@blamejs/blamejs-shop 0.0.83 → 0.0.98

package/lib/vendor/blamejs/test/layer-0-primitives/archive-tar.test.js

@@ -0,0 +1,228 @@
+"use strict";
+/**
+ * Layer 0 — b.archive.tar write + b.archive.read.tar +
+ * b.guardArchive.tarEntryPolicy + b.backup.migrate.
+ *
+ * Round-trip coverage: write tar via b.archive.tar(), read back via
+ * b.archive.read.tar(buffer adapter), extract via b.safeArchive.extract
+ * (format auto-detect lands on tar). Refusal: oversize entry, dangerous
+ * typeflag refusal by default. Migration: write a directory bundle in
+ * one storage, migrate to tar bundle in another, verify content.
+ */
+
+var helpers = require("../helpers");
+var check = helpers.check;
+var b = helpers.b;
+var os = require("node:os");
+var path = require("node:path");
+var fs = require("node:fs");
+
+async function testTarRoundTrip() {
+  var t = b.archive.tar();
+  t.addFile("readme.txt", "Hello, tar!\n");
+  t.addFile("data/numbers.csv", "n,sq\n1,1\n2,4\n");
+  t.addDirectory("docs/");
+  t.addFile("docs/nested/deep.txt", "payload\n");
+  var bytes = t.toBuffer();
+
+  check("archive.tar: tar bytes round to 512", bytes.length % 512 === 0);
+  check("archive.tar: ustar magic at offset 257",
+    bytes.slice(257, 263).toString().indexOf("ustar") === 0);
+
+  var reader = b.archive.read.tar(b.archive.adapters.buffer(bytes));
+  var entries = await reader.inspect();
+  check("archive.read.tar.inspect: 4 entries",   entries.length === 4);
+  check("archive.read.tar.inspect: file type",   entries[0].entryType === "file");
+  check("archive.read.tar.inspect: directory type", entries[2].entryType === "directory");
+}
+
+async function testSafeArchiveTarExtract() {
+  var t = b.archive.tar();
+  t.addFile("a.txt", "alpha");
+  t.addFile("nested/b.txt", "beta");
+  var bytes = t.toBuffer();
+
+  var dest = fs.mkdtempSync(path.join(os.tmpdir(), "blamejs-tar-extract-"));
+  try {
+    var result = await b.safeArchive.extract({
+      source:       bytes,
+      destination:  dest,
+      guardProfile: "balanced",
+    });
+    check("safeArchive.extract: format=tar autodetected", result.format === "tar");
+    check("safeArchive.extract: 2 entries written",       result.entries.length === 2);
+    var a = fs.readFileSync(path.join(dest, "a.txt"), "utf8");
+    var bb = fs.readFileSync(path.join(dest, "nested", "b.txt"), "utf8");
+    check("safeArchive.extract: a.txt contents",          a === "alpha");
+    check("safeArchive.extract: nested b.txt contents",   bb === "beta");
+  } finally {
+    fs.rmSync(dest, { recursive: true, force: true });
+  }
+}
+
+function testTarEntryPolicy() {
+  var p = b.guardArchive.tarEntryPolicy({ symlinks: true });
+  check("tarEntryPolicy: symlinks opted in",      p.symlinks === true);
+  check("tarEntryPolicy: hardlinks default off",   p.hardlinks === false);
+  check("tarEntryPolicy: devices default off",     p.devices === false);
+  check("tarEntryPolicy: fifos default off",       p.fifos === false);
+  check("tarEntryPolicy: sockets default off",     p.sockets === false);
+}
+
+async function testTarChecksumDetection() {
+  // Build a valid tar, corrupt the chksum field, verify reader refuses.
+  var t = b.archive.tar();
+  t.addFile("payload.txt", "hello\n");
+  var bytes = t.toBuffer();
+  // Corrupt the checksum field of the first header (offset 148, 8 bytes).
