@blamejs/blamejs-shop 0.0.83 → 0.0.85

package/lib/vendor/blamejs/test/layer-0-primitives/codebase-patterns.test.js

@@ -2185,6 +2185,76 @@ async function testNoDuplicateCodeBlocks() {
       files: ["lib/api-key.js:issue", "lib/db-query.js:<top>", "lib/session.js:create"],
       reason: "Generic JS array helper / lambda shape — Object.keys(...).map(fn) + similar functional idioms appearing in any code that walks a column-or-key list.",
     },
+    {
+      mode:  "family-subset",
+      files: [
+        "lib/archive-read.js:_emitAudit",
+        "lib/archive-tar-read.js:_emitAudit",
+        "lib/archive.js:_emitAudit",
+        "lib/http-client.js:_emitAudit",
+      ],
+      reason: "v0.12.7 + v0.12.8 — Per-module `_emitAudit(opts, action, outcome, metadata)` shape repeats across primitives that drop-silently emit to opts.audit.safeEmit if present. Each module's audit events carry a primitive-specific `action:` namespace (archive.read.*, archive.zip.*, archive.read.tar.*, http-client.*) + per-primitive metadata fields; consolidating would lose the namespace + force every consumer to import the same audit helper. Four-file repetition is the expected shape per `feedback_audit_safeEmit_per_module_emitAudit_shape`. archive-tar.js (write) does NOT carry _emitAudit — the read side lives in sibling archive-tar-read.js so the @primitive validator can pair both `b.archive.tar` (write) and `b.archive.read.tar` (read) cleanly.",
+    },
+    {
+      mode:  "family-subset",
+      files: [
+        "lib/archive-adapters.js:fs",
+        "lib/archive-adapters.js:http",
+        "lib/network-smtp-policy.js:mtaStsFetch",
+        "lib/parsers/safe-env.js:readVar",
+      ],
+      reason: "v0.12.7 — `if (typeof <opt> !== \"string\" || <opt>.length === 0) throw new <Error>(...)` shape repeats across primitives validating REQUIRED string opts. validateOpts.requireNonEmptyString covers most call sites; the four flagged here are inline because they each carry a primitive-specific error CODE (adapter/bad-arg, smtp-policy/bad-arg, safe-env/bad-arg) that the helper's caller-error-class shape doesn't compose cleanly across — each primitive's typed-error class is module-local + the message string names the local opt. The duplicated shape is the symptom, not the cause; the cause is that JS doesn't have a way to throw an instance of caller-namespaced ErrorClass without the local closure.",
+    },
+    {
+      mode:  "family-subset",
+      files: [
+        "lib/archive-read.js:extract",
+        "lib/archive-tar-read.js:extract",
+        "lib/auth/ciba.js:pollToken",
+        "lib/auth/oid4vci.js:exchangePreAuthorizedCode",
+        "lib/auth/oid4vci.js:issueCredential",
+      ],
+      reason: "v0.12.7 + v0.12.8 — `try { ... await ... } catch (e) { /* per-step cleanup */ throw e; }` shape repeats across primitives doing multi-step async work with per-step rollback. archive-read.extract + archive-tar.extract both clean up partial-extract files; ciba.pollToken cleans up rate-limit + retry state; oid4vci.exchange/issueCredential clean up partial credential-state. Each catch body is primitive-specific (the cleanup it does is the primitive's responsibility) — extraction would require a generic transaction-style helper which is itself a v1.0+ surface decision. Five-file repetition with primitive-specific cleanup bodies stays as the documented exception.",
+    },
+    {
+      mode:  "family-subset",
+      files: [
+        "lib/archive-tar-read.js:_classifyTypeflag",
+        "lib/archive-tar-read.js:inspect",
+        "lib/auth/ciba.js:_registerInitialInterval",
+        "lib/auth/oauth.js:exchangeToken",
+        "lib/auth/oauth.js:pollDeviceCode",
+        "lib/auth/oid4vci.js:createCredentialOffer",
+        "lib/auth/oid4vci.js:exchangePreAuthorizedCode",
+        "lib/restore-rollback.js:swap",
+      ],
+      reason: "v0.12.8 — Compact branching helpers (`if (x === A) return ...; if (x === B) return ...;` switch-style) repeat across primitives that map operator-supplied enum values to internal labels. archive-tar-read._classifyTypeflag maps single-char tar typeflags (0/1/2/3/4/5/6/7/x/g) to entry-type labels (file/symlink/hardlink/device/fifo/directory/etc.); archive-tar-read.inspect dispatches on the same typeflag set per-entry — distinct vocabulary from oauth.exchangeToken / oid4vci.createCredentialOffer / etc. which dispatch on grant_type / credential_format / step. The match is shape (chain of if-equals-return), not semantic. Extraction would require a generic enum-dispatch helper for trivially-different enums — that's an obscured abstraction. Each call site's enum + label set is primitive-specific.",
+    },
+    {
+      mode:  "family-subset",
+      files: [
+        "lib/archive-read.js:_normalizeEntryTypePolicy",
