@blamejs/blamejs-shop 0.0.44

package/lib/vendor/blamejs/test/integration/mail-smtp.test.js

@@ -0,0 +1,161 @@
+"use strict";
+/**
+ * Live SMTP round-trip against the docker-compose Mailpit fixture.
+ * Exercises lib/mail.js's smtpTransport over the same RFC 5321 wire
+ * format operators get in production. Mailpit captures every message
+ * and surfaces it through an HTTP API on :8025 — that's the assertion
+ * surface for what landed.
+ *
+ * No security bypass — the test exports the pki-init CA from the docker
+ * volume and passes it via opts.ca so STARTTLS verification stays on.
+ */
+var fs = require("node:fs");
+var http = require("node:http");
+var helpers = require("../helpers");
+var check = helpers.check;
+var services = require("../helpers/services");
+var b = require("../../");
+
+function _httpJson(url) {
+  return new Promise(function (resolve, reject) {
+    var req = http.get(url, function (res) {
+      var chunks = [];
+      res.on("data", function (c) { chunks.push(c); });
+      res.on("end", function () {
+        var body = Buffer.concat(chunks).toString("utf8");
+        if (res.statusCode < 200 || res.statusCode >= 300) {
+          return reject(new Error("HTTP " + res.statusCode + " " + body.slice(0, 200)));
+        }
+        try { resolve(JSON.parse(body)); }
+        catch (e) { reject(new Error("bad JSON: " + e.message)); }
+      });
+    });
+    req.once("error", reject);
+  });
+}
+
+function _httpDelete(url) {
+  return new Promise(function (resolve, reject) {
+    var u = new URL(url);
+    var req = http.request({
+      method: "DELETE", host: u.hostname, port: u.port, path: u.pathname,
+    }, function (res) {
+      res.on("data", function () {});
+      res.on("end", function () {
+        if (res.statusCode < 200 || res.statusCode >= 300) {
+          return reject(new Error("DELETE HTTP " + res.statusCode));
+        }
+        resolve();
+      });
+    });
+    req.once("error", reject);
+    req.end();
+  });
+}
+
+async function run() {
+  var svc = await services.requireService("mailpit");
+  if (!svc.ok) throw new Error("mailpit unreachable: " + svc.reason);
+
+  var caPath = await services.exportCaCert();
+  var caPem = fs.readFileSync(caPath, "utf8");
+
+  // Cert covers DNS:mailpit, DNS:blamejs-test-mailpit, DNS:localhost.
+  // SNI rejects IP literals, so use "localhost" — it's in the SAN list.
+  var transport = b.mail.transports.smtp({
+    host:           "localhost",
+    port:           1025,
+    ehloName:       "blamejs-test",
+    timeoutMs:      5000,
+    minTlsVersion:  "TLSv1.3",
+    ca:             caPem,
+    // Verification stays on: the CA we just pinned anchors the chain,
+    // so no rejectUnauthorized: false bypass anywhere.
