@blamejs/blamejs-shop 0.0.113 → 0.0.114

package/lib/vendor/blamejs/lib/safe-archive.js

@@ -47,6 +47,7 @@ var archiveRead = lazyRequire(function () { return require("./archive-read"); })
 var archiveAdapters = lazyRequire(function () { return require("./archive-adapters"); });
 var archiveTarRead = lazyRequire(function () { return require("./archive-tar-read"); });
 var archiveGz = lazyRequire(function () { return require("./archive-gz"); });
+var archiveWrap = lazyRequire(function () { return require("./archive-wrap"); });
 
 // ---- Format sniffing ----------------------------------------------------
 
@@ -93,6 +94,10 @@ async function _sniffMagic(adapter) {
   if (head.length >= 5) {
     var prefix = head.slice(0, 5).toString("utf8");
     if (prefix === MAGIC_ENCPACKED) return { format: "encryptPacked" };
+    // v0.12.15 — archive-wrap recipient envelope (v0.12.10 / BAWRP).
+    if (prefix === "BAWRP") return { format: "wrap-recipient" };
+    // v0.12.15 — archive-wrap passphrase envelope (v0.12.11 / BAWPP).
+    if (prefix === "BAWPP") return { format: "wrap-passphrase" };
   }
   // tar — "ustar" at offset 257 within the first 512-byte header.
   if (head.length >= 263) {
@@ -102,6 +107,22 @@ async function _sniffMagic(adapter) {
   return { format: "unknown" };
 }
 
+// Collect a random-access adapter's bytes into a Buffer. Used by
+// the v0.12.15 auto-unwrap path so the envelope can be decrypted
+// inline + the inner bytes re-fed to a buffer adapter for format
+// re-sniffing. Adapters expose `size` + `range(offset, length)`.
+async function _collectSourceBytes(source) {
+  var size = source.size;
+  if (size == null && typeof source.resolveSize === "function") {
+    size = await source.resolveSize();
+  }
+  if (typeof size !== "number" || size < 0) {
+    throw new SafeArchiveError("safe-archive/bad-source",
+      "_collectSourceBytes: source adapter did not report a numeric size");
+  }
+  return source.range(0, size);
+}
+
 // ---- Public extract orchestrator ----------------------------------------
 
