@blamejs/blamejs-shop 0.0.44

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (1220) hide show
  1. package/CHANGELOG.md +87 -0
  2. package/LICENSE +17 -0
  3. package/README.md +117 -0
  4. package/SECURITY.md +139 -0
  5. package/lib/admin.js +952 -0
  6. package/lib/analytics.js +267 -0
  7. package/lib/cart.js +279 -0
  8. package/lib/catalog-import.js +344 -0
  9. package/lib/catalog.js +769 -0
  10. package/lib/checkout.js +320 -0
  11. package/lib/config.js +151 -0
  12. package/lib/customers.js +322 -0
  13. package/lib/email.js +242 -0
  14. package/lib/externaldb-d1.js +283 -0
  15. package/lib/index.js +57 -0
  16. package/lib/inventory-alerts.js +198 -0
  17. package/lib/newsletter.js +142 -0
  18. package/lib/order.js +380 -0
  19. package/lib/payment.js +318 -0
  20. package/lib/pricing.js +185 -0
  21. package/lib/r2-bridge.js +169 -0
  22. package/lib/shipping.js +185 -0
  23. package/lib/storefront.js +2160 -0
  24. package/lib/subscriptions.js +410 -0
  25. package/lib/tax.js +161 -0
  26. package/lib/theme.js +194 -0
  27. package/lib/vendor/MANIFEST.json +19 -0
  28. package/lib/vendor/blamejs/.clusterfuzzlite/Dockerfile +23 -0
  29. package/lib/vendor/blamejs/.clusterfuzzlite/build.sh +34 -0
  30. package/lib/vendor/blamejs/.clusterfuzzlite/project.yaml +16 -0
  31. package/lib/vendor/blamejs/.dockerignore +45 -0
  32. package/lib/vendor/blamejs/.gitattributes +42 -0
  33. package/lib/vendor/blamejs/.github/CODEOWNERS +4 -0
  34. package/lib/vendor/blamejs/.github/FUNDING.yml +2 -0
  35. package/lib/vendor/blamejs/.github/ISSUE_TEMPLATE/bug_report.md +58 -0
  36. package/lib/vendor/blamejs/.github/ISSUE_TEMPLATE/config.yml +8 -0
  37. package/lib/vendor/blamejs/.github/ISSUE_TEMPLATE/feature_request.md +99 -0
  38. package/lib/vendor/blamejs/.github/PULL_REQUEST_TEMPLATE.md +77 -0
  39. package/lib/vendor/blamejs/.github/dependabot.yml +37 -0
  40. package/lib/vendor/blamejs/.github/workflows/actions-lint.yml +148 -0
  41. package/lib/vendor/blamejs/.github/workflows/cflite_batch.yml +107 -0
  42. package/lib/vendor/blamejs/.github/workflows/cflite_pr.yml +122 -0
  43. package/lib/vendor/blamejs/.github/workflows/ci.yml +511 -0
  44. package/lib/vendor/blamejs/.github/workflows/codeql.yml +50 -0
  45. package/lib/vendor/blamejs/.github/workflows/npm-publish.yml +655 -0
  46. package/lib/vendor/blamejs/.github/workflows/release-container.yml +406 -0
  47. package/lib/vendor/blamejs/.github/workflows/scorecard.yml +101 -0
  48. package/lib/vendor/blamejs/.github/workflows/sha-to-tag-verify.yml +134 -0
  49. package/lib/vendor/blamejs/.gitignore +102 -0
  50. package/lib/vendor/blamejs/.gitleaks.toml +166 -0
  51. package/lib/vendor/blamejs/.hadolint.yaml +18 -0
  52. package/lib/vendor/blamejs/.npmrc +5 -0
  53. package/lib/vendor/blamejs/.pinact.yaml +17 -0
  54. package/lib/vendor/blamejs/ARCHITECTURE.md +158 -0
  55. package/lib/vendor/blamejs/CHANGELOG.md +1351 -0
  56. package/lib/vendor/blamejs/CODE_OF_CONDUCT.md +86 -0
  57. package/lib/vendor/blamejs/CONTRIBUTING.md +156 -0
  58. package/lib/vendor/blamejs/GOVERNANCE.md +201 -0
  59. package/lib/vendor/blamejs/LICENSE +201 -0
  60. package/lib/vendor/blamejs/LTS-CALENDAR.md +29 -0
  61. package/lib/vendor/blamejs/MIGRATING.md +29 -0
  62. package/lib/vendor/blamejs/NOTICE +81 -0
  63. package/lib/vendor/blamejs/README.md +304 -0
  64. package/lib/vendor/blamejs/SECURITY.md +432 -0
  65. package/lib/vendor/blamejs/api-snapshot.json +48709 -0
  66. package/lib/vendor/blamejs/assets/BlameJS_Logo.png +0 -0
  67. package/lib/vendor/blamejs/assets/BlameJS_Logo.svg +129 -0
  68. package/lib/vendor/blamejs/bench/README.md +77 -0
  69. package/lib/vendor/blamejs/bench/_helpers.js +70 -0
  70. package/lib/vendor/blamejs/bench/baseline.json +183 -0
  71. package/lib/vendor/blamejs/bench/crypto-hash.bench.js +19 -0
  72. package/lib/vendor/blamejs/bench/crypto-symmetric.bench.js +28 -0
  73. package/lib/vendor/blamejs/bench/run.js +140 -0
  74. package/lib/vendor/blamejs/bench/safe-json.bench.js +31 -0
  75. package/lib/vendor/blamejs/bin/blamejs.js +13 -0
  76. package/lib/vendor/blamejs/docker/caddy/Caddyfile +46 -0
  77. package/lib/vendor/blamejs/docker/coredns/Corefile +37 -0
  78. package/lib/vendor/blamejs/docker/haproxy/haproxy.cfg +52 -0
  79. package/lib/vendor/blamejs/docker/init/generate-certs.sh +118 -0
  80. package/lib/vendor/blamejs/docker/keycloak/realm-blamejs-test.json +87 -0
  81. package/lib/vendor/blamejs/docker/mitmproxy/config.yaml +16 -0
  82. package/lib/vendor/blamejs/docker/mongo/init-tls.sh +17 -0
  83. package/lib/vendor/blamejs/docker/mysql/my.cnf +12 -0
  84. package/lib/vendor/blamejs/docker/nats/nats.conf +33 -0
  85. package/lib/vendor/blamejs/docker/postgres/init-tls.sh +17 -0
  86. package/lib/vendor/blamejs/docker/postgres/postgresql.conf +18 -0
  87. package/lib/vendor/blamejs/docker/rabbitmq/rabbitmq.conf +18 -0
  88. package/lib/vendor/blamejs/docker/redis/redis.conf +15 -0
  89. package/lib/vendor/blamejs/docker/squid/squid.conf +24 -0
  90. package/lib/vendor/blamejs/docker/syslog/syslog-ng.conf +34 -0
  91. package/lib/vendor/blamejs/docker-compose.test.yml +545 -0
  92. package/lib/vendor/blamejs/docs/cis-postgres-crosswalk.md +102 -0
  93. package/lib/vendor/blamejs/docs/cis-sqlite-equivalent.md +92 -0
  94. package/lib/vendor/blamejs/eslint.config.mjs +204 -0
  95. package/lib/vendor/blamejs/examples/wiki/Caddyfile +40 -0
  96. package/lib/vendor/blamejs/examples/wiki/DEPLOY.md +218 -0
  97. package/lib/vendor/blamejs/examples/wiki/Dockerfile +120 -0
  98. package/lib/vendor/blamejs/examples/wiki/README.md +157 -0
  99. package/lib/vendor/blamejs/examples/wiki/cli-snapshot.json +250 -0
  100. package/lib/vendor/blamejs/examples/wiki/docker-compose.prod.yml +231 -0
  101. package/lib/vendor/blamejs/examples/wiki/docker-compose.yml +166 -0
  102. package/lib/vendor/blamejs/examples/wiki/env-snapshot.json +217 -0
  103. package/lib/vendor/blamejs/examples/wiki/lib/auto-site-entries.js +139 -0
  104. package/lib/vendor/blamejs/examples/wiki/lib/build-app.js +555 -0
  105. package/lib/vendor/blamejs/examples/wiki/lib/harvest-cli.js +507 -0
  106. package/lib/vendor/blamejs/examples/wiki/lib/harvest-env-vars.js +435 -0
  107. package/lib/vendor/blamejs/examples/wiki/lib/harvest-errors.js +282 -0
  108. package/lib/vendor/blamejs/examples/wiki/lib/harvest-vendored-deps.js +321 -0
  109. package/lib/vendor/blamejs/examples/wiki/lib/nav.js +15 -0
  110. package/lib/vendor/blamejs/examples/wiki/lib/opts-resolver.js +75 -0
  111. package/lib/vendor/blamejs/examples/wiki/lib/page-generator.js +508 -0
  112. package/lib/vendor/blamejs/examples/wiki/lib/section.js +276 -0
  113. package/lib/vendor/blamejs/examples/wiki/lib/source-comment-block-validator.js +587 -0
  114. package/lib/vendor/blamejs/examples/wiki/lib/source-doc-parser.js +318 -0
  115. package/lib/vendor/blamejs/examples/wiki/lib/symbol-index.js +122 -0
  116. package/lib/vendor/blamejs/examples/wiki/migrations/0001-pages-schema.js +74 -0
  117. package/lib/vendor/blamejs/examples/wiki/package.json +18 -0
  118. package/lib/vendor/blamejs/examples/wiki/public/img/blamejs-logo.png +0 -0
  119. package/lib/vendor/blamejs/examples/wiki/public/img/blamejs-logo.svg +129 -0
  120. package/lib/vendor/blamejs/examples/wiki/public/robots.txt +5 -0
  121. package/lib/vendor/blamejs/examples/wiki/public/vendor/MANIFEST.json +30 -0
  122. package/lib/vendor/blamejs/examples/wiki/public/vendor/prism.css +1 -0
  123. package/lib/vendor/blamejs/examples/wiki/public/vendor/prism.js +15 -0
  124. package/lib/vendor/blamejs/examples/wiki/public/wiki.css +1250 -0
  125. package/lib/vendor/blamejs/examples/wiki/routes/admin.js +366 -0
  126. package/lib/vendor/blamejs/examples/wiki/routes/integration.js +230 -0
  127. package/lib/vendor/blamejs/examples/wiki/routes/pages.js +266 -0
  128. package/lib/vendor/blamejs/examples/wiki/scripts/backfill-module-metadata.js +214 -0
  129. package/lib/vendor/blamejs/examples/wiki/seeders/prod/0001-default-pages.js +35 -0
  130. package/lib/vendor/blamejs/examples/wiki/seeders/prod/pages/_index.js +34 -0
  131. package/lib/vendor/blamejs/examples/wiki/seeders/prod/pages/api.js +76 -0
  132. package/lib/vendor/blamejs/examples/wiki/server.js +129 -0
  133. package/lib/vendor/blamejs/examples/wiki/site.config.js +197 -0
  134. package/lib/vendor/blamejs/examples/wiki/snippets/README.md +38 -0
  135. package/lib/vendor/blamejs/examples/wiki/snippets/auth/password-hash.example.js +15 -0
  136. package/lib/vendor/blamejs/examples/wiki/src/editor.js +103 -0
  137. package/lib/vendor/blamejs/examples/wiki/src/wiki.js +349 -0
  138. package/lib/vendor/blamejs/examples/wiki/test/AUDIT.md +155 -0
  139. package/lib/vendor/blamejs/examples/wiki/test/codebase-patterns.test.js +594 -0
  140. package/lib/vendor/blamejs/examples/wiki/test/e2e.js +741 -0
  141. package/lib/vendor/blamejs/examples/wiki/test/find-missing-pages.js +254 -0
  142. package/lib/vendor/blamejs/examples/wiki/test/integration.js +391 -0
  143. package/lib/vendor/blamejs/examples/wiki/test/validate-cli-snapshot.js +379 -0
  144. package/lib/vendor/blamejs/examples/wiki/test/validate-env-snapshot.js +346 -0
  145. package/lib/vendor/blamejs/examples/wiki/test/validate-nav-coverage.js +212 -0
  146. package/lib/vendor/blamejs/examples/wiki/test/validate-site-coverage.js +252 -0
  147. package/lib/vendor/blamejs/examples/wiki/test/validate-source-comment-blocks.js +107 -0
  148. package/lib/vendor/blamejs/examples/wiki/views/_layout.html +115 -0
  149. package/lib/vendor/blamejs/examples/wiki/views/admin/api-keys.html +51 -0
  150. package/lib/vendor/blamejs/examples/wiki/views/admin/dashboard.html +22 -0
  151. package/lib/vendor/blamejs/examples/wiki/views/admin/edit.html +17 -0
  152. package/lib/vendor/blamejs/examples/wiki/views/home.html +85 -0
  153. package/lib/vendor/blamejs/examples/wiki/views/login.html +18 -0
  154. package/lib/vendor/blamejs/examples/wiki/views/page.html +5 -0
  155. package/lib/vendor/blamejs/examples/wiki/views/partials/nav.html +13 -0
  156. package/lib/vendor/blamejs/examples/wiki/views/search.html +19 -0
  157. package/lib/vendor/blamejs/examples/wiki/wiki.config.js +15 -0
  158. package/lib/vendor/blamejs/fuzz/README.md +137 -0
  159. package/lib/vendor/blamejs/fuzz/_expected.js +35 -0
  160. package/lib/vendor/blamejs/fuzz/guard-agent-registry.fuzz.js +22 -0
  161. package/lib/vendor/blamejs/fuzz/guard-csv.fuzz.js +16 -0
  162. package/lib/vendor/blamejs/fuzz/guard-csv_seed_corpus/01-basic.csv +3 -0
  163. package/lib/vendor/blamejs/fuzz/guard-csv_seed_corpus/02-formula.csv +1 -0
  164. package/lib/vendor/blamejs/fuzz/guard-csv_seed_corpus/03-hyperlink.csv +1 -0
  165. package/lib/vendor/blamejs/fuzz/guard-dsn.fuzz.js +22 -0
  166. package/lib/vendor/blamejs/fuzz/guard-email.fuzz.js +16 -0
  167. package/lib/vendor/blamejs/fuzz/guard-email_seed_corpus/01-basic.eml +5 -0
  168. package/lib/vendor/blamejs/fuzz/guard-envelope.fuzz.js +24 -0
  169. package/lib/vendor/blamejs/fuzz/guard-event-bus-payload.fuzz.js +24 -0
  170. package/lib/vendor/blamejs/fuzz/guard-event-bus-topic.fuzz.js +20 -0
  171. package/lib/vendor/blamejs/fuzz/guard-html.fuzz.js +16 -0
  172. package/lib/vendor/blamejs/fuzz/guard-html_seed_corpus/01-basic.html +1 -0
  173. package/lib/vendor/blamejs/fuzz/guard-html_seed_corpus/02-script.html +1 -0
  174. package/lib/vendor/blamejs/fuzz/guard-html_seed_corpus/03-event.html +1 -0
  175. package/lib/vendor/blamejs/fuzz/guard-html_seed_corpus/04-jsurl.html +1 -0
  176. package/lib/vendor/blamejs/fuzz/guard-idempotency-key.fuzz.js +20 -0
  177. package/lib/vendor/blamejs/fuzz/guard-imap-command.fuzz.js +35 -0
  178. package/lib/vendor/blamejs/fuzz/guard-jmap.fuzz.js +41 -0
  179. package/lib/vendor/blamejs/fuzz/guard-json.fuzz.js +16 -0
  180. package/lib/vendor/blamejs/fuzz/guard-json_seed_corpus/01-basic.json +1 -0
  181. package/lib/vendor/blamejs/fuzz/guard-json_seed_corpus/02-proto.json +1 -0
  182. package/lib/vendor/blamejs/fuzz/guard-json_seed_corpus/03-dupkey.json +1 -0
  183. package/lib/vendor/blamejs/fuzz/guard-json_seed_corpus/04-nan.json +1 -0
  184. package/lib/vendor/blamejs/fuzz/guard-json_seed_corpus/05-bom.json +1 -0
  185. package/lib/vendor/blamejs/fuzz/guard-list-id.fuzz.js +21 -0
  186. package/lib/vendor/blamejs/fuzz/guard-list-unsubscribe.fuzz.js +25 -0
  187. package/lib/vendor/blamejs/fuzz/guard-mail-compose.fuzz.js +22 -0
  188. package/lib/vendor/blamejs/fuzz/guard-mail-move.fuzz.js +22 -0
  189. package/lib/vendor/blamejs/fuzz/guard-mail-query.fuzz.js +27 -0
  190. package/lib/vendor/blamejs/fuzz/guard-mail-reply.fuzz.js +23 -0
  191. package/lib/vendor/blamejs/fuzz/guard-mail-sieve.fuzz.js +36 -0
  192. package/lib/vendor/blamejs/fuzz/guard-managesieve-command.fuzz.js +26 -0
  193. package/lib/vendor/blamejs/fuzz/guard-markdown.fuzz.js +16 -0
  194. package/lib/vendor/blamejs/fuzz/guard-markdown_seed_corpus/01-basic.md +2 -0
  195. package/lib/vendor/blamejs/fuzz/guard-markdown_seed_corpus/02-jsurl.md +1 -0
  196. package/lib/vendor/blamejs/fuzz/guard-markdown_seed_corpus/03-jsimg.md +1 -0
  197. package/lib/vendor/blamejs/fuzz/guard-message-id.fuzz.js +26 -0
  198. package/lib/vendor/blamejs/fuzz/guard-pop3-command.fuzz.js +23 -0
  199. package/lib/vendor/blamejs/fuzz/guard-posture-chain.fuzz.js +22 -0
  200. package/lib/vendor/blamejs/fuzz/guard-saga-config.fuzz.js +32 -0
  201. package/lib/vendor/blamejs/fuzz/guard-smtp-command.fuzz.js +27 -0
  202. package/lib/vendor/blamejs/fuzz/guard-snapshot-envelope.fuzz.js +22 -0
  203. package/lib/vendor/blamejs/fuzz/guard-stream-args.fuzz.js +22 -0
  204. package/lib/vendor/blamejs/fuzz/guard-svg.fuzz.js +16 -0
  205. package/lib/vendor/blamejs/fuzz/guard-svg_seed_corpus/01-basic.svg +1 -0
  206. package/lib/vendor/blamejs/fuzz/guard-svg_seed_corpus/02-script.svg +1 -0
  207. package/lib/vendor/blamejs/fuzz/guard-tenant-id.fuzz.js +20 -0
  208. package/lib/vendor/blamejs/fuzz/guard-trace-context.fuzz.js +30 -0
  209. package/lib/vendor/blamejs/fuzz/guard-xml.fuzz.js +16 -0
  210. package/lib/vendor/blamejs/fuzz/guard-xml_seed_corpus/01-basic.xml +1 -0
  211. package/lib/vendor/blamejs/fuzz/guard-xml_seed_corpus/02-xxe.xml +1 -0
  212. package/lib/vendor/blamejs/fuzz/guard-yaml.fuzz.js +16 -0
  213. package/lib/vendor/blamejs/fuzz/guard-yaml_seed_corpus/01-basic.yaml +2 -0
  214. package/lib/vendor/blamejs/fuzz/guard-yaml_seed_corpus/02-anchor.yaml +2 -0
  215. package/lib/vendor/blamejs/fuzz/guard-yaml_seed_corpus/03-norway.yaml +1 -0
  216. package/lib/vendor/blamejs/fuzz/guard-yaml_seed_corpus/04-multidoc.yaml +4 -0
  217. package/lib/vendor/blamejs/fuzz/parsers__safe-ini.fuzz.js +16 -0
  218. package/lib/vendor/blamejs/fuzz/parsers__safe-ini_seed_corpus/01-basic.ini +2 -0
  219. package/lib/vendor/blamejs/fuzz/parsers__safe-toml.fuzz.js +16 -0
  220. package/lib/vendor/blamejs/fuzz/parsers__safe-toml_seed_corpus/01-basic.toml +4 -0
  221. package/lib/vendor/blamejs/fuzz/parsers__safe-xml.fuzz.js +16 -0
  222. package/lib/vendor/blamejs/fuzz/parsers__safe-xml_seed_corpus/01-basic.xml +1 -0
  223. package/lib/vendor/blamejs/fuzz/parsers__safe-yaml.fuzz.js +16 -0
  224. package/lib/vendor/blamejs/fuzz/parsers__safe-yaml_seed_corpus/01-basic.yaml +4 -0
  225. package/lib/vendor/blamejs/fuzz/safe-decompress.fuzz.js +49 -0
  226. package/lib/vendor/blamejs/fuzz/safe-dns.fuzz.js +29 -0
  227. package/lib/vendor/blamejs/fuzz/safe-ical.fuzz.js +16 -0
  228. package/lib/vendor/blamejs/fuzz/safe-icap.fuzz.js +42 -0
  229. package/lib/vendor/blamejs/fuzz/safe-json.fuzz.js +25 -0
  230. package/lib/vendor/blamejs/fuzz/safe-json_seed_corpus/01-object.txt +1 -0
  231. package/lib/vendor/blamejs/fuzz/safe-json_seed_corpus/02-array.txt +1 -0
  232. package/lib/vendor/blamejs/fuzz/safe-json_seed_corpus/03-string.txt +1 -0
  233. package/lib/vendor/blamejs/fuzz/safe-json_seed_corpus/04-proto.txt +1 -0
  234. package/lib/vendor/blamejs/fuzz/safe-json_seed_corpus/05-deep.txt +1 -0
  235. package/lib/vendor/blamejs/fuzz/safe-jsonpath.fuzz.js +16 -0
  236. package/lib/vendor/blamejs/fuzz/safe-jsonpath_seed_corpus/01-basic.txt +1 -0
  237. package/lib/vendor/blamejs/fuzz/safe-jsonpath_seed_corpus/02-filter.txt +1 -0
  238. package/lib/vendor/blamejs/fuzz/safe-jsonpath_seed_corpus/03-deepscan.txt +1 -0
  239. package/lib/vendor/blamejs/fuzz/safe-jsonpath_seed_corpus/04-slice.txt +1 -0
  240. package/lib/vendor/blamejs/fuzz/safe-mime.fuzz.js +27 -0
  241. package/lib/vendor/blamejs/fuzz/safe-mount-info.fuzz.js +33 -0
  242. package/lib/vendor/blamejs/fuzz/safe-sieve.fuzz.js +28 -0
  243. package/lib/vendor/blamejs/fuzz/safe-smtp.fuzz.js +64 -0
  244. package/lib/vendor/blamejs/fuzz/safe-url.fuzz.js +16 -0
  245. package/lib/vendor/blamejs/fuzz/safe-url_seed_corpus/01-basic.txt +1 -0
  246. package/lib/vendor/blamejs/fuzz/safe-url_seed_corpus/02-userinfo.txt +1 -0
  247. package/lib/vendor/blamejs/fuzz/safe-url_seed_corpus/03-dangerous.txt +1 -0
  248. package/lib/vendor/blamejs/fuzz/safe-url_seed_corpus/04-data.txt +1 -0
  249. package/lib/vendor/blamejs/fuzz/safe-url_seed_corpus/05-ipv6.txt +1 -0
  250. package/lib/vendor/blamejs/fuzz/safe-url_seed_corpus/06-idn.txt +1 -0
  251. package/lib/vendor/blamejs/fuzz/safe-vcard.fuzz.js +16 -0
  252. package/lib/vendor/blamejs/index.js +678 -0
  253. package/lib/vendor/blamejs/keys/release-pqc-pub.json +7 -0
  254. package/lib/vendor/blamejs/lib/_test/crypto-fixtures.js +67 -0
  255. package/lib/vendor/blamejs/lib/a2a-tasks.js +598 -0
  256. package/lib/vendor/blamejs/lib/a2a.js +407 -0
  257. package/lib/vendor/blamejs/lib/acme.js +1448 -0
  258. package/lib/vendor/blamejs/lib/agent-audit.js +45 -0
  259. package/lib/vendor/blamejs/lib/agent-event-bus.js +382 -0
  260. package/lib/vendor/blamejs/lib/agent-idempotency.js +497 -0
  261. package/lib/vendor/blamejs/lib/agent-orchestrator.js +717 -0
  262. package/lib/vendor/blamejs/lib/agent-posture-chain.js +366 -0
  263. package/lib/vendor/blamejs/lib/agent-saga.js +321 -0
