@blamejs/blamejs-shop 0.0.124 → 0.0.126

package/lib/vendor/blamejs/test/layer-0-primitives/auth-jar.test.js

@@ -0,0 +1,153 @@
+"use strict";
+/**
+ * Layer 0 — b.auth.jar.parse: RFC 9101 JWT-Secured Authorization
+ * Request (server side). Verifies the client-signed request object
+ * via verifyExternal (mandatory alg allowlist), pins iss + client_id
+ * + aud, refuses nested request / request_uri, and returns the
+ * authorization parameters. Request objects are signed inline with a
+ * classical key (RS256) to mirror a real OAuth client.
+ */
+
+var helpers = require("../helpers");
+var b = helpers.b;
+var check = helpers.check;
+var nodeCrypto = require("node:crypto");
+
+function _b64url(buf) {
+  return Buffer.from(buf).toString("base64").replace(/=+$/, "").replace(/\+/g, "-").replace(/\//g, "_");
+}
+function _signRs256(privateKey, header, payload) {
+  var input = _b64url(JSON.stringify(header)) + "." + _b64url(JSON.stringify(payload));
+  var sig = nodeCrypto.sign("sha256", Buffer.from(input, "ascii"),
+    { key: privateKey, padding: nodeCrypto.constants.RSA_PKCS1_PADDING });
+  return input + "." + _b64url(sig);
+}
+function _rsaPair() {
+  return nodeCrypto.generateKeyPairSync("rsa", {
+    modulusLength:      2048,
+    publicKeyEncoding:  { type: "spki",  format: "jwk" },
+    privateKeyEncoding: { type: "pkcs8", format: "pem" },
+  });
+}
+function _nowSec() { return Math.floor(Date.now() / 1000); }
+
+var KEYS = _rsaPair();
+var JWK = Object.assign({}, KEYS.publicKey, { kid: "c1", use: "sig", alg: "RS256" });
+var AS = "https://as.example.com";
+var CLIENT = "s6BhdRkqt3";
+
+function _requestObject(extraClaims) {
+  var payload = Object.assign({
+    iss:           CLIENT,
+    aud:           AS,
+    client_id:     CLIENT,
+    response_type: "code",
+    redirect_uri:  "https://app.example.com/cb",
+    scope:         "openid profile",
+    state:         "xyz-state",
+    nonce:         "n-0S6_WzA2Mj",
+    iat:           _nowSec(),
+    exp:           _nowSec() + 120,
+  }, extraClaims || {});
+  return _signRs256(KEYS.privateKey, { alg: "RS256", typ: "oauth-authz-req+jwt", kid: "c1" }, payload);
+}
+
+function _parseOpts(over) {
+  var o = { clientId: CLIENT, audience: AS, algorithms: ["RS256"], jwks: [JWK] };
+  if (over) { var k = Object.keys(over); for (var i = 0; i < k.length; i++) o[k[i]] = over[k[i]]; }
+  return o;
+}
+
+async function testRoundTrip() {
+  var jar = _requestObject();
+  var out = await b.auth.jar.parse(jar, _parseOpts());
+  check("parse: returns authorization params", out.params.response_type === "code" && out.params.redirect_uri === "https://app.example.com/cb");
+  check("parse: preserves state + nonce + scope", out.params.state === "xyz-state" && out.params.nonce === "n-0S6_WzA2Mj" && out.params.scope === "openid profile");
+  check("parse: strips JWT envelope claims from params", out.params.iss === undefined && out.params.aud === undefined && out.params.exp === undefined && out.params.iat === undefined);
+  check("parse: full claims still available", out.claims.iss === CLIENT && out.claims.aud === AS);
+}
+
+async function testAntiNesting() {
+  var withUri = _requestObject({ request_uri: "https://evil.example.com/ro" });
+  var e1 = null;
+  try { await b.auth.jar.parse(withUri, _parseOpts()); } catch (e) { e1 = e; }
+  check("parse: nested request_uri refused (RFC 9101 §6.3)", e1 && e1.code === "auth-jar/nested-request");
+  var withReq = _requestObject({ request: "ey.another.jwt" });
+  var e2 = null;
+  try { await b.auth.jar.parse(withReq, _parseOpts()); } catch (e) { e2 = e; }
+  check("parse: nested request refused", e2 && e2.code === "auth-jar/nested-request");
+}
+
+async function testClientIdBinding() {
+  // iss matches clientId, but the client_id claim differs → mismatch.
