resplite 1.5.0 → 1.5.4

package/README.md

@@ -62,6 +62,10 @@ const log = new LemonLog('RESPlite');
 const srv = await createRESPlite({
   port: 6380,
   db: './data.db',
+  commandPolicy: {
+    rename: { KEYS: 'SAFE_KEYS' }, // original KEYS is blocked
+    disabled: ['MONITOR'],         // blocked as unsupported
+  },
   hooks: {
     onUnknownCommand({ command, argv, clientAddress }) {
       log.warn({ command, argv, clientAddress }, 'unsupported command');
@@ -84,6 +88,28 @@ Available hooks:
 
 If you want a tiny in-process smoke test that starts RESPLite and connects with the `redis` client in the same script, see [Minimal embedded example](#minimal-embedded-example) below.
 
+### Command hardening (rename/disable)
+
+You can harden the command surface by renaming sensitive commands and/or disabling them:
+
+```javascript
+const srv = await createRESPlite({
+  db: './secure.db',
+  commandPolicy: {
+    rename: {
+      KEYS: 'SAFE_KEYS',
+      DEL: 'RMDEL',
+    },
+    disabled: ['MONITOR', 'CLIENT'],
+  },
+});
+```
+
+Behavior:
+- `rename`: only the new alias is accepted; the original command name is blocked.
+- `disabled`: command is blocked and replies with `ERR command not supported yet`.
+- `COMMAND`, `COMMAND COUNT`, and `COMMAND INFO` expose only visible commands (including aliases, excluding blocked names).
+
 ## Migration from Redis
 
 RESPLite is a good fit for migrating **non-replicated Redis** instances that have **grown large** (e.g. tens of GB) and where RESPLite's latency is acceptable. The recommended path is to drive the migration from a Node.js script via `resplite/migration`, keeping preflight, dirty tracking, bulk import, cutover, and verification in one place.
@@ -574,7 +600,7 @@ To reproduce the benchmark, run `npm run benchmark -- --template default`. Numbe
 | **Connection** | PING, ECHO, QUIT |
 | **Strings** | GET, SET, MGET, MSET, DEL, EXISTS, INCR, DECR, INCRBY, DECRBY, STRLEN |
 | **TTL** | EXPIRE, PEXPIRE, TTL, PTTL, PERSIST |
-| **Hashes** | HSET, HGET, HMGET, HGETALL, HKEYS, HVALS, HDEL, HEXISTS, HINCRBY |
+| **Hashes** | HSET, HGET, HMGET, HGETALL, HKEYS, HVALS, HDEL, HEXISTS, HINCRBY, HEXPIRE, HTTL, HPERSIST |
 | **Sets** | SADD, SREM, SMEMBERS, SISMEMBER, SCARD, SPOP, SRANDMEMBER |
 | **Lists** | LPUSH, RPUSH, LLEN, LRANGE, LINDEX, LPOP, RPOP, LSET, LTRIM, BLPOP, BRPOP |
 | **Sorted sets** | ZADD, ZREM, ZCARD, ZSCORE, ZRANGE, ZREVRANGE, ZRANGEBYSCORE, ZREVRANGEBYSCORE, ZRANK, ZREVRANK, ZCOUNT, ZINCRBY, ZREMRANGEBYRANK, ZREMRANGEBYSCORE |

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "resplite",
-  "version": "1.5.0",
+  "version": "1.5.4",
   "description": "A RESP2 server with practical Redis compatibility, backed by SQLite",
   "type": "module",
   "main": "src/index.js",

package/scripts/benchmark-redis-vs-resplite.js

@@ -98,9 +98,13 @@ function spawnResplite(templateName, port, dbPath) {
 }
 
 function formatNum(n) {
+  if (!Number.isFinite(n)) return '—';
   if (n >= 1e6) return (n / 1e6).toFixed(2) + 'M';
   if (n >= 1e3) return (n / 1e3).toFixed(2) + 'K';
-  return String(n);
+  if (n >= 100) return n.toFixed(2);
+  if (n >= 10) return n.toFixed(2);
+  if (n >= 1) return n.toFixed(2);
+  return n.toFixed(3);
 }
 
 function formatMs(ms) {
@@ -603,23 +607,41 @@ async function main() {
   for (const { client } of respliteClients) await client.quit();
   for (const { child } of children) child.kill();
 