  264. package/lib/vendor/blamejs/lib/agent-snapshot.js +676 -0
  265. package/lib/vendor/blamejs/lib/agent-stream.js +269 -0
  266. package/lib/vendor/blamejs/lib/agent-tenant.js +632 -0
  267. package/lib/vendor/blamejs/lib/agent-trace.js +281 -0
  268. package/lib/vendor/blamejs/lib/ai-adverse-decision.js +184 -0
  269. package/lib/vendor/blamejs/lib/ai-content-detect.js +268 -0
  270. package/lib/vendor/blamejs/lib/ai-input.js +201 -0
  271. package/lib/vendor/blamejs/lib/ai-model-manifest.js +363 -0
  272. package/lib/vendor/blamejs/lib/ai-pref.js +340 -0
  273. package/lib/vendor/blamejs/lib/api-key.js +721 -0
  274. package/lib/vendor/blamejs/lib/api-snapshot.js +458 -0
  275. package/lib/vendor/blamejs/lib/app-shutdown.js +557 -0
  276. package/lib/vendor/blamejs/lib/app.js +365 -0
  277. package/lib/vendor/blamejs/lib/archive.js +547 -0
  278. package/lib/vendor/blamejs/lib/arg-parser.js +697 -0
  279. package/lib/vendor/blamejs/lib/argon2-builtin.js +173 -0
  280. package/lib/vendor/blamejs/lib/asn1-der.js +424 -0
  281. package/lib/vendor/blamejs/lib/asyncapi-bindings.js +160 -0
  282. package/lib/vendor/blamejs/lib/asyncapi-traits.js +143 -0
  283. package/lib/vendor/blamejs/lib/asyncapi.js +575 -0
  284. package/lib/vendor/blamejs/lib/atomic-file.js +1023 -0
  285. package/lib/vendor/blamejs/lib/audit-chain.js +266 -0
  286. package/lib/vendor/blamejs/lib/audit-daily-review.js +389 -0
  287. package/lib/vendor/blamejs/lib/audit-sign.js +751 -0
  288. package/lib/vendor/blamejs/lib/audit-tools.js +1113 -0
  289. package/lib/vendor/blamejs/lib/audit.js +1671 -0
  290. package/lib/vendor/blamejs/lib/auth/aal.js +169 -0
  291. package/lib/vendor/blamejs/lib/auth/access-lock.js +220 -0
  292. package/lib/vendor/blamejs/lib/auth/acr-vocabulary.js +265 -0
  293. package/lib/vendor/blamejs/lib/auth/ato-kill-switch.js +112 -0
  294. package/lib/vendor/blamejs/lib/auth/auth-time-tracker.js +111 -0
  295. package/lib/vendor/blamejs/lib/auth/bot-challenge.js +573 -0
  296. package/lib/vendor/blamejs/lib/auth/ciba.js +637 -0
  297. package/lib/vendor/blamejs/lib/auth/dpop.js +516 -0
  298. package/lib/vendor/blamejs/lib/auth/elevation-grant.js +306 -0
  299. package/lib/vendor/blamejs/lib/auth/fal.js +229 -0
  300. package/lib/vendor/blamejs/lib/auth/fido-mds3.js +681 -0
  301. package/lib/vendor/blamejs/lib/auth/jwt-external.js +519 -0
  302. package/lib/vendor/blamejs/lib/auth/jwt.js +430 -0
  303. package/lib/vendor/blamejs/lib/auth/lockout.js +449 -0
  304. package/lib/vendor/blamejs/lib/auth/oauth.js +2141 -0
  305. package/lib/vendor/blamejs/lib/auth/oid4vci.js +657 -0
  306. package/lib/vendor/blamejs/lib/auth/oid4vp.js +531 -0
  307. package/lib/vendor/blamejs/lib/auth/openid-federation.js +600 -0
  308. package/lib/vendor/blamejs/lib/auth/passkey.js +676 -0
  309. package/lib/vendor/blamejs/lib/auth/password.js +693 -0
  310. package/lib/vendor/blamejs/lib/auth/saml.js +2109 -0
  311. package/lib/vendor/blamejs/lib/auth/sd-jwt-vc-disclosure.js +95 -0
  312. package/lib/vendor/blamejs/lib/auth/sd-jwt-vc-holder.js +225 -0
  313. package/lib/vendor/blamejs/lib/auth/sd-jwt-vc-issuer.js +197 -0
  314. package/lib/vendor/blamejs/lib/auth/sd-jwt-vc.js +728 -0
  315. package/lib/vendor/blamejs/lib/auth/status-list.js +272 -0
  316. package/lib/vendor/blamejs/lib/auth/step-up-policy.js +335 -0
  317. package/lib/vendor/blamejs/lib/auth/step-up.js +454 -0
  318. package/lib/vendor/blamejs/lib/auth-bot-challenge.js +505 -0
  319. package/lib/vendor/blamejs/lib/auth-header.js +148 -0
  320. package/lib/vendor/blamejs/lib/backup/bundle.js +265 -0
  321. package/lib/vendor/blamejs/lib/backup/crypto.js +176 -0
  322. package/lib/vendor/blamejs/lib/backup/index.js +1001 -0
  323. package/lib/vendor/blamejs/lib/backup/manifest.js +443 -0
  324. package/lib/vendor/blamejs/lib/boot-gates.js +174 -0
  325. package/lib/vendor/blamejs/lib/breach-deadline.js +272 -0
  326. package/lib/vendor/blamejs/lib/break-glass.js +1753 -0
  327. package/lib/vendor/blamejs/lib/budr.js +205 -0
  328. package/lib/vendor/blamejs/lib/bundler.js +461 -0
  329. package/lib/vendor/blamejs/lib/cache-redis.js +256 -0
  330. package/lib/vendor/blamejs/lib/cache-status.js +288 -0
  331. package/lib/vendor/blamejs/lib/cache.js +1331 -0
  332. package/lib/vendor/blamejs/lib/calendar.js +1240 -0
  333. package/lib/vendor/blamejs/lib/canonical-json.js +143 -0
  334. package/lib/vendor/blamejs/lib/cdn-cache-control.js +473 -0
  335. package/lib/vendor/blamejs/lib/cert.js +763 -0
  336. package/lib/vendor/blamejs/lib/chain-writer.js +259 -0
  337. package/lib/vendor/blamejs/lib/circuit-breaker.js +101 -0
  338. package/lib/vendor/blamejs/lib/cli-helpers.js +237 -0
  339. package/lib/vendor/blamejs/lib/cli.js +2328 -0
  340. package/lib/vendor/blamejs/lib/client-hints.js +318 -0
  341. package/lib/vendor/blamejs/lib/cloud-events.js +277 -0
  342. package/lib/vendor/blamejs/lib/cluster-provider-db.js +317 -0
  343. package/lib/vendor/blamejs/lib/cluster-storage.js +351 -0
  344. package/lib/vendor/blamejs/lib/cluster.js +1017 -0
  345. package/lib/vendor/blamejs/lib/cms-codec.js +826 -0
  346. package/lib/vendor/blamejs/lib/codepoint-class.js +262 -0
  347. package/lib/vendor/blamejs/lib/compliance-ai-act-logging.js +190 -0
  348. package/lib/vendor/blamejs/lib/compliance-ai-act-prohibited.js +205 -0
  349. package/lib/vendor/blamejs/lib/compliance-ai-act-risk.js +189 -0
  350. package/lib/vendor/blamejs/lib/compliance-ai-act-transparency.js +200 -0
  351. package/lib/vendor/blamejs/lib/compliance-ai-act.js +821 -0
  352. package/lib/vendor/blamejs/lib/compliance-eaa.js +204 -0
  353. package/lib/vendor/blamejs/lib/compliance-sanctions-aliases.js +167 -0
  354. package/lib/vendor/blamejs/lib/compliance-sanctions-fetcher.js +206 -0
  355. package/lib/vendor/blamejs/lib/compliance-sanctions-fuzzy.js +297 -0
  356. package/lib/vendor/blamejs/lib/compliance-sanctions.js +569 -0
  357. package/lib/vendor/blamejs/lib/compliance.js +1558 -0
  358. package/lib/vendor/blamejs/lib/config-drift.js +426 -0
  359. package/lib/vendor/blamejs/lib/config.js +446 -0
  360. package/lib/vendor/blamejs/lib/consent.js +369 -0
  361. package/lib/vendor/blamejs/lib/constants.js +209 -0
  362. package/lib/vendor/blamejs/lib/content-credentials.js +704 -0
  363. package/lib/vendor/blamejs/lib/cookies.js +560 -0
  364. package/lib/vendor/blamejs/lib/cra-report.js +299 -0
  365. package/lib/vendor/blamejs/lib/credential-hash.js +394 -0
  366. package/lib/vendor/blamejs/lib/crypto-field.js +1017 -0
  367. package/lib/vendor/blamejs/lib/crypto-hpke-pq.js +187 -0
  368. package/lib/vendor/blamejs/lib/crypto-hpke.js +256 -0
  369. package/lib/vendor/blamejs/lib/crypto.js +1908 -0
  370. package/lib/vendor/blamejs/lib/csp.js +271 -0
  371. package/lib/vendor/blamejs/lib/csv.js +418 -0
  372. package/lib/vendor/blamejs/lib/daemon.js +481 -0
  373. package/lib/vendor/blamejs/lib/dark-patterns.js +488 -0
  374. package/lib/vendor/blamejs/lib/data-act.js +328 -0
  375. package/lib/vendor/blamejs/lib/db-collection.js +587 -0
  376. package/lib/vendor/blamejs/lib/db-declare-row-policy.js +267 -0
  377. package/lib/vendor/blamejs/lib/db-declare-view.js +420 -0
  378. package/lib/vendor/blamejs/lib/db-file-lifecycle.js +333 -0
  379. package/lib/vendor/blamejs/lib/db-query.js +802 -0
  380. package/lib/vendor/blamejs/lib/db-role-context.js +50 -0
  381. package/lib/vendor/blamejs/lib/db-schema.js +322 -0
  382. package/lib/vendor/blamejs/lib/db.js +3111 -0
  383. package/lib/vendor/blamejs/lib/dbsc.js +299 -0
  384. package/lib/vendor/blamejs/lib/ddl-change-control.js +523 -0
  385. package/lib/vendor/blamejs/lib/deprecate.js +377 -0
  386. package/lib/vendor/blamejs/lib/dev.js +405 -0
  387. package/lib/vendor/blamejs/lib/dora.js +402 -0
  388. package/lib/vendor/blamejs/lib/dr-runbook.js +368 -0
  389. package/lib/vendor/blamejs/lib/dsr.js +1188 -0
  390. package/lib/vendor/blamejs/lib/dual-control.js +526 -0
  391. package/lib/vendor/blamejs/lib/early-hints.js +212 -0
  392. package/lib/vendor/blamejs/lib/error-page.js +420 -0
  393. package/lib/vendor/blamejs/lib/events.js +214 -0
  394. package/lib/vendor/blamejs/lib/external-db-migrate.js +659 -0
  395. package/lib/vendor/blamejs/lib/external-db.js +1877 -0
  396. package/lib/vendor/blamejs/lib/fapi2.js +394 -0
  397. package/lib/vendor/blamejs/lib/fda-21cfr11.js +395 -0
  398. package/lib/vendor/blamejs/lib/fdx.js +370 -0
  399. package/lib/vendor/blamejs/lib/fedcm.js +264 -0
  400. package/lib/vendor/blamejs/lib/file-type.js +360 -0
  401. package/lib/vendor/blamejs/lib/file-upload.js +1256 -0
  402. package/lib/vendor/blamejs/lib/flag-cache.js +136 -0
  403. package/lib/vendor/blamejs/lib/flag-evaluation-context.js +135 -0
  404. package/lib/vendor/blamejs/lib/flag-providers.js +279 -0
  405. package/lib/vendor/blamejs/lib/flag-targeting.js +210 -0
  406. package/lib/vendor/blamejs/lib/flag.js +346 -0
  407. package/lib/vendor/blamejs/lib/forms.js +525 -0
  408. package/lib/vendor/blamejs/lib/framework-error.js +724 -0
  409. package/lib/vendor/blamejs/lib/framework-schema.js +845 -0
  410. package/lib/vendor/blamejs/lib/framework-sha1-hibp.js +34 -0
  411. package/lib/vendor/blamejs/lib/fsm.js +469 -0
  412. package/lib/vendor/blamejs/lib/gate-contract.js +1661 -0
  413. package/lib/vendor/blamejs/lib/gdpr-ropa.js +261 -0
  414. package/lib/vendor/blamejs/lib/graphql-federation.js +234 -0
  415. package/lib/vendor/blamejs/lib/guard-agent-registry.js +179 -0
  416. package/lib/vendor/blamejs/lib/guard-all.js +555 -0
  417. package/lib/vendor/blamejs/lib/guard-archive.js +901 -0
  418. package/lib/vendor/blamejs/lib/guard-auth.js +451 -0
  419. package/lib/vendor/blamejs/lib/guard-cidr.js +676 -0
  420. package/lib/vendor/blamejs/lib/guard-csv.js +1176 -0
  421. package/lib/vendor/blamejs/lib/guard-domain.js +814 -0
  422. package/lib/vendor/blamejs/lib/guard-dsn.js +382 -0
  423. package/lib/vendor/blamejs/lib/guard-email.js +951 -0
  424. package/lib/vendor/blamejs/lib/guard-envelope.js +294 -0
  425. package/lib/vendor/blamejs/lib/guard-event-bus-payload.js +217 -0
  426. package/lib/vendor/blamejs/lib/guard-event-bus-topic.js +150 -0
  427. package/lib/vendor/blamejs/lib/guard-filename.js +956 -0
  428. package/lib/vendor/blamejs/lib/guard-graphql.js +731 -0
  429. package/lib/vendor/blamejs/lib/guard-html-wcag-aria.js +164 -0
  430. package/lib/vendor/blamejs/lib/guard-html-wcag-forms.js +144 -0
  431. package/lib/vendor/blamejs/lib/guard-html-wcag-tables.js +154 -0
  432. package/lib/vendor/blamejs/lib/guard-html-wcag-tagwalk.js +44 -0
  433. package/lib/vendor/blamejs/lib/guard-html-wcag.js +470 -0
  434. package/lib/vendor/blamejs/lib/guard-html.js +1209 -0
  435. package/lib/vendor/blamejs/lib/guard-idempotency-key.js +151 -0
  436. package/lib/vendor/blamejs/lib/guard-image.js +584 -0
  437. package/lib/vendor/blamejs/lib/guard-imap-command.js +337 -0
  438. package/lib/vendor/blamejs/lib/guard-jmap.js +321 -0
  439. package/lib/vendor/blamejs/lib/guard-json.js +935 -0
  440. package/lib/vendor/blamejs/lib/guard-jsonpath.js +512 -0
  441. package/lib/vendor/blamejs/lib/guard-jwt.js +772 -0
  442. package/lib/vendor/blamejs/lib/guard-list-id.js +318 -0
  443. package/lib/vendor/blamejs/lib/guard-list-unsubscribe.js +412 -0
  444. package/lib/vendor/blamejs/lib/guard-mail-compose.js +282 -0
  445. package/lib/vendor/blamejs/lib/guard-mail-move.js +202 -0
  446. package/lib/vendor/blamejs/lib/guard-mail-query.js +310 -0
  447. package/lib/vendor/blamejs/lib/guard-mail-reply.js +172 -0
  448. package/lib/vendor/blamejs/lib/guard-mail-sieve.js +207 -0
  449. package/lib/vendor/blamejs/lib/guard-managesieve-command.js +566 -0
  450. package/lib/vendor/blamejs/lib/guard-markdown.js +768 -0
  451. package/lib/vendor/blamejs/lib/guard-message-id.js +267 -0
  452. package/lib/vendor/blamejs/lib/guard-mime.js +609 -0
  453. package/lib/vendor/blamejs/lib/guard-oauth.js +650 -0
  454. package/lib/vendor/blamejs/lib/guard-pdf.js +569 -0
  455. package/lib/vendor/blamejs/lib/guard-pop3-command.js +317 -0
  456. package/lib/vendor/blamejs/lib/guard-posture-chain.js +201 -0
  457. package/lib/vendor/blamejs/lib/guard-regex.js +632 -0
  458. package/lib/vendor/blamejs/lib/guard-saga-config.js +157 -0
  459. package/lib/vendor/blamejs/lib/guard-shell.js +522 -0
  460. package/lib/vendor/blamejs/lib/guard-smtp-command.js +594 -0
  461. package/lib/vendor/blamejs/lib/guard-snapshot-envelope.js +168 -0
  462. package/lib/vendor/blamejs/lib/guard-stream-args.js +166 -0
  463. package/lib/vendor/blamejs/lib/guard-svg.js +1163 -0
  464. package/lib/vendor/blamejs/lib/guard-template.js +490 -0
  465. package/lib/vendor/blamejs/lib/guard-tenant-id.js +138 -0
  466. package/lib/vendor/blamejs/lib/guard-time.js +586 -0
  467. package/lib/vendor/blamejs/lib/guard-trace-context.js +172 -0
  468. package/lib/vendor/blamejs/lib/guard-uuid.js +548 -0
  469. package/lib/vendor/blamejs/lib/guard-xml.js +666 -0
  470. package/lib/vendor/blamejs/lib/guard-yaml.js +726 -0
  471. package/lib/vendor/blamejs/lib/hal.js +125 -0
  472. package/lib/vendor/blamejs/lib/handlers.js +350 -0
  473. package/lib/vendor/blamejs/lib/honeytoken.js +168 -0
  474. package/lib/vendor/blamejs/lib/html-balance.js +347 -0
  475. package/lib/vendor/blamejs/lib/http-client-cache.js +923 -0
  476. package/lib/vendor/blamejs/lib/http-client-cookie-jar.js +519 -0
  477. package/lib/vendor/blamejs/lib/http-client.js +2152 -0
  478. package/lib/vendor/blamejs/lib/http-message-signature.js +589 -0
  479. package/lib/vendor/blamejs/lib/http2-teardown.js +34 -0
  480. package/lib/vendor/blamejs/lib/i18n-messageformat.js +398 -0
  481. package/lib/vendor/blamejs/lib/i18n.js +931 -0
  482. package/lib/vendor/blamejs/lib/iab-mspa.js +257 -0
  483. package/lib/vendor/blamejs/lib/iab-tcf.js +461 -0
  484. package/lib/vendor/blamejs/lib/importmap-integrity.js +90 -0
  485. package/lib/vendor/blamejs/lib/inbox.js +435 -0
  486. package/lib/vendor/blamejs/lib/incident-report.js +314 -0
  487. package/lib/vendor/blamejs/lib/ip-utils.js +102 -0
  488. package/lib/vendor/blamejs/lib/jobs.js +185 -0
  489. package/lib/vendor/blamejs/lib/jose-jwe-experimental.js +228 -0
  490. package/lib/vendor/blamejs/lib/jsonapi.js +230 -0
  491. package/lib/vendor/blamejs/lib/keychain.js +865 -0
  492. package/lib/vendor/blamejs/lib/lazy-require.js +48 -0
  493. package/lib/vendor/blamejs/lib/legal-hold.js +374 -0
  494. package/lib/vendor/blamejs/lib/local-db-thin.js +321 -0
  495. package/lib/vendor/blamejs/lib/log-stream-cloudwatch.js +369 -0
  496. package/lib/vendor/blamejs/lib/log-stream-local.js +146 -0
  497. package/lib/vendor/blamejs/lib/log-stream-otlp-grpc.js +410 -0
  498. package/lib/vendor/blamejs/lib/log-stream-otlp.js +286 -0
  499. package/lib/vendor/blamejs/lib/log-stream-syslog.js +310 -0
  500. package/lib/vendor/blamejs/lib/log-stream-webhook.js +199 -0
  501. package/lib/vendor/blamejs/lib/log-stream.js +584 -0
  502. package/lib/vendor/blamejs/lib/log.js +625 -0
  503. package/lib/vendor/blamejs/lib/lro.js +200 -0
  504. package/lib/vendor/blamejs/lib/mail-agent.js +786 -0
  505. package/lib/vendor/blamejs/lib/mail-arc-sign.js +417 -0
  506. package/lib/vendor/blamejs/lib/mail-arf.js +343 -0
  507. package/lib/vendor/blamejs/lib/mail-auth.js +2144 -0
  508. package/lib/vendor/blamejs/lib/mail-bimi.js +1047 -0
  509. package/lib/vendor/blamejs/lib/mail-bounce.js +955 -0
  510. package/lib/vendor/blamejs/lib/mail-crypto-pgp.js +1286 -0
  511. package/lib/vendor/blamejs/lib/mail-crypto-smime.js +789 -0
  512. package/lib/vendor/blamejs/lib/mail-crypto.js +108 -0
  513. package/lib/vendor/blamejs/lib/mail-dav.js +1224 -0
  514. package/lib/vendor/blamejs/lib/mail-deploy.js +1119 -0
  515. package/lib/vendor/blamejs/lib/mail-dkim.js +1250 -0
  516. package/lib/vendor/blamejs/lib/mail-greylist.js +448 -0
  517. package/lib/vendor/blamejs/lib/mail-helo.js +473 -0
  518. package/lib/vendor/blamejs/lib/mail-journal.js +435 -0
  519. package/lib/vendor/blamejs/lib/mail-mdn.js +424 -0
  520. package/lib/vendor/blamejs/lib/mail-rbl.js +392 -0
  521. package/lib/vendor/blamejs/lib/mail-require-tls.js +198 -0
  522. package/lib/vendor/blamejs/lib/mail-scan.js +502 -0
  523. package/lib/vendor/blamejs/lib/mail-send-deliver.js +629 -0
  524. package/lib/vendor/blamejs/lib/mail-server-imap.js +1858 -0
  525. package/lib/vendor/blamejs/lib/mail-server-jmap.js +1565 -0
  526. package/lib/vendor/blamejs/lib/mail-server-managesieve.js +908 -0
  527. package/lib/vendor/blamejs/lib/mail-server-mx.js +969 -0
  528. package/lib/vendor/blamejs/lib/mail-server-pop3.js +915 -0
  529. package/lib/vendor/blamejs/lib/mail-server-rate-limit.js +315 -0
  530. package/lib/vendor/blamejs/lib/mail-server-registry.js +378 -0
  531. package/lib/vendor/blamejs/lib/mail-server-submission.js +1396 -0
  532. package/lib/vendor/blamejs/lib/mail-server-tls.js +445 -0
  533. package/lib/vendor/blamejs/lib/mail-sieve.js +557 -0
  534. package/lib/vendor/blamejs/lib/mail-spam-score.js +284 -0
  535. package/lib/vendor/blamejs/lib/mail-srs.js +248 -0
  536. package/lib/vendor/blamejs/lib/mail-store-fts.js +394 -0
  537. package/lib/vendor/blamejs/lib/mail-store.js +929 -0
  538. package/lib/vendor/blamejs/lib/mail-unsubscribe.js +400 -0
  539. package/lib/vendor/blamejs/lib/mail.js +1971 -0
  540. package/lib/vendor/blamejs/lib/mcp-tool-registry.js +473 -0
  541. package/lib/vendor/blamejs/lib/mcp.js +950 -0
  542. package/lib/vendor/blamejs/lib/metrics.js +1503 -0
  543. package/lib/vendor/blamejs/lib/middleware/age-gate.js +177 -0
  544. package/lib/vendor/blamejs/lib/middleware/ai-act-disclosure.js +203 -0
  545. package/lib/vendor/blamejs/lib/middleware/api-encrypt.js +981 -0
  546. package/lib/vendor/blamejs/lib/middleware/assetlinks.js +137 -0
  547. package/lib/vendor/blamejs/lib/middleware/asyncapi-serve.js +171 -0
  548. package/lib/vendor/blamejs/lib/middleware/attach-user.js +220 -0
