@blamejs/blamejs-shop 0.0.44

Files changed (1220)
  1. package/CHANGELOG.md +87 -0
  2. package/LICENSE +17 -0
  3. package/README.md +117 -0
  4. package/SECURITY.md +139 -0
  5. package/lib/admin.js +952 -0
  6. package/lib/analytics.js +267 -0
  7. package/lib/cart.js +279 -0
  8. package/lib/catalog-import.js +344 -0
  9. package/lib/catalog.js +769 -0
  10. package/lib/checkout.js +320 -0
  11. package/lib/config.js +151 -0
  12. package/lib/customers.js +322 -0
  13. package/lib/email.js +242 -0
  14. package/lib/externaldb-d1.js +283 -0
  15. package/lib/index.js +57 -0
  16. package/lib/inventory-alerts.js +198 -0
  17. package/lib/newsletter.js +142 -0
  18. package/lib/order.js +380 -0
  19. package/lib/payment.js +318 -0
  20. package/lib/pricing.js +185 -0
  21. package/lib/r2-bridge.js +169 -0
  22. package/lib/shipping.js +185 -0
  23. package/lib/storefront.js +2160 -0
  24. package/lib/subscriptions.js +410 -0
  25. package/lib/tax.js +161 -0
  26. package/lib/theme.js +194 -0
  27. package/lib/vendor/MANIFEST.json +19 -0
  28. package/lib/vendor/blamejs/.clusterfuzzlite/Dockerfile +23 -0
  29. package/lib/vendor/blamejs/.clusterfuzzlite/build.sh +34 -0
  30. package/lib/vendor/blamejs/.clusterfuzzlite/project.yaml +16 -0
  31. package/lib/vendor/blamejs/.dockerignore +45 -0
  32. package/lib/vendor/blamejs/.gitattributes +42 -0
  33. package/lib/vendor/blamejs/.github/CODEOWNERS +4 -0
  34. package/lib/vendor/blamejs/.github/FUNDING.yml +2 -0
  35. package/lib/vendor/blamejs/.github/ISSUE_TEMPLATE/bug_report.md +58 -0
  36. package/lib/vendor/blamejs/.github/ISSUE_TEMPLATE/config.yml +8 -0
  37. package/lib/vendor/blamejs/.github/ISSUE_TEMPLATE/feature_request.md +99 -0
  38. package/lib/vendor/blamejs/.github/PULL_REQUEST_TEMPLATE.md +77 -0
  39. package/lib/vendor/blamejs/.github/dependabot.yml +37 -0
  40. package/lib/vendor/blamejs/.github/workflows/actions-lint.yml +148 -0
  41. package/lib/vendor/blamejs/.github/workflows/cflite_batch.yml +107 -0
  42. package/lib/vendor/blamejs/.github/workflows/cflite_pr.yml +122 -0
  43. package/lib/vendor/blamejs/.github/workflows/ci.yml +511 -0
  44. package/lib/vendor/blamejs/.github/workflows/codeql.yml +50 -0
  45. package/lib/vendor/blamejs/.github/workflows/npm-publish.yml +655 -0
  46. package/lib/vendor/blamejs/.github/workflows/release-container.yml +406 -0
  47. package/lib/vendor/blamejs/.github/workflows/scorecard.yml +101 -0
  48. package/lib/vendor/blamejs/.github/workflows/sha-to-tag-verify.yml +134 -0
  49. package/lib/vendor/blamejs/.gitignore +102 -0
  50. package/lib/vendor/blamejs/.gitleaks.toml +166 -0
  51. package/lib/vendor/blamejs/.hadolint.yaml +18 -0
  52. package/lib/vendor/blamejs/.npmrc +5 -0
  53. package/lib/vendor/blamejs/.pinact.yaml +17 -0
  54. package/lib/vendor/blamejs/ARCHITECTURE.md +158 -0
  55. package/lib/vendor/blamejs/CHANGELOG.md +1351 -0
  56. package/lib/vendor/blamejs/CODE_OF_CONDUCT.md +86 -0
  57. package/lib/vendor/blamejs/CONTRIBUTING.md +156 -0
  58. package/lib/vendor/blamejs/GOVERNANCE.md +201 -0
  59. package/lib/vendor/blamejs/LICENSE +201 -0
  60. package/lib/vendor/blamejs/LTS-CALENDAR.md +29 -0
  61. package/lib/vendor/blamejs/MIGRATING.md +29 -0
  62. package/lib/vendor/blamejs/NOTICE +81 -0
  63. package/lib/vendor/blamejs/README.md +304 -0
  64. package/lib/vendor/blamejs/SECURITY.md +432 -0
  65. package/lib/vendor/blamejs/api-snapshot.json +48709 -0
  66. package/lib/vendor/blamejs/assets/BlameJS_Logo.png +0 -0
  67. package/lib/vendor/blamejs/assets/BlameJS_Logo.svg +129 -0
  68. package/lib/vendor/blamejs/bench/README.md +77 -0
  69. package/lib/vendor/blamejs/bench/_helpers.js +70 -0
  70. package/lib/vendor/blamejs/bench/baseline.json +183 -0
  71. package/lib/vendor/blamejs/bench/crypto-hash.bench.js +19 -0
  72. package/lib/vendor/blamejs/bench/crypto-symmetric.bench.js +28 -0
  73. package/lib/vendor/blamejs/bench/run.js +140 -0
  74. package/lib/vendor/blamejs/bench/safe-json.bench.js +31 -0
  75. package/lib/vendor/blamejs/bin/blamejs.js +13 -0
  76. package/lib/vendor/blamejs/docker/caddy/Caddyfile +46 -0
  77. package/lib/vendor/blamejs/docker/coredns/Corefile +37 -0
  78. package/lib/vendor/blamejs/docker/haproxy/haproxy.cfg +52 -0
  79. package/lib/vendor/blamejs/docker/init/generate-certs.sh +118 -0
  80. package/lib/vendor/blamejs/docker/keycloak/realm-blamejs-test.json +87 -0
  81. package/lib/vendor/blamejs/docker/mitmproxy/config.yaml +16 -0
  82. package/lib/vendor/blamejs/docker/mongo/init-tls.sh +17 -0
  83. package/lib/vendor/blamejs/docker/mysql/my.cnf +12 -0
  84. package/lib/vendor/blamejs/docker/nats/nats.conf +33 -0
  85. package/lib/vendor/blamejs/docker/postgres/init-tls.sh +17 -0
  86. package/lib/vendor/blamejs/docker/postgres/postgresql.conf +18 -0
  87. package/lib/vendor/blamejs/docker/rabbitmq/rabbitmq.conf +18 -0
  88. package/lib/vendor/blamejs/docker/redis/redis.conf +15 -0
  89. package/lib/vendor/blamejs/docker/squid/squid.conf +24 -0
  90. package/lib/vendor/blamejs/docker/syslog/syslog-ng.conf +34 -0
  91. package/lib/vendor/blamejs/docker-compose.test.yml +545 -0
  92. package/lib/vendor/blamejs/docs/cis-postgres-crosswalk.md +102 -0
  93. package/lib/vendor/blamejs/docs/cis-sqlite-equivalent.md +92 -0
  94. package/lib/vendor/blamejs/eslint.config.mjs +204 -0
  95. package/lib/vendor/blamejs/examples/wiki/Caddyfile +40 -0
  96. package/lib/vendor/blamejs/examples/wiki/DEPLOY.md +218 -0
  97. package/lib/vendor/blamejs/examples/wiki/Dockerfile +120 -0
  98. package/lib/vendor/blamejs/examples/wiki/README.md +157 -0
  99. package/lib/vendor/blamejs/examples/wiki/cli-snapshot.json +250 -0
  100. package/lib/vendor/blamejs/examples/wiki/docker-compose.prod.yml +231 -0
  101. package/lib/vendor/blamejs/examples/wiki/docker-compose.yml +166 -0
  102. package/lib/vendor/blamejs/examples/wiki/env-snapshot.json +217 -0
  103. package/lib/vendor/blamejs/examples/wiki/lib/auto-site-entries.js +139 -0
  104. package/lib/vendor/blamejs/examples/wiki/lib/build-app.js +555 -0
  105. package/lib/vendor/blamejs/examples/wiki/lib/harvest-cli.js +507 -0
  106. package/lib/vendor/blamejs/examples/wiki/lib/harvest-env-vars.js +435 -0
  107. package/lib/vendor/blamejs/examples/wiki/lib/harvest-errors.js +282 -0
  108. package/lib/vendor/blamejs/examples/wiki/lib/harvest-vendored-deps.js +321 -0
  109. package/lib/vendor/blamejs/examples/wiki/lib/nav.js +15 -0
  110. package/lib/vendor/blamejs/examples/wiki/lib/opts-resolver.js +75 -0
  111. package/lib/vendor/blamejs/examples/wiki/lib/page-generator.js +508 -0
  112. package/lib/vendor/blamejs/examples/wiki/lib/section.js +276 -0
  113. package/lib/vendor/blamejs/examples/wiki/lib/source-comment-block-validator.js +587 -0
  114. package/lib/vendor/blamejs/examples/wiki/lib/source-doc-parser.js +318 -0
  115. package/lib/vendor/blamejs/examples/wiki/lib/symbol-index.js +122 -0
  116. package/lib/vendor/blamejs/examples/wiki/migrations/0001-pages-schema.js +74 -0
  117. package/lib/vendor/blamejs/examples/wiki/package.json +18 -0
  118. package/lib/vendor/blamejs/examples/wiki/public/img/blamejs-logo.png +0 -0
  119. package/lib/vendor/blamejs/examples/wiki/public/img/blamejs-logo.svg +129 -0
  120. package/lib/vendor/blamejs/examples/wiki/public/robots.txt +5 -0
  121. package/lib/vendor/blamejs/examples/wiki/public/vendor/MANIFEST.json +30 -0
  122. package/lib/vendor/blamejs/examples/wiki/public/vendor/prism.css +1 -0
  123. package/lib/vendor/blamejs/examples/wiki/public/vendor/prism.js +15 -0
  124. package/lib/vendor/blamejs/examples/wiki/public/wiki.css +1250 -0
  125. package/lib/vendor/blamejs/examples/wiki/routes/admin.js +366 -0
  126. package/lib/vendor/blamejs/examples/wiki/routes/integration.js +230 -0
  127. package/lib/vendor/blamejs/examples/wiki/routes/pages.js +266 -0
  128. package/lib/vendor/blamejs/examples/wiki/scripts/backfill-module-metadata.js +214 -0
  129. package/lib/vendor/blamejs/examples/wiki/seeders/prod/0001-default-pages.js +35 -0
  130. package/lib/vendor/blamejs/examples/wiki/seeders/prod/pages/_index.js +34 -0
  131. package/lib/vendor/blamejs/examples/wiki/seeders/prod/pages/api.js +76 -0
  132. package/lib/vendor/blamejs/examples/wiki/server.js +129 -0
  133. package/lib/vendor/blamejs/examples/wiki/site.config.js +197 -0
  134. package/lib/vendor/blamejs/examples/wiki/snippets/README.md +38 -0
  135. package/lib/vendor/blamejs/examples/wiki/snippets/auth/password-hash.example.js +15 -0
  136. package/lib/vendor/blamejs/examples/wiki/src/editor.js +103 -0
  137. package/lib/vendor/blamejs/examples/wiki/src/wiki.js +349 -0
  138. package/lib/vendor/blamejs/examples/wiki/test/AUDIT.md +155 -0
  139. package/lib/vendor/blamejs/examples/wiki/test/codebase-patterns.test.js +594 -0
  140. package/lib/vendor/blamejs/examples/wiki/test/e2e.js +741 -0
  141. package/lib/vendor/blamejs/examples/wiki/test/find-missing-pages.js +254 -0
  142. package/lib/vendor/blamejs/examples/wiki/test/integration.js +391 -0
  143. package/lib/vendor/blamejs/examples/wiki/test/validate-cli-snapshot.js +379 -0
  144. package/lib/vendor/blamejs/examples/wiki/test/validate-env-snapshot.js +346 -0
  145. package/lib/vendor/blamejs/examples/wiki/test/validate-nav-coverage.js +212 -0
  146. package/lib/vendor/blamejs/examples/wiki/test/validate-site-coverage.js +252 -0
  147. package/lib/vendor/blamejs/examples/wiki/test/validate-source-comment-blocks.js +107 -0
  148. package/lib/vendor/blamejs/examples/wiki/views/_layout.html +115 -0
  149. package/lib/vendor/blamejs/examples/wiki/views/admin/api-keys.html +51 -0
  150. package/lib/vendor/blamejs/examples/wiki/views/admin/dashboard.html +22 -0
  151. package/lib/vendor/blamejs/examples/wiki/views/admin/edit.html +17 -0
  152. package/lib/vendor/blamejs/examples/wiki/views/home.html +85 -0
  153. package/lib/vendor/blamejs/examples/wiki/views/login.html +18 -0
  154. package/lib/vendor/blamejs/examples/wiki/views/page.html +5 -0
  155. package/lib/vendor/blamejs/examples/wiki/views/partials/nav.html +13 -0
  156. package/lib/vendor/blamejs/examples/wiki/views/search.html +19 -0
  157. package/lib/vendor/blamejs/examples/wiki/wiki.config.js +15 -0
  158. package/lib/vendor/blamejs/fuzz/README.md +137 -0
  159. package/lib/vendor/blamejs/fuzz/_expected.js +35 -0
  160. package/lib/vendor/blamejs/fuzz/guard-agent-registry.fuzz.js +22 -0
  161. package/lib/vendor/blamejs/fuzz/guard-csv.fuzz.js +16 -0
  162. package/lib/vendor/blamejs/fuzz/guard-csv_seed_corpus/01-basic.csv +3 -0
  163. package/lib/vendor/blamejs/fuzz/guard-csv_seed_corpus/02-formula.csv +1 -0
  164. package/lib/vendor/blamejs/fuzz/guard-csv_seed_corpus/03-hyperlink.csv +1 -0
  165. package/lib/vendor/blamejs/fuzz/guard-dsn.fuzz.js +22 -0
  166. package/lib/vendor/blamejs/fuzz/guard-email.fuzz.js +16 -0
  167. package/lib/vendor/blamejs/fuzz/guard-email_seed_corpus/01-basic.eml +5 -0
  168. package/lib/vendor/blamejs/fuzz/guard-envelope.fuzz.js +24 -0
  169. package/lib/vendor/blamejs/fuzz/guard-event-bus-payload.fuzz.js +24 -0
  170. package/lib/vendor/blamejs/fuzz/guard-event-bus-topic.fuzz.js +20 -0
  171. package/lib/vendor/blamejs/fuzz/guard-html.fuzz.js +16 -0
  172. package/lib/vendor/blamejs/fuzz/guard-html_seed_corpus/01-basic.html +1 -0
  173. package/lib/vendor/blamejs/fuzz/guard-html_seed_corpus/02-script.html +1 -0
  174. package/lib/vendor/blamejs/fuzz/guard-html_seed_corpus/03-event.html +1 -0
  175. package/lib/vendor/blamejs/fuzz/guard-html_seed_corpus/04-jsurl.html +1 -0
  176. package/lib/vendor/blamejs/fuzz/guard-idempotency-key.fuzz.js +20 -0
  177. package/lib/vendor/blamejs/fuzz/guard-imap-command.fuzz.js +35 -0
  178. package/lib/vendor/blamejs/fuzz/guard-jmap.fuzz.js +41 -0
  179. package/lib/vendor/blamejs/fuzz/guard-json.fuzz.js +16 -0
  180. package/lib/vendor/blamejs/fuzz/guard-json_seed_corpus/01-basic.json +1 -0
  181. package/lib/vendor/blamejs/fuzz/guard-json_seed_corpus/02-proto.json +1 -0
  182. package/lib/vendor/blamejs/fuzz/guard-json_seed_corpus/03-dupkey.json +1 -0
  183. package/lib/vendor/blamejs/fuzz/guard-json_seed_corpus/04-nan.json +1 -0
  184. package/lib/vendor/blamejs/fuzz/guard-json_seed_corpus/05-bom.json +1 -0
  185. package/lib/vendor/blamejs/fuzz/guard-list-id.fuzz.js +21 -0
  186. package/lib/vendor/blamejs/fuzz/guard-list-unsubscribe.fuzz.js +25 -0
  187. package/lib/vendor/blamejs/fuzz/guard-mail-compose.fuzz.js +22 -0
  188. package/lib/vendor/blamejs/fuzz/guard-mail-move.fuzz.js +22 -0
  189. package/lib/vendor/blamejs/fuzz/guard-mail-query.fuzz.js +27 -0
  190. package/lib/vendor/blamejs/fuzz/guard-mail-reply.fuzz.js +23 -0
  191. package/lib/vendor/blamejs/fuzz/guard-mail-sieve.fuzz.js +36 -0
  192. package/lib/vendor/blamejs/fuzz/guard-managesieve-command.fuzz.js +26 -0
  193. package/lib/vendor/blamejs/fuzz/guard-markdown.fuzz.js +16 -0
  194. package/lib/vendor/blamejs/fuzz/guard-markdown_seed_corpus/01-basic.md +2 -0
  195. package/lib/vendor/blamejs/fuzz/guard-markdown_seed_corpus/02-jsurl.md +1 -0
  196. package/lib/vendor/blamejs/fuzz/guard-markdown_seed_corpus/03-jsimg.md +1 -0
  197. package/lib/vendor/blamejs/fuzz/guard-message-id.fuzz.js +26 -0
  198. package/lib/vendor/blamejs/fuzz/guard-pop3-command.fuzz.js +23 -0
  199. package/lib/vendor/blamejs/fuzz/guard-posture-chain.fuzz.js +22 -0
  200. package/lib/vendor/blamejs/fuzz/guard-saga-config.fuzz.js +32 -0
  201. package/lib/vendor/blamejs/fuzz/guard-smtp-command.fuzz.js +27 -0
  202. package/lib/vendor/blamejs/fuzz/guard-snapshot-envelope.fuzz.js +22 -0
  203. package/lib/vendor/blamejs/fuzz/guard-stream-args.fuzz.js +22 -0
  204. package/lib/vendor/blamejs/fuzz/guard-svg.fuzz.js +16 -0
  205. package/lib/vendor/blamejs/fuzz/guard-svg_seed_corpus/01-basic.svg +1 -0
  206. package/lib/vendor/blamejs/fuzz/guard-svg_seed_corpus/02-script.svg +1 -0
  207. package/lib/vendor/blamejs/fuzz/guard-tenant-id.fuzz.js +20 -0
  208. package/lib/vendor/blamejs/fuzz/guard-trace-context.fuzz.js +30 -0
  209. package/lib/vendor/blamejs/fuzz/guard-xml.fuzz.js +16 -0
  210. package/lib/vendor/blamejs/fuzz/guard-xml_seed_corpus/01-basic.xml +1 -0
  211. package/lib/vendor/blamejs/fuzz/guard-xml_seed_corpus/02-xxe.xml +1 -0
  212. package/lib/vendor/blamejs/fuzz/guard-yaml.fuzz.js +16 -0
  213. package/lib/vendor/blamejs/fuzz/guard-yaml_seed_corpus/01-basic.yaml +2 -0
  214. package/lib/vendor/blamejs/fuzz/guard-yaml_seed_corpus/02-anchor.yaml +2 -0
  215. package/lib/vendor/blamejs/fuzz/guard-yaml_seed_corpus/03-norway.yaml +1 -0
  216. package/lib/vendor/blamejs/fuzz/guard-yaml_seed_corpus/04-multidoc.yaml +4 -0
  217. package/lib/vendor/blamejs/fuzz/parsers__safe-ini.fuzz.js +16 -0
  218. package/lib/vendor/blamejs/fuzz/parsers__safe-ini_seed_corpus/01-basic.ini +2 -0
  219. package/lib/vendor/blamejs/fuzz/parsers__safe-toml.fuzz.js +16 -0
  220. package/lib/vendor/blamejs/fuzz/parsers__safe-toml_seed_corpus/01-basic.toml +4 -0
  221. package/lib/vendor/blamejs/fuzz/parsers__safe-xml.fuzz.js +16 -0
  222. package/lib/vendor/blamejs/fuzz/parsers__safe-xml_seed_corpus/01-basic.xml +1 -0
  223. package/lib/vendor/blamejs/fuzz/parsers__safe-yaml.fuzz.js +16 -0
  224. package/lib/vendor/blamejs/fuzz/parsers__safe-yaml_seed_corpus/01-basic.yaml +4 -0
  225. package/lib/vendor/blamejs/fuzz/safe-decompress.fuzz.js +49 -0
  226. package/lib/vendor/blamejs/fuzz/safe-dns.fuzz.js +29 -0
  227. package/lib/vendor/blamejs/fuzz/safe-ical.fuzz.js +16 -0
  228. package/lib/vendor/blamejs/fuzz/safe-icap.fuzz.js +42 -0
  229. package/lib/vendor/blamejs/fuzz/safe-json.fuzz.js +25 -0
  230. package/lib/vendor/blamejs/fuzz/safe-json_seed_corpus/01-object.txt +1 -0
  231. package/lib/vendor/blamejs/fuzz/safe-json_seed_corpus/02-array.txt +1 -0
  232. package/lib/vendor/blamejs/fuzz/safe-json_seed_corpus/03-string.txt +1 -0
  233. package/lib/vendor/blamejs/fuzz/safe-json_seed_corpus/04-proto.txt +1 -0
  234. package/lib/vendor/blamejs/fuzz/safe-json_seed_corpus/05-deep.txt +1 -0
  235. package/lib/vendor/blamejs/fuzz/safe-jsonpath.fuzz.js +16 -0
  236. package/lib/vendor/blamejs/fuzz/safe-jsonpath_seed_corpus/01-basic.txt +1 -0
  237. package/lib/vendor/blamejs/fuzz/safe-jsonpath_seed_corpus/02-filter.txt +1 -0
  238. package/lib/vendor/blamejs/fuzz/safe-jsonpath_seed_corpus/03-deepscan.txt +1 -0
  239. package/lib/vendor/blamejs/fuzz/safe-jsonpath_seed_corpus/04-slice.txt +1 -0
  240. package/lib/vendor/blamejs/fuzz/safe-mime.fuzz.js +27 -0
  241. package/lib/vendor/blamejs/fuzz/safe-mount-info.fuzz.js +33 -0
  242. package/lib/vendor/blamejs/fuzz/safe-sieve.fuzz.js +28 -0
  243. package/lib/vendor/blamejs/fuzz/safe-smtp.fuzz.js +64 -0
  244. package/lib/vendor/blamejs/fuzz/safe-url.fuzz.js +16 -0
  245. package/lib/vendor/blamejs/fuzz/safe-url_seed_corpus/01-basic.txt +1 -0
  246. package/lib/vendor/blamejs/fuzz/safe-url_seed_corpus/02-userinfo.txt +1 -0
