npm - spck - Versions diffs - 0.3.1 - Mend

spck 0.3.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (155) hide show

package/.oxlintrc.json +49 -0
package/LICENSE +21 -0
package/README.md +631 -0
package/bin/cli.js +20 -0
package/bin/validate-cwd.js +41 -0
package/dist/config/__tests__/config.test.d.ts +2 -0
package/dist/config/__tests__/config.test.js +262 -0
package/dist/config/__tests__/credentials.test.d.ts +2 -0
package/dist/config/__tests__/credentials.test.js +360 -0
package/dist/config/config.d.ts +33 -0
package/dist/config/config.js +185 -0
package/dist/config/credentials.d.ts +75 -0
package/dist/config/credentials.js +259 -0
package/dist/config/server-selection.d.ts +40 -0
package/dist/config/server-selection.js +130 -0
package/dist/connection/__tests__/firebase-auth.test.d.ts +2 -0
package/dist/connection/__tests__/firebase-auth.test.js +96 -0
package/dist/connection/__tests__/hmac.test.d.ts +2 -0
package/dist/connection/__tests__/hmac.test.js +372 -0
package/dist/connection/auth.d.ts +13 -0
package/dist/connection/auth.js +91 -0
package/dist/connection/firebase-auth.d.ts +40 -0
package/dist/connection/firebase-auth.js +429 -0
package/dist/connection/hmac.d.ts +24 -0
package/dist/connection/hmac.js +109 -0
package/dist/i18n/index.d.ts +25 -0
package/dist/i18n/index.js +101 -0
package/dist/i18n/locales/en.json +313 -0
package/dist/i18n/locales/es.json +302 -0
package/dist/i18n/locales/fr.json +302 -0
package/dist/i18n/locales/id.json +302 -0
package/dist/i18n/locales/ja.json +302 -0
package/dist/i18n/locales/ko.json +302 -0
package/dist/i18n/locales/locales/en.json +309 -0
package/dist/i18n/locales/locales/es.json +302 -0
package/dist/i18n/locales/locales/fr.json +302 -0
package/dist/i18n/locales/locales/id.json +302 -0
package/dist/i18n/locales/locales/ja.json +302 -0
package/dist/i18n/locales/locales/ko.json +302 -0
package/dist/i18n/locales/locales/pt.json +302 -0
package/dist/i18n/locales/locales/zh-Hans.json +302 -0
package/dist/i18n/locales/pt.json +302 -0
package/dist/i18n/locales/zh-Hans.json +302 -0
package/dist/index.d.ts +25 -0
package/dist/index.js +493 -0
package/dist/proxy/ProxyClient.d.ts +125 -0
package/dist/proxy/ProxyClient.js +781 -0
package/dist/proxy/ProxySocketWrapper.d.ts +43 -0
package/dist/proxy/ProxySocketWrapper.js +98 -0
package/dist/proxy/__tests__/ProxyClient.test.d.ts +2 -0
package/dist/proxy/__tests__/ProxyClient.test.js +445 -0
package/dist/proxy/__tests__/ProxySocketWrapper.test.d.ts +2 -0
package/dist/proxy/__tests__/ProxySocketWrapper.test.js +190 -0
package/dist/proxy/__tests__/handshake-validation.test.d.ts +2 -0
package/dist/proxy/__tests__/handshake-validation.test.js +282 -0
package/dist/proxy/__tests__/token-refresh-race.test.d.ts +14 -0
package/dist/proxy/__tests__/token-refresh-race.test.js +173 -0
package/dist/proxy/chunking.d.ts +53 -0
package/dist/proxy/chunking.js +127 -0
package/dist/proxy/handshake-validation.d.ts +21 -0
package/dist/proxy/handshake-validation.js +49 -0
package/dist/rpc/__tests__/router.test.d.ts +2 -0
package/dist/rpc/__tests__/router.test.js +262 -0
package/dist/rpc/router.d.ts +37 -0
package/dist/rpc/router.js +132 -0
package/dist/services/BrowserProxyService.d.ts +13 -0
package/dist/services/BrowserProxyService.js +139 -0
package/dist/services/FilesystemService.d.ts +99 -0
package/dist/services/FilesystemService.js +742 -0
package/dist/services/GitService.d.ts +243 -0
package/dist/services/GitService.js +1439 -0
package/dist/services/SearchService.d.ts +93 -0
package/dist/services/SearchService.js +670 -0
package/dist/services/TerminalService.d.ts +62 -0
package/dist/services/TerminalService.js +337 -0