+  bytes[148] = 0x39;   // change first chksum digit
+  var refused = null;
+  try {
+    var reader = b.archive.read.tar(b.archive.adapters.buffer(bytes));
+    await reader.inspect();
+  } catch (e) { refused = e; }
+  check("archive.read.tar: corrupted chksum refused",
+    refused && /chksum|bad-octal/.test(refused.code || refused.message));
+  check("archive.read.tar: chksum refusal is a b.archive.TarError",
+    refused instanceof b.archive.TarError);
+}
+
+async function testBackupMigrateDirectoryToTar() {
+  var fromRoot = fs.mkdtempSync(path.join(os.tmpdir(), "bjs-bk-from-"));
+  var toRoot = fs.mkdtempSync(path.join(os.tmpdir(), "bjs-bk-to-"));
+  var srcDir = fs.mkdtempSync(path.join(os.tmpdir(), "bjs-bk-src-"));
+  var verifyDir = fs.mkdtempSync(path.join(os.tmpdir(), "bjs-bk-verify-"));
+  fs.rmSync(verifyDir, { recursive: true });    // backend wants non-existent dest
+  try {
+    fs.writeFileSync(path.join(srcDir, "manifest.json"), JSON.stringify({ v: 1 }));
+    fs.mkdirSync(path.join(srcDir, "files"));
+    fs.writeFileSync(path.join(srcDir, "files", "blob.bin"), Buffer.from([1, 2, 3]));
+
+    var from = b.backup.bundleAdapterStorage({
+      adapter: b.backup.bundleAdapterStorage.fsAdapter({ root: fromRoot }),
+      format:  "directory",
+    });
+    var to = b.backup.bundleAdapterStorage({
+      adapter: b.backup.bundleAdapterStorage.fsAdapter({ root: toRoot }),
+      format:  "tar",
+    });
+
+    var bundleId = "2026-05-23T15-00-00-000Z-deadbeef";
+    await from.writeBundle(bundleId, srcDir);
+    check("migrate: source-bundle exists pre-migrate", await from.hasBundle(bundleId));
+    check("migrate: dest-bundle absent pre-migrate", !(await to.hasBundle(bundleId)));
+
+    var report = await b.backup.migrate({ from: from, to: to });
+    check("migrate: 1 migrated", report.migrated === 1 && report.skipped === 0);
+    check("migrate: dest-bundle present post-migrate", await to.hasBundle(bundleId));
+
+    // Idempotency: second run skips.
+    var second = await b.backup.migrate({ from: from, to: to });
+    check("migrate: idempotent (1 skipped)", second.migrated === 0 && second.skipped === 1);
+
+    // Read back from destination, verify file contents.
+    await to.readBundle(bundleId, verifyDir);
+    var manifest = JSON.parse(fs.readFileSync(path.join(verifyDir, "manifest.json"), "utf8"));
+    check("migrate: manifest round-tripped", manifest.v === 1);
+    var blob = fs.readFileSync(path.join(verifyDir, "files", "blob.bin"));
+    check("migrate: blob round-tripped",
+      blob.length === 3 && blob[0] === 1 && blob[2] === 3);
+  } finally {
+    try { fs.rmSync(fromRoot,   { recursive: true, force: true }); } catch (_e) { /* ignore */ }
+    try { fs.rmSync(toRoot,     { recursive: true, force: true }); } catch (_e) { /* ignore */ }
+    try { fs.rmSync(srcDir,     { recursive: true, force: true }); } catch (_e) { /* ignore */ }
+    try { fs.rmSync(verifyDir,  { recursive: true, force: true }); } catch (_e) { /* ignore */ }
+  }
+}
+
+async function testBackupTarFormatDefault() {
+  // Write a bundle via the v0.12.8-default format (tar) + verify the
+  // tar key landed on disk.
+  var root = fs.mkdtempSync(path.join(os.tmpdir(), "bjs-bk-tar-default-"));
+  var src = fs.mkdtempSync(path.join(os.tmpdir(), "bjs-bk-tar-src-"));
+  try {
+    fs.writeFileSync(path.join(src, "manifest.json"), JSON.stringify({ v: 1 }));
+    var storage = b.backup.bundleAdapterStorage({
+      adapter: b.backup.bundleAdapterStorage.fsAdapter({ root: root }),
+      // format defaults to "tar" in v0.12.8
+    });
+    var bid = "2026-05-23T15-30-00-000Z-cafebabe";
+    await storage.writeBundle(bid, src);
+    var tarKeyPresent = fs.existsSync(path.join(root, bid, "bundle.tar"));
+    check("bundleAdapterStorage default format: tar key on disk", tarKeyPresent);
+    check("bundleAdapterStorage default format: hasBundle true",
+      await storage.hasBundle(bid));
+  } finally {
+    try { fs.rmSync(root, { recursive: true, force: true }); } catch (_e) { /* ignore */ }
+    try { fs.rmSync(src,  { recursive: true, force: true }); } catch (_e) { /* ignore */ }
+  }
+}
+
+async function testTarTruncationRefused() {
+  // Codex P1 on v0.12.8 PR #159 — declare 11 bytes in the header
+  // but truncate the buffer to 8 payload bytes. The walker must
+  // refuse upfront rather than emitting a partial entry.