+        "lib/archive-tar-read.js:_normalizeEntryTypePolicy",
+        "lib/archive.js:writeTo",
+      ],
+      reason: "v0.12.8 — `_normalizeEntryTypePolicy` shape is genuinely duplicated between archive-read.js + archive-tar-read.js — both copy DEFAULT_ENTRY_TYPE_POLICY and merge with operator opts. Could extract to a shared lib/_archive-policy.js helper in a future patch; for v0.12.8 keeping the duplication so the format-specific entry-type vocabulary (zip's external-attrs vs tar's typeflag) stays close to the reader that uses it. archive.js:writeTo is the unrelated third file in the dup cluster — its toBuffer + writeFileSync shape happens to share the 50-token shingle by coincidence (writeTo is the legacy ZIP write-to-path helper, not policy-related).",
+    },
+    {
+      mode:  "family-subset",
+      files: [
+        "lib/agent-idempotency.js:_checkArgs",
+        "lib/agent-tenant.js:_sealField",
+        "lib/atomic-file.js:copyDirRecursive",
+        "lib/ddl-change-control.js:approve",
+        "lib/ddl-change-control.js:reject",
+        "lib/deprecate.js:alias",
+        "lib/guard-filename.js:verifyExtractionPath",
+        "lib/jose-jwe-experimental.js:decrypt",
+        "lib/mail-deploy.js:_validateTlsRptReport",
+        "lib/totp.js:uri",
+      ],
+      reason: "v0.12.7 — Generic string-argument validation shape: `if (typeof X !== \"string\" || X.length === 0) throw new <ErrorClass>(<code>, ...)` repeats across primitives validating REQUIRED non-empty string opts. Each call site emits a primitive-specific typed error class (BackupError, GuardFilenameError, IdempotencyError, AgentTenantError, AtomicFileError, DdlError, DeprecateError, JoseError, MailDeployError, TotpError) so extracting to a shared helper would lose the per-primitive error namespace. validateOpts.requireNonEmptyString covers most call sites where the caller's typed-error class composes with the helper's caller-error-class shape; the 9 file paths here are inline because each one's typed error has a primitive-local code namespace + message string the helper can't compose cleanly. Same shape as the v0.10.16 client-hints/csp/sandbox family-subset reason (inline for per-primitive typed errors). 5/9/3-file subsets at smaller token windows are the same family — one entry covers all of them.",
+    },
     {
       mode:  "family-subset",
       files: [
@@ -5391,7 +5461,10 @@ var KNOWN_ANTIPATTERNS = [
       "lib/observability-otlp-exporter.js",    // byResource grouping (Map<resKey, bucket>) — object-literal factory
       "lib/otel-export.js",                    // counters / observations (2 sites) — object-literal factory
       "lib/pubsub.js",                         // exactSubs (Map<channel, Set<sub>>) — Set factory
+      "lib/backup/index.js",                   // bundleAdapterStorage.listBundles: byBundle (Map<bundleId, stats>) — object-literal factory
     ],
+    // Strong-dup allowlists added with v0.12.7 archive substrate
+    // — see KNOWN_CLUSTERS additions below for structural reasons.
     reason: "Node 26 ships Map.prototype.getOrInsertComputed(key, factory) — a single-lookup get-or-insert that replaces the two-step `var v = m.get(k); if (!v) { v = factory(); m.set(k, v); }` pattern. The sweep is deferred to the Node 26 floor-bump (eligible Oct 2026); engines.node is `>=24` today. Allowlist above is the survey ground truth from memory/specs/node-26-map-getorinsert-migration.md. New code post-this-patch trips the detector — either wait for the floor bump, or add the call site to BOTH the allowlist AND the migration spec in the same patch. When the floor moves, the bump commit walks the allowlist, rewrites each call site, drops the allowlist + flips the detector to enforce.",
   },
   {
@@ -5512,6 +5585,60 @@ var KNOWN_ANTIPATTERNS = [
     reason: "Codex P1 on v0.12.6 PR #157 — `_anyValueToProto` negative-int path wrapped a varint payload in `embeddedMessage` (wire-type 2) instead of using `int64` (wire-type 0 varint). The wire-type mismatch poisons the whole OTLP batch; the `v >>> 0` truncation also dropped sign + high bits. Fixed by adding `pb.int64` + `pb.sint64` to the encoder + routing the negative-int branch through `pb.int64`. Detector locks the shape: `embeddedMessage(N, _writeVarint(...))` cannot recur.",
   },
 
+  {
+    // Codex P1 on v0.12.7 PR #158 — archive-read.extract's rollback
+    // cleanup deleted PRE-EXISTING destination files when a later
+    // entry failed. The renameSync(tmpPath, resolvedPath) silently
+    // overwrote operator files at the destination, then on abort the
+    // catch-block rmSync wiped them out — permanent data loss
+    // disguised as atomic rollback. Fix: refuse to write when the
+    // destination path already exists; force operators to extract
+    // into a fresh / empty subtree.