+  });
+
+  await _httpDelete("http://127.0.0.1:8025/api/v1/messages");
+
+  // ---- single-recipient, full STARTTLS with strict cert verification ----
+  var subject = "blamejs-integration " + Date.now();
+  var body = "Hello from the integration suite at " + new Date().toISOString();
+  var rv = await transport.send({
+    from:    "test@blamejs.local",
+    to:      ["recipient@example.com"],
+    subject: subject,
+    text:    body,
+  });
+  check("smtp.send: returns transport='smtp'", rv && rv.transport === "smtp");
+  check("smtp.send: returns deliveredAt timestamp",
+        typeof rv.deliveredAt === "number" && rv.deliveredAt > 0);
+
+  var listing = await _httpJson("http://127.0.0.1:8025/api/v1/messages");
+  check("mailpit: captured exactly one message",
+        listing && Array.isArray(listing.messages) && listing.messages.length === 1);
+  var captured = listing.messages[0];
+  check("mailpit: subject matches exactly",
+        captured.Subject === subject);
+  check("mailpit: From correct",
+        captured.From && captured.From.Address === "test@blamejs.local");
+  check("mailpit: single To recipient",
+        Array.isArray(captured.To) && captured.To.length === 1 &&
+        captured.To[0].Address === "recipient@example.com");
+
+  var detail = await _httpJson("http://127.0.0.1:8025/api/v1/message/" + captured.ID);
+  check("mailpit: body text round-trip",
+        detail && detail.Text && detail.Text.indexOf(body) !== -1);
+
+  // ---- multi-recipient (to + cc) + dot-stuffing edge case ----
+  await _httpDelete("http://127.0.0.1:8025/api/v1/messages");
+  var bodyWithDot = "first line\n.dotline\nlast line";
+  await transport.send({
+    from:    "test@blamejs.local",
+    to:      ["a@example.com", "b@example.com"],
+    cc:      ["c@example.com"],
+    subject: "multi-rcpt + dot-stuff",
+    text:    bodyWithDot,
+  });
+  var listing2 = await _httpJson("http://127.0.0.1:8025/api/v1/messages");
+  check("mailpit: multi-rcpt captured",
+        listing2.messages.length === 1);
+  var multi = listing2.messages[0];
+  var allRcpts = (multi.To || []).concat(multi.Cc || []).map(function (a) { return a.Address; });
+  check("smtp: all 3 recipients delivered (to+cc)",
+        allRcpts.indexOf("a@example.com") !== -1 &&
+        allRcpts.indexOf("b@example.com") !== -1 &&
+        allRcpts.indexOf("c@example.com") !== -1);
+  var detail2 = await _httpJson("http://127.0.0.1:8025/api/v1/message/" + multi.ID);
+  check("smtp: dot-stuffing transparency works (leading-dot line preserved)",
+        detail2 && detail2.Text && detail2.Text.indexOf(".dotline") !== -1);
+
+  // ---- bad CA: cert verification fails cleanly with a real error ----
+  var transportBadCa = b.mail.transports.smtp({
+    host:           "localhost",
+    port:           1025,
+    ehloName:       "blamejs-test",
+    timeoutMs:      5000,
+    ca:             "-----BEGIN CERTIFICATE-----\nMIIB-not-a-real-cert\n-----END CERTIFICATE-----\n",
+  });
+  var threw = null;
+  try {
+    await transportBadCa.send({
+      from:    "test@blamejs.local",
+      to:      ["x@example.com"],
+      subject: "should fail",
+      text:    "blocked by cert verify",
+    });
+  } catch (e) { threw = e; }
+  check("smtp: bogus CA causes a MailError (verification not bypassed)",
+        threw && threw.code && /smtp|tls|cert|verify/i.test(threw.code + " " + (threw.message || "")));
+
+  // ---- final cleanup ----
+  await _httpDelete("http://127.0.0.1:8025/api/v1/messages");
+}
+
+module.exports = { run: run };
+
+if (require.main === module) {
+  run().then(
+    function () { console.log("OK — " + helpers.getChecks() + " checks passed"); process.exit(0); },
+    function (e) { console.error("FAIL:", e.stack || e); process.exit(1); }
+  );
+}

package/lib/vendor/blamejs/test/integration/mtls-ca.test.js

@@ -0,0 +1,289 @@
+"use strict";
+/**
+ * Live mTLS CA test — exercises lib/mtls-ca's CA bootstrap + client
+ * cert issuance against the framework's default engine. After issue,
+ * the leaf cert is used in a real TLS handshake (server presents the
+ * issued cert, client trusts the CA, strict verify on) so the chain
+ * is exercised end-to-end.
+ */
+var fs = require("node:fs");
+var os = require("node:os");
+var path = require("node:path");
+var crypto = require("node:crypto");
+var tls = require("node:tls");
+var helpers = require("../helpers");
+var check = helpers.check;
+var b = require("../../");
+
+async function run() {
+  var tmpDir = fs.mkdtempSync(path.join(os.tmpdir(), "blamejs-mtls-"));
+  try {
+    // caKeySealedMode='disabled' keeps the CA private key on disk in
+    // plaintext for the test fixture — production deployments wire
+    // opts.vault so the CA key stays sealed at rest.