+  var t = b.archive.tar();
+  t.addFile("payload.txt", Buffer.from("hello world"));    // 11 bytes
+  var bytes = t.toBuffer();
+  // First header block is at offset 0-511; first data block at
+  // 512-1023 (padded to 512 bytes from the declared 11). Truncate to
+  // 768 bytes: header survives intact but the data block ends
+  // halfway — walker must refuse before slicing partial bytes as
+  // a "complete" file.
+  var truncated = bytes.slice(0, 768);
+  var refused = null;
+  try {
+    var reader = b.archive.read.tar(b.archive.adapters.buffer(truncated));
+    await reader.extract({
+      destination: fs.mkdtempSync(path.join(os.tmpdir(), "bjs-tar-trunc-")),
+    });
+  } catch (e) { refused = e; }
+  check("archive.read.tar: truncated entry refused with typed error",
+    refused && /truncated-entry/.test(refused.code || refused.message));
+}
+
+async function testBackupBundleTooLargeRefused() {
+  // Codex P2 on v0.12.8 PR #159 — bundleAdapterStorage with a
+  // tight maxBundleBytes cap must refuse oversized payloads upfront
+  // rather than OOM during in-memory tar materialization.
+  var srcDir = fs.mkdtempSync(path.join(os.tmpdir(), "bjs-bk-bulk-"));
+  var dest = fs.mkdtempSync(path.join(os.tmpdir(), "bjs-bk-bulk-dest-"));
+  try {
+    fs.writeFileSync(path.join(srcDir, "big.bin"), Buffer.alloc(64 * 1024));
+    var storage = b.backup.bundleAdapterStorage({
+      adapter:        b.backup.bundleAdapterStorage.fsAdapter({ root: dest }),
+      format:         "tar",
+      maxBundleBytes: 16 * 1024,
+    });
+    var refused = null;
+    try {
+      await storage.writeBundle("2026-05-23T00-00-00-000Z-abcdef12", srcDir);
+    } catch (e) { refused = e; }
+    check("backup: bundle exceeding maxBundleBytes refused upfront",
+      refused && /bundle-too-large/.test(refused.code || refused.message));
+  } finally {
+    try { fs.rmSync(srcDir, { recursive: true, force: true }); } catch (_e) { /* ignore */ }
+    try { fs.rmSync(dest,   { recursive: true, force: true }); } catch (_e) { /* ignore */ }
+  }
+}
+
+async function run() {
+  await testTarRoundTrip();
+  await testSafeArchiveTarExtract();
+  testTarEntryPolicy();
+  await testTarChecksumDetection();
+  await testTarTruncationRefused();
+  await testBackupMigrateDirectoryToTar();
+  await testBackupTarFormatDefault();
+  await testBackupBundleTooLargeRefused();
+}
+
+module.exports = { run: run };
+
+if (require.main === module) {
+  run().then(
+    function () { console.log("[archive-tar] OK — " + helpers.getChecks() + " checks passed"); },
+    function (e) { console.error("FAIL:", e && e.stack || e); process.exit(1); }
+  );
+}

package/lib/vendor/blamejs/test/layer-0-primitives/codebase-patterns.test.js

@@ -2185,6 +2185,76 @@ async function testNoDuplicateCodeBlocks() {
       files: ["lib/api-key.js:issue", "lib/db-query.js:<top>", "lib/session.js:create"],
       reason: "Generic JS array helper / lambda shape — Object.keys(...).map(fn) + similar functional idioms appearing in any code that walks a column-or-key list.",
     },
+    {
+      mode:  "family-subset",
+      files: [
+        "lib/archive-read.js:_emitAudit",
+        "lib/archive-tar-read.js:_emitAudit",
+        "lib/archive.js:_emitAudit",
+        "lib/http-client.js:_emitAudit",
+      ],
+      reason: "v0.12.7 + v0.12.8 — Per-module `_emitAudit(opts, action, outcome, metadata)` shape repeats across primitives that drop-silently emit to opts.audit.safeEmit if present. Each module's audit events carry a primitive-specific `action:` namespace (archive.read.*, archive.zip.*, archive.read.tar.*, http-client.*) + per-primitive metadata fields; consolidating would lose the namespace + force every consumer to import the same audit helper. Four-file repetition is the expected shape per `feedback_audit_safeEmit_per_module_emitAudit_shape`. archive-tar.js (write) does NOT carry _emitAudit — the read side lives in sibling archive-tar-read.js so the @primitive validator can pair both `b.archive.tar` (write) and `b.archive.read.tar` (read) cleanly.",
+    },
+    {