  549. package/lib/vendor/blamejs/lib/middleware/bearer-auth.js +293 -0
  550. package/lib/vendor/blamejs/lib/middleware/body-parser.js +1519 -0
  551. package/lib/vendor/blamejs/lib/middleware/bot-disclose.js +183 -0
  552. package/lib/vendor/blamejs/lib/middleware/bot-guard.js +217 -0
  553. package/lib/vendor/blamejs/lib/middleware/clear-site-data.js +122 -0
  554. package/lib/vendor/blamejs/lib/middleware/compose-pipeline.js +355 -0
  555. package/lib/vendor/blamejs/lib/middleware/compression.js +489 -0
  556. package/lib/vendor/blamejs/lib/middleware/cookies.js +130 -0
  557. package/lib/vendor/blamejs/lib/middleware/cors.js +386 -0
  558. package/lib/vendor/blamejs/lib/middleware/csp-nonce.js +388 -0
  559. package/lib/vendor/blamejs/lib/middleware/csp-report.js +167 -0
  560. package/lib/vendor/blamejs/lib/middleware/csrf-protect.js +499 -0
  561. package/lib/vendor/blamejs/lib/middleware/daily-byte-quota.js +243 -0
  562. package/lib/vendor/blamejs/lib/middleware/db-role-for.js +304 -0
  563. package/lib/vendor/blamejs/lib/middleware/dpop.js +402 -0
  564. package/lib/vendor/blamejs/lib/middleware/error-handler.js +69 -0
  565. package/lib/vendor/blamejs/lib/middleware/fetch-metadata.js +168 -0
  566. package/lib/vendor/blamejs/lib/middleware/flag-context.js +110 -0
  567. package/lib/vendor/blamejs/lib/middleware/gpc.js +153 -0
  568. package/lib/vendor/blamejs/lib/middleware/headers.js +242 -0
  569. package/lib/vendor/blamejs/lib/middleware/health.js +438 -0
  570. package/lib/vendor/blamejs/lib/middleware/host-allowlist.js +189 -0
  571. package/lib/vendor/blamejs/lib/middleware/idempotency-key.js +964 -0
  572. package/lib/vendor/blamejs/lib/middleware/index.js +183 -0
  573. package/lib/vendor/blamejs/lib/middleware/nel.js +214 -0
  574. package/lib/vendor/blamejs/lib/middleware/network-allowlist.js +237 -0
  575. package/lib/vendor/blamejs/lib/middleware/no-cache.js +106 -0
  576. package/lib/vendor/blamejs/lib/middleware/openapi-serve.js +177 -0
  577. package/lib/vendor/blamejs/lib/middleware/protected-resource-metadata.js +277 -0
  578. package/lib/vendor/blamejs/lib/middleware/rate-limit.js +556 -0
  579. package/lib/vendor/blamejs/lib/middleware/request-id.js +79 -0
  580. package/lib/vendor/blamejs/lib/middleware/request-log.js +205 -0
  581. package/lib/vendor/blamejs/lib/middleware/require-aal.js +138 -0
  582. package/lib/vendor/blamejs/lib/middleware/require-auth.js +144 -0
  583. package/lib/vendor/blamejs/lib/middleware/require-bound-key.js +290 -0
  584. package/lib/vendor/blamejs/lib/middleware/require-content-type.js +113 -0
  585. package/lib/vendor/blamejs/lib/middleware/require-methods.js +97 -0
  586. package/lib/vendor/blamejs/lib/middleware/require-mtls.js +212 -0
  587. package/lib/vendor/blamejs/lib/middleware/require-step-up.js +226 -0
  588. package/lib/vendor/blamejs/lib/middleware/scim-server.js +375 -0
  589. package/lib/vendor/blamejs/lib/middleware/security-headers.js +285 -0
  590. package/lib/vendor/blamejs/lib/middleware/security-txt.js +170 -0
  591. package/lib/vendor/blamejs/lib/middleware/span-http-server.js +280 -0
  592. package/lib/vendor/blamejs/lib/middleware/speculation-rules.js +323 -0
  593. package/lib/vendor/blamejs/lib/middleware/sse.js +200 -0
  594. package/lib/vendor/blamejs/lib/middleware/trace-log-correlation.js +167 -0
  595. package/lib/vendor/blamejs/lib/middleware/trace-propagate.js +148 -0
  596. package/lib/vendor/blamejs/lib/middleware/tus-upload.js +749 -0
  597. package/lib/vendor/blamejs/lib/middleware/web-app-manifest.js +164 -0
  598. package/lib/vendor/blamejs/lib/migration-files.js +37 -0
  599. package/lib/vendor/blamejs/lib/migrations.js +385 -0
  600. package/lib/vendor/blamejs/lib/mime-parse.js +198 -0
  601. package/lib/vendor/blamejs/lib/money.js +699 -0
  602. package/lib/vendor/blamejs/lib/mtls-ca.js +572 -0
  603. package/lib/vendor/blamejs/lib/mtls-engine-default.js +501 -0
  604. package/lib/vendor/blamejs/lib/network-byte-quota.js +308 -0
  605. package/lib/vendor/blamejs/lib/network-dns-resolver.js +533 -0
  606. package/lib/vendor/blamejs/lib/network-dns.js +1930 -0
  607. package/lib/vendor/blamejs/lib/network-heartbeat.js +425 -0
  608. package/lib/vendor/blamejs/lib/network-nts.js +574 -0
  609. package/lib/vendor/blamejs/lib/network-proxy.js +265 -0
  610. package/lib/vendor/blamejs/lib/network-smtp-policy.js +836 -0
  611. package/lib/vendor/blamejs/lib/network-tls.js +3126 -0
  612. package/lib/vendor/blamejs/lib/network.js +346 -0
  613. package/lib/vendor/blamejs/lib/nis2-report.js +181 -0
  614. package/lib/vendor/blamejs/lib/nist-crosswalk.js +293 -0
  615. package/lib/vendor/blamejs/lib/nonce-store.js +177 -0
  616. package/lib/vendor/blamejs/lib/notify.js +683 -0
  617. package/lib/vendor/blamejs/lib/ntp-check.js +458 -0
  618. package/lib/vendor/blamejs/lib/numeric-bounds.js +111 -0
  619. package/lib/vendor/blamejs/lib/numeric-checks.js +40 -0
  620. package/lib/vendor/blamejs/lib/object-store/azure-blob-bucket-ops.js +349 -0
  621. package/lib/vendor/blamejs/lib/object-store/azure-blob.js +488 -0
  622. package/lib/vendor/blamejs/lib/object-store/gcs-bucket-ops.js +351 -0
  623. package/lib/vendor/blamejs/lib/object-store/gcs.js +515 -0
  624. package/lib/vendor/blamejs/lib/object-store/http-put.js +153 -0
  625. package/lib/vendor/blamejs/lib/object-store/http-request.js +38 -0
  626. package/lib/vendor/blamejs/lib/object-store/index.js +197 -0
  627. package/lib/vendor/blamejs/lib/object-store/local.js +163 -0
  628. package/lib/vendor/blamejs/lib/object-store/sigv4-bucket-ops.js +1133 -0
  629. package/lib/vendor/blamejs/lib/object-store/sigv4.js +957 -0
  630. package/lib/vendor/blamejs/lib/observability-otlp-exporter.js +420 -0
  631. package/lib/vendor/blamejs/lib/observability-tracer.js +395 -0
  632. package/lib/vendor/blamejs/lib/observability.js +720 -0
  633. package/lib/vendor/blamejs/lib/openapi-paths-builder.js +248 -0
  634. package/lib/vendor/blamejs/lib/openapi-schema-walk.js +192 -0
  635. package/lib/vendor/blamejs/lib/openapi-security.js +169 -0
  636. package/lib/vendor/blamejs/lib/openapi-yaml.js +154 -0
  637. package/lib/vendor/blamejs/lib/openapi.js +489 -0
  638. package/lib/vendor/blamejs/lib/otel-export.js +278 -0
  639. package/lib/vendor/blamejs/lib/outbox.js +547 -0
  640. package/lib/vendor/blamejs/lib/pagination.js +542 -0
  641. package/lib/vendor/blamejs/lib/parsers/index.js +91 -0
  642. package/lib/vendor/blamejs/lib/parsers/safe-env.js +642 -0
  643. package/lib/vendor/blamejs/lib/parsers/safe-ini.js +293 -0
  644. package/lib/vendor/blamejs/lib/parsers/safe-toml.js +784 -0
  645. package/lib/vendor/blamejs/lib/parsers/safe-xml.js +390 -0
  646. package/lib/vendor/blamejs/lib/parsers/safe-yaml.js +1015 -0
  647. package/lib/vendor/blamejs/lib/permissions.js +793 -0
  648. package/lib/vendor/blamejs/lib/pick.js +105 -0
  649. package/lib/vendor/blamejs/lib/pqc-agent.js +351 -0
  650. package/lib/vendor/blamejs/lib/pqc-gate.js +279 -0
  651. package/lib/vendor/blamejs/lib/pqc-software.js +271 -0
  652. package/lib/vendor/blamejs/lib/problem-details.js +482 -0
  653. package/lib/vendor/blamejs/lib/process-spawn.js +196 -0
  654. package/lib/vendor/blamejs/lib/promise-pool.js +162 -0
  655. package/lib/vendor/blamejs/lib/protobuf-encoder.js +190 -0
  656. package/lib/vendor/blamejs/lib/protocol-dispatcher.js +161 -0
  657. package/lib/vendor/blamejs/lib/public-suffix.js +403 -0
  658. package/lib/vendor/blamejs/lib/pubsub-cluster.js +154 -0
  659. package/lib/vendor/blamejs/lib/pubsub-redis.js +167 -0
  660. package/lib/vendor/blamejs/lib/pubsub.js +463 -0
  661. package/lib/vendor/blamejs/lib/queue-local.js +476 -0
  662. package/lib/vendor/blamejs/lib/queue-redis.js +745 -0
  663. package/lib/vendor/blamejs/lib/queue-sqs.js +319 -0
  664. package/lib/vendor/blamejs/lib/queue.js +1016 -0
  665. package/lib/vendor/blamejs/lib/redact.js +1007 -0
  666. package/lib/vendor/blamejs/lib/redis-client.js +520 -0
  667. package/lib/vendor/blamejs/lib/render.js +285 -0
  668. package/lib/vendor/blamejs/lib/request-helpers.js +767 -0
  669. package/lib/vendor/blamejs/lib/resource-access-lock.js +116 -0
  670. package/lib/vendor/blamejs/lib/restore-bundle.js +340 -0
  671. package/lib/vendor/blamejs/lib/restore-rollback.js +365 -0
  672. package/lib/vendor/blamejs/lib/restore.js +409 -0
  673. package/lib/vendor/blamejs/lib/retention.js +640 -0
  674. package/lib/vendor/blamejs/lib/retry.js +523 -0
  675. package/lib/vendor/blamejs/lib/router.js +1289 -0
  676. package/lib/vendor/blamejs/lib/safe-async.js +1184 -0
  677. package/lib/vendor/blamejs/lib/safe-buffer.js +562 -0
  678. package/lib/vendor/blamejs/lib/safe-decompress.js +297 -0
  679. package/lib/vendor/blamejs/lib/safe-dns.js +665 -0
  680. package/lib/vendor/blamejs/lib/safe-ical.js +634 -0
  681. package/lib/vendor/blamejs/lib/safe-icap.js +502 -0
  682. package/lib/vendor/blamejs/lib/safe-json.js +946 -0
  683. package/lib/vendor/blamejs/lib/safe-jsonpath.js +285 -0
  684. package/lib/vendor/blamejs/lib/safe-mime.js +831 -0
  685. package/lib/vendor/blamejs/lib/safe-mount-info.js +306 -0
  686. package/lib/vendor/blamejs/lib/safe-path.js +254 -0
  687. package/lib/vendor/blamejs/lib/safe-redirect.js +106 -0
  688. package/lib/vendor/blamejs/lib/safe-schema.js +1810 -0
  689. package/lib/vendor/blamejs/lib/safe-sieve.js +684 -0
  690. package/lib/vendor/blamejs/lib/safe-smtp.js +185 -0
  691. package/lib/vendor/blamejs/lib/safe-sql.js +363 -0
  692. package/lib/vendor/blamejs/lib/safe-url.js +428 -0
  693. package/lib/vendor/blamejs/lib/safe-vcard.js +473 -0
  694. package/lib/vendor/blamejs/lib/sandbox-worker.js +135 -0
  695. package/lib/vendor/blamejs/lib/sandbox.js +358 -0
  696. package/lib/vendor/blamejs/lib/scheduler.js +827 -0
  697. package/lib/vendor/blamejs/lib/sd-notify.js +269 -0
  698. package/lib/vendor/blamejs/lib/sec-cyber.js +214 -0
  699. package/lib/vendor/blamejs/lib/security-assert.js +395 -0
  700. package/lib/vendor/blamejs/lib/seeders.js +620 -0
  701. package/lib/vendor/blamejs/lib/self-update-standalone-verifier.js +309 -0
  702. package/lib/vendor/blamejs/lib/self-update.js +804 -0
  703. package/lib/vendor/blamejs/lib/server-timing.js +174 -0
  704. package/lib/vendor/blamejs/lib/session-device-binding.js +431 -0
  705. package/lib/vendor/blamejs/lib/session-stores.js +138 -0
  706. package/lib/vendor/blamejs/lib/session.js +1162 -0
  707. package/lib/vendor/blamejs/lib/slug.js +381 -0
  708. package/lib/vendor/blamejs/lib/sse.js +349 -0
  709. package/lib/vendor/blamejs/lib/ssrf-guard.js +792 -0
  710. package/lib/vendor/blamejs/lib/standard-webhooks.js +183 -0
  711. package/lib/vendor/blamejs/lib/static.js +1249 -0
  712. package/lib/vendor/blamejs/lib/storage.js +1272 -0
  713. package/lib/vendor/blamejs/lib/stream-throttle.js +235 -0
  714. package/lib/vendor/blamejs/lib/structured-fields.js +244 -0
  715. package/lib/vendor/blamejs/lib/subject.js +667 -0
  716. package/lib/vendor/blamejs/lib/tcpa-10dlc.js +175 -0
  717. package/lib/vendor/blamejs/lib/template.js +931 -0
  718. package/lib/vendor/blamejs/lib/tenant-quota.js +545 -0
  719. package/lib/vendor/blamejs/lib/test-harness.js +275 -0
  720. package/lib/vendor/blamejs/lib/testing.js +1185 -0
  721. package/lib/vendor/blamejs/lib/time.js +578 -0
  722. package/lib/vendor/blamejs/lib/tls-exporter.js +239 -0
  723. package/lib/vendor/blamejs/lib/totp.js +318 -0
  724. package/lib/vendor/blamejs/lib/tracing.js +546 -0
  725. package/lib/vendor/blamejs/lib/uuid.js +207 -0
  726. package/lib/vendor/blamejs/lib/validate-opts.js +381 -0
  727. package/lib/vendor/blamejs/lib/vault/index.js +638 -0
  728. package/lib/vendor/blamejs/lib/vault/passphrase-ops.js +311 -0
  729. package/lib/vendor/blamejs/lib/vault/passphrase-source.js +198 -0
  730. package/lib/vendor/blamejs/lib/vault/rotate.js +803 -0
  731. package/lib/vendor/blamejs/lib/vault/seal-pem-file.js +471 -0
  732. package/lib/vendor/blamejs/lib/vault/wrap.js +296 -0
  733. package/lib/vendor/blamejs/lib/vault-aad.js +259 -0
  734. package/lib/vendor/blamejs/lib/vendor/.vendor-data-pubkey +4 -0
  735. package/lib/vendor/blamejs/lib/vendor/MANIFEST.json +161 -0
  736. package/lib/vendor/blamejs/lib/vendor/bimi-trust-anchors.data.js +68 -0
  737. package/lib/vendor/blamejs/lib/vendor/bimi-trust-anchors.pem +33 -0
  738. package/lib/vendor/blamejs/lib/vendor/common-passwords-top-10000.data.js +1325 -0
  739. package/lib/vendor/blamejs/lib/vendor/common-passwords-top-10000.txt +10002 -0
  740. package/lib/vendor/blamejs/lib/vendor/noble-ciphers.cjs +9 -0
  741. package/lib/vendor/blamejs/lib/vendor/noble-post-quantum.cjs +18 -0
  742. package/lib/vendor/blamejs/lib/vendor/pki.cjs +181 -0
  743. package/lib/vendor/blamejs/lib/vendor/public-suffix-list.dat +16382 -0
  744. package/lib/vendor/blamejs/lib/vendor/public-suffix-list.data.js +5881 -0
  745. package/lib/vendor/blamejs/lib/vendor/simplewebauthn-server.cjs +328 -0
  746. package/lib/vendor/blamejs/lib/vendor/vendor-data-pubkey.js +16 -0
  747. package/lib/vendor/blamejs/lib/vendor-data.js +520 -0
  748. package/lib/vendor/blamejs/lib/vex.js +630 -0
  749. package/lib/vendor/blamejs/lib/watcher.js +608 -0
  750. package/lib/vendor/blamejs/lib/web-push-vapid.js +322 -0
  751. package/lib/vendor/blamejs/lib/webhook.js +977 -0
  752. package/lib/vendor/blamejs/lib/websocket-channels.js +327 -0
  753. package/lib/vendor/blamejs/lib/websocket.js +1561 -0
  754. package/lib/vendor/blamejs/lib/wiki-concepts.js +338 -0
  755. package/lib/vendor/blamejs/lib/worker-pool.js +464 -0
  756. package/lib/vendor/blamejs/lib/ws-client.js +978 -0
  757. package/lib/vendor/blamejs/lib/xml-c14n.js +506 -0
  758. package/lib/vendor/blamejs/memory/specs/node-26-map-getorinsert-migration.md +164 -0
  759. package/lib/vendor/blamejs/oss-fuzz/projects/blamejs/Dockerfile +19 -0
  760. package/lib/vendor/blamejs/oss-fuzz/projects/blamejs/README.md +88 -0
  761. package/lib/vendor/blamejs/oss-fuzz/projects/blamejs/build.sh +26 -0
  762. package/lib/vendor/blamejs/oss-fuzz/projects/blamejs/project.yaml +28 -0
  763. package/lib/vendor/blamejs/package.json +81 -0
  764. package/lib/vendor/blamejs/release-notes/v0.0.x.json +310 -0
  765. package/lib/vendor/blamejs/release-notes/v0.1.x.json +1798 -0
  766. package/lib/vendor/blamejs/release-notes/v0.10.x.json +1288 -0
  767. package/lib/vendor/blamejs/release-notes/v0.11.x.json +2551 -0
  768. package/lib/vendor/blamejs/release-notes/v0.12.0.json +64 -0
  769. package/lib/vendor/blamejs/release-notes/v0.12.1.json +32 -0
  770. package/lib/vendor/blamejs/release-notes/v0.12.2.json +45 -0
  771. package/lib/vendor/blamejs/release-notes/v0.2.x.json +706 -0
  772. package/lib/vendor/blamejs/release-notes/v0.3.x.json +786 -0
  773. package/lib/vendor/blamejs/release-notes/v0.4.x.json +588 -0
  774. package/lib/vendor/blamejs/release-notes/v0.5.x.json +390 -0
  775. package/lib/vendor/blamejs/release-notes/v0.6.x.json +1947 -0
  776. package/lib/vendor/blamejs/release-notes/v0.7.x.json +3811 -0
  777. package/lib/vendor/blamejs/release-notes/v0.8.x.json +3318 -0
  778. package/lib/vendor/blamejs/release-notes/v0.9.x.json +2257 -0
  779. package/lib/vendor/blamejs/scripts/build-vendored-sbom.js +325 -0
  780. package/lib/vendor/blamejs/scripts/check-api-snapshot.js +62 -0
  781. package/lib/vendor/blamejs/scripts/check-changelog-extract.js +108 -0
  782. package/lib/vendor/blamejs/scripts/check-pack-against-gitignore.js +83 -0
  783. package/lib/vendor/blamejs/scripts/check-services.js +483 -0
  784. package/lib/vendor/blamejs/scripts/check-vendor-currency.js +349 -0
  785. package/lib/vendor/blamejs/scripts/consolidate-release-notes.js +216 -0
  786. package/lib/vendor/blamejs/scripts/gen-migrating.js +275 -0
  787. package/lib/vendor/blamejs/scripts/generate-changelog-entry.js +577 -0
  788. package/lib/vendor/blamejs/scripts/generate-release-signing-key.js +79 -0
  789. package/lib/vendor/blamejs/scripts/publish-dep-confusion-placeholder.sh +101 -0
  790. package/lib/vendor/blamejs/scripts/refresh-api-snapshot.js +31 -0
  791. package/lib/vendor/blamejs/scripts/refresh-vendor-manifest.js +132 -0
  792. package/lib/vendor/blamejs/scripts/release.js +652 -0
  793. package/lib/vendor/blamejs/scripts/sha3-digest.js +62 -0
  794. package/lib/vendor/blamejs/scripts/sign-release-artifact.js +92 -0
  795. package/lib/vendor/blamejs/scripts/test-integration.js +181 -0
  796. package/lib/vendor/blamejs/scripts/test-wiki-integration.js +126 -0
  797. package/lib/vendor/blamejs/scripts/validate-source-comment-blocks.js +77 -0
  798. package/lib/vendor/blamejs/scripts/vendor-data-gen.js +186 -0
  799. package/lib/vendor/blamejs/scripts/vendor-data-keygen.js +101 -0
  800. package/lib/vendor/blamejs/scripts/vendor-update.sh +278 -0
  801. package/lib/vendor/blamejs/test/00-primitives.js +19075 -0
  802. package/lib/vendor/blamejs/test/10-state.js +622 -0
  803. package/lib/vendor/blamejs/test/20-db.js +561 -0
  804. package/lib/vendor/blamejs/test/30-chain.js +2110 -0
  805. package/lib/vendor/blamejs/test/40-consumers.js +2453 -0
  806. package/lib/vendor/blamejs/test/50-integration.js +486 -0
  807. package/lib/vendor/blamejs/test/_helpers.js +10 -0
  808. package/lib/vendor/blamejs/test/_smoke-worker.js +69 -0
  809. package/lib/vendor/blamejs/test/fixtures/exploit-corpus/corpus.json +368 -0
  810. package/lib/vendor/blamejs/test/fixtures/http-client-stream-payload.txt +2 -0
  811. package/lib/vendor/blamejs/test/fixtures/worker-pool/echo.js +52 -0
  812. package/lib/vendor/blamejs/test/helpers/_codebase-shingle-worker.js +24 -0
  813. package/lib/vendor/blamejs/test/helpers/_codebase-shingle.js +203 -0
  814. package/lib/vendor/blamejs/test/helpers/_shape-match.js +513 -0
  815. package/lib/vendor/blamejs/test/helpers/check.js +36 -0
  816. package/lib/vendor/blamejs/test/helpers/cluster.js +70 -0
  817. package/lib/vendor/blamejs/test/helpers/db.js +143 -0
  818. package/lib/vendor/blamejs/test/helpers/drivers.js +207 -0
