@blamejs/blamejs-shop 0.0.114 → 0.0.116

package/CHANGELOG.md

@@ -8,6 +8,10 @@ upgrading across more than a few patches at a time.
 
 ## v0.0.x
 
+- v0.0.116 (2026-05-24) — **Top-level Worker exception catcher — convert Cloudflare 1101 to a clean 503 warming page.** An uncaught exception in the Worker's fetch handler used to propagate to the Cloudflare runtime, which served the generic `Error 1101 — Worker threw exception` page (cf-branded interstitial referencing wrangler tail). Visitors saw a Cloudflare error instead of the framework's render. Every fetch invocation now runs inside `_withTopLevelCatch`: catches every escape, logs to `console.error` (so wrangler tail / Logpush still see the underlying cause), and serves the existing 503 warming-up page with the framework's security headers + a `Retry-After: 10` hint. Cold-start blips during deploys, sporadic D1 / R2 binding hiccups, and any other exception that would have surfaced as 1101 now serve a branded, refresh-aware page that respects the operator's CSP / Permissions-Policy / HSTS posture. **Added:** *Top-level Worker exception catcher (`_withTopLevelCatch`)* — Wraps every `fetch` invocation. On exception: logs the stack via `console.error` (Worker substrate's observability sink — surfaces in `wrangler tail` + Logpush), then returns 503 with the existing `_warmingHtml(request.url, 8)` page + the framework's full security-headers set + `Retry-After: 10` + `Cache-Control: no-store`. Cloudflare's generic 1101 page never reaches the visitor; the cf-managed `Please enable cookies` interstitial only fires when CF's edge layer (Bot Fight Mode / challenge platform) intervenes BEFORE the Worker runs, not from Worker-thrown exceptions.
+
+- v0.0.115 (2026-05-23) — **Drop `crossorigin` from the CSS preload Link header — fixes browser preload-credentials-mismatch warning.** Browsers were warning `A preload for '/assets/themes/default/css/main.css?v=0.0.0' is found, but is not used because the request credentials mode does not match. Consider taking a look at crossorigin attribute.` Root cause: the Early Hints / `Link: rel=preload` header carried `crossorigin`, but the matching `<link rel="stylesheet">` tag in the rendered HTML did not. The browser treats the preload as a CORS request, the stylesheet as a same-origin request, and the two don't share a connection — the preloaded byte stream is discarded and the stylesheet is re-fetched from scratch. The asset is genuinely same-origin (`/assets/...`), so `crossorigin` was always wrong on the preload side; removing it lets the preload and stylesheet share the request credentials mode and the browser reuses the preloaded bytes. **Fixed:** *`_earlyHintsLink` emits the CSS preload without `crossorigin`* — `worker/index.js#_earlyHintsLink` now emits `</assets/themes/default/css/main.css?v=...>; rel=preload; as=style` — no `crossorigin` token. The asset is same-origin, the stylesheet `<link>` tag carries no `crossorigin` attribute, and the browser's preload-credentials-match check passes. Devtools no longer warns `request credentials mode does not match`. Operators with per-route extras (hero image preload on PDP, etc.) inherit the same shape — extras already shipped without `crossorigin`.
+
 - v0.0.114 (2026-05-23) — **Catalog mirror — close out the last 7 detectors + `matchOn: "basename"` runner support.** Closes the codebase-patterns catalog gap against vendored blamejs. The seven detectors held back from the v0.0.113 bulk port — six because the splice tool couldn't roundtrip their regex literals (embedded double-quotes / complex character classes) and one (`release-named-test-file`) that needed `matchOn: "basename"` support in the runner — are now hand-ported. Shop's catalog grows from 114 to 121 detectors, with seven covering archive-wrap PQC hybrid contracts, SQL transaction-wrapper extraction, the two `Map.prototype.getOrInsertComputed` Node-26 migration variants, PQC AlgorithmIdentifier `NULL` parameters anti-pattern, release-named test-file refusal, and `safeDecompress` paired-cap discipline. One legitimate `map-has-then-set` site in `lib/analytics.js#byCurrency` surfaced through the port and is kept with an inline `allow:` marker documenting the Node-26 floor-bump migration target. **Added:** *Seven new codebase-patterns detectors complete the catalog mirror* — `archive-wrap-recipient-missing-ec-half` (hybrid PQC `recipient: { publicKey: ... }` must also carry `ecPublicKey:` — uses `requires:` companion-check to exempt files where the matching `ecPublicKey` lives elsewhere), `inline-sql-transaction-wrapper` (BEGIN/COMMIT/ROLLBACK try/catch boilerplate routes through `dbSchema.runInTransaction`), `map-get-or-insert-pre-node-26` + `map-has-then-set-pre-node-26` (both variants of the two-step Map insert-if-absent pattern that Node 26 collapses to `Map.prototype.getOrInsertComputed`), `pqc-algid-with-null-params` (RFC 9909/9881/9936 — PQC AlgorithmIdentifier parameters field is ABSENT, not `NULL`), `release-named-test-file` (refuses `v0-8-41-additions.test.js` / `slot-19-enhancements.test.js` / `batch-N.test.js` shapes — uses the new `matchOn: "basename"` runner feature), `safedecompress-omits-max-compressed-bytes` (every `safeDecompress({ maxOutputBytes })` call MUST also name `maxCompressedBytes` so the caps stay aligned with operator intent — uses `requires:` companion-check). · *`matchOn: "basename"` runner support* — `_scan(regex, scope, { matchOn: "basename" })` matches the regex against each file's basename rather than file contents. Used by detectors that police naming conventions (e.g. release-named-test-file). The feature mirrors the runner contract in vendored blamejs's catalog so future basename-policing detectors can be ported verbatim. **Changed:** *`lib/analytics.js#byCurrency` carries an inline `allow:map-has-then-set-pre-node-26` marker* — The `if (!byCurrency.has(cur)) { ...byCurrency.set(cur, {...}); }` insert-if-absent in the per-currency aggregate loop migrates cleanly to `Map.prototype.getOrInsertComputed` when the framework's `engines.node` floor bumps to Node 26 (eligible Oct 2026 per the LTS calendar). The detector now exists so a fresh occurrence post-this-patch trips pre-merge; the existing site is allowed with a reason that includes the migration target.
 