+  var mismatched = _requestObject({ client_id: "different-client" });
+  var e1 = null;
+  try { await b.auth.jar.parse(mismatched, _parseOpts()); } catch (e) { e1 = e; }
+  check("parse: client_id claim mismatch refused", e1 && e1.code === "auth-jar/client-id-mismatch");
+
+  // iss itself differs from expected clientId → verifyExternal issuer pin throws.
+  var wrongIss = _signRs256(KEYS.privateKey, { alg: "RS256", typ: "oauth-authz-req+jwt", kid: "c1" },
+    { iss: "attacker-client", aud: AS, client_id: "attacker-client", response_type: "code",
+      iat: _nowSec(), exp: _nowSec() + 120 });
+  var e2 = null;
+  try { await b.auth.jar.parse(wrongIss, _parseOpts()); } catch (e) { e2 = e; }
+  check("parse: iss not matching expected client refused (verifyExternal issuer pin)", e2 !== null);
+
+  // Codex P2 on PR #182 — a request object that OMITS client_id must
+  // be refused (RFC 9101 §5.2 requires it in the signed object), not
+  // waved through on the strength of an outer query-param client_id.
+  var noClientId = _signRs256(KEYS.privateKey, { alg: "RS256", typ: "oauth-authz-req+jwt", kid: "c1" },
+    { iss: CLIENT, aud: AS, response_type: "code", redirect_uri: "https://app/cb",
+      iat: _nowSec(), exp: _nowSec() + 120 });
+  var e3 = null;
+  try { await b.auth.jar.parse(noClientId, _parseOpts()); } catch (e) { e3 = e; }
+  check("parse: missing client_id claim refused (RFC 9101 §5.2)", e3 && e3.code === "auth-jar/missing-client-id");
+}
+
+async function testAlgConfusionDelegated() {
+  var jar = _requestObject();
+  // Valid RS256 JAR, but the AS only accepts HS256 → verifyExternal refuses the HMAC alg.
+  var e1 = null;
+  try { await b.auth.jar.parse(jar, _parseOpts({ algorithms: ["HS256"] })); } catch (e) { e1 = e; }
+  check("parse: HMAC in the allowlist refused (alg-confusion defense delegated)", e1 && /refused-alg/.test(e1.code || ""));
+  // Audience mismatch → verifyExternal aud pin throws.
+  var e2 = null;
+  try { await b.auth.jar.parse(jar, _parseOpts({ audience: "https://other-as.example.com" })); } catch (e) { e2 = e; }
+  check("parse: audience mismatch refused", e2 !== null);
+}
+
+async function testValidation() {
+  var bads = [
+    [function () { return b.auth.jar.parse("", _parseOpts()); }, "auth-jar/no-jar"],
+    [function () { return b.auth.jar.parse(_requestObject(), { audience: AS, algorithms: ["RS256"], jwks: [JWK] }); }, "auth-jar/bad-client-id"],
+    [function () { return b.auth.jar.parse(_requestObject(), { clientId: CLIENT, algorithms: ["RS256"], jwks: [JWK] }); }, "auth-jar/bad-audience"],
+  ];
+  var ok = true;
+  for (var i = 0; i < bads.length; i++) {
+    var caught = null;
+    try { await bads[i][0](); } catch (e) { caught = e; }
+    if (!caught || caught.code !== bads[i][1]) { ok = false; check("validation case " + i + " expected " + bads[i][1] + " got " + (caught && caught.code), false); }
+  }
+  check("parse: malformed args throw the right codes", ok);
+  // Missing algorithms → verifyExternal requires it (no defaults).