 /**
@@ -180,6 +201,50 @@ async function extract(opts) {
       var sniff = await _sniffMagic(source);
       format = sniff.format;
     }
+    // v0.12.15 — auto-unwrap path. When the sniffer identifies a
+    // wrap envelope, unwrap inline + re-sniff the inner bytes so
+    // operators get a single extract() call regardless of envelope
+    // shape. Operator must supply opts.recipient or opts.passphrase
+    // matching the envelope kind.
+    if (format === "wrap-recipient" || format === "wrap-passphrase") {
+      var sealedBytes = await _collectSourceBytes(source);
+      var inner;
+      if (format === "wrap-recipient") {
+        if (!opts.recipient) {
+          throw new SafeArchiveError("safe-archive/no-recipient-for-wrap",
+            "extract: source is a wrap-recipient envelope (BAWRP) but opts.recipient was not supplied. " +
+            "Pass `{ recipient: { privateKey, ecPrivateKey } }` (or peer-cert form) to unwrap inline.");
+        }
+        inner = archiveWrap().unwrap(sealedBytes, { recipient: opts.recipient });
+      } else {
+        if (typeof opts.passphrase !== "string" && !Buffer.isBuffer(opts.passphrase)) {
+          throw new SafeArchiveError("safe-archive/no-passphrase-for-wrap",
+            "extract: source is a wrap-passphrase envelope (BAWPP) but opts.passphrase was not supplied. " +
+            "Pass `{ passphrase: <string|Buffer> }` to unwrap inline.");
+        }
+        inner = await archiveWrap().unwrapWithPassphrase(sealedBytes, { passphrase: opts.passphrase });
+      }
+      // Codex P1 on v0.12.15 PR #166 — close the original source
+      // adapter BEFORE replacing it. When opts.source was a string
+      // path, the fs adapter opened a file descriptor; overwriting
+      // `source` loses the close reference and the descriptor
+      // leaks across repeated extract() calls (eventually EMFILE
+      // under load). The outer finally still closes whatever
+      // `source` points at, but the original handle needs explicit
+      // release here.
+      if (typeof source.close === "function" && typeof opts.source === "string") {
+        try { source.close(); } catch (_e) { /* drop-silent */ }
+      }
+      // Codex P2 on v0.12.15 PR #166 — forward opts.signal to the
+      // inner buffer adapter so abort propagation stays intact
+      // across the unwrap boundary. Without it, an abort raised
+      // after unwrapping would no longer cancel inner range()
+      // calls, breaking the documented signal contract for
+      // large wrapped archives.
+      source = archiveAdapters().buffer(inner, { signal: opts.signal });
+      var innerSniff = await _sniffMagic(source);
+      format = innerSniff.format;
+    }
     var reader;
     if (format === "zip") {
       reader = archiveRead().zip(source, {
@@ -210,8 +275,8 @@ async function extract(opts) {
       });
     } else {
       throw new SafeArchiveError("safe-archive/format-unsupported",
-        "extract: format=" + JSON.stringify(format) + " — v0.12.9 ships ZIP + tar + tar.gz " +
-        "(encryptPacked-wrap lands v0.12.10)");
+        "extract: format=" + JSON.stringify(format) + " — v0.12.9 ships ZIP + tar + tar.gz; " +
+        "v0.12.10/v0.12.11 added wrap-recipient + wrap-passphrase envelopes (auto-unwrap as of v0.12.15)");
     }
     var result = await reader.extract({
       destination:    opts.destination,
@@ -265,6 +330,38 @@ async function inspect(opts) {
       var sniff = await _sniffMagic(source);
       format = sniff.format;
     }
+    // v0.12.16 — auto-unwrap path for inspect, parallel to the
+    // v0.12.15 extract path. Wrap envelopes (BAWRP / BAWPP) are
+    // unwrapped inline + re-sniffed so operators can enumerate
+    // entries of a sealed archive in a single inspect() call.
+    if (format === "wrap-recipient" || format === "wrap-passphrase") {
+      var sealedBytes = await _collectSourceBytes(source);
+      var inner;
+      if (format === "wrap-recipient") {
+        if (!opts.recipient) {
+          throw new SafeArchiveError("safe-archive/no-recipient-for-wrap",
+            "inspect: source is a wrap-recipient envelope (BAWRP) but opts.recipient was not supplied. " +
+            "Pass `{ recipient: { privateKey, ecPrivateKey } }` (or peer-cert form) to unwrap inline.");
+        }
+        inner = archiveWrap().unwrap(sealedBytes, { recipient: opts.recipient });
+      } else {
+        if (typeof opts.passphrase !== "string" && !Buffer.isBuffer(opts.passphrase)) {
+          throw new SafeArchiveError("safe-archive/no-passphrase-for-wrap",
+            "inspect: source is a wrap-passphrase envelope (BAWPP) but opts.passphrase was not supplied. " +
+            "Pass `{ passphrase: <string|Buffer> }` to unwrap inline.");
+        }
+        inner = await archiveWrap().unwrapWithPassphrase(sealedBytes, { passphrase: opts.passphrase });
+      }
+      // v0.12.15 P1 — close the original fs adapter (if string-
+      // backed) BEFORE replacing the source reference. v0.12.15 P2
+      // — forward opts.signal to the inner buffer adapter.
+      if (typeof source.close === "function" && typeof opts.source === "string") {
+        try { source.close(); } catch (_e) { /* drop-silent */ }
+      }
+      source = archiveAdapters().buffer(inner, { signal: opts.signal });
+      var innerSniff = await _sniffMagic(source);
+      format = innerSniff.format;
+    }
     var reader;
     if (format === "zip") {
       reader = archiveRead().zip(source, {
@@ -276,9 +373,21 @@ async function inspect(opts) {
         bombPolicy: opts.bombPolicy,
         audit:      opts.audit,
       });
+    } else if (format === "tar.gz") {
+      // v0.12.19 — inspect parity with extract for tar.gz format.
+      // gz envelope auto-decompresses + the inner tar walker
+      // enumerates entries without writing to disk.
+      reader = archiveGz().read.gz(source, {
+        maxDecompressedBytes: opts.maxDecompressedBytes,
+        maxExpansionRatio:    opts.maxExpansionRatio,
+        audit:                opts.audit,
+      }).asTar({
+        bombPolicy: opts.bombPolicy,
+        audit:      opts.audit,
+      });
     } else {
       throw new SafeArchiveError("safe-archive/format-unsupported",
-        "inspect: format=" + JSON.stringify(format) + " — v0.12.8 ships ZIP + tar");
+        "inspect: format=" + JSON.stringify(format) + " — v0.12.19 ships ZIP + tar + tar.gz; auto-unwraps wrap envelopes");
     }
     var entries = await reader.inspect();
     var totalCompressed = 0;