+      mode:  "family-subset",
+      files: [
+        "lib/archive-adapters.js:fs",
+        "lib/archive-adapters.js:http",
+        "lib/network-smtp-policy.js:mtaStsFetch",
+        "lib/parsers/safe-env.js:readVar",
+      ],
+      reason: "v0.12.7 — `if (typeof <opt> !== \"string\" || <opt>.length === 0) throw new <Error>(...)` shape repeats across primitives validating REQUIRED string opts. validateOpts.requireNonEmptyString covers most call sites; the four flagged here are inline because they each carry a primitive-specific error CODE (adapter/bad-arg, smtp-policy/bad-arg, safe-env/bad-arg) that the helper's caller-error-class shape doesn't compose cleanly across — each primitive's typed-error class is module-local + the message string names the local opt. The duplicated shape is the symptom, not the cause; the cause is that JS doesn't have a way to throw an instance of caller-namespaced ErrorClass without the local closure.",
+    },
+    {
+      mode:  "family-subset",
+      files: [
+        "lib/archive-read.js:extract",
+        "lib/archive-tar-read.js:extract",
+        "lib/auth/ciba.js:pollToken",
+        "lib/auth/oid4vci.js:exchangePreAuthorizedCode",
+        "lib/auth/oid4vci.js:issueCredential",
+      ],
+      reason: "v0.12.7 + v0.12.8 — `try { ... await ... } catch (e) { /* per-step cleanup */ throw e; }` shape repeats across primitives doing multi-step async work with per-step rollback. archive-read.extract + archive-tar.extract both clean up partial-extract files; ciba.pollToken cleans up rate-limit + retry state; oid4vci.exchange/issueCredential clean up partial credential-state. Each catch body is primitive-specific (the cleanup it does is the primitive's responsibility) — extraction would require a generic transaction-style helper which is itself a v1.0+ surface decision. Five-file repetition with primitive-specific cleanup bodies stays as the documented exception.",
+    },
+    {
+      mode:  "family-subset",
+      files: [
+        "lib/archive-tar-read.js:_classifyTypeflag",
+        "lib/archive-tar-read.js:inspect",
+        "lib/auth/ciba.js:_registerInitialInterval",
+        "lib/auth/oauth.js:exchangeToken",
+        "lib/auth/oauth.js:pollDeviceCode",
+        "lib/auth/oid4vci.js:createCredentialOffer",
+        "lib/auth/oid4vci.js:exchangePreAuthorizedCode",
+        "lib/restore-rollback.js:swap",
+      ],
+      reason: "v0.12.8 — Compact branching helpers (`if (x === A) return ...; if (x === B) return ...;` switch-style) repeat across primitives that map operator-supplied enum values to internal labels. archive-tar-read._classifyTypeflag maps single-char tar typeflags (0/1/2/3/4/5/6/7/x/g) to entry-type labels (file/symlink/hardlink/device/fifo/directory/etc.); archive-tar-read.inspect dispatches on the same typeflag set per-entry — distinct vocabulary from oauth.exchangeToken / oid4vci.createCredentialOffer / etc. which dispatch on grant_type / credential_format / step. The match is shape (chain of if-equals-return), not semantic. Extraction would require a generic enum-dispatch helper for trivially-different enums — that's an obscured abstraction. Each call site's enum + label set is primitive-specific.",
+    },
+    {
+      mode:  "family-subset",
+      files: [
+        "lib/archive-read.js:_normalizeEntryTypePolicy",
+        "lib/archive-tar-read.js:_normalizeEntryTypePolicy",
+        "lib/archive.js:writeTo",
+      ],
+      reason: "v0.12.8 — `_normalizeEntryTypePolicy` shape is genuinely duplicated between archive-read.js + archive-tar-read.js — both copy DEFAULT_ENTRY_TYPE_POLICY and merge with operator opts. Could extract to a shared lib/_archive-policy.js helper in a future patch; for v0.12.8 keeping the duplication so the format-specific entry-type vocabulary (zip's external-attrs vs tar's typeflag) stays close to the reader that uses it. archive.js:writeTo is the unrelated third file in the dup cluster — its toBuffer + writeFileSync shape happens to share the 50-token shingle by coincidence (writeTo is the legacy ZIP write-to-path helper, not policy-related).",