+  var noAlg = null;
+  try { await b.auth.jar.parse(_requestObject(), { clientId: CLIENT, audience: AS, jwks: [JWK] }); } catch (e) { noAlg = e; }
+  check("parse: missing algorithms refused (verifyExternal — no alg defaults)", noAlg !== null);
+}
+
+async function run() {
+  await testRoundTrip();
+  await testAntiNesting();
+  await testClientIdBinding();
+  await testAlgConfusionDelegated();
+  await testValidation();
+}
+
+module.exports = { run: run };
+
+if (require.main === module) {
+  run().then(
+    function () { console.log("[auth-jar] OK — " + helpers.getChecks() + " checks passed"); },
+    function (e) { console.error("FAIL:", e && e.stack || e); process.exit(1); }
+  );
+}

package/lib/vendor/blamejs/test/layer-0-primitives/backup-key-rotation.test.js

@@ -0,0 +1,141 @@
+"use strict";
+/**
+ * Layer 0 — bundleAdapterStorage.keyRotation: whole-repository
+ * envelope rotation (composes rewrapAllBundles) + post-rotation
+ * read-back under the new key (composes verifyAllBundles), so a
+ * rotation that corrupts a bundle surfaces immediately rather than at
+ * restore time.
+ */
+
+var fs = require("node:fs");
+var path = require("node:path");
+var os = require("node:os");
+var b = require("../../index");
+var helpers = require("../helpers");
+var check = helpers.check;
+
+function _mk(prefix) { return fs.mkdtempSync(path.join(os.tmpdir(), prefix)); }
+function _rm(d) { try { fs.rmSync(d, { recursive: true, force: true }); } catch (_e) { /* ignore */ } }
+
+async function testKeyRotationRecipient() {
+  var oldPair = b.crypto.generateEncryptionKeyPair();
+  var newPair = b.crypto.generateEncryptionKeyPair();
+  var src = _mk("kr-src-");
+  var dest = _mk("kr-dest-");
+  try {
+    fs.writeFileSync(path.join(src, "a"), "payload", { mode: 0o600 });
+    var storage = b.backup.bundleAdapterStorage({
+      adapter:        b.backup.bundleAdapterStorage.fsAdapter({ root: dest }),
+      format:         "tar.gz",
+      cryptoStrategy: "recipient",
+      recipient:      oldPair,
+      audit:          false,
+    });
+    var ids = ["2026-05-24T09-00-00-000Z-aa000001", "2026-05-24T09-15-00-000Z-aa000002"];
+    for (var i = 0; i < ids.length; i += 1) await storage.writeBundle(ids[i], src);
+
+    var report = await storage.keyRotation({ newRecipient: newPair });
+    check("keyRotation: rotated every bundle", report.total === 2 && report.rotated === 2 && report.failed === 0);
+    check("keyRotation: post-rotation verify read every bundle under the new key",
+      report.verified === 2 && report.verifyFailed === 0);
+    check("keyRotation: carries a rotationId + rotatedAt", /^rotation-/.test(report.rotationId) && typeof report.rotatedAt === "string");
+
+    // Independent confirmation: a fresh storage under the NEW key reads all bundles.