-  const colWidth = 10;
   const headerCols = ['Suite', 'Redis', ...templateNames];
-  const sep = headerCols.map((_, i) => (i === 0 ? '-'.repeat(18) : '-'.repeat(colWidth))).join('|');
-  console.log('');
-  console.log('--- Summary (ops/sec) ---');
-  console.log(headerCols.map((h, i) => (i === 0 ? h.padEnd(18) : h.padStart(colWidth))).join(' | '));
-  console.log(sep);
-  for (const r of results) {
-    if (r.error) {
-      console.log(`${r.suite.padEnd(18)} | ERROR: ${r.error}`);
-      continue;
-    }
+  const summaryRows = results.map((r) => {
+    if (r.error) return { suite: r.suite, values: [`ERROR: ${r.error}`] };
     const redisVal = r.redis.error ? '—' : formatNum(r.redis.opsPerSec);
     const templateVals = templateNames.map((t) => (r.templates[t]?.error ? '—' : formatNum(r.templates[t]?.opsPerSec)));
-    console.log(
-      [r.suite.padEnd(18), redisVal.padStart(colWidth), ...templateVals.map((v) => v.padStart(colWidth))].join(' | ')
-    );
+    return { suite: r.suite, values: [redisVal, ...templateVals] };
+  });
+
+  const suiteWidth = Math.max(
+    headerCols[0].length,
+    ...summaryRows.map((r) => r.suite.length)
+  );
+  const valueWidths = headerCols.slice(1).map((h, idx) =>
+    Math.max(
+      h.length,
+      ...summaryRows.map((r) => (r.values[idx] || '').length)
+    )
+  );
+
+  console.log('');
+  console.log('--- Summary (ops/sec) ---');
+  console.log([
+    headerCols[0].padEnd(suiteWidth),
+    ...headerCols.slice(1).map((h, idx) => h.padStart(valueWidths[idx])),
+  ].join(' | '));
+  console.log([
+    '-'.repeat(suiteWidth),
+    ...valueWidths.map((w) => '-'.repeat(w)),
+  ].join('-|-'));
+
+  for (const row of summaryRows) {
+    console.log([
+      row.suite.padEnd(suiteWidth),
+      ...row.values.map((v, idx) => v.padStart(valueWidths[idx])),
+    ].join(' | '));
   }
 
   console.log('');

