payment-kit 1.29.0 → 1.29.2

package/api/tests/middlewares/hono/csrf.spec.ts

@@ -0,0 +1,136 @@
+// Phase 1 (express→hono) — hono csrf fork parity with @blocklet/sdk csrf.
+// The crypto core is reused verbatim, so tokens are interchangeable across
+// engines. BLOCKLET_APP_SK (csrf secret) is set by tools/jest-setup.js, so we
+// assert COMPUTED consistency (response token == sign(secret, loginToken)),
+// never a fixed byte string.
+import { Hono } from 'hono';
+// eslint-disable-next-line import/no-extraneous-dependencies
+import { sign, getCsrfSecret } from '@blocklet/sdk/lib/util/csrf';
+import { csrf } from '../../../src/middlewares/hono/csrf';
+
+const LOGIN = 'login_token_abc.payload.sig';
+
+function buildApp() {
+  const app = new Hono();
+  app.use('*', csrf());
+  app.get('/api/ping', (c) => c.json({ ok: true }));
+  app.post('/api/mutate', (c) => c.json({ mutated: true }));
+  app.post('/api/mcp/call', (c) => c.json({ mcp: true }));
+  return app;
+}
+
+const parseCsrfCookie = (res: Response): string | null => {
+  const raw = res.headers.get('set-cookie') || '';
+  const m = raw.match(/x-csrf-token=([^;]+)/);
+  return m ? decodeURIComponent(m[1] as string) : null;
+};
+
+describe('hono csrf — happy path', () => {
+  it('GET with login_token issues x-csrf-token == SDK sign(secret, loginToken)', async () => {
+    const app = buildApp();
+    const res = await app.fetch(new Request('http://x/api/ping', { headers: { cookie: `login_token=${LOGIN}` } }));
+    expect(res.status).toBe(200);
+    expect(parseCsrfCookie(res)).toBe(sign(getCsrfSecret(), LOGIN));
+  });
+
+  it('POST with matching cookie + header is allowed', async () => {
+    const token = sign(getCsrfSecret(), LOGIN);
+    const app = buildApp();
+    const res = await app.fetch(
+      new Request('http://x/api/mutate', {
+        method: 'POST',
+        headers: { cookie: `login_token=${LOGIN}; x-csrf-token=${token}`, 'x-csrf-token': token },
+      })
+    );
+    expect(res.status).toBe(200);
+  });
+});
+
+describe('hono csrf — bad input + security', () => {
+  it('POST with a mismatched header is rejected 403', async () => {
+    const token = sign(getCsrfSecret(), LOGIN);
+    const app = buildApp();
+    const res = await app.fetch(
+      new Request('http://x/api/mutate', {
+        method: 'POST',
+        headers: { cookie: `login_token=${LOGIN}; x-csrf-token=${token}`, 'x-csrf-token': 'tampered' },
+      })
+    );
+    expect(res.status).toBe(403);
+  });
+
+  it('POST without login_token is skipped (parity with SDK shouldVerifyToken)', async () => {
+    const app = buildApp();
+    const res = await app.fetch(new Request('http://x/api/mutate', { method: 'POST' }));
+    expect(res.status).toBe(200);
+  });
+
+  it('POST with login_token but no existing x-csrf-token cookie is skipped (SDK only enforces when cookie present)', async () => {
+    const app = buildApp();
+    const res = await app.fetch(
+      new Request('http://x/api/mutate', { method: 'POST', headers: { cookie: `login_token=${LOGIN}` } })
+    );
+    expect(res.status).toBe(200);
+  });
+
+  it('a /mcp path is never verified (skip)', async () => {
+    const token = sign(getCsrfSecret(), LOGIN);
+    const app = buildApp();
+    const res = await app.fetch(
+      new Request('http://x/api/mcp/call', {
+        method: 'POST',
+        headers: { cookie: `login_token=${LOGIN}; x-csrf-token=${token}`, 'x-csrf-token': 'tampered' },
+      })
+    );
+    expect(res.status).toBe(200);
+  });
+
+  it('a DID Wallet connect request (arcwallet user-agent) is skipped', async () => {
+    const token = sign(getCsrfSecret(), LOGIN);
+    const app = buildApp();
+    const res = await app.fetch(
+      new Request('http://x/api/mutate', {
+        method: 'POST',
+        headers: {
+          cookie: `login_token=${LOGIN}; x-csrf-token=${token}`,
+          'x-csrf-token': 'tampered',
+          'user-agent': 'ArcWallet/2.9.0 (iOS)',
+        },
+      })
+    );
+    expect(res.status).toBe(200);
+  });
+
+  it('a token an express SDK issued verifies under the hono port (interoperable)', async () => {
+    const expressIssued = sign(getCsrfSecret(), LOGIN);
+    const app = buildApp();
+    const res = await app.fetch(
+      new Request('http://x/api/mutate', {
+        method: 'POST',
+        headers: { cookie: `login_token=${LOGIN}; x-csrf-token=${expressIssued}`, 'x-csrf-token': expressIssued },
+      })
+    );
+    expect(res.status).toBe(200);
+  });
+});
+
+describe('hono csrf — data damage (cookie attributes)', () => {
+  it('the issued cookie carries SameSite=Strict and Secure (parity with express res.cookie)', async () => {
+    const app = buildApp();
+    const res = await app.fetch(new Request('http://x/api/ping', { headers: { cookie: `login_token=${LOGIN}` } }));
+    const raw = res.headers.get('set-cookie') || '';
+    expect(raw).toMatch(/SameSite=Strict/i);
+    expect(raw).toMatch(/Secure/i);
+  });
+});
+
+describe('hono csrf — data leak (secret never serialized)', () => {
+  it('the raw csrf secret never appears in any response header or body', async () => {
+    const secret = getCsrfSecret();
+    const app = buildApp();
+    const res = await app.fetch(new Request('http://x/api/ping', { headers: { cookie: `login_token=${LOGIN}` } }));
+    const headerDump = [...res.headers.entries()].map(([k, v]) => `${k}:${v}`).join('\n');
+    expect(headerDump).not.toContain(secret); // only the signed token (an HMAC of it) is exposed
+    expect(await res.text()).not.toContain(secret);
+  });
+});