+    },
+    {
+      mode:  "family-subset",
+      files: [
+        "lib/agent-idempotency.js:_checkArgs",
+        "lib/agent-tenant.js:_sealField",
+        "lib/atomic-file.js:copyDirRecursive",
+        "lib/ddl-change-control.js:approve",
+        "lib/ddl-change-control.js:reject",
+        "lib/deprecate.js:alias",
+        "lib/guard-filename.js:verifyExtractionPath",
+        "lib/jose-jwe-experimental.js:decrypt",
+        "lib/mail-deploy.js:_validateTlsRptReport",
+        "lib/totp.js:uri",
+      ],
+      reason: "v0.12.7 — Generic string-argument validation shape: `if (typeof X !== \"string\" || X.length === 0) throw new <ErrorClass>(<code>, ...)` repeats across primitives validating REQUIRED non-empty string opts. Each call site emits a primitive-specific typed error class (BackupError, GuardFilenameError, IdempotencyError, AgentTenantError, AtomicFileError, DdlError, DeprecateError, JoseError, MailDeployError, TotpError) so extracting to a shared helper would lose the per-primitive error namespace. validateOpts.requireNonEmptyString covers most call sites where the caller's typed-error class composes with the helper's caller-error-class shape; the 9 file paths here are inline because each one's typed error has a primitive-local code namespace + message string the helper can't compose cleanly. Same shape as the v0.10.16 client-hints/csp/sandbox family-subset reason (inline for per-primitive typed errors). 5/9/3-file subsets at smaller token windows are the same family — one entry covers all of them.",
+    },
     {
       mode:  "family-subset",
       files: [
@@ -5391,7 +5461,10 @@ var KNOWN_ANTIPATTERNS = [
       "lib/observability-otlp-exporter.js",    // byResource grouping (Map<resKey, bucket>) — object-literal factory
       "lib/otel-export.js",                    // counters / observations (2 sites) — object-literal factory
       "lib/pubsub.js",                         // exactSubs (Map<channel, Set<sub>>) — Set factory
+      "lib/backup/index.js",                   // bundleAdapterStorage.listBundles: byBundle (Map<bundleId, stats>) — object-literal factory
     ],
+    // Strong-dup allowlists added with v0.12.7 archive substrate
+    // — see KNOWN_CLUSTERS additions below for structural reasons.
     reason: "Node 26 ships Map.prototype.getOrInsertComputed(key, factory) — a single-lookup get-or-insert that replaces the two-step `var v = m.get(k); if (!v) { v = factory(); m.set(k, v); }` pattern. The sweep is deferred to the Node 26 floor-bump (eligible Oct 2026); engines.node is `>=24` today. Allowlist above is the survey ground truth from memory/specs/node-26-map-getorinsert-migration.md. New code post-this-patch trips the detector — either wait for the floor bump, or add the call site to BOTH the allowlist AND the migration spec in the same patch. When the floor moves, the bump commit walks the allowlist, rewrites each call site, drops the allowlist + flips the detector to enforce.",
   },
   {
@@ -5512,6 +5585,113 @@ var KNOWN_ANTIPATTERNS = [
     reason: "Codex P1 on v0.12.6 PR #157 — `_anyValueToProto` negative-int path wrapped a varint payload in `embeddedMessage` (wire-type 2) instead of using `int64` (wire-type 0 varint). The wire-type mismatch poisons the whole OTLP batch; the `v >>> 0` truncation also dropped sign + high bits. Fixed by adding `pb.int64` + `pb.sint64` to the encoder + routing the negative-int branch through `pb.int64`. Detector locks the shape: `embeddedMessage(N, _writeVarint(...))` cannot recur.",
   },
 
+  {
+    // Codex P1 on v0.12.7 PR #158 — archive-read.extract's rollback
+    // cleanup deleted PRE-EXISTING destination files when a later
+    // entry failed. The renameSync(tmpPath, resolvedPath) silently
+    // overwrote operator files at the destination, then on abort the
+    // catch-block rmSync wiped them out — permanent data loss
+    // disguised as atomic rollback. Fix: refuse to write when the
+    // destination path already exists; force operators to extract
+    // into a fresh / empty subtree.