package/src/commands/command.js

@@ -15,42 +15,42 @@ const WRITE_COMMANDS = new Set([
  * @param {string} name - Command name (lowercase for reply).
  * @returns {Array<string|number|string[]>}
  */
-function docFor(name) {
+function docFor(name, canonicalName = name) {
   const lower = name.toLowerCase();
-  const flags = WRITE_COMMANDS.has(name) ? ['write', 'fast'] : ['readonly', 'fast'];
+  const flags = WRITE_COMMANDS.has(canonicalName) ? ['write', 'fast'] : ['readonly', 'fast'];
   let arity = 2;
   let firstKey = 1;
   let lastKey = 1;
   let step = 1;
-  if (['MGET', 'MSET', 'DEL', 'UNLINK', 'EXISTS', 'KEYS', 'SCAN', 'PING', 'ECHO', 'QUIT', 'TYPE', 'OBJECT', 'SQLITE.INFO', 'CACHE.INFO', 'MEMORY.INFO', 'COMMAND', 'MONITOR', 'CLIENT'].includes(name)) {
-    if (['PING', 'ECHO', 'QUIT', 'COMMAND', 'MONITOR'].includes(name)) {
+  if (['MGET', 'MSET', 'DEL', 'UNLINK', 'EXISTS', 'KEYS', 'SCAN', 'PING', 'ECHO', 'QUIT', 'TYPE', 'OBJECT', 'SQLITE.INFO', 'CACHE.INFO', 'MEMORY.INFO', 'COMMAND', 'MONITOR', 'CLIENT'].includes(canonicalName)) {
+    if (['PING', 'ECHO', 'QUIT', 'COMMAND', 'MONITOR'].includes(canonicalName)) {
       firstKey = 0;
       lastKey = 0;
       step = 0;
-      arity = name === 'COMMAND' ? -1 : (name === 'ECHO' ? 2 : 1);
-    } else if (['MGET', 'EXISTS', 'KEYS', 'SCAN'].includes(name)) {
+      arity = canonicalName === 'COMMAND' ? -1 : (canonicalName === 'ECHO' ? 2 : 1);
+    } else if (['MGET', 'EXISTS', 'KEYS', 'SCAN'].includes(canonicalName)) {
       arity = -2;
       lastKey = -1;
-    } else if (name === 'MSET') {
+    } else if (canonicalName === 'MSET') {
       arity = -3;
       lastKey = -1;
       step = 2;
-    } else if (['DEL', 'UNLINK'].includes(name)) {
+    } else if (['DEL', 'UNLINK'].includes(canonicalName)) {
       arity = -2;
       lastKey = -1;
     }
-  } else if (name.startsWith('FT.') || name.startsWith('SQLITE.') || name.startsWith('CACHE.') || name.startsWith('MEMORY.')) {
+  } else if (canonicalName.startsWith('FT.') || canonicalName.startsWith('SQLITE.') || canonicalName.startsWith('CACHE.') || canonicalName.startsWith('MEMORY.')) {
     firstKey = 0;
     lastKey = 0;
     step = 0;
     arity = -2;
-  } else if (['BLPOP', 'BRPOP'].includes(name)) {
+  } else if (['BLPOP', 'BRPOP'].includes(canonicalName)) {
     arity = -3;
     lastKey = -1;
     step = 1;
-  } else if (['HMGET', 'HGETALL', 'HGET', 'HSET', 'HDEL', 'HEXISTS', 'HINCRBY', 'HLEN'].includes(name)) {
-    arity = (name === 'HGET' || name === 'HLEN' || name === 'HEXISTS') ? 3 : -3;
-  } else if (name === 'SETEX') {
+  } else if (['HMGET', 'HGETALL', 'HGET', 'HSET', 'HDEL', 'HEXISTS', 'HINCRBY', 'HLEN'].includes(canonicalName)) {
+    arity = (canonicalName === 'HGET' || canonicalName === 'HLEN' || canonicalName === 'HEXISTS') ? 3 : -3;
+  } else if (canonicalName === 'SETEX') {
     arity = 4;
   }
   return [lower, arity, flags, firstKey, lastKey, step, []];
@@ -63,10 +63,13 @@ function docFor(name) {
  */
 export function handleCommand(engine, args, context) {
   const allNames = context?.getCommandNames ? context.getCommandNames() : [];
+  const resolveCanonical = context?.resolveCommandForIntrospection
+    ? (name) => context.resolveCommandForIntrospection(name)
+    : (name) => name;
   const sub = (args && args.length > 0 && Buffer.isBuffer(args[0])) ? args[0].toString('utf8').toUpperCase() : '';
 
   if (!sub || sub === '') {
-    const reply = allNames.map((n) => docFor(n));
+    const reply = allNames.map((n) => docFor(n, resolveCanonical(n)));
     return reply;
   }
   if (sub === 'COUNT') {
@@ -75,7 +78,7 @@ export function handleCommand(engine, args, context) {
   if (sub === 'INFO') {
     const names = (args.slice(1) || []).map((b) => (Buffer.isBuffer(b) ? b.toString('utf8') : String(b)).toUpperCase());
     const set = new Set(allNames);
-    const reply = names.map((n) => set.has(n) ? docFor(n) : null).filter((x) => x != null);
+    const reply = names.map((n) => set.has(n) ? docFor(n, resolveCanonical(n)) : null).filter((x) => x != null);
     return reply;
   }
 

package/src/commands/registry.js

@@ -91,6 +91,8 @@ import * as monitor from './monitor.js';
 import * as client from './client.js';
 import * as command from './command.js';
 
+const COMPILED_POLICY_TAG = Symbol('compiled-command-policy');
+
 const HANDLERS = new Map([
   ['PING', (e, a) => ping.handlePing()],
   ['ECHO', (e, a) => echo.handleEcho(a)],
@@ -181,6 +183,100 @@ const HANDLERS = new Map([
   ['COMMAND', (e, a, ctx) => command.handleCommand(e, a, ctx)],
 ]);
 