  819. package/lib/vendor/blamejs/test/helpers/fs-watch.js +101 -0
  820. package/lib/vendor/blamejs/test/helpers/http.js +14 -0
  821. package/lib/vendor/blamejs/test/helpers/index.js +93 -0
  822. package/lib/vendor/blamejs/test/helpers/json-round-trip.js +120 -0
  823. package/lib/vendor/blamejs/test/helpers/mocks.js +20 -0
  824. package/lib/vendor/blamejs/test/helpers/otel.js +13 -0
  825. package/lib/vendor/blamejs/test/helpers/services.js +380 -0
  826. package/lib/vendor/blamejs/test/helpers/wait.js +206 -0
  827. package/lib/vendor/blamejs/test/integration/cache.test.js +235 -0
  828. package/lib/vendor/blamejs/test/integration/cluster-provider-mysql.test.js +174 -0
  829. package/lib/vendor/blamejs/test/integration/federation-auth.test.js +611 -0
  830. package/lib/vendor/blamejs/test/integration/http-client.test.js +129 -0
  831. package/lib/vendor/blamejs/test/integration/log-stream.test.js +219 -0
  832. package/lib/vendor/blamejs/test/integration/mail-crypto-smime.test.js +181 -0
  833. package/lib/vendor/blamejs/test/integration/mail-dkim.test.js +152 -0
  834. package/lib/vendor/blamejs/test/integration/mail-smtp.test.js +161 -0
  835. package/lib/vendor/blamejs/test/integration/mtls-ca.test.js +289 -0
  836. package/lib/vendor/blamejs/test/integration/network-dns.test.js +123 -0
  837. package/lib/vendor/blamejs/test/integration/network-heartbeat.test.js +101 -0
  838. package/lib/vendor/blamejs/test/integration/ntp-check.test.js +89 -0
  839. package/lib/vendor/blamejs/test/integration/object-store-sigv4.test.js +403 -0
  840. package/lib/vendor/blamejs/test/integration/pqc-pkcs8-forward-compat.test.js +271 -0
  841. package/lib/vendor/blamejs/test/integration/pubsub.test.js +137 -0
  842. package/lib/vendor/blamejs/test/integration/queue-redis.test.js +352 -0
  843. package/lib/vendor/blamejs/test/integration/redis-client-tls.test.js +96 -0
  844. package/lib/vendor/blamejs/test/integration/ssrf-guard.test.js +98 -0
  845. package/lib/vendor/blamejs/test/integration/websocket-permessage-deflate.test.js +261 -0
  846. package/lib/vendor/blamejs/test/integration/ws-client-roundtrip.test.js +230 -0
  847. package/lib/vendor/blamejs/test/layer-0-primitives/a2a-tasks.test.js +211 -0
  848. package/lib/vendor/blamejs/test/layer-0-primitives/a2a.test.js +59 -0
  849. package/lib/vendor/blamejs/test/layer-0-primitives/access-lock.test.js +136 -0
  850. package/lib/vendor/blamejs/test/layer-0-primitives/acme.test.js +219 -0
  851. package/lib/vendor/blamejs/test/layer-0-primitives/age-gate.test.js +69 -0
  852. package/lib/vendor/blamejs/test/layer-0-primitives/agent-event-bus.test.js +266 -0
  853. package/lib/vendor/blamejs/test/layer-0-primitives/agent-idempotency.test.js +262 -0
  854. package/lib/vendor/blamejs/test/layer-0-primitives/agent-orchestrator.test.js +390 -0
  855. package/lib/vendor/blamejs/test/layer-0-primitives/agent-posture-chain.test.js +174 -0
  856. package/lib/vendor/blamejs/test/layer-0-primitives/agent-saga.test.js +279 -0
  857. package/lib/vendor/blamejs/test/layer-0-primitives/agent-snapshot.test.js +322 -0
  858. package/lib/vendor/blamejs/test/layer-0-primitives/agent-stream.test.js +227 -0
  859. package/lib/vendor/blamejs/test/layer-0-primitives/agent-tenant.test.js +302 -0
  860. package/lib/vendor/blamejs/test/layer-0-primitives/agent-trace.test.js +150 -0
  861. package/lib/vendor/blamejs/test/layer-0-primitives/ai-adverse-decision.test.js +44 -0
  862. package/lib/vendor/blamejs/test/layer-0-primitives/ai-content-detect.test.js +150 -0
  863. package/lib/vendor/blamejs/test/layer-0-primitives/ai-input.test.js +50 -0
  864. package/lib/vendor/blamejs/test/layer-0-primitives/ai-model-manifest.test.js +96 -0
  865. package/lib/vendor/blamejs/test/layer-0-primitives/ai-pref.test.js +76 -0
  866. package/lib/vendor/blamejs/test/layer-0-primitives/api-encrypt.test.js +1080 -0
  867. package/lib/vendor/blamejs/test/layer-0-primitives/app-shutdown.test.js +311 -0
  868. package/lib/vendor/blamejs/test/layer-0-primitives/archive-zip-stream.test.js +291 -0
  869. package/lib/vendor/blamejs/test/layer-0-primitives/archive.test.js +140 -0
  870. package/lib/vendor/blamejs/test/layer-0-primitives/arg-parser.test.js +267 -0
  871. package/lib/vendor/blamejs/test/layer-0-primitives/asn1-der.test.js +108 -0
  872. package/lib/vendor/blamejs/test/layer-0-primitives/asyncapi.test.js +929 -0
  873. package/lib/vendor/blamejs/test/layer-0-primitives/atomic-file-conflict-path.test.js +80 -0
  874. package/lib/vendor/blamejs/test/layer-0-primitives/audit-cve-defensive.test.js +176 -0
  875. package/lib/vendor/blamejs/test/layer-0-primitives/audit-daily-review.test.js +132 -0
  876. package/lib/vendor/blamejs/test/layer-0-primitives/audit-export-cadf.test.js +97 -0
  877. package/lib/vendor/blamejs/test/layer-0-primitives/audit-framework-namespaces.test.js +141 -0
  878. package/lib/vendor/blamejs/test/layer-0-primitives/audit-segregation.test.js +115 -0
  879. package/lib/vendor/blamejs/test/layer-0-primitives/audit-sign-ml-dsa-65.test.js +163 -0
  880. package/lib/vendor/blamejs/test/layer-0-primitives/audit-use-store.test.js +246 -0
  881. package/lib/vendor/blamejs/test/layer-0-primitives/auth-bot-challenge-verifier.test.js +485 -0
  882. package/lib/vendor/blamejs/test/layer-0-primitives/auth-bot-challenge.test.js +331 -0
  883. package/lib/vendor/blamejs/test/layer-0-primitives/auth-jwt-defenses.test.js +352 -0
  884. package/lib/vendor/blamejs/test/layer-0-primitives/auth-lockout.test.js +572 -0
  885. package/lib/vendor/blamejs/test/layer-0-primitives/auth-password-audit.test.js +61 -0
  886. package/lib/vendor/blamejs/test/layer-0-primitives/azure-blob-bucket-ops.test.js +258 -0
  887. package/lib/vendor/blamejs/test/layer-0-primitives/backup-manifest-signature.test.js +105 -0
  888. package/lib/vendor/blamejs/test/layer-0-primitives/backup-worker.test.js +34 -0
  889. package/lib/vendor/blamejs/test/layer-0-primitives/bearer-auth.test.js +107 -0
  890. package/lib/vendor/blamejs/test/layer-0-primitives/body-parser-chunked-malformed.test.js +131 -0
  891. package/lib/vendor/blamejs/test/layer-0-primitives/body-parser-smuggling.test.js +118 -0
  892. package/lib/vendor/blamejs/test/layer-0-primitives/boot-gates.test.js +85 -0
  893. package/lib/vendor/blamejs/test/layer-0-primitives/breach-deadline.test.js +38 -0
  894. package/lib/vendor/blamejs/test/layer-0-primitives/break-glass.test.js +861 -0
  895. package/lib/vendor/blamejs/test/layer-0-primitives/budr.test.js +55 -0
  896. package/lib/vendor/blamejs/test/layer-0-primitives/bundler-engine.test.js +209 -0
  897. package/lib/vendor/blamejs/test/layer-0-primitives/cache-status.test.js +129 -0
  898. package/lib/vendor/blamejs/test/layer-0-primitives/cache.test.js +871 -0
  899. package/lib/vendor/blamejs/test/layer-0-primitives/calendar.test.js +891 -0
  900. package/lib/vendor/blamejs/test/layer-0-primitives/canonical-json-jcs.test.js +43 -0
  901. package/lib/vendor/blamejs/test/layer-0-primitives/cdn-cache-control.test.js +243 -0
  902. package/lib/vendor/blamejs/test/layer-0-primitives/cert.test.js +550 -0
  903. package/lib/vendor/blamejs/test/layer-0-primitives/clear-site-data.test.js +107 -0
  904. package/lib/vendor/blamejs/test/layer-0-primitives/cli-api-key.test.js +147 -0
  905. package/lib/vendor/blamejs/test/layer-0-primitives/cli-audit-verify-chain.test.js +104 -0
  906. package/lib/vendor/blamejs/test/layer-0-primitives/cli-backup.test.js +135 -0
  907. package/lib/vendor/blamejs/test/layer-0-primitives/cli-config-drift.test.js +67 -0
  908. package/lib/vendor/blamejs/test/layer-0-primitives/cli-erase.test.js +75 -0
  909. package/lib/vendor/blamejs/test/layer-0-primitives/cli-file-type.test.js +98 -0
  910. package/lib/vendor/blamejs/test/layer-0-primitives/cli-helpers.test.js +145 -0
  911. package/lib/vendor/blamejs/test/layer-0-primitives/cli-mtls.test.js +133 -0
  912. package/lib/vendor/blamejs/test/layer-0-primitives/cli-password.test.js +97 -0
  913. package/lib/vendor/blamejs/test/layer-0-primitives/cli-restore.test.js +160 -0
  914. package/lib/vendor/blamejs/test/layer-0-primitives/cli-retention.test.js +84 -0
  915. package/lib/vendor/blamejs/test/layer-0-primitives/cli-security.test.js +69 -0
  916. package/lib/vendor/blamejs/test/layer-0-primitives/cli-vault.test.js +142 -0
  917. package/lib/vendor/blamejs/test/layer-0-primitives/client-hints.test.js +133 -0
  918. package/lib/vendor/blamejs/test/layer-0-primitives/cms-codec.test.js +237 -0
  919. package/lib/vendor/blamejs/test/layer-0-primitives/codebase-patterns.test.js +9600 -0
  920. package/lib/vendor/blamejs/test/layer-0-primitives/compliance-ai-act.test.js +575 -0
  921. package/lib/vendor/blamejs/test/layer-0-primitives/compliance-cascade.test.js +89 -0
  922. package/lib/vendor/blamejs/test/layer-0-primitives/compliance-eaa.test.js +36 -0
  923. package/lib/vendor/blamejs/test/layer-0-primitives/compliance-sanctions.test.js +712 -0
  924. package/lib/vendor/blamejs/test/layer-0-primitives/compliance.test.js +278 -0
  925. package/lib/vendor/blamejs/test/layer-0-primitives/config-drift.test.js +97 -0
  926. package/lib/vendor/blamejs/test/layer-0-primitives/config.test.js +424 -0
  927. package/lib/vendor/blamejs/test/layer-0-primitives/content-credentials.test.js +94 -0
  928. package/lib/vendor/blamejs/test/layer-0-primitives/cors.test.js +357 -0
  929. package/lib/vendor/blamejs/test/layer-0-primitives/cra-report.test.js +31 -0
  930. package/lib/vendor/blamejs/test/layer-0-primitives/credential-hash.test.js +226 -0
  931. package/lib/vendor/blamejs/test/layer-0-primitives/crypto-base64url.test.js +86 -0
  932. package/lib/vendor/blamejs/test/layer-0-primitives/crypto-envelope.test.js +85 -0
  933. package/lib/vendor/blamejs/test/layer-0-primitives/crypto-hash-files-parallel.test.js +193 -0
  934. package/lib/vendor/blamejs/test/layer-0-primitives/crypto-hash-stream.test.js +98 -0
  935. package/lib/vendor/blamejs/test/layer-0-primitives/crypto-hpke-pq.test.js +132 -0
  936. package/lib/vendor/blamejs/test/layer-0-primitives/crypto-hpke.test.js +155 -0
  937. package/lib/vendor/blamejs/test/layer-0-primitives/crypto-mlkem768-x25519.test.js +129 -0
  938. package/lib/vendor/blamejs/test/layer-0-primitives/crypto-namespace-hash.test.js +0 -0
  939. package/lib/vendor/blamejs/test/layer-0-primitives/crypto-random-int.test.js +72 -0
  940. package/lib/vendor/blamejs/test/layer-0-primitives/csp-builder.test.js +96 -0
  941. package/lib/vendor/blamejs/test/layer-0-primitives/csp-nonce.test.js +401 -0
  942. package/lib/vendor/blamejs/test/layer-0-primitives/csp-report.test.js +34 -0
  943. package/lib/vendor/blamejs/test/layer-0-primitives/csv.test.js +180 -0
  944. package/lib/vendor/blamejs/test/layer-0-primitives/daemon.test.js +210 -0
  945. package/lib/vendor/blamejs/test/layer-0-primitives/daily-byte-quota.test.js +153 -0
  946. package/lib/vendor/blamejs/test/layer-0-primitives/dark-patterns.test.js +66 -0
  947. package/lib/vendor/blamejs/test/layer-0-primitives/data-act.test.js +74 -0
  948. package/lib/vendor/blamejs/test/layer-0-primitives/db-collection-extensions.test.js +226 -0
  949. package/lib/vendor/blamejs/test/layer-0-primitives/db-collection.test.js +136 -0
  950. package/lib/vendor/blamejs/test/layer-0-primitives/db-init-extensions.test.js +165 -0
  951. package/lib/vendor/blamejs/test/layer-0-primitives/db-query-cross-schema.test.js +150 -0
  952. package/lib/vendor/blamejs/test/layer-0-primitives/db-query-extensions.test.js +191 -0
  953. package/lib/vendor/blamejs/test/layer-0-primitives/db-role-for.test.js +228 -0
  954. package/lib/vendor/blamejs/test/layer-0-primitives/db-vacuum.test.js +55 -0
  955. package/lib/vendor/blamejs/test/layer-0-primitives/db-worm.test.js +89 -0
  956. package/lib/vendor/blamejs/test/layer-0-primitives/ddl-change-control.test.js +184 -0
  957. package/lib/vendor/blamejs/test/layer-0-primitives/declare-row-policy.test.js +203 -0
  958. package/lib/vendor/blamejs/test/layer-0-primitives/declare-view.test.js +303 -0
  959. package/lib/vendor/blamejs/test/layer-0-primitives/dns-dnssec-algorithm.test.js +163 -0
  960. package/lib/vendor/blamejs/test/layer-0-primitives/dns-null-mx.test.js +39 -0
  961. package/lib/vendor/blamejs/test/layer-0-primitives/dora.test.js +165 -0
  962. package/lib/vendor/blamejs/test/layer-0-primitives/dr-runbook.test.js +59 -0
  963. package/lib/vendor/blamejs/test/layer-0-primitives/dsr-state-rules.test.js +55 -0
  964. package/lib/vendor/blamejs/test/layer-0-primitives/dsr.test.js +786 -0
  965. package/lib/vendor/blamejs/test/layer-0-primitives/dual-control.test.js +105 -0
  966. package/lib/vendor/blamejs/test/layer-0-primitives/early-hints.test.js +147 -0
  967. package/lib/vendor/blamejs/test/layer-0-primitives/events.test.js +105 -0
  968. package/lib/vendor/blamejs/test/layer-0-primitives/exploit-replay.test.js +243 -0
  969. package/lib/vendor/blamejs/test/layer-0-primitives/external-db-hardening.test.js +181 -0
  970. package/lib/vendor/blamejs/test/layer-0-primitives/external-db-migrate.test.js +190 -0
  971. package/lib/vendor/blamejs/test/layer-0-primitives/external-db-routing.test.js +531 -0
  972. package/lib/vendor/blamejs/test/layer-0-primitives/fal.test.js +118 -0
  973. package/lib/vendor/blamejs/test/layer-0-primitives/fapi2.test.js +89 -0
  974. package/lib/vendor/blamejs/test/layer-0-primitives/fda-21cfr11.test.js +156 -0
  975. package/lib/vendor/blamejs/test/layer-0-primitives/fdx.test.js +79 -0
  976. package/lib/vendor/blamejs/test/layer-0-primitives/fedcm-dbsc.test.js +216 -0
  977. package/lib/vendor/blamejs/test/layer-0-primitives/federation-vc-suite.test.js +434 -0
  978. package/lib/vendor/blamejs/test/layer-0-primitives/fido-mds3.test.js +432 -0
  979. package/lib/vendor/blamejs/test/layer-0-primitives/file-type.test.js +81 -0
  980. package/lib/vendor/blamejs/test/layer-0-primitives/flag.test.js +887 -0
  981. package/lib/vendor/blamejs/test/layer-0-primitives/forensic-snapshot.test.js +51 -0
  982. package/lib/vendor/blamejs/test/layer-0-primitives/fsm.test.js +375 -0
  983. package/lib/vendor/blamejs/test/layer-0-primitives/gcs-bucket-ops.test.js +321 -0
  984. package/lib/vendor/blamejs/test/layer-0-primitives/gdpr-ropa.test.js +41 -0
  985. package/lib/vendor/blamejs/test/layer-0-primitives/graphql-federation.test.js +32 -0
  986. package/lib/vendor/blamejs/test/layer-0-primitives/guard-agent-registry.test.js +87 -0
  987. package/lib/vendor/blamejs/test/layer-0-primitives/guard-all.test.js +328 -0
  988. package/lib/vendor/blamejs/test/layer-0-primitives/guard-archive.test.js +339 -0
  989. package/lib/vendor/blamejs/test/layer-0-primitives/guard-csv.test.js +694 -0
  990. package/lib/vendor/blamejs/test/layer-0-primitives/guard-dsn.test.js +296 -0
  991. package/lib/vendor/blamejs/test/layer-0-primitives/guard-email.test.js +234 -0
  992. package/lib/vendor/blamejs/test/layer-0-primitives/guard-envelope.test.js +192 -0
  993. package/lib/vendor/blamejs/test/layer-0-primitives/guard-event-bus-payload.test.js +89 -0
  994. package/lib/vendor/blamejs/test/layer-0-primitives/guard-event-bus-topic.test.js +71 -0
  995. package/lib/vendor/blamejs/test/layer-0-primitives/guard-filename.test.js +386 -0
  996. package/lib/vendor/blamejs/test/layer-0-primitives/guard-html-wcag.test.js +859 -0
  997. package/lib/vendor/blamejs/test/layer-0-primitives/guard-html.test.js +357 -0
  998. package/lib/vendor/blamejs/test/layer-0-primitives/guard-idempotency-key.test.js +92 -0
  999. package/lib/vendor/blamejs/test/layer-0-primitives/guard-imap-command.test.js +0 -0
  1000. package/lib/vendor/blamejs/test/layer-0-primitives/guard-jmap.test.js +174 -0
  1001. package/lib/vendor/blamejs/test/layer-0-primitives/guard-json.test.js +317 -0
  1002. package/lib/vendor/blamejs/test/layer-0-primitives/guard-list-id.test.js +199 -0
  1003. package/lib/vendor/blamejs/test/layer-0-primitives/guard-list-unsubscribe.test.js +214 -0
  1004. package/lib/vendor/blamejs/test/layer-0-primitives/guard-mail-compose.test.js +111 -0
  1005. package/lib/vendor/blamejs/test/layer-0-primitives/guard-mail-move.test.js +110 -0
  1006. package/lib/vendor/blamejs/test/layer-0-primitives/guard-mail-query.test.js +112 -0
  1007. package/lib/vendor/blamejs/test/layer-0-primitives/guard-mail-reply.test.js +86 -0
  1008. package/lib/vendor/blamejs/test/layer-0-primitives/guard-mail-sieve.test.js +92 -0
  1009. package/lib/vendor/blamejs/test/layer-0-primitives/guard-managesieve-command.test.js +301 -0
  1010. package/lib/vendor/blamejs/test/layer-0-primitives/guard-markdown.test.js +265 -0
  1011. package/lib/vendor/blamejs/test/layer-0-primitives/guard-message-id.test.js +0 -0
  1012. package/lib/vendor/blamejs/test/layer-0-primitives/guard-pop3-command.test.js +161 -0
  1013. package/lib/vendor/blamejs/test/layer-0-primitives/guard-posture-chain.test.js +100 -0
  1014. package/lib/vendor/blamejs/test/layer-0-primitives/guard-saga-config.test.js +79 -0
  1015. package/lib/vendor/blamejs/test/layer-0-primitives/guard-smtp-command.test.js +269 -0
  1016. package/lib/vendor/blamejs/test/layer-0-primitives/guard-snapshot-envelope.test.js +89 -0
  1017. package/lib/vendor/blamejs/test/layer-0-primitives/guard-stream-args.test.js +78 -0
  1018. package/lib/vendor/blamejs/test/layer-0-primitives/guard-svg.test.js +288 -0
  1019. package/lib/vendor/blamejs/test/layer-0-primitives/guard-tenant-id.test.js +69 -0
  1020. package/lib/vendor/blamejs/test/layer-0-primitives/guard-trace-context.test.js +102 -0
  1021. package/lib/vendor/blamejs/test/layer-0-primitives/guard-xml.test.js +202 -0
  1022. package/lib/vendor/blamejs/test/layer-0-primitives/guard-yaml.test.js +203 -0
  1023. package/lib/vendor/blamejs/test/layer-0-primitives/hal.test.js +51 -0
  1024. package/lib/vendor/blamejs/test/layer-0-primitives/honeytoken.test.js +50 -0
  1025. package/lib/vendor/blamejs/test/layer-0-primitives/html-balance.test.js +37 -0