 - v0.0.113 (2026-05-23) — **Catalog mirror — 66 new codebase-patterns detectors ported from vendored blamejs.** The codebase-patterns detector catalog grows from 48 to 114 — 66 new detectors ported verbatim from `lib/vendor/blamejs/test/layer-0-primitives/codebase-patterns.test.js`. The full vendored set covers archive-handling traps, framework-helper composition (the `inline-*` family), Node-version-conditional patterns, SBOM derivation traps, mail-server TLS upgrade hygiene, mountinfo bind-detection invariants, and dozens of other bug classes the framework has surfaced through audits. Every new detector scopes `shop` (lib + worker) so reinventions are caught anywhere in the application surface. Vendor allowlist entries referencing internal blamejs paths (e.g. `lib/crypto.js`) are kept verbatim — shop's `_walk` skips the vendor tree, so those entries are harmless no-ops and preserve the operator-readable reason text. Three pre-existing inline reinventions surfaced through the port and are kept with inline `allow:` markers documenting why the framework helper can't compose — the existing `TypeError` message contract requires the literal field name (`/timeoutMs/`, `/opts.version/`) which `validateOpts.*`'s `code`-first error shape doesn't carry. Eight detector blocks (six with regex literals containing literal `"` characters that the splice tool can't roundtrip, plus `release-named-test-file` whose `matchOn: "basename"` directive shop's runner doesn't honor yet, plus `inline-base64url-three-replace` already ported in 0.0.112) defer to a follow-up. **Added:** *Mirror 66 new codebase-patterns detectors from vendored blamejs* — Categories: archive-handling (extract-overwrite-without-refusal, gz-without-safedecompress, read-gz-without-self-authored-budget, tar-walker-without-truncation-check, wrap-recipient-missing-ec-half — except wrap-recipient which deferred to follow-up); the `inline-*` family of framework-helper composition reminders (40+ detectors covering aggregate-issues, assert-no-char-threats, audit-emit-wrapper, audit-shape-validation, bad-input-issue-result, batch-positive-int-validation, buffer-byte-equality-loop, build-guard-gate-forwarder, char-strip-policy-cascade, codepoint-class-table, compliance-posture-lookup, crlf-string-test, default-resolution-cascade, detect-char-threats, emit-event-wrapper, extract-bytes-as-text, flush-timer-scheduler, hex-string-validator, iso8601-millisecond-strip, issue-validator-entry, log-via-or-fallback, migration-filename-regex, numeric-bounds-cascade, object-store-http-request, observability-shape-validation, optional-* validators, profile-builder-forwarder, redis-client-opts-forwarding, require-* validators, resolve-profile-and-posture, rule-pack-loader, sql-identifier-regex, trailing-hspace-strip); SBOM derivation traps (toplevel-ref-by-slash-heuristic, bom-ref enum-rank-without-validation, etc.); compliance/posture coverage (compliance-posture-coverage-drift); cred-store + mailstore + mountinfo invariants; PQC + dot-stuff regex shapes; CONDSTORE + BDAT mail-server invariants. Full list visible by diffing `test/layer-0-primitives/codebase-patterns.test.js` against the v0.0.112 baseline. · *Worker `b` adapter exposes `b.validateOpts`* — `worker/b.js` now re-exports the `validate-opts` leaf module so future Worker primitives can compose `b.validateOpts.optionalPositiveFinite` / `b.validateOpts.optionalFunction` / `b.validateOpts.requireNonEmptyString` etc. against the same one-source-of-truth as lib-side primitives. Adds the leaf to the Worker bundle but doesn't bind a public namespace change. **Changed:** *Three inline-validation sites carry per-line `allow:` markers* — `lib/externaldb-d1.js#_validateOpts` (two lines: `timeoutMs`, `fetch`), `lib/r2-bridge.js#_validateOpts` (one line: `timeoutMs`), and `worker/render/search.js#renderSearch` (one line: `opts.version`) keep the literal `TypeError` shape with the labelled message because each is paired with a test contract that asserts the field name appears in the message (`assert.throws(..., /timeoutMs/)`). The framework's `validateOpts.*` helper produces a `code`-first `TypeError` (`TypeError: validate-opts/bad-positive-finite`) whose message doesn't carry the label; routing through it would silently strip the labelled-field contract from the test. Marker explains the constraint at the source.