+function assertCommandName(value, field) {
+  if (typeof value !== 'string' || value.trim() === '') {
+    throw new Error(`invalid command policy: ${field} must be a non-empty string`);
+  }
+  return value.trim().toUpperCase();
+}
+
+function isCompiledPolicy(value) {
+  return !!(value && typeof value === 'object' && value[COMPILED_POLICY_TAG] === true);
+}
+
+export function compileCommandPolicy(policy = {}) {
+  if (policy == null) return null;
+  if (isCompiledPolicy(policy)) return policy;
+  if (typeof policy !== 'object') {
+    throw new Error('invalid command policy: expected an object');
+  }
+
+  const rename = policy.rename ?? {};
+  const disabled = policy.disabled ?? [];
+
+  if (rename == null || typeof rename !== 'object' || Array.isArray(rename)) {
+    throw new Error('invalid command policy: rename must be an object');
+  }
+  if (!Array.isArray(disabled)) {
+    throw new Error('invalid command policy: disabled must be an array');
+  }
+
+  const knownCommands = new Set(HANDLERS.keys());
+  const renamedOriginals = new Set();
+  const aliasToOriginal = new Map();
+
+  for (const [rawOriginal, rawAlias] of Object.entries(rename)) {
+    const original = assertCommandName(rawOriginal, 'rename key');
+    const alias = assertCommandName(rawAlias, `rename.${rawOriginal}`);
+    if (!knownCommands.has(original)) {
+      throw new Error(`invalid command policy: cannot rename unknown command "${original}"`);
+    }
+    if (alias === original) {
+      throw new Error(`invalid command policy: alias for "${original}" must be different`);
+    }
+    if (knownCommands.has(alias)) {
+      throw new Error(`invalid command policy: alias "${alias}" conflicts with existing command`);
+    }
+    if (aliasToOriginal.has(alias)) {
+      throw new Error(`invalid command policy: alias "${alias}" is duplicated`);
+    }
+    renamedOriginals.add(original);
+    aliasToOriginal.set(alias, original);
+  }
+
+  const disabledSet = new Set();
+  for (const rawName of disabled) {
+    const name = assertCommandName(rawName, 'disabled[] item');
+    disabledSet.add(name);
+  }
+
+  return {
+    [COMPILED_POLICY_TAG]: true,
+    disabledSet,
+    aliasToOriginal,
+    renamedOriginals,
+  };
+}
+
+function listVisibleCommandNames(policy) {
+  const names = [];
+  for (const name of HANDLERS.keys()) {
+    if (policy?.renamedOriginals?.has(name)) continue;
+    if (policy?.disabledSet?.has(name)) continue;
+    names.push(name);
+  }
+  if (policy?.aliasToOriginal) {
+    for (const [alias] of policy.aliasToOriginal.entries()) {
+      if (policy.disabledSet.has(alias)) continue;
+      names.push(alias);
+    }
+  }
+  return names;
+}
+
+function resolveIncomingCommand(inputCommand, policy) {
+  if (!policy) return { blocked: false, resolvedCommand: inputCommand };
+  if (policy.disabledSet.has(inputCommand)) {
+    return { blocked: true, resolvedCommand: inputCommand };
+  }
+  const target = policy.aliasToOriginal.get(inputCommand);
+  if (target) return { blocked: false, resolvedCommand: target };
+  if (policy.renamedOriginals.has(inputCommand)) {
+    return { blocked: true, resolvedCommand: inputCommand };
+  }
+  return { blocked: false, resolvedCommand: inputCommand };
+}
+
 /**
  * Dispatch command. Full argv: [commandNameBuf, ...argBuffers].
  * @param {object} engine
@@ -195,8 +291,27 @@ export function dispatch(engine, argv, context) {
   const cmd = (Buffer.isBuffer(argv[0]) ? argv[0].toString('utf8') : String(argv[0])).toUpperCase();
   const args = argv.slice(1);
   const argvStrings = argv.map((b) => (Buffer.isBuffer(b) ? b.toString('utf8') : String(b)));
-  if (context) context.getCommandNames = () => Array.from(HANDLERS.keys());
-  const handler = HANDLERS.get(cmd);
+  const policy = compileCommandPolicy(context?.commandPolicy);
+  const commandResolution = resolveIncomingCommand(cmd, policy);
+  if (commandResolution.blocked) {
+    context?.onUnknownCommand?.({
+      command: cmd,
+      argsCount: args.length,
+      argv: argvStrings ?? [cmd],
+      clientAddress: context?.clientAddress ?? '',
+      connectionId: context?.connectionId ?? 0,
+    });
+    return { error: unsupported() };
+  }
+  const resolvedCommand = commandResolution.resolvedCommand;
+  if (context) {
+    context.getCommandNames = () => listVisibleCommandNames(policy);
+    context.resolveCommandForIntrospection = (name) => {
+      if (!policy) return name;
+      return policy.aliasToOriginal.get(String(name).toUpperCase()) ?? String(name).toUpperCase();
+    };
+  }
+  const handler = HANDLERS.get(resolvedCommand);
   if (!handler) {
     context?.onUnknownCommand?.({
       command: cmd,