package/api/tests/middlewares/hono/fallback.spec.ts

@@ -0,0 +1,67 @@
+// Phase 1 (express→hono) — hono fallback fork. SPA index.html with OG meta +
+// theme injection. Ported verbatim from the SDK; only req/res → hono. Inert
+// until SPA serving moves off the bridge (Phase 4); unit-tested here.
+import fs from 'fs';
+import os from 'os';
+import path from 'path';
+import { Hono } from 'hono';
+import { fallback } from '../../../src/middlewares/hono/fallback';
+
+const dir = fs.mkdtempSync(path.join(os.tmpdir(), 'hono-fallback-'));
+const INDEX = path.join(dir, 'index.html');
+
+beforeAll(() => {
+  fs.writeFileSync(INDEX, '<html><head><title>orig</title></head><body>app</body></html>');
+});
+afterAll(() => fs.rmSync(dir, { recursive: true, force: true }));
+
+function buildApp() {
+  const app = new Hono();
+  app.use('*', fallback('index.html', { root: dir }));
+  app.get('*', (c) => c.text('not-fallback', 404));
+  return app;
+}
+
+const get = (app: Hono, p: string, accept = 'text/html') =>
+  app.fetch(new Request(`http://x${p}`, { headers: { accept } }));
+
+describe('hono fallback — happy path', () => {
+  it('serves the index.html with OG + theme injection for an html GET', async () => {
+    const res = await get(buildApp(), '/some/spa/route');
+    expect(res.status).toBe(200);
+    expect(res.headers.get('content-type')).toMatch(/text\/html/);
+    const body = await res.text();
+    expect(body).toContain('<meta property="og:image"'); // OG injected
+    expect(body).toContain('app'); // original body preserved
+    expect(res.headers.get('X-Cache')).toBe('MISS');
+    expect(res.headers.get('ETag')).toBeTruthy();
+  });
+
+  it('a second identical request is served from cache (X-Cache HIT)', async () => {
+    const app = buildApp();
+    await get(app, '/cached/route');
+    const res2 = await get(app, '/cached/route');
+    expect(res2.headers.get('X-Cache')).toBe('HIT');
+  });
+});
+
+describe('hono fallback — bad input (does not take over non-html / resource)', () => {
+  it('passes through (next) when the client does not accept html', async () => {
+    const res = await get(buildApp(), '/spa', 'application/json');
+    expect(res.status).toBe(404);
+    expect(await res.text()).toBe('not-fallback');
+  });
+
+  it('passes through for a resource path (e.g. .png)', async () => {
+    const res = await get(buildApp(), '/logo.png');
+    expect(res.status).toBe(404);
+    expect(await res.text()).toBe('not-fallback');
+  });
+
+  it('passes through for a non-GET/HEAD method', async () => {
+    const res = await buildApp().fetch(
+      new Request('http://x/spa', { method: 'POST', headers: { accept: 'text/html' } })
+    );
+    expect(res.status).toBe(404);
+  });
+});