  1026. package/lib/vendor/blamejs/test/layer-0-primitives/http-client-cache.test.js +692 -0
  1027. package/lib/vendor/blamejs/test/layer-0-primitives/http-client-stream.test.js +280 -0
  1028. package/lib/vendor/blamejs/test/layer-0-primitives/http-message-signature.test.js +225 -0
  1029. package/lib/vendor/blamejs/test/layer-0-primitives/i18n-messageformat.test.js +203 -0
  1030. package/lib/vendor/blamejs/test/layer-0-primitives/i18n.test.js +991 -0
  1031. package/lib/vendor/blamejs/test/layer-0-primitives/iab-mspa.test.js +63 -0
  1032. package/lib/vendor/blamejs/test/layer-0-primitives/iab-tcf.test.js +73 -0
  1033. package/lib/vendor/blamejs/test/layer-0-primitives/idempotency-key.test.js +612 -0
  1034. package/lib/vendor/blamejs/test/layer-0-primitives/importmap-integrity.test.js +56 -0
  1035. package/lib/vendor/blamejs/test/layer-0-primitives/inbox.test.js +166 -0
  1036. package/lib/vendor/blamejs/test/layer-0-primitives/incident-report.test.js +29 -0
  1037. package/lib/vendor/blamejs/test/layer-0-primitives/jose-jwe-experimental.test.js +121 -0
  1038. package/lib/vendor/blamejs/test/layer-0-primitives/json-api.test.js +58 -0
  1039. package/lib/vendor/blamejs/test/layer-0-primitives/json-round-trip-helper.test.js +110 -0
  1040. package/lib/vendor/blamejs/test/layer-0-primitives/jwt-external.test.js +159 -0
  1041. package/lib/vendor/blamejs/test/layer-0-primitives/keychain.test.js +0 -0
  1042. package/lib/vendor/blamejs/test/layer-0-primitives/legal-hold.test.js +118 -0
  1043. package/lib/vendor/blamejs/test/layer-0-primitives/local-db-thin.test.js +150 -0
  1044. package/lib/vendor/blamejs/test/layer-0-primitives/log-stream-cloudwatch.test.js +489 -0
  1045. package/lib/vendor/blamejs/test/layer-0-primitives/log-stream-otlp-grpc.test.js +207 -0
  1046. package/lib/vendor/blamejs/test/layer-0-primitives/log-stream-otlp.test.js +283 -0
  1047. package/lib/vendor/blamejs/test/layer-0-primitives/lro.test.js +65 -0
  1048. package/lib/vendor/blamejs/test/layer-0-primitives/mail-agent.test.js +417 -0
  1049. package/lib/vendor/blamejs/test/layer-0-primitives/mail-arf.test.js +208 -0
  1050. package/lib/vendor/blamejs/test/layer-0-primitives/mail-auth.test.js +910 -0
  1051. package/lib/vendor/blamejs/test/layer-0-primitives/mail-bimi.test.js +502 -0
  1052. package/lib/vendor/blamejs/test/layer-0-primitives/mail-bounce.test.js +680 -0
  1053. package/lib/vendor/blamejs/test/layer-0-primitives/mail-canspam.test.js +128 -0
  1054. package/lib/vendor/blamejs/test/layer-0-primitives/mail-crypto-pgp-experimental.test.js +149 -0
  1055. package/lib/vendor/blamejs/test/layer-0-primitives/mail-crypto-pgp.test.js +323 -0
  1056. package/lib/vendor/blamejs/test/layer-0-primitives/mail-crypto-smime.test.js +297 -0
  1057. package/lib/vendor/blamejs/test/layer-0-primitives/mail-dav.test.js +514 -0
  1058. package/lib/vendor/blamejs/test/layer-0-primitives/mail-deploy-tlsrpt.test.js +369 -0
  1059. package/lib/vendor/blamejs/test/layer-0-primitives/mail-deploy.test.js +199 -0
  1060. package/lib/vendor/blamejs/test/layer-0-primitives/mail-dkim.test.js +627 -0
  1061. package/lib/vendor/blamejs/test/layer-0-primitives/mail-feedback-id.test.js +56 -0
  1062. package/lib/vendor/blamejs/test/layer-0-primitives/mail-greylist.test.js +217 -0
  1063. package/lib/vendor/blamejs/test/layer-0-primitives/mail-helo.test.js +283 -0
  1064. package/lib/vendor/blamejs/test/layer-0-primitives/mail-journal.test.js +217 -0
  1065. package/lib/vendor/blamejs/test/layer-0-primitives/mail-mdn.test.js +334 -0
  1066. package/lib/vendor/blamejs/test/layer-0-primitives/mail-rbl.test.js +271 -0
  1067. package/lib/vendor/blamejs/test/layer-0-primitives/mail-require-tls.test.js +128 -0
  1068. package/lib/vendor/blamejs/test/layer-0-primitives/mail-scan.test.js +215 -0
  1069. package/lib/vendor/blamejs/test/layer-0-primitives/mail-send-deliver.test.js +336 -0
  1070. package/lib/vendor/blamejs/test/layer-0-primitives/mail-server-imap.test.js +732 -0
  1071. package/lib/vendor/blamejs/test/layer-0-primitives/mail-server-jmap.test.js +840 -0
  1072. package/lib/vendor/blamejs/test/layer-0-primitives/mail-server-managesieve.test.js +130 -0
  1073. package/lib/vendor/blamejs/test/layer-0-primitives/mail-server-mx.test.js +285 -0
  1074. package/lib/vendor/blamejs/test/layer-0-primitives/mail-server-pop3.test.js +74 -0
  1075. package/lib/vendor/blamejs/test/layer-0-primitives/mail-server-rate-limit.test.js +112 -0
  1076. package/lib/vendor/blamejs/test/layer-0-primitives/mail-server-registry.test.js +229 -0
  1077. package/lib/vendor/blamejs/test/layer-0-primitives/mail-server-submission.test.js +394 -0
  1078. package/lib/vendor/blamejs/test/layer-0-primitives/mail-server-tls.test.js +147 -0
  1079. package/lib/vendor/blamejs/test/layer-0-primitives/mail-sieve.test.js +151 -0
  1080. package/lib/vendor/blamejs/test/layer-0-primitives/mail-spam-score.test.js +204 -0
  1081. package/lib/vendor/blamejs/test/layer-0-primitives/mail-srs.test.js +152 -0
  1082. package/lib/vendor/blamejs/test/layer-0-primitives/mail-store-fts.test.js +279 -0
  1083. package/lib/vendor/blamejs/test/layer-0-primitives/mail-store.test.js +323 -0
  1084. package/lib/vendor/blamejs/test/layer-0-primitives/mail-unsubscribe.test.js +165 -0
  1085. package/lib/vendor/blamejs/test/layer-0-primitives/mail.test.js +439 -0
  1086. package/lib/vendor/blamejs/test/layer-0-primitives/mcp-tool-registry.test.js +202 -0
  1087. package/lib/vendor/blamejs/test/layer-0-primitives/mcp.test.js +155 -0
  1088. package/lib/vendor/blamejs/test/layer-0-primitives/metrics-shadow-registry.test.js +112 -0
  1089. package/lib/vendor/blamejs/test/layer-0-primitives/metrics-snapshot.test.js +224 -0
  1090. package/lib/vendor/blamejs/test/layer-0-primitives/middleware-compose-pipeline.test.js +278 -0
  1091. package/lib/vendor/blamejs/test/layer-0-primitives/money.test.js +376 -0
  1092. package/lib/vendor/blamejs/test/layer-0-primitives/mtls-ca-paths.test.js +89 -0
  1093. package/lib/vendor/blamejs/test/layer-0-primitives/nel.test.js +200 -0
  1094. package/lib/vendor/blamejs/test/layer-0-primitives/network-allowlist.test.js +106 -0
  1095. package/lib/vendor/blamejs/test/layer-0-primitives/network-byte-quota.test.js +133 -0
  1096. package/lib/vendor/blamejs/test/layer-0-primitives/network-dns-resolver.test.js +372 -0
  1097. package/lib/vendor/blamejs/test/layer-0-primitives/network-dns.test.js +635 -0
  1098. package/lib/vendor/blamejs/test/layer-0-primitives/network-heartbeat-passive.test.js +128 -0
  1099. package/lib/vendor/blamejs/test/layer-0-primitives/network-tls-build-options.test.js +130 -0
  1100. package/lib/vendor/blamejs/test/layer-0-primitives/network-tls-ct-inclusion.test.js +179 -0
  1101. package/lib/vendor/blamejs/test/layer-0-primitives/network-tls.test.js +447 -0
  1102. package/lib/vendor/blamejs/test/layer-0-primitives/network.test.js +369 -0
  1103. package/lib/vendor/blamejs/test/layer-0-primitives/nis2-report.test.js +21 -0
  1104. package/lib/vendor/blamejs/test/layer-0-primitives/nist-crosswalk.test.js +42 -0
  1105. package/lib/vendor/blamejs/test/layer-0-primitives/no-cache.test.js +98 -0
  1106. package/lib/vendor/blamejs/test/layer-0-primitives/notify.test.js +707 -0
  1107. package/lib/vendor/blamejs/test/layer-0-primitives/numeric-bounds.test.js +142 -0
  1108. package/lib/vendor/blamejs/test/layer-0-primitives/oauth-callback.test.js +72 -0
  1109. package/lib/vendor/blamejs/test/layer-0-primitives/observability-tracing.test.js +597 -0
  1110. package/lib/vendor/blamejs/test/layer-0-primitives/observability.test.js +190 -0
  1111. package/lib/vendor/blamejs/test/layer-0-primitives/openapi.test.js +877 -0
  1112. package/lib/vendor/blamejs/test/layer-0-primitives/otel-export.test.js +257 -0
  1113. package/lib/vendor/blamejs/test/layer-0-primitives/pagination.test.js +522 -0
  1114. package/lib/vendor/blamejs/test/layer-0-primitives/parsers-standalone.test.js +216 -0
  1115. package/lib/vendor/blamejs/test/layer-0-primitives/passkey.test.js +324 -0
  1116. package/lib/vendor/blamejs/test/layer-0-primitives/permissions.test.js +546 -0
  1117. package/lib/vendor/blamejs/test/layer-0-primitives/pqc-agent-curve.test.js +153 -0
  1118. package/lib/vendor/blamejs/test/layer-0-primitives/pqc-software.test.js +94 -0
  1119. package/lib/vendor/blamejs/test/layer-0-primitives/problem-details.test.js +195 -0
  1120. package/lib/vendor/blamejs/test/layer-0-primitives/process-spawn.test.js +62 -0
  1121. package/lib/vendor/blamejs/test/layer-0-primitives/promise-pool.test.js +93 -0
  1122. package/lib/vendor/blamejs/test/layer-0-primitives/protected-resource-metadata.test.js +68 -0
  1123. package/lib/vendor/blamejs/test/layer-0-primitives/protobuf-encoder.test.js +138 -0
  1124. package/lib/vendor/blamejs/test/layer-0-primitives/protocol-dispatcher.test.js +174 -0
  1125. package/lib/vendor/blamejs/test/layer-0-primitives/public-suffix.test.js +197 -0
  1126. package/lib/vendor/blamejs/test/layer-0-primitives/pubsub.test.js +232 -0
  1127. package/lib/vendor/blamejs/test/layer-0-primitives/queue-dlq-extend-lease.test.js +178 -0
  1128. package/lib/vendor/blamejs/test/layer-0-primitives/queue-flow-repeat.test.js +322 -0
  1129. package/lib/vendor/blamejs/test/layer-0-primitives/queue-priority-rate-progress.test.js +266 -0
  1130. package/lib/vendor/blamejs/test/layer-0-primitives/queue-sqs.test.js +300 -0
  1131. package/lib/vendor/blamejs/test/layer-0-primitives/rate-limit-cluster.test.js +338 -0
  1132. package/lib/vendor/blamejs/test/layer-0-primitives/rate-limit-registry.test.js +75 -0
  1133. package/lib/vendor/blamejs/test/layer-0-primitives/redact-dlp.test.js +246 -0
  1134. package/lib/vendor/blamejs/test/layer-0-primitives/redis-client.test.js +130 -0
  1135. package/lib/vendor/blamejs/test/layer-0-primitives/request-helpers.test.js +335 -0
  1136. package/lib/vendor/blamejs/test/layer-0-primitives/request-log.test.js +170 -0
  1137. package/lib/vendor/blamejs/test/layer-0-primitives/require-auth-cache-control.test.js +93 -0
  1138. package/lib/vendor/blamejs/test/layer-0-primitives/require-mtls.test.js +34 -0
  1139. package/lib/vendor/blamejs/test/layer-0-primitives/resource-access-lock.test.js +52 -0
  1140. package/lib/vendor/blamejs/test/layer-0-primitives/retention-floor.test.js +67 -0
  1141. package/lib/vendor/blamejs/test/layer-0-primitives/retry.test.js +535 -0
  1142. package/lib/vendor/blamejs/test/layer-0-primitives/router-cross-origin-redirect.test.js +0 -0
  1143. package/lib/vendor/blamejs/test/layer-0-primitives/router-tls0rtt.test.js +128 -0
  1144. package/lib/vendor/blamejs/test/layer-0-primitives/safe-async-loops.test.js +163 -0
  1145. package/lib/vendor/blamejs/test/layer-0-primitives/safe-async-parallel.test.js +170 -0
  1146. package/lib/vendor/blamejs/test/layer-0-primitives/safe-decompress.test.js +248 -0
  1147. package/lib/vendor/blamejs/test/layer-0-primitives/safe-dns.test.js +451 -0
  1148. package/lib/vendor/blamejs/test/layer-0-primitives/safe-ical.test.js +289 -0
  1149. package/lib/vendor/blamejs/test/layer-0-primitives/safe-icap.test.js +206 -0
  1150. package/lib/vendor/blamejs/test/layer-0-primitives/safe-jsonpath.test.js +104 -0
  1151. package/lib/vendor/blamejs/test/layer-0-primitives/safe-mime.test.js +339 -0
  1152. package/lib/vendor/blamejs/test/layer-0-primitives/safe-mount-info.test.js +180 -0
  1153. package/lib/vendor/blamejs/test/layer-0-primitives/safe-path.test.js +78 -0
  1154. package/lib/vendor/blamejs/test/layer-0-primitives/safe-sieve.test.js +123 -0
  1155. package/lib/vendor/blamejs/test/layer-0-primitives/safe-smtp.test.js +95 -0
  1156. package/lib/vendor/blamejs/test/layer-0-primitives/safe-url-idn-homograph.test.js +77 -0
  1157. package/lib/vendor/blamejs/test/layer-0-primitives/safe-vcard.test.js +257 -0
  1158. package/lib/vendor/blamejs/test/layer-0-primitives/saml-slo.test.js +249 -0
  1159. package/lib/vendor/blamejs/test/layer-0-primitives/sandbox.test.js +228 -0
  1160. package/lib/vendor/blamejs/test/layer-0-primitives/scheduler-exactly-once.test.js +238 -0
  1161. package/lib/vendor/blamejs/test/layer-0-primitives/scim-server.test.js +92 -0
  1162. package/lib/vendor/blamejs/test/layer-0-primitives/sd-jwt-vc.test.js +700 -0
  1163. package/lib/vendor/blamejs/test/layer-0-primitives/sd-notify.test.js +67 -0
  1164. package/lib/vendor/blamejs/test/layer-0-primitives/sec-cyber.test.js +85 -0
  1165. package/lib/vendor/blamejs/test/layer-0-primitives/security-assert.test.js +107 -0
  1166. package/lib/vendor/blamejs/test/layer-0-primitives/security-headers.test.js +175 -0
  1167. package/lib/vendor/blamejs/test/layer-0-primitives/seeders.test.js +816 -0
  1168. package/lib/vendor/blamejs/test/layer-0-primitives/self-update-standalone-verifier.test.js +168 -0
  1169. package/lib/vendor/blamejs/test/layer-0-primitives/self-update.test.js +302 -0
  1170. package/lib/vendor/blamejs/test/layer-0-primitives/server-timing.test.js +93 -0
  1171. package/lib/vendor/blamejs/test/layer-0-primitives/session-device-binding.test.js +247 -0
  1172. package/lib/vendor/blamejs/test/layer-0-primitives/session-extensions.test.js +295 -0
  1173. package/lib/vendor/blamejs/test/layer-0-primitives/shape-match.test.js +142 -0
  1174. package/lib/vendor/blamejs/test/layer-0-primitives/sigv4-bucket-ops.test.js +952 -0
  1175. package/lib/vendor/blamejs/test/layer-0-primitives/sigv4-multipart-sse.test.js +441 -0
  1176. package/lib/vendor/blamejs/test/layer-0-primitives/slug.test.js +330 -0
  1177. package/lib/vendor/blamejs/test/layer-0-primitives/smtp-policy.test.js +233 -0
  1178. package/lib/vendor/blamejs/test/layer-0-primitives/source-comment-blocks.test.js +105 -0
  1179. package/lib/vendor/blamejs/test/layer-0-primitives/speculation-rules.test.js +319 -0
  1180. package/lib/vendor/blamejs/test/layer-0-primitives/sse.test.js +148 -0
  1181. package/lib/vendor/blamejs/test/layer-0-primitives/ssrf-guard.test.js +283 -0
  1182. package/lib/vendor/blamejs/test/layer-0-primitives/standard-webhooks.test.js +67 -0
  1183. package/lib/vendor/blamejs/test/layer-0-primitives/static.test.js +266 -0
  1184. package/lib/vendor/blamejs/test/layer-0-primitives/step-up.test.js +487 -0
  1185. package/lib/vendor/blamejs/test/layer-0-primitives/storage-chunk-scratch.test.js +0 -0
  1186. package/lib/vendor/blamejs/test/layer-0-primitives/storage-presigned-url.test.js +773 -0
  1187. package/lib/vendor/blamejs/test/layer-0-primitives/stream-throttle.test.js +173 -0
  1188. package/lib/vendor/blamejs/test/layer-0-primitives/structured-fields.test.js +180 -0
  1189. package/lib/vendor/blamejs/test/layer-0-primitives/tcpa-10dlc.test.js +66 -0
  1190. package/lib/vendor/blamejs/test/layer-0-primitives/tenant-quota.test.js +89 -0
  1191. package/lib/vendor/blamejs/test/layer-0-primitives/test-coverage.test.js +571 -0
  1192. package/lib/vendor/blamejs/test/layer-0-primitives/test-harness.test.js +190 -0
  1193. package/lib/vendor/blamejs/test/layer-0-primitives/testing-request.test.js +119 -0
  1194. package/lib/vendor/blamejs/test/layer-0-primitives/testing.test.js +522 -0
  1195. package/lib/vendor/blamejs/test/layer-0-primitives/time.test.js +151 -0
  1196. package/lib/vendor/blamejs/test/layer-0-primitives/tls-exporter.test.js +168 -0
  1197. package/lib/vendor/blamejs/test/layer-0-primitives/tls-ocsp-ct.test.js +275 -0
  1198. package/lib/vendor/blamejs/test/layer-0-primitives/tls-ocsp-verify.test.js +105 -0
  1199. package/lib/vendor/blamejs/test/layer-0-primitives/tls-pinset-drift.test.js +35 -0
  1200. package/lib/vendor/blamejs/test/layer-0-primitives/tls-preferred-groups.test.js +81 -0
  1201. package/lib/vendor/blamejs/test/layer-0-primitives/tracing.test.js +280 -0
  1202. package/lib/vendor/blamejs/test/layer-0-primitives/uuid.test.js +93 -0
  1203. package/lib/vendor/blamejs/test/layer-0-primitives/vault-aad.test.js +277 -0
  1204. package/lib/vendor/blamejs/test/layer-0-primitives/vault-seal-pem-file.test.js +252 -0
  1205. package/lib/vendor/blamejs/test/layer-0-primitives/vendor-data.test.js +149 -0
  1206. package/lib/vendor/blamejs/test/layer-0-primitives/vendor-manifest.test.js +92 -0
  1207. package/lib/vendor/blamejs/test/layer-0-primitives/vex.test.js +661 -0
  1208. package/lib/vendor/blamejs/test/layer-0-primitives/watcher.test.js +308 -0
  1209. package/lib/vendor/blamejs/test/layer-0-primitives/web-push-vapid.test.js +144 -0
  1210. package/lib/vendor/blamejs/test/layer-0-primitives/webhook.test.js +674 -0
  1211. package/lib/vendor/blamejs/test/layer-0-primitives/websocket-channels.test.js +360 -0
  1212. package/lib/vendor/blamejs/test/layer-0-primitives/worker-pool.test.js +302 -0
  1213. package/lib/vendor/blamejs/test/layer-0-primitives/ws-client.test.js +349 -0
  1214. package/lib/vendor/blamejs/test/layer-1-state/api-key.test.js +717 -0
  1215. package/lib/vendor/blamejs/test/layer-5-integration/bundler-output.test.js +444 -0
  1216. package/lib/vendor/blamejs/test/layer-5-integration/guard-host-integration.test.js +597 -0
  1217. package/lib/vendor/blamejs/test/layer-5-integration/security-chaos.test.js +308 -0
  1218. package/lib/vendor/blamejs/test/smoke.js +431 -0
  1219. package/lib/webhooks.js +305 -0
  1220. package/package.json +43 -0
package/lib/vendor/blamejs/lib/mail-deploy.js ADDED
@@ -0,0 +1,1119 @@
1
+ "use strict";
2
+
3
+ /**
4
+ * @module b.mail.deploy
5
+ * @nav Mail
6
+ * @title Mail deployment helpers
7
+ * @order 250
8
+ * @since 0.9.56
9
+ *
10
+ * @intro
11
+ * Operator-deployment helpers for standing up a blamejs mail
12
+ * server. Generates the policy text + DNS records + client
13
+ * auto-discovery XML every deployment needs alongside the wire-
14
+ * protocol primitives. Pairs with existing verifiers
15
+ * (`b.network.smtp.policy` carries the inbound MTA-STS / TLS-RPT
16
+ * evaluation logic shipped pre-v0.9.46; `b.mail.bimi` carries the
17
+ * inbound BIMI trust-anchor verifier) so the publish-side helpers
18
+ * stay thin and the operator runs one vocabulary across both sides.