package/lib/vendor/MANIFEST.json

@@ -3,8 +3,8 @@
   "_about": "blamejs.shop vendors a single framework — blamejs — which itself bundles every server-side crypto/identity dependency. The transitive packages blamejs ships are surfaced in its own MANIFEST.json at lib/vendor/blamejs/lib/vendor/MANIFEST.json — Trivy / Grype rely on that nested data for CVE attribution.",
   "packages": {
     "blamejs": {
-      "version": "0.12.20",
-      "tag": "v0.12.20",
+      "version": "0.12.21",
+      "tag": "v0.12.21",
       "license": "Apache-2.0",
       "author": "blamejs contributors",
       "source": "https://github.com/blamejs/blamejs",

package/lib/vendor/blamejs/CHANGELOG.md

@@ -8,6 +8,8 @@ upgrading across more than a few patches at a time.
 
 ## v0.12.x
 
+- v0.12.21 (2026-05-24) — **`bundleAdapterStorage.rewrapBundle(bundleId, opts)` — key rotation without restore + rewrite of inner archive bytes.** `storage.rewrapBundle(bundleId, opts?)` rotates a bundle's wrap envelope under a new recipient keypair or passphrase WITHOUT touching the inner tar / tar.gz bytes. Operators rotating a compromised keypair, migrating to a new HSM, or refreshing passphrases on a HIPAA-posture repository previously had to `readBundle` → write to a stage dir → `writeBundle` under the new key — three byte-walks of the bundle payload, two filesystem touches, transient plaintext on disk. rewrapBundle does it as unwrap + rewrap in memory: zero disk plaintext, one round-trip through the wrap layer, the gzipped tar archive bytes inside the envelope are never inflated. Cross-kind rotation (recipient ↔ passphrase) is refused — that's a separate migration the operator configures with explicit cryptoStrategy switch. **Added:** *`storage.rewrapBundle(bundleId, opts?)` — in-place envelope rotation* — Unwraps the bundle under the old key (storage's configured recipient/passphrase OR `opts.oldRecipient` / `opts.oldPassphrase`), re-wraps under the new key (`opts.newRecipient` / `opts.newPassphrase`), writes the rewrapped bytes back to the same storage key. Returns `{ bundleId, oldEnvelopeKind, newEnvelopeKind, bytesRewritten }`. Plaintext bundles refused with `backup/no-envelope-to-rewrap`; cross-kind rotation refused with `backup/no-new-recipient` / `backup/no-new-passphrase`. The inner archive bytes (the gz-compressed tar payload) are never decompressed or re-encoded — rewrap is a wrap-layer-only operation. **Security:** *Zero plaintext on disk during rotation* — The inner tar bytes flow only through memory — old-envelope unwrap → new-envelope wrap → adapter writeFile. Operators previously rotating via readBundle + writeBundle wrote plaintext archive bytes to a temporary stage directory; rewrapBundle removes that exposure window entirely. Matches the operator-side discipline that backup payloads should never land on disk in plaintext form during steady-state operations.
+
 - v0.12.20 (2026-05-24) — **`bundleAdapterStorage.verifyAllBundles(opts)` — bounded-parallel batch integrity walk with stopOnFirstFailure short-circuit.** Batch wrapper over the v0.12.19 verifyBundle primitive. `storage.verifyAllBundles(opts?)` iterates `listBundles()` + walks each bundle with a bounded-parallel pool. Returns `{ total, ok, failed, results }` where `results` carries every per-bundle verifyBundle output (including bundleId, format, envelopeKind, entryCount, errors). `opts.concurrency` defaults to 4 (gentle on the storage backend); `opts.stopOnFirstFailure` short-circuits the walk when an unhealthy bundle is found (default off — operators want the full health report). `opts.recipient` / `opts.passphrase` forwarded to every per-bundle verify call. Operators wiring a periodic cron job over a backup repository now have a single primitive to call instead of hand-rolling the listBundles loop. **Added:** *`storage.verifyAllBundles(opts?)` — batch integrity walk* — Iterates `listBundles()` + calls `verifyBundle(bundleId, opts)` on each. Bounded-parallel fan-out (default 4 workers; `opts.concurrency` raises or lowers); each worker pulls from a shared queue + the warm-up keeps `concurrency` workers in flight until the queue drains. Returns the aggregate `{ total, ok, failed, results }` with `results` sorted by bundleId so the report is stable across runs regardless of completion order. `opts.stopOnFirstFailure` short-circuits the walk when the first unhealthy bundle is found — useful for fast-fail CI gates that don't need to enumerate every failure.
 