+    var fresh = b.backup.bundleAdapterStorage({
+      adapter:        b.backup.bundleAdapterStorage.fsAdapter({ root: dest }),
+      format:         "tar.gz",
+      cryptoStrategy: "recipient",
+      recipient:      newPair,
+      audit:          false,
+    });
+    var v = await fresh.verifyAllBundles();
+    check("keyRotation: rotation landed — new-key storage verifies all", v.ok === 2 && v.failed === 0);
+  } finally { _rm(src); _rm(dest); }
+}
+
+async function testKeyRotationPassphrase() {
+  var oldPass = b.crypto.generateBytes(32).toString("hex");
+  var newPass = b.crypto.generateBytes(32).toString("hex");
+  var src = _mk("kr-pp-src-");
+  var dest = _mk("kr-pp-dest-");
+  try {
+    fs.writeFileSync(path.join(src, "a"), "payload", { mode: 0o600 });
+    var storage = b.backup.bundleAdapterStorage({
+      adapter:        b.backup.bundleAdapterStorage.fsAdapter({ root: dest }),
+      format:         "tar.gz",
+      cryptoStrategy: "passphrase",
+      passphrase:     oldPass,
+      audit:          false,
+    });
+    await storage.writeBundle("2026-05-24T11-00-00-000Z-bb000001", src);
+    var report = await storage.keyRotation({ oldPassphrase: oldPass, newPassphrase: newPass });
+    check("keyRotation: passphrase rotation rotated + verified",
+      report.rotated === 1 && report.failed === 0 && report.verified === 1 && report.verifyFailed === 0);
+  } finally { _rm(src); _rm(dest); }
+}
+
+async function testKeyRotationVerifyOptOut() {
+  var oldPair = b.crypto.generateEncryptionKeyPair();
+  var newPair = b.crypto.generateEncryptionKeyPair();
+  var src = _mk("kr-nov-src-");
+  var dest = _mk("kr-nov-dest-");
+  try {
+    fs.writeFileSync(path.join(src, "a"), "payload", { mode: 0o600 });
+    var storage = b.backup.bundleAdapterStorage({
+      adapter:        b.backup.bundleAdapterStorage.fsAdapter({ root: dest }),
+      format:         "tar.gz",
+      cryptoStrategy: "recipient",
+      recipient:      oldPair,
+      audit:          false,
+    });
+    await storage.writeBundle("2026-05-24T12-00-00-000Z-cc000001", src);
+    var report = await storage.keyRotation({ newRecipient: newPair, verify: false });
+    check("keyRotation: verify:false skips read-back (verified null)", report.rotated === 1 && report.verified === null && report.verifyFailed === 0);
+  } finally { _rm(src); _rm(dest); }
+}
+
+async function testKeyRotationRefusals() {
+  var dest = _mk("kr-ref-dest-");
+  try {
+    // cryptoStrategy "none" — nothing to rotate.
+    var plain = b.backup.bundleAdapterStorage({
+      adapter: b.backup.bundleAdapterStorage.fsAdapter({ root: dest }), audit: false,
+    });
+    var none = null;
+    try { await plain.keyRotation({ newRecipient: b.crypto.generateEncryptionKeyPair() }); } catch (e) { none = e; }
+    check("keyRotation: refuses on cryptoStrategy none", none && none.code === "backup/no-envelope-to-rewrap");
+
+    var rec = b.backup.bundleAdapterStorage({
+      adapter:        b.backup.bundleAdapterStorage.fsAdapter({ root: dest }),
+      cryptoStrategy: "recipient",
+      recipient:      b.crypto.generateEncryptionKeyPair(),
+      audit:          false,
+    });
+    // Missing newRecipient.
+    var noNew = null;
+    try { await rec.keyRotation({}); } catch (e) { noNew = e; }
+    check("keyRotation: refuses without newRecipient", noNew && noNew.code === "backup/no-recipient");
+
+    // dualWrap deferred-with-condition.
+    var dual = null;
+    try { await rec.keyRotation({ newRecipient: b.crypto.generateEncryptionKeyPair(), dualWrap: true }); } catch (e) { dual = e; }
+    check("keyRotation: dualWrap refused (deferred — needs multi-recipient envelopes)",
+      dual && dual.code === "backup/dual-wrap-unsupported");
+  } finally { _rm(dest); }
+}
+
+async function run() {
+  await testKeyRotationRecipient();
+  await testKeyRotationPassphrase();
+  await testKeyRotationVerifyOptOut();
+  await testKeyRotationRefusals();
+}
+
+module.exports = { run: run };
+
+if (require.main === module) {
+  run().then(
+    function () { console.log("[backup-key-rotation] OK — " + helpers.getChecks() + " checks passed"); },
+    function (e) { console.error("FAIL:", e && e.stack || e); process.exit(1); }
+  );
+}

package/lib/vendor/blamejs/test/layer-0-primitives/cbor.test.js

@@ -0,0 +1,177 @@
+"use strict";
+/**
+ * Layer 0 — b.cbor bounded deterministic CBOR codec (RFC 8949).