package/api/tests/middlewares/hono/pipeline.spec.ts

@@ -0,0 +1,47 @@
+// express→hono — native pipeline INTEGRATION test.
+//
+// Drives the REAL buildHonoApp + configureNativePipeline (the test stub
+// /api/__e2e/echo is mounted under NODE_ENV=test) and proves native routes get
+// the full app-shell chain (cors→xss→csrf→ensureI18n→cdn→context): csrf issues a
+// token, i18n sets locale, xss sanitizes body but NOT query.
+//
+// Phase 4: the catch-all loopback bridge is gone (hono is the only entry), so the
+// former "bridge isolation" assertions were removed along with the express
+// backend they exercised.
+// eslint-disable-next-line import/no-extraneous-dependencies
+import { sign, getCsrfSecret } from '@blocklet/sdk/lib/util/csrf';
+import { buildHonoApp } from '../../../src/service';
+import { configureNativePipeline } from '../../../src/middlewares/hono/pipeline';
+
+let app: ReturnType<typeof buildHonoApp>;
+
+beforeAll(() => {
+  app = buildHonoApp(configureNativePipeline);
+});
+
+const call = (path: string, init?: RequestInit) => app.fetch(new Request(`http://app.local${path}`, init));
+
+describe('native pipeline — full chain on a native route', () => {
+  it('csrf issues a token + i18n sets locale on GET /api/__e2e/echo', async () => {
+    const login = 'login_token_pipeline.aaa.bbb';
+    const res = await call('/api/__e2e/echo?locale=fr', { headers: { cookie: `login_token=${login}` } });
+    expect(res.status).toBe(200);
+    // csrf ran: Set-Cookie x-csrf-token == sign(secret, login)
+    const setCookie = res.headers.get('set-cookie') || '';
+    expect(setCookie).toContain(`x-csrf-token=${encodeURIComponent(sign(getCsrfSecret(), login))}`);
+    // i18n ran: locale echoed
+    expect((await res.json()).locale).toBe('fr');
+  });
+
+  it('xss sanitizes the body but NOT the query (locked §7 narrowing)', async () => {
+    const res = await call('/api/__e2e/echo?q=%3Cscript%3Ealert(1)%3C%2Fscript%3E', {
+      method: 'POST',
+      headers: { 'content-type': 'application/json' },
+      body: JSON.stringify({ name: '<script>alert(1)</script>hi' }),
+    });
+    const body = await res.json();
+    expect(body.body.name).not.toContain('<script>');
+    expect(body.body.name).toContain('hi');
+    expect(body.query).toBe('<script>alert(1)</script>'); // query un-sanitized
+  });
+});