  247. package/lib/vendor/blamejs/fuzz/safe-url_seed_corpus/03-dangerous.txt +1 -0
  248. package/lib/vendor/blamejs/fuzz/safe-url_seed_corpus/04-data.txt +1 -0
  249. package/lib/vendor/blamejs/fuzz/safe-url_seed_corpus/05-ipv6.txt +1 -0
  250. package/lib/vendor/blamejs/fuzz/safe-url_seed_corpus/06-idn.txt +1 -0
  251. package/lib/vendor/blamejs/fuzz/safe-vcard.fuzz.js +16 -0
  252. package/lib/vendor/blamejs/index.js +678 -0
  253. package/lib/vendor/blamejs/keys/release-pqc-pub.json +7 -0
  254. package/lib/vendor/blamejs/lib/_test/crypto-fixtures.js +67 -0
  255. package/lib/vendor/blamejs/lib/a2a-tasks.js +598 -0
  256. package/lib/vendor/blamejs/lib/a2a.js +407 -0
  257. package/lib/vendor/blamejs/lib/acme.js +1448 -0
  258. package/lib/vendor/blamejs/lib/agent-audit.js +45 -0
  259. package/lib/vendor/blamejs/lib/agent-event-bus.js +382 -0
  260. package/lib/vendor/blamejs/lib/agent-idempotency.js +497 -0
  261. package/lib/vendor/blamejs/lib/agent-orchestrator.js +717 -0
  262. package/lib/vendor/blamejs/lib/agent-posture-chain.js +366 -0
  263. package/lib/vendor/blamejs/lib/agent-saga.js +321 -0
  264. package/lib/vendor/blamejs/lib/agent-snapshot.js +676 -0
  265. package/lib/vendor/blamejs/lib/agent-stream.js +269 -0
  266. package/lib/vendor/blamejs/lib/agent-tenant.js +632 -0
  267. package/lib/vendor/blamejs/lib/agent-trace.js +281 -0
  268. package/lib/vendor/blamejs/lib/ai-adverse-decision.js +184 -0
  269. package/lib/vendor/blamejs/lib/ai-content-detect.js +268 -0
  270. package/lib/vendor/blamejs/lib/ai-input.js +201 -0
  271. package/lib/vendor/blamejs/lib/ai-model-manifest.js +363 -0
  272. package/lib/vendor/blamejs/lib/ai-pref.js +340 -0
  273. package/lib/vendor/blamejs/lib/api-key.js +721 -0
  274. package/lib/vendor/blamejs/lib/api-snapshot.js +458 -0
  275. package/lib/vendor/blamejs/lib/app-shutdown.js +557 -0
  276. package/lib/vendor/blamejs/lib/app.js +365 -0
  277. package/lib/vendor/blamejs/lib/archive.js +547 -0
  278. package/lib/vendor/blamejs/lib/arg-parser.js +697 -0
  279. package/lib/vendor/blamejs/lib/argon2-builtin.js +173 -0
  280. package/lib/vendor/blamejs/lib/asn1-der.js +424 -0
  281. package/lib/vendor/blamejs/lib/asyncapi-bindings.js +160 -0
  282. package/lib/vendor/blamejs/lib/asyncapi-traits.js +143 -0
  283. package/lib/vendor/blamejs/lib/asyncapi.js +575 -0
  284. package/lib/vendor/blamejs/lib/atomic-file.js +1023 -0
  285. package/lib/vendor/blamejs/lib/audit-chain.js +266 -0
  286. package/lib/vendor/blamejs/lib/audit-daily-review.js +389 -0
  287. package/lib/vendor/blamejs/lib/audit-sign.js +751 -0
  288. package/lib/vendor/blamejs/lib/audit-tools.js +1113 -0
  289. package/lib/vendor/blamejs/lib/audit.js +1671 -0
  290. package/lib/vendor/blamejs/lib/auth/aal.js +169 -0
  291. package/lib/vendor/blamejs/lib/auth/access-lock.js +220 -0
  292. package/lib/vendor/blamejs/lib/auth/acr-vocabulary.js +265 -0
  293. package/lib/vendor/blamejs/lib/auth/ato-kill-switch.js +112 -0
  294. package/lib/vendor/blamejs/lib/auth/auth-time-tracker.js +111 -0
  295. package/lib/vendor/blamejs/lib/auth/bot-challenge.js +573 -0
  296. package/lib/vendor/blamejs/lib/auth/ciba.js +637 -0
  297. package/lib/vendor/blamejs/lib/auth/dpop.js +516 -0
  298. package/lib/vendor/blamejs/lib/auth/elevation-grant.js +306 -0
  299. package/lib/vendor/blamejs/lib/auth/fal.js +229 -0
  300. package/lib/vendor/blamejs/lib/auth/fido-mds3.js +681 -0
  301. package/lib/vendor/blamejs/lib/auth/jwt-external.js +519 -0
  302. package/lib/vendor/blamejs/lib/auth/jwt.js +430 -0
  303. package/lib/vendor/blamejs/lib/auth/lockout.js +449 -0
  304. package/lib/vendor/blamejs/lib/auth/oauth.js +2141 -0
  305. package/lib/vendor/blamejs/lib/auth/oid4vci.js +657 -0
  306. package/lib/vendor/blamejs/lib/auth/oid4vp.js +531 -0
  307. package/lib/vendor/blamejs/lib/auth/openid-federation.js +600 -0
  308. package/lib/vendor/blamejs/lib/auth/passkey.js +676 -0
  309. package/lib/vendor/blamejs/lib/auth/password.js +693 -0
  310. package/lib/vendor/blamejs/lib/auth/saml.js +2109 -0
  311. package/lib/vendor/blamejs/lib/auth/sd-jwt-vc-disclosure.js +95 -0
  312. package/lib/vendor/blamejs/lib/auth/sd-jwt-vc-holder.js +225 -0
  313. package/lib/vendor/blamejs/lib/auth/sd-jwt-vc-issuer.js +197 -0
  314. package/lib/vendor/blamejs/lib/auth/sd-jwt-vc.js +728 -0
  315. package/lib/vendor/blamejs/lib/auth/status-list.js +272 -0
  316. package/lib/vendor/blamejs/lib/auth/step-up-policy.js +335 -0
  317. package/lib/vendor/blamejs/lib/auth/step-up.js +454 -0
  318. package/lib/vendor/blamejs/lib/auth-bot-challenge.js +505 -0
  319. package/lib/vendor/blamejs/lib/auth-header.js +148 -0
  320. package/lib/vendor/blamejs/lib/backup/bundle.js +265 -0
  321. package/lib/vendor/blamejs/lib/backup/crypto.js +176 -0
  322. package/lib/vendor/blamejs/lib/backup/index.js +1001 -0
  323. package/lib/vendor/blamejs/lib/backup/manifest.js +443 -0
  324. package/lib/vendor/blamejs/lib/boot-gates.js +174 -0
  325. package/lib/vendor/blamejs/lib/breach-deadline.js +272 -0
  326. package/lib/vendor/blamejs/lib/break-glass.js +1753 -0
  327. package/lib/vendor/blamejs/lib/budr.js +205 -0
  328. package/lib/vendor/blamejs/lib/bundler.js +461 -0
  329. package/lib/vendor/blamejs/lib/cache-redis.js +256 -0
  330. package/lib/vendor/blamejs/lib/cache-status.js +288 -0
  331. package/lib/vendor/blamejs/lib/cache.js +1331 -0
  332. package/lib/vendor/blamejs/lib/calendar.js +1240 -0
  333. package/lib/vendor/blamejs/lib/canonical-json.js +143 -0
  334. package/lib/vendor/blamejs/lib/cdn-cache-control.js +473 -0
  335. package/lib/vendor/blamejs/lib/cert.js +763 -0
  336. package/lib/vendor/blamejs/lib/chain-writer.js +259 -0
  337. package/lib/vendor/blamejs/lib/circuit-breaker.js +101 -0
  338. package/lib/vendor/blamejs/lib/cli-helpers.js +237 -0
  339. package/lib/vendor/blamejs/lib/cli.js +2328 -0
  340. package/lib/vendor/blamejs/lib/client-hints.js +318 -0
  341. package/lib/vendor/blamejs/lib/cloud-events.js +277 -0
  342. package/lib/vendor/blamejs/lib/cluster-provider-db.js +317 -0
  343. package/lib/vendor/blamejs/lib/cluster-storage.js +351 -0
  344. package/lib/vendor/blamejs/lib/cluster.js +1017 -0
  345. package/lib/vendor/blamejs/lib/cms-codec.js +826 -0
  346. package/lib/vendor/blamejs/lib/codepoint-class.js +262 -0
  347. package/lib/vendor/blamejs/lib/compliance-ai-act-logging.js +190 -0
  348. package/lib/vendor/blamejs/lib/compliance-ai-act-prohibited.js +205 -0
  349. package/lib/vendor/blamejs/lib/compliance-ai-act-risk.js +189 -0
  350. package/lib/vendor/blamejs/lib/compliance-ai-act-transparency.js +200 -0
  351. package/lib/vendor/blamejs/lib/compliance-ai-act.js +821 -0
  352. package/lib/vendor/blamejs/lib/compliance-eaa.js +204 -0
  353. package/lib/vendor/blamejs/lib/compliance-sanctions-aliases.js +167 -0
  354. package/lib/vendor/blamejs/lib/compliance-sanctions-fetcher.js +206 -0
  355. package/lib/vendor/blamejs/lib/compliance-sanctions-fuzzy.js +297 -0
  356. package/lib/vendor/blamejs/lib/compliance-sanctions.js +569 -0
  357. package/lib/vendor/blamejs/lib/compliance.js +1558 -0
  358. package/lib/vendor/blamejs/lib/config-drift.js +426 -0
  359. package/lib/vendor/blamejs/lib/config.js +446 -0
  360. package/lib/vendor/blamejs/lib/consent.js +369 -0
  361. package/lib/vendor/blamejs/lib/constants.js +209 -0
  362. package/lib/vendor/blamejs/lib/content-credentials.js +704 -0
  363. package/lib/vendor/blamejs/lib/cookies.js +560 -0
  364. package/lib/vendor/blamejs/lib/cra-report.js +299 -0
  365. package/lib/vendor/blamejs/lib/credential-hash.js +394 -0
  366. package/lib/vendor/blamejs/lib/crypto-field.js +1017 -0
  367. package/lib/vendor/blamejs/lib/crypto-hpke-pq.js +187 -0
  368. package/lib/vendor/blamejs/lib/crypto-hpke.js +256 -0
  369. package/lib/vendor/blamejs/lib/crypto.js +1908 -0
  370. package/lib/vendor/blamejs/lib/csp.js +271 -0
  371. package/lib/vendor/blamejs/lib/csv.js +418 -0
  372. package/lib/vendor/blamejs/lib/daemon.js +481 -0
  373. package/lib/vendor/blamejs/lib/dark-patterns.js +488 -0
  374. package/lib/vendor/blamejs/lib/data-act.js +328 -0
  375. package/lib/vendor/blamejs/lib/db-collection.js +587 -0
  376. package/lib/vendor/blamejs/lib/db-declare-row-policy.js +267 -0
  377. package/lib/vendor/blamejs/lib/db-declare-view.js +420 -0
  378. package/lib/vendor/blamejs/lib/db-file-lifecycle.js +333 -0
  379. package/lib/vendor/blamejs/lib/db-query.js +802 -0
  380. package/lib/vendor/blamejs/lib/db-role-context.js +50 -0
  381. package/lib/vendor/blamejs/lib/db-schema.js +322 -0
  382. package/lib/vendor/blamejs/lib/db.js +3111 -0
  383. package/lib/vendor/blamejs/lib/dbsc.js +299 -0
  384. package/lib/vendor/blamejs/lib/ddl-change-control.js +523 -0
  385. package/lib/vendor/blamejs/lib/deprecate.js +377 -0
  386. package/lib/vendor/blamejs/lib/dev.js +405 -0
  387. package/lib/vendor/blamejs/lib/dora.js +402 -0
  388. package/lib/vendor/blamejs/lib/dr-runbook.js +368 -0
  389. package/lib/vendor/blamejs/lib/dsr.js +1188 -0
  390. package/lib/vendor/blamejs/lib/dual-control.js +526 -0
  391. package/lib/vendor/blamejs/lib/early-hints.js +212 -0
  392. package/lib/vendor/blamejs/lib/error-page.js +420 -0
  393. package/lib/vendor/blamejs/lib/events.js +214 -0
  394. package/lib/vendor/blamejs/lib/external-db-migrate.js +659 -0
  395. package/lib/vendor/blamejs/lib/external-db.js +1877 -0
  396. package/lib/vendor/blamejs/lib/fapi2.js +394 -0
  397. package/lib/vendor/blamejs/lib/fda-21cfr11.js +395 -0
  398. package/lib/vendor/blamejs/lib/fdx.js +370 -0
  399. package/lib/vendor/blamejs/lib/fedcm.js +264 -0
  400. package/lib/vendor/blamejs/lib/file-type.js +360 -0
  401. package/lib/vendor/blamejs/lib/file-upload.js +1256 -0
  402. package/lib/vendor/blamejs/lib/flag-cache.js +136 -0
  403. package/lib/vendor/blamejs/lib/flag-evaluation-context.js +135 -0
  404. package/lib/vendor/blamejs/lib/flag-providers.js +279 -0
  405. package/lib/vendor/blamejs/lib/flag-targeting.js +210 -0
  406. package/lib/vendor/blamejs/lib/flag.js +346 -0
  407. package/lib/vendor/blamejs/lib/forms.js +525 -0
  408. package/lib/vendor/blamejs/lib/framework-error.js +724 -0
  409. package/lib/vendor/blamejs/lib/framework-schema.js +845 -0
  410. package/lib/vendor/blamejs/lib/framework-sha1-hibp.js +34 -0
  411. package/lib/vendor/blamejs/lib/fsm.js +469 -0
  412. package/lib/vendor/blamejs/lib/gate-contract.js +1661 -0
  413. package/lib/vendor/blamejs/lib/gdpr-ropa.js +261 -0
  414. package/lib/vendor/blamejs/lib/graphql-federation.js +234 -0
  415. package/lib/vendor/blamejs/lib/guard-agent-registry.js +179 -0
  416. package/lib/vendor/blamejs/lib/guard-all.js +555 -0
  417. package/lib/vendor/blamejs/lib/guard-archive.js +901 -0
  418. package/lib/vendor/blamejs/lib/guard-auth.js +451 -0
  419. package/lib/vendor/blamejs/lib/guard-cidr.js +676 -0
  420. package/lib/vendor/blamejs/lib/guard-csv.js +1176 -0
  421. package/lib/vendor/blamejs/lib/guard-domain.js +814 -0
  422. package/lib/vendor/blamejs/lib/guard-dsn.js +382 -0
  423. package/lib/vendor/blamejs/lib/guard-email.js +951 -0
  424. package/lib/vendor/blamejs/lib/guard-envelope.js +294 -0
  425. package/lib/vendor/blamejs/lib/guard-event-bus-payload.js +217 -0
  426. package/lib/vendor/blamejs/lib/guard-event-bus-topic.js +150 -0
  427. package/lib/vendor/blamejs/lib/guard-filename.js +956 -0
  428. package/lib/vendor/blamejs/lib/guard-graphql.js +731 -0
  429. package/lib/vendor/blamejs/lib/guard-html-wcag-aria.js +164 -0
  430. package/lib/vendor/blamejs/lib/guard-html-wcag-forms.js +144 -0
  431. package/lib/vendor/blamejs/lib/guard-html-wcag-tables.js +154 -0
  432. package/lib/vendor/blamejs/lib/guard-html-wcag-tagwalk.js +44 -0
  433. package/lib/vendor/blamejs/lib/guard-html-wcag.js +470 -0
  434. package/lib/vendor/blamejs/lib/guard-html.js +1209 -0
  435. package/lib/vendor/blamejs/lib/guard-idempotency-key.js +151 -0
  436. package/lib/vendor/blamejs/lib/guard-image.js +584 -0
  437. package/lib/vendor/blamejs/lib/guard-imap-command.js +337 -0
  438. package/lib/vendor/blamejs/lib/guard-jmap.js +321 -0
  439. package/lib/vendor/blamejs/lib/guard-json.js +935 -0
  440. package/lib/vendor/blamejs/lib/guard-jsonpath.js +512 -0
  441. package/lib/vendor/blamejs/lib/guard-jwt.js +772 -0
  442. package/lib/vendor/blamejs/lib/guard-list-id.js +318 -0
  443. package/lib/vendor/blamejs/lib/guard-list-unsubscribe.js +412 -0
  444. package/lib/vendor/blamejs/lib/guard-mail-compose.js +282 -0
  445. package/lib/vendor/blamejs/lib/guard-mail-move.js +202 -0
  446. package/lib/vendor/blamejs/lib/guard-mail-query.js +310 -0
  447. package/lib/vendor/blamejs/lib/guard-mail-reply.js +172 -0
  448. package/lib/vendor/blamejs/lib/guard-mail-sieve.js +207 -0
  449. package/lib/vendor/blamejs/lib/guard-managesieve-command.js +566 -0
  450. package/lib/vendor/blamejs/lib/guard-markdown.js +768 -0
  451. package/lib/vendor/blamejs/lib/guard-message-id.js +267 -0
  452. package/lib/vendor/blamejs/lib/guard-mime.js +609 -0
  453. package/lib/vendor/blamejs/lib/guard-oauth.js +650 -0
  454. package/lib/vendor/blamejs/lib/guard-pdf.js +569 -0
  455. package/lib/vendor/blamejs/lib/guard-pop3-command.js +317 -0
  456. package/lib/vendor/blamejs/lib/guard-posture-chain.js +201 -0
  457. package/lib/vendor/blamejs/lib/guard-regex.js +632 -0
  458. package/lib/vendor/blamejs/lib/guard-saga-config.js +157 -0
  459. package/lib/vendor/blamejs/lib/guard-shell.js +522 -0
  460. package/lib/vendor/blamejs/lib/guard-smtp-command.js +594 -0
  461. package/lib/vendor/blamejs/lib/guard-snapshot-envelope.js +168 -0
  462. package/lib/vendor/blamejs/lib/guard-stream-args.js +166 -0
  463. package/lib/vendor/blamejs/lib/guard-svg.js +1163 -0
  464. package/lib/vendor/blamejs/lib/guard-template.js +490 -0
  465. package/lib/vendor/blamejs/lib/guard-tenant-id.js +138 -0
  466. package/lib/vendor/blamejs/lib/guard-time.js +586 -0
  467. package/lib/vendor/blamejs/lib/guard-trace-context.js +172 -0
  468. package/lib/vendor/blamejs/lib/guard-uuid.js +548 -0
  469. package/lib/vendor/blamejs/lib/guard-xml.js +666 -0
  470. package/lib/vendor/blamejs/lib/guard-yaml.js +726 -0
  471. package/lib/vendor/blamejs/lib/hal.js +125 -0
  472. package/lib/vendor/blamejs/lib/handlers.js +350 -0
  473. package/lib/vendor/blamejs/lib/honeytoken.js +168 -0
  474. package/lib/vendor/blamejs/lib/html-balance.js +347 -0
  475. package/lib/vendor/blamejs/lib/http-client-cache.js +923 -0
  476. package/lib/vendor/blamejs/lib/http-client-cookie-jar.js +519 -0
  477. package/lib/vendor/blamejs/lib/http-client.js +2152 -0
  478. package/lib/vendor/blamejs/lib/http-message-signature.js +589 -0
  479. package/lib/vendor/blamejs/lib/http2-teardown.js +34 -0
  480. package/lib/vendor/blamejs/lib/i18n-messageformat.js +398 -0
  481. package/lib/vendor/blamejs/lib/i18n.js +931 -0
  482. package/lib/vendor/blamejs/lib/iab-mspa.js +257 -0
  483. package/lib/vendor/blamejs/lib/iab-tcf.js +461 -0
  484. package/lib/vendor/blamejs/lib/importmap-integrity.js +90 -0
  485. package/lib/vendor/blamejs/lib/inbox.js +435 -0
  486. package/lib/vendor/blamejs/lib/incident-report.js +314 -0
  487. package/lib/vendor/blamejs/lib/ip-utils.js +102 -0
  488. package/lib/vendor/blamejs/lib/jobs.js +185 -0
  489. package/lib/vendor/blamejs/lib/jose-jwe-experimental.js +228 -0
  490. package/lib/vendor/blamejs/lib/jsonapi.js +230 -0
  491. package/lib/vendor/blamejs/lib/keychain.js +865 -0
  492. package/lib/vendor/blamejs/lib/lazy-require.js +48 -0
  493. package/lib/vendor/blamejs/lib/legal-hold.js +374 -0
  494. package/lib/vendor/blamejs/lib/local-db-thin.js +321 -0
  495. package/lib/vendor/blamejs/lib/log-stream-cloudwatch.js +369 -0
  496. package/lib/vendor/blamejs/lib/log-stream-local.js +146 -0
  497. package/lib/vendor/blamejs/lib/log-stream-otlp-grpc.js +410 -0
  498. package/lib/vendor/blamejs/lib/log-stream-otlp.js +286 -0
  499. package/lib/vendor/blamejs/lib/log-stream-syslog.js +310 -0
  500. package/lib/vendor/blamejs/lib/log-stream-webhook.js +199 -0
  501. package/lib/vendor/blamejs/lib/log-stream.js +584 -0
  502. package/lib/vendor/blamejs/lib/log.js +625 -0
  503. package/lib/vendor/blamejs/lib/lro.js +200 -0
  504. package/lib/vendor/blamejs/lib/mail-agent.js +786 -0
  505. package/lib/vendor/blamejs/lib/mail-arc-sign.js +417 -0
  506. package/lib/vendor/blamejs/lib/mail-arf.js +343 -0
  507. package/lib/vendor/blamejs/lib/mail-auth.js +2144 -0
  508. package/lib/vendor/blamejs/lib/mail-bimi.js +1047 -0
  509. package/lib/vendor/blamejs/lib/mail-bounce.js +955 -0
  510. package/lib/vendor/blamejs/lib/mail-crypto-pgp.js +1286 -0
  511. package/lib/vendor/blamejs/lib/mail-crypto-smime.js +789 -0
  512. package/lib/vendor/blamejs/lib/mail-crypto.js +108 -0
  513. package/lib/vendor/blamejs/lib/mail-dav.js +1224 -0
  514. package/lib/vendor/blamejs/lib/mail-deploy.js +1119 -0