+ * Encoder validated against RFC 8949 Appendix A vectors + §4.2
+ * deterministic encoding; decoder validated against the bounded
+ * refusals (depth / size / indefinite-length / reserved-ai / tag /
+ * duplicate-key / trailing-byte / non-canonical).
+ */
+
+var b = require("../../index");
+var helpers = require("../helpers");
+var check = helpers.check;
+var cbor = b.cbor;
+
+function _hex(buf) { return Buffer.from(buf).toString("hex"); }
+
+function testSurface() {
+  // Reference every export through the public b.cbor.* path (the
+  // coverage gate matches the dotted form).
+  check("b.cbor.encode exposed", typeof b.cbor.encode === "function");
+  check("b.cbor.decode exposed", typeof b.cbor.decode === "function");
+  check("b.cbor.Tag exposed", typeof b.cbor.Tag === "function");
+  check("b.cbor.CborError exposed", typeof b.cbor.CborError === "function");
+  var rt = b.cbor.decode(b.cbor.encode(new b.cbor.Tag(0, "x")), { allowedTags: [0] });
+  check("b.cbor round-trips a tag via the public path", rt instanceof b.cbor.Tag && rt.value === "x");
+  var err = null;
+  try { b.cbor.decode(Buffer.from([0x9f, 0x01, 0xff])); } catch (e) { err = e; }
+  check("b.cbor.CborError is thrown on bad input", err instanceof b.cbor.CborError);
+}
+
+function testAppendixAVectors() {
+  // RFC 8949 Appendix A.
+  var vectors = [
+    [0, "00"], [1, "01"], [10, "0a"], [23, "17"], [24, "1818"], [100, "1864"],
+    [1000, "1903e8"], [-1, "20"], [-100, "3863"], [1000000, "1a000f4240"],
+    [false, "f4"], [true, "f5"], [null, "f6"],
+    ["", "60"], ["a", "6161"], ["IETF", "6449455446"], ["ü", "62c3bc"],
+    [[], "80"], [[1, 2, 3], "83010203"], [[1, [2, 3], [4, 5]], "8301820203820405"],
+  ];
+  var ok = true;
+  for (var i = 0; i < vectors.length; i++) {
+    var got = _hex(cbor.encode(vectors[i][0]));
+    if (got !== vectors[i][1]) { ok = false; check("vector " + JSON.stringify(vectors[i][0]) + " → " + vectors[i][1] + " (got " + got + ")", false); }
+  }
+  check("encode: matches RFC 8949 Appendix A integer/string/array vectors", ok);
+  check("encode: bytes h'01020304' → 4401020304", _hex(cbor.encode(Buffer.from([1, 2, 3, 4]))) === "4401020304");
+  // Preferred float serialization (§4.2.1): shortest width that
+  // round-trips. 1.5 fits float16; an integer-valued float is encoded
+  // as an integer (deterministic encoding prefers the shortest form).
+  check("encode: float 1.5 → f93e00 (preferred half)", _hex(cbor.encode(1.5)) === "f93e00");
+  check("encode: 100000 → integer, not float", _hex(cbor.encode(100000)) === "1a000186a0");
+  check("encode: 3.4 → float64 (not half/float32 representable)", _hex(cbor.encode(3.4)) === "fb400b333333333333");
+  check("encode: map {1:2,3:4} (int keys) → a201020304", _hex(cbor.encode(new Map([[1, 2], [3, 4]]))) === "a201020304");
+  check("encode: nested {a:1,b:[2,3]} → a26161016162820203", _hex(cbor.encode({ a: 1, b: [2, 3] })) === "a26161016162820203");
+}
+
+function testDeterministicEncoding() {
+  // §4.2 — map keys sorted by encoded-key bytes regardless of order.