+    var ca = b.mtlsCa.create({ dataDir: tmpDir, caKeySealedMode: "disabled" });
+    check("mtlsCa.create: returned instance", typeof ca === "object");
+    check("mtlsCa: exposes initCA + generateClientCert",
+          typeof ca.initCA === "function" &&
+          typeof ca.generateClientCert === "function");
+
+    // ---- bootstrap CA ----
+    var caBundle = await ca.initCA();
+    check("initCA: returned caCertPem",
+          typeof caBundle.caCertPem === "string" &&
+          caBundle.caCertPem.indexOf("-----BEGIN CERTIFICATE-----") === 0);
+    check("initCA: returned caKeyPem (PEM-shaped private key)",
+          typeof caBundle.caKeyPem === "string" &&
+          /-----BEGIN (RSA |EC |ED25519 )?PRIVATE KEY-----/.test(caBundle.caKeyPem));
+
+    // ---- second initCA returns the same bundle (idempotent) ----
+    var caBundle2 = await ca.initCA();
+    check("initCA: idempotent — second call returns same CA cert",
+          caBundle2.caCertPem === caBundle.caCertPem);
+
+    // ---- issue a client cert ----
+    var leaf = await ca.generateClientCert({
+      cn:           "test-client.blamejs.local",
+      validityDays: 7,
+    });
+    check("generateClientCert: returned cert PEM",
+          typeof leaf.cert === "string" &&
+          leaf.cert.indexOf("-----BEGIN CERTIFICATE-----") === 0);
+    check("generateClientCert: returned key PEM",
+          typeof leaf.key === "string" &&
+          /-----BEGIN (RSA |EC |ED25519 )?PRIVATE KEY-----/.test(leaf.key));
+
+    // ---- inspect the issued cert ----
+    var x509 = new crypto.X509Certificate(leaf.cert);
+    check("issued cert: subject CN matches request",
+          /test-client\.blamejs\.local/.test(x509.subject || ""));
+    check("issued cert: validFrom is in the past",
+          new Date(x509.validFrom).getTime() < Date.now());
+    check("issued cert: validTo is in the future",
+          new Date(x509.validTo).getTime() > Date.now());
+
+    var caX509 = new crypto.X509Certificate(caBundle.caCertPem);
+    check("issued cert: leaf signed by the CA we bootstrapped",
+          x509.verify(caX509.publicKey) === true);
+    check("issued cert: issuer DN matches CA subject DN",
+          x509.issuer === caX509.subject);
+
+    // ---- end-to-end mTLS: server presents a serverAuth cert, client
+    //      presents a clientAuth cert, both issued by the same CA, both
+    //      verified strict on each side. This is the canonical mTLS
+    //      shape the framework targets.
+    var serverLeaf = await ca.generateClientCert({
+      cn:           "test-server.blamejs.local",
+      sans:         ["DNS:test-server.blamejs.local", "DNS:localhost", "IP:127.0.0.1"],
+      usage:        "server",
+      validityDays: 7,
+    });
+    check("generateClientCert: usage='server' returned a cert", typeof serverLeaf.cert === "string");
+    var serverX509 = new crypto.X509Certificate(serverLeaf.cert);
+    // node's X509Certificate.toString() doesn't surface EKU/SAN strings
+    // in a stable form across versions — the live TLS handshake below
+    // is the real EKU-correctness check. Here just confirm the SAN
+    // covers our hostname (subjectAltName IS in toString()).
+    check("server cert: SAN covers test-server.blamejs.local",
+          /test-server\.blamejs\.local/.test(serverX509.subjectAltName || serverX509.toString()));
+
+    // ---- algorithm posture lock-in ----
+    // The framework's mtls-engine-default uses ECDSA P-384 deliberately:
+    // node:tls and major OS cert stores don't accept SLH-DSA / ML-DSA
+    // signatures on X.509 leaves yet. When that changes, this assertion
+    // FAILS and forces the engine swap (CA_KEY_ALG + CA_SIG_ALG bump,
+    // CA_GENERATION increment so status() reports the algorithm change).