+    //
+    // Detector scope: any lib/archive*.js or lib/safe-archive.js file
+    // that calls renameSync into a path it ALSO tracks for cleanup
+    // MUST refuse overwrite up-front. Codify as a file-scoped invariant:
+    // archive-read.js must contain "destination-exists" refusal code.
+    id: "archive-extract-overwrite-without-refusal",
+    primitive: "extract loops in lib/archive-read.js MUST refuse to write to a destination path that already exists — atomic rollback via tmp-rename + tracked-path cleanup is only safe when every tracked path was newly created. Pre-existing files at the destination + catch-block rmSync = data loss.",
+    // File-scoped: only fires on archive-read.js / safe-archive.js
+    // shape. The pattern is renameSync of a tmpPath onto resolvedPath
+    // (the canonical destination variable) — atomic-file.js's
+    // operator-file rename is a different shape (operator already
+    // owns the destination context); http-client.js's atomic-tmp
+    // rename writes operator-supplied paths under operator-supplied
+    // tmp dirs, also a different concern.
+    regex: /written\.push\s*\(\s*\{[^}]*path:\s*resolvedPath/,
+    requires: /destination-exists/,
+    skipCommentLines: true,
+    allowlist: [],
+    reason: "Codex P1 on v0.12.7 PR #158 — archive-read.extract used renameSync to atomically place each decompressed entry at its canonical destination + tracked written[].path for catch-block cleanup. When the destination directory was non-empty, the rename silently overwrote operator files; on extract abort, the cleanup deleted them. Fix: refuse upfront if destination path exists, force operators to use a fresh / empty subtree. Detector locks the shape: any extract code that tracks resolvedPath for catch-block cleanup MUST carry a `destination-exists` refusal in the same file.",
+  },
+
+  {
+    // Codex P1 on v0.12.8 PR #159 — archive-tar-read.js's walker
+    // advanced `pos` by the declared padded block size without
+    // checking that those bytes existed in the buffer. A truncated
+    // archive (header says 11 bytes, buffer holds 8) silently
+    // produced an entry whose extract() sliced the 8-byte prefix
+    // and wrote it as if it were the complete file. Fix: refuse
+    // upfront with a `truncated-entry` typed error when
+    // `bodyStart + paddedSize > bytes.length`. Same shape applies
+    // to the pax-extended-header path (its `bodyEnd` advance was
+    // the same uncapped arithmetic).
+    id: "archive-tar-walker-without-truncation-check",
+    primitive: "tar walkers in lib/archive-tar-read.js MUST verify that the declared block size fits within the remaining buffer before advancing `pos` — a header that claims more bytes than the buffer holds is a truncated archive, not a valid entry. The refusal carries `truncated-entry` code so operators can distinguish wire-format-bad input from policy-bad input.",
+    // File-scoped: only fires on archive-tar-read.js. The walker
+    // advances pos by paddedSize (Math.ceil(hdr.size / BLOCK_SIZE)
+    // * BLOCK_SIZE) — any code that adds paddedSize to pos without
+    // a preceding bounds check is the smell.
+    regex: /pos\s*\+=\s*paddedSize/,
+    requires: /truncated-entry/,
+    skipCommentLines: true,
+    allowlist: [],
+    reason: "Codex P1 on v0.12.8 PR #159 — archive-tar-read.js's tar walker recorded each entry and advanced pos by paddedSize without verifying the declared bytes existed in the buffer. A truncated archive silently produced a partial-content entry on extract — exact reproducer in the Codex thread: declared 11-byte file backed by 8 bytes of buffer produced an 8-byte output. Fix: refuse upfront with `archive-tar/truncated-entry` typed error. Detector locks the shape: any code path that advances pos by paddedSize in archive-tar-read.js MUST carry a `truncated-entry` refusal in the same file.",
+  },
+
   {
     // Codex P2 on v0.11.22 PR #126 — `b.cert.create`'s SNI dispatch
     // wildcard-matched `*.example.com` against `foo.bar.example.com`

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@blamejs/blamejs-shop",
-  "version": "0.0.83",
+  "version": "0.0.85",
   "description": "Open-source framework built on blamejs. Vendored stack, zero npm runtime deps, PQC-first crypto, security-on by default.",
   "main": "lib/index.js",
   "scripts": {
@@ -35,7 +35,7 @@
     "type": "git",
     "url": "git+https://github.com/blamejs/blamejs.shop.git"
   },
-  "homepage": "https://github.com/blamejs/blamejs.shop",
+  "homepage": "https://blamejs.shop",
   "devDependencies": {
     "@cloudflare/containers": "^0.3.4",
     "wrangler": "^4.93.0"