  515. package/lib/vendor/blamejs/lib/mail-dkim.js +1250 -0
  516. package/lib/vendor/blamejs/lib/mail-greylist.js +448 -0
  517. package/lib/vendor/blamejs/lib/mail-helo.js +473 -0
  518. package/lib/vendor/blamejs/lib/mail-journal.js +435 -0
  519. package/lib/vendor/blamejs/lib/mail-mdn.js +424 -0
  520. package/lib/vendor/blamejs/lib/mail-rbl.js +392 -0
  521. package/lib/vendor/blamejs/lib/mail-require-tls.js +198 -0
  522. package/lib/vendor/blamejs/lib/mail-scan.js +502 -0
  523. package/lib/vendor/blamejs/lib/mail-send-deliver.js +629 -0
  524. package/lib/vendor/blamejs/lib/mail-server-imap.js +1858 -0
  525. package/lib/vendor/blamejs/lib/mail-server-jmap.js +1565 -0
  526. package/lib/vendor/blamejs/lib/mail-server-managesieve.js +908 -0
  527. package/lib/vendor/blamejs/lib/mail-server-mx.js +969 -0
  528. package/lib/vendor/blamejs/lib/mail-server-pop3.js +915 -0
  529. package/lib/vendor/blamejs/lib/mail-server-rate-limit.js +315 -0
  530. package/lib/vendor/blamejs/lib/mail-server-registry.js +378 -0
  531. package/lib/vendor/blamejs/lib/mail-server-submission.js +1396 -0
  532. package/lib/vendor/blamejs/lib/mail-server-tls.js +445 -0
  533. package/lib/vendor/blamejs/lib/mail-sieve.js +557 -0
  534. package/lib/vendor/blamejs/lib/mail-spam-score.js +284 -0
  535. package/lib/vendor/blamejs/lib/mail-srs.js +248 -0
  536. package/lib/vendor/blamejs/lib/mail-store-fts.js +394 -0
  537. package/lib/vendor/blamejs/lib/mail-store.js +929 -0
  538. package/lib/vendor/blamejs/lib/mail-unsubscribe.js +400 -0
  539. package/lib/vendor/blamejs/lib/mail.js +1971 -0
  540. package/lib/vendor/blamejs/lib/mcp-tool-registry.js +473 -0
  541. package/lib/vendor/blamejs/lib/mcp.js +950 -0
  542. package/lib/vendor/blamejs/lib/metrics.js +1503 -0
  543. package/lib/vendor/blamejs/lib/middleware/age-gate.js +177 -0
  544. package/lib/vendor/blamejs/lib/middleware/ai-act-disclosure.js +203 -0
  545. package/lib/vendor/blamejs/lib/middleware/api-encrypt.js +981 -0
  546. package/lib/vendor/blamejs/lib/middleware/assetlinks.js +137 -0
  547. package/lib/vendor/blamejs/lib/middleware/asyncapi-serve.js +171 -0
  548. package/lib/vendor/blamejs/lib/middleware/attach-user.js +220 -0
  549. package/lib/vendor/blamejs/lib/middleware/bearer-auth.js +293 -0
  550. package/lib/vendor/blamejs/lib/middleware/body-parser.js +1519 -0
  551. package/lib/vendor/blamejs/lib/middleware/bot-disclose.js +183 -0
  552. package/lib/vendor/blamejs/lib/middleware/bot-guard.js +217 -0
  553. package/lib/vendor/blamejs/lib/middleware/clear-site-data.js +122 -0
  554. package/lib/vendor/blamejs/lib/middleware/compose-pipeline.js +355 -0
  555. package/lib/vendor/blamejs/lib/middleware/compression.js +489 -0
  556. package/lib/vendor/blamejs/lib/middleware/cookies.js +130 -0
  557. package/lib/vendor/blamejs/lib/middleware/cors.js +386 -0
  558. package/lib/vendor/blamejs/lib/middleware/csp-nonce.js +388 -0
  559. package/lib/vendor/blamejs/lib/middleware/csp-report.js +167 -0
  560. package/lib/vendor/blamejs/lib/middleware/csrf-protect.js +499 -0
  561. package/lib/vendor/blamejs/lib/middleware/daily-byte-quota.js +243 -0
  562. package/lib/vendor/blamejs/lib/middleware/db-role-for.js +304 -0
  563. package/lib/vendor/blamejs/lib/middleware/dpop.js +402 -0
  564. package/lib/vendor/blamejs/lib/middleware/error-handler.js +69 -0
  565. package/lib/vendor/blamejs/lib/middleware/fetch-metadata.js +168 -0
  566. package/lib/vendor/blamejs/lib/middleware/flag-context.js +110 -0
  567. package/lib/vendor/blamejs/lib/middleware/gpc.js +153 -0
  568. package/lib/vendor/blamejs/lib/middleware/headers.js +242 -0
  569. package/lib/vendor/blamejs/lib/middleware/health.js +438 -0
  570. package/lib/vendor/blamejs/lib/middleware/host-allowlist.js +189 -0
  571. package/lib/vendor/blamejs/lib/middleware/idempotency-key.js +964 -0
  572. package/lib/vendor/blamejs/lib/middleware/index.js +183 -0
  573. package/lib/vendor/blamejs/lib/middleware/nel.js +214 -0
  574. package/lib/vendor/blamejs/lib/middleware/network-allowlist.js +237 -0
  575. package/lib/vendor/blamejs/lib/middleware/no-cache.js +106 -0
  576. package/lib/vendor/blamejs/lib/middleware/openapi-serve.js +177 -0
  577. package/lib/vendor/blamejs/lib/middleware/protected-resource-metadata.js +277 -0
  578. package/lib/vendor/blamejs/lib/middleware/rate-limit.js +556 -0
  579. package/lib/vendor/blamejs/lib/middleware/request-id.js +79 -0
  580. package/lib/vendor/blamejs/lib/middleware/request-log.js +205 -0
  581. package/lib/vendor/blamejs/lib/middleware/require-aal.js +138 -0
  582. package/lib/vendor/blamejs/lib/middleware/require-auth.js +144 -0
  583. package/lib/vendor/blamejs/lib/middleware/require-bound-key.js +290 -0
  584. package/lib/vendor/blamejs/lib/middleware/require-content-type.js +113 -0
  585. package/lib/vendor/blamejs/lib/middleware/require-methods.js +97 -0
  586. package/lib/vendor/blamejs/lib/middleware/require-mtls.js +212 -0
  587. package/lib/vendor/blamejs/lib/middleware/require-step-up.js +226 -0
  588. package/lib/vendor/blamejs/lib/middleware/scim-server.js +375 -0
  589. package/lib/vendor/blamejs/lib/middleware/security-headers.js +285 -0
  590. package/lib/vendor/blamejs/lib/middleware/security-txt.js +170 -0
  591. package/lib/vendor/blamejs/lib/middleware/span-http-server.js +280 -0
  592. package/lib/vendor/blamejs/lib/middleware/speculation-rules.js +323 -0
  593. package/lib/vendor/blamejs/lib/middleware/sse.js +200 -0
  594. package/lib/vendor/blamejs/lib/middleware/trace-log-correlation.js +167 -0
  595. package/lib/vendor/blamejs/lib/middleware/trace-propagate.js +148 -0
  596. package/lib/vendor/blamejs/lib/middleware/tus-upload.js +749 -0
  597. package/lib/vendor/blamejs/lib/middleware/web-app-manifest.js +164 -0
  598. package/lib/vendor/blamejs/lib/migration-files.js +37 -0
  599. package/lib/vendor/blamejs/lib/migrations.js +385 -0
  600. package/lib/vendor/blamejs/lib/mime-parse.js +198 -0
  601. package/lib/vendor/blamejs/lib/money.js +699 -0
  602. package/lib/vendor/blamejs/lib/mtls-ca.js +572 -0
  603. package/lib/vendor/blamejs/lib/mtls-engine-default.js +501 -0
  604. package/lib/vendor/blamejs/lib/network-byte-quota.js +308 -0
  605. package/lib/vendor/blamejs/lib/network-dns-resolver.js +533 -0
  606. package/lib/vendor/blamejs/lib/network-dns.js +1930 -0
  607. package/lib/vendor/blamejs/lib/network-heartbeat.js +425 -0
  608. package/lib/vendor/blamejs/lib/network-nts.js +574 -0
  609. package/lib/vendor/blamejs/lib/network-proxy.js +265 -0
  610. package/lib/vendor/blamejs/lib/network-smtp-policy.js +836 -0
  611. package/lib/vendor/blamejs/lib/network-tls.js +3126 -0
  612. package/lib/vendor/blamejs/lib/network.js +346 -0
  613. package/lib/vendor/blamejs/lib/nis2-report.js +181 -0
  614. package/lib/vendor/blamejs/lib/nist-crosswalk.js +293 -0
  615. package/lib/vendor/blamejs/lib/nonce-store.js +177 -0
  616. package/lib/vendor/blamejs/lib/notify.js +683 -0
  617. package/lib/vendor/blamejs/lib/ntp-check.js +458 -0
  618. package/lib/vendor/blamejs/lib/numeric-bounds.js +111 -0
  619. package/lib/vendor/blamejs/lib/numeric-checks.js +40 -0
  620. package/lib/vendor/blamejs/lib/object-store/azure-blob-bucket-ops.js +349 -0
  621. package/lib/vendor/blamejs/lib/object-store/azure-blob.js +488 -0
  622. package/lib/vendor/blamejs/lib/object-store/gcs-bucket-ops.js +351 -0
  623. package/lib/vendor/blamejs/lib/object-store/gcs.js +515 -0
  624. package/lib/vendor/blamejs/lib/object-store/http-put.js +153 -0
  625. package/lib/vendor/blamejs/lib/object-store/http-request.js +38 -0
  626. package/lib/vendor/blamejs/lib/object-store/index.js +197 -0
  627. package/lib/vendor/blamejs/lib/object-store/local.js +163 -0
  628. package/lib/vendor/blamejs/lib/object-store/sigv4-bucket-ops.js +1133 -0
  629. package/lib/vendor/blamejs/lib/object-store/sigv4.js +957 -0
  630. package/lib/vendor/blamejs/lib/observability-otlp-exporter.js +420 -0
  631. package/lib/vendor/blamejs/lib/observability-tracer.js +395 -0
  632. package/lib/vendor/blamejs/lib/observability.js +720 -0
  633. package/lib/vendor/blamejs/lib/openapi-paths-builder.js +248 -0
  634. package/lib/vendor/blamejs/lib/openapi-schema-walk.js +192 -0
  635. package/lib/vendor/blamejs/lib/openapi-security.js +169 -0
  636. package/lib/vendor/blamejs/lib/openapi-yaml.js +154 -0
  637. package/lib/vendor/blamejs/lib/openapi.js +489 -0
  638. package/lib/vendor/blamejs/lib/otel-export.js +278 -0
  639. package/lib/vendor/blamejs/lib/outbox.js +547 -0
  640. package/lib/vendor/blamejs/lib/pagination.js +542 -0
  641. package/lib/vendor/blamejs/lib/parsers/index.js +91 -0
  642. package/lib/vendor/blamejs/lib/parsers/safe-env.js +642 -0
  643. package/lib/vendor/blamejs/lib/parsers/safe-ini.js +293 -0
  644. package/lib/vendor/blamejs/lib/parsers/safe-toml.js +784 -0
  645. package/lib/vendor/blamejs/lib/parsers/safe-xml.js +390 -0
  646. package/lib/vendor/blamejs/lib/parsers/safe-yaml.js +1015 -0
  647. package/lib/vendor/blamejs/lib/permissions.js +793 -0
  648. package/lib/vendor/blamejs/lib/pick.js +105 -0
  649. package/lib/vendor/blamejs/lib/pqc-agent.js +351 -0
  650. package/lib/vendor/blamejs/lib/pqc-gate.js +279 -0
  651. package/lib/vendor/blamejs/lib/pqc-software.js +271 -0
  652. package/lib/vendor/blamejs/lib/problem-details.js +482 -0
  653. package/lib/vendor/blamejs/lib/process-spawn.js +196 -0
  654. package/lib/vendor/blamejs/lib/promise-pool.js +162 -0
  655. package/lib/vendor/blamejs/lib/protobuf-encoder.js +190 -0
  656. package/lib/vendor/blamejs/lib/protocol-dispatcher.js +161 -0
  657. package/lib/vendor/blamejs/lib/public-suffix.js +403 -0
  658. package/lib/vendor/blamejs/lib/pubsub-cluster.js +154 -0
  659. package/lib/vendor/blamejs/lib/pubsub-redis.js +167 -0
  660. package/lib/vendor/blamejs/lib/pubsub.js +463 -0
  661. package/lib/vendor/blamejs/lib/queue-local.js +476 -0
  662. package/lib/vendor/blamejs/lib/queue-redis.js +745 -0
  663. package/lib/vendor/blamejs/lib/queue-sqs.js +319 -0
  664. package/lib/vendor/blamejs/lib/queue.js +1016 -0
  665. package/lib/vendor/blamejs/lib/redact.js +1007 -0
  666. package/lib/vendor/blamejs/lib/redis-client.js +520 -0
  667. package/lib/vendor/blamejs/lib/render.js +285 -0
  668. package/lib/vendor/blamejs/lib/request-helpers.js +767 -0
  669. package/lib/vendor/blamejs/lib/resource-access-lock.js +116 -0
  670. package/lib/vendor/blamejs/lib/restore-bundle.js +340 -0
  671. package/lib/vendor/blamejs/lib/restore-rollback.js +365 -0
  672. package/lib/vendor/blamejs/lib/restore.js +409 -0
  673. package/lib/vendor/blamejs/lib/retention.js +640 -0
  674. package/lib/vendor/blamejs/lib/retry.js +523 -0
  675. package/lib/vendor/blamejs/lib/router.js +1289 -0
  676. package/lib/vendor/blamejs/lib/safe-async.js +1184 -0
  677. package/lib/vendor/blamejs/lib/safe-buffer.js +562 -0
  678. package/lib/vendor/blamejs/lib/safe-decompress.js +297 -0
  679. package/lib/vendor/blamejs/lib/safe-dns.js +665 -0
  680. package/lib/vendor/blamejs/lib/safe-ical.js +634 -0
  681. package/lib/vendor/blamejs/lib/safe-icap.js +502 -0
  682. package/lib/vendor/blamejs/lib/safe-json.js +946 -0
  683. package/lib/vendor/blamejs/lib/safe-jsonpath.js +285 -0
  684. package/lib/vendor/blamejs/lib/safe-mime.js +831 -0
  685. package/lib/vendor/blamejs/lib/safe-mount-info.js +306 -0
  686. package/lib/vendor/blamejs/lib/safe-path.js +254 -0
  687. package/lib/vendor/blamejs/lib/safe-redirect.js +106 -0
  688. package/lib/vendor/blamejs/lib/safe-schema.js +1810 -0
  689. package/lib/vendor/blamejs/lib/safe-sieve.js +684 -0
  690. package/lib/vendor/blamejs/lib/safe-smtp.js +185 -0
  691. package/lib/vendor/blamejs/lib/safe-sql.js +363 -0
  692. package/lib/vendor/blamejs/lib/safe-url.js +428 -0
  693. package/lib/vendor/blamejs/lib/safe-vcard.js +473 -0
  694. package/lib/vendor/blamejs/lib/sandbox-worker.js +135 -0
  695. package/lib/vendor/blamejs/lib/sandbox.js +358 -0
  696. package/lib/vendor/blamejs/lib/scheduler.js +827 -0
  697. package/lib/vendor/blamejs/lib/sd-notify.js +269 -0
  698. package/lib/vendor/blamejs/lib/sec-cyber.js +214 -0
  699. package/lib/vendor/blamejs/lib/security-assert.js +395 -0
  700. package/lib/vendor/blamejs/lib/seeders.js +620 -0
  701. package/lib/vendor/blamejs/lib/self-update-standalone-verifier.js +309 -0
  702. package/lib/vendor/blamejs/lib/self-update.js +804 -0
  703. package/lib/vendor/blamejs/lib/server-timing.js +174 -0
  704. package/lib/vendor/blamejs/lib/session-device-binding.js +431 -0
  705. package/lib/vendor/blamejs/lib/session-stores.js +138 -0
  706. package/lib/vendor/blamejs/lib/session.js +1162 -0
  707. package/lib/vendor/blamejs/lib/slug.js +381 -0
  708. package/lib/vendor/blamejs/lib/sse.js +349 -0
  709. package/lib/vendor/blamejs/lib/ssrf-guard.js +792 -0
  710. package/lib/vendor/blamejs/lib/standard-webhooks.js +183 -0
  711. package/lib/vendor/blamejs/lib/static.js +1249 -0
  712. package/lib/vendor/blamejs/lib/storage.js +1272 -0
  713. package/lib/vendor/blamejs/lib/stream-throttle.js +235 -0
  714. package/lib/vendor/blamejs/lib/structured-fields.js +244 -0
  715. package/lib/vendor/blamejs/lib/subject.js +667 -0
  716. package/lib/vendor/blamejs/lib/tcpa-10dlc.js +175 -0
  717. package/lib/vendor/blamejs/lib/template.js +931 -0
  718. package/lib/vendor/blamejs/lib/tenant-quota.js +545 -0
  719. package/lib/vendor/blamejs/lib/test-harness.js +275 -0
  720. package/lib/vendor/blamejs/lib/testing.js +1185 -0
  721. package/lib/vendor/blamejs/lib/time.js +578 -0
  722. package/lib/vendor/blamejs/lib/tls-exporter.js +239 -0
  723. package/lib/vendor/blamejs/lib/totp.js +318 -0
  724. package/lib/vendor/blamejs/lib/tracing.js +546 -0
  725. package/lib/vendor/blamejs/lib/uuid.js +207 -0
  726. package/lib/vendor/blamejs/lib/validate-opts.js +381 -0
  727. package/lib/vendor/blamejs/lib/vault/index.js +638 -0
  728. package/lib/vendor/blamejs/lib/vault/passphrase-ops.js +311 -0
  729. package/lib/vendor/blamejs/lib/vault/passphrase-source.js +198 -0
  730. package/lib/vendor/blamejs/lib/vault/rotate.js +803 -0
  731. package/lib/vendor/blamejs/lib/vault/seal-pem-file.js +471 -0
  732. package/lib/vendor/blamejs/lib/vault/wrap.js +296 -0
  733. package/lib/vendor/blamejs/lib/vault-aad.js +259 -0
  734. package/lib/vendor/blamejs/lib/vendor/.vendor-data-pubkey +4 -0
  735. package/lib/vendor/blamejs/lib/vendor/MANIFEST.json +161 -0
  736. package/lib/vendor/blamejs/lib/vendor/bimi-trust-anchors.data.js +68 -0
  737. package/lib/vendor/blamejs/lib/vendor/bimi-trust-anchors.pem +33 -0
  738. package/lib/vendor/blamejs/lib/vendor/common-passwords-top-10000.data.js +1325 -0
  739. package/lib/vendor/blamejs/lib/vendor/common-passwords-top-10000.txt +10002 -0
  740. package/lib/vendor/blamejs/lib/vendor/noble-ciphers.cjs +9 -0
  741. package/lib/vendor/blamejs/lib/vendor/noble-post-quantum.cjs +18 -0
  742. package/lib/vendor/blamejs/lib/vendor/pki.cjs +181 -0
  743. package/lib/vendor/blamejs/lib/vendor/public-suffix-list.dat +16382 -0
  744. package/lib/vendor/blamejs/lib/vendor/public-suffix-list.data.js +5881 -0
  745. package/lib/vendor/blamejs/lib/vendor/simplewebauthn-server.cjs +328 -0
  746. package/lib/vendor/blamejs/lib/vendor/vendor-data-pubkey.js +16 -0
  747. package/lib/vendor/blamejs/lib/vendor-data.js +520 -0
  748. package/lib/vendor/blamejs/lib/vex.js +630 -0
  749. package/lib/vendor/blamejs/lib/watcher.js +608 -0
  750. package/lib/vendor/blamejs/lib/web-push-vapid.js +322 -0
  751. package/lib/vendor/blamejs/lib/webhook.js +977 -0
  752. package/lib/vendor/blamejs/lib/websocket-channels.js +327 -0
  753. package/lib/vendor/blamejs/lib/websocket.js +1561 -0
  754. package/lib/vendor/blamejs/lib/wiki-concepts.js +338 -0
  755. package/lib/vendor/blamejs/lib/worker-pool.js +464 -0
  756. package/lib/vendor/blamejs/lib/ws-client.js +978 -0
  757. package/lib/vendor/blamejs/lib/xml-c14n.js +506 -0
  758. package/lib/vendor/blamejs/memory/specs/node-26-map-getorinsert-migration.md +164 -0
  759. package/lib/vendor/blamejs/oss-fuzz/projects/blamejs/Dockerfile +19 -0
  760. package/lib/vendor/blamejs/oss-fuzz/projects/blamejs/README.md +88 -0
  761. package/lib/vendor/blamejs/oss-fuzz/projects/blamejs/build.sh +26 -0
  762. package/lib/vendor/blamejs/oss-fuzz/projects/blamejs/project.yaml +28 -0
  763. package/lib/vendor/blamejs/package.json +81 -0
  764. package/lib/vendor/blamejs/release-notes/v0.0.x.json +310 -0
  765. package/lib/vendor/blamejs/release-notes/v0.1.x.json +1798 -0
  766. package/lib/vendor/blamejs/release-notes/v0.10.x.json +1288 -0
  767. package/lib/vendor/blamejs/release-notes/v0.11.x.json +2551 -0
  768. package/lib/vendor/blamejs/release-notes/v0.12.0.json +64 -0
  769. package/lib/vendor/blamejs/release-notes/v0.12.1.json +32 -0
  770. package/lib/vendor/blamejs/release-notes/v0.12.2.json +45 -0