+    check("CA cert algorithm: framework's documented bridge ECDSA P-384",
+          serverX509.publicKey && /ECDSA|EC|prime256|secp384/i.test(
+            (serverX509.publicKey.asymmetricKeyType || "") + " " +
+            (serverX509.publicKey.asymmetricKeyDetails &&
+             serverX509.publicKey.asymmetricKeyDetails.namedCurve || "")));
+
+    var server = tls.createServer({
+      key:                serverLeaf.key,
+      cert:               serverLeaf.cert,
+      ca:                 caBundle.caCertPem,
+      requestCert:        true,
+      rejectUnauthorized: true,
+    });
+    await new Promise(function (resolve) { server.listen(0, "127.0.0.1", resolve); });
+    var port = server.address().port;
+    var serverSawClient = null;
+    server.on("secureConnection", function (sock) {
+      serverSawClient = sock.getPeerCertificate();
+      sock.write("ok\n");
+      sock.end();
+    });
+
+    var clientGot = await new Promise(function (resolve, reject) {
+      var sock = tls.connect({
+        host:               "127.0.0.1",
+        port:               port,
+        ca:                 caBundle.caCertPem,
+        cert:               leaf.cert,
+        key:                leaf.key,
+        servername:         "test-server.blamejs.local",
+        rejectUnauthorized: true,
+      });
+      var chunks = [];
+      sock.on("data", function (c) { chunks.push(c); });
+      sock.on("end", function () { resolve(Buffer.concat(chunks).toString("utf8")); });
+      sock.once("error", reject);
+    });
+    check("end-to-end mTLS: client received server data with strict verify",
+          clientGot === "ok\n");
+    check("end-to-end mTLS: server saw the client's CN",
+          serverSawClient && serverSawClient.subject &&
+          /test-client\.blamejs\.local/.test(serverSawClient.subject.CN || ""));
+    server.close();
+
+    // ---- usage='both' issues a dual-EKU cert ----
+    // Verify the EKU OIDs by booting a TLS server with the cert AND
+    // using the same cert as a client elsewhere. If the cert lacks
+    // either EKU, one of the two roles fails. That's a stronger test
+    // than a regex over toString().
+    var bothLeaf = await ca.generateClientCert({
+      cn:           "dual.blamejs.local",
+      sans:         ["DNS:dual.blamejs.local", "DNS:localhost", "IP:127.0.0.1"],
+      usage:        "both",
+      validityDays: 7,
+    });
+    check("generateClientCert: usage='both' returned a cert",
+          typeof bothLeaf.cert === "string" && bothLeaf.usage === "both");
+
+    var bothServer = tls.createServer({
+      key:                bothLeaf.key,
+      cert:               bothLeaf.cert,
+      ca:                 caBundle.caCertPem,
+      requestCert:        true,
+      rejectUnauthorized: true,
+    });
+    await new Promise(function (resolve) { bothServer.listen(0, "127.0.0.1", resolve); });
+    var bothPort = bothServer.address().port;
+    bothServer.on("secureConnection", function (sock) { sock.write("dual-ok\n"); sock.end(); });
+
+    var bothGot = await new Promise(function (resolve, reject) {
+      var sock = tls.connect({
+        host:               "127.0.0.1",
+        port:               bothPort,
+        ca:                 caBundle.caCertPem,
+        cert:               bothLeaf.cert,
+        key:                bothLeaf.key,
+        servername:         "dual.blamejs.local",
+        rejectUnauthorized: true,
+      });
+      var chunks = [];
+      sock.on("data", function (c) { chunks.push(c); });
+      sock.on("end", function () { resolve(Buffer.concat(chunks).toString("utf8")); });
+      sock.once("error", reject);
+    });
+    check("usage='both': dual-EKU cert works as BOTH server AND client in mTLS",
+          bothGot === "dual-ok\n");
+    bothServer.close();
+
