@blamejs/blamejs-shop 0.1.37 → 0.2.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (73) hide show
  1. package/CHANGELOG.md +6 -0
  2. package/lib/admin.js +205 -42
  3. package/lib/asset-manifest.json +5 -5
  4. package/lib/storefront.js +428 -51
  5. package/lib/vendor/MANIFEST.json +2 -2
  6. package/lib/vendor/blamejs/CHANGELOG.md +12 -0
  7. package/lib/vendor/blamejs/README.md +2 -2
  8. package/lib/vendor/blamejs/SECURITY.md +1 -0
  9. package/lib/vendor/blamejs/api-snapshot.json +2 -2
  10. package/lib/vendor/blamejs/lib/ai-disclosure.js +2 -3
  11. package/lib/vendor/blamejs/lib/archive-gz.js +5 -3
  12. package/lib/vendor/blamejs/lib/archive-read.js +101 -35
  13. package/lib/vendor/blamejs/lib/archive-tar-read.js +86 -31
  14. package/lib/vendor/blamejs/lib/archive-tar.js +2 -3
  15. package/lib/vendor/blamejs/lib/auth/fal.js +12 -0
  16. package/lib/vendor/blamejs/lib/auth/jwt-external.js +15 -11
  17. package/lib/vendor/blamejs/lib/auth/jwt.js +2 -2
  18. package/lib/vendor/blamejs/lib/auth/oauth.js +7 -6
  19. package/lib/vendor/blamejs/lib/auth/oid4vci.js +3 -3
  20. package/lib/vendor/blamejs/lib/auth/saml.js +15 -12
  21. package/lib/vendor/blamejs/lib/auth/sd-jwt-vc.js +3 -3
  22. package/lib/vendor/blamejs/lib/backup/index.js +2 -3
  23. package/lib/vendor/blamejs/lib/calendar.js +9 -2
  24. package/lib/vendor/blamejs/lib/circuit-breaker.js +5 -4
  25. package/lib/vendor/blamejs/lib/cose.js +4 -3
  26. package/lib/vendor/blamejs/lib/crypto-hpke.js +1 -1
  27. package/lib/vendor/blamejs/lib/crypto-oprf.js +2 -2
  28. package/lib/vendor/blamejs/lib/crypto.js +2 -2
  29. package/lib/vendor/blamejs/lib/framework-error.js +2 -1
  30. package/lib/vendor/blamejs/lib/guard-jwt.js +3 -2
  31. package/lib/vendor/blamejs/lib/guard-smtp-command.js +2 -2
  32. package/lib/vendor/blamejs/lib/mail-auth.js +2 -2
  33. package/lib/vendor/blamejs/lib/mail-crypto-pgp.js +1 -1
  34. package/lib/vendor/blamejs/lib/mail-crypto-smime.js +7 -7
  35. package/lib/vendor/blamejs/lib/mail-crypto.js +1 -1
  36. package/lib/vendor/blamejs/lib/mail-dav.js +5 -4
  37. package/lib/vendor/blamejs/lib/mail-deploy.js +3 -2
  38. package/lib/vendor/blamejs/lib/mail-server-imap.js +1 -1
  39. package/lib/vendor/blamejs/lib/mail-server-jmap.js +10 -10
  40. package/lib/vendor/blamejs/lib/mail-server-managesieve.js +1 -1
  41. package/lib/vendor/blamejs/lib/mail-server-mx.js +142 -47
  42. package/lib/vendor/blamejs/lib/mail-server-submission.js +6 -5
  43. package/lib/vendor/blamejs/lib/mail-store.js +2 -2
  44. package/lib/vendor/blamejs/lib/mail.js +2 -2
  45. package/lib/vendor/blamejs/lib/mdoc.js +14 -14
  46. package/lib/vendor/blamejs/lib/network-dnssec.js +10 -8
  47. package/lib/vendor/blamejs/lib/network-tls.js +10 -7
  48. package/lib/vendor/blamejs/lib/safe-decompress.js +8 -6
  49. package/lib/vendor/blamejs/lib/safe-ical.js +12 -12