+    //
+    // Detector scope: any lib/archive*.js or lib/safe-archive.js file
+    // that calls renameSync into a path it ALSO tracks for cleanup
+    // MUST refuse overwrite up-front. Codify as a file-scoped invariant:
+    // archive-read.js must contain "destination-exists" refusal code.
+    id: "archive-extract-overwrite-without-refusal",
+    primitive: "extract loops in lib/archive-read.js MUST refuse to write to a destination path that already exists — atomic rollback via tmp-rename + tracked-path cleanup is only safe when every tracked path was newly created. Pre-existing files at the destination + catch-block rmSync = data loss.",
+    // File-scoped: only fires on archive-read.js / safe-archive.js
+    // shape. The pattern is renameSync of a tmpPath onto resolvedPath
+    // (the canonical destination variable) — atomic-file.js's
+    // operator-file rename is a different shape (operator already
+    // owns the destination context); http-client.js's atomic-tmp
+    // rename writes operator-supplied paths under operator-supplied
+    // tmp dirs, also a different concern.
+    regex: /written\.push\s*\(\s*\{[^}]*path:\s*resolvedPath/,
+    requires: /destination-exists/,
+    skipCommentLines: true,
+    allowlist: [],
+    reason: "Codex P1 on v0.12.7 PR #158 — archive-read.extract used renameSync to atomically place each decompressed entry at its canonical destination + tracked written[].path for catch-block cleanup. When the destination directory was non-empty, the rename silently overwrote operator files; on extract abort, the cleanup deleted them. Fix: refuse upfront if destination path exists, force operators to use a fresh / empty subtree. Detector locks the shape: any extract code that tracks resolvedPath for catch-block cleanup MUST carry a `destination-exists` refusal in the same file.",
+  },
+
+  {
+    // Codex P1 + P2 on v0.12.9 PR #160 — backup readBundle's
+    // tar.gz restore path inherited archive.read.gz defaults (1 GiB
+    // output / 100× ratio), which made the SAME primitive write
+    // bundles it couldn't read back. The detector enforces the
+    // write/read contract for self-authored gzip payloads: any
+    // lib/ call to `archive.read.gz(...)` from a context that has
+    // its own size budget (paired with a `maxBundleBytes` /
+    // `maxOutputBytes` / `maxPayloadBytes` opt) MUST propagate
+    // that budget to read.gz via `maxDecompressedBytes` AND
+    // disable the ratio cap (`maxExpansionRatio: 0`) — bombs in
+    // self-authored payloads are already prevented at write time.
+    id: "archive-read-gz-without-self-authored-budget",
+    primitive: "callers of archive.read.gz from a context that gates its own writes on a size cap (maxBundleBytes / similar) must pass maxDecompressedBytes + maxExpansionRatio:0 so the write/read contract is symmetric. Bomb defenses live at the upstream cap; the gz layer just decompresses.",
+    // File-scoped: only fires on backup/index.js shapes for now.
+    // archive.read.gz called with no opts is fine in operator code
+    // (adversarial-input case); the antipattern is when the caller
+    // also writes payloads under its own size cap.
+    regex: /archive(?:Lazy\(\))?\.read\.gz\s*\([^)]*\)\s*[^,{]/,
+    requires: /maxDecompressedBytes/,
+    skipCommentLines: true,
+    allowlist: [
+      // archive-gz.js IS the read.gz primitive itself.
+      "lib/archive-gz.js",
+    ],
+    reason: "Codex P1/P2 on v0.12.9 PR #160 — backup readBundle's tar.gz restore inherited the 100× ratio + 1 GiB output defaults, breaking restore for zero-filled DB dumps + ~1-8 GiB bundles that writeBundle accepts. Fix: every archive.read.gz call from a primitive with its own size budget propagates that budget. Detector locks the symmetry.",
+  },
+
+  {
+    // v0.12.9 — Direct node:zlib gunzip calls in lib/ must compose
+    // b.safeDecompress (1 GiB output / 100× ratio default caps) so a
+    // hostile gzip stream can't OOM or expand-bomb the host. Mirrors
+    // the v0.11.5 must-compose pattern. lib/archive-gz.js IS the
+    // canonical gunzip site (it wires safeDecompress in directly);
+    // every other lib/ call to zlib.gunzipSync / zlib.createGunzip
+    // must either route through b.safeDecompress OR carry a marker
+    // explaining why it's safe to bypass (e.g. the caller already
+    // applied `maxOutputLength` AND the input is operator-controlled).