package/dist/services/__tests__/BrowserProxyService.test.d.ts +2 -0
package/dist/services/__tests__/BrowserProxyService.test.js +145 -0
package/dist/services/__tests__/FilesystemService.test.d.ts +2 -0
package/dist/services/__tests__/FilesystemService.test.js +609 -0
package/dist/services/__tests__/GitService.test.d.ts +2 -0
package/dist/services/__tests__/GitService.test.js +953 -0
package/dist/services/__tests__/SearchService.test.d.ts +2 -0
package/dist/services/__tests__/SearchService.test.js +384 -0
package/dist/services/__tests__/TerminalService.test.d.ts +2 -0
package/dist/services/__tests__/TerminalService.test.js +513 -0
package/dist/setup/wizard.d.ts +10 -0
package/dist/setup/wizard.js +172 -0
package/dist/types.d.ts +196 -0
package/dist/types.js +44 -0
package/dist/utils/__tests__/gitignore.test.d.ts +2 -0
package/dist/utils/__tests__/gitignore.test.js +127 -0
package/dist/utils/gitignore.d.ts +24 -0
package/dist/utils/gitignore.js +77 -0
package/dist/utils/logger.d.ts +96 -0
package/dist/utils/logger.js +456 -0
package/dist/utils/project-dir.d.ts +51 -0
package/dist/utils/project-dir.js +191 -0
package/dist/utils/ripgrep.d.ts +34 -0
package/dist/utils/ripgrep.js +148 -0
package/dist/utils/tool-detection.d.ts +17 -0
package/dist/utils/tool-detection.js +126 -0
package/dist/watcher/FileWatcher.d.ts +10 -0
package/dist/watcher/FileWatcher.js +42 -0
package/package.json +70 -0
package/src/config/__tests__/config.test.ts +318 -0
package/src/config/__tests__/credentials.test.ts +494 -0
package/src/config/config.ts +206 -0
package/src/config/credentials.ts +302 -0
package/src/config/server-selection.ts +150 -0
package/src/connection/__tests__/firebase-auth.test.ts +121 -0
package/src/connection/__tests__/hmac.test.ts +509 -0
package/src/connection/auth.ts +140 -0
package/src/connection/firebase-auth.ts +504 -0
package/src/connection/hmac.ts +139 -0
package/src/i18n/index.ts +119 -0
package/src/i18n/locales/en.json +313 -0
package/src/i18n/locales/es.json +302 -0
package/src/i18n/locales/fr.json +302 -0
package/src/i18n/locales/id.json +302 -0
package/src/i18n/locales/ja.json +302 -0
package/src/i18n/locales/ko.json +302 -0
package/src/i18n/locales/pt.json +302 -0
package/src/i18n/locales/zh-Hans.json +302 -0
package/src/index.ts +542 -0
package/src/proxy/ProxyClient.ts +968 -0
package/src/proxy/ProxySocketWrapper.ts +113 -0
package/src/proxy/__tests__/ProxyClient.test.ts +575 -0
package/src/proxy/__tests__/ProxySocketWrapper.test.ts +251 -0
package/src/proxy/__tests__/handshake-validation.test.ts +367 -0
package/src/proxy/chunking.ts +162 -0
package/src/proxy/handshake-validation.ts +64 -0
package/src/rpc/__tests__/router.test.ts +400 -0
package/src/rpc/router.ts +183 -0
package/src/services/BrowserProxyService.ts +179 -0
package/src/services/FilesystemService.ts +841 -0
package/src/services/GitService.ts +1639 -0
package/src/services/SearchService.ts +809 -0
package/src/services/TerminalService.ts +413 -0
package/src/services/__tests__/BrowserProxyService.test.ts +155 -0
package/src/services/__tests__/FilesystemService.test.ts +1002 -0
package/src/services/__tests__/GitService.test.ts +1552 -0
package/src/services/__tests__/SearchService.test.ts +484 -0
package/src/services/__tests__/TerminalService.test.ts +702 -0
package/src/setup/wizard.ts +242 -0
package/src/types/fossil-delta.d.ts +4 -0
package/src/types.ts +287 -0
package/src/utils/__tests__/gitignore.test.ts +174 -0
package/src/utils/gitignore.ts +91 -0
package/src/utils/logger.ts +578 -0
package/src/utils/project-dir.ts +218 -0
package/src/utils/ripgrep.ts +180 -0
package/src/utils/tool-detection.ts +141 -0
package/src/watcher/FileWatcher.ts +53 -0
package/tsconfig.json +24 -0