  771. package/lib/vendor/blamejs/release-notes/v0.2.x.json +706 -0
  772. package/lib/vendor/blamejs/release-notes/v0.3.x.json +786 -0
  773. package/lib/vendor/blamejs/release-notes/v0.4.x.json +588 -0
  774. package/lib/vendor/blamejs/release-notes/v0.5.x.json +390 -0
  775. package/lib/vendor/blamejs/release-notes/v0.6.x.json +1947 -0
  776. package/lib/vendor/blamejs/release-notes/v0.7.x.json +3811 -0
  777. package/lib/vendor/blamejs/release-notes/v0.8.x.json +3318 -0
  778. package/lib/vendor/blamejs/release-notes/v0.9.x.json +2257 -0
  779. package/lib/vendor/blamejs/scripts/build-vendored-sbom.js +325 -0
  780. package/lib/vendor/blamejs/scripts/check-api-snapshot.js +62 -0
  781. package/lib/vendor/blamejs/scripts/check-changelog-extract.js +108 -0
  782. package/lib/vendor/blamejs/scripts/check-pack-against-gitignore.js +83 -0
  783. package/lib/vendor/blamejs/scripts/check-services.js +483 -0
  784. package/lib/vendor/blamejs/scripts/check-vendor-currency.js +349 -0
  785. package/lib/vendor/blamejs/scripts/consolidate-release-notes.js +216 -0
  786. package/lib/vendor/blamejs/scripts/gen-migrating.js +275 -0
  787. package/lib/vendor/blamejs/scripts/generate-changelog-entry.js +577 -0
  788. package/lib/vendor/blamejs/scripts/generate-release-signing-key.js +79 -0
  789. package/lib/vendor/blamejs/scripts/publish-dep-confusion-placeholder.sh +101 -0
  790. package/lib/vendor/blamejs/scripts/refresh-api-snapshot.js +31 -0
  791. package/lib/vendor/blamejs/scripts/refresh-vendor-manifest.js +132 -0
  792. package/lib/vendor/blamejs/scripts/release.js +652 -0
  793. package/lib/vendor/blamejs/scripts/sha3-digest.js +62 -0
  794. package/lib/vendor/blamejs/scripts/sign-release-artifact.js +92 -0
  795. package/lib/vendor/blamejs/scripts/test-integration.js +181 -0
  796. package/lib/vendor/blamejs/scripts/test-wiki-integration.js +126 -0
  797. package/lib/vendor/blamejs/scripts/validate-source-comment-blocks.js +77 -0
  798. package/lib/vendor/blamejs/scripts/vendor-data-gen.js +186 -0
  799. package/lib/vendor/blamejs/scripts/vendor-data-keygen.js +101 -0
  800. package/lib/vendor/blamejs/scripts/vendor-update.sh +278 -0
  801. package/lib/vendor/blamejs/test/00-primitives.js +19075 -0
  802. package/lib/vendor/blamejs/test/10-state.js +622 -0
  803. package/lib/vendor/blamejs/test/20-db.js +561 -0
  804. package/lib/vendor/blamejs/test/30-chain.js +2110 -0
  805. package/lib/vendor/blamejs/test/40-consumers.js +2453 -0
  806. package/lib/vendor/blamejs/test/50-integration.js +486 -0
  807. package/lib/vendor/blamejs/test/_helpers.js +10 -0
  808. package/lib/vendor/blamejs/test/_smoke-worker.js +69 -0
  809. package/lib/vendor/blamejs/test/fixtures/exploit-corpus/corpus.json +368 -0
  810. package/lib/vendor/blamejs/test/fixtures/http-client-stream-payload.txt +2 -0
  811. package/lib/vendor/blamejs/test/fixtures/worker-pool/echo.js +52 -0
  812. package/lib/vendor/blamejs/test/helpers/_codebase-shingle-worker.js +24 -0
  813. package/lib/vendor/blamejs/test/helpers/_codebase-shingle.js +203 -0
  814. package/lib/vendor/blamejs/test/helpers/_shape-match.js +513 -0
  815. package/lib/vendor/blamejs/test/helpers/check.js +36 -0
  816. package/lib/vendor/blamejs/test/helpers/cluster.js +70 -0
  817. package/lib/vendor/blamejs/test/helpers/db.js +143 -0
  818. package/lib/vendor/blamejs/test/helpers/drivers.js +207 -0
  819. package/lib/vendor/blamejs/test/helpers/fs-watch.js +101 -0
  820. package/lib/vendor/blamejs/test/helpers/http.js +14 -0
  821. package/lib/vendor/blamejs/test/helpers/index.js +93 -0
  822. package/lib/vendor/blamejs/test/helpers/json-round-trip.js +120 -0
  823. package/lib/vendor/blamejs/test/helpers/mocks.js +20 -0
  824. package/lib/vendor/blamejs/test/helpers/otel.js +13 -0
  825. package/lib/vendor/blamejs/test/helpers/services.js +380 -0
  826. package/lib/vendor/blamejs/test/helpers/wait.js +206 -0
  827. package/lib/vendor/blamejs/test/integration/cache.test.js +235 -0
  828. package/lib/vendor/blamejs/test/integration/cluster-provider-mysql.test.js +174 -0
  829. package/lib/vendor/blamejs/test/integration/federation-auth.test.js +611 -0
  830. package/lib/vendor/blamejs/test/integration/http-client.test.js +129 -0
  831. package/lib/vendor/blamejs/test/integration/log-stream.test.js +219 -0
  832. package/lib/vendor/blamejs/test/integration/mail-crypto-smime.test.js +181 -0
  833. package/lib/vendor/blamejs/test/integration/mail-dkim.test.js +152 -0
  834. package/lib/vendor/blamejs/test/integration/mail-smtp.test.js +161 -0
  835. package/lib/vendor/blamejs/test/integration/mtls-ca.test.js +289 -0
  836. package/lib/vendor/blamejs/test/integration/network-dns.test.js +123 -0
  837. package/lib/vendor/blamejs/test/integration/network-heartbeat.test.js +101 -0
  838. package/lib/vendor/blamejs/test/integration/ntp-check.test.js +89 -0
  839. package/lib/vendor/blamejs/test/integration/object-store-sigv4.test.js +403 -0
  840. package/lib/vendor/blamejs/test/integration/pqc-pkcs8-forward-compat.test.js +271 -0
  841. package/lib/vendor/blamejs/test/integration/pubsub.test.js +137 -0
  842. package/lib/vendor/blamejs/test/integration/queue-redis.test.js +352 -0
  843. package/lib/vendor/blamejs/test/integration/redis-client-tls.test.js +96 -0
  844. package/lib/vendor/blamejs/test/integration/ssrf-guard.test.js +98 -0
  845. package/lib/vendor/blamejs/test/integration/websocket-permessage-deflate.test.js +261 -0
  846. package/lib/vendor/blamejs/test/integration/ws-client-roundtrip.test.js +230 -0
  847. package/lib/vendor/blamejs/test/layer-0-primitives/a2a-tasks.test.js +211 -0
  848. package/lib/vendor/blamejs/test/layer-0-primitives/a2a.test.js +59 -0
  849. package/lib/vendor/blamejs/test/layer-0-primitives/access-lock.test.js +136 -0
  850. package/lib/vendor/blamejs/test/layer-0-primitives/acme.test.js +219 -0
  851. package/lib/vendor/blamejs/test/layer-0-primitives/age-gate.test.js +69 -0
  852. package/lib/vendor/blamejs/test/layer-0-primitives/agent-event-bus.test.js +266 -0
  853. package/lib/vendor/blamejs/test/layer-0-primitives/agent-idempotency.test.js +262 -0
  854. package/lib/vendor/blamejs/test/layer-0-primitives/agent-orchestrator.test.js +390 -0
  855. package/lib/vendor/blamejs/test/layer-0-primitives/agent-posture-chain.test.js +174 -0
  856. package/lib/vendor/blamejs/test/layer-0-primitives/agent-saga.test.js +279 -0
  857. package/lib/vendor/blamejs/test/layer-0-primitives/agent-snapshot.test.js +322 -0
  858. package/lib/vendor/blamejs/test/layer-0-primitives/agent-stream.test.js +227 -0
  859. package/lib/vendor/blamejs/test/layer-0-primitives/agent-tenant.test.js +302 -0
  860. package/lib/vendor/blamejs/test/layer-0-primitives/agent-trace.test.js +150 -0
  861. package/lib/vendor/blamejs/test/layer-0-primitives/ai-adverse-decision.test.js +44 -0
  862. package/lib/vendor/blamejs/test/layer-0-primitives/ai-content-detect.test.js +150 -0
  863. package/lib/vendor/blamejs/test/layer-0-primitives/ai-input.test.js +50 -0
  864. package/lib/vendor/blamejs/test/layer-0-primitives/ai-model-manifest.test.js +96 -0
  865. package/lib/vendor/blamejs/test/layer-0-primitives/ai-pref.test.js +76 -0
  866. package/lib/vendor/blamejs/test/layer-0-primitives/api-encrypt.test.js +1080 -0
  867. package/lib/vendor/blamejs/test/layer-0-primitives/app-shutdown.test.js +311 -0
  868. package/lib/vendor/blamejs/test/layer-0-primitives/archive-zip-stream.test.js +291 -0
  869. package/lib/vendor/blamejs/test/layer-0-primitives/archive.test.js +140 -0
  870. package/lib/vendor/blamejs/test/layer-0-primitives/arg-parser.test.js +267 -0
  871. package/lib/vendor/blamejs/test/layer-0-primitives/asn1-der.test.js +108 -0
  872. package/lib/vendor/blamejs/test/layer-0-primitives/asyncapi.test.js +929 -0
  873. package/lib/vendor/blamejs/test/layer-0-primitives/atomic-file-conflict-path.test.js +80 -0
  874. package/lib/vendor/blamejs/test/layer-0-primitives/audit-cve-defensive.test.js +176 -0
  875. package/lib/vendor/blamejs/test/layer-0-primitives/audit-daily-review.test.js +132 -0
  876. package/lib/vendor/blamejs/test/layer-0-primitives/audit-export-cadf.test.js +97 -0
  877. package/lib/vendor/blamejs/test/layer-0-primitives/audit-framework-namespaces.test.js +141 -0
  878. package/lib/vendor/blamejs/test/layer-0-primitives/audit-segregation.test.js +115 -0
  879. package/lib/vendor/blamejs/test/layer-0-primitives/audit-sign-ml-dsa-65.test.js +163 -0
  880. package/lib/vendor/blamejs/test/layer-0-primitives/audit-use-store.test.js +246 -0
  881. package/lib/vendor/blamejs/test/layer-0-primitives/auth-bot-challenge-verifier.test.js +485 -0
  882. package/lib/vendor/blamejs/test/layer-0-primitives/auth-bot-challenge.test.js +331 -0
  883. package/lib/vendor/blamejs/test/layer-0-primitives/auth-jwt-defenses.test.js +352 -0
  884. package/lib/vendor/blamejs/test/layer-0-primitives/auth-lockout.test.js +572 -0
  885. package/lib/vendor/blamejs/test/layer-0-primitives/auth-password-audit.test.js +61 -0
  886. package/lib/vendor/blamejs/test/layer-0-primitives/azure-blob-bucket-ops.test.js +258 -0
  887. package/lib/vendor/blamejs/test/layer-0-primitives/backup-manifest-signature.test.js +105 -0
  888. package/lib/vendor/blamejs/test/layer-0-primitives/backup-worker.test.js +34 -0
  889. package/lib/vendor/blamejs/test/layer-0-primitives/bearer-auth.test.js +107 -0
  890. package/lib/vendor/blamejs/test/layer-0-primitives/body-parser-chunked-malformed.test.js +131 -0
  891. package/lib/vendor/blamejs/test/layer-0-primitives/body-parser-smuggling.test.js +118 -0
  892. package/lib/vendor/blamejs/test/layer-0-primitives/boot-gates.test.js +85 -0
  893. package/lib/vendor/blamejs/test/layer-0-primitives/breach-deadline.test.js +38 -0
  894. package/lib/vendor/blamejs/test/layer-0-primitives/break-glass.test.js +861 -0
  895. package/lib/vendor/blamejs/test/layer-0-primitives/budr.test.js +55 -0
  896. package/lib/vendor/blamejs/test/layer-0-primitives/bundler-engine.test.js +209 -0
  897. package/lib/vendor/blamejs/test/layer-0-primitives/cache-status.test.js +129 -0
  898. package/lib/vendor/blamejs/test/layer-0-primitives/cache.test.js +871 -0
  899. package/lib/vendor/blamejs/test/layer-0-primitives/calendar.test.js +891 -0
  900. package/lib/vendor/blamejs/test/layer-0-primitives/canonical-json-jcs.test.js +43 -0
  901. package/lib/vendor/blamejs/test/layer-0-primitives/cdn-cache-control.test.js +243 -0
  902. package/lib/vendor/blamejs/test/layer-0-primitives/cert.test.js +550 -0
  903. package/lib/vendor/blamejs/test/layer-0-primitives/clear-site-data.test.js +107 -0
  904. package/lib/vendor/blamejs/test/layer-0-primitives/cli-api-key.test.js +147 -0
  905. package/lib/vendor/blamejs/test/layer-0-primitives/cli-audit-verify-chain.test.js +104 -0
  906. package/lib/vendor/blamejs/test/layer-0-primitives/cli-backup.test.js +135 -0
  907. package/lib/vendor/blamejs/test/layer-0-primitives/cli-config-drift.test.js +67 -0
  908. package/lib/vendor/blamejs/test/layer-0-primitives/cli-erase.test.js +75 -0
  909. package/lib/vendor/blamejs/test/layer-0-primitives/cli-file-type.test.js +98 -0
  910. package/lib/vendor/blamejs/test/layer-0-primitives/cli-helpers.test.js +145 -0
  911. package/lib/vendor/blamejs/test/layer-0-primitives/cli-mtls.test.js +133 -0
  912. package/lib/vendor/blamejs/test/layer-0-primitives/cli-password.test.js +97 -0
  913. package/lib/vendor/blamejs/test/layer-0-primitives/cli-restore.test.js +160 -0
  914. package/lib/vendor/blamejs/test/layer-0-primitives/cli-retention.test.js +84 -0
  915. package/lib/vendor/blamejs/test/layer-0-primitives/cli-security.test.js +69 -0
  916. package/lib/vendor/blamejs/test/layer-0-primitives/cli-vault.test.js +142 -0
  917. package/lib/vendor/blamejs/test/layer-0-primitives/client-hints.test.js +133 -0
  918. package/lib/vendor/blamejs/test/layer-0-primitives/cms-codec.test.js +237 -0
  919. package/lib/vendor/blamejs/test/layer-0-primitives/codebase-patterns.test.js +9600 -0
  920. package/lib/vendor/blamejs/test/layer-0-primitives/compliance-ai-act.test.js +575 -0
  921. package/lib/vendor/blamejs/test/layer-0-primitives/compliance-cascade.test.js +89 -0
  922. package/lib/vendor/blamejs/test/layer-0-primitives/compliance-eaa.test.js +36 -0
  923. package/lib/vendor/blamejs/test/layer-0-primitives/compliance-sanctions.test.js +712 -0
  924. package/lib/vendor/blamejs/test/layer-0-primitives/compliance.test.js +278 -0
  925. package/lib/vendor/blamejs/test/layer-0-primitives/config-drift.test.js +97 -0
  926. package/lib/vendor/blamejs/test/layer-0-primitives/config.test.js +424 -0
  927. package/lib/vendor/blamejs/test/layer-0-primitives/content-credentials.test.js +94 -0
  928. package/lib/vendor/blamejs/test/layer-0-primitives/cors.test.js +357 -0
  929. package/lib/vendor/blamejs/test/layer-0-primitives/cra-report.test.js +31 -0
  930. package/lib/vendor/blamejs/test/layer-0-primitives/credential-hash.test.js +226 -0
  931. package/lib/vendor/blamejs/test/layer-0-primitives/crypto-base64url.test.js +86 -0
  932. package/lib/vendor/blamejs/test/layer-0-primitives/crypto-envelope.test.js +85 -0
  933. package/lib/vendor/blamejs/test/layer-0-primitives/crypto-hash-files-parallel.test.js +193 -0
  934. package/lib/vendor/blamejs/test/layer-0-primitives/crypto-hash-stream.test.js +98 -0
  935. package/lib/vendor/blamejs/test/layer-0-primitives/crypto-hpke-pq.test.js +132 -0
  936. package/lib/vendor/blamejs/test/layer-0-primitives/crypto-hpke.test.js +155 -0
  937. package/lib/vendor/blamejs/test/layer-0-primitives/crypto-mlkem768-x25519.test.js +129 -0
  938. package/lib/vendor/blamejs/test/layer-0-primitives/crypto-namespace-hash.test.js +0 -0
  939. package/lib/vendor/blamejs/test/layer-0-primitives/crypto-random-int.test.js +72 -0
  940. package/lib/vendor/blamejs/test/layer-0-primitives/csp-builder.test.js +96 -0
  941. package/lib/vendor/blamejs/test/layer-0-primitives/csp-nonce.test.js +401 -0
  942. package/lib/vendor/blamejs/test/layer-0-primitives/csp-report.test.js +34 -0
  943. package/lib/vendor/blamejs/test/layer-0-primitives/csv.test.js +180 -0
  944. package/lib/vendor/blamejs/test/layer-0-primitives/daemon.test.js +210 -0
  945. package/lib/vendor/blamejs/test/layer-0-primitives/daily-byte-quota.test.js +153 -0
  946. package/lib/vendor/blamejs/test/layer-0-primitives/dark-patterns.test.js +66 -0
  947. package/lib/vendor/blamejs/test/layer-0-primitives/data-act.test.js +74 -0
  948. package/lib/vendor/blamejs/test/layer-0-primitives/db-collection-extensions.test.js +226 -0
  949. package/lib/vendor/blamejs/test/layer-0-primitives/db-collection.test.js +136 -0
  950. package/lib/vendor/blamejs/test/layer-0-primitives/db-init-extensions.test.js +165 -0
  951. package/lib/vendor/blamejs/test/layer-0-primitives/db-query-cross-schema.test.js +150 -0
  952. package/lib/vendor/blamejs/test/layer-0-primitives/db-query-extensions.test.js +191 -0
  953. package/lib/vendor/blamejs/test/layer-0-primitives/db-role-for.test.js +228 -0
  954. package/lib/vendor/blamejs/test/layer-0-primitives/db-vacuum.test.js +55 -0
  955. package/lib/vendor/blamejs/test/layer-0-primitives/db-worm.test.js +89 -0
  956. package/lib/vendor/blamejs/test/layer-0-primitives/ddl-change-control.test.js +184 -0
  957. package/lib/vendor/blamejs/test/layer-0-primitives/declare-row-policy.test.js +203 -0
  958. package/lib/vendor/blamejs/test/layer-0-primitives/declare-view.test.js +303 -0
  959. package/lib/vendor/blamejs/test/layer-0-primitives/dns-dnssec-algorithm.test.js +163 -0
  960. package/lib/vendor/blamejs/test/layer-0-primitives/dns-null-mx.test.js +39 -0
  961. package/lib/vendor/blamejs/test/layer-0-primitives/dora.test.js +165 -0
  962. package/lib/vendor/blamejs/test/layer-0-primitives/dr-runbook.test.js +59 -0
  963. package/lib/vendor/blamejs/test/layer-0-primitives/dsr-state-rules.test.js +55 -0
  964. package/lib/vendor/blamejs/test/layer-0-primitives/dsr.test.js +786 -0
  965. package/lib/vendor/blamejs/test/layer-0-primitives/dual-control.test.js +105 -0
  966. package/lib/vendor/blamejs/test/layer-0-primitives/early-hints.test.js +147 -0
  967. package/lib/vendor/blamejs/test/layer-0-primitives/events.test.js +105 -0
  968. package/lib/vendor/blamejs/test/layer-0-primitives/exploit-replay.test.js +243 -0
  969. package/lib/vendor/blamejs/test/layer-0-primitives/external-db-hardening.test.js +181 -0
  970. package/lib/vendor/blamejs/test/layer-0-primitives/external-db-migrate.test.js +190 -0
  971. package/lib/vendor/blamejs/test/layer-0-primitives/external-db-routing.test.js +531 -0
  972. package/lib/vendor/blamejs/test/layer-0-primitives/fal.test.js +118 -0
  973. package/lib/vendor/blamejs/test/layer-0-primitives/fapi2.test.js +89 -0
  974. package/lib/vendor/blamejs/test/layer-0-primitives/fda-21cfr11.test.js +156 -0
  975. package/lib/vendor/blamejs/test/layer-0-primitives/fdx.test.js +79 -0