19
+ *
20
+ * Surface:
21
+ * - `b.mail.deploy.mtaStsPublish(opts)` — RFC 8461 §3.2
22
+ * `/.well-known/mta-sts.txt` policy text + DNS TXT record advice
23
+ * + DNS record-name advice. Pairs with the inbound MTA-STS
24
+ * verifier on the receiving side.
25
+ * - `b.mail.deploy.danePublish(opts)` — RFC 7672 + RFC 6698 TLSA
26
+ * record generator. Computes SHA-256 SubjectPublicKeyInfo hash
27
+ * from an operator-supplied PEM cert, returns the TLSA record
28
+ * string for the operator's DNS zone.
29
+ * - `b.mail.deploy.autoConfigXml(opts)` — Thunderbird's
30
+ * `autoconfig.example.com/mail/config-v1.1.xml` shape. RFC-less
31
+ * (Mozilla convention) but documented at
32
+ * https://wiki.mozilla.org/Thunderbird:Autoconfiguration:ConfigFileFormat
33
+ * - `b.mail.deploy.autoDiscoverXml(opts)` — Outlook's
34
+ * `autodiscover.example.com/autodiscover/autodiscover.xml`
35
+ * response shape. MS-OXDSCLI Section 5 + MS-OXDISCO.
36
+ *
37
+ * The XML generators emit single-string output the operator wires
38
+ * into `b.staticServe` (mta-sts.txt + autoconfig.xml) or a route
39
+ * handler (autodiscover, which is request-conditional). No new
40
+ * network surface — these are pure deterministic functions.
41
+ *
42
+ * @card
43
+ * Operator-deployment helpers: MTA-STS / DANE / autoconfig /
44
+ * autodiscover text generators. Pair with the existing inbound
45
+ * verifiers to complete the publish ↔ verify cycle.
46
+ */
47
+
48
+ var nodeCrypto = require("node:crypto");
49
+ var zlib = require("node:zlib");
50
+ var lazyRequire = require("./lazy-require");
51
+ var validateOpts = require("./validate-opts");
52
+ var numericBounds = require("./numeric-bounds");
53
+ var C = require("./constants");
54
+ var safeJson = require("./safe-json");
55
+ var safeBuffer = require("./safe-buffer");
56
+ var guardJson = lazyRequire(function () { return require("./guard-json"); });
57
+ var audit = lazyRequire(function () { return require("./audit"); });
58
+ var { defineClass } = require("./framework-error");
59
+
60
+ var MailDeployError = defineClass("MailDeployError", { alwaysPermanent: true });
61
+ var TlsRptParseError = defineClass("TlsRptParseError", { alwaysPermanent: true });
62
+
63
+ // RFC 8461 §3.2 MTA-STS policy field allowlist. Field values typed +
64
+ // bounded — operator supplies them; we never echo arbitrary bytes
65
+ // into a DNS-resolvable resource.
66
+ var STS_MODES = Object.freeze({ enforce: 1, testing: 1, none: 1 });
67
+
68
+ function _domainOk(d) {
69
+ if (typeof d !== "string" || d.length === 0 || d.length > 253) return false; // allow:raw-byte-literal — RFC 1035 §2.3.4
70
+ // Bounded LDH check; we don't pull in b.guardDomain here because
71
+ // the helper is text-generation and the operator owns the value.
72
+ // Refuse C0 (covers CR / LF / NUL), DEL, and `"` outright —
73
+ // header-injection class + XML-attribute-injection class.
74
+ for (var i = 0; i < d.length; i++) {
75
+ var c = d.charCodeAt(i);
76
+ if (c < 0x20 || c === 0x7F || c === 0x22) return false; // allow:raw-byte-literal — refuse C0 / DEL / "
77
+ }
78
+ return true;
79
+ }
80
+
81
+ function _xmlEscape(s) {
82
+ return String(s)
83
+ .replace(/&/g, "&amp;")
84
+ .replace(/</g, "&lt;")
85
+ .replace(/>/g, "&gt;")
86
+ .replace(/"/g, "&quot;")
87
+ .replace(/'/g, "&apos;");
88
+ }
89
+
90
+ /**
91
+ * @primitive b.mail.deploy.mtaStsPublish
92
+ * @signature b.mail.deploy.mtaStsPublish(opts)
93
+ * @since 0.9.56
94
+ * @status stable
95
+ * @related b.mail.deploy.danePublish
96
+ *
97
+ * Generate the MTA-STS policy file ([RFC 8461 §3.2](https://www.rfc-editor.org/rfc/rfc8461#section-3.2))
98
+ * + DNS TXT record advice. Operator serves the returned `policyText`
99
+ * over HTTPS at `https://mta-sts.<domain>/.well-known/mta-sts.txt`
100
+ * and publishes the TXT record at `_mta-sts.<domain>` so peers can
101
+ * discover the policy version.
102
+ *
103
+ * @opts
104
+ * domain: string, // your mail domain, e.g. "example.com"
105
+ * mode: "enforce"|"testing"|"none",
106
+ * mxHosts: string[], // your MX server hostnames (wildcards `*.mx.` allowed per §3.2.1)
107
+ * maxAgeSec: number, // policy TTL — RFC 8461 §3.2 SHOULD be ≥ 604800 (1 week)
108
+ * policyId: string?, // optional; defaults to ISO 8601 timestamp
109
+ *
110
+ * @example
111
+ * var rv = b.mail.deploy.mtaStsPublish({
112
+ * domain: "example.com",
113
+ * mode: "enforce",
114
+ * mxHosts: ["mx1.example.com", "mx2.example.com"],
115
+ * maxAgeSec: 604800,
116
+ * });
117
+ * rv.policyText; // → multi-line MTA-STS policy
118
+ * rv.dnsTxtRecord; // → "v=STSv1; id=20260516T120000Z;"
119
+ * rv.policyPath; // → "/.well-known/mta-sts.txt"
120
+ * rv.dnsTxtName; // → "_mta-sts.example.com"
121
+ */
122
+ function mtaStsPublish(opts) {
123
+ validateOpts.requireObject(opts || {}, "b.mail.deploy.mtaStsPublish",
124
+ MailDeployError, "mail-deploy/bad-opts");
125
+ if (!_domainOk(opts.domain)) {
126
+ throw new MailDeployError("mail-deploy/bad-domain",
127
+ "mtaStsPublish: opts.domain must be a valid hostname");
128
+ }
129
+ if (!STS_MODES[opts.mode]) {
130
+ throw new MailDeployError("mail-deploy/bad-mode",
131
+ "mtaStsPublish: opts.mode must be 'enforce' | 'testing' | 'none'");
132
+ }
133
+ if (!Array.isArray(opts.mxHosts) || opts.mxHosts.length === 0) {
134
+ throw new MailDeployError("mail-deploy/bad-mx",
135
+ "mtaStsPublish: opts.mxHosts must be a non-empty array");
136
+ }
137
+ if (opts.mxHosts.length > 64) { // allow:raw-byte-literal — array cap
138
+ throw new MailDeployError("mail-deploy/bad-mx",
139
+ "mtaStsPublish: opts.mxHosts must contain at most 64 entries");
140
+ }
141
+ for (var i = 0; i < opts.mxHosts.length; i++) {
142
+ var m = opts.mxHosts[i];
143
+ if (typeof m !== "string" || m.length === 0 || m.length > 253) { // allow:raw-byte-literal — RFC 1035 cap
144
+ throw new MailDeployError("mail-deploy/bad-mx",
145
+ "mtaStsPublish: opts.mxHosts[" + i + "] invalid");
146
+ }
147
+ // Allow wildcard `*.mx.example.com` per RFC 8461 §3.2.1.
148
+ var bare = m.charCodeAt(0) === 0x2A && m.charCodeAt(1) === 0x2E ? m.slice(2) : m;
149
+ if (!_domainOk(bare)) {
150
+ throw new MailDeployError("mail-deploy/bad-mx",
151
+ "mtaStsPublish: opts.mxHosts[" + i + "] not a valid hostname");
152
+ }
153
+ }
154
+ if (!numericBounds.isPositiveFiniteInt(opts.maxAgeSec)) {
155
+ throw new MailDeployError("mail-deploy/bad-max-age",
156
+ "mtaStsPublish: opts.maxAgeSec must be a positive integer");
157
+ }
158
+ if (opts.maxAgeSec > 31557600) { // allow:raw-time-literal — 1 year in seconds (RFC 8461 §3.2 max_age unit) // allow:raw-byte-literal — same numeric, no byte semantic
159
+ throw new MailDeployError("mail-deploy/bad-max-age",
160
+ "mtaStsPublish: opts.maxAgeSec exceeds 1 year (RFC 8461 §3.2 SHOULD ≤ 31557600)");
161
+ }
162
+
163
+ // RFC 8461 §3.2 policy text uses CRLF.
164
+ var lines = [];
165
+ lines.push("version: STSv1");
166
+ lines.push("mode: " + opts.mode);
167
+ for (var j = 0; j < opts.mxHosts.length; j++) {
168
+ lines.push("mx: " + opts.mxHosts[j]);
169
+ }
170
+ lines.push("max_age: " + opts.maxAgeSec);
171
+ var policyText = lines.join("\r\n") + "\r\n";
172
+
173
+ // RFC 8461 §3.1 — DNS TXT record carries the policy version (id).
174
+ // Operator updates `id` whenever they re-publish a different policy
175
+ // so peers can detect the change without re-fetching every fetch.
176
+ var policyId;
177
+ if (typeof opts.policyId === "string" && opts.policyId.length > 0) {
178
+ if (!/^[a-zA-Z0-9_-]{1,32}$/.test(opts.policyId)) { // allow:raw-byte-literal — RFC 8461 §3.1 token shape
179
+ throw new MailDeployError("mail-deploy/bad-policy-id",
180
+ "mtaStsPublish: opts.policyId must match [a-zA-Z0-9_-]{1,32}");
181
+ }
182
+ policyId = opts.policyId;
183
+ } else {
184
+ // ISO 8601 timestamp w/o punctuation = unique-by-second.
185
+ policyId = new Date().toISOString().replace(/[-:.TZ]/g, "").slice(0, 16); // allow:raw-byte-literal — yyyymmddhhmmssms
186
+ }
187
+
188
+ return {
189
+ policyText: policyText,
190
+ policyPath: "/.well-known/mta-sts.txt",
191
+ dnsTxtName: "_mta-sts." + opts.domain,
192
+ dnsTxtRecord: "v=STSv1; id=" + policyId + ";",
193
+ policyId: policyId,
194
+ };
195
+ }
196
+
197
+ /**
198
+ * @primitive b.mail.deploy.danePublish
199
+ * @signature b.mail.deploy.danePublish(opts)
200
+ * @since 0.9.56
201
+ * @status stable
202
+ *
203
+ * Generate a TLSA record string ([RFC 7672](https://www.rfc-editor.org/rfc/rfc7672)
204
+ * + [RFC 6698](https://www.rfc-editor.org/rfc/rfc6698)) for an MX
205
+ * host's TLS certificate. Computes the SHA-256 SubjectPublicKeyInfo
206
+ * hash of the operator-supplied cert PEM (DANE-EE matching type 1) —
207
+ * the recommended posture per RFC 7672 §3.1.3 because it survives
208
+ * intermediate-CA changes as long as the leaf key stays stable.
209
+ *
210
+ * @opts
211
+ * certPem: string, // PEM cert text
212
+ * mxHost: string, // e.g. "mx1.example.com"
213
+ * port: number?, // default 25 (RFC 7672 §3.1)
214
+ * usage: number?, // 3 (DANE-EE) | 2 (DANE-TA) | 1 (PKIX-EE) | 0 (PKIX-TA); default 3
215
+ * selector: number?, // 1 (SPKI) | 0 (cert); default 1
216
+ * matchType: number?, // 1 (SHA-256) | 2 (SHA-512); default 1
217
+ *
218
+ * @example
219
+ * var rv = b.mail.deploy.danePublish({
220
+ * certPem: fs.readFileSync("/etc/letsencrypt/live/mx1/cert.pem", "utf8"),
221
+ * mxHost: "mx1.example.com",
222
+ * });
223
+ * rv.dnsName; // → "_25._tcp.mx1.example.com"
224
+ * rv.record; // → "3 1 1 <64-hex>"
225
+ * rv.zoneLine; // → "_25._tcp.mx1.example.com. IN TLSA 3 1 1 <64-hex>"
226
+ */
227
+ function danePublish(opts) {
228
+ validateOpts.requireObject(opts || {}, "b.mail.deploy.danePublish",
229
+ MailDeployError, "mail-deploy/bad-opts");
230
+ validateOpts.requireNonEmptyString(opts.certPem,
231
+ "b.mail.deploy.danePublish: opts.certPem", MailDeployError, "mail-deploy/bad-cert");
232
+ if (opts.certPem.length > 65536) { // allow:raw-byte-literal — sanity cap on PEM input
233
+ throw new MailDeployError("mail-deploy/bad-cert",
234
+ "danePublish: opts.certPem too large");
235
+ }
236
+ if (!_domainOk(opts.mxHost)) {
237
+ throw new MailDeployError("mail-deploy/bad-mx-host",
238
+ "danePublish: opts.mxHost must be a valid hostname");
239
+ }
240
+ var port = opts.port === undefined ? 25 : opts.port; // allow:raw-byte-literal — RFC 7672 §3.1 default port
241
+ if (!numericBounds.isPositiveFiniteInt(port) || port > 65535) { // allow:raw-byte-literal — IANA port range
242
+ throw new MailDeployError("mail-deploy/bad-port",
243
+ "danePublish: opts.port must be 1..65535");
244
+ }
245
+ var usage = opts.usage === undefined ? 3 : opts.usage; // allow:raw-byte-literal — DANE-EE
246
+ var selector = opts.selector === undefined ? 1 : opts.selector; // allow:raw-byte-literal — SPKI
247
+ var matchType = opts.matchType === undefined ? 1 : opts.matchType; // allow:raw-byte-literal — SHA-256
248
+ if ([0, 1, 2, 3].indexOf(usage) === -1) {
249
+ throw new MailDeployError("mail-deploy/bad-usage",
250
+ "danePublish: opts.usage must be 0|1|2|3 (RFC 6698 §2.1.1)");
251
+ }
252
+ if ([0, 1].indexOf(selector) === -1) {
253
+ throw new MailDeployError("mail-deploy/bad-selector",
254
+ "danePublish: opts.selector must be 0|1 (RFC 6698 §2.1.2)");
255
+ }
256
+ if ([1, 2].indexOf(matchType) === -1) {
257
+ throw new MailDeployError("mail-deploy/bad-match-type",
258
+ "danePublish: opts.matchType must be 1|2 (RFC 6698 §2.1.3; matchType 0 'exact' refused — record bloat)");
259
+ }
260
+
261
+ // Parse cert PEM via node:crypto X509Certificate, extract the bytes
262
+ // we hash. selector=0 → full DER; selector=1 → SubjectPublicKeyInfo.
263
+ var x509;
264
+ try {
265
+ x509 = new nodeCrypto.X509Certificate(opts.certPem);
266
+ } catch (e) {
267
+ throw new MailDeployError("mail-deploy/bad-cert",
268
+ "danePublish: cert PEM did not parse: " + (e && e.message ? e.message : String(e)));
269
+ }
270
+ var bytes;
271
+ if (selector === 0) {
272
+ bytes = x509.raw;
273
+ } else {
274
+ // SPKI extraction — node:crypto X509Certificate.publicKey.export.
275
+ var spki = x509.publicKey.export({ type: "spki", format: "der" });
276
+ bytes = spki;
277
+ }
278
+ var algo = matchType === 1 ? "sha256" : "sha512";
279
+ var hashHex = nodeCrypto.createHash(algo).update(bytes).digest("hex");
280
+ var record = usage + " " + selector + " " + matchType + " " + hashHex;
281
+ var dnsName = "_" + port + "._tcp." + opts.mxHost;
282
+ return {
283
+ dnsName: dnsName,
284
+ record: record,
285
+ zoneLine: dnsName + ". IN TLSA " + record,
286
+ usage: usage,
287
+ selector: selector,
288
+ matchType: matchType,
289
+ };
290
+ }
291
+
292
+ /**
293
+ * @primitive b.mail.deploy.autoConfigXml
294
+ * @signature b.mail.deploy.autoConfigXml(opts)
295
+ * @since 0.9.56
296
+ * @status stable
297
+ *
298
+ * Generate Thunderbird's `autoconfig.<domain>/mail/config-v1.1.xml`
299
+ * payload. Thunderbird checks this URL when a user types their
300
+ * email address into the new-account wizard; serving the XML
301
+ * eliminates the per-user IMAP / SMTP host + port + auth-method
302
+ * data entry that mail clients otherwise demand.
303
+ *
304
+ * The endpoint format is Mozilla-convention rather than RFC, but
305
+ * Outlook, Apple Mail's Mail.app, and Evolution all read the same
306
+ * file when present.
307
+ *
308
+ * @opts
309
+ * domain: string, // e.g. "example.com"
310
+ * displayName: string?, // brand label; defaults to domain
311
+ * imap: { host, port, socketType?, username? }, // optional
312
+ * pop3: { host, port, socketType?, username? }, // optional
313
+ * smtp: { host, port, socketType?, username? }, // optional
314
+ * jmap: { url }?, // optional — JMAP-aware clients
315
+ *
316
+ * @example
317
+ * var xml = b.mail.deploy.autoConfigXml({
318
+ * domain: "example.com",
319
+ * imap: { host: "imap.example.com", port: 993, socketType: "SSL" },
320
+ * smtp: { host: "smtp.example.com", port: 587, socketType: "STARTTLS" },
321
+ * });
322
+ * // Serve at `https://autoconfig.example.com/mail/config-v1.1.xml`
323
+ */
324
+ function autoConfigXml(opts) {
325
+ validateOpts.requireObject(opts || {}, "b.mail.deploy.autoConfigXml",
326
+ MailDeployError, "mail-deploy/bad-opts");
327
+ if (!_domainOk(opts.domain)) {
328
+ throw new MailDeployError("mail-deploy/bad-domain",
329
+ "autoConfigXml: opts.domain must be a valid hostname");
330
+ }
331
+ var brand = typeof opts.displayName === "string" && opts.displayName.length > 0 ?
332
+ opts.displayName : opts.domain;
333
+ if (brand.length > 256) { // allow:raw-byte-literal — DOM attr cap
334
+ throw new MailDeployError("mail-deploy/bad-displayName",
335
+ "autoConfigXml: opts.displayName too long");
336
+ }
337
+ // Per Mozilla autoconfig config-v1.1 spec
338
+ // (https://wiki.mozilla.org/Thunderbird:Autoconfiguration:ConfigFileFormat),
339
+ // the `type` attribute on `incomingServer` / `outgoingServer` carries
340
+ // the protocol name (`imap` / `pop3` / `smtp`), not the direction. The
341
+ // `incomingServer` / `outgoingServer` element name itself signals
342
+ // direction; the attribute disambiguates between IMAP- and POP3-
343
+ // shaped incoming connections.
344
+ function _server(element, protocol, cfg) {
345
+ if (!cfg) return "";
346
+ if (!_domainOk(cfg.host)) {
347
+ throw new MailDeployError("mail-deploy/bad-host",
348
+ "autoConfigXml: opts." + protocol + ".host invalid");
349
+ }
350
+ if (!numericBounds.isPositiveFiniteInt(cfg.port) || cfg.port > 65535) { // allow:raw-byte-literal — IANA port
351
+ throw new MailDeployError("mail-deploy/bad-port",
352
+ "autoConfigXml: opts." + protocol + ".port invalid");
353
+ }
354
+ var socketType = cfg.socketType === "STARTTLS" || cfg.socketType === "plain" ?
355
+ cfg.socketType : "SSL";
356
+ var userTok = typeof cfg.username === "string" && cfg.username.length > 0 ?