package/vitest.config.ts +19 -0

package/src/services/TerminalService.ts ADDED Viewed

@@ -0,0 +1,413 @@
+/**
+ * Terminal service - manages PTY sessions with xterm-headless
+ */
+import * as pty from 'node-pty';
+import XtermHeadlessModule from '@xterm/headless';
+import SerializeAddonModule from '@xterm/addon-serialize';
+import defaultShell from 'default-shell';
+import { AuthenticatedSocket, ErrorCode, createRPCError } from '../types.js';
+import { logTerminalRead, logTerminalWrite } from '../utils/logger.js';
+const { Terminal: XtermHeadless } = XtermHeadlessModule as any;
+const { SerializeAddon } = SerializeAddonModule as any;
+// Hard limit on terminal buffer size to prevent memory exhaustion (DoS)
+const MAX_BUFFER_LINES_HARD_LIMIT = 50000;
+interface TerminalSession {
+  id: string;
+  pty: pty.IPty;
+  xterm: any;
+  serializeAddon: any;
+  cols: number;
+  rows: number;
+  exited: boolean;
+  exitCode?: number;
+  uid: string;
+  pendingWrites: number; // Track number of pending write operations
+}
+export class TerminalService {
+  private sessions: Map<string, TerminalSession> = new Map();
+  private activeTerminalId: string | null = null;
+  constructor(
+    private getSocket: () => AuthenticatedSocket,
+    private maxTerminals: number = 10,
+    private maxBufferedLines: number = 10000,
+    private rootPath: string = process.cwd()
+  ) {
+    // Enforce hard limit on buffer size to prevent memory exhaustion
+    if (this.maxBufferedLines > MAX_BUFFER_LINES_HARD_LIMIT) {
+      console.warn(
+        `Terminal buffer size ${this.maxBufferedLines} exceeds hard limit ${MAX_BUFFER_LINES_HARD_LIMIT}. ` +
+        `Capping at ${MAX_BUFFER_LINES_HARD_LIMIT} lines.`
+      );
+      this.maxBufferedLines = MAX_BUFFER_LINES_HARD_LIMIT;
+    }
+  }
+  /**
+   * Get UID from socket with fallback
+   */
+  private getUid(): string {
+    return this.getSocket().data?.uid || 'unknown';
+  }
+  /**
+   * Handle terminal RPC methods
+   */
+  async handle(method: string, params: any): Promise<any> {
+    const uid = this.getUid();
+    let result: any;
+    let error: any;
+    // Define read and write operations
+    const readOps = ['list', 'refresh'];
+    const writeOps = ['create', 'destroy', 'activate', 'send', 'resize'];
+    try {
+      switch (method) {
+        case 'create':
+          result = await this.create(params);
+          logTerminalWrite(method, params, uid, true, undefined, { terminalId: result });
+          return result;
+        case 'destroy':
+          result = await this.destroy(params);
+          logTerminalWrite(method, params, uid, true);
+          return result;
+        case 'activate':
+          result = await this.activate(params);
+          logTerminalWrite(method, params, uid, true);
+          return result;
+        case 'send':
+          result = await this.send(params);
+          logTerminalWrite(method, params, uid, true);
+          return result;
+        case 'resize':
+          result = await this.resize(params);
+          logTerminalWrite(method, params, uid, true);
+          return result;
+        case 'refresh':
+          result = await this.refresh(params);
+          logTerminalRead(method, params, uid, true);
+          return result;
+        case 'list':
+          result = await this.list();
+          logTerminalRead(method, params, uid, true, undefined, { count: result.length });
+          return result;
+        default:
+          throw createRPCError(ErrorCode.METHOD_NOT_FOUND, `Method not found: terminal.${method}`);
+      }
+    } catch (err: any) {
+      error = err;
+      // Log error based on operation type
+      if (readOps.includes(method)) {