  976. package/lib/vendor/blamejs/test/layer-0-primitives/fedcm-dbsc.test.js +216 -0
  977. package/lib/vendor/blamejs/test/layer-0-primitives/federation-vc-suite.test.js +434 -0
  978. package/lib/vendor/blamejs/test/layer-0-primitives/fido-mds3.test.js +432 -0
  979. package/lib/vendor/blamejs/test/layer-0-primitives/file-type.test.js +81 -0
  980. package/lib/vendor/blamejs/test/layer-0-primitives/flag.test.js +887 -0
  981. package/lib/vendor/blamejs/test/layer-0-primitives/forensic-snapshot.test.js +51 -0
  982. package/lib/vendor/blamejs/test/layer-0-primitives/fsm.test.js +375 -0
  983. package/lib/vendor/blamejs/test/layer-0-primitives/gcs-bucket-ops.test.js +321 -0
  984. package/lib/vendor/blamejs/test/layer-0-primitives/gdpr-ropa.test.js +41 -0
  985. package/lib/vendor/blamejs/test/layer-0-primitives/graphql-federation.test.js +32 -0
  986. package/lib/vendor/blamejs/test/layer-0-primitives/guard-agent-registry.test.js +87 -0
  987. package/lib/vendor/blamejs/test/layer-0-primitives/guard-all.test.js +328 -0
  988. package/lib/vendor/blamejs/test/layer-0-primitives/guard-archive.test.js +339 -0
  989. package/lib/vendor/blamejs/test/layer-0-primitives/guard-csv.test.js +694 -0
  990. package/lib/vendor/blamejs/test/layer-0-primitives/guard-dsn.test.js +296 -0
  991. package/lib/vendor/blamejs/test/layer-0-primitives/guard-email.test.js +234 -0
  992. package/lib/vendor/blamejs/test/layer-0-primitives/guard-envelope.test.js +192 -0
  993. package/lib/vendor/blamejs/test/layer-0-primitives/guard-event-bus-payload.test.js +89 -0
  994. package/lib/vendor/blamejs/test/layer-0-primitives/guard-event-bus-topic.test.js +71 -0
  995. package/lib/vendor/blamejs/test/layer-0-primitives/guard-filename.test.js +386 -0
  996. package/lib/vendor/blamejs/test/layer-0-primitives/guard-html-wcag.test.js +859 -0
  997. package/lib/vendor/blamejs/test/layer-0-primitives/guard-html.test.js +357 -0
  998. package/lib/vendor/blamejs/test/layer-0-primitives/guard-idempotency-key.test.js +92 -0
  999. package/lib/vendor/blamejs/test/layer-0-primitives/guard-imap-command.test.js +0 -0
  1000. package/lib/vendor/blamejs/test/layer-0-primitives/guard-jmap.test.js +174 -0
  1001. package/lib/vendor/blamejs/test/layer-0-primitives/guard-json.test.js +317 -0
  1002. package/lib/vendor/blamejs/test/layer-0-primitives/guard-list-id.test.js +199 -0
  1003. package/lib/vendor/blamejs/test/layer-0-primitives/guard-list-unsubscribe.test.js +214 -0
  1004. package/lib/vendor/blamejs/test/layer-0-primitives/guard-mail-compose.test.js +111 -0
  1005. package/lib/vendor/blamejs/test/layer-0-primitives/guard-mail-move.test.js +110 -0
  1006. package/lib/vendor/blamejs/test/layer-0-primitives/guard-mail-query.test.js +112 -0
  1007. package/lib/vendor/blamejs/test/layer-0-primitives/guard-mail-reply.test.js +86 -0
  1008. package/lib/vendor/blamejs/test/layer-0-primitives/guard-mail-sieve.test.js +92 -0
  1009. package/lib/vendor/blamejs/test/layer-0-primitives/guard-managesieve-command.test.js +301 -0
  1010. package/lib/vendor/blamejs/test/layer-0-primitives/guard-markdown.test.js +265 -0
  1011. package/lib/vendor/blamejs/test/layer-0-primitives/guard-message-id.test.js +0 -0
  1012. package/lib/vendor/blamejs/test/layer-0-primitives/guard-pop3-command.test.js +161 -0
  1013. package/lib/vendor/blamejs/test/layer-0-primitives/guard-posture-chain.test.js +100 -0
  1014. package/lib/vendor/blamejs/test/layer-0-primitives/guard-saga-config.test.js +79 -0
  1015. package/lib/vendor/blamejs/test/layer-0-primitives/guard-smtp-command.test.js +269 -0
  1016. package/lib/vendor/blamejs/test/layer-0-primitives/guard-snapshot-envelope.test.js +89 -0
  1017. package/lib/vendor/blamejs/test/layer-0-primitives/guard-stream-args.test.js +78 -0
  1018. package/lib/vendor/blamejs/test/layer-0-primitives/guard-svg.test.js +288 -0
  1019. package/lib/vendor/blamejs/test/layer-0-primitives/guard-tenant-id.test.js +69 -0
  1020. package/lib/vendor/blamejs/test/layer-0-primitives/guard-trace-context.test.js +102 -0
  1021. package/lib/vendor/blamejs/test/layer-0-primitives/guard-xml.test.js +202 -0
  1022. package/lib/vendor/blamejs/test/layer-0-primitives/guard-yaml.test.js +203 -0
  1023. package/lib/vendor/blamejs/test/layer-0-primitives/hal.test.js +51 -0
  1024. package/lib/vendor/blamejs/test/layer-0-primitives/honeytoken.test.js +50 -0
  1025. package/lib/vendor/blamejs/test/layer-0-primitives/html-balance.test.js +37 -0
  1026. package/lib/vendor/blamejs/test/layer-0-primitives/http-client-cache.test.js +692 -0
  1027. package/lib/vendor/blamejs/test/layer-0-primitives/http-client-stream.test.js +280 -0
  1028. package/lib/vendor/blamejs/test/layer-0-primitives/http-message-signature.test.js +225 -0
  1029. package/lib/vendor/blamejs/test/layer-0-primitives/i18n-messageformat.test.js +203 -0
  1030. package/lib/vendor/blamejs/test/layer-0-primitives/i18n.test.js +991 -0
  1031. package/lib/vendor/blamejs/test/layer-0-primitives/iab-mspa.test.js +63 -0
  1032. package/lib/vendor/blamejs/test/layer-0-primitives/iab-tcf.test.js +73 -0
  1033. package/lib/vendor/blamejs/test/layer-0-primitives/idempotency-key.test.js +612 -0
  1034. package/lib/vendor/blamejs/test/layer-0-primitives/importmap-integrity.test.js +56 -0
  1035. package/lib/vendor/blamejs/test/layer-0-primitives/inbox.test.js +166 -0
  1036. package/lib/vendor/blamejs/test/layer-0-primitives/incident-report.test.js +29 -0
  1037. package/lib/vendor/blamejs/test/layer-0-primitives/jose-jwe-experimental.test.js +121 -0
  1038. package/lib/vendor/blamejs/test/layer-0-primitives/json-api.test.js +58 -0
  1039. package/lib/vendor/blamejs/test/layer-0-primitives/json-round-trip-helper.test.js +110 -0
  1040. package/lib/vendor/blamejs/test/layer-0-primitives/jwt-external.test.js +159 -0
  1041. package/lib/vendor/blamejs/test/layer-0-primitives/keychain.test.js +0 -0
  1042. package/lib/vendor/blamejs/test/layer-0-primitives/legal-hold.test.js +118 -0
  1043. package/lib/vendor/blamejs/test/layer-0-primitives/local-db-thin.test.js +150 -0
  1044. package/lib/vendor/blamejs/test/layer-0-primitives/log-stream-cloudwatch.test.js +489 -0
  1045. package/lib/vendor/blamejs/test/layer-0-primitives/log-stream-otlp-grpc.test.js +207 -0
  1046. package/lib/vendor/blamejs/test/layer-0-primitives/log-stream-otlp.test.js +283 -0
  1047. package/lib/vendor/blamejs/test/layer-0-primitives/lro.test.js +65 -0
  1048. package/lib/vendor/blamejs/test/layer-0-primitives/mail-agent.test.js +417 -0
  1049. package/lib/vendor/blamejs/test/layer-0-primitives/mail-arf.test.js +208 -0
  1050. package/lib/vendor/blamejs/test/layer-0-primitives/mail-auth.test.js +910 -0
  1051. package/lib/vendor/blamejs/test/layer-0-primitives/mail-bimi.test.js +502 -0
  1052. package/lib/vendor/blamejs/test/layer-0-primitives/mail-bounce.test.js +680 -0
  1053. package/lib/vendor/blamejs/test/layer-0-primitives/mail-canspam.test.js +128 -0
  1054. package/lib/vendor/blamejs/test/layer-0-primitives/mail-crypto-pgp-experimental.test.js +149 -0
  1055. package/lib/vendor/blamejs/test/layer-0-primitives/mail-crypto-pgp.test.js +323 -0
  1056. package/lib/vendor/blamejs/test/layer-0-primitives/mail-crypto-smime.test.js +297 -0
  1057. package/lib/vendor/blamejs/test/layer-0-primitives/mail-dav.test.js +514 -0
  1058. package/lib/vendor/blamejs/test/layer-0-primitives/mail-deploy-tlsrpt.test.js +369 -0
  1059. package/lib/vendor/blamejs/test/layer-0-primitives/mail-deploy.test.js +199 -0
  1060. package/lib/vendor/blamejs/test/layer-0-primitives/mail-dkim.test.js +627 -0
  1061. package/lib/vendor/blamejs/test/layer-0-primitives/mail-feedback-id.test.js +56 -0
  1062. package/lib/vendor/blamejs/test/layer-0-primitives/mail-greylist.test.js +217 -0
  1063. package/lib/vendor/blamejs/test/layer-0-primitives/mail-helo.test.js +283 -0
  1064. package/lib/vendor/blamejs/test/layer-0-primitives/mail-journal.test.js +217 -0
  1065. package/lib/vendor/blamejs/test/layer-0-primitives/mail-mdn.test.js +334 -0
  1066. package/lib/vendor/blamejs/test/layer-0-primitives/mail-rbl.test.js +271 -0
  1067. package/lib/vendor/blamejs/test/layer-0-primitives/mail-require-tls.test.js +128 -0
  1068. package/lib/vendor/blamejs/test/layer-0-primitives/mail-scan.test.js +215 -0
  1069. package/lib/vendor/blamejs/test/layer-0-primitives/mail-send-deliver.test.js +336 -0
  1070. package/lib/vendor/blamejs/test/layer-0-primitives/mail-server-imap.test.js +732 -0
  1071. package/lib/vendor/blamejs/test/layer-0-primitives/mail-server-jmap.test.js +840 -0
  1072. package/lib/vendor/blamejs/test/layer-0-primitives/mail-server-managesieve.test.js +130 -0
  1073. package/lib/vendor/blamejs/test/layer-0-primitives/mail-server-mx.test.js +285 -0
  1074. package/lib/vendor/blamejs/test/layer-0-primitives/mail-server-pop3.test.js +74 -0
  1075. package/lib/vendor/blamejs/test/layer-0-primitives/mail-server-rate-limit.test.js +112 -0
  1076. package/lib/vendor/blamejs/test/layer-0-primitives/mail-server-registry.test.js +229 -0
  1077. package/lib/vendor/blamejs/test/layer-0-primitives/mail-server-submission.test.js +394 -0
  1078. package/lib/vendor/blamejs/test/layer-0-primitives/mail-server-tls.test.js +147 -0
  1079. package/lib/vendor/blamejs/test/layer-0-primitives/mail-sieve.test.js +151 -0
  1080. package/lib/vendor/blamejs/test/layer-0-primitives/mail-spam-score.test.js +204 -0
  1081. package/lib/vendor/blamejs/test/layer-0-primitives/mail-srs.test.js +152 -0
  1082. package/lib/vendor/blamejs/test/layer-0-primitives/mail-store-fts.test.js +279 -0
  1083. package/lib/vendor/blamejs/test/layer-0-primitives/mail-store.test.js +323 -0
  1084. package/lib/vendor/blamejs/test/layer-0-primitives/mail-unsubscribe.test.js +165 -0
  1085. package/lib/vendor/blamejs/test/layer-0-primitives/mail.test.js +439 -0
  1086. package/lib/vendor/blamejs/test/layer-0-primitives/mcp-tool-registry.test.js +202 -0
  1087. package/lib/vendor/blamejs/test/layer-0-primitives/mcp.test.js +155 -0
  1088. package/lib/vendor/blamejs/test/layer-0-primitives/metrics-shadow-registry.test.js +112 -0
  1089. package/lib/vendor/blamejs/test/layer-0-primitives/metrics-snapshot.test.js +224 -0
  1090. package/lib/vendor/blamejs/test/layer-0-primitives/middleware-compose-pipeline.test.js +278 -0
  1091. package/lib/vendor/blamejs/test/layer-0-primitives/money.test.js +376 -0
  1092. package/lib/vendor/blamejs/test/layer-0-primitives/mtls-ca-paths.test.js +89 -0
  1093. package/lib/vendor/blamejs/test/layer-0-primitives/nel.test.js +200 -0
  1094. package/lib/vendor/blamejs/test/layer-0-primitives/network-allowlist.test.js +106 -0
  1095. package/lib/vendor/blamejs/test/layer-0-primitives/network-byte-quota.test.js +133 -0
  1096. package/lib/vendor/blamejs/test/layer-0-primitives/network-dns-resolver.test.js +372 -0
  1097. package/lib/vendor/blamejs/test/layer-0-primitives/network-dns.test.js +635 -0
  1098. package/lib/vendor/blamejs/test/layer-0-primitives/network-heartbeat-passive.test.js +128 -0
  1099. package/lib/vendor/blamejs/test/layer-0-primitives/network-tls-build-options.test.js +130 -0
  1100. package/lib/vendor/blamejs/test/layer-0-primitives/network-tls-ct-inclusion.test.js +179 -0
  1101. package/lib/vendor/blamejs/test/layer-0-primitives/network-tls.test.js +447 -0
  1102. package/lib/vendor/blamejs/test/layer-0-primitives/network.test.js +369 -0
  1103. package/lib/vendor/blamejs/test/layer-0-primitives/nis2-report.test.js +21 -0
  1104. package/lib/vendor/blamejs/test/layer-0-primitives/nist-crosswalk.test.js +42 -0
  1105. package/lib/vendor/blamejs/test/layer-0-primitives/no-cache.test.js +98 -0
  1106. package/lib/vendor/blamejs/test/layer-0-primitives/notify.test.js +707 -0
  1107. package/lib/vendor/blamejs/test/layer-0-primitives/numeric-bounds.test.js +142 -0
  1108. package/lib/vendor/blamejs/test/layer-0-primitives/oauth-callback.test.js +72 -0
  1109. package/lib/vendor/blamejs/test/layer-0-primitives/observability-tracing.test.js +597 -0
  1110. package/lib/vendor/blamejs/test/layer-0-primitives/observability.test.js +190 -0
  1111. package/lib/vendor/blamejs/test/layer-0-primitives/openapi.test.js +877 -0
  1112. package/lib/vendor/blamejs/test/layer-0-primitives/otel-export.test.js +257 -0
  1113. package/lib/vendor/blamejs/test/layer-0-primitives/pagination.test.js +522 -0
  1114. package/lib/vendor/blamejs/test/layer-0-primitives/parsers-standalone.test.js +216 -0
  1115. package/lib/vendor/blamejs/test/layer-0-primitives/passkey.test.js +324 -0
  1116. package/lib/vendor/blamejs/test/layer-0-primitives/permissions.test.js +546 -0
  1117. package/lib/vendor/blamejs/test/layer-0-primitives/pqc-agent-curve.test.js +153 -0
  1118. package/lib/vendor/blamejs/test/layer-0-primitives/pqc-software.test.js +94 -0
  1119. package/lib/vendor/blamejs/test/layer-0-primitives/problem-details.test.js +195 -0
  1120. package/lib/vendor/blamejs/test/layer-0-primitives/process-spawn.test.js +62 -0
  1121. package/lib/vendor/blamejs/test/layer-0-primitives/promise-pool.test.js +93 -0
  1122. package/lib/vendor/blamejs/test/layer-0-primitives/protected-resource-metadata.test.js +68 -0
  1123. package/lib/vendor/blamejs/test/layer-0-primitives/protobuf-encoder.test.js +138 -0
  1124. package/lib/vendor/blamejs/test/layer-0-primitives/protocol-dispatcher.test.js +174 -0
  1125. package/lib/vendor/blamejs/test/layer-0-primitives/public-suffix.test.js +197 -0
  1126. package/lib/vendor/blamejs/test/layer-0-primitives/pubsub.test.js +232 -0
  1127. package/lib/vendor/blamejs/test/layer-0-primitives/queue-dlq-extend-lease.test.js +178 -0
  1128. package/lib/vendor/blamejs/test/layer-0-primitives/queue-flow-repeat.test.js +322 -0
  1129. package/lib/vendor/blamejs/test/layer-0-primitives/queue-priority-rate-progress.test.js +266 -0
  1130. package/lib/vendor/blamejs/test/layer-0-primitives/queue-sqs.test.js +300 -0
  1131. package/lib/vendor/blamejs/test/layer-0-primitives/rate-limit-cluster.test.js +338 -0
  1132. package/lib/vendor/blamejs/test/layer-0-primitives/rate-limit-registry.test.js +75 -0
  1133. package/lib/vendor/blamejs/test/layer-0-primitives/redact-dlp.test.js +246 -0
  1134. package/lib/vendor/blamejs/test/layer-0-primitives/redis-client.test.js +130 -0
  1135. package/lib/vendor/blamejs/test/layer-0-primitives/request-helpers.test.js +335 -0
  1136. package/lib/vendor/blamejs/test/layer-0-primitives/request-log.test.js +170 -0
  1137. package/lib/vendor/blamejs/test/layer-0-primitives/require-auth-cache-control.test.js +93 -0
  1138. package/lib/vendor/blamejs/test/layer-0-primitives/require-mtls.test.js +34 -0
  1139. package/lib/vendor/blamejs/test/layer-0-primitives/resource-access-lock.test.js +52 -0
  1140. package/lib/vendor/blamejs/test/layer-0-primitives/retention-floor.test.js +67 -0
  1141. package/lib/vendor/blamejs/test/layer-0-primitives/retry.test.js +535 -0
  1142. package/lib/vendor/blamejs/test/layer-0-primitives/router-cross-origin-redirect.test.js +0 -0
  1143. package/lib/vendor/blamejs/test/layer-0-primitives/router-tls0rtt.test.js +128 -0
  1144. package/lib/vendor/blamejs/test/layer-0-primitives/safe-async-loops.test.js +163 -0
  1145. package/lib/vendor/blamejs/test/layer-0-primitives/safe-async-parallel.test.js +170 -0
  1146. package/lib/vendor/blamejs/test/layer-0-primitives/safe-decompress.test.js +248 -0
  1147. package/lib/vendor/blamejs/test/layer-0-primitives/safe-dns.test.js +451 -0
  1148. package/lib/vendor/blamejs/test/layer-0-primitives/safe-ical.test.js +289 -0
  1149. package/lib/vendor/blamejs/test/layer-0-primitives/safe-icap.test.js +206 -0
  1150. package/lib/vendor/blamejs/test/layer-0-primitives/safe-jsonpath.test.js +104 -0
  1151. package/lib/vendor/blamejs/test/layer-0-primitives/safe-mime.test.js +339 -0
  1152. package/lib/vendor/blamejs/test/layer-0-primitives/safe-mount-info.test.js +180 -0
  1153. package/lib/vendor/blamejs/test/layer-0-primitives/safe-path.test.js +78 -0
  1154. package/lib/vendor/blamejs/test/layer-0-primitives/safe-sieve.test.js +123 -0
  1155. package/lib/vendor/blamejs/test/layer-0-primitives/safe-smtp.test.js +95 -0
  1156. package/lib/vendor/blamejs/test/layer-0-primitives/safe-url-idn-homograph.test.js +77 -0
  1157. package/lib/vendor/blamejs/test/layer-0-primitives/safe-vcard.test.js +257 -0
  1158. package/lib/vendor/blamejs/test/layer-0-primitives/saml-slo.test.js +249 -0
  1159. package/lib/vendor/blamejs/test/layer-0-primitives/sandbox.test.js +228 -0
  1160. package/lib/vendor/blamejs/test/layer-0-primitives/scheduler-exactly-once.test.js +238 -0
  1161. package/lib/vendor/blamejs/test/layer-0-primitives/scim-server.test.js +92 -0
  1162. package/lib/vendor/blamejs/test/layer-0-primitives/sd-jwt-vc.test.js +700 -0
  1163. package/lib/vendor/blamejs/test/layer-0-primitives/sd-notify.test.js +67 -0
  1164. package/lib/vendor/blamejs/test/layer-0-primitives/sec-cyber.test.js +85 -0