package/lib/vendor/blamejs/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@blamejs/core",
-  "version": "0.12.12",
+  "version": "0.12.20",
   "description": "The Node framework that owns its stack.",
   "license": "Apache-2.0",
   "author": "blamejs contributors",

package/lib/vendor/blamejs/release-notes/v0.12.13.json

@@ -0,0 +1,31 @@
+{
+  "$schema": "../scripts/release-notes-schema.json",
+  "version": "0.12.13",
+  "date": "2026-05-23",
+  "headline": "`b.backup.bundleAdapterStorage.objectStoreAdapter` — wraps any `b.objectStore` backend (local / SigV4 / GCS / Azure-Blob) into the backup-adapter contract; closes the v0.11.2 \"any custom backend\" promise",
+  "summary": "`b.backup.bundleAdapterStorage.objectStoreAdapter(client, opts)` adapts a `b.objectStore`-shaped client into the `{ writeFile, readFile, listKeys, deleteKey, hasKey }` adapter contract that `bundleAdapterStorage` consumes. Operators wire any of the four shipped object-store backends (`protocol: \"local\"` / `\"sigv4\"` for S3+MinIO / `\"gcs\"` / `\"azure-blob\"`) through the same recipient / passphrase wrap layers shipped in v0.12.10 and v0.12.11 — the bundle bytes hit the object-store `put` as an opaque envelope. `opts.prefix` namespaces every key under a fixed root inside the bucket so operators sharing a bucket across deployments keep listings scoped. Closes the deferral surfaced in v0.11.2 JSDoc and the v0.12.10 release-notes follow-up list: \"S3 or any custom backend\" is now wired with no operator-supplied adapter glue.",
+  "sections": [
+    {
+      "heading": "Added",
+      "items": [
+        {
+          "title": "`b.backup.bundleAdapterStorage.objectStoreAdapter(client, opts?)` — object-store-backed bundle storage",
+          "body": "Adapts any `b.objectStore.buildBackend({ protocol })` client (local / sigv4 / gcs / azure-blob) into the `{ writeFile, readFile, listKeys, deleteKey, hasKey }` adapter contract. NOT_FOUND errors from the underlying client translate to `backup/no-key` for the readFile path and to idempotent return-without-throw for deleteKey (matching the fsAdapter contract). hasKey routes through `client.head(key)` — NOT_FOUND → false; any other error propagates so operators can distinguish network failure from missing-key. Composes transparently with v0.12.10 `cryptoStrategy: \"recipient\"` and v0.12.11 `cryptoStrategy: \"passphrase\"` — the wrap envelope is the bytes hitting the object-store put."
+        },
+        {
+          "title": "`opts.prefix` — per-deployment key namespacing inside the bucket",
+          "body": "Operators sharing one bucket across multiple deployments (per-environment / per-tenant / per-region) pass distinct prefixes so listings stay scoped. The prefix gets a trailing slash inserted automatically; traversal segments (`..`) and NUL bytes refused upfront with `backup/bad-arg` so a misconfigured prefix can't escape the operator's intended scope. listKeys strips the prefix on return so the adapter surface looks identical to the fsAdapter — operators switching backends don't see key-shape drift."
+        }
+      ]
+    },
+    {
+      "heading": "Security",
+      "items": [
+        {
+          "title": "Key path validation — traversal + NUL byte refusal at every adapter call",
+          "body": "Every `_scopedKey(key)` invocation refuses keys containing `..` traversal segments or NUL bytes upfront with `backup/bad-key` so a misconfigured bundleId or an attacker-controlled value never reaches the underlying `client.put(...)` / `client.get(...)`. Matches the same defensive posture the fsAdapter carries against operator-supplied key shapes."
+        }
+      ]
+    }
+  ]
+}