357
+ cfg.username : "%EMAILADDRESS%";
358
+ return "" +
359
+ " <" + element + " type=\"" + protocol + "\">\n" +
360
+ " <hostname>" + _xmlEscape(cfg.host) + "</hostname>\n" +
361
+ " <port>" + cfg.port + "</port>\n" +
362
+ " <socketType>" + socketType + "</socketType>\n" +
363
+ " <username>" + _xmlEscape(userTok) + "</username>\n" +
364
+ " <authentication>password-cleartext</authentication>\n" +
365
+ " </" + element + ">\n";
366
+ }
367
+ // JMAP-aware clients read a different element (`mailproxy` /
368
+ // `jmapServer` per the Mozilla draft + Fastmail convention).
369
+ function _jmapServer(cfg) {
370
+ if (!cfg) return "";
371
+ if (typeof cfg.url !== "string" || cfg.url.length === 0 || cfg.url.length > 1024) { // allow:raw-byte-literal — URL cap
372
+ throw new MailDeployError("mail-deploy/bad-jmap-url",
373
+ "autoConfigXml: opts.jmap.url must be a non-empty string");
374
+ }
375
+ // Refuse control bytes / quote in the URL.
376
+ for (var k = 0; k < cfg.url.length; k++) {
377
+ var c = cfg.url.charCodeAt(k);
378
+ if (c < 0x20 || c === 0x7F || c === 0x22) { // allow:raw-byte-literal — C0 / DEL / "
379
+ throw new MailDeployError("mail-deploy/bad-jmap-url",
380
+ "autoConfigXml: opts.jmap.url contains control byte");
381
+ }
382
+ }
383
+ return "" +
384
+ " <incomingServer type=\"jmap\">\n" +
385
+ " <url>" + _xmlEscape(cfg.url) + "</url>\n" +
386
+ " <username>%EMAILADDRESS%</username>\n" +
387
+ " <authentication>OAuth2</authentication>\n" +
388
+ " </incomingServer>\n";
389
+ }
390
+ var incoming = "";
391
+ if (opts.imap) incoming += _server("incomingServer", "imap", opts.imap);
392
+ if (opts.pop3) incoming += _server("incomingServer", "pop3", opts.pop3);
393
+ if (opts.jmap) incoming += _jmapServer(opts.jmap);
394
+ if (!incoming) {
395
+ throw new MailDeployError("mail-deploy/bad-opts",
396
+ "autoConfigXml: at least one of opts.imap / opts.pop3 / opts.jmap required");
397
+ }
398
+ var outgoing = opts.smtp ? _server("outgoingServer", "smtp", opts.smtp) : "";
399
+
400
+ return "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n" +
401
+ "<clientConfig version=\"1.1\">\n" +
402
+ " <emailProvider id=\"" + _xmlEscape(opts.domain) + "\">\n" +
403
+ " <domain>" + _xmlEscape(opts.domain) + "</domain>\n" +
404
+ " <displayName>" + _xmlEscape(brand) + "</displayName>\n" +
405
+ " <displayShortName>" + _xmlEscape(brand) + "</displayShortName>\n" +
406
+ incoming +
407
+ outgoing +
408
+ " </emailProvider>\n" +
409
+ "</clientConfig>\n";
410
+ }
411
+
412
+ /**
413
+ * @primitive b.mail.deploy.autoDiscoverXml
414
+ * @signature b.mail.deploy.autoDiscoverXml(opts)
415
+ * @since 0.9.56
416
+ * @status stable
417
+ *
418
+ * Generate Outlook's `autodiscover/autodiscover.xml` response payload.
419
+ * Outlook POSTs an XML request to
420
+ * `https://autodiscover.<domain>/autodiscover/autodiscover.xml` with
421
+ * the user's email; the response declares IMAP + SMTP host / port /
422
+ * socket settings. MS-OXDISCO + MS-OXDSCLI (open spec).
423
+ *
424
+ * @opts
425
+ * email: string, // operator-extracted from the POST body
426
+ * imap: { host, port, ssl? }, // optional
427
+ * pop3: { host, port, ssl? }, // optional
428
+ * smtp: { host, port, ssl? }, // optional
429
+ *
430
+ * @example
431
+ * var xml = b.mail.deploy.autoDiscoverXml({
432
+ * email: "alice@example.com",
433
+ * imap: { host: "imap.example.com", port: 993, ssl: true },
434
+ * smtp: { host: "smtp.example.com", port: 465, ssl: true },
435
+ * });
436
+ */
437
+ function autoDiscoverXml(opts) {
438
+ validateOpts.requireObject(opts || {}, "b.mail.deploy.autoDiscoverXml",
439
+ MailDeployError, "mail-deploy/bad-opts");
440
+ if (typeof opts.email !== "string" || opts.email.length === 0 || opts.email.length > 254) { // allow:raw-byte-literal — RFC 5321 cap
441
+ throw new MailDeployError("mail-deploy/bad-email",
442
+ "autoDiscoverXml: opts.email must be a non-empty string");
443
+ }
444
+ // Refuse CR / LF / NUL / control bytes in email (XML injection class).
445
+ for (var i = 0; i < opts.email.length; i++) {
446
+ var c = opts.email.charCodeAt(i);
447
+ if (c < 0x20 || c === 0x7F) { // allow:raw-byte-literal — C0 / DEL
448
+ throw new MailDeployError("mail-deploy/bad-email",
449
+ "autoDiscoverXml: opts.email contains control byte");
450
+ }
451
+ }
452
+ function _proto(kind, cfg) {
453
+ if (!cfg) return "";
454
+ if (!_domainOk(cfg.host)) {
455
+ throw new MailDeployError("mail-deploy/bad-host",
456
+ "autoDiscoverXml: opts." + kind.toLowerCase() + ".host invalid");
457
+ }
458
+ if (!numericBounds.isPositiveFiniteInt(cfg.port) || cfg.port > 65535) { // allow:raw-byte-literal — IANA port
459
+ throw new MailDeployError("mail-deploy/bad-port",
460
+ "autoDiscoverXml: opts." + kind.toLowerCase() + ".port invalid");
461
+ }
462
+ var ssl = cfg.ssl === false ? "off" : "on";
463
+ return "" +
464
+ " <Protocol>\n" +
465
+ " <Type>" + kind + "</Type>\n" +
466
+ " <Server>" + _xmlEscape(cfg.host) + "</Server>\n" +
467
+ " <Port>" + cfg.port + "</Port>\n" +
468
+ " <SSL>" + ssl + "</SSL>\n" +
469
+ " <SPA>off</SPA>\n" +
470
+ " <Encryption>" + (ssl === "on" ? "SSL" : "None") + "</Encryption>\n" +
471
+ " <AuthRequired>on</AuthRequired>\n" +
472
+ " </Protocol>\n";
473
+ }
474
+ var protos = "";
475
+ if (opts.imap) protos += _proto("IMAP", opts.imap);
476
+ if (opts.pop3) protos += _proto("POP3", opts.pop3);
477
+ if (opts.smtp) protos += _proto("SMTP", opts.smtp);
478
+ if (!protos) {
479
+ throw new MailDeployError("mail-deploy/bad-opts",
480
+ "autoDiscoverXml: at least one of opts.imap / opts.pop3 / opts.smtp required");
481
+ }
482
+ return "<?xml version=\"1.0\" encoding=\"utf-8\"?>\n" +
483
+ "<Autodiscover xmlns=\"http://schemas.microsoft.com/exchange/autodiscover/responseschema/2006\">\n" +
484
+ " <Response xmlns=\"http://schemas.microsoft.com/exchange/autodiscover/outlook/responseschema/2006a\">\n" +
485
+ " <Account>\n" +
486
+ " <AccountType>email</AccountType>\n" +
487
+ " <Action>settings</Action>\n" +
488
+ protos +
489
+ " </Account>\n" +
490
+ " </Response>\n" +
491
+ "</Autodiscover>\n";
492
+ }
493
+
494
+ // ---- TLS-RPT receiver (RFC 8460) ----
495
+ //
496
+ // Inbound aggregate-report ingest for operators who publish
497
+ // `rua=https://reports.example.com/tlsrpt` on `_smtp._tls.<domain>`.
498
+ // Reporters POST `application/tlsrpt+json` (raw) or
499
+ // `application/tlsrpt+gzip` (gzip-wrapped JSON) per RFC 8460 §5.4
500
+ // + §6.4-6.5 IANA media-type registrations.
501
+ //
502
+ // v1 scope (this slice):
503
+ // - `parseTlsRptReport(bytes, opts?)` — pure parser + §4.4 schema
504
+ // validator. Caps decompressed size (default 32 MiB), compressed
505
+ // size (default 4 MiB), and compression ratio (default 50:1) to
506
+ // defend CVE-2025-0725 / generic decompression-amplification.
507
+ // - `tlsRptIngestHttp({...})` — (req, res) factory returning an
508
+ // RFC 8460 §5.4-compliant handler (201 on accept / 400 on bad
509
+ // JSON / 413 on size / 415 on bad media-type / 405 on non-POST).
510
+ // - `tlsRptReportSchema()` — schema descriptor for operator
511
+ // dashboards.
512
+ //
513
+ // Deferred from v1 (each with documented condition):
514
+ // - `mailto:` ingest via b.mail.server.mx. Defer condition: no
515
+ // operator demand has surfaced; HTTPS POST is the de-facto
516
+ // deployment shape for TLS-RPT today (reporters with `rua=mailto:`
517
+ // ingest are a long tail). Operators wanting mailto: ingest
518
+ // compose b.mail.server.mx today + call `parseTlsRptReport` on
519
+ // the extracted body part themselves. Reopens when an operator
520
+ // surfaces concrete demand AND the mail.server.mx surface stays
521
+ // stable across the upcoming UTA-draft revisions.
522
+ // - Brotli decompression. Defer condition: no fielded reporter
523
+ // uses `Content-Encoding: br` for TLS-RPT today; the IANA
524
+ // media-type registry (RFC 8460 §6.4) only registers +json and
525
+ // +gzip. Operators behind a brotli-encoding proxy decode at the
526
+ // proxy layer. Reopens when at least one fielded reporter ships
527
+ // brotli or the in-progress UTA-draft requires it.
528
+
529
+ // Hard caps — defensive against CVE-2025-0725 (libcurl/zlib
530
+ // integer overflow), CVE-2024-zlib decompression amplification, and
531
+ // the §5.2 community ceiling (receivers commonly cap at 10 MiB).
532
+ var TLSRPT_MAX_COMPRESSED_BYTES = C.BYTES.mib(4); // allow:raw-byte-literal — 4 MiB compressed cap per §5.2 community practice
533
+ var TLSRPT_MAX_DECOMPRESSED_BYTES = C.BYTES.mib(32); // allow:raw-byte-literal — 32 MiB decompressed cap (operators override via opts)
534
+ var TLSRPT_MAX_RATIO = 50; // allow:raw-byte-literal — 50:1 compression ratio refusal
535
+ var TLSRPT_MAX_POLICIES = 1000; // allow:raw-byte-literal allow:raw-time-literal — RFC 8460 §4.4 policy-cardinality cap
536
+ var TLSRPT_MAX_FAILURE_DETAILS = 10000; // allow:raw-byte-literal — per-policy failure-details cap
537
+ var TLSRPT_GZIP_MAGIC_0 = 0x1f; // allow:raw-byte-literal — RFC 1952 gzip magic byte 0
538
+ var TLSRPT_GZIP_MAGIC_1 = 0x8b; // allow:raw-byte-literal — RFC 1952 gzip magic byte 1
539
+
540
+ // Valid RFC 8460 §4.4 result-type values for `failure-details[].result-type`.
541
+ var TLSRPT_RESULT_TYPES = Object.freeze({
542
+ "starttls-not-supported": 1,
543
+ "certificate-host-mismatch": 1,
544
+ "certificate-expired": 1,
545
+ "certificate-not-trusted": 1,
546
+ "validation-failure": 1,
547
+ "tlsa-invalid": 1,
548
+ "dnssec-invalid": 1,
549
+ "dane-required": 1,
550
+ "sts-policy-fetch-error": 1,
551
+ "sts-policy-invalid": 1,
552
+ "sts-webpki-invalid": 1,
553
+ });
554
+
555
+ // Valid RFC 8460 §4.4 policy-type values.
556
+ var TLSRPT_POLICY_TYPES = Object.freeze({
557
+ sts: 1, tlsa: 1, "no-policy-found": 1,
558
+ });
559
+
560
+ /**
561
+ * @primitive b.mail.deploy.parseTlsRptReport
562
+ * @signature b.mail.deploy.parseTlsRptReport(input, opts?)
563
+ * @since 0.10.15
564
+ * @status stable
565
+ * @compliance hipaa, pci-dss, gdpr, soc2
566
+ * @related b.mail.deploy.tlsRptIngestHttp, b.mail.deploy.tlsRptReportSchema
567
+ *
568
+ * Parse + validate an RFC 8460 TLS-RPT aggregate report. Accepts:
569
+ * - Raw `application/tlsrpt+json` bytes (Buffer or string).
570
+ * - `application/tlsrpt+gzip` bytes (gzip magic auto-detected via
571
+ * `0x1f 0x8b` per RFC 1952, or routed when `opts.contentType`
572
+ * names a gzip media-type).
573
+ *
574
+ * Refusal posture:
575
+ * - Compressed payload > `opts.maxCompressedBytes` (default 4 MiB)
576
+ * → `mail-tlsrpt/oversize-compressed`.
577
+ * - Decompressed payload > `opts.maxDecompressedBytes` (default
578
+ * 32 MiB) → `mail-tlsrpt/gunzip-bomb`.
579
+ * - Compression ratio > `opts.maxRatio` (default 50:1) →
580
+ * `mail-tlsrpt/ratio-bomb`.
581
+ * - Malformed gzip → `mail-tlsrpt/gunzip-failed`.
582
+ * - Routes through `b.guardJson.parse` for proto-pollution / depth
583
+ * / key-count defenses before the §4.4 schema walk.
584
+ * - Missing REQUIRED §4.4 fields → `mail-tlsrpt/bad-schema`.
585
+ * - `policies` MUST be an array (RFC 8460 §4.4 erratum, even for
586
+ * single-policy reports).
587
+ *
588
+ * @opts
589
+ * contentType: string, // optional — hint for gzip routing
590
+ * maxCompressedBytes: number, // default TLSRPT_MAX_COMPRESSED_BYTES (4 MiB)
591
+ * maxDecompressedBytes: number, // default TLSRPT_MAX_DECOMPRESSED_BYTES (32 MiB)
592
+ * maxRatio: number, // default 50 (compressed:decompressed cap)
593
+ *
594
+ * @example
595
+ * var report = b.mail.deploy.parseTlsRptReport(reqBody, {
596
+ * contentType: req.headers["content-type"],
597
+ * });
598
+ * // → { organization-name, date-range: {start, end}, contact-info,
599
+ * // report-id, policies: [{ policy-type, policy-domain, ... }] }
600
+ */
601
+ function parseTlsRptReport(input, opts) {
602
+ opts = opts || {};
603
+ var bytes;
604
+ if (Buffer.isBuffer(input)) bytes = input;
605
+ else if (typeof input === "string") bytes = Buffer.from(input, "utf8");
606
+ else {
607
+ throw new TlsRptParseError("mail-tlsrpt/bad-input",
608
+ "parseTlsRptReport: input must be a Buffer or string");
609
+ }
610
+ numericBounds.requireAllPositiveFiniteIntIfPresent(opts,
611
+ ["maxCompressedBytes", "maxDecompressedBytes", "maxRatio"],
612
+ "parseTlsRptReport", TlsRptParseError, "mail-tlsrpt/bad-opts");
613
+ var maxCompressed = opts.maxCompressedBytes || TLSRPT_MAX_COMPRESSED_BYTES;
614
+ var maxDecompressed = opts.maxDecompressedBytes || TLSRPT_MAX_DECOMPRESSED_BYTES;
615
+ var maxRatio = opts.maxRatio || TLSRPT_MAX_RATIO;
616
+ if (bytes.length > maxCompressed) {
617
+ throw new TlsRptParseError("mail-tlsrpt/oversize-compressed",
618
+ "parseTlsRptReport: compressed payload " + bytes.length +
619
+ " bytes exceeds maxCompressedBytes=" + maxCompressed);
620
+ }
621
+
622
+ // gzip auto-detect — magic 0x1f 0x8b per RFC 1952. Routes through
623
+ // the same defensive shape as DMARC RUA (lib/mail-auth.js): bound
624
+ // decompression at the cap, surface bomb-vs-malformed as distinct
625
+ // typed errors so audit / alert wiring can react differently.
626
+ var contentType = (opts.contentType || "").toLowerCase();
627
+ var compressedLen = bytes.length;
628
+ var looksGzip = bytes.length >= 2 && bytes[0] === TLSRPT_GZIP_MAGIC_0 && bytes[1] === TLSRPT_GZIP_MAGIC_1;
629
+ var wasCompressed = false;
630
+ if (contentType.indexOf("gzip") !== -1 || looksGzip) {
631
+ wasCompressed = true;
632
+ try { bytes = zlib.gunzipSync(bytes, { maxOutputLength: maxDecompressed }); }
633
+ catch (e) {
634
+ var msg = (e && e.message) || String(e);
635
+ var isBomb = (e && (e.code === "ERR_BUFFER_TOO_LARGE" || e.code === "ERR_OUT_OF_RANGE")) ||
636
+ /output length|max(?:imum)?\s+output|exceeds?/i.test(msg);
637
+ if (isBomb) {
638
+ throw new TlsRptParseError("mail-tlsrpt/gunzip-bomb",
639
+ "parseTlsRptReport: gunzip output exceeded " + maxDecompressed +
640
+ " bytes (decompression amplification — refused per CVE-2025-0725 class)");
641
+ }
642
+ throw new TlsRptParseError("mail-tlsrpt/gunzip-failed",
643
+ "parseTlsRptReport: gunzip failed: " + msg);
644
+ }
645
+ if (compressedLen > 0 && bytes.length / compressedLen > maxRatio) {
646
+ throw new TlsRptParseError("mail-tlsrpt/ratio-bomb",
647
+ "parseTlsRptReport: decompression ratio " +
648
+ Math.round(bytes.length / compressedLen) + ":1 exceeds maxRatio=" +
649
+ maxRatio + ":1 (decompression amplification — refused)");
650
+ }
651
+ }
652
+
653
+ // Route through b.guardJson — proto-pollution / depth / key-count
654
+ // defenses on every untrusted-JSON parse path (closes v0.10.14
655
+ // detector class for untrusted-json-without-guardjson).
656
+ var raw;
657
+ try {
658
+ raw = guardJson().parse(bytes.toString("utf8"), {
659
+ maxBytes: maxDecompressed,
660
+ maxDepth: 32, // allow:raw-byte-literal — JSON depth cap
661
+ maxKeys: 1000, // allow:raw-byte-literal — top-level key cap
662
+ });
663
+ } catch (_e) {
664
+ // Fall back to b.safeJson.parse if guardJson isn't available (in
665
+ // certain bootstrap paths). Both refuse __proto__ / depth-bombs.
666
+ try { raw = safeJson.parse(bytes.toString("utf8")); }
667
+ catch (e2) {
668
+ throw new TlsRptParseError("mail-tlsrpt/bad-json",
669
+ "parseTlsRptReport: JSON parse failed: " + ((e2 && e2.message) || String(e2)));
670
+ }
671
+ }
672
+
673
+ return _validateTlsRptReport(raw, { wasCompressed: wasCompressed });
674
+ }
675
+
676
+ function _validateTlsRptReport(raw, ctx) {
677
+ if (!raw || typeof raw !== "object" || Array.isArray(raw)) {
678
+ throw new TlsRptParseError("mail-tlsrpt/bad-schema",
679
+ "parseTlsRptReport: top-level must be a JSON object");
680
+ }
681
+ // RFC 8460 §4.4 REQUIRED fields.
682
+ var orgName = raw["organization-name"];
683
+ var contact = raw["contact-info"];
684
+ var reportId = raw["report-id"];
685
+ var dateRange = raw["date-range"];
686
+ var policies = raw["policies"];
687
+ if (typeof orgName !== "string" || orgName.length === 0) {
688
+ throw new TlsRptParseError("mail-tlsrpt/bad-schema",
689
+ "parseTlsRptReport: missing required string 'organization-name'");
690
+ }
691
+ if (typeof contact !== "string" || contact.length === 0) {
692
+ throw new TlsRptParseError("mail-tlsrpt/bad-schema",
693
+ "parseTlsRptReport: missing required string 'contact-info'");
694
+ }
695
+ if (typeof reportId !== "string" || reportId.length === 0) {
696
+ throw new TlsRptParseError("mail-tlsrpt/bad-schema",
697
+ "parseTlsRptReport: missing required string 'report-id'");
698
+ }
699
+ if (!dateRange || typeof dateRange !== "object" ||
700
+ typeof dateRange["start-datetime"] !== "string" ||
701
+ typeof dateRange["end-datetime"] !== "string") {
702
+ throw new TlsRptParseError("mail-tlsrpt/bad-schema",
703
+ "parseTlsRptReport: 'date-range' must have string start-datetime + end-datetime");
704
+ }
705
+ // RFC 8460 §4.4 erratum — `policies` MUST be an array even for a
706
+ // single-policy report. Some legacy implementations emit a bare
707
+ // object; we refuse to normalize so the operator catches the
708
+ // upstream non-conformance.
709
+ if (!Array.isArray(policies)) {
710
+ throw new TlsRptParseError("mail-tlsrpt/bad-schema",
711
+ "parseTlsRptReport: 'policies' must be an array (RFC 8460 §4.4 erratum); single-policy reports still use [policy] form");
712
+ }
713
+ if (policies.length === 0) {
714
+ throw new TlsRptParseError("mail-tlsrpt/bad-schema",
715
+ "parseTlsRptReport: 'policies' must be a non-empty array");
716
+ }
717
+ if (policies.length > TLSRPT_MAX_POLICIES) {
718
+ throw new TlsRptParseError("mail-tlsrpt/too-many-policies",
719
+ "parseTlsRptReport: report has " + policies.length +
720
+ " policies (cap " + TLSRPT_MAX_POLICIES + ")");
721
+ }
722
+ // Codex P2 (v0.10.15) — validate summary counts as finite non-negative
723
+ // integers before summing. `Number(...) || 0` would accept
724
+ // `Infinity` (from JSON literal `1e309` or string "Infinity"),
725
+ // negative values, and arbitrary strings (coerced to NaN→0). Each
726
+ // is operator-untrusted input on an audit-emitted path.