  1165. package/lib/vendor/blamejs/test/layer-0-primitives/security-assert.test.js +107 -0
  1166. package/lib/vendor/blamejs/test/layer-0-primitives/security-headers.test.js +175 -0
  1167. package/lib/vendor/blamejs/test/layer-0-primitives/seeders.test.js +816 -0
  1168. package/lib/vendor/blamejs/test/layer-0-primitives/self-update-standalone-verifier.test.js +168 -0
  1169. package/lib/vendor/blamejs/test/layer-0-primitives/self-update.test.js +302 -0
  1170. package/lib/vendor/blamejs/test/layer-0-primitives/server-timing.test.js +93 -0
  1171. package/lib/vendor/blamejs/test/layer-0-primitives/session-device-binding.test.js +247 -0
  1172. package/lib/vendor/blamejs/test/layer-0-primitives/session-extensions.test.js +295 -0
  1173. package/lib/vendor/blamejs/test/layer-0-primitives/shape-match.test.js +142 -0
  1174. package/lib/vendor/blamejs/test/layer-0-primitives/sigv4-bucket-ops.test.js +952 -0
  1175. package/lib/vendor/blamejs/test/layer-0-primitives/sigv4-multipart-sse.test.js +441 -0
  1176. package/lib/vendor/blamejs/test/layer-0-primitives/slug.test.js +330 -0
  1177. package/lib/vendor/blamejs/test/layer-0-primitives/smtp-policy.test.js +233 -0
  1178. package/lib/vendor/blamejs/test/layer-0-primitives/source-comment-blocks.test.js +105 -0
  1179. package/lib/vendor/blamejs/test/layer-0-primitives/speculation-rules.test.js +319 -0
  1180. package/lib/vendor/blamejs/test/layer-0-primitives/sse.test.js +148 -0
  1181. package/lib/vendor/blamejs/test/layer-0-primitives/ssrf-guard.test.js +283 -0
  1182. package/lib/vendor/blamejs/test/layer-0-primitives/standard-webhooks.test.js +67 -0
  1183. package/lib/vendor/blamejs/test/layer-0-primitives/static.test.js +266 -0
  1184. package/lib/vendor/blamejs/test/layer-0-primitives/step-up.test.js +487 -0
  1185. package/lib/vendor/blamejs/test/layer-0-primitives/storage-chunk-scratch.test.js +0 -0
  1186. package/lib/vendor/blamejs/test/layer-0-primitives/storage-presigned-url.test.js +773 -0
  1187. package/lib/vendor/blamejs/test/layer-0-primitives/stream-throttle.test.js +173 -0
  1188. package/lib/vendor/blamejs/test/layer-0-primitives/structured-fields.test.js +180 -0
  1189. package/lib/vendor/blamejs/test/layer-0-primitives/tcpa-10dlc.test.js +66 -0
  1190. package/lib/vendor/blamejs/test/layer-0-primitives/tenant-quota.test.js +89 -0
  1191. package/lib/vendor/blamejs/test/layer-0-primitives/test-coverage.test.js +571 -0
  1192. package/lib/vendor/blamejs/test/layer-0-primitives/test-harness.test.js +190 -0
  1193. package/lib/vendor/blamejs/test/layer-0-primitives/testing-request.test.js +119 -0
  1194. package/lib/vendor/blamejs/test/layer-0-primitives/testing.test.js +522 -0
  1195. package/lib/vendor/blamejs/test/layer-0-primitives/time.test.js +151 -0
  1196. package/lib/vendor/blamejs/test/layer-0-primitives/tls-exporter.test.js +168 -0
  1197. package/lib/vendor/blamejs/test/layer-0-primitives/tls-ocsp-ct.test.js +275 -0
  1198. package/lib/vendor/blamejs/test/layer-0-primitives/tls-ocsp-verify.test.js +105 -0
  1199. package/lib/vendor/blamejs/test/layer-0-primitives/tls-pinset-drift.test.js +35 -0
  1200. package/lib/vendor/blamejs/test/layer-0-primitives/tls-preferred-groups.test.js +81 -0
  1201. package/lib/vendor/blamejs/test/layer-0-primitives/tracing.test.js +280 -0
  1202. package/lib/vendor/blamejs/test/layer-0-primitives/uuid.test.js +93 -0
  1203. package/lib/vendor/blamejs/test/layer-0-primitives/vault-aad.test.js +277 -0
  1204. package/lib/vendor/blamejs/test/layer-0-primitives/vault-seal-pem-file.test.js +252 -0
  1205. package/lib/vendor/blamejs/test/layer-0-primitives/vendor-data.test.js +149 -0
  1206. package/lib/vendor/blamejs/test/layer-0-primitives/vendor-manifest.test.js +92 -0
  1207. package/lib/vendor/blamejs/test/layer-0-primitives/vex.test.js +661 -0
  1208. package/lib/vendor/blamejs/test/layer-0-primitives/watcher.test.js +308 -0
  1209. package/lib/vendor/blamejs/test/layer-0-primitives/web-push-vapid.test.js +144 -0
  1210. package/lib/vendor/blamejs/test/layer-0-primitives/webhook.test.js +674 -0
  1211. package/lib/vendor/blamejs/test/layer-0-primitives/websocket-channels.test.js +360 -0
  1212. package/lib/vendor/blamejs/test/layer-0-primitives/worker-pool.test.js +302 -0
  1213. package/lib/vendor/blamejs/test/layer-0-primitives/ws-client.test.js +349 -0
  1214. package/lib/vendor/blamejs/test/layer-1-state/api-key.test.js +717 -0
  1215. package/lib/vendor/blamejs/test/layer-5-integration/bundler-output.test.js +444 -0
  1216. package/lib/vendor/blamejs/test/layer-5-integration/guard-host-integration.test.js +597 -0
  1217. package/lib/vendor/blamejs/test/layer-5-integration/security-chaos.test.js +308 -0
  1218. package/lib/vendor/blamejs/test/smoke.js +431 -0
  1219. package/lib/webhooks.js +305 -0
  1220. package/package.json +43 -0
@@ -0,0 +1,1113 @@
1
+ "use strict";
2
+ /**
3
+ * @module b.auditTools
4
+ * @nav Observability
5
+ * @title Audit Tools
6
+ *
7
+ * @intro
8
+ * Operator-side audit-chain inspection / export — verify chain
9
+ * integrity end-to-end, export RFC 8785 canonical-JSON slices,
10
+ * format rows for downstream SIEM (CADF / ISO 19395), and generate
11
+ * tamper-evident compliance-evidence bundles auditors can verify
12
+ * off-line.
13
+ *
14
+ * Four core operations on top of the live `audit_log` chain:
15
+ *
16
+ * archive(opts) Bundle rows older than `before` into a
17
+ * PQC-encrypted archive with chain proof + a
18
+ * covering signed checkpoint. Live rows are
19
+ * untouched until a separate `purge()` call.
20
+ * exportSlice(opts) Auditor-shaped slice (date range / action
21
+ * filter) with chain proof — deliver evidence
22
+ * to an external auditor without surrendering
23
+ * the whole log.
24
+ * verifyBundle(opts) Round-trip integrity: decrypt the bundle,
25
+ * walk chain math across the contained rows,
26
+ * verify the covering checkpoint's ML-DSA
27
+ * signature (archive bundles only).
28
+ * purge(opts) Confirmation-gated deletion of live rows
29
+ * already captured in a verified archive
30
+ * bundle. Inserts a purge-anchor so
31
+ * `b.audit.verify()` keeps working post-purge.
32
+ *
33
+ * Bundle layout (POSIX-flat directory; matches the backup-bundle
34
+ * shape so operators see one mental model for "encrypted blamejs
35
+ * bundle"):
36
+ *
37
+ * <out>/manifest.json Canonical-JSON manifest (format / kind /
38
+ * range / rowCount / per-blob salts /
39
+ * framework version; archive bundles also
40
+ * carry the covering checkpoint summary).
41
+ * <out>/rows.enc PQC-encrypted JSONL of audit rows in
42
+ * sealed form so rowHash stays computable
43
+ * from disk bytes byte-for-byte.
44
+ * <out>/checkpoint.enc Archive-only. PQC-encrypted JSON of the
45
+ * covering audit_checkpoints row.
46
+ *
47
+ * `kind="archive"` bundles always include a covering checkpoint
48
+ * (atMonotonicCounter >= lastCounter) so the off-chain signature
49
+ * tamper-evidences the whole archive. `kind="export"` bundles are
50
+ * auditor evidence; the chain math is self-contained, with the
51
+ * upstream signature anchor optional.
52
+ *
53
+ * @card
54
+ * Operator-side audit-chain inspection / export — verify chain integrity end-to-end, export RFC 8785 canonical-JSON slices, format rows for downstream SIEM (CADF / ISO 19395), and generate tamper-evident compliance-evidence bundles auditors can verify off-line.
55
+ */
56
+
57
+ var nodeFs = require("node:fs");
58
+ var nodePath = require("node:path");
59
+ var pkg = require("../package.json");
60
+ var atomicFile = require("./atomic-file");
61
+ var auditChain = require("./audit-chain");
62
+ var canonicalJson = require("./canonical-json");
63
+ var auditSign = require("./audit-sign");
64
+ var backupCrypto = require("./backup/crypto");
65
+ var clusterStorage = require("./cluster-storage");
66
+ var lazyRequire = require("./lazy-require");
67
+ var validateOpts = require("./validate-opts");
68
+ var safeJson = require("./safe-json");
69
+ var { defineClass } = require("./framework-error");
70
+
71
+ var FRAMEWORK_VERSION = (pkg && pkg.version) || "unknown";
72
+
73
+ // Lazy `db` — db requires audit at top-of-file, audit transitively
74
+ // reaches into audit-tools via the operator-supplied default fns,
75
+ // so importing db at audit-tools' top would close the cycle. Lazy
76
+ // keeps the load order one-way.
77
+ var db = lazyRequire(function () { return require("./db"); });
78
+
79
+ var AuditToolsError = defineClass("AuditToolsError", { alwaysPermanent: true });
80
+
81
+ var BUNDLE_FORMAT = "blamejs-audit-bundle-v1";
82
+ var KIND_ARCHIVE = "archive";
83
+ var KIND_EXPORT = "export";
84
+ var VALID_KINDS = { archive: true, export: true };
85
+
86
+ // ---- Helpers ----
87
+
88
+ function _toMs(value) {
89
+ if (value == null) return null;
90
+ if (typeof value === "number") return value;
91
+ if (value instanceof Date) return value.getTime();
92
+ if (typeof value === "string") {
93
+ var ms = Date.parse(value);
94
+ if (isNaN(ms)) {
95
+ throw new AuditToolsError("audit-tools/bad-date",
96
+ "invalid date value: " + value);
97
+ }
98
+ return ms;
99
+ }
100
+ throw new AuditToolsError("audit-tools/bad-date",
101
+ "date must be a number, Date, or parseable string");
102
+ }
103
+
104
+ function _requirePassphrase(passphrase) {
105
+ if (!Buffer.isBuffer(passphrase) && typeof passphrase !== "string") {
106
+ throw new AuditToolsError("audit-tools/no-passphrase",
107
+ "opts.passphrase is required (Buffer or string)");
108
+ }
109
+ if (passphrase.length === 0) {
110
+ throw new AuditToolsError("audit-tools/no-passphrase",
111
+ "opts.passphrase must be non-empty");
112
+ }
113
+ }
114
+
115
+ function _requireOutDir(outDir, kind) {
116
+ if (typeof outDir !== "string" || outDir.length === 0) {
117
+ throw new AuditToolsError("audit-tools/no-outdir",
118
+ kind + ": opts.out is required");
119
+ }
120
+ if (nodeFs.existsSync(outDir)) {
121
+ throw new AuditToolsError("audit-tools/outdir-exists",
122
+ kind + ": out already exists: " + outDir +
123
+ " (refusing to overwrite — pick a fresh path)");
124
+ }
125
+ }
126
+
127
+ // Canonical-JSON via the shared lib/canonical-json walker — same bytes
128
+ // as audit-chain.canonicalize, config-drift._stableStringify, and
129
+ // pagination._canonicalize for the same input. Pre-v0.6.67 each site
130
+ // had its own copy of the walk, all carrying the same silent-loss bug
131
+ // for Date / Buffer / Map / Set / BigInt / circular renodeFs.
132
+ function _canonicalize(value) { return canonicalJson.stringify(value); }
133
+
134
+ // Convert a single audit_log row to its on-disk-canonical JSON shape.
135
+ // Buffers become hex strings (matches audit-chain.canonicalize). Used
136
+ // so JSONL written into rows.enc has the exact bytes a verifier needs
137
+ // to recompute rowHash.
138
+ function _rowToWireForm(row) {
139
+ var out = {};
140
+ var keys = Object.keys(row);
141
+ for (var i = 0; i < keys.length; i++) {
142
+ var k = keys[i];
143
+ var v = row[k];
144
+ if (Buffer.isBuffer(v)) out[k] = "hex:" + v.toString("hex");
145
+ else if (v instanceof Uint8Array) out[k] = "hex:" + Buffer.from(v).toString("hex");
146
+ else if (v === undefined) out[k] = null;
147
+ else out[k] = v;
148
+ }
149
+ return out;
150
+ }
151
+
152
+ // F-AUD-4 — operator-facing wire helper that surfaces recordedAt as
153
+ // ISO-8601 / RFC 3339 alongside the existing Unix-ms integer.
154
+ // Auditors comparing rows against external SIEM events expect ISO
155
+ // with explicit Z; the framework's primary ms storage stays
156
+ // unchanged AND _rowToWireForm (which the chain-hash canonicalizes
157
+ // over) doesn't change its bytes — so chain verify continues to
158
+ // match. Operators call this on retrieved rows for export.
159
+ /**
160
+ * @primitive b.auditTools.withRecordedAtIso
161
+ * @signature b.auditTools.withRecordedAtIso(row)
162
+ * @since 0.7.30
163
+ * @related b.auditTools.exportSlice, b.auditTools.exportCadf
164
+ *
165
+ * Surface `recordedAt` as ISO-8601 / RFC 3339 (with explicit `Z`)
166
+ * alongside the framework's primary Unix-ms integer. Auditors
167
+ * comparing rows against external SIEM events expect ISO; the chain
168
+ * hash is unaffected because the canonical wire form used for
169
+ * hashing doesn't include the derived `recordedAtIso` field.
170
+ *
171
+ * Returns a shallow copy with `recordedAtIso` added when
172
+ * `recordedAt` is a finite number / bigint; otherwise returns the
173
+ * input unchanged.
174
+ *
175
+ * @example
176
+ * var row = { _id: "evt-1", recordedAt: 1762560000000, action: "auth.login" };
177
+ * var formatted = b.auditTools.withRecordedAtIso(row);
178
+ * // → { _id: "evt-1", recordedAt: 1762560000000,
179
+ * // recordedAtIso: "2025-11-08T00:00:00.000Z", action: "auth.login" }
180
+ */
181
+ function withRecordedAtIso(row) {
182
+ if (!row) return row;
183
+ var out = Object.assign({}, row);
184
+ if (typeof row.recordedAt === "number" || typeof row.recordedAt === "bigint") {
185
+ var ms = typeof row.recordedAt === "bigint" ? Number(row.recordedAt) : row.recordedAt;
186
+ if (isFinite(ms)) out.recordedAtIso = new Date(ms).toISOString();
187
+ }
188
+ return out;
189
+ }
190
+
191
+ function _wireFormToRow(wire) {
192
+ var out = {};
193
+ var keys = Object.keys(wire);
194
+ for (var i = 0; i < keys.length; i++) {
195
+ var k = keys[i];
196
+ var v = wire[k];
197
+ if (typeof v === "string" && v.indexOf("hex:") === 0) {
198
+ out[k] = Buffer.from(v.slice(4), "hex");
199
+ } else {
200
+ out[k] = v;
201
+ }
202
+ }
203
+ return out;
204
+ }
205
+
206
+ // Walk a slice of audit rows recomputing their hash chain. Returns
207
+ // { ok, rowsVerified, breakAt? }. The starting prevHash is the caller's
208
+ // responsibility — for archive/export slices it's the row preceding the
209
+ // slice's first row (which is itself in the bundle's manifest as a
210
+ // witness, or ZERO_HASH for slices that start at counter=1).
211
+ function _verifyChainSlice(rows, startPrevHash) {
212
+ var prevHash = startPrevHash;
213
+ for (var i = 0; i < rows.length; i++) {
214
+ var row = rows[i];
215
+ if (row.prevHash !== prevHash) {
216
+ return {
217
+ ok: false, rowsVerified: i, breakAt: i,
218
+ reason: "prevHash mismatch",
219
+ expected: prevHash,
220
+ actual: row.prevHash,
221
+ };
222
+ }
223
+ var fields = Object.assign({}, row);
224
+ delete fields.prevHash;
225
+ delete fields.rowHash;
226
+ delete fields.nonce;
227
+ delete fields.fencingToken;
228
+ var nonceBuf = Buffer.isBuffer(row.nonce) ? row.nonce : Buffer.from(row.nonce);
229
+ var computed = auditChain.computeRowHash(prevHash, fields, nonceBuf);
230
+ if (computed !== row.rowHash) {
231
+ return {
232
+ ok: false, rowsVerified: i, breakAt: i,
233
+ reason: "rowHash mismatch",
234
+ expected: computed,
235
+ actual: row.rowHash,
236
+ };
237
+ }
238
+ prevHash = row.rowHash;
239
+ }
240
+ return { ok: true, rowsVerified: rows.length, lastHash: prevHash };
241
+ }
242
+
243
+ // Read all audit rows from the operator's reader. Defaults to a
244
+ // cluster-storage reader so the tooling works in both single-node and
245
+ // cluster deployments without the caller knowing which mode is active.
246
+ async function _defaultReadRows(criteria) {
247
+ var sql = 'SELECT * FROM "audit_log"';
248
+ var conds = [];
249
+ var params = [];
250
+ if (criteria.fromMs != null) { conds.push("recordedAt >= ?"); params.push(criteria.fromMs); }
251
+ if (criteria.toMs != null) { conds.push("recordedAt <= ?"); params.push(criteria.toMs); }
252
+ if (criteria.beforeMs != null) { conds.push("recordedAt < ?"); params.push(criteria.beforeMs); }
253
+ if (criteria.action) { conds.push("action = ?"); params.push(criteria.action); }
254
+ if (criteria.firstCounter != null) { conds.push("monotonicCounter >= ?"); params.push(criteria.firstCounter); }
255
+ if (criteria.lastCounter != null) { conds.push("monotonicCounter <= ?"); params.push(criteria.lastCounter); }
256
+ if (conds.length > 0) sql += " WHERE " + conds.join(" AND ");
257
+ sql += " ORDER BY monotonicCounter ASC";
258
+ return clusterStorage.executeAll(sql, params);
259
+ }
260
+
261
+ async function _defaultReadCoveringCheckpoint(lastCounter) {
262
+ return clusterStorage.executeOne(
263
+ "SELECT * FROM audit_checkpoints " +
264
+ "WHERE atMonotonicCounter >= ? " +
265
+ "ORDER BY atMonotonicCounter ASC LIMIT 1",
266
+ [lastCounter]
267
+ );
268
+ }
269
+
270
+ async function _defaultReadPredecessorRowHash(firstCounter) {
271
+ if (firstCounter <= 1) return auditChain.ZERO_HASH;
272
+ var row = await clusterStorage.executeOne(
273
+ "SELECT rowHash FROM audit_log WHERE monotonicCounter = ?",
274
+ [firstCounter - 1]
275
+ );
276
+ if (!row) {
277
+ // First row of the slice is right after a purged range. Read the
278
+ // purge anchor's lastRowHash instead.