+  check("deterministic: map key order is normalized", _hex(cbor.encode({ b: 2, a: 1 })) === _hex(cbor.encode({ a: 1, b: 2 })));
+  check("deterministic: shortest-form integer head", _hex(cbor.encode(24)) === "1818" && _hex(cbor.encode(23)) === "17");
+  // Duplicate key on encode (a Map can hold structurally-equal encoded keys only via distinct JS keys — guard the explicit case).
+  var dup = null;
+  try { cbor.encode(new Map([["a", 1]])); } catch (e) { dup = e; }
+  check("deterministic: well-formed map encodes", dup === null);
+}
+
+function testRoundTrip() {
+  var value = { id: 7, tags: ["x", "y"], meta: new Map([[1, "alg"], [2, Buffer.from([0xab])]]), ok: true, n: null };
+  var decoded = cbor.decode(cbor.encode(value));
+  check("round-trip: top-level map decodes to Map", decoded instanceof Map);
+  check("round-trip: scalar + array + nested preserved",
+    decoded.get("id") === 7 && decoded.get("tags")[1] === "y" && decoded.get("ok") === true && decoded.get("n") === null);
+  check("round-trip: nested map int keys preserved", decoded.get("meta") instanceof Map && decoded.get("meta").get(1) === "alg");
+  check("round-trip: byte string preserved", Buffer.isBuffer(decoded.get("meta").get(2)) && decoded.get("meta").get(2)[0] === 0xab);
+  // negative + float + float16 decode
+  check("round-trip: negative int", cbor.decode(cbor.encode(-100)) === -100);
+  check("round-trip: float64", cbor.decode(cbor.encode(3.14159)) === 3.14159);
+  check("decode: float16 (0xf93e00 = 1.5)", cbor.decode(Buffer.from([0xf9, 0x3e, 0x00])) === 1.5);
+  // Preferred-width round-trips: each chooses the shortest exact form.
+  [1.5, -2.5, 0.5, 3.4, 1e300, 5.960464477539063e-8].forEach(function (n) {
+    check("preferred-float round-trip " + n, cbor.decode(cbor.encode(n)) === n);
+  });
+  // A canonically float16-encoded value passes requireDeterministic
+  // (the preferred-serialization fix — float64 emission would falsely
+  // reject it).
+  check("requireDeterministic: float16-canonical input accepted", cbor.decode(cbor.encode(1.5), { requireDeterministic: true }) === 1.5);
+}
+
+function testInvalidUtf8() {
+  // CBOR text strings must be valid UTF-8 (§3.1) — malformed bytes are
+  // refused, not silently replaced with U+FFFD.
+  var bad = null;
+  try { cbor.decode(Buffer.from([0x63, 0xff, 0xff, 0xff])); } catch (e) { bad = e; }   // text(3) + invalid bytes
+  check("decode: invalid UTF-8 text string refused", bad && bad.code === "cbor/invalid-utf8");
+  check("decode: valid multibyte UTF-8 preserved", cbor.decode(cbor.encode("héllo ☃")) === "héllo ☃");
+}
+
+function testTags() {
+  var enc = cbor.encode(new cbor.Tag(42, "answer"));
+  check("encode: tagged value", _hex(enc) === "d82a66616e73776572");
+  var refused = null;
+  try { cbor.decode(enc); } catch (e) { refused = e; }
+  check("decode: tag refused unless allowlisted", refused && refused.code === "cbor/tag-refused");
+  var t = cbor.decode(enc, { allowedTags: [42] });
+  check("decode: allowlisted tag returns Tag", t instanceof cbor.Tag && t.tag === 42 && t.value === "answer");
+}
+
+function testBoundedRefusals() {
+  var cases = [
+    ["indefinite array", Buffer.from([0x9f, 0x01, 0xff]), {}, "cbor/indefinite-refused"],
+    ["reserved ai-28", Buffer.from([0x1c]), {}, "cbor/reserved-ai"],