package/lib/vendor/blamejs/release-notes/v0.12.14.json

@@ -0,0 +1,18 @@
+{
+  "$schema": "../scripts/release-notes-schema.json",
+  "version": "0.12.14",
+  "date": "2026-05-23",
+  "headline": "`b.archive.sniffEnvelope(bytes)` — identify recipient vs passphrase vs raw payload without attempting decryption",
+  "summary": "Small helper closing a gap in the archive-wrap surface. `b.archive.sniffEnvelope(bytes)` reads the first 5 bytes of a buffer and returns one of `\"recipient\"` (v0.12.10 BAWRP envelope), `\"passphrase\"` (v0.12.11 BAWPP envelope), or `\"none\"` (raw payload or unrelated bytes). The sniff does NO cryptographic work — no Argon2id round, no decapsulation, no allocation beyond a 5-byte ASCII compare — so it's safe to call on adversarial input. Operators dispatching between unwrap paths get a clean predicate instead of trial-decrypting under multiple key candidates.",
+  "sections": [
+    {
+      "heading": "Added",
+      "items": [
+        {
+          "title": "`b.archive.sniffEnvelope(bytes)` — magic-byte envelope identifier",
+          "body": "Returns `\"recipient\"` (BAWRP / v0.12.10 hybrid PQC envelope), `\"passphrase\"` (BAWPP / v0.12.11 Argon2id + XChaCha20 envelope), or `\"none\"` (raw archive bytes / unrelated payload). Accepts Buffer + Uint8Array; non-buffer / null / undefined / empty-buffer inputs return `\"none\"` upfront. Operators wire the result into a switch that dispatches to the matching unwrap primitive — no trial decryption, no per-key candidate attempts."
+        }
+      ]
+    }
+  ]
+}

package/lib/vendor/blamejs/release-notes/v0.12.15.json

@@ -0,0 +1,27 @@
+{
+  "$schema": "../scripts/release-notes-schema.json",
+  "version": "0.12.15",
+  "date": "2026-05-23",
+  "headline": "`b.safeArchive.extract` auto-unwraps v0.12.10 recipient and v0.12.11 passphrase envelopes inline",
+  "summary": "The safeArchive orchestrator's `format: \"auto\"` sniffer recognises `BAWRP` (v0.12.10 recipient) and `BAWPP` (v0.12.11 passphrase) envelope magics and routes through `b.archive.unwrap` / `b.archive.unwrapWithPassphrase` inline before re-sniffing the inner format. Operators pass `opts.recipient` (or `opts.passphrase`) alongside `source` + `destination` and get a single extract() call regardless of envelope shape. Missing the matching key opt surfaces a structured `safe-archive/no-recipient-for-wrap` / `safe-archive/no-passphrase-for-wrap` refusal upfront rather than a downstream crypto error.",
+  "sections": [
+    {
+      "heading": "Added",
+      "items": [
+        {
+          "title": "`b.safeArchive.extract` auto-unwraps wrap envelopes",
+          "body": "The sniffer at byte 0-4 recognises `BAWRP` (returns `format: \"wrap-recipient\"`) and `BAWPP` (returns `format: \"wrap-passphrase\"`). The extract path collects the sealed adapter into a Buffer, routes through `b.archive.unwrap` (recipient) or `b.archive.unwrapWithPassphrase` (passphrase), wraps the inner bytes in a buffer adapter, re-sniffs the inner format, and dispatches to the appropriate `b.archive.read.*` reader. A wrap-around-tar.gz envelope round-trips through wrap → unwrap → gunzip → untar with no operator intervention beyond passing the key opt."
+        }
+      ]
+    },
+    {
+      "heading": "Security",
+      "items": [
+        {
+          "title": "Missing-key opt refused upfront with structured error",
+          "body": "When the sniffer identifies a wrap envelope but the operator hasn't supplied `opts.recipient` (BAWRP) or `opts.passphrase` (BAWPP), extract refuses with `safe-archive/no-recipient-for-wrap` / `safe-archive/no-passphrase-for-wrap` BEFORE any decryption attempt. Operators wiring extract behind an HTTP boundary get a typed refusal instead of a leaked crypto-level error."
+        }
+      ]
+    }
+  ]
+}