+    id: "archive-gz-without-safedecompress",
+    primitive: "every lib/ call to zlib.gunzipSync / zlib.createGunzip / gunzip MUST either go through lib/archive-gz.js (which composes b.safeDecompress) OR carry an `allow:archive-gz-without-safedecompress` marker with the reason the bomb gate is bypassed (typically: `maxOutputLength` is already enforced + the input is operator-trusted).",
+    regex: /zlib\.(?:gunzipSync|createGunzip)\b/,
+    requires: /safeDecompress|maxOutputLength|allow:archive-gz-without-safedecompress/,
+    skipCommentLines: true,
+    allowlist: [
+      // archive-gz.js is the canonical gunzip site — it directly
+      // imports safeDecompress and routes every call through it.
+      // Listed here so the detector doesn't false-positive against
+      // its own enforcement file.
+      "lib/archive-gz.js",
+    ],
+    reason: "v0.12.9 — b.archive.read.gz is the framework's gzip read primitive and composes b.safeDecompress for every gunzip. Direct lib/ zlib.gunzipSync / zlib.createGunzip calls must either route through b.archive.read.gz, compose b.safeDecompress inline, OR carry an explicit `maxOutputLength` cap with the bypass marker. The detector locks the contract so v0.13+ primitives that handle a gzip-wrapped payload can't quietly drop the bomb cap.",
+  },
+
+  {
+    // Codex P1 on v0.12.8 PR #159 — archive-tar-read.js's walker
+    // advanced `pos` by the declared padded block size without
+    // checking that those bytes existed in the buffer. A truncated
+    // archive (header says 11 bytes, buffer holds 8) silently
+    // produced an entry whose extract() sliced the 8-byte prefix
+    // and wrote it as if it were the complete file. Fix: refuse
+    // upfront with a `truncated-entry` typed error when
+    // `bodyStart + paddedSize > bytes.length`. Same shape applies
+    // to the pax-extended-header path (its `bodyEnd` advance was
+    // the same uncapped arithmetic).
+    id: "archive-tar-walker-without-truncation-check",
+    primitive: "tar walkers in lib/archive-tar-read.js MUST verify that the declared block size fits within the remaining buffer before advancing `pos` — a header that claims more bytes than the buffer holds is a truncated archive, not a valid entry. The refusal carries `truncated-entry` code so operators can distinguish wire-format-bad input from policy-bad input.",
+    // File-scoped: only fires on archive-tar-read.js. The walker
+    // advances pos by paddedSize (Math.ceil(hdr.size / BLOCK_SIZE)
+    // * BLOCK_SIZE) — any code that adds paddedSize to pos without
+    // a preceding bounds check is the smell.
+    regex: /pos\s*\+=\s*paddedSize/,
+    requires: /truncated-entry/,
+    skipCommentLines: true,
+    allowlist: [],
+    reason: "Codex P1 on v0.12.8 PR #159 — archive-tar-read.js's tar walker recorded each entry and advanced pos by paddedSize without verifying the declared bytes existed in the buffer. A truncated archive silently produced a partial-content entry on extract — exact reproducer in the Codex thread: declared 11-byte file backed by 8 bytes of buffer produced an 8-byte output. Fix: refuse upfront with `archive-tar/truncated-entry` typed error. Detector locks the shape: any code path that advances pos by paddedSize in archive-tar-read.js MUST carry a `truncated-entry` refusal in the same file.",
+  },
+
   {
     // Codex P2 on v0.11.22 PR #126 — `b.cert.create`'s SNI dispatch
     // wildcard-matched `*.example.com` against `foo.bar.example.com`

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@blamejs/blamejs-shop",
-  "version": "0.0.83",
+  "version": "0.0.98",
   "description": "Open-source framework built on blamejs. Vendored stack, zero npm runtime deps, PQC-first crypto, security-on by default.",
   "main": "lib/index.js",
   "scripts": {
@@ -35,7 +35,7 @@
     "type": "git",
     "url": "git+https://github.com/blamejs/blamejs.shop.git"
   },
-  "homepage": "https://github.com/blamejs/blamejs.shop",
+  "homepage": "https://blamejs.shop",
   "devDependencies": {
     "@cloudflare/containers": "^0.3.4",
     "wrangler": "^4.93.0"