+    // ---- bad usage rejected ----
+    var threwBadUsage = null;
+    try { await ca.generateClientCert({ cn: "x", usage: "neither" }); }
+    catch (e) { threwBadUsage = e; }
+    check("generateClientCert: rejects unknown usage value",
+          threwBadUsage && /usage|invalid|unknown/i.test(threwBadUsage.message || ""));
+
+    // ---- p12 packaging if exposed ----
+    if (typeof ca.generateClientP12 === "function") {
+      var p12 = await ca.generateClientP12({
+        cn:           "p12-client.blamejs.local",
+        validityDays: 7,
+        password:     "test-pkcs12-password",
+      });
+      check("generateClientP12: returned a Buffer",
+            p12 && Buffer.isBuffer(p12.p12) && p12.p12.length > 0);
+    }
+
+    // ---- status surface ----
+    if (typeof ca.status === "function") {
+      var st = ca.status();
+      check("status: surfaces CA presence",
+            typeof st === "object" && st !== null);
+    }
+
+    // ---- revocation registry + CRL (v0.6.45) ----
+    check("revoke: function present",       typeof ca.revoke === "function");
+    check("isRevoked: function present",    typeof ca.isRevoked === "function");
+    check("getRevocations: function present", typeof ca.getRevocations === "function");
+    check("generateCrl: function present",  typeof ca.generateCrl === "function");
+    var startCount = ca.getRevocations().length;
+    var revoked = ca.revoke("0xABC123", { reason: "key-compromise" });
+    check("revoke: returns the recorded entry",
+          revoked && revoked.serialNumber === "abc123" && revoked.reason === "key-compromise");
+    check("revoke: reasonCode mapped to RFC 5280 code 1",
+          revoked.reasonCode === 1);
+    check("isRevoked('0xABC123') === true",  ca.isRevoked("0xABC123") === true);
+    check("isRevoked: serial-format-agnostic (lowercase hex match)",
+          ca.isRevoked("ABC123") === true && ca.isRevoked("abc:12:3") === true);
+    check("isRevoked: unknown serial → false",
+          ca.isRevoked("DEADBEEF") === false);
+    var dup = ca.revoke("ABC123", { reason: "key-compromise" });
+    check("revoke is idempotent — same revokedAt on duplicate call",
+          dup.revokedAt === revoked.revokedAt);
+    check("getRevocations: registry grew by 1",
+          ca.getRevocations().length === startCount + 1);
+    var threwBadSerial = null;
+    try { ca.revoke(""); } catch (e) { threwBadSerial = e; }
+    check("revoke: empty serial throws bad-serial",
+          threwBadSerial && /bad-serial/.test(threwBadSerial.code || ""));
+    var threwBadReason = null;
+    try { ca.revoke("AABB", { reason: "made-up" }); } catch (e) { threwBadReason = e; }
+    check("revoke: unknown reason throws bad-reason",
+          threwBadReason && /bad-reason/.test(threwBadReason.code || ""));
+    // v0.6.52 — serial gibberish must be rejected, not silently
+    // normalised to a single-hex-char serial. Pre-fix: "xyz-not-hex"
+    // stripped to "e" and registered a phantom revocation row.
+    var threwGarbageSerial = null;
+    try { ca.revoke("xyz-not-hex"); } catch (e) { threwGarbageSerial = e; }
+    check("revoke: gibberish serial 'xyz-not-hex' throws bad-serial",
+          threwGarbageSerial && /bad-serial/.test(threwGarbageSerial.code || ""));
+    var threwWhitespaceOnly = null;
+    try { ca.revoke("   "); } catch (e) { threwWhitespaceOnly = e; }
+    check("revoke: whitespace-only serial throws bad-serial",
+          threwWhitespaceOnly && /bad-serial/.test(threwWhitespaceOnly.code || ""));
+    var threwGarbage2 = null;
+    try { ca.revoke("nope"); } catch (e) { threwGarbage2 = e; }
+    check("revoke: 'nope' (no hex digits) throws bad-serial",
+          threwGarbage2 && /bad-serial/.test(threwGarbage2.code || ""));
+
+    // CRL generation against the real engine + real CA.