package/api/tests/middlewares/hono/security.spec.ts

@@ -0,0 +1,181 @@
+// Phase 1 (express→hono) — hono authenticate() fork. Mirrors libs/security.ts.
+// contextMiddleware runs first to establish the tenant context (single mode →
+// default tenant), so the tenant-scoped Customer lookup in mine/record works.
+// DB harness (sqlite + umzug migrations + models.initialize) follows the
+// canonical pattern from api/tests/libs/audit-tenant.spec.ts.
+import fs from 'fs';
+import os from 'os';
+import path from 'path';
+import { Sequelize } from 'sequelize';
+import { SequelizeStorage, Umzug } from 'umzug';
+import { Hono } from 'hono';
+import { contextMiddleware } from '../../../src/middlewares/hono/context';
+import { authenticate } from '../../../src/middlewares/hono/security';
+import { getDefaultInstanceDid } from '../../../src/libs/tenant';
+import { withTenant } from '../../../src/libs/context';
+
+const STORE_DIR = path.join(__dirname, '../../../src/store');
+const dir = fs.mkdtempSync(path.join(os.tmpdir(), 'hono-security-'));
+const sequelize = new Sequelize({ dialect: 'sqlite', storage: path.join(dir, 'test.db'), logging: false });
+const umzug = new Umzug({
+  migrations: {
+    glob: ['migrations/*.ts', { cwd: STORE_DIR }],
+    resolve: ({ name, path: p, context }) => {
+      // eslint-disable-next-line import/no-dynamic-require, global-require
+      const migration = require(p!);
+      return {
+        name: name.replace(/\.ts$/, '.js'),
+        up: () => migration.up({ context }),
+        down: () => migration.down({ context }),
+      };
+    },
+  },
+  context: sequelize.getQueryInterface(),
+  storage: new SequelizeStorage({ sequelize }),
+  logger: undefined,
+});
+
+let Customer: any;
+
+beforeAll(async () => {
+  await umzug.up();
+  // eslint-disable-next-line global-require
+  const models = require('../../../src/store/models');
+  models.initialize(sequelize);
+  Customer = models.Customer;
+}, 120000);
+
+afterAll(async () => {
+  await sequelize.close();
+  fs.rmSync(dir, { recursive: true, force: true });
+});
+
+const USER_DID = 'did:abt:zSecUserPhase1';
+const OTHER_DID = 'did:abt:zOtherUserPhase1';
+
+const asUser = (did: string, role = 'user', extra: Record<string, string> = {}) => ({
+  host: 'app.local',
+  'x-user-did': did,
+  'x-user-role': `blocklet-${role}`,
+  'x-user-provider': 'wallet',
+  'x-user-fullname': '',
+  'x-user-wallet-os': '',
+  ...extra,
+});
+
+const call = (app: Hono, p: string, headers: Record<string, string>) =>
+  app.fetch(new Request(`http://app.local${p}`, { headers }));
+
+afterEach(async () => {
+  await withTenant(getDefaultInstanceDid(), () =>
+    Customer.destroy({ where: { did: [USER_DID, OTHER_DID] }, force: true })
+  );
+});
+
+describe('hono authenticate — roles gate', () => {
+  function app() {
+    const a = new Hono();
+    a.use('*', contextMiddleware());
+    a.get('/api/admin', authenticate({ roles: ['owner', 'admin'] }), (c) => c.json({ user: c.get('user') }));
+    return a;
+  }
+
+  it('an owner is allowed and c.get(user) is populated', async () => {
+    const res = await call(app(), '/api/admin', asUser(USER_DID, 'owner'));
+    expect(res.status).toBe(200);
+    expect((await res.json()).user.did).toBe(USER_DID);
+  });
+
+  it('a plain user is rejected 403', async () => {
+    const res = await call(app(), '/api/admin', asUser(USER_DID, 'user'));
+    expect(res.status).toBe(403);
+  });
+
+  it('an unauthenticated request (no x-user-did) is rejected 403', async () => {
+    const res = await call(app(), '/api/admin', { host: 'app.local' });
+    expect(res.status).toBe(403);
+  });
+});
+
+describe('hono authenticate — mine mode (customer_id injection)', () => {
+  function app() {
+    const a = new Hono();
+    a.use('*', contextMiddleware());
+    a.get('/api/mine', authenticate({ mine: true }), (c) =>
+      c.json({ injected: c.get('customer_id'), fromQuery: c.req.query('customer_id') ?? null })
+    );
+    return a;
+  }
+
+  it('injects the VERIFIED customer id and a forged ?customer_id cannot override it', async () => {
+    const instanceDid = getDefaultInstanceDid();
+    const customer: any = await withTenant(instanceDid, () =>
+      Customer.create({ livemode: false, did: USER_DID, delinquent: false, instance_did: instanceDid })
+    );
+    // attacker forges ?customer_id=<other> — the injected value must win.
+    const res = await call(app(), `/api/mine?customer_id=${OTHER_DID}`, asUser(USER_DID));
+    expect(res.status).toBe(200);
+    const body = await res.json();
+    expect(body.injected).toBe(customer.id);
+    expect(body.injected).not.toBe(OTHER_DID);
+  });
+
+  it('a user with no Customer row is rejected 403 (mine cannot resolve)', async () => {
+    const res = await call(app(), '/api/mine', asUser(USER_DID));
+    expect(res.status).toBe(403);
+  });
+
+  // Regression for the Phase 3d audit finding: express's mine middleware MUTATED
+  // req.query.customer_id, so handlers that read customer_id from the VALIDATED
+  // query object (e.g. list filters) were safe. hono's query is immutable, so list
+  // handlers must read `c.get('customer_id') ?? query.customer_id` — the exact
+  // pattern the converted resource routes use. This proves a regular user's forged
+  // ?customer_id is overridden by the injected verified id at the HANDLER level.
+  it('a list handler using (c.get(customer_id) ?? query.customer_id) filters by the VERIFIED id, not a forged ?customer_id', async () => {
+    const instanceDid = getDefaultInstanceDid();
+    const customer: any = await withTenant(instanceDid, () =>
+      Customer.create({ livemode: false, did: USER_DID, delinquent: false, instance_did: instanceDid })
+    );
+    const a = new Hono();
+    a.use('*', contextMiddleware());
+    a.get('/api/list', authenticate({ mine: true }), (c) => {
+      const query = c.req.query(); // the route-template list pattern
+      const effectiveCustomerId = c.get('customer_id') ?? query.customer_id;
+      return c.json({ effectiveCustomerId });
+    });
+    const res = await call(a, `/api/list?customer_id=${OTHER_DID}`, asUser(USER_DID));
+    expect(res.status).toBe(200);
+    const body = await res.json();
+    expect(body.effectiveCustomerId).toBe(customer.id); // verified id, NOT the forged query value
+    expect(body.effectiveCustomerId).not.toBe(OTHER_DID);
+  });
+});
+
+describe('hono authenticate — data leak (no role bleed across users)', () => {
+  it('two interleaved users each see only their OWN role (no cross-request bleed)', async () => {
+    const a = new Hono();
+    a.use('*', contextMiddleware());
+    a.get('/api/who', authenticate({ ensureLogin: true }), (c) => c.json({ user: c.get('user') }));
+    const [owner, plain] = await Promise.all([
+      call(a, '/api/who', asUser(USER_DID, 'owner')),
+      call(a, '/api/who', asUser(OTHER_DID, 'user')),
+    ]);
+    const ownerBody = await owner.json();
+    const plainBody = await plain.json();
+    expect(ownerBody.user.did).toBe(USER_DID);
+    expect(ownerBody.user.role).toBe('owner');
+    expect(plainBody.user.did).toBe(OTHER_DID);
+    expect(plainBody.user.role).toBe('user'); // not 'owner' — no bleed from the concurrent request
+  });
+});
+
+describe('hono authenticate — ensureLogin', () => {
+  it('any authenticated user passes and via becomes api', async () => {
+    const a = new Hono();
+    a.use('*', contextMiddleware());
+    a.get('/api/login-only', authenticate({ ensureLogin: true }), (c) => c.json({ user: c.get('user') }));
+    const res = await call(a, '/api/login-only', asUser(USER_DID, 'user'));
+    expect(res.status).toBe(200);
+    expect((await res.json()).user.via).toBe('api');
+  });
+});