package/src/embed.js

@@ -13,6 +13,7 @@ import net from 'node:net';
 import { handleConnection } from './server/connection.js';
 import { createEngine } from './engine/engine.js';
 import { openDb } from './storage/sqlite/db.js';
+import { compileCommandPolicy } from './commands/registry.js';
 
 export { handleConnection, createEngine, openDb };
 
@@ -37,6 +38,7 @@ export { handleConnection, createEngine, openDb };
  * @param {Record<string, string|number>} [options.pragma] Override specific pragmas only when needed (e.g. { synchronous: 'FULL' }). Applied after the template.
  * @param {RESPliteHooks} [options.hooks]         Optional event hooks for observability (onUnknownCommand, onCommandError, onSocketError).
  * @param {boolean} [options.gracefulShutdown=true] If true, register SIGTERM/SIGINT to call close(). Set false if you handle shutdown yourself to avoid double handlers.
+ * @param {{ rename?: Record<string, string>, disabled?: string[] } | null} [options.commandPolicy] Optional: rename/disable commands for hardening.
  * @returns {Promise<{ port: number, host: string, close: () => Promise<void> }>}
  */
 export async function createRESPlite({
@@ -47,7 +49,9 @@ export async function createRESPlite({
   pragma,
   hooks = {},
   gracefulShutdown = true,
+  commandPolicy = null,
 } = {}) {
+  const compiledCommandPolicy = compileCommandPolicy(commandPolicy);
   const db = openDb(dbPath, { pragmaTemplate, pragma });
   const engine = createEngine({ db });
   const connections = new Set();
@@ -55,7 +59,7 @@ export async function createRESPlite({
   const server = net.createServer((socket) => {
     connections.add(socket);
     socket.once('close', () => connections.delete(socket));
-    handleConnection(socket, engine, hooks);
+    handleConnection(socket, engine, hooks, compiledCommandPolicy);
   });
   await new Promise((resolve) => server.listen(port, host, resolve));
 

package/src/index.js

@@ -26,6 +26,7 @@ const DEFAULT_PORT = 6379;
  * @param {string} [options.pragmaTemplate]
  * @param {Record<string, string|number>} [options.pragma] Override specific pragmas when needed (e.g. { synchronous: 'FULL' }). Convention: template is applied by default.
  * @param {boolean} [options.gracefulShutdown=true] If true, register SIGTERM/SIGINT to close server and DB. Set false if you handle shutdown yourself.
+ * @param {{ rename?: Record<string, string>, disabled?: string[] } | null} [options.commandPolicy] Optional: rename/disable commands for hardening.
  */
 export function startServer(options = {}) {
   const dbPath = options.dbPath ?? process.env.RESPLITE_DB ?? DEFAULT_DB_PATH;
@@ -45,7 +46,7 @@ export function startServer(options = {}) {
   sweeper.start();
 
   const connections = new Set();
-  const server = createServer({ engine, port, connections });
+  const server = createServer({ engine, port, connections, commandPolicy: options.commandPolicy ?? null });
 
   if (gracefulShutdown) {
     let shuttingDown = false;

package/src/server/connection.js

@@ -3,7 +3,7 @@
  */
 
 import { RESPReader } from '../resp/parser.js';
-import { dispatch } from '../commands/registry.js';
+import { compileCommandPolicy, dispatch } from '../commands/registry.js';
 import { encode, encodeSimpleString, encodeError } from '../resp/encoder.js';
 import { registerMonitorClient, unregisterMonitorClient, broadcastMonitorCommand } from './monitor.js';
 