 - v0.12.19 (2026-05-24) — **`bundleAdapterStorage.verifyBundle(bundleId)` — bundle integrity check without restore + `b.safeArchive.inspect` tar.gz support.** `storage.verifyBundle(bundleId, opts?)` walks a bundle without restoring it: confirms the payload exists, the envelope (if any) decrypts under the supplied key, and the inner tar / tar.gz walker enumerates every entry without writing to disk. Returns `{ ok, format, envelopeKind, entryCount, errors }` — operators wanting periodic health-check of a backup repository call verifyBundle across `listBundles()` and aggregate `ok === false` results. Composes the bundle's known format directly through the unwrap → gunzip → tar pipeline (skips safeArchive's auto-sniff because the bundle's format is already known from bundleInfo). `b.safeArchive.inspect` separately gains `format: "tar.gz"` dispatch — operators with a known tar.gz payload now get entry enumeration without extracting. **Added:** *`storage.verifyBundle(bundleId, opts?)` — integrity check without restore* — Composes bundleInfo for format/envelope detection + the unwrap → gunzip → tar walker chain directly. opts.recipient / opts.passphrase override the storage's configured keys (useful for verifying a bundle under a different key set than the storage was opened with — e.g. verifying that a key rotation candidate can still read a bundle). Wrong key / corrupted payload returns `ok: false` with a typed error code in the errors array rather than throwing. Directory format reports ok=true based on manifest existence + readability (the inspect walker doesn't apply). · *`b.safeArchive.inspect` accepts `format: "tar.gz"`* — Mirrors the v0.12.9 extract surface: operators handed a `.tar.gz` payload can now enumerate entries without extracting. Composes `b.archive.read.gz` + `.asTar()` internally so the same bomb caps apply (1 GiB output / 100× ratio default) to inspect calls.

package/lib/vendor/blamejs/api-snapshot.json

@@ -1,7 +1,7 @@
 {
   "version": 1,
-  "frameworkVersion": "0.12.20",
-  "createdAt": "2026-05-24T05:46:34.569Z",
+  "frameworkVersion": "0.12.21",
+  "createdAt": "2026-05-24T06:29:00.300Z",
   "exports": {
     "a2a": {
       "type": "object",