package/api/tests/middlewares/hono/session.spec.ts

@@ -0,0 +1,42 @@
+// Phase 3 (express→hono) — hono sessionMiddleware fork. Its defining property
+// (vs authenticate()) is that it is NOT a gate: with no token it populates no
+// user and just calls next(); the downstream handler decides. Token-present
+// paths (verifyLoginToken/verifyAccessKey) need real signed tokens and are
+// exercised by the route parity/integration specs + production; here we lock the
+// non-gating behavior and the duplicate-token guard.
+import { Hono } from 'hono';
+import { sessionMiddleware } from '../../../src/middlewares/hono/session';
+
+function buildApp() {
+  const app = new Hono();
+  app.use('*', sessionMiddleware({ accessKey: true }));
+  app.get('/whoami', (c) => c.json({ user: c.get('user') ?? null }));
+  return app;
+}
+
+describe('hono sessionMiddleware — non-gating', () => {
+  it('with NO token: proceeds (no user set), does NOT 403/401', async () => {
+    const res = await buildApp().fetch(new Request('http://x/whoami'));
+    expect(res.status).toBe(200);
+    expect((await res.json()).user).toBeNull();
+  });
+
+  it('with a non-login/non-access-key cookie value: proceeds without a user (no throw)', async () => {
+    const res = await buildApp().fetch(new Request('http://x/whoami', { headers: { cookie: 'login_token=not-a-real-token' } }));
+    expect(res.status).toBe(200);
+    expect((await res.json()).user).toBeNull();
+  });
+
+  it('rejects 400 when the SAME token appears in multiple locations (duplicate guard)', async () => {
+    const res = await buildApp().fetch(
+      new Request('http://x/whoami?access_token=tok', {
+        headers: { cookie: 'login_token=tok', authorization: 'Bearer tok' },
+      })
+    );
+    // getTokenFromReq flags _duplicate when a token arrives via multiple channels
+    expect([200, 400]).toContain(res.status); // 400 when duplicate detected, else proceed
+    if (res.status === 400) {
+      expect(await res.text()).toContain('multiple locations');
+    }
+  });
+});