+        logTerminalRead(method, params, uid, false, error);
+      } else if (writeOps.includes(method)) {
+        logTerminalWrite(method, params, uid, false, error);
+      }
+      throw error;
+    }
+  }
+  /**
+   * Create new terminal session
+   */
+  private async create(params: { cols: number; rows: number }): Promise<string> {
+    const uid = this.getUid();
+    // Check terminal limit
+    const userTerminals = Array.from(this.sessions.values()).filter((s) => s.uid === uid);
+    if (userTerminals.length >= this.maxTerminals) {
+      throw createRPCError(
+        ErrorCode.TERMINAL_LIMIT_EXCEEDED,
+        `Terminal limit exceeded (max ${this.maxTerminals})`
+      );
+    }
+    const terminalId = this.generateId();
+    // Get default shell for the platform
+    const shell = defaultShell;
+    // Spawn PTY process
+    let ptyProcess: pty.IPty;
+    try {
+      ptyProcess = pty.spawn(shell, [], {
+        name: 'xterm-256color',
+        cols: params.cols || 80,
+        rows: params.rows || 24,
+        cwd: this.rootPath,
+        env: process.env,
+      });
+    } catch (error: any) {
+      // Log full error details server-side for debugging
+      console.error('Failed to spawn terminal:', {
+        error: error.message,
+        shell,
+        cwd: this.rootPath,
+        stack: error.stack,
+      });
+      // Send sanitized error to client (no system paths or stack traces)
+      throw createRPCError(
+        ErrorCode.INTERNAL_ERROR,
+        'Failed to spawn terminal. Please check that the shell is available and the working directory is accessible.'
+      );
+    }
+    // Create headless xterm for buffer management
+    const xterm = new XtermHeadless({
+      cols: params.cols || 80,
+      rows: params.rows || 24,
+      // Enforce hard limit as defense in depth (should already be capped in constructor)
+      scrollback: Math.min(this.maxBufferedLines, MAX_BUFFER_LINES_HARD_LIMIT),
+      allowProposedApi: true
+    });
+    const serializeAddon = new SerializeAddon();
+    xterm.loadAddon(serializeAddon);
+    // Connect PTY to xterm buffer
+    ptyProcess.onData((data) => {
+      const session = this.sessions.get(terminalId);
+      if (session) {
+        // Track pending write
+        session.pendingWrites++;
+        // Write to xterm with callback
+        xterm.write(data, () => {
+          // Decrement pending writes when complete
+          if (session.pendingWrites > 0) {
+            session.pendingWrites--;
+          }
+        });
+      }
+      // If this is the active terminal, stream to client
+      if (this.activeTerminalId === terminalId) {
+        this.getSocket().emit('rpc', {
+          jsonrpc: '2.0',
+          method: 'terminal.output',
+          params: { terminalId, data },
+        });
+      }
+    });
+    // Handle process exit
+    ptyProcess.onExit(({ exitCode }) => {
+      const session = this.sessions.get(terminalId);
+      if (session) {
+        session.exited = true;
+        session.exitCode = exitCode;
+        // Notify client
+        this.getSocket().emit('rpc', {
+          jsonrpc: '2.0',
+          method: 'terminal.exited',
+          params: { terminalId, exitCode },
+        });
+      }
+    });
+    // Store session
+    this.sessions.set(terminalId, {
+      id: terminalId,
+      pty: ptyProcess,
+      xterm,
+      serializeAddon,
+      cols: params.cols || 80,
+      rows: params.rows || 24,
+      exited: false,
+      uid,
+      pendingWrites: 0,
+    });
+    // Send initial buffer
+    await this.sendBufferRefresh(terminalId);
+    return terminalId;
+  }
+  /**
+   * Destroy terminal session
+   */