+    var crl = await ca.generateCrl();
+    check("generateCrl: returns crlPem",
+          typeof crl.crlPem === "string" && /^-----BEGIN (?:X509 )?CRL-----/m.test(crl.crlPem));
+    check("generateCrl: entryCount matches getRevocations.length",
+          crl.entryCount === ca.getRevocations().length);
+    check("generateCrl: nextUpdate ~7 days after thisUpdate by default",
+          crl.nextUpdate.getTime() - crl.thisUpdate.getTime() > 6.5 * 24 * 60 * 60 * 1000);
+    check("generateCrl: persisted to ca.crl on disk",
+          fs.existsSync(crl.path) &&
+          /BEGIN (?:X509 )?CRL/.test(fs.readFileSync(crl.path, "utf8")));
+    // CRL signature: parse via node:crypto and confirm issuer matches CA subject.
+    // node:crypto.X509Certificate doesn't parse CRLs directly, but we can at
+    // least confirm the PEM structure + base64-decoded DER size is plausible.
+    var derBytes = Buffer.from(crl.crlPem.replace(/-----.*-----|\s/g, ""), "base64");
+    check("CRL DER decodes to a non-trivial sequence",
+          derBytes.length > 100);
+
+    // Persist new revocation, regenerate CRL, confirm entry count grows.
+    ca.revoke("CAFEBABE", { reason: "superseded" });
+    var crl2 = await ca.generateCrl();
+    check("generateCrl: picks up new revocations on regenerate",
+          crl2.entryCount === crl.entryCount + 1);
+  } finally {
+    fs.rmSync(tmpDir, { recursive: true, force: true });
+  }
+}
+
+module.exports = { run: run };
+
+if (require.main === module) {
+  run().then(
+    function () { console.log("OK — " + helpers.getChecks() + " checks passed"); process.exit(0); },
+    function (e) { console.error("FAIL:", e.stack || e); process.exit(1); }
+  );
+}

package/lib/vendor/blamejs/test/integration/network-dns.test.js

@@ -0,0 +1,123 @@
+"use strict";
+/**
+ * Live DNS round-trip against the docker-compose CoreDNS fixture.
+ * Exercises all three resolution modes — plain UDP/TCP, DoT (port 1853),
+ * DoH (port 8053) — with strict TLS verification against the test CA.
+ *
+ * No security bypass: rejectUnauthorized stays on, the test exports the
+ * pki-init CA out of the docker volume and passes it via the framework's
+ * `ca` option on useDnsOverTls / useDnsOverHttps. A failure to verify
+ * surfaces as a DnsError on the lookup, NOT an unhandled rejection.
+ */
+var fs = require("node:fs");
+var helpers = require("../helpers");
+var check = helpers.check;
+var services = require("../helpers/services");
+var b = require("../../");
+
+async function run() {
+  var svc = await services.requireService("dns");
+  if (!svc.ok) throw new Error("coredns unreachable: " + svc.reason);
+
+  var dns = (b.network && b.network.dns) || b.networkDns;
+  if (!dns) throw new Error("framework does not expose b.network.dns");
+
+  // Pull the test CA out of the docker volume so we can pin against it.