package/lib/vendor/blamejs/lib/backup/index.js

@@ -1532,6 +1532,105 @@ function bundleAdapterStorage(opts) {
         };
       }
     },
+    // rewrapBundle(bundleId, opts) — v0.12.21 key rotation
+    // without restore + rewrite. Unwraps the bundle under the old
+    // key + re-wraps under the new key. Inner tar / tar.gz bytes
+    // are never decompressed or rewritten. Operators rotating
+    // recipient keypairs avoid the full restore-to-disk → rewrite
+    // cycle. Returns `{ bundleId, oldEnvelopeKind, newEnvelopeKind,
+    // bytesRewritten }`. Refuses cross-kind rotation (recipient ↔
+    // passphrase) — that's a separate migration the operator
+    // configures explicitly.
+    async rewrapBundle(bundleId, rwOpts) {
+      rwOpts = rwOpts || {};
+      _ensureBundleId(bundleId);
+      var info = await this.bundleInfo(bundleId);
+      if (info.format !== "tar" && info.format !== "tar.gz") {
+        throw new BackupError("backup/format-not-wrappable",
+          "rewrapBundle: '" + bundleId + "' has format=" + JSON.stringify(info.format) +
+          " — only tar / tar.gz bundles carry wrap envelopes");
+      }
+      var rwKeySuffix = info.format === "tar.gz" ? TAR_GZ_KEY_SUFFIX : TAR_KEY_SUFFIX;
+      var sealed = await adapter.readFile(bundleId + rwKeySuffix);
+      var envelopeKind = info.envelopeKind;
+      // Codex P2 on v0.12.21 PR #172 — when the adapter has no
+      // readPartial capability, bundleInfo returns envelopeKind:
+      // "unknown" rather than risk a full payload load. For
+      // rewrap, we already have to load the payload (to unwrap),
+      // so fall back to a sniffEnvelope on the loaded sealed
+      // bytes — fixes the regression where adapters satisfying
+      // the minimum contract couldn't use rewrapBundle.
+      if (envelopeKind === "unknown") {
+        envelopeKind = archiveLazy().sniffEnvelope(sealed);
+      }
+      if (envelopeKind !== "recipient" && envelopeKind !== "passphrase") {
+        throw new BackupError("backup/no-envelope-to-rewrap",
+          "rewrapBundle: '" + bundleId + "' carries envelopeKind=" +
+          JSON.stringify(envelopeKind) + " — nothing to rewrap");
+      }
+      // Override the info.envelopeKind we use below so the
+      // dispatch + return shape reflect the actual envelope we
+      // detected (matters when bundleInfo returned "unknown").
+      info = Object.assign({}, info, { envelopeKind: envelopeKind });
+      var inner;
+      if (info.envelopeKind === "recipient") {
+        var oldRcp = rwOpts.oldRecipient !== undefined ? rwOpts.oldRecipient : recipient;
+        if (!oldRcp) {
+          throw new BackupError("backup/no-old-recipient",
+            "rewrapBundle: opts.oldRecipient (or the storage's configured recipient) is required to unwrap");
+        }
+        if (!rwOpts.newRecipient || typeof rwOpts.newRecipient !== "object") {
+          throw new BackupError("backup/no-new-recipient",
+            "rewrapBundle: opts.newRecipient is required to re-seal under the rotated key");
+        }
+        inner = archiveLazy().unwrap(sealed, { recipient: oldRcp });
+        var resealed = archiveLazy().wrap(inner, { recipient: rwOpts.newRecipient });
+        await adapter.writeFile(bundleId + rwKeySuffix, resealed);
+        return {
+          bundleId:         bundleId,
+          oldEnvelopeKind:  "recipient",
+          newEnvelopeKind:  "recipient",
+          bytesRewritten:   resealed.length,
+        };
+      }
+      // passphrase
+      var oldPass = rwOpts.oldPassphrase !== undefined ? rwOpts.oldPassphrase : passphrase;
+      if (typeof oldPass !== "string" && !Buffer.isBuffer(oldPass)) {
+        throw new BackupError("backup/no-old-passphrase",
+          "rewrapBundle: opts.oldPassphrase (or the storage's configured passphrase) is required to unwrap");
+      }
+      if (typeof rwOpts.newPassphrase !== "string" && !Buffer.isBuffer(rwOpts.newPassphrase)) {
+        throw new BackupError("backup/no-new-passphrase",
+          "rewrapBundle: opts.newPassphrase is required (string or Buffer) to re-seal");
+      }
+      inner = await archiveLazy().unwrapWithPassphrase(sealed, { passphrase: oldPass });
+      // Codex P1 on v0.12.21 PR #172 — preserve the storage's
+      // configured entropy floor across rewrap. The
+      // writeBundle path raises the floor to 128 bits under
+      // HIPAA / PCI-DSS postures (per
+      // BACKUP_ENCRYPTION_REQUIRED_POSTURES); rewrapBundle MUST
+      // apply the same floor so a rotated passphrase that
+      // writeBundle would refuse can't slip through. The
+      // operator's explicit rwOpts.passphraseMinEntropyBits
+      // can raise the floor further but cannot lower it.
+      var effectiveFloor = passphraseMinEntropyBits;                                  // storage's posture-effective floor
+      if (typeof rwOpts.passphraseMinEntropyBits === "number" &&
+          Number.isFinite(rwOpts.passphraseMinEntropyBits) &&
+          rwOpts.passphraseMinEntropyBits > effectiveFloor) {
+        effectiveFloor = Math.floor(rwOpts.passphraseMinEntropyBits);
+      }
+      var resealedP = await archiveLazy().wrapWithPassphrase(inner, {
+        passphrase:     rwOpts.newPassphrase,
+        minEntropyBits: effectiveFloor,
+      });
+      await adapter.writeFile(bundleId + rwKeySuffix, resealedP);
+      return {
+        bundleId:         bundleId,
+        oldEnvelopeKind:  "passphrase",
+        newEnvelopeKind:  "passphrase",
+        bytesRewritten:   resealedP.length,
+      };
+    },
     // verifyAllBundles(opts?) — v0.12.20 batch integrity check.
     // Iterates listBundles() + calls verifyBundle on each. Returns
     // `{ total, ok, failed, results }` where `results` is an array

package/lib/vendor/blamejs/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@blamejs/core",
-  "version": "0.12.20",
+  "version": "0.12.21",
   "description": "The Node framework that owns its stack.",
   "license": "Apache-2.0",
   "author": "blamejs contributors",