  50. package/lib/vendor/blamejs/lib/safe-mime.js +6 -6
  51. package/lib/vendor/blamejs/lib/safe-sieve.js +1 -1
  52. package/lib/vendor/blamejs/lib/safe-smtp.js +1 -1
  53. package/lib/vendor/blamejs/package.json +1 -1
  54. package/lib/vendor/blamejs/release-notes/v0.13.10.json +44 -0
  55. package/lib/vendor/blamejs/release-notes/v0.13.11.json +27 -0
  56. package/lib/vendor/blamejs/release-notes/v0.13.12.json +36 -0
  57. package/lib/vendor/blamejs/release-notes/v0.13.7.json +27 -0
  58. package/lib/vendor/blamejs/release-notes/v0.13.8.json +27 -0
  59. package/lib/vendor/blamejs/release-notes/v0.13.9.json +27 -0
  60. package/lib/vendor/blamejs/test/layer-0-primitives/archive-read.test.js +82 -0
  61. package/lib/vendor/blamejs/test/layer-0-primitives/auth-jwt-defenses.test.js +4 -4
  62. package/lib/vendor/blamejs/test/layer-0-primitives/calendar.test.js +31 -0
  63. package/lib/vendor/blamejs/test/layer-0-primitives/codebase-patterns.test.js +188 -6
  64. package/lib/vendor/blamejs/test/layer-0-primitives/fal.test.js +26 -0
  65. package/lib/vendor/blamejs/test/layer-0-primitives/mail-crypto-smime.test.js +5 -5
  66. package/lib/vendor/blamejs/test/layer-0-primitives/mail-dav.test.js +1 -1
  67. package/lib/vendor/blamejs/test/layer-0-primitives/mail-server-mx.test.js +166 -1
  68. package/lib/vendor/blamejs/test/layer-0-primitives/rate-limit-cluster.test.js +25 -18
  69. package/lib/vendor/blamejs/test/layer-0-primitives/safe-ical.test.js +2 -2
  70. package/lib/vendor/blamejs/test/layer-0-primitives/sandbox.test.js +12 -12
  71. package/lib/vendor/blamejs/test/layer-0-primitives/scheduler-exactly-once.test.js +15 -9
  72. package/lib/vendor/blamejs/test/layer-0-primitives/websocket-channels.test.js +0 -6
  73. package/package.json +1 -1
@@ -26,7 +26,7 @@ async function testHappyPath() {
26
26
  var r = await b.sandbox.run({
27
27
  source: "return { upper: input.name.toUpperCase(), len: input.name.length };",
28
28
  input: { name: "alice" },
29
- timeoutMs: 5000,
29
+ timeoutMs: 10000,
30
30
  });
31
31
  check("happy path returns wrapped result", typeof r === "object");
32
32
  check("happy path produces result.result.upper", r.result && r.result.upper === "ALICE");
@@ -40,7 +40,7 @@ async function testAllowedBuiltins() {
40
40
  source: "return { ts: Date.now() > 0, sqrt: Math.sqrt(16) };",
41
41
  input: {},
42
42
  allowed: ["Date", "Math"],
43
- timeoutMs: 5000,
43
+ timeoutMs: 10000,
44
44
  });
45
45
  check("allowed Date works", r.result.ts === true);
46
46
  check("allowed Math works", r.result.sqrt === 4);
@@ -51,7 +51,7 @@ async function testBadAllowedRejected() {
51
51
  await b.sandbox.run({
52
52
  source: "return null;",
53
53
  allowed: ["process"],
54
- timeoutMs: 5000,
54
+ timeoutMs: 10000,
55
55
  });
56
56
  check("bad-allowed should have refused", false);
57
57
  } catch (e) {
@@ -62,13 +62,13 @@ async function testBadAllowedRejected() {
62
62
 