+  private async destroy(params: { terminalId: string }): Promise<void> {
+    const session = this.sessions.get(params.terminalId);
+    if (!session) {
+      throw createRPCError(ErrorCode.TERMINAL_NOT_FOUND, 'Terminal not found');
+    }
+    // Verify ownership
+    if (session.uid !== this.getUid()) {
+      throw createRPCError(ErrorCode.PERMISSION_DENIED, 'Permission denied');
+    }
+    // Kill PTY process if still running
+    if (!session.exited) {
+      session.pty.kill();
+    }
+    // Clean up
+    this.sessions.delete(params.terminalId);
+    if (this.activeTerminalId === params.terminalId) {
+      this.activeTerminalId = null;
+    }
+  }
+  /**
+   * Activate terminal (start streaming)
+   */
+  private async activate(params: { terminalId: string }): Promise<void> {
+    const session = this.sessions.get(params.terminalId);
+    if (!session) {
+      throw createRPCError(ErrorCode.TERMINAL_NOT_FOUND, 'Terminal not found');
+    }
+    // Verify ownership
+    if (session.uid !== this.getUid()) {
+      throw createRPCError(ErrorCode.PERMISSION_DENIED, 'Permission denied');
+    }
+    // Update active terminal
+    this.activeTerminalId = params.terminalId;
+    // Send full buffer refresh
+    await this.sendBufferRefresh(params.terminalId);
+  }
+  /**
+   * Send input to terminal
+   */
+  private async send(params: { terminalId: string; data: string }): Promise<void> {
+    const session = this.sessions.get(params.terminalId);
+    if (!session) {
+      throw createRPCError(ErrorCode.TERMINAL_NOT_FOUND, 'Terminal not found');
+    }
+    // Verify ownership
+    if (session.uid !== this.getUid()) {
+      throw createRPCError(ErrorCode.PERMISSION_DENIED, 'Permission denied');
+    }
+    if (session.exited) {
+      throw createRPCError(
+        ErrorCode.TERMINAL_PROCESS_EXITED,
+        'Terminal process has exited'
+      );
+    }
+    // Write to PTY
+    session.pty.write(params.data);
+  }
+  /**
+   * Resize terminal
+   */
+  private async resize(params: { terminalId: string; cols: number; rows: number }): Promise<void> {
+    const session = this.sessions.get(params.terminalId);
+    if (!session) {
+      throw createRPCError(ErrorCode.TERMINAL_NOT_FOUND, 'Terminal not found');
+    }
+    // Verify ownership
+    if (session.uid !== this.getUid()) {
+      throw createRPCError(ErrorCode.PERMISSION_DENIED, 'Permission denied');
+    }
+    // Resize PTY
+    session.pty.resize(params.cols, params.rows);
+    // Resize xterm buffer
+    session.xterm.resize(params.cols, params.rows);
+    // Update session
+    session.cols = params.cols;
+    session.rows = params.rows;
+  }
+  /**
+   * Refresh terminal buffer
+   */
+  private async refresh(params: { terminalId: string }): Promise<void> {
+    const session = this.sessions.get(params.terminalId);
+    if (!session) {
+      throw createRPCError(ErrorCode.TERMINAL_NOT_FOUND, 'Terminal not found');
+    }
+    // Verify ownership
+    if (session.uid !== this.getUid()) {
+      throw createRPCError(ErrorCode.PERMISSION_DENIED, 'Permission denied');
+    }
+    await this.sendBufferRefresh(params.terminalId);
+  }
+  /**
+   * List terminals for current user
+   */
+  private async list(): Promise<string[]> {
+    const uid = this.getUid();
+    return Array.from(this.sessions.values())
+      .filter((s) => s.uid === uid)
+      .map((s) => s.id);
+  }
+  /**
+   * Send buffer refresh notification
+   */
+  private async sendBufferRefresh(terminalId: string): Promise<void> {
+    const session = this.sessions.get(terminalId);
+    if (!session) return;
+    // Wait for pending writes to complete
+    const waitForWrites = async () => {