+  var caPath = await services.exportCaCert();
+  var caPem = fs.readFileSync(caPath, "utf8");
+  check("CA cert exported from docker volume",
+        caPem.indexOf("-----BEGIN CERTIFICATE-----") === 0);
+
+  // ---- baseline: lookup against system resolvers works ----
+  if (typeof dns._resetForTest === "function") dns._resetForTest();
+  dns.setLookupTimeoutMs(4000);
+  var sys = await dns.lookup("example.com");
+  check("baseline lookup: returns object",     typeof sys === "object" && sys !== null);
+  check("baseline lookup: address non-empty",  typeof sys.address === "string" && sys.address.length > 0);
+  check("baseline lookup: family is 4 or 6",   sys.family === 4 || sys.family === 6);
+
+  // ---- DoT against our CoreDNS, pinned to test CA ----
+  if (typeof dns._resetForTest === "function") dns._resetForTest();
+  dns.useDnsOverTls({
+    host:       "127.0.0.1",
+    port:       1853,
+    servername: "coredns",
+    ca:         caPem,
+  });
+  dns.setLookupTimeoutMs(5000);
+
+  var dotResults = await dns.resolve4("example.com");
+  check("DoT: resolve4 returned array",
+        Array.isArray(dotResults));
+  check("DoT: resolve4 returned at least one address",
+        dotResults.length > 0);
+  check("DoT: every address is dotted-quad IPv4",
+        dotResults.every(function (a) { return /^\d+\.\d+\.\d+\.\d+$/.test(a); }));
+
+  // ---- DoT IPv6 (AAAA) ----
+  var dotV6 = await dns.resolveAaaa("example.com");
+  check("DoT: resolveAaaa returned array (may be empty for some names)",
+        Array.isArray(dotV6));
+
+  // ---- DoT: bad servername surfaces as DnsError, not unhandled rejection ----
+  if (typeof dns._resetForTest === "function") dns._resetForTest();
+  dns.useDnsOverTls({
+    host:       "127.0.0.1",
+    port:       1853,
+    servername: "wrong-name-not-in-cert",
+    ca:         caPem,
+  });
+  dns.setLookupTimeoutMs(5000);
+  var threwBad = null;
+  try { await dns.resolve4("example.com"); }
+  catch (e) { threwBad = e; }
+  check("DoT: bad servername throws DnsError",
+        threwBad && threwBad.code && /handshake|tls|verify|hostname/i.test(threwBad.code + " " + threwBad.message));
+
+  // ---- DoH against our CoreDNS, pinned to test CA ----
+  if (typeof dns._resetForTest === "function") dns._resetForTest();
+  dns.useDnsOverHttps({
+    url:    "https://localhost:8053/dns-query",
+    method: "POST",
+    ca:     caPem,
+  });
+  dns.setLookupTimeoutMs(5000);
+
+  var dohResults = await dns.resolve4("example.com");
+  check("DoH: resolve4 returned non-empty array",
+        Array.isArray(dohResults) && dohResults.length > 0);
+  check("DoH: every address is dotted-quad IPv4",
+        dohResults.every(function (a) { return /^\d+\.\d+\.\d+\.\d+$/.test(a); }));
+
+  // ---- DoH GET path (under URL length cap) ----
+  if (typeof dns._resetForTest === "function") dns._resetForTest();
+  dns.useDnsOverHttps({
+    url:    "https://localhost:8053/dns-query",
+    method: "GET",
+    ca:     caPem,
+  });
+  dns.setLookupTimeoutMs(5000);
+  var dohGet = await dns.resolve4("example.com");
+  check("DoH GET: resolve4 returned non-empty array",
+        Array.isArray(dohGet) && dohGet.length > 0);
+
+  // ---- cache: second lookup hits the cache ----
+  if (typeof dns._resetForTest === "function") dns._resetForTest();
+  dns.setLookupTimeoutMs(4000);
+  dns.setCacheTtlMs(60000);
+  var first = await dns.lookup("example.com");
+  var second = await dns.lookup("example.com");
+  check("cache: second lookup returns same address",
+        first.address === second.address);
+
+  if (typeof dns._resetForTest === "function") dns._resetForTest();
+}
+
+module.exports = { run: run };
+
+if (require.main === module) {
+  run().then(
+    function () { console.log("OK — " + helpers.getChecks() + " checks passed"); process.exit(0); },
+    function (e) { console.error("FAIL:", e.stack || e); process.exit(1); }
+  );
+}

package/lib/vendor/blamejs/test/integration/network-heartbeat.test.js

@@ -0,0 +1,101 @@
+"use strict";
+/**
+ * Live heartbeat probe against the docker-compose Caddy fixture.