63
63
  async function testBadSourceRejected() {
64
64
  try {
65
- await b.sandbox.run({ source: "", timeoutMs: 5000 });
65
+ await b.sandbox.run({ source: "", timeoutMs: 10000 });
66
66
  check("empty source should refuse", false);
67
67
  } catch (e) {
68
68
  check("empty source refused", e && e.code === "sandbox/bad-source");
69
69
  }
70
70
  try {
71
- await b.sandbox.run({ source: 42, timeoutMs: 5000 });
71
+ await b.sandbox.run({ source: 42, timeoutMs: 10000 });
72
72
  check("non-string source should refuse", false);
73
73
  } catch (e) {
74
74
  check("non-string source refused", e && e.code === "sandbox/bad-source");
@@ -92,7 +92,7 @@ async function testBadTimeoutRejected() {
92
92
 
93
93
  async function testBadMaxBytesRejected() {
94
94
  try {
95
- await b.sandbox.run({ source: "return 1;", maxBytes: 100, timeoutMs: 5000 });
95
+ await b.sandbox.run({ source: "return 1;", maxBytes: 100, timeoutMs: 10000 });
96
96
  check("under-floor maxBytes should refuse", false);
97
97
  } catch (e) {
98
98
  check("under-floor maxBytes refused", e && e.code === "sandbox/bad-max-bytes");
@@ -113,7 +113,7 @@ async function testTimeoutEnforced() {
113
113
 
114
114
  async function testParseError() {
115
115
  try {
116
- await b.sandbox.run({ source: "this is not valid javascript ((", timeoutMs: 5000 });
116
+ await b.sandbox.run({ source: "this is not valid javascript ((", timeoutMs: 10000 });
117
117
  check("malformed source should refuse", false);
118
118
  } catch (e) {
119
119
  check("parse-error returned", e && e.code === "sandbox/parse-error");
@@ -124,7 +124,7 @@ async function testRuntimeError() {
124
124
  try {
125
125
  await b.sandbox.run({
126
126
  source: "throw new Error('boom');",
127
- timeoutMs: 5000,
127
+ timeoutMs: 10000,
128
128
  });
129
129
  check("throwing source should reject", false);
130
130
  } catch (e) {
@@ -138,7 +138,7 @@ async function testBadInput() {
138
138
  var circular = {};
139
139
  circular.self = circular;
140
140
  try {
141
- await b.sandbox.run({ source: "return 1;", input: circular, timeoutMs: 5000 });
141
+ await b.sandbox.run({ source: "return 1;", input: circular, timeoutMs: 10000 });
142
142
  check("circular input should refuse", false);
143
143
  } catch (e) {
144
144
  check("bad-input refused", e && e.code === "sandbox/bad-input");
@@ -151,7 +151,7 @@ async function testContainment() {
151
151
  try {
152
152
  await b.sandbox.run({
153
153
  source: "var x = require; return typeof x;",
154
- timeoutMs: 5000,
154
+ timeoutMs: 10000,
155
155
  });
156
156
  check("require should not be reachable", false);
157
157
  } catch (e) {
@@ -163,7 +163,7 @@ async function testProcessUnreachable() {
163
163
  try {
164
164
  await b.sandbox.run({
165
165
  source: "return process.env.HOME;",
166
- timeoutMs: 5000,
166
+ timeoutMs: 10000,
167
167
  });
168
168
  check("process should not be reachable", false);
169
169
  } catch (e) {
@@ -176,7 +176,7 @@ async function testNoNetworkAccess() {
176
176
  try {
177
177
  await b.sandbox.run({
178
178
  source: "var http = require('http'); return 1;",
179
- timeoutMs: 5000,
179
+ timeoutMs: 10000,
180
180
  });
181
181
  check("network access should refuse", false);
182
182
  } catch (e) {
@@ -21,12 +21,6 @@ var check = helpers.check;
21
21
  var setupTestDb = helpers.setupTestDb;
22
22
  var teardownTestDb = helpers.teardownTestDb;
23
23
 