727
+ var totalSuccess = 0, totalFailure = 0;
728
+ for (var i = 0; i < policies.length; i += 1) {
729
+ _validatePolicy(policies[i], i);
730
+ var summary = policies[i]["summary"];
731
+ if (summary && typeof summary === "object") {
732
+ var sRaw = summary["total-successful-session-count"];
733
+ var fRaw = summary["total-failure-session-count"];
734
+ if (sRaw !== undefined) {
735
+ if (typeof sRaw !== "number" || !isFinite(sRaw) || sRaw < 0 || Math.floor(sRaw) !== sRaw) {
736
+ throw new TlsRptParseError("mail-tlsrpt/bad-summary",
737
+ "parseTlsRptReport: policies[" + i + "].summary.total-successful-session-count must be a finite non-negative integer");
738
+ }
739
+ totalSuccess += sRaw;
740
+ }
741
+ if (fRaw !== undefined) {
742
+ if (typeof fRaw !== "number" || !isFinite(fRaw) || fRaw < 0 || Math.floor(fRaw) !== fRaw) {
743
+ throw new TlsRptParseError("mail-tlsrpt/bad-summary",
744
+ "parseTlsRptReport: policies[" + i + "].summary.total-failure-session-count must be a finite non-negative integer");
745
+ }
746
+ totalFailure += fRaw;
747
+ }
748
+ }
749
+ }
750
+ // Return a normalized shape — preserve every operator-readable
751
+ // field, plus add framework-attached metadata (sessionTotals,
752
+ // wasCompressed) that doesn't conflict with the RFC schema.
753
+ return {
754
+ "organization-name": orgName,
755
+ "contact-info": contact,
756
+ "report-id": reportId,
757
+ "date-range": {
758
+ "start-datetime": dateRange["start-datetime"],
759
+ "end-datetime": dateRange["end-datetime"],
760
+ },
761
+ "policies": policies,
762
+ sessionTotals: {
763
+ success: totalSuccess,
764
+ failure: totalFailure,
765
+ },
766
+ wasCompressed: ctx.wasCompressed === true,
767
+ };
768
+ }
769
+
770
+ function _validatePolicy(p, idx) {
771
+ if (!p || typeof p !== "object") {
772
+ throw new TlsRptParseError("mail-tlsrpt/bad-policy",
773
+ "parseTlsRptReport: policies[" + idx + "] must be an object");
774
+ }
775
+ var policy = p["policy"];
776
+ if (!policy || typeof policy !== "object") {
777
+ throw new TlsRptParseError("mail-tlsrpt/bad-policy",
778
+ "parseTlsRptReport: policies[" + idx + "].policy missing");
779
+ }
780
+ var pType = policy["policy-type"];
781
+ if (!TLSRPT_POLICY_TYPES[pType]) {
782
+ throw new TlsRptParseError("mail-tlsrpt/bad-policy",
783
+ "parseTlsRptReport: policies[" + idx + "].policy.policy-type '" + pType +
784
+ "' not in {sts, tlsa, no-policy-found}");
785
+ }
786
+ if (typeof policy["policy-domain"] !== "string" || policy["policy-domain"].length === 0) {
787
+ throw new TlsRptParseError("mail-tlsrpt/bad-policy",
788
+ "parseTlsRptReport: policies[" + idx + "].policy.policy-domain missing");
789
+ }
790
+ // policy-string is optional for no-policy-found, REQUIRED otherwise.
791
+ // We don't enforce — operators may receive partial reports from
792
+ // legacy reporters; we surface the field as-is.
793
+ var failureDetails = p["failure-details"];
794
+ if (failureDetails !== undefined) {
795
+ if (!Array.isArray(failureDetails)) {
796
+ throw new TlsRptParseError("mail-tlsrpt/bad-policy",
797
+ "parseTlsRptReport: policies[" + idx + "].failure-details must be an array");
798
+ }
799
+ if (failureDetails.length > TLSRPT_MAX_FAILURE_DETAILS) {
800
+ throw new TlsRptParseError("mail-tlsrpt/too-many-failures",
801
+ "parseTlsRptReport: policies[" + idx + "] has " + failureDetails.length +
802
+ " failure-details (cap " + TLSRPT_MAX_FAILURE_DETAILS + ")");
803
+ }
804
+ for (var k = 0; k < failureDetails.length; k += 1) {
805
+ var fd = failureDetails[k];
806
+ if (!fd || typeof fd !== "object") {
807
+ throw new TlsRptParseError("mail-tlsrpt/bad-failure-detail",
808
+ "parseTlsRptReport: policies[" + idx + "].failure-details[" + k + "] must be an object");
809
+ }
810
+ if (typeof fd["result-type"] === "string" && !TLSRPT_RESULT_TYPES[fd["result-type"]]) {
811
+ // Unknown result-type — surface as audit metadata but don't
812
+ // refuse; RFC 8460 §4.4 result-type registry can grow over
813
+ // time and we shouldn't break on new IANA entries.
814
+ }
815
+ }
816
+ }
817
+ }
818
+
819
+ /**
820
+ * @primitive b.mail.deploy.tlsRptReportSchema
821
+ * @signature b.mail.deploy.tlsRptReportSchema()
822
+ * @since 0.10.15
823
+ * @status stable
824
+ * @related b.mail.deploy.parseTlsRptReport
825
+ *
826
+ * Returns a structured RFC 8460 §4.4 schema descriptor — operator
827
+ * dashboards consume this to render report shape consistently.
828
+ * The descriptor names every required + optional field with type +
829
+ * cardinality + brief description. Pure function; safe to cache.
830
+ *
831
+ * @example
832
+ * var schema = b.mail.deploy.tlsRptReportSchema();
833
+ * schema.required.indexOf("report-id") !== -1; // → true
834
+ */
835
+ function tlsRptReportSchema() {
836
+ return {
837
+ rfc: "RFC 8460 §4.4",
838
+ required: [
839
+ "organization-name", "contact-info", "report-id", "date-range", "policies",
840
+ ],
841
+ fields: {
842
+ "organization-name": { type: "string", required: true, description: "Reporter organisation display name." },
843
+ "contact-info": { type: "string", required: true, description: "Email / URI for reporter contact." },
844
+ "report-id": { type: "string", required: true, description: "Reporter-issued unique report identifier (RFC 5322 msg-id shape)." },
845
+ "date-range": { type: "object", required: true, description: "Window the report covers; { start-datetime, end-datetime } in RFC 3339 form." },
846
+ "policies": { type: "array", required: true, description: "Array of policy evaluations (RFC 8460 §4.4 erratum — always array, even for single-policy reports)." },
847
+ },
848
+ policyFields: {
849
+ "policy": { type: "object", required: true, description: "{ policy-type, policy-string, policy-domain, mx-host }." },
850
+ "summary": { type: "object", required: false, description: "{ total-successful-session-count, total-failure-session-count }." },
851
+ "failure-details": { type: "array", required: false, description: "Per-failure details (result-type, sending-mta-ip, etc.)." },
852
+ },
853
+ policyTypes: Object.keys(TLSRPT_POLICY_TYPES),
854
+ resultTypes: Object.keys(TLSRPT_RESULT_TYPES),
855
+ };
856
+ }
857
+
858
+ /**
859
+ * @primitive b.mail.deploy.tlsRptIngestHttp
860
+ * @signature b.mail.deploy.tlsRptIngestHttp(opts)
861
+ * @since 0.10.15
862
+ * @status stable
863
+ * @compliance hipaa, pci-dss, gdpr, soc2
864
+ * @related b.mail.deploy.parseTlsRptReport, b.mail.deploy.tlsRptReportSchema
865
+ *
866
+ * Returns an `(req, res)` request handler mounted at the operator's
867
+ * `rua=https://<host>/<path>` endpoint. Implements the receive-side
868
+ * of RFC 8460 §5.4:
869
+ *
870
+ * - POST only — non-POST returns 405 with Allow: POST.
871
+ * - Accepts `application/tlsrpt+json` and `application/tlsrpt+gzip`
872
+ * (RFC 8460 §6.4-6.5 IANA media types). 415 on others.
873
+ * - Body size cap (default 4 MiB compressed) — 413 on exceed.
874
+ * - Routes the bytes through `parseTlsRptReport`. 400 on parse
875
+ * failure (with `Error-Type:` header naming the typed error
876
+ * code). 201 on accept.
877
+ * - Calls `opts.onAccept(report, req)` after successful parse.
878
+ * Operator's hook decides storage (most operators journal +
879
+ * emit a metric); the framework does NOT persist by default.
880
+ * - Emits a `mail.tlsrpt.ingest_http` audit event with
881
+ * posture-aware payload (organization-name, report-id,
882
+ * policy-domain set, session totals).
883
+ *
884
+ * Authentication discipline (Codex P2 v0.10.15):
885
+ * - `trustedReporters` is a CONTENT-SIDE soft filter — it compares
886
+ * the reporter's self-declared `organization-name` field (the
887
+ * report body, operator-untrusted) against the operator's
888
+ * allowlist. A hostile sender can forge any `organization-name`
889
+ * string to bypass it. This option is ADVISORY: a tripwire that
890
+ * surfaces unexpected reporter-name strings in audit, not an
891
+ * authentication boundary.
892
+ * - For real authentication, supply `opts.authenticate(req)` — the
893
+ * hook fires BEFORE parsing the body and returns truthy / falsy
894
+ * (or a Promise). False / falsy refuses with 401 + the
895
+ * `mail-tlsrpt/unauthenticated` audit code. Operators wire this
896
+ * to their mTLS-peer-cert / IP-allowlist / signed-header /
897
+ * reverse-proxy auth boundary. The framework intentionally does
898
+ * NOT couple to any specific auth scheme.
899
+ *
900
+ * @opts
901
+ * authenticate: Function, // (req) → boolean | Promise<boolean>; SHA real auth boundary
902
+ * trustedReporters: string[], // ADVISORY content filter on report.organization-name (operator-untrusted field)
903
+ * maxCompressedBytes: number, // default 4 MiB
904
+ * maxDecompressedBytes: number, // default 32 MiB
905
+ * maxRatio: number, // default 50
906
+ * onAccept: Function, // (report, req) → void | Promise
907
+ * onRefuse: Function, // (errCode, errMessage, req) → void
908
+ * audit: object, // optional b.audit handle (default: framework audit)
909
+ *
910
+ * @example
911
+ * app.post("/tlsrpt", b.mail.deploy.tlsRptIngestHttp({
912
+ * onAccept: function (report) {
913
+ * b.journal.append({ kind: "tlsrpt", report: report });
914
+ * },
915
+ * }));
916
+ */
917
+ function tlsRptIngestHttp(opts) {
918
+ opts = opts || {};
919
+ validateOpts(opts, ["authenticate", "trustedReporters", "maxCompressedBytes",
920
+ "maxDecompressedBytes", "maxRatio", "onAccept", "onRefuse",
921
+ "audit", "compliance"],
922
+ "mail.deploy.tlsRptIngestHttp");
923
+ validateOpts.optionalFunction(opts.authenticate, "tlsRptIngestHttp: opts.authenticate",
924
+ MailDeployError, "mail-tlsrpt/bad-opts");
925
+ if (opts.trustedReporters !== undefined &&
926
+ (!Array.isArray(opts.trustedReporters) ||
927
+ opts.trustedReporters.some(function (s) { return typeof s !== "string"; }))) {
928
+ throw new MailDeployError("mail-tlsrpt/bad-opts",
929
+ "tlsRptIngestHttp: opts.trustedReporters must be an array of strings");
930
+ }
931
+ var authenticate = typeof opts.authenticate === "function" ? opts.authenticate : null;
932
+ var trusted = opts.trustedReporters
933
+ ? Object.freeze(opts.trustedReporters.reduce(function (a, s) { a[s] = 1; return a; }, {}))
934
+ : null;
935
+ numericBounds.requirePositiveFiniteIntIfPresent(opts.maxCompressedBytes, "maxCompressedBytes", MailDeployError, "mail-tlsrpt/bad-opts");
936
+ var maxCompressed = opts.maxCompressedBytes || TLSRPT_MAX_COMPRESSED_BYTES;
937
+ // Cache the other caps so the per-request parser call sees them.
938
+ var parseOpts = {
939
+ maxCompressedBytes: maxCompressed,
940
+ maxDecompressedBytes: opts.maxDecompressedBytes,
941
+ maxRatio: opts.maxRatio,
942
+ };
943
+ var onAccept = typeof opts.onAccept === "function" ? opts.onAccept : null;
944
+ var onRefuse = typeof opts.onRefuse === "function" ? opts.onRefuse : null;
945
+
946
+ return function tlsRptHandler(req, res) {
947
+ if (req.method !== "POST") {
948
+ res.writeHead(405, { "Allow": "POST", "Content-Type": "text/plain" }); // allow:raw-byte-literal allow:raw-time-literal — RFC 8460 §5.4 status code
949
+ res.end("RFC 8460 §5.4 requires POST\n");
950
+ return;
951
+ }
952
+ var ct = (req.headers["content-type"] || "").toLowerCase();
953
+ var ctRoot = ct.split(";")[0].trim();
954
+ if (ctRoot !== "application/tlsrpt+json" && ctRoot !== "application/tlsrpt+gzip") {
955
+ _safeAuditEmit(opts.audit, "mail.tlsrpt.ingest_http", "denied", {
956
+ reason: "bad-content-type", contentType: ctRoot,
957
+ });
958
+ if (onRefuse) try { onRefuse("mail-tlsrpt/bad-content-type", "unexpected content-type " + ctRoot, req); }
959
+ catch (_e) { /* drop-silent */ }
960
+ res.writeHead(415, { "Content-Type": "text/plain", "Accept": "application/tlsrpt+json, application/tlsrpt+gzip" }); // allow:raw-byte-literal allow:raw-time-literal — RFC 8460 §5.4 status code
961
+ res.end("RFC 8460 §6.4-6.5 media types required\n");
962
+ return;
963
+ }
964
+ // Codex P2 (v0.10.15) — real-authentication boundary BEFORE body
965
+ // collection. The operator-supplied `authenticate(req)` hook
966
+ // routes to mTLS peer-cert / IP-allowlist / signed-header /
967
+ // reverse-proxy header inspection. Sync-or-async; falsy → 401.
968
+ if (authenticate) {
969
+ var authPromise;
970
+ try { authPromise = Promise.resolve(authenticate(req)); }
971
+ catch (e) { authPromise = Promise.reject(e); }
972
+ authPromise.then(function (ok) {
973
+ if (!ok) {
974
+ _safeAuditEmit(opts.audit, "mail.tlsrpt.ingest_http", "denied", { reason: "unauthenticated" });
975
+ if (onRefuse) try { onRefuse("mail-tlsrpt/unauthenticated", "authenticate(req) returned falsy", req); }
976
+ catch (_e) { /* drop-silent */ }
977
+ res.writeHead(401, { "Content-Type": "text/plain", "Error-Type": "mail-tlsrpt/unauthenticated" }); // allow:raw-byte-literal allow:raw-time-literal — RFC 8460 §5.4 status code
978
+ res.end("authentication required\n");
979
+ return;
980
+ }
981
+ _collectAndProcess();
982
+ }, function (err) {
983
+ _safeAuditEmit(opts.audit, "mail.tlsrpt.ingest_http", "denied", {
984
+ reason: "auth-error", message: (err && err.message) || String(err),
985
+ });
986
+ if (onRefuse) try { onRefuse("mail-tlsrpt/auth-error", (err && err.message) || String(err), req); }
987
+ catch (_e) { /* drop-silent */ }
988
+ res.writeHead(500, { "Content-Type": "text/plain", "Error-Type": "mail-tlsrpt/auth-error" }); // allow:raw-byte-literal allow:raw-time-literal — RFC 8460 §5.4 status code
989
+ res.end("authenticate hook threw\n");
990
+ });
991
+ return;
992
+ }
993
+ _collectAndProcess();
994
+
995
+ function _collectAndProcess() {
996
+ var collector = safeBuffer.boundedChunkCollector({
997
+ maxBytes: maxCompressed,
998
+ errorClass: MailDeployError,
999
+ sizeCode: "mail-tlsrpt/oversize-compressed",
1000
+ });
1001
+ var aborted = false;
1002
+ req.on("data", function (chunk) {
1003
+ if (aborted) return;
1004
+ try { collector.push(chunk); }
1005
+ catch (e) {
1006
+ aborted = true;
1007
+ try { req.destroy(); } catch (_e) { /* best-effort */ }
1008
+ _safeAuditEmit(opts.audit, "mail.tlsrpt.ingest_http", "denied", {
1009
+ reason: "oversize-compressed", bytes: collector.bytesCollected(), cap: maxCompressed,
1010
+ });
1011
+ if (onRefuse) try { onRefuse("mail-tlsrpt/oversize-compressed", "body exceeded " + maxCompressed + " bytes", req); }
1012
+ catch (_e) { /* drop-silent */ }
1013
+ if (!res.headersSent) {
1014
+ res.writeHead(413, { "Content-Type": "text/plain" }); // allow:raw-byte-literal allow:raw-time-literal — RFC 8460 §5.4 status code
1015
+ res.end("RFC 8460 §5.4 — body exceeds " + maxCompressed + " bytes\n");
1016
+ }
1017
+ void e; // _e shadowed by lower scope; mark intent
1018
+ }
1019
+ });
1020
+ req.on("end", function () {
1021
+ if (aborted) return;
1022
+ var report;
1023
+ try {
1024
+ report = parseTlsRptReport(collector.result(), Object.assign({
1025
+ contentType: ctRoot,
1026
+ }, parseOpts));
1027
+ } catch (e) {
1028
+ var code = (e && e.code) || "mail-tlsrpt/unknown";
1029
+ _safeAuditEmit(opts.audit, "mail.tlsrpt.ingest_http", "denied", {
1030
+ reason: code, message: (e && e.message) || String(e),
1031
+ });
1032
+ if (onRefuse) try { onRefuse(code, (e && e.message) || String(e), req); }
1033
+ catch (_e) { /* drop-silent */ }
1034
+ var status = code === "mail-tlsrpt/oversize-compressed" ? 413
1035
+ : code === "mail-tlsrpt/gunzip-bomb" ? 413
1036
+ : code === "mail-tlsrpt/ratio-bomb" ? 413
1037
+ : code === "mail-tlsrpt/bad-content-type" ? 415
1038
+ : 400; // allow:raw-byte-literal allow:raw-time-literal — RFC 8460 §5.4 status code
1039
+ res.writeHead(status, { "Content-Type": "text/plain", "Error-Type": code });
1040
+ res.end("RFC 8460 §5.4 — refused: " + code + "\n");
1041
+ return;
1042
+ }
1043
+ if (trusted && !trusted[report["organization-name"]]) {
1044
+ _safeAuditEmit(opts.audit, "mail.tlsrpt.ingest_http", "denied", {
1045
+ reason: "untrusted-reporter", reporter: report["organization-name"],
1046
+ });
1047
+ if (onRefuse) try { onRefuse("mail-tlsrpt/untrusted-reporter",
1048
+ "reporter '" + report["organization-name"] + "' not in trustedReporters", req); }
1049
+ catch (_e) { /* drop-silent */ }
1050
+ res.writeHead(403, { "Content-Type": "text/plain", "Error-Type": "mail-tlsrpt/untrusted-reporter" }); // allow:raw-byte-literal allow:raw-time-literal — RFC 8460 §5.4 status code
1051
+ res.end("RFC 8460 §5.3-class: untrusted reporter\n");
1052
+ return;
1053
+ }
1054
+ var policyDomains = report.policies.map(function (p) {
1055
+ return p && p.policy && p.policy["policy-domain"];
1056
+ }).filter(Boolean);
1057
+ _safeAuditEmit(opts.audit, "mail.tlsrpt.ingest_http", "success", {
1058
+ reporter: report["organization-name"],
1059
+ reportId: report["report-id"],
1060
+ policyDomains: policyDomains,
1061
+ sessionTotals: report.sessionTotals,
1062
+ policyCount: report.policies.length,
1063
+ wasCompressed: report.wasCompressed,
1064
+ });
1065
+ if (onAccept) {
1066
+ try {
1067
+ var ret = onAccept(report, req);
1068
+ if (ret && typeof ret.then === "function") {
1069
+ ret.then(function () {
1070
+ if (!res.headersSent) {
1071
+ res.writeHead(201, { "Content-Type": "text/plain" }); // allow:raw-byte-literal allow:raw-time-literal — RFC 8460 §5.4 status code
1072
+ res.end("RFC 8460 §5.4 — accepted\n");
1073
+ }
1074
+ }, function (_e) {
1075
+ if (!res.headersSent) {
1076
+ res.writeHead(500, { "Content-Type": "text/plain" }); // allow:raw-byte-literal — internal-error status
1077
+ res.end("internal error processing report\n");
1078
+ }
1079
+ });
1080
+ return;
1081
+ }
1082
+ } catch (_e) { /* fall through to 201 — operator hook is best-effort */ }
1083
+ }
1084
+ res.writeHead(201, { "Content-Type": "text/plain" }); // allow:raw-byte-literal allow:raw-time-literal — RFC 8460 §5.4 status code
1085
+ res.end("RFC 8460 §5.4 — accepted\n");
1086
+ });
1087
+ req.on("error", function () {
1088
+ if (aborted) return;
1089
+ aborted = true;
1090
+ _safeAuditEmit(opts.audit, "mail.tlsrpt.ingest_http", "denied", { reason: "req-error" });
1091
+ if (!res.headersSent) {
1092
+ res.writeHead(400, { "Content-Type": "text/plain" }); // allow:raw-byte-literal allow:raw-time-literal — RFC 8460 §5.4 status code
1093
+ res.end("malformed request\n");
1094
+ }
1095
+ });
1096
+ } // end _collectAndProcess
1097
+ };
1098
+ }
1099
+
1100
+ function _safeAuditEmit(handle, action, outcome, metadata) {
1101
+ try {
1102
+ var a = handle || audit();
1103
+ if (a && typeof a.safeEmit === "function") {
1104
+ a.safeEmit({ action: action, outcome: outcome, actor: {}, metadata: metadata });
1105
+ }
1106
+ } catch (_e) { /* drop-silent — audit failure must not block ingest */ }
1107
+ }
1108
+
1109
+ module.exports = {
1110
+ mtaStsPublish: mtaStsPublish,
1111
+ danePublish: danePublish,
1112
+ autoConfigXml: autoConfigXml,
1113
+ autoDiscoverXml: autoDiscoverXml,
1114
+ parseTlsRptReport: parseTlsRptReport,
1115
+ tlsRptReportSchema: tlsRptReportSchema,
1116
+ tlsRptIngestHttp: tlsRptIngestHttp,
1117
+ MailDeployError: MailDeployError,
1118
+ TlsRptParseError: TlsRptParseError,
1119
+ };