package/lib/vendor/blamejs/release-notes/v0.12.16.json

@@ -0,0 +1,18 @@
+{
+  "$schema": "../scripts/release-notes-schema.json",
+  "version": "0.12.16",
+  "date": "2026-05-23",
+  "headline": "`b.safeArchive.inspect` auto-unwraps wrap envelopes (parallel to the v0.12.15 extract path)",
+  "summary": "Mirrors the v0.12.15 auto-unwrap support into `b.safeArchive.inspect`. Operators enumerating entries of a sealed archive get a single inspect() call regardless of envelope shape — pass `opts.recipient` or `opts.passphrase` alongside `source` and the orchestrator unwraps inline before walking the inner format. Missing-key opt surfaces a structured `safe-archive/no-recipient-for-wrap` / `safe-archive/no-passphrase-for-wrap` refusal upfront. Carries the v0.12.15 P1 + P2 fixes (close original source before replacing + forward opts.signal to inner buffer adapter) into the inspect path so the same descriptor-leak + abort-propagation contracts hold.",
+  "sections": [
+    {
+      "heading": "Added",
+      "items": [
+        {
+          "title": "`b.safeArchive.inspect` auto-unwraps `BAWRP` + `BAWPP` envelopes",
+          "body": "The orchestrator's `format: \"auto\"` sniffer recognises the wrap magics and routes through `b.archive.unwrap` / `b.archive.unwrapWithPassphrase` inline. After unwrap, the inner bytes are wrapped in a buffer adapter + re-sniffed; the resulting summary carries the INNER `format` (`\"tar\"` / `\"zip\"` / etc.) — operators querying `summary.format` see the carrier format, not `\"wrap-recipient\"`. Entry enumeration walks the inner archive after a single key-derivation pass; no temporary file lands on disk."
+        }
+      ]
+    }
+  ]
+}

package/lib/vendor/blamejs/release-notes/v0.12.17.json

@@ -0,0 +1,22 @@
+{
+  "$schema": "../scripts/release-notes-schema.json",
+  "version": "0.12.17",
+  "date": "2026-05-23",
+  "headline": "`bundleAdapterStorage.bundleInfo` + `listBundles.format` — per-bundle introspection for envelope kind + format without restore",
+  "summary": "Two introspection additions on `b.backup.bundleAdapterStorage`. `listBundles()` now returns the inferred `format` (`\"tar\"` / `\"tar.gz\"` / `\"directory\"`) per bundle from the storage key suffix — no byte read. `storage.bundleInfo(bundleId)` returns `{ bundleId, format, envelopeKind, sizeBytes }` where `envelopeKind` is the result of a 5-byte magic probe (`\"recipient\"` / `\"passphrase\"` / `\"none\"`). Operators administering a multi-strategy backup repository can now filter bundles by encryption posture or by format without a full restore cycle.",
+  "sections": [
+    {
+      "heading": "Added",
+      "items": [
+        {
+          "title": "`listBundles()` carries inferred format per bundle",
+          "body": "Each entry now includes `format` alongside `bundleId` / `createdAt` / `size`. Inference is from the storage key suffix the writeBundle path produced — `<bid>/bundle.tar` → tar, `<bid>/bundle.tar.gz` → tar.gz, anything else → directory. Cheap: no byte read, no per-key stat call. Operators rendering a bundle picker UI now sort + filter by format from a single list call."
+        },
+        {
+          "title": "`storage.bundleInfo(bundleId)` — per-bundle introspection",
+          "body": "Returns `{ bundleId, format, envelopeKind, sizeBytes }`. `format` from the storage layout (no byte read). `envelopeKind` from `b.archive.sniffEnvelope` over the bundle payload — `\"recipient\"` (BAWRP / v0.12.10 hybrid PQC), `\"passphrase\"` (BAWPP / v0.12.11 Argon2id), `\"none\"` (plaintext or directory format). `sizeBytes` is the payload byte count for tar / tar.gz; null for directory format (operator's per-file walk applies if exact size matters). Nonexistent bundles refused with `backup/bundle-not-found`."
+        }
+      ]
+    }
+  ]
+}