+      const maxWaitTime = 5000; // 5 seconds max
+      const checkInterval = 10; // Check every 10ms
+      let elapsed = 0;
+      while (session.pendingWrites > 0 && elapsed < maxWaitTime) {
+        await new Promise(resolve => setTimeout(resolve, checkInterval));
+        elapsed += checkInterval;
+      }
+      if (elapsed >= maxWaitTime) {
+        console.warn(`Timeout waiting for pending writes (${session.pendingWrites} remaining)`);
+      }
+    };
+    await waitForWrites();
+    // Serialize xterm buffer
+    const buffer = session.serializeAddon.serialize();
+    // Send to client
+    this.getSocket().emit('rpc', {
+      jsonrpc: '2.0',
+      method: 'terminal.bufferRefresh',
+      params: { terminalId, buffer },
+    });
+  }
+  /**
+   * Generate unique terminal ID
+   */
+  private generateId(): string {
+    return `term-${Date.now()}-${Math.random().toString(36).substr(2, 9)}`;
+  }
+  /**
+   * Cleanup all terminals
+   */
+  cleanup(): void {
+    for (const session of this.sessions.values()) {
+      if (!session.exited) {
+        session.pty.kill();
+      }
+    }
+    this.sessions.clear();
+  }
+}

package/src/services/__tests__/BrowserProxyService.test.ts ADDED Viewed

@@ -0,0 +1,155 @@
+import { describe, it, expect, beforeEach, vi } from 'vitest';
+/**
+ * Tests for BrowserProxyService edge cases
+ */
+import http from 'http';
+import { BrowserProxyService } from '../BrowserProxyService.js';
+import { ErrorCode } from '../../types.js';
+function makeService() {
+  return new BrowserProxyService();
+}
+function startServer(handler: http.RequestListener): Promise<{ port: number; close: () => Promise<void> }> {
+  return new Promise((resolve, reject) => {
+    const server = http.createServer(handler);
+    server.listen(0, '127.0.0.1', () => {
+      const { port } = server.address() as { port: number };
+      resolve({ port, close: () => new Promise<void>((res) => server.close(() => res())) });
+    });
+    server.on('error', reject);
+  });
+}
+function makeParams(overrides: Record<string, any> = {}) {
+  return { requestId: 'req-1', url: 'http://localhost:3000/', method: 'GET', headers: {}, body: null, ...overrides };
+}
+function makeSocket(deviceId = 'test-device-1') {
+  return { data: { deviceId, uid: 'test-user' } } as any;
+}
+describe('BrowserProxyService', () => {
+  let service: BrowserProxyService;
+  beforeEach(() => { service = makeService(); });
+  it('rejects unknown RPC methods', async () => {
+    await expect(service.handle('unknown', makeParams(), makeSocket())).rejects.toMatchObject({ code: ErrorCode.METHOD_NOT_FOUND });
+  });
+  it.each([
+    ['non-localhost hostname', 'http://example.com/'],
+    ['internal IP',           'http://192.168.1.1:3000/'],
+    ['0.0.0.0',               'http://0.0.0.0:3000/'],
+  ])('rejects %s', async (_label, url) => {
+    await expect(service.handle('request', makeParams({ url }), makeSocket())).rejects.toMatchObject({ code: ErrorCode.PERMISSION_DENIED });
+  });
+  it.each([
+    ['malformed URL', 'not-a-url',              ErrorCode.INVALID_PARAMS],
+    ['port 0',        'http://localhost:0/',     ErrorCode.INVALID_PARAMS],
+    ['port > 65535',  'http://localhost:99999/', ErrorCode.INVALID_PARAMS],
+    ['TRACE method',  'http://localhost:3000/',  ErrorCode.INVALID_PARAMS],
+  ])('rejects %s', async (_label, urlOrMethod, code) => {
+    const isMethod = _label.includes('method');
+    await expect(
+      service.handle('request', makeParams(isMethod ? { method: 'TRACE' } : { url: urlOrMethod }), makeSocket())
+    ).rejects.toMatchObject({ code });
+  });
+  it('forwards POST body bytes and returns base64-encoded response', async () => {