package/lib/vendor/blamejs/release-notes/v0.12.21.json

@@ -0,0 +1,27 @@
+{
+  "$schema": "../scripts/release-notes-schema.json",
+  "version": "0.12.21",
+  "date": "2026-05-24",
+  "headline": "`bundleAdapterStorage.rewrapBundle(bundleId, opts)` — key rotation without restore + rewrite of inner archive bytes",
+  "summary": "`storage.rewrapBundle(bundleId, opts?)` rotates a bundle's wrap envelope under a new recipient keypair or passphrase WITHOUT touching the inner tar / tar.gz bytes. Operators rotating a compromised keypair, migrating to a new HSM, or refreshing passphrases on a HIPAA-posture repository previously had to `readBundle` → write to a stage dir → `writeBundle` under the new key — three byte-walks of the bundle payload, two filesystem touches, transient plaintext on disk. rewrapBundle does it as unwrap + rewrap in memory: zero disk plaintext, one round-trip through the wrap layer, the gzipped tar archive bytes inside the envelope are never inflated. Cross-kind rotation (recipient ↔ passphrase) is refused — that's a separate migration the operator configures with explicit cryptoStrategy switch.",
+  "sections": [
+    {
+      "heading": "Added",
+      "items": [
+        {
+          "title": "`storage.rewrapBundle(bundleId, opts?)` — in-place envelope rotation",
+          "body": "Unwraps the bundle under the old key (storage's configured recipient/passphrase OR `opts.oldRecipient` / `opts.oldPassphrase`), re-wraps under the new key (`opts.newRecipient` / `opts.newPassphrase`), writes the rewrapped bytes back to the same storage key. Returns `{ bundleId, oldEnvelopeKind, newEnvelopeKind, bytesRewritten }`. Plaintext bundles refused with `backup/no-envelope-to-rewrap`; cross-kind rotation refused with `backup/no-new-recipient` / `backup/no-new-passphrase`. The inner archive bytes (the gz-compressed tar payload) are never decompressed or re-encoded — rewrap is a wrap-layer-only operation."
+        }
+      ]
+    },
+    {
+      "heading": "Security",
+      "items": [
+        {
+          "title": "Zero plaintext on disk during rotation",
+          "body": "The inner tar bytes flow only through memory — old-envelope unwrap → new-envelope wrap → adapter writeFile. Operators previously rotating via readBundle + writeBundle wrote plaintext archive bytes to a temporary stage directory; rewrapBundle removes that exposure window entirely. Matches the operator-side discipline that backup payloads should never land on disk in plaintext form during steady-state operations."
+        }
+      ]
+    }
+  ]
+}