@@ -13,11 +13,13 @@ let nextConnectionId = 0;
  * @param {import('net').Socket} socket
  * @param {object} engine
  * @param {object} [hooks] Optional: onUnknownCommand, onCommandError, onSocketError
+ * @param {object|null} [commandPolicy] Optional: command rename/disable policy.
  */
-export function handleConnection(socket, engine, hooks = {}) {
+export function handleConnection(socket, engine, hooks = {}, commandPolicy = null) {
   const reader = new RESPReader();
   const connectionId = ++nextConnectionId;
   const clientAddress = `${socket.remoteAddress ?? 'unknown'}:${socket.remotePort ?? 0}`;
+  const compiledCommandPolicy = compileCommandPolicy(commandPolicy);
   const context = {
     connectionId,
     clientAddress,
@@ -29,6 +31,7 @@ export function handleConnection(socket, engine, hooks = {}) {
     onUnknownCommand: hooks.onUnknownCommand,
     onCommandError: hooks.onCommandError,
     onSocketError: hooks.onSocketError,
+    commandPolicy: compiledCommandPolicy,
   };
 
   function writeResult(out) {

package/src/server/tcp-server.js

@@ -4,6 +4,7 @@
 
 import net from 'node:net';
 import { handleConnection } from './connection.js';
+import { compileCommandPolicy } from '../commands/registry.js';
 
 /**
  * @param {object} options
@@ -11,15 +12,17 @@ import { handleConnection } from './connection.js';
  * @param {number} [options.port=6379]
  * @param {string} [options.host='0.0.0.0']
  * @param {Set<import('node:net').Socket>} [options.connections] If provided, each accepted socket is added here (for graceful shutdown).
+ * @param {object|null} [options.commandPolicy] Optional: command rename/disable policy.
  * @returns {import('node:net').Server}
  */
-export function createServer({ engine, port = 6379, host = '0.0.0.0', connections = null }) {
+export function createServer({ engine, port = 6379, host = '0.0.0.0', connections = null, commandPolicy = null }) {
+  const compiledCommandPolicy = compileCommandPolicy(commandPolicy);
   const server = net.createServer((socket) => {
     if (connections) {
       connections.add(socket);
       socket.once('close', () => connections.delete(socket));
     }
-    handleConnection(socket, engine);
+    handleConnection(socket, engine, {}, compiledCommandPolicy);
   });
   return server;
 }

package/test/helpers/server.js

@@ -7,17 +7,20 @@ import net from 'node:net';
 import { handleConnection } from '../../src/server/connection.js';
 import { createEngine } from '../../src/engine/engine.js';
 import { openDb } from '../../src/storage/sqlite/db.js';
+import { compileCommandPolicy } from '../../src/commands/registry.js';
 import { tmpDbPath } from './tmp.js';
 
 export function createTestServer(options = {}) {
   const dbPath = options.dbPath || tmpDbPath();
   const db = openDb(dbPath);
   const engine = createEngine({ db });
+  const hooks = options.hooks || {};
+  const commandPolicy = compileCommandPolicy(options.commandPolicy ?? null);
   const connections = new Set();
   const server = net.createServer((socket) => {
     connections.add(socket);
     socket.once('close', () => connections.delete(socket));
-    handleConnection(socket, engine);
+    handleConnection(socket, engine, hooks, commandPolicy);
   });
   return new Promise((resolve, reject) => {
     server.listen(0, '127.0.0.1', () => {