279
+ var anchor = await clusterStorage.executeOne(
280
+ "SELECT lastPurgedRowHash, lastPurgedCounter FROM _blamejs_audit_purge_anchor " +
281
+ "WHERE scope = 'audit'"
282
+ );
283
+ if (anchor && Number(anchor.lastPurgedCounter) === firstCounter - 1) {
284
+ return anchor.lastPurgedRowHash;
285
+ }
286
+ throw new AuditToolsError("audit-tools/no-predecessor",
287
+ "predecessor row at counter=" + (firstCounter - 1) + " missing — chain proof would be ungrounded");
288
+ }
289
+ return row.rowHash;
290
+ }
291
+
292
+ // ---- Bundle writer ----
293
+
294
+ async function _writeBundle(args) {
295
+ var outDir = args.outDir;
296
+ var kind = args.kind;
297
+ var rows = args.rows;
298
+ var checkpoint = args.checkpoint || null;
299
+ var passphrase = args.passphrase;
300
+ var predecessorRowHash = args.predecessorRowHash;
301
+
302
+ atomicFile.ensureDir(outDir);
303
+
304
+ var firstRow = rows[0];
305
+ var lastRow = rows[rows.length - 1];
306
+
307
+ // 1. Encrypt the rows JSONL
308
+ var jsonl = rows.map(function (r) {
309
+ return JSON.stringify(_rowToWireForm(r));
310
+ }).join("\n") + "\n";
311
+ var rowsEnc = await backupCrypto.encryptWithFreshSalt(jsonl, passphrase);
312
+ atomicFile.writeSync(nodePath.join(outDir, "rows.enc"), rowsEnc.encrypted, { fileMode: 0o600 });
313
+
314
+ // 2. (archive) Encrypt the checkpoint JSON
315
+ var checkpointSalt = null;
316
+ if (checkpoint) {
317
+ var ckptJson = _canonicalize(_rowToWireForm(checkpoint));
318
+ var ckptEnc = await backupCrypto.encryptWithFreshSalt(ckptJson, passphrase);
319
+ atomicFile.writeSync(nodePath.join(outDir, "checkpoint.enc"), ckptEnc.encrypted, { fileMode: 0o600 });
320
+ checkpointSalt = ckptEnc.salt;
321
+ }
322
+
323
+ // 3. Build manifest
324
+ var manifest = {
325
+ format: BUNDLE_FORMAT,
326
+ kind: kind,
327
+ createdAt: Date.now(),
328
+ frameworkVersion: FRAMEWORK_VERSION,
329
+ rowCount: rows.length,
330
+ range: {
331
+ firstCounter: Number(firstRow.monotonicCounter),
332
+ lastCounter: Number(lastRow.monotonicCounter),
333
+ firstRecordedAt: Number(firstRow.recordedAt),
334
+ lastRecordedAt: Number(lastRow.recordedAt),
335
+ firstRowHash: String(firstRow.rowHash),
336
+ lastRowHash: String(lastRow.rowHash),
337
+ predecessorRowHash: String(predecessorRowHash),
338
+ },
339
+ salts: {
340
+ rows: rowsEnc.salt,
341
+ checkpoint: checkpointSalt,
342
+ },
343
+ checksum: {
344
+ rowsSha3_512: backupCrypto.checksum(rowsEnc.encrypted),
345
+ checkpointSha3_512: checkpointSalt
346
+ ? backupCrypto.checksum(nodeFs.readFileSync(nodePath.join(outDir, "checkpoint.enc")))
347
+ : null,
348
+ },
349
+ };
350
+ if (checkpoint) {
351
+ manifest.checkpoint = {
352
+ atMonotonicCounter: Number(checkpoint.atMonotonicCounter),
353
+ atRowHash: String(checkpoint.atRowHash),
354
+ publicKeyFingerprint: String(checkpoint.publicKeyFingerprint),
355
+ checkpointId: String(checkpoint._id),
356
+ };
357
+ }
358
+ var manifestPath = nodePath.join(outDir, "manifest.json");
359
+ atomicFile.writeSync(manifestPath, _canonicalize(manifest), { fileMode: 0o600 });
360
+ return { manifest: manifest, manifestPath: manifestPath };
361
+ }
362
+
363
+ // ---- Bundle reader ----
364
+
365
+ async function _readBundle(inDir, passphrase) {
366
+ if (typeof inDir !== "string" || !nodeFs.existsSync(inDir)) {
367
+ throw new AuditToolsError("audit-tools/no-bundle",
368
+ "bundle directory does not exist: " + inDir);
369
+ }
370
+ var manifestPath = nodePath.join(inDir, "manifest.json");
371
+ if (!nodeFs.existsSync(manifestPath)) {
372
+ throw new AuditToolsError("audit-tools/no-manifest",
373
+ "manifest.json missing in " + inDir);
374
+ }
375
+ var manifest = safeJson.parse(nodeFs.readFileSync(manifestPath, "utf8"));
376
+ if (!manifest || manifest.format !== BUNDLE_FORMAT) {
377
+ throw new AuditToolsError("audit-tools/bad-format",
378
+ "manifest.format is not " + BUNDLE_FORMAT);
379
+ }
380
+ if (!VALID_KINDS[manifest.kind]) {
381
+ throw new AuditToolsError("audit-tools/bad-kind",
382
+ "manifest.kind must be one of " + Object.keys(VALID_KINDS).join(", "));
383
+ }
384
+
385
+ var rowsEncPath = nodePath.join(inDir, "rows.enc");
386
+ if (!nodeFs.existsSync(rowsEncPath)) {
387
+ throw new AuditToolsError("audit-tools/no-rows-blob",
388
+ "rows.enc missing in " + inDir);
389
+ }
390
+ var rowsEnc = nodeFs.readFileSync(rowsEncPath);
391
+ if (manifest.checksum && manifest.checksum.rowsSha3_512 &&
392
+ backupCrypto.checksum(rowsEnc) !== manifest.checksum.rowsSha3_512) {
393
+ throw new AuditToolsError("audit-tools/rows-checksum-mismatch",
394
+ "rows.enc checksum does not match manifest — bundle was tampered with");
395
+ }
396
+ var rowsPlainBuf = await backupCrypto.decryptWithPassphrase(rowsEnc, passphrase, manifest.salts.rows);
397
+ var rowsPlain = rowsPlainBuf.toString("utf8");
398
+ var lines = rowsPlain.split("\n").filter(function (l) { return l.length > 0; });
399
+ var rows = lines.map(function (l) { return _wireFormToRow(safeJson.parse(l)); });
400
+
401
+ var checkpoint = null;
402
+ if (manifest.kind === KIND_ARCHIVE) {
403
+ var ckptPath = nodePath.join(inDir, "checkpoint.enc");
404
+ if (!nodeFs.existsSync(ckptPath)) {
405
+ throw new AuditToolsError("audit-tools/no-checkpoint-blob",
406
+ "checkpoint.enc missing in " + inDir + " (archive bundles must include the covering checkpoint)");
407
+ }
408
+ var ckptEnc = nodeFs.readFileSync(ckptPath);
409
+ if (manifest.checksum && manifest.checksum.checkpointSha3_512 &&
410
+ backupCrypto.checksum(ckptEnc) !== manifest.checksum.checkpointSha3_512) {
411
+ throw new AuditToolsError("audit-tools/checkpoint-checksum-mismatch",
412
+ "checkpoint.enc checksum does not match manifest");
413
+ }
414
+ var ckptPlain = (await backupCrypto.decryptWithPassphrase(ckptEnc, passphrase, manifest.salts.checkpoint))
415
+ .toString("utf8");
416
+ checkpoint = _wireFormToRow(safeJson.parse(ckptPlain));
417
+ }
418
+
419
+ return { manifest: manifest, rows: rows, checkpoint: checkpoint };
420
+ }
421
+
422
+ // ---- Public ops ----
423
+
424
+ /**
425
+ * @primitive b.auditTools.archive
426
+ * @signature b.auditTools.archive(opts)
427
+ * @since 0.7.30
428
+ * @compliance hipaa, pci-dss, gdpr, soc2, sox-404
429
+ * @related b.auditTools.verifyBundle, b.auditTools.purge, b.audit.checkpoint
430
+ *
431
+ * Bundle every audit row older than `opts.before` into a
432
+ * PQC-encrypted archive (XChaCha20-Poly1305 + Argon2id-derived key)
433
+ * containing a chain proof and the covering ML-DSA-87 checkpoint.
434
+ * Live rows are untouched — call `b.auditTools.purge` separately
435
+ * once the archive is verified.
436
+ *
437
+ * Refuses if `opts.out` exists, no rows match, or no signed
438
+ * checkpoint covers the slice (run `b.audit.checkpoint()` first).
439
+ *
440
+ * @opts
441
+ * out: string, // fresh directory path for the bundle
442
+ * before: number|Date|string, // archive rows recordedAt < this
443
+ * passphrase: Buffer|string, // bundle-encryption passphrase
444
+ *
445
+ * @example
446
+ * var ninetyDaysAgo = Date.now() - 90 * 24 * 60 * 60 * 1000;
447
+ * var result = await b.auditTools.archive({
448
+ * out: "/var/audit/2026-Q1.bundle",
449
+ * before: ninetyDaysAgo,
450
+ * passphrase: process.env.AUDIT_BUNDLE_PASSPHRASE,
451
+ * });
452
+ * // → { rowCount: 14823, range: { firstCounter: 1, lastCounter: 14823, ... },
453
+ * // manifestPath: "/var/audit/2026-Q1.bundle/manifest.json", ... }
454
+ */
455
+ async function archive(opts) {
456
+ opts = opts || {};
457
+ _requirePassphrase(opts.passphrase);
458
+ _requireOutDir(opts.out, "archive");
459
+ var beforeMs = _toMs(opts.before);
460
+ if (beforeMs == null) {
461
+ throw new AuditToolsError("audit-tools/no-before",
462
+ "archive: opts.before is required (date older than which rows are archived)");
463
+ }
464
+ var readRows = opts.readRows || _defaultReadRows;
465
+ var readCovering = opts.readCoveringCheckpoint || _defaultReadCoveringCheckpoint;
466
+ var readPredecessorHash = opts.readPredecessorRowHash || _defaultReadPredecessorRowHash;
467
+
468
+ var rows = await readRows({ beforeMs: beforeMs });
469
+ if (rows.length === 0) {
470
+ throw new AuditToolsError("audit-tools/empty",
471
+ "archive: no audit rows match (before=" + new Date(beforeMs).toISOString() + ")");
472
+ }
473
+ var lastCounter = Number(rows[rows.length - 1].monotonicCounter);
474
+ var firstCounter = Number(rows[0].monotonicCounter);
475
+
476
+ var checkpoint = await readCovering(lastCounter);
477
+ if (!checkpoint) {
478
+ throw new AuditToolsError("audit-tools/no-covering-checkpoint",
479
+ "archive: no signed checkpoint covers counter=" + lastCounter +
480
+ " — run audit.checkpoint() before archiving so the bundle has an off-chain anchor");
481
+ }
482
+
483
+ var predecessorRowHash = await readPredecessorHash(firstCounter);
484
+
485
+ var written = await _writeBundle({
486
+ outDir: opts.out,
487
+ kind: KIND_ARCHIVE,
488
+ rows: rows,
489
+ checkpoint: checkpoint,
490
+ passphrase: opts.passphrase,
491
+ predecessorRowHash: predecessorRowHash,
492
+ });
493
+
494
+ return {
495
+ manifest: written.manifest,
496
+ manifestPath: written.manifestPath,
497
+ outDir: opts.out,
498
+ rowCount: rows.length,
499
+ range: written.manifest.range,
500
+ };
501
+ }
502
+
503
+ /**
504
+ * @primitive b.auditTools.exportSlice
505
+ * @signature b.auditTools.exportSlice(opts)
506
+ * @since 0.7.30
507
+ * @compliance hipaa, pci-dss, gdpr, soc2
508
+ * @related b.auditTools.archive, b.auditTools.verifyBundle, b.auditTools.exportCadf
509
+ *
510
+ * Auditor-shaped slice — bundle the audit rows in `[from, to]`
511
+ * (optionally filtered by exact `action`) into a PQC-encrypted
512
+ * directory carrying chain-proof material. Refuses non-contiguous
513
+ * slices because chain verification cannot ground a sequence with
514
+ * gaps in `monotonicCounter`.
515
+ *
516
+ * Use date-range filters that cover every row in the range; an
517
+ * action filter that drops intermediate counters is rejected with
518
+ * `audit-tools/non-contiguous`.
519
+ *
520
+ * @opts
521
+ * out: string, // fresh directory path
522
+ * from: number|Date|string, // recordedAt >= this (inclusive)
523
+ * to: number|Date|string, // recordedAt <= this (inclusive)
524
+ * action: string, // exact action match (optional)
525
+ * passphrase: Buffer|string, // bundle-encryption passphrase
526
+ *
527
+ * @example
528
+ * var bundle = await b.auditTools.exportSlice({
529
+ * out: "/tmp/audit-2026-q1.bundle",
530
+ * from: "2026-01-01T00:00:00Z",
531
+ * to: "2026-03-31T23:59:59Z",
532
+ * passphrase: process.env.AUDIT_BUNDLE_PASSPHRASE,
533
+ * });
534
+ * // → { rowCount: 4218, manifest: { kind: "export", ... }, ... }
535
+ */
536
+ async function exportSlice(opts) {
537
+ opts = opts || {};
538
+ _requirePassphrase(opts.passphrase);
539
+ _requireOutDir(opts.out, "export");
540
+ var fromMs = _toMs(opts.from);
541
+ var toMs = _toMs(opts.to);
542
+ var readRows = opts.readRows || _defaultReadRows;
543
+ var readPredecessorHash = opts.readPredecessorRowHash || _defaultReadPredecessorRowHash;
544
+
545
+ var criteria = {};
546
+ if (fromMs != null) criteria.fromMs = fromMs;
547
+ if (toMs != null) criteria.toMs = toMs;
548
+ if (opts.action) criteria.action = opts.action;
549
+
550
+ var rows = await readRows(criteria);
551
+ if (rows.length === 0) {
552
+ throw new AuditToolsError("audit-tools/empty",
553
+ "export: no audit rows match criteria");
554
+ }
555
+ // For an export the slice may be non-contiguous in counter space (e.g.
556
+ // filtered by action). Reject non-contiguous slices because chain
557
+ // verification can't ground a non-contiguous sequence.
558
+ for (var i = 1; i < rows.length; i++) {
559
+ var prev = Number(rows[i - 1].monotonicCounter);
560
+ var cur = Number(rows[i].monotonicCounter);
561
+ if (cur !== prev + 1) {
562
+ throw new AuditToolsError("audit-tools/non-contiguous",
563
+ "export: slice is non-contiguous in monotonicCounter (" + prev + " → " + cur + "). " +
564
+ "Filtered exports break chain proof; use date-range filters that cover all rows in the range.");
565
+ }
566
+ }
567
+ var firstCounter = Number(rows[0].monotonicCounter);
568
+ var predecessorRowHash = await readPredecessorHash(firstCounter);
569
+
570
+ var written = await _writeBundle({
571
+ outDir: opts.out,
572
+ kind: KIND_EXPORT,
573
+ rows: rows,
574
+ checkpoint: null,
575
+ passphrase: opts.passphrase,
576
+ predecessorRowHash: predecessorRowHash,
577
+ });
578
+
579
+ return {
580
+ manifest: written.manifest,
581
+ manifestPath: written.manifestPath,
582
+ outDir: opts.out,
583
+ rowCount: rows.length,
584
+ range: written.manifest.range,
585
+ };
586
+ }
587
+
588
+ /**
589
+ * @primitive b.auditTools.verifyBundle
590
+ * @signature b.auditTools.verifyBundle(opts)
591
+ * @since 0.7.30
592
+ * @compliance hipaa, pci-dss, gdpr, soc2, sox-404
593
+ * @related b.auditTools.archive, b.auditTools.exportSlice, b.auditTools.purge
594
+ *
595
+ * Round-trip integrity check on a bundle directory: decrypt
596
+ * `rows.enc`, walk the prevHash → rowHash chain across the contained
597
+ * rows starting from the manifest's `predecessorRowHash` witness,
598
+ * confirm `firstRowHash` / `lastRowHash` match, and (archive only)
599
+ * verify the covering checkpoint's ML-DSA-87 signature against the
600
+ * locally-loaded audit-sign public key (or `opts.verifySignature`
601
+ * for cross-machine auditors).
602
+ *
603
+ * Returns `{ ok: true, kind, rowsVerified, range, manifest }` on
604
+ * success or `{ ok: false, reason, breakAt? }` at the first break.
605
+ *
606
+ * @opts
607
+ * in: string, // bundle directory
608
+ * passphrase: Buffer|string, // decryption passphrase
609
+ * verifyCheckpointSignature: boolean, // default true
610
+ * verifySignature: function(checkpoint), // override the default verifier
611
+ * includeRows: boolean, // attach decrypted rows to result
612
+ *
613
+ * @example
614
+ * var result = await b.auditTools.verifyBundle({
615
+ * in: "/var/audit/2026-Q1.bundle",
616
+ * passphrase: process.env.AUDIT_BUNDLE_PASSPHRASE,
617
+ * });
618
+ * if (!result.ok) {
619
+ * console.error("bundle integrity break:", result.reason);
620
+ * process.exit(1);
621
+ * }
622
+ * // → { ok: true, kind: "archive", rowsVerified: 14823, range: { ... } }
623
+ */
624
+ async function verifyBundle(opts) {
625
+ opts = opts || {};
626
+ _requirePassphrase(opts.passphrase);
627
+ if (typeof opts.in !== "string") {
628
+ throw new AuditToolsError("audit-tools/no-indir",
629
+ "verifyBundle: opts.in is required (bundle directory)");
630
+ }
631
+ var read = await _readBundle(opts.in, opts.passphrase);
632
+
633
+ // 1. Walk the chain math across the slice.
634
+ var chainResult = _verifyChainSlice(read.rows, read.manifest.range.predecessorRowHash);
635
+ if (!chainResult.ok) {
636
+ return {
637
+ ok: false,
638
+ kind: read.manifest.kind,
639
+ rowsVerified: chainResult.rowsVerified,
640
+ breakAt: chainResult.breakAt,
641
+ reason: "chain " + chainResult.reason +
642
+ " (counter=" + Number(read.rows[chainResult.breakAt].monotonicCounter) + ")",
643
+ expected: chainResult.expected,
644
+ actual: chainResult.actual,
645
+ };
646
+ }
647
+
648
+ // 2. Confirm the stored firstRowHash + lastRowHash match the slice
649
+ if (read.rows[0].rowHash !== read.manifest.range.firstRowHash) {
650
+ return {
651
+ ok: false, kind: read.manifest.kind, rowsVerified: read.rows.length,
652
+ reason: "manifest.range.firstRowHash does not match first row's rowHash",
653
+ };
654
+ }
655
+ if (read.rows[read.rows.length - 1].rowHash !== read.manifest.range.lastRowHash) {
656
+ return {
657
+ ok: false, kind: read.manifest.kind, rowsVerified: read.rows.length,
658
+ reason: "manifest.range.lastRowHash does not match last row's rowHash",
659
+ };
660
+ }
661
+
662
+ // 3. (archive only) verify the covering checkpoint signature
663
+ if (read.manifest.kind === KIND_ARCHIVE) {
664
+ if (!read.checkpoint) {
665
+ return { ok: false, kind: KIND_ARCHIVE, reason: "checkpoint missing from archive bundle" };
666
+ }
667
+ if (Number(read.checkpoint.atMonotonicCounter) < Number(read.manifest.range.lastCounter)) {
668
+ return {
669
+ ok: false, kind: KIND_ARCHIVE,
670
+ reason: "checkpoint atMonotonicCounter (" + read.checkpoint.atMonotonicCounter +
671
+ ") < archive lastCounter (" + read.manifest.range.lastCounter + ")",
672
+ };
673
+ }
674
+ if (opts.verifyCheckpointSignature !== false) {
675
+ var verifier = opts.verifySignature || _defaultVerifyCheckpointSignature;
676
+ var sigOk = verifier(read.checkpoint);
677
+ if (!sigOk) {
678
+ return {
679
+ ok: false, kind: KIND_ARCHIVE,
680
+ reason: "checkpoint ML-DSA signature verification failed (auditor's audit-sign public key may differ from archive's; pass opts.verifySignature to override)",
681
+ };
682
+ }
683
+ }
684
+ }
685
+
686
+ return {
687
+ ok: true,
688
+ kind: read.manifest.kind,
689
+ rowsVerified: read.rows.length,
690
+ range: read.manifest.range,
691
+ manifest: read.manifest,
692
+ rows: opts.includeRows ? read.rows : undefined,
693
+ };
694
+ }
695
+
696
+ function _defaultVerifyCheckpointSignature(checkpoint) {
697
+ // Use the locally-loaded audit-sign keypair. Auditors verifying an
698
+ // archive on a different machine will need to pass opts.verifySignature
699
+ // with their own loaded public key. The framework deliberately doesn't
700
+ // ship public keys inside the bundle — the public key fingerprint in
701
+ // the checkpoint row is the verifier's lookup key.
