unknown>>(
   target: T,
-  source: Record<string, any>,
+  source: Record<string, unknown>,
   mode: MergeMode,
 ): T {
+  const writable = target as Record<string, unknown>;
   for (const key of Object.keys(source)) {
     const targetVal = target[key];
     const sourceVal = source[key];
@@ -17,9 +18,13 @@ function mergeWith<T extends Record<string, any>>(
       !Array.isArray(sourceVal);
 
     if (bothPlainObjects) {
-      mergeWith(targetVal, sourceVal, mode);
+      mergeWith(
+        targetVal as Record<string, unknown>,
+        sourceVal as Record<string, unknown>,
+        mode,
+      );
     } else if (mode === "overwrite" || !(key in target)) {
-      (target as any)[key] = sourceVal;
+      writable[key] = sourceVal;
     }
   }
 
@@ -30,9 +35,9 @@ function mergeWith<T extends Record<string, any>>(
 Deep-merges source into target, mutating target in place.
 Only plain objects are recursively merged; arrays and primitives are overwritten.
 */
-export function deepMerge<T extends Record<string, any>>(
+export function deepMerge<T extends Record<string, unknown>>(
   target: T,
-  source: Record<string, any>,
+  source: Record<string, unknown>,
 ): T {
   return mergeWith(target, source, "overwrite");
 }
@@ -41,9 +46,9 @@ export function deepMerge<T extends Record<string, any>>(
  * Like `deepMerge`, but only sets values that don't already exist in target.
  * Useful for applying plugin config defaults without overwriting user-set values.
  */
-export function deepMergeDefaults<T extends Record<string, any>>(
+export function deepMergeDefaults<T extends Record<string, unknown>>(
   target: T,
-  source: Record<string, any>,
+  source: Record<string, unknown>,
 ): T {
   return mergeWith(target, source, "defaults");
 }

package/util/mcpServer.ts

@@ -3,12 +3,17 @@ import {
   ResourceTemplate,
 } from "@modelcontextprotocol/sdk/server/mcp.js";
 import type { WebStandardStreamableHTTPServerTransport } from "@modelcontextprotocol/sdk/server/webStandardStreamableHttp.js";
+import type { RequestHandlerExtra } from "@modelcontextprotocol/sdk/shared/protocol.js";
+import type {
+  ServerNotification,
+  ServerRequest,
+} from "@modelcontextprotocol/sdk/types.js";
 import { randomUUID } from "crypto";
 import * as z4mini from "zod/v4-mini";
 import { api, logger } from "../api";
 import type { Action } from "../classes/Action";
 import { MCP_RESPONSE_FORMAT } from "../classes/Action";
-import { Connection } from "../classes/Connection";
+import { CONNECTION_TYPE, Connection } from "../classes/Connection";
 import { StreamingResponse } from "../classes/StreamingResponse";
 import { ErrorType, TypedError } from "../classes/TypedError";
 import { config } from "../config";
@@ -55,7 +60,7 @@ export async function createMcpConnection(extra: {
   const authInfo = extra.authInfo;
   const clientIp = (authInfo?.extra?.ip as string) || "unknown";
   const connection = new Connection(
-    "mcp",
+    CONNECTION_TYPE.MCP,
     clientIp,
     randomUUID(),
     undefined,
@@ -159,7 +164,10 @@ function registerTools(mcpServer: McpServer) {
     mcpServer.registerTool(
       toolName,
       toolConfig,
-      async (args: any, extra: any) => {
+      async (
+        args: Record<string, unknown>,
+        extra: RequestHandlerExtra<ServerRequest, ServerNotification>,
+      ) => {
         const mcpSessionId = extra.sessionId || "";
         const connection = await createMcpConnection(extra);
 

package/util/oauth.ts

@@ -40,23 +40,14 @@ export function validateRedirectUri(uri: string): {
 }
 
 /**
- * Compare two redirect URIs by origin and pathname (ignoring query params).
- * Returns `false` if either URI is malformed.
+ * Compare two redirect URIs with exact string matching, as required by
+ * RFC 6749 §3.1.2.3 and RFC 8252 §8.4.
  */
 export function redirectUrisMatch(
   registeredUri: string,
   requestedUri: string,
 ): boolean {
-  try {
-    const registered = new URL(registeredUri);
-    const requested = new URL(requestedUri);
-    return (
-      registered.origin === requested.origin &&
-      registered.pathname === requested.pathname
-    );
-  } catch {
-    return false;
-  }
+  return registeredUri === requestedUri;
 }
 