package/test/integration/command-security.test.js

@@ -0,0 +1,90 @@
+/**
+ * Integration tests for command hardening policy (rename/disable).
+ */
+
+import { describe, it, before, after } from 'node:test';
+import assert from 'node:assert/strict';
+import { createTestServer } from '../helpers/server.js';
+import { sendCommand, argv } from '../helpers/client.js';
+import { tryParseValue } from '../../src/resp/parser.js';
+
+function parseResp(buffer) {
+  const parsed = tryParseValue(buffer, 0);
+  return parsed ? parsed.value : null;
+}
+
+function asUtf8(value) {
+  return Buffer.isBuffer(value) ? value.toString('utf8') : String(value);
+}
+
+describe('command hardening policy', () => {
+  let s;
+  let port;
+
+  before(async () => {
+    s = await createTestServer({
+      commandPolicy: {
+        rename: {
+          KEYS: 'SAFE_KEYS',
+          DEL: 'RMDEL',
+        },
+        disabled: ['MONITOR'],
+      },
+    });
+    port = s.port;
+  });
+
+  after(async () => {
+    await s.closeAsync();
+  });
+
+  it('renamed command is available only through alias', async () => {
+    const setReply = parseResp(await sendCommand(port, argv('SET', 'policy:k1', 'v1')));
+    assert.equal(asUtf8(setReply), 'OK');
+
+    const aliasReply = parseResp(await sendCommand(port, argv('SAFE_KEYS', 'policy:*')));
+    assert.ok(Array.isArray(aliasReply));
+    assert.ok(aliasReply.map(asUtf8).includes('policy:k1'));
+
+    const oldNameReply = parseResp(await sendCommand(port, argv('KEYS', 'policy:*')));
+    assert.ok(oldNameReply && oldNameReply.error);
+    assert.equal(asUtf8(oldNameReply.error), 'ERR command not supported yet');
+  });
+
+  it('explicitly disabled command returns unsupported', async () => {
+    const reply = parseResp(await sendCommand(port, argv('MONITOR')));
+    assert.ok(reply && reply.error);
+    assert.equal(asUtf8(reply.error), 'ERR command not supported yet');
+  });
+
+  it('COMMAND only exposes visible names and keeps canonical metadata', async () => {
+    const listReply = parseResp(await sendCommand(port, argv('COMMAND')));
+    assert.ok(Array.isArray(listReply));
+    const names = listReply.map((doc) => asUtf8(doc[0]).toUpperCase());
+    assert.ok(names.includes('SAFE_KEYS'));
+    assert.ok(names.includes('RMDEL'));
+    assert.ok(!names.includes('KEYS'));
+    assert.ok(!names.includes('DEL'));
+    assert.ok(!names.includes('MONITOR'));
+
+    const infoReply = parseResp(await sendCommand(port, argv('COMMAND', 'INFO', 'RMDEL')));
+    assert.ok(Array.isArray(infoReply));
+    assert.equal(infoReply.length, 1);
+    const rmDelDoc = infoReply[0];
+    assert.equal(asUtf8(rmDelDoc[0]), 'rmdel');
+    assert.equal(rmDelDoc[1], -2);
+    const flags = rmDelDoc[2].map(asUtf8);
+    assert.ok(flags.includes('write'));
+  });
+
+  it('renamed write command executes through alias and blocks original', async () => {
+    await sendCommand(port, argv('SET', 'policy:del', 'to-delete'));
+
+    const aliasDeleteReply = parseResp(await sendCommand(port, argv('RMDEL', 'policy:del')));
+    assert.equal(aliasDeleteReply, 1);
+
+    const originalDeleteReply = parseResp(await sendCommand(port, argv('DEL', 'policy:del')));
+    assert.ok(originalDeleteReply && originalDeleteReply.error);
+    assert.equal(asUtf8(originalDeleteReply.error), 'ERR command not supported yet');
+  });
+});

package/test/integration/embed.test.js

@@ -142,6 +142,33 @@ describe('createRESPlite', () => {
     assert.ok(sub.clientAddress.length > 0);
   });
 
+  it('onUnknownCommand hook is also called for disabled commands', async () => {
+    const unknownCalls = [];
+    const srv = await createRESPlite({
+      commandPolicy: {
+        disabled: ['MONITOR'],
+      },
+      hooks: {
+        onUnknownCommand(payload) {
+          unknownCalls.push(payload);
+        },
+      },
+    });
+    const client = await redisClient(srv.port);
+    try {
+      await client.sendCommand(['MONITOR']);
+      assert.fail('expected error');
+    } catch (e) {
+      assert.ok(e.message.includes('not supported'), e.message);
+    }
+    await client.quit();
+    await srv.close();
+
+    assert.equal(unknownCalls.length, 1);
+    assert.equal(unknownCalls[0].command, 'MONITOR');
+    assert.equal(unknownCalls[0].argsCount, 0);
+  });
+
   it('onCommandError hook is called when command returns or throws error', async () => {
     const errorCalls = [];
     const srv = await createRESPlite({

package/test/integration/migration-dirty-tracker.test.js

@@ -27,7 +27,13 @@ const PREFIX    = `__resplite_tracker_test_${process.pid}__`;
 
 /** Connect to local Redis; return null if unavailable. */
 async function tryConnectRedis() {
-  const client = createClient({ url: REDIS_URL });
+  const client = createClient({
+    url: REDIS_URL,
+    socket: {
+      connectTimeout: 1500,
+      reconnectStrategy: () => new Error('no reconnect in tests'),
+    },
+  });
   try {
     await client.connect();
     await client.ping();