702
+ try {
703
+ var pub = auditSign.getPublicKey();
704
+ var fp = auditSign.getPublicKeyFingerprint();
705
+ if (fp !== checkpoint.publicKeyFingerprint) return false;
706
+ var payload = Buffer.from(
707
+ "blamejs-audit-checkpoint-v1\n" +
708
+ String(checkpoint.atMonotonicCounter) + "\n" +
709
+ checkpoint.atRowHash + "\n" +
710
+ String(checkpoint.createdAt),
711
+ "utf8"
712
+ );
713
+ var sig = Buffer.isBuffer(checkpoint.signature) ? checkpoint.signature : Buffer.from(checkpoint.signature);
714
+ return auditSign.verify(payload, sig, pub);
715
+ } catch (_e) { return false; }
716
+ }
717
+
718
+ /**
719
+ * @primitive b.auditTools.purge
720
+ * @signature b.auditTools.purge(opts)
721
+ * @since 0.7.30
722
+ * @compliance hipaa, pci-dss, gdpr, soc2, sox-404
723
+ * @related b.auditTools.archive, b.auditTools.verifyBundle, b.audit.verify
724
+ *
725
+ * Confirmation-gated deletion of live audit rows already captured in
726
+ * a verified archive bundle. Refuses unless `opts.confirm === true`,
727
+ * the bundle verifies clean as `kind="archive"`, and the bundle's
728
+ * `firstCounter` / `predecessorRowHash` match the next contiguous
729
+ * purge point on disk. Inserts a `_blamejs_audit_purge_anchor` row
730
+ * so `b.audit.verify()` keeps chaining post-purge — the anchor's
731
+ * `lastPurgedRowHash` becomes the new chain origin.
732
+ *
733
+ * @opts
734
+ * confirm: true, // exact `true` required
735
+ * archive: string, // path to a verified archive bundle
736
+ * passphrase: Buffer|string, // bundle decryption passphrase
737
+ * verifySignature: function(checkpoint),// auditor pubkey override
738
+ *
739
+ * @example
740
+ * var result = await b.auditTools.purge({
741
+ * confirm: true,
742
+ * archive: "/var/audit/2026-Q1.bundle",
743
+ * passphrase: process.env.AUDIT_BUNDLE_PASSPHRASE,
744
+ * });
745
+ * // → { purged: true, rowsDeleted: 14823, lastPurgedCounter: 14823, ... }
746
+ */
747
+ async function purge(opts) {
748
+ opts = opts || {};
749
+ if (opts.confirm !== true) {
750
+ throw new AuditToolsError("audit-tools/no-confirm",
751
+ "purge: opts.confirm must be exactly true — destructive operation requires explicit acknowledgement");
752
+ }
753
+ if (typeof opts.archive !== "string") {
754
+ throw new AuditToolsError("audit-tools/no-archive",
755
+ "purge: opts.archive is required (path to a verified archive bundle)");
756
+ }
757
+ _requirePassphrase(opts.passphrase);
758
+
759
+ // 1. Verify the archive bundle. Refuses with a clear reason if not ok.
760
+ var v = await verifyBundle({
761
+ in: opts.archive,
762
+ passphrase: opts.passphrase,
763
+ verifySignature: opts.verifySignature, // auditor pubkey override
764
+ });
765
+ if (!v.ok) {
766
+ throw new AuditToolsError("audit-tools/archive-not-ok",
767
+ "purge: archive failed verification: " + v.reason);
768
+ }
769
+ if (v.kind !== KIND_ARCHIVE) {
770
+ throw new AuditToolsError("audit-tools/wrong-kind",
771
+ "purge: bundle kind is '" + v.kind + "', must be 'archive'");
772
+ }
773
+
774
+ // 2. Refuse if the archive doesn't start at the next purge point. Keeps
775
+ // the chain anchor monotonic — operators can't jump-purge a middle range.
776
+ var readAnchor = opts.readAnchor || _defaultReadPurgeAnchor;
777
+ var anchor = await readAnchor();
778
+ var expectedFirstCounter = anchor ? Number(anchor.lastPurgedCounter) + 1 : 1;
779
+ if (Number(v.range.firstCounter) !== expectedFirstCounter) {
780
+ throw new AuditToolsError("audit-tools/non-monotonic-purge",
781
+ "purge: archive's firstCounter=" + v.range.firstCounter +
782
+ " does not match expected next-purge counter=" + expectedFirstCounter +
783
+ " (purges must be contiguous from the chain origin or last anchor)");
784
+ }
785
+ if (anchor && v.range.predecessorRowHash !== anchor.lastPurgedRowHash) {
786
+ throw new AuditToolsError("audit-tools/anchor-mismatch",
787
+ "purge: archive's predecessorRowHash does not match the prior purge anchor's lastPurgedRowHash");
788
+ }
789
+
790
+ // 3. Apply the deletion + new anchor write. This is the only mutation
791
+ // path — operator-supplied for testability; default executes against
792
+ // the live cluster-storage.
793
+ var apply = opts.apply || _defaultApplyPurge;
794
+ var result = await apply({
795
+ lastPurgedCounter: Number(v.range.lastCounter),
796
+ lastPurgedRowHash: v.range.lastRowHash,
797
+ archiveBundleId: v.manifest.checkpoint && v.manifest.checkpoint.checkpointId
798
+ || ("manifest:" + v.range.lastCounter),
799
+ purgedAt: Date.now(),
800
+ });
801
+
802
+ return {
803
+ purged: true,
804
+ rowsDeleted: result.rowsDeleted,
805
+ checkpointsDeleted: result.checkpointsDeleted,
806
+ lastPurgedCounter: Number(v.range.lastCounter),
807
+ lastPurgedRowHash: v.range.lastRowHash,
808
+ archiveBundleId: result.archiveBundleId,
809
+ };
810
+ }
811
+
812
+ async function _defaultReadPurgeAnchor() {
813
+ return clusterStorage.executeOne(
814
+ "SELECT * FROM _blamejs_audit_purge_anchor WHERE scope = 'audit'"
815
+ );
816
+ }
817
+
818
+ async function _defaultApplyPurge(args) {
819
+ var del = await db().purgeAuditChain({ lastPurgedCounter: args.lastPurgedCounter });
820
+ // UPSERT the single-row anchor. SQLite + Postgres both support
821
+ // INSERT ... ON CONFLICT(scope) DO UPDATE.
822
+ await clusterStorage.execute(
823
+ "INSERT INTO _blamejs_audit_purge_anchor " +
824
+ "(scope, lastPurgedCounter, lastPurgedRowHash, archiveBundleId, purgedAt) " +
825
+ "VALUES ('audit', ?, ?, ?, ?) " +
826
+ "ON CONFLICT(scope) DO UPDATE SET " +
827
+ "lastPurgedCounter = excluded.lastPurgedCounter, " +
828
+ "lastPurgedRowHash = excluded.lastPurgedRowHash, " +
829
+ "archiveBundleId = excluded.archiveBundleId, " +
830
+ "purgedAt = excluded.purgedAt",
831
+ [args.lastPurgedCounter, args.lastPurgedRowHash, args.archiveBundleId, args.purgedAt]
832
+ );
833
+ return {
834
+ rowsDeleted: del.rowsDeleted,
835
+ checkpointsDeleted: del.checkpointsDeleted,
836
+ archiveBundleId: args.archiveBundleId,
837
+ };
838
+ }
839
+
840
+ /**
841
+ * @primitive b.auditTools.forensicSnapshot
842
+ * @signature b.auditTools.forensicSnapshot(opts)
843
+ * @since 0.8.40
844
+ * @compliance hipaa, pci-dss, gdpr, soc2, sox-404, dora, nis2
845
+ * @related b.auditTools.exportSlice, b.auditTools.archive
846
+ *
847
+ * Post-compromise composer that bundles an audit slice (from
848
+ * `since` → now) plus operator-supplied incident metadata
849
+ * (incidentId, reason, actor) and runtime fingerprint (Node version
850
+ * / platform / pid / uptime) into a single tamper-evident artifact
851
+ * for legal / regulators / the IR team. Emits an
852
+ * `audit.forensic_snapshot.composed` audit event so the act of
853
+ * composing the snapshot is itself on-chain.
854
+ *
855
+ * @opts
856
+ * out: string, // fresh directory path
857
+ * since: number|Date|string, // include rows recordedAt >= this
858
+ * passphrase: Buffer|string, // bundle-encryption passphrase
859
+ * reason: string, // required incident-context reason
860
+ * incidentId: string, // optional ticket / incident id
861
+ * actor: { id, role }, // optional incident-commander identity
862
+ *
863
+ * @example
864
+ * var snap = await b.auditTools.forensicSnapshot({
865
+ * out: "/forensics/2026-05-08-inc-42",
866
+ * since: Date.now() - 7 * 24 * 60 * 60 * 1000,
867
+ * passphrase: process.env.AUDIT_BUNDLE_PASSPHRASE,
868
+ * incidentId: "inc-2026-05-08-42",
869
+ * reason: "ATO investigation: 14 failed MFA from new geo, user u-42",
870
+ * actor: { id: "alice@ops.example.com", role: "incident-commander" },
871
+ * });
872
+ * // → { snapshotKind: "forensic", incidentId: "inc-2026-05-08-42", ... }
873
+ */
874
+ async function forensicSnapshot(opts) {
875
+ opts = opts || {};
876
+ _requirePassphrase(opts.passphrase);
877
+ _requireOutDir(opts.out, "forensicSnapshot");
878
+ var sinceMs = _toMs(opts.since);
879
+ if (sinceMs == null) {
880
+ throw new AuditToolsError("audit-tools/no-since",
881
+ "forensicSnapshot: opts.since is required");
882
+ }
883
+ validateOpts.requireNonEmptyString(opts.reason, "reason", AuditToolsError, "audit-tools/no-reason");
884
+ var sliceResult = await exportSlice({
885
+ out: opts.out,
886
+ since: sinceMs,
887
+ until: Date.now(),
888
+ passphrase: opts.passphrase,
889
+ readRows: opts.readRows,
890
+ readCoveringCheckpoint: opts.readCoveringCheckpoint,
891
+ });
892
+ // Compose snapshot manifest with operator-supplied IR context.
893
+ var manifest = {
894
+ snapshotKind: "forensic",
895
+ incidentId: opts.incidentId || null,
896
+ reason: opts.reason,
897
+ actor: opts.actor || null,
898
+ composedAt: new Date().toISOString(),
899
+ auditSliceFile: sliceResult && sliceResult.path,
900
+ auditSliceCount: sliceResult && sliceResult.rowCount,
901
+ runtime: {
902
+ nodeVersion: process.version,
903
+ platform: process.platform,
904
+ arch: process.arch,
905
+ pid: process.pid,
906
+ uptimeSec: Math.round(process.uptime()),
907
+ },
908
+ };
909
+ var manifestPath = require("node:path").join(opts.out, "forensic-snapshot.json");
910
+ require("node:fs").writeFileSync(manifestPath, _canonicalize(manifest), "utf8");
911
+ try {
912
+ require("./audit").safeEmit({
913
+ action: "audit.forensic_snapshot.composed",
914
+ outcome: "success",
915
+ metadata: {
916
+ out: opts.out,
917
+ incidentId: manifest.incidentId,
918
+ reason: opts.reason,
919
+ actor: opts.actor || null,
920
+ rowCount: manifest.auditSliceCount || 0,
921
+ },
922
+ });
923
+ } catch (_e) { /* audit best-effort */ }
924
+ return Object.assign({}, manifest, { manifestPath: manifestPath });
925
+ }
926
+
927
+ // CADF (Cloud Auditing Data Federation, ISO/IEC 19395:2017) is the
928
+ // OpenStack/FedRAMP-tier cloud-audit envelope auditors increasingly
929
+ // expect for federated tooling (cross-tenant SIEM, CSP reporting).
930
+ //
931
+ // We map blamejs audit fields onto CADF attributes:
932
+ //
933
+ // blamejs CADF
934
+ // ---------------------- ----------------------------------
935
+ // _id eventid (UUID-ish)
936
+ // action action (typed verb namespace)
937
+ // outcome outcome (success | failure | unknown | pending)
938
+ // actorUserId initiator.id (typed via initiator.typeURI)
939
+ // resourceKind+resourceId target.id + target.typeURI
940
+ // recordedAt eventTime (ISO-8601)
941
+ // reason reason.reasonCode + reason.policyType
942
+ // metadata attachments[] (operator-supplied free-form)
943
+ // prevHash/rowHash observer.id link to chain anchor
944
+ //
945
+ // CADF requires every event to declare its observer (the auditing
946
+ // system). We declare blamejs as the observer with a typeURI of
947
+ // service/audit. The framework version pins observer.id so an auditor
948
+ // can correlate envelope-level events back to a deployment.
949
+ function _toCadfOutcome(outcome) {
950
+ if (outcome === "success") return "success";
951
+ if (outcome === "failure" || outcome === "denied") return "failure";
952
+ if (outcome === "warning") return "unknown";
953
+ return outcome || "unknown";
954
+ }
955
+
956
+ function _toCadfEvent(row) {
957
+ var meta = null;
958
+ if (row.metadata) {
959
+ try { meta = typeof row.metadata === "string" ? safeJson.parse(row.metadata) : row.metadata; }
960
+ catch (_e) { meta = { raw: String(row.metadata) }; }
961
+ }
962
+ var ev = {
963
+ typeURI: "http://schemas.dmtf.org/cloud/audit/1.0/event",
964
+ eventType: "activity",
965
+ id: row._id,
966
+ eventTime: new Date(Number(row.recordedAt)).toISOString(),
967
+ action: row.action,
968
+ outcome: _toCadfOutcome(row.outcome),
969
+ initiator: {
970
+ id: row.actorUserIdHash || row.actorUserId || "unknown",
971
+ typeURI: "service/security/account/user",
972
+ addresses: row.actorIp ? [{ url: row.actorIp, name: "actorIp" }] : undefined,
973
+ name: row.actorSessionId || undefined,
974
+ },
975
+ target: {
976
+ id: row.resourceIdHash || row.resourceId || row.resourceKind || "n/a",
977
+ typeURI: row.resourceKind ? ("service/storage/" + row.resourceKind) : "service/security",
978
+ },
979
+ observer: {
980
+ id: "blamejs:" + (pkg.version || "unknown"),
981
+ typeURI: "service/security/audit",
982
+ name: "blamejs.audit",
983
+ },
984
+ reason: row.reason ? {
985
+ reasonCode: String(row.reason).slice(0, 256), // allow:raw-byte-literal — reason cap
986
+ policyType: "blamejs.audit-chain",
987
+ } : undefined,
988
+ attachments: meta ? [{
989
+ contentType: "application/json",
990
+ content: JSON.stringify(meta),
991
+ name: "blamejs.metadata",
992
+ }] : undefined,
993
+ // Custom CADF extension — anchors back into the audit chain.
994
+ "blamejs:chain": {
995
+ monotonicCounter: Number(row.monotonicCounter),
996
+ prevHash: row.prevHash,
997
+ rowHash: row.rowHash,
998
+ },
999
+ };
1000
+ return ev;
1001
+ }
1002
+
1003
+ /**
1004
+ * @primitive b.auditTools.exportCadf
1005
+ * @signature b.auditTools.exportCadf(opts)
1006
+ * @since 0.7.30
1007
+ * @compliance soc2, pci-dss, gdpr
1008
+ * @related b.auditTools.exportAudit, b.auditTools.exportSlice
1009
+ *
1010
+ * Format an audit slice as a CADF event-batch (Cloud Auditing Data
1011
+ * Federation, ISO/IEC 19395:2017 + DMTF) — the FedRAMP / OpenStack
1012
+ * envelope cross-tenant SIEMs and CSP reporting tools expect for
1013
+ * federated tooling. Maps blamejs fields onto CADF attributes
1014
+ * (initiator / target / observer / outcome / reason) and embeds a
1015
+ * `blamejs:chain` extension carrying `monotonicCounter` / prevHash /
1016
+ * rowHash so auditors can correlate the envelope back to the chain.
1017
+ *
1018
+ * Returns an object with `events: [...]` ready to ship as JSON.
1019
+ *
1020
+ * @opts
1021
+ * format: "cadf", // optional — defaults to "cadf"
1022
+ * from: number|Date|string, // recordedAt >= this
1023
+ * to: number|Date|string, // recordedAt <= this
1024
+ * action: string, // exact action filter
1025
+ *
1026
+ * @example
1027
+ * var batch = await b.auditTools.exportCadf({
1028
+ * from: "2026-05-01T00:00:00Z",
1029
+ * to: "2026-05-08T00:00:00Z",
1030
+ * action: "auth.login",
1031
+ * });
1032
+ * // → { typeURI: ".../event-batch", framework: "blamejs", events: [...] }
1033
+ */
1034
+ async function exportCadf(opts) {
1035
+ opts = opts || {};
1036
+ if (opts.format !== undefined && opts.format !== "cadf") {
1037
+ throw new AuditToolsError("audit-tools/bad-format",
1038
+ "audit.export: format must be 'cadf' for exportCadf");
1039
+ }
1040
+ var fromMs = _toMs(opts.from);
1041
+ var toMs = _toMs(opts.to);
1042
+ var readRows = opts.readRows || _defaultReadRows;
1043
+ var criteria = {};
1044
+ if (fromMs != null) criteria.fromMs = fromMs;
1045
+ if (toMs != null) criteria.toMs = toMs;
1046
+ if (opts.action) criteria.action = opts.action;
1047
+ var rows = await readRows(criteria);
1048
+ var events = new Array(rows.length);
1049
+ for (var i = 0; i < rows.length; i++) {
1050
+ events[i] = _toCadfEvent(rows[i]);
1051
+ }
1052
+ return {
1053
+ typeURI: "http://schemas.dmtf.org/cloud/audit/1.0/event-batch",
1054
+ framework: "blamejs",
1055
+ frameworkVersion: pkg.version,
1056
+ range: {
1057
+ from: fromMs != null ? new Date(fromMs).toISOString() : null,
1058
+ to: toMs != null ? new Date(toMs).toISOString() : null,
1059
+ },
1060
+ events: events,
1061
+ };
1062
+ }
1063
+
1064
+ // Operator-facing dispatcher — `b.audit.export({ format })`. Future
1065
+ // formats register here.
1066
+ /**
1067
+ * @primitive b.auditTools.exportAudit
1068
+ * @signature b.auditTools.exportAudit(opts)
1069
+ * @since 0.7.30
1070
+ * @compliance soc2, pci-dss, gdpr
1071
+ * @related b.auditTools.exportCadf, b.auditTools.exportSlice
1072
+ *
1073
+ * Format dispatcher for downstream-SIEM exports. Reads `opts.format`
1074
+ * (default `"cadf"`) and delegates to the matching formatter. Future
1075
+ * envelope formats (CEF / OCSF / etc.) register here so callers stay
1076
+ * on a stable signature even when the framework adds formats.
1077
+ *
1078
+ * @opts
1079
+ * format: "cadf", // selector — defaults to "cadf"
1080
+ * from: number|Date|string, // recordedAt >= this
1081
+ * to: number|Date|string, // recordedAt <= this
1082
+ * action: string, // exact action filter
1083
+ *
1084
+ * @example
1085
+ * var batch = await b.auditTools.exportAudit({
1086
+ * format: "cadf",
1087
+ * from: "2026-05-01T00:00:00Z",
1088
+ * to: "2026-05-08T00:00:00Z",
1089
+ * });
1090
+ * // → { typeURI: ".../event-batch", framework: "blamejs", events: [...] }
1091
+ */
1092
+ async function exportAudit(opts) {
1093
+ opts = opts || {};
1094
+ var format = opts.format || "cadf";
1095
+ if (format === "cadf") return await exportCadf(opts);
1096
+ throw new AuditToolsError("audit-tools/bad-format",
1097
+ "audit.export: format must be one of: cadf (got '" + format + "')");
1098
+ }
1099
+
1100
+ module.exports = {
1101
+ archive: archive,
1102
+ exportSlice: exportSlice,
1103
+ exportAudit: exportAudit,
1104
+ exportCadf: exportCadf,
1105
+ forensicSnapshot: forensicSnapshot,
1106
+ verifyBundle: verifyBundle,
1107
+ purge: purge,
1108
+ withRecordedAtIso: withRecordedAtIso,
1109
+ BUNDLE_FORMAT: BUNDLE_FORMAT,
1110
+ KIND_ARCHIVE: KIND_ARCHIVE,
1111
+ KIND_EXPORT: KIND_EXPORT,
1112
+ AuditToolsError: AuditToolsError,
1113
+ };