package/lib/vendor/blamejs/release-notes/v0.12.18.json

@@ -0,0 +1,22 @@
+{
+  "$schema": "../scripts/release-notes-schema.json",
+  "version": "0.12.18",
+  "date": "2026-05-24",
+  "headline": "`bundleAdapterStorage.listBundles({ withStats })` + `bundleInfo.createdAt` — opt-in mtime + size from `statKey`",
+  "summary": "Two additions on `b.backup.bundleAdapterStorage`. `listBundles({ withStats: true })` fans out `statKey` per bundle and populates `createdAt` (ISO string from mtimeMs) + `size` (bytes) on every entry. Without the opt the default fast path stays a single listKeys call — operators rendering a bundle picker UI choose between O(1) listings and O(N) stat-enriched listings explicitly. `bundleInfo(bundleId)` gains the same `createdAt` field for parity. fsAdapter + objectStoreAdapter both expose `statKey`; legacy adapters without the capability leave the fields null.",
+  "sections": [
+    {
+      "heading": "Added",
+      "items": [
+        {
+          "title": "`storage.listBundles({ withStats: true })` — opt-in per-bundle stat fan-out",
+          "body": "When the adapter exposes `statKey`, populates `createdAt` (ISO string from mtimeMs) + `size` (bytes) per entry. Stat fan-out is O(N) round-trips so the opt is OFF by default — operators wanting cheap one-shot listings stay on `listBundles()`. Format precedence (tar.gz > tar > directory) carries through to which payload key gets stat'd."
+        },
+        {
+          "title": "`storage.bundleInfo(bundleId)` returns `createdAt`",
+          "body": "The bundle introspection primitive now returns `{ bundleId, format, envelopeKind, sizeBytes, createdAt }`. `createdAt` is the ISO string derived from `statKey.mtimeMs` (when the adapter exposes it) — null otherwise. Matches the listBundles+withStats shape so operators can use bundleInfo for single-bundle drill-downs without re-mapping field names."
+        }
+      ]
+    }
+  ]
+}

package/lib/vendor/blamejs/release-notes/v0.12.19.json

@@ -0,0 +1,22 @@
+{
+  "$schema": "../scripts/release-notes-schema.json",
+  "version": "0.12.19",
+  "date": "2026-05-24",
+  "headline": "`bundleAdapterStorage.verifyBundle(bundleId)` — bundle integrity check without restore + `b.safeArchive.inspect` tar.gz support",
+  "summary": "`storage.verifyBundle(bundleId, opts?)` walks a bundle without restoring it: confirms the payload exists, the envelope (if any) decrypts under the supplied key, and the inner tar / tar.gz walker enumerates every entry without writing to disk. Returns `{ ok, format, envelopeKind, entryCount, errors }` — operators wanting periodic health-check of a backup repository call verifyBundle across `listBundles()` and aggregate `ok === false` results. Composes the bundle's known format directly through the unwrap → gunzip → tar pipeline (skips safeArchive's auto-sniff because the bundle's format is already known from bundleInfo). `b.safeArchive.inspect` separately gains `format: \"tar.gz\"` dispatch — operators with a known tar.gz payload now get entry enumeration without extracting.",
+  "sections": [
+    {
+      "heading": "Added",
+      "items": [
+        {
+          "title": "`storage.verifyBundle(bundleId, opts?)` — integrity check without restore",
+          "body": "Composes bundleInfo for format/envelope detection + the unwrap → gunzip → tar walker chain directly. opts.recipient / opts.passphrase override the storage's configured keys (useful for verifying a bundle under a different key set than the storage was opened with — e.g. verifying that a key rotation candidate can still read a bundle). Wrong key / corrupted payload returns `ok: false` with a typed error code in the errors array rather than throwing. Directory format reports ok=true based on manifest existence + readability (the inspect walker doesn't apply)."
+        },
+        {
+          "title": "`b.safeArchive.inspect` accepts `format: \"tar.gz\"`",
+          "body": "Mirrors the v0.12.9 extract surface: operators handed a `.tar.gz` payload can now enumerate entries without extracting. Composes `b.archive.read.gz` + `.asTar()` internally so the same bomb caps apply (1 GiB output / 100× ratio default) to inspect calls."
+        }
+      ]
+    }
+  ]
+}