package/lib/vendor/blamejs/test/layer-0-primitives/backup-rewrap-bundle.test.js

@@ -0,0 +1,233 @@
+"use strict";
+/**
+ * Layer 0 — bundleAdapterStorage.rewrapBundle key rotation without
+ * restore/rewrite of inner archive bytes.
+ */
+
+var fs = require("node:fs");
+var path = require("node:path");
+var os = require("node:os");
+var b = require("../../index");
+var helpers = require("../helpers");
+var check = helpers.check;
+
+async function testRewrapRecipientRotation() {
+  var oldPair = b.crypto.generateEncryptionKeyPair();
+  var newPair = b.crypto.generateEncryptionKeyPair();
+  var src = fs.mkdtempSync(path.join(os.tmpdir(), "rw-src-"));
+  var dest = fs.mkdtempSync(path.join(os.tmpdir(), "rw-dest-"));
+  var verify = path.join(os.tmpdir(), "rw-v-" + Date.now());
+  try {
+    fs.writeFileSync(path.join(src, "a.json"), "{\"v\":1}", { mode: 0o600 });
+    var storage = b.backup.bundleAdapterStorage({
+      adapter:        b.backup.bundleAdapterStorage.fsAdapter({ root: dest }),
+      format:         "tar.gz",
+      cryptoStrategy: "recipient",
+      recipient:      oldPair,
+    });
+    var bid = "2026-05-24T06-00-00-000Z-aabbccdd";
+    await storage.writeBundle(bid, src);
+    var rw = await storage.rewrapBundle(bid, { newRecipient: newPair });
+    check("rewrapBundle: returns oldEnvelopeKind + newEnvelopeKind",
+      rw.oldEnvelopeKind === "recipient" && rw.newEnvelopeKind === "recipient");
+    check("rewrapBundle: bytesRewritten > 0", rw.bytesRewritten > 0);
+    // Open a fresh storage with newPair + restore
+    var rotated = b.backup.bundleAdapterStorage({
+      adapter:        b.backup.bundleAdapterStorage.fsAdapter({ root: dest }),
+      format:         "tar.gz",
+      cryptoStrategy: "recipient",
+      recipient:      newPair,
+    });
+    await rotated.readBundle(bid, verify);
+    check("rewrapBundle: bundle restores under newRecipient after rotation",
+      fs.readFileSync(path.join(verify, "a.json"), "utf-8") === "{\"v\":1}");
+  } finally {
+    try { fs.rmSync(src,    { recursive: true, force: true }); } catch (_e) { /* ignore */ }
+    try { fs.rmSync(dest,   { recursive: true, force: true }); } catch (_e) { /* ignore */ }
+    try { fs.rmSync(verify, { recursive: true, force: true }); } catch (_e) { /* ignore */ }
+  }
+}
+
+async function testRewrapPassphraseRotation() {
+  var oldPass = "aLongCorrectHorseBatteryStaple9876!Phrase";
+  var newPass = "completelyDifferentPassphraseEvenLonger123!@#";
+  var src = fs.mkdtempSync(path.join(os.tmpdir(), "rw-p-src-"));
+  var dest = fs.mkdtempSync(path.join(os.tmpdir(), "rw-p-dest-"));
+  var verify = path.join(os.tmpdir(), "rw-p-v-" + Date.now());
+  try {
+    fs.writeFileSync(path.join(src, "a.json"), "{\"v\":2}", { mode: 0o600 });
+    var storage = b.backup.bundleAdapterStorage({
+      adapter:        b.backup.bundleAdapterStorage.fsAdapter({ root: dest }),
+      format:         "tar.gz",
+      cryptoStrategy: "passphrase",
+      passphrase:     oldPass,
+    });
+    var bid = "2026-05-24T06-30-00-000Z-eeffaabb";
+    await storage.writeBundle(bid, src);
+    var rw = await storage.rewrapBundle(bid, { newPassphrase: newPass });
+    check("rewrapBundle: passphrase rotation reports passphrase envelope",
+      rw.oldEnvelopeKind === "passphrase" && rw.newEnvelopeKind === "passphrase");
+    var rotated = b.backup.bundleAdapterStorage({
+      adapter:        b.backup.bundleAdapterStorage.fsAdapter({ root: dest }),
+      format:         "tar.gz",
+      cryptoStrategy: "passphrase",
+      passphrase:     newPass,
+    });
+    await rotated.readBundle(bid, verify);
+    check("rewrapBundle: bundle restores under newPassphrase after rotation",
+      fs.readFileSync(path.join(verify, "a.json"), "utf-8") === "{\"v\":2}");
+  } finally {
+    try { fs.rmSync(src,    { recursive: true, force: true }); } catch (_e) { /* ignore */ }
+    try { fs.rmSync(dest,   { recursive: true, force: true }); } catch (_e) { /* ignore */ }
+    try { fs.rmSync(verify, { recursive: true, force: true }); } catch (_e) { /* ignore */ }
+  }
+}
+
+async function testRewrapRefusesPlaintextBundle() {
+  var src = fs.mkdtempSync(path.join(os.tmpdir(), "rw-pt-src-"));
+  var dest = fs.mkdtempSync(path.join(os.tmpdir(), "rw-pt-dest-"));
+  try {
+    fs.writeFileSync(path.join(src, "a"), "x", { mode: 0o600 });
+    var storage = b.backup.bundleAdapterStorage({
+      adapter: b.backup.bundleAdapterStorage.fsAdapter({ root: dest }),
+      format:  "tar.gz",
+    });
+    var bid = "2026-05-24T06-45-00-000Z-99887766";
+    await storage.writeBundle(bid, src);
+    var refused = null;
+    try {
+      await storage.rewrapBundle(bid, {
+        newRecipient: b.crypto.generateEncryptionKeyPair(),
+      });
+    } catch (e) { refused = e; }
+    check("rewrapBundle: plaintext bundle refused with no-envelope-to-rewrap",
+      refused && /no-envelope-to-rewrap/.test(refused.code || refused.message));
+  } finally {
+    try { fs.rmSync(src,  { recursive: true, force: true }); } catch (_e) { /* ignore */ }
+    try { fs.rmSync(dest, { recursive: true, force: true }); } catch (_e) { /* ignore */ }
+  }
+}
+
+async function testRewrapHipaaPreservesEntropyFloor() {
+  // Codex P1 on v0.12.21 PR #172 — under HIPAA posture, the
+  // storage's effective entropy floor is 128 bits. rewrapBundle
+  // must enforce that floor regardless of what
+  // opts.passphraseMinEntropyBits says — otherwise a rotation to
+  // a weak passphrase that writeBundle would refuse slips through.
+  var src = fs.mkdtempSync(path.join(os.tmpdir(), "rw-hipaa-src-"));