+    ["duplicate map key", Buffer.from([0xa2, 0x01, 0x02, 0x01, 0x03]), {}, "cbor/duplicate-key"],
+    ["trailing bytes", Buffer.from([0x01, 0x02]), {}, "cbor/trailing-bytes"],
+    ["truncated head", Buffer.from([0x18]), {}, "cbor/truncated"],
+    ["length bomb (no data)", Buffer.from([0x9a, 0xff, 0xff, 0xff, 0xff]), {}, "cbor/truncated"],
+    ["bad simple value (major 7, ai 28)", Buffer.from([0xfc]), {}, "cbor/bad-simple"],
+  ];
+  var ok = true;
+  for (var i = 0; i < cases.length; i++) {
+    var caught = null;
+    try { cbor.decode(cases[i][1], cases[i][2]); } catch (e) { caught = e; }
+    if (!caught || caught.code !== cases[i][3]) { ok = false; check(cases[i][0] + " expected " + cases[i][3] + " got " + (caught && caught.code), false); }
+  }
+  check("decode: bounded refusals fire with the right codes", ok);
+
+  var depth = null;
+  try { cbor.decode(cbor.encode([[[[[1]]]]]), { maxDepth: 2 }); } catch (e) { depth = e; }
+  check("decode: maxDepth refuses over-deep nesting", depth && depth.code === "cbor/max-depth");
+
+  var big = null;
+  try { cbor.decode(cbor.encode([1, 2, 3, 4, 5]), { maxBytes: 2 }); } catch (e) { big = e; }
+  check("decode: maxBytes refuses oversize input", big && big.code === "cbor/too-large");
+}
+
+function testRequireDeterministic() {
+  // Long-form encoding of 1 (0x1801) is valid CBOR but non-canonical.
+  var nonCanon = null;
+  try { cbor.decode(Buffer.from([0x18, 0x01]), { requireDeterministic: true }); } catch (e) { nonCanon = e; }
+  check("requireDeterministic: non-canonical long-form refused", nonCanon && nonCanon.code === "cbor/not-deterministic");
+  // A canonical encoding round-trips through the determinism check.
+  var d = cbor.decode(cbor.encode({ a: 1, b: 2 }), { requireDeterministic: true });
+  check("requireDeterministic: canonical input accepted", d.get("a") === 1 && d.get("b") === 2);
+  // Lenient decode (default) accepts the long form.
+  check("decode: non-canonical accepted without requireDeterministic", cbor.decode(Buffer.from([0x18, 0x01])) === 1);
+}
+
+function testInputValidation() {
+  var e1 = null;
+  try { cbor.decode("not a buffer"); } catch (e) { e1 = e; }
+  check("decode: non-buffer input refused", e1 && e1.code === "cbor/bad-input");
+  var e2 = null;
+  try { cbor.encode(function () {}); } catch (e) { e2 = e; }
+  check("encode: unencodable value refused", e2 && e2.code === "cbor/unencodable");
+  var e3 = null;
+  try { cbor.encode(NaN); } catch (e) { e3 = e; }
+  check("encode: NaN refused by default", e3 && e3.code === "cbor/non-finite");
+  check("encode: NaN emitted under allowNonFinite", Buffer.isBuffer(cbor.encode(NaN, { allowNonFinite: true })));
+}
+
+function run() {
+  testSurface();
+  testAppendixAVectors();
+  testDeterministicEncoding();
+  testRoundTrip();
+  testInvalidUtf8();
+  testTags();
+  testBoundedRefusals();
+  testRequireDeterministic();
+  testInputValidation();
+}
+
+module.exports = { run: run };
+
+if (require.main === module) {
+  run();
+  console.log("[cbor] OK — " + helpers.getChecks() + " checks passed");
+}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@blamejs/blamejs-shop",
-  "version": "0.0.124",
+  "version": "0.0.126",
   "description": "Open-source framework built on blamejs. Vendored stack, zero npm runtime deps, PQC-first crypto, security-on by default.",
   "main": "lib/index.js",
   "scripts": {