24
- function _waitMicrotasks(n) {
25
- var p = Promise.resolve();
26
- for (var i = 0; i < (n || 5); i++) p = p.then(function () { return new Promise(function (r) { setImmediate(r); }); });
27
- return p;
28
- }
29
-
30
24
  async function testSingleNodeNoTickClaim() {
31
25
  // No opts.cluster wired → tick-claim path skipped entirely. fires
32
26
  // increments normally, tickClaimLost stays 0, no rows in the ticks
@@ -38,7 +32,10 @@ async function testSingleNodeNoTickClaim() {
38
32
  var sched = b.scheduler.create({ audit: false });
39
33
  sched.schedule({ name: "single", every: 60000, run: async function () { fired++; } });
40
34
  sched._fireOnce("single");
41
- await _waitMicrotasks(5);
35
+ await helpers.waitUntil(function () {
36
+ var t = sched.list()[0];
37
+ return t && t.fires === 1;
38
+ }, { timeoutMs: 5000, label: "scheduler single-node: fire callback completed" });
42
39
  var listed = sched.list()[0];
43
40
  check("single-node: fires increments", listed.fires === 1);
44
41
  check("single-node: tickClaimLost stays 0", listed.tickClaimLost === 0);
@@ -69,7 +66,10 @@ async function testClusterWinnerInsertsTickRow() {
69
66
  var nominalRun = task.nextRun;
70
67
 
71
68
  sched._fireOnce("winner");
72
- await _waitMicrotasks(10);
69
+ await helpers.waitUntil(function () {
70
+ var t = sched.list()[0];
71
+ return t && t.fires === 1;
72
+ }, { timeoutMs: 5000, label: "scheduler winner: tick-claim won + fire completed" });
73
73
 
74
74
  var listed = sched.list()[0];
75
75
  check("winner: fires increments", listed.fires === 1);
@@ -116,7 +116,13 @@ async function testClusterLoserSkipsAndCounts() {
116
116
  );
117
117
 
118
118
  sched._fireOnce("loser");
119
- await _waitMicrotasks(10);
119
+ // The lost tick-claim is observable as tickClaimLost incrementing —
120
+ // poll on that rather than a fixed tick budget. Once it lands, the
121
+ // skipped run (fires stays 0) is guaranteed.
122
+ await helpers.waitUntil(function () {
123
+ var t = sched.list()[0];
124
+ return t && t.tickClaimLost === 1;
125
+ }, { timeoutMs: 5000, label: "scheduler loser: tick-claim lost recorded" });
120
126
 
121
127
  var listed = sched.list()[0];
122
128
  check("loser: fires stays 0", listed.fires === 0);
@@ -16,12 +16,6 @@ var check = helpers.check;
16
16
  var setupTestDb = helpers.setupTestDb;
17
17
  var teardownTestDb = helpers.teardownTestDb;
18
18
 
19
- function _waitMicrotasks(n) {
20
- var p = Promise.resolve();
21
- for (var i = 0; i < (n || 5); i++) p = p.then(function () { return new Promise(function (r) { setImmediate(r); }); });
22
- return p;
23
- }
24
-
25
19
  // Minimal connection mock — EventEmitter with .send() that captures
26
20
  // what was sent. Mirrors the WebSocketConnection surface that
27
21
  // websocket-channels actually touches (.send + .on('close')).
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "@blamejs/blamejs-shop",
3
- "version": "0.1.37",
3
+ "version": "0.2.0",
4
4
  "description": "Open-source framework built on blamejs. Vendored stack, zero npm runtime deps, PQC-first crypto, security-on by default.",
5
5
  "main": "lib/index.js",
6
6
  "scripts": {