package/lib/vendor/blamejs/release-notes/v0.12.20.json

@@ -0,0 +1,18 @@
+{
+  "$schema": "../scripts/release-notes-schema.json",
+  "version": "0.12.20",
+  "date": "2026-05-24",
+  "headline": "`bundleAdapterStorage.verifyAllBundles(opts)` — bounded-parallel batch integrity walk with stopOnFirstFailure short-circuit",
+  "summary": "Batch wrapper over the v0.12.19 verifyBundle primitive. `storage.verifyAllBundles(opts?)` iterates `listBundles()` + walks each bundle with a bounded-parallel pool. Returns `{ total, ok, failed, results }` where `results` carries every per-bundle verifyBundle output (including bundleId, format, envelopeKind, entryCount, errors). `opts.concurrency` defaults to 4 (gentle on the storage backend); `opts.stopOnFirstFailure` short-circuits the walk when an unhealthy bundle is found (default off — operators want the full health report). `opts.recipient` / `opts.passphrase` forwarded to every per-bundle verify call. Operators wiring a periodic cron job over a backup repository now have a single primitive to call instead of hand-rolling the listBundles loop.",
+  "sections": [
+    {
+      "heading": "Added",
+      "items": [
+        {
+          "title": "`storage.verifyAllBundles(opts?)` — batch integrity walk",
+          "body": "Iterates `listBundles()` + calls `verifyBundle(bundleId, opts)` on each. Bounded-parallel fan-out (default 4 workers; `opts.concurrency` raises or lowers); each worker pulls from a shared queue + the warm-up keeps `concurrency` workers in flight until the queue drains. Returns the aggregate `{ total, ok, failed, results }` with `results` sorted by bundleId so the report is stable across runs regardless of completion order. `opts.stopOnFirstFailure` short-circuits the walk when the first unhealthy bundle is found — useful for fast-fail CI gates that don't need to enumerate every failure."
+        }
+      ]
+    }
+  ]
+}

package/lib/vendor/blamejs/test/layer-0-primitives/archive-sniff-envelope.test.js