+ * Exercises lib/network-heartbeat (b.network.heartbeat) — the
+ * framework's uptime monitor — as a real timer-driven probe loop
+ * that hits a real HTTP endpoint and records OK/FAIL transitions.
+ *
+ * Covers all three target types: http, tcp, ntp.
+ */
+var helpers = require("../helpers");
+var check = helpers.check;
+var services = require("../helpers/services");
+var b = require("../../");
+
+async function run() {
+  var caddy = await services.requireService("caddy");
+  if (!caddy.ok) throw new Error("caddy unreachable: " + caddy.reason);
+
+  if (typeof b.network.heartbeat._resetForTest === "function") b.network.heartbeat._resetForTest();
+
+  var stateChanges = [];
+  b.network.heartbeat.start({
+    onStateChange: function (event) { stateChanges.push(event); },
+    onResult:      function (_event) { /* fire-and-forget */ },
+    targets: [
+      // Healthy HTTP target — caddy /healthz returns 200.
+      {
+        name:             "caddy-up",
+        type:             "http",
+        url:              "http://127.0.0.1:8080/healthz",
+        intervalMs:       100,
+        timeoutMs:        2000,
+        threshold:        1,
+        allowedProtocols: b.safeUrl.ALLOW_HTTP_ALL,
+        allowInternal:    true,
+      },
+      // Failing HTTP target — port 1 doesn't accept.
+      {
+        name:             "caddy-down",
+        type:             "http",
+        url:              "http://127.0.0.1:1/never-here",
+        intervalMs:       100,
+        timeoutMs:        500,
+        threshold:        1,
+        allowedProtocols: b.safeUrl.ALLOW_HTTP_ALL,
+        allowInternal:    true,
+      },
+      // Healthy TCP target — squid listens on 3128.
+      {
+        name:       "squid-tcp",
+        type:       "tcp",
+        host:       "127.0.0.1",
+        port:       3128,
+        intervalMs: 100,
+        timeoutMs:  2000,
+        threshold:  1,
+      },
+    ],
+  });
+
+  // Wait until probes have fired across all three configured targets.
+  var statuses = await helpers.waitUntil(function () {
+    var s = b.network.heartbeat.statuses();
+    var count = Array.isArray(s) ? s.length : Object.keys(s).length;
+    return count >= 3 ? s : false;
+  }, { label: "heartbeat: 3+ probe statuses available" });
+  check("statuses: returns at least one entry",
+        Array.isArray(statuses) ? statuses.length >= 3 : Object.keys(statuses).length >= 3);
+
+  var caddyUp = b.network.heartbeat.status("caddy-up");
+  check("caddy-up: status object returned",
+        typeof caddyUp === "object" && caddyUp !== null);
+  check("caddy-up: marked as up/healthy",
+        /up|healthy|ok|success/i.test(JSON.stringify(caddyUp)));
+
+  var caddyDown = b.network.heartbeat.status("caddy-down");
+  check("caddy-down: status object returned",
+        typeof caddyDown === "object" && caddyDown !== null);
+  check("caddy-down: marked as down/failure",
+        /down|fail|error|unhealthy/i.test(JSON.stringify(caddyDown)));
+
+  var squidTcp = b.network.heartbeat.status("squid-tcp");
+  check("squid-tcp: TCP target probe returned status",
+        typeof squidTcp === "object" && squidTcp !== null);
+  check("squid-tcp: marked as up (port is open)",
+        /up|healthy|ok|success/i.test(JSON.stringify(squidTcp)));
+
+  check("onStateChange: fired for at least one target",
+        stateChanges.length >= 1);
+
+  b.network.heartbeat.stopAll();
+}
+
+module.exports = { run: run };
+
+if (require.main === module) {
+  run().then(
+    function () { console.log("OK — " + helpers.getChecks() + " checks passed"); process.exit(0); },
+    function (e) { console.error("FAIL:", e.stack || e); process.exit(1); }
+  );
+}