 /** Encode a byte array as a URL-safe base64 string (no padding). Used for PKCE code challenges. */

package/util/oauthHandlers/authorize.ts

@@ -1,7 +1,7 @@
 import { randomUUID } from "crypto";
 import { api } from "../../api";
 import type { Action, OAuthActionResponse } from "../../classes/Action";
-import { Connection } from "../../classes/Connection";
+import { CONNECTION_TYPE, Connection } from "../../classes/Connection";
 import { config } from "../../config";
 import { redirectUrisMatch } from "../oauth";
 import {
@@ -78,7 +78,7 @@ async function runAuthAction(
   }
 
   const connection = new Connection(
-    "oauth",
+    CONNECTION_TYPE.OAUTH,
     isSignup ? "oauth-signup" : "oauth-login",
   );
   try {

package/util/safeCompare.ts

@@ -0,0 +1,24 @@
+import { timingSafeEqual } from "node:crypto";
+
+/**
+ * Constant-time UTF-8 string comparison. Pads both inputs to a common length
+ * before delegating to `crypto.timingSafeEqual` so the comparison time does
+ * not leak the expected length via early-return, then verifies the original
+ * lengths matched. Use this whenever you compare a user-supplied secret
+ * (password, API key, CSRF token, signed cookie value, …) against an expected
+ * value — naive `===` leaks bytes via short-circuit timing.
+ *
+ * @param a - First string.
+ * @param b - Second string.
+ * @returns `true` when the strings are byte-identical, `false` otherwise.
+ */
+export function safeCompare(a: string, b: string): boolean {
+  const aBuf = Buffer.from(a, "utf8");
+  const bBuf = Buffer.from(b, "utf8");
+  const len = Math.max(aBuf.length, bBuf.length, 1);
+  const aPadded = Buffer.alloc(len);
+  const bPadded = Buffer.alloc(len);
+  aBuf.copy(aPadded);
+  bBuf.copy(bPadded);
+  return timingSafeEqual(aPadded, bPadded) && aBuf.length === bBuf.length;
+}

package/util/webBasicAuth.ts

@@ -1,16 +1,4 @@
-import { timingSafeEqual } from "node:crypto";
-
-// Pads to a common length so we don't leak the expected length via early-return.
-function timingSafeStringEqual(a: string, b: string): boolean {
-  const aBuf = Buffer.from(a, "utf8");
-  const bBuf = Buffer.from(b, "utf8");
-  const len = Math.max(aBuf.length, bBuf.length, 1);
-  const aPadded = Buffer.alloc(len);
-  const bPadded = Buffer.alloc(len);
-  aBuf.copy(aPadded);
-  bBuf.copy(bPadded);
-  return timingSafeEqual(aPadded, bPadded) && aBuf.length === bBuf.length;
-}
+import { safeCompare } from "./safeCompare";
 
 /**
  * Verifies an HTTP Basic auth `Authorization` header against expected credentials
@@ -47,7 +35,7 @@ export function verifyBasicAuth(
   const user = decoded.slice(0, idx);
   const pass = decoded.slice(idx + 1);
 
-  const userOk = timingSafeStringEqual(user, expectedUsername);
-  const passOk = timingSafeStringEqual(pass, expectedPassword);
+  const userOk = safeCompare(user, expectedUsername);
+  const passOk = safeCompare(pass, expectedPassword);
   return userOk && passOk;
 }

package/util/webCompression.ts

@@ -37,7 +37,7 @@ function parseAcceptEncoding(header: string): Set<string> {
 /**
  * Pick the best encoding based on server preference order and client support.
  */
-function selectEncoding(clientEncodings: Set<string>): "br" | "gzip" | null {
+function selectEncoding(clientEncodings: Set<string>): "gzip" | null {
   for (const encoding of config.server.web.compression.encodings) {
     if (clientEncodings.has(encoding)) return encoding;
   }
@@ -53,6 +53,24 @@ function isIncompressible(contentType: string | null): boolean {
   return INCOMPRESSIBLE_TYPES.has(mimeType);
 }
 
+/**
+ * Pipe a body through a gzip `CompressionStream` and build a new `Response` carrying the
+ * compression headers (`Content-Encoding`, appended `Vary`, removed `Content-Length`).
+ */
+function compressBody(body: ReadableStream, response: Response): Response {
+  const compressionStream = new CompressionStream("gzip");
+  // @ts-ignore Bun's ReadableStream type is incompatible with Node/DOM ReadableStream
+  const stream = body.pipeThrough(compressionStream);
+
+  const headers = new Headers(response.headers);
+  headers.set("Content-Encoding", "gzip");
+  headers.append("Vary", "Accept-Encoding");
+  headers.delete("Content-Length");
+
+  // @ts-ignore Bun's ReadableStream type is incompatible with Node/DOM ReadableStream
+  return new Response(stream, { status: response.status, headers });
+}
+
 /**
  * Conditionally compress an HTTP response based on the client's `Accept-Encoding` header,
  * the response content type, and the configured compression threshold.
@@ -86,8 +104,7 @@ export async function compressResponse(
   if (!acceptEncoding) return response;
 
   const clientEncodings = parseAcceptEncoding(acceptEncoding);
-  const encoding = selectEncoding(clientEncodings);
-  if (!encoding) return response;
+  if (!selectEncoding(clientEncodings)) return response;
 