+  var dest = fs.mkdtempSync(path.join(os.tmpdir(), "rw-hipaa-dest-"));
+  try {
+    fs.writeFileSync(path.join(src, "phi.json"), "{\"id\":42}", { mode: 0o600 });
+    var strongPass = "aLongCorrectHorseBatteryStaple9876!Phrase";   // ~227 bits
+    var storage = b.backup.bundleAdapterStorage({
+      adapter:        b.backup.bundleAdapterStorage.fsAdapter({ root: dest }),
+      format:         "tar.gz",
+      cryptoStrategy: "passphrase",
+      passphrase:     strongPass,
+      posture:        "hipaa",
+    });
+    var bid = "2026-05-24T07-30-00-000Z-bbbb1111";
+    await storage.writeBundle(bid, src);
+    // Try rotating to a passphrase that's ~100 bits — passes the
+    // default 80-bit floor but should be refused under HIPAA's
+    // 128-bit floor.
+    var weakPass = "lowercaseonlyword123";  // 20 chars, lower+digit alphabet=36 → ~103 bits — above 80, below 128
+    var refused = null;
+    try {
+      await storage.rewrapBundle(bid, { newPassphrase: weakPass });
+    } catch (e) { refused = e; }
+    check("rewrapBundle: HIPAA posture's 128-bit entropy floor enforced across rotation",
+      refused && /weak-passphrase/.test(refused.code || refused.message));
+  } finally {
+    try { fs.rmSync(src,  { recursive: true, force: true }); } catch (_e) { /* ignore */ }
+    try { fs.rmSync(dest, { recursive: true, force: true }); } catch (_e) { /* ignore */ }
+  }
+}
+
+async function testRewrapWithLegacyAdapter() {
+  // Codex P2 on v0.12.21 PR #172 — adapters without readPartial
+  // get envelopeKind: "unknown" from bundleInfo. rewrapBundle
+  // must fall back to sniffing the loaded sealed bytes rather
+  // than refusing with no-envelope-to-rewrap.
+  var pair = b.crypto.generateEncryptionKeyPair();
+  var newPair = b.crypto.generateEncryptionKeyPair();
+  var src = fs.mkdtempSync(path.join(os.tmpdir(), "rw-leg-src-"));
+  var fullDest = fs.mkdtempSync(path.join(os.tmpdir(), "rw-leg-dest-"));
+  try {
+    fs.writeFileSync(path.join(src, "a"), "x", { mode: 0o600 });
+    // Bootstrap with the full fsAdapter to get a valid bundle.
+    var bootstrap = b.backup.bundleAdapterStorage({
+      adapter:        b.backup.bundleAdapterStorage.fsAdapter({ root: fullDest }),
+      format:         "tar.gz",
+      cryptoStrategy: "recipient",
+      recipient:      pair,
+    });
+    var bid = "2026-05-24T07-45-00-000Z-cccc2222";
+    await bootstrap.writeBundle(bid, src);
+    // Re-wrap the bundle bytes through a legacy adapter that
+    // exposes only the minimum contract (no readPartial / statKey).
+    var fullAdapter = b.backup.bundleAdapterStorage.fsAdapter({ root: fullDest });
+    var legacyAdapter = {
+      writeFile: fullAdapter.writeFile,
+      readFile:  fullAdapter.readFile,
+      listKeys:  fullAdapter.listKeys,
+      deleteKey: fullAdapter.deleteKey,
+      hasKey:    fullAdapter.hasKey,
+      // Intentionally omit readPartial + statKey.
+    };
+    var legacyStorage = b.backup.bundleAdapterStorage({
+      adapter:        legacyAdapter,
+      format:         "tar.gz",
+      cryptoStrategy: "recipient",
+      recipient:      pair,
+    });
+    var rw = await legacyStorage.rewrapBundle(bid, { newRecipient: newPair });
+    check("rewrapBundle: legacy adapter (no readPartial) succeeds via fallback sniff",
+      rw.oldEnvelopeKind === "recipient" && rw.newEnvelopeKind === "recipient");
+  } finally {
+    try { fs.rmSync(src,      { recursive: true, force: true }); } catch (_e) { /* ignore */ }
+    try { fs.rmSync(fullDest, { recursive: true, force: true }); } catch (_e) { /* ignore */ }
+  }
+}
+
+async function testRewrapRefusesMissingNewRecipient() {
+  var oldPair = b.crypto.generateEncryptionKeyPair();
+  var src = fs.mkdtempSync(path.join(os.tmpdir(), "rw-nr-src-"));
+  var dest = fs.mkdtempSync(path.join(os.tmpdir(), "rw-nr-dest-"));
+  try {
+    fs.writeFileSync(path.join(src, "a"), "x", { mode: 0o600 });
+    var storage = b.backup.bundleAdapterStorage({
+      adapter:        b.backup.bundleAdapterStorage.fsAdapter({ root: dest }),
+      format:         "tar.gz",
+      cryptoStrategy: "recipient",
+      recipient:      oldPair,
+    });
+    var bid = "2026-05-24T07-00-00-000Z-aabbcc01";
+    await storage.writeBundle(bid, src);
+    var refused = null;
+    try { await storage.rewrapBundle(bid, {}); } catch (e) { refused = e; }
+    check("rewrapBundle: missing newRecipient refused upfront",
+      refused && /no-new-recipient/.test(refused.code || refused.message));
+  } finally {
+    try { fs.rmSync(src,  { recursive: true, force: true }); } catch (_e) { /* ignore */ }
+    try { fs.rmSync(dest, { recursive: true, force: true }); } catch (_e) { /* ignore */ }
+  }
+}
+
+async function run() {
+  await testRewrapRecipientRotation();
+  await testRewrapPassphraseRotation();
+  await testRewrapRefusesPlaintextBundle();
+  await testRewrapRefusesMissingNewRecipient();
+  await testRewrapHipaaPreservesEntropyFloor();
+  await testRewrapWithLegacyAdapter();
+}
+
+module.exports = { run: run };
+
+if (require.main === module) {
+  run().then(
+    function () { console.log("[backup-rewrap-bundle] OK — " + helpers.getChecks() + " checks passed"); },
+    function (e) { console.error("FAIL:", e && e.stack || e); process.exit(1); }
+  );
+}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@blamejs/blamejs-shop",
-  "version": "0.0.114",
+  "version": "0.0.116",
   "description": "Open-source framework built on blamejs. Vendored stack, zero npm runtime deps, PQC-first crypto, security-on by default.",
   "main": "lib/index.js",
   "scripts": {