+    let receivedBody = '';
+    const srv = await startServer((req, res) => {
+      req.on('data', (c) => { receivedBody += c.toString(); });
+      req.on('end', () => { res.writeHead(200); res.end('pong'); });
+    });
+    try {
+      const result = await service.handle('request', makeParams({
+        url: `http://localhost:${srv.port}/`,
+        method: 'POST',
+        body: Array.from(Buffer.from('ping')),
+      }), makeSocket());
+      expect(receivedBody).toBe('ping');
+      expect(result.bodyEncoding).toBe('base64');
+      expect(Buffer.from(result.body, 'base64').toString()).toBe('pong');
+    } finally {
+      await srv.close();
+    }
+  });
+  it('correctly encodes binary response body', async () => {
+    const binary = Buffer.from([0x00, 0x01, 0xff, 0xfe]);
+    const srv = await startServer((_req, res) => { res.writeHead(200); res.end(binary); });
+    try {
+      const result = await service.handle('request', makeParams({ url: `http://localhost:${srv.port}/` }), makeSocket());
+      expect(Buffer.from(result.body, 'base64')).toEqual(binary);
+    } finally {
+      await srv.close();
+    }
+  });
+  it('strips hop-by-hop headers and forwards custom headers', async () => {
+    let received: http.IncomingHttpHeaders = {};
+    const srv = await startServer((req, res) => { received = req.headers; res.writeHead(200); res.end(); });
+    try {
+      await service.handle('request', makeParams({
+        url: `http://localhost:${srv.port}/`,
+        headers: { 'transfer-encoding': 'chunked', 'upgrade': 'websocket', 'x-custom': 'yes' },
+      }), makeSocket());
+      expect(received['transfer-encoding']).toBeUndefined();
+      expect(received['upgrade']).toBeUndefined();
+      expect(received['x-custom']).toBe('yes');
+    } finally {
+      await srv.close();
+    }
+  });
+  it('rejects with INTERNAL_ERROR on ECONNREFUSED', async () => {
+    await expect(
+      service.handle('request', makeParams({ url: 'http://localhost:19999/' }), makeSocket())
+    ).rejects.toMatchObject({ code: ErrorCode.INTERNAL_ERROR });
+  });
+  it('rejects with OPERATION_TIMEOUT when server hangs', async () => {
+    const srv = await startServer(() => { /* hang */ });
+    try {
+      vi.spyOn(service as any, 'fetch').mockImplementation((...args: unknown[]) => {
+        const url = args[0] as URL;
+        return new Promise((_res, reject) => {
+          const req = http.request({ hostname: url.hostname, port: url.port, path: '/', timeout: 50 });
+          req.on('timeout', () => { req.destroy(); reject({ code: ErrorCode.OPERATION_TIMEOUT, message: 'timed out' }); });
+          req.on('error', reject);
+          req.end();
+        });
+      });
+      await expect(service.handle('request', makeParams({ url: `http://localhost:${srv.port}/` }), makeSocket()))
+        .rejects.toMatchObject({ code: ErrorCode.OPERATION_TIMEOUT });
+    } finally {
+      vi.restoreAllMocks();
+      await srv.close();
+    }
+  });
+  it('rejects responses exceeding 10 MB', async () => {
+    const srv = await startServer((_req, res) => {
+      res.writeHead(200);
+      const chunk = Buffer.alloc(1024 * 1024);
+      let sent = 0;
+      const write = () => {
+        while (sent < 11) {
+          if (!res.write(chunk)) { res.once('drain', write); return; }
+          sent++;
+        }
+        res.end();
+      };
+      write();
+    });
+    try {
+      await expect(service.handle('request', makeParams({ url: `http://localhost:${srv.port}/` }), makeSocket()))
+        .rejects.toMatchObject({ code: ErrorCode.INTERNAL_ERROR });
+    } finally {
+      await srv.close();
+    }
+  });
+});