@@ -0,0 +1,118 @@
+"use strict";
+/**
+ * Layer 0 — b.archive.sniffEnvelope — magic-byte identification
+ * of recipient vs passphrase envelopes vs raw payload.
+ */
+
+var b = require("../../index");
+var helpers = require("../helpers");
+var check = helpers.check;
+
+async function testSniffRecipient() {
+  var pair = b.crypto.generateEncryptionKeyPair();
+  var sealed = b.archive.wrap(Buffer.from("PHI"), { recipient: pair });
+  check("sniffEnvelope: BAWRP buffer returns \"recipient\"",
+    b.archive.sniffEnvelope(sealed) === "recipient");
+}
+
+async function testSniffPassphrase() {
+  var sealed = await b.archive.wrapWithPassphrase(Buffer.from("PHI"), {
+    passphrase: "aLongCorrectHorseBatteryStaple9876!Phrase",
+  });
+  check("sniffEnvelope: BAWPP buffer returns \"passphrase\"",
+    b.archive.sniffEnvelope(sealed) === "passphrase");
+}
+
+async function testSniffRawBytes() {
+  check("sniffEnvelope: plain bytes return \"none\"",
+    b.archive.sniffEnvelope(Buffer.from("hello world")) === "none");
+  check("sniffEnvelope: gzip bytes return \"none\" (gzip is not a wrap envelope)",
+    b.archive.sniffEnvelope(Buffer.from([0x1f, 0x8b, 0x08, 0x00])) === "none");
+  check("sniffEnvelope: tar header bytes return \"none\"",
+    b.archive.sniffEnvelope(Buffer.alloc(512)) === "none");
+}
+
+async function testSniffEmpty() {
+  check("sniffEnvelope: empty buffer returns \"none\"",
+    b.archive.sniffEnvelope(Buffer.alloc(0)) === "none");
+  check("sniffEnvelope: 1-byte buffer returns \"none\"",
+    b.archive.sniffEnvelope(Buffer.from([0x42])) === "none");
+  check("sniffEnvelope: 4-byte buffer (below magic) returns \"none\"",
+    b.archive.sniffEnvelope(Buffer.from("BAWR")) === "none");
+}
+
+async function testSniffTruncatedEnvelope() {
+  // Codex P2B on v0.12.14 PR #165 — a 5-byte BAWRP / BAWPP buffer is
+  // a TRUNCATED envelope, not raw bytes. Sniff must classify by the
+  // magic alone so dispatch routes to unwrap, which surfaces the
+  // truncation error.
+  check("sniffEnvelope: 5-byte BAWRP returns \"recipient\" (truncated envelope, not raw)",
+    b.archive.sniffEnvelope(Buffer.from("BAWRP")) === "recipient");
+  check("sniffEnvelope: 5-byte BAWPP returns \"passphrase\" (truncated envelope, not raw)",
+    b.archive.sniffEnvelope(Buffer.from("BAWPP")) === "passphrase");
+  // Operator dispatch path: truncated envelopes routed to unwrap
+  // surface a structured wrap error rather than silent
+  // misclassification.
+  var refused = null;
+  try {
+    b.archive.unwrap(Buffer.from("BAWRP"), {
+      recipient: b.crypto.generateEncryptionKeyPair(),
+    });
+  } catch (e) { refused = e; }
+  check("sniffEnvelope → unwrap on truncated BAWRP: structured error surfaced",
+    refused instanceof b.archive.ArchiveWrapError);
+}
+
+async function testSniffZeroCopyView() {
+  // Codex P2A on v0.12.14 PR #165 — sniff must NOT copy the input
+  // when given a Uint8Array. Construct a large Uint8Array, check
+  // the sniff returns quickly without allocating a Buffer of the
+  // full input length. We can't directly measure allocation here,
+  // but we can verify the result is correct + the byte at the
+  // typed-array's byteOffset is read (not byte 0 of the underlying
+  // ArrayBuffer).
+  var underlying = new ArrayBuffer(1024);
+  var view = new Uint8Array(underlying, 100, 50);  // offset 100, length 50
+  // Write BAWRP into the view starting at view[0] (which is
+  // underlying[100]).
+  view[0] = 0x42; view[1] = 0x41; view[2] = 0x57; view[3] = 0x52; view[4] = 0x50;
+  check("sniffEnvelope: zero-copy view honours byteOffset",
+    b.archive.sniffEnvelope(view) === "recipient");
+}
+
+async function testSniffNonBuffer() {
+  check("sniffEnvelope: string input returns \"none\" (non-Buffer)",
+    b.archive.sniffEnvelope("BAWRP") === "none");
+  check("sniffEnvelope: null returns \"none\"",
+    b.archive.sniffEnvelope(null) === "none");
+  check("sniffEnvelope: undefined returns \"none\"",
+    b.archive.sniffEnvelope(undefined) === "none");
+}
+
+async function testSniffUint8Array() {
+  var pair = b.crypto.generateEncryptionKeyPair();
+  var sealed = b.archive.wrap(Buffer.from("X"), { recipient: pair });
+  var u8 = new Uint8Array(sealed);
+  check("sniffEnvelope: Uint8Array carrying BAWRP returns \"recipient\"",
+    b.archive.sniffEnvelope(u8) === "recipient");
+}
+
+async function run() {
+  await testSniffRecipient();
+  await testSniffPassphrase();
+  await testSniffRawBytes();
+  await testSniffEmpty();
+  await testSniffTruncatedEnvelope();
+  await testSniffZeroCopyView();
+  await testSniffNonBuffer();
+  await testSniffUint8Array();
+}
+
+module.exports = { run: run };
+
+if (require.main === module) {
+  run().then(
+    function () { console.log("[archive-sniff-envelope] OK — " + helpers.getChecks() + " checks passed"); },
+    function (e) { console.error("FAIL:", e && e.stack || e); process.exit(1); }
+  );
+}