   // Skip incompressible content types
   if (isIncompressible(response.headers.get("Content-Type"))) return response;
@@ -112,40 +129,9 @@ export async function compressResponse(
       });
     }
 
-    // Compress the buffered body
-    const format: Bun.CompressionFormat = encoding === "br" ? "brotli" : "gzip";
-    // @ts-ignore Bun supports "brotli" as CompressionFormat but DOM lib does not
-    const compressionStream = new CompressionStream(format);
-    // @ts-ignore Bun's ReadableStream type is incompatible with Node/DOM ReadableStream
-    const stream = new Blob([body]).stream().pipeThrough(compressionStream);
-
-    const headers = new Headers(response.headers);
-    headers.set("Content-Encoding", encoding);
-    headers.append("Vary", "Accept-Encoding");
-    headers.delete("Content-Length");
-
-    // @ts-ignore Bun's ReadableStream type is incompatible with Node/DOM ReadableStream
-    return new Response(stream, {
-      status: response.status,
-      headers,
-    });
+    return compressBody(new Blob([body]).stream(), response);
   }
 
   // Content-Length is present and above threshold — stream-compress
-  const format: Bun.CompressionFormat = encoding === "br" ? "brotli" : "gzip";
-  // @ts-ignore Bun supports "brotli" as CompressionFormat but DOM lib does not
-  const compressionStream = new CompressionStream(format);
-  // @ts-ignore Bun's ReadableStream type is incompatible with Node/DOM ReadableStream
-  const stream = response.body.pipeThrough(compressionStream);
-
-  const headers = new Headers(response.headers);
-  headers.set("Content-Encoding", encoding);
-  headers.append("Vary", "Accept-Encoding");
-  headers.delete("Content-Length");
-
-  // @ts-ignore Bun's ReadableStream type is incompatible with Node/DOM ReadableStream
-  return new Response(stream, {
-    status: response.status,
-    headers,
-  });
+  return compressBody(response.body, response);
 }

package/util/webStackLeakWarning.ts

@@ -0,0 +1,23 @@
+/**
+ * Returns a warning message when the web server is configured to leak stack
+ * traces to remote callers, otherwise `null`. Stack traces in error responses
+ * leak deployment paths and code structure, which is fine on a developer's
+ * laptop but a footgun on a publicly reachable host.
+ */
+export function shouldWarnStackLeak(
+  host: string,
+  includeStackInErrors: boolean,
+): string | null {
+  if (!includeStackInErrors) return null;
+  const isLocalBind =
+    host === "localhost" ||
+    host === "127.0.0.1" ||
+    host === "::1" ||
+    host === "[::1]";
+  if (isLocalBind) return null;
+  return (
+    `⚠️  Stack traces are enabled in error responses (host=${host}). ` +
+    `This leaks internal paths and code structure. ` +
+    `Set NODE_ENV=production or WEB_SERVER_INCLUDE_STACK_IN_ERRORS=false before exposing this server publicly.`
+  );
+}

package/util/zodMixins.ts

@@ -1,4 +1,4 @@
-import { eq } from "drizzle-orm";
+import { type AnyColumn, eq, type Table } from "drizzle-orm";
 import { z } from "zod/v4";
 import { api } from "../api";
 import { ErrorType, TypedError } from "../classes/TypedError";
@@ -79,9 +79,6 @@ export function paginationInputs(options?: {
   });
 }
 
-// Type for Drizzle tables with an id column
-type TableWithId = { id: any; $inferSelect: any };
-
 /**
  * Generic factory to create a Zod schema that accepts either an ID or a model object.
  * If an ID is provided, it resolves to the full model via database lookup.
@@ -91,8 +88,8 @@ type TableWithId = { id: any; $inferSelect: any };
  * @param isModel - Type guard function to check if value is already a model
  * @param entityName - Human-readable name for error messages
  */
-export function zIdOrModel<TTable extends TableWithId, TModel>(
-  table: TTable,
+export function zIdOrModel<TModel>(
+  table: Table & { id: AnyColumn },
   modelSchema: z.ZodType<TModel>,
   isModel: (val: unknown) => val is TModel,
   entityName: string,
@@ -105,8 +102,8 @@ export function zIdOrModel<TTable extends TableWithId, TModel>(
       }
       const [record] = await api.db.db
         .select()
-        .from(table as any)
-        .where(eq((table as any).id, val))
+        .from(table)
+        .where(eq(table.id, val))
         .limit(1);
 
       if (!record) {