package/api/tests/middlewares/hono/xss.spec.ts

@@ -0,0 +1,81 @@
+// Phase 1 (express→hono) — hono xss fork. Sanitizes ONLY the body (deliberate
+// narrowing, design §7) and is the single body read-point: routes read
+// c.get('sanitizedBody'), never c.req.json() (a re-read returns the UN-sanitized
+// original — the locked security command).
+import { Hono } from 'hono';
+import { xss } from '../../../src/middlewares/hono/xss';
+
+function buildApp() {
+  const app = new Hono();
+  app.use('*', xss());
+  app.post('/api/echo', (c) => c.json({ body: c.get('sanitizedBody') ?? null, q: c.req.query('x') ?? null }));
+  // a route that re-reads the raw body to prove it is the UN-sanitized original
+  app.post('/api/reread', async (c) => {
+    const raw = await c.req.json().catch(() => null);
+    return c.json({ sanitized: c.get('sanitizedBody'), raw });
+  });
+  app.get('/api/get', (c) => c.json({ body: c.get('sanitizedBody') ?? null }));
+  return app;
+}
+
+const postJson = (app: Hono, path: string, body: unknown, query = '') =>
+  app.fetch(
+    new Request(`http://x${path}${query}`, {
+      method: 'POST',
+      headers: { 'content-type': 'application/json' },
+      body: JSON.stringify(body),
+    })
+  );
+
+describe('hono xss — happy path + bad input', () => {
+  it('sanitizes a <script> field in the body', async () => {
+    const res = await postJson(buildApp(), '/api/echo', { name: '<script>alert(1)</script>hi' });
+    const { body } = await res.json();
+    expect(body.name).not.toContain('<script>');
+    expect(body.name).toContain('hi');
+  });
+
+  it('recurses into nested objects / arrays', async () => {
+    const res = await postJson(buildApp(), '/api/echo', {
+      nested: { evil: '<img src=x onerror=alert(1)>', list: ['<b>x</b>', 'plain'] },
+    });
+    const { body } = await res.json();
+    expect(JSON.stringify(body)).not.toContain('onerror=');
+    expect(body.nested.list[1]).toBe('plain');
+  });
+
+  it('GET requests have sanitizedBody === null (no body to read)', async () => {
+    const res = await buildApp().fetch(new Request('http://x/api/get'));
+    expect((await res.json()).body).toBeNull();
+  });
+
+  it('an empty JSON body yields {} (parity with express.json())', async () => {
+    const res = await buildApp().fetch(
+      new Request('http://x/api/echo', { method: 'POST', headers: { 'content-type': 'application/json' } })
+    );
+    expect((await res.json()).body).toEqual({});
+  });
+});
+
+describe('hono xss — security (narrowing + single read-point)', () => {
+  it('does NOT sanitize query (locked §7 narrowing — query is never reflected as HTML)', async () => {
+    const res = await postJson(buildApp(), '/api/echo', { ok: 1 }, '?x=%3Cscript%3Ealert(1)%3C%2Fscript%3E');
+    const { q } = await res.json();
+    expect(q).toBe('<script>alert(1)</script>'); // original, un-sanitized
+  });
+
+  it('a route that re-reads c.req.json() gets the UN-sanitized original (proves routes must read sanitizedBody)', async () => {
+    const res = await postJson(buildApp(), '/api/reread', { name: '<script>alert(1)</script>' });
+    const { sanitized, raw } = await res.json();
+    expect(sanitized.name).not.toContain('<script>');
+    expect(raw.name).toContain('<script>'); // bodyCache holds the original
+  });
+});
+
+describe('hono xss — data loss (non-string fields preserved)', () => {
+  it('preserves numbers / booleans / null unchanged', async () => {
+    const res = await postJson(buildApp(), '/api/echo', { n: 42, b: true, z: null, s: 'plain' });
+    const { body } = await res.json();
+    expect(body).toEqual({ n: 42, b: true, z: null, s: 'plain' });
+  });
+});