@blamejs/blamejs-shop 0.2.12 → 0.2.14

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (113) hide show
  1. package/CHANGELOG.md +4 -0
  2. package/README.md +1 -1
  3. package/lib/admin.js +616 -21
  4. package/lib/asset-manifest.json +5 -5
  5. package/lib/catalog.js +19 -0
  6. package/lib/storefront.js +1 -1
  7. package/lib/vendor/MANIFEST.json +3 -3
  8. package/lib/vendor/blamejs/.github/workflows/actions-lint.yml +71 -23
  9. package/lib/vendor/blamejs/.github/workflows/cflite_batch.yml +2 -0
  10. package/lib/vendor/blamejs/.github/workflows/cflite_pr.yml +2 -0
  11. package/lib/vendor/blamejs/.github/workflows/ci.yml +17 -0
  12. package/lib/vendor/blamejs/.github/workflows/npm-publish.yml +18 -10
  13. package/lib/vendor/blamejs/.github/workflows/release-container.yml +29 -16
  14. package/lib/vendor/blamejs/.github/workflows/sha-to-tag-verify.yml +22 -3
  15. package/lib/vendor/blamejs/.github/zizmor.yml +29 -0
  16. package/lib/vendor/blamejs/.pinact.yaml +24 -8
  17. package/lib/vendor/blamejs/CHANGELOG.md +20 -0
  18. package/lib/vendor/blamejs/api-snapshot.json +6 -2
  19. package/lib/vendor/blamejs/lib/agent-idempotency.js +50 -10
  20. package/lib/vendor/blamejs/lib/agent-orchestrator.js +58 -5
  21. package/lib/vendor/blamejs/lib/agent-saga.js +8 -4
  22. package/lib/vendor/blamejs/lib/agent-tenant.js +56 -4
  23. package/lib/vendor/blamejs/lib/agent-trace.js +4 -3
  24. package/lib/vendor/blamejs/lib/ai-adverse-decision.js +1 -1
  25. package/lib/vendor/blamejs/lib/archive-wrap.js +1 -1
  26. package/lib/vendor/blamejs/lib/audit-daily-review.js +3 -3
  27. package/lib/vendor/blamejs/lib/audit.js +11 -8
  28. package/lib/vendor/blamejs/lib/auth/jwt.js +7 -4
  29. package/lib/vendor/blamejs/lib/auth/saml.js +2 -2
  30. package/lib/vendor/blamejs/lib/calendar.js +14 -10
  31. package/lib/vendor/blamejs/lib/circuit-breaker.js +6 -4
  32. package/lib/vendor/blamejs/lib/compliance-ai-act-transparency.js +2 -2
  33. package/lib/vendor/blamejs/lib/compliance.js +7 -9
  34. package/lib/vendor/blamejs/lib/cookies.js +2 -2
  35. package/lib/vendor/blamejs/lib/cose.js +1 -1
  36. package/lib/vendor/blamejs/lib/crypto-field.js +8 -3
  37. package/lib/vendor/blamejs/lib/data-act.js +4 -3
  38. package/lib/vendor/blamejs/lib/did.js +1 -1
  39. package/lib/vendor/blamejs/lib/file-upload.js +18 -1
  40. package/lib/vendor/blamejs/lib/guard-archive.js +2 -2
  41. package/lib/vendor/blamejs/lib/guard-auth.js +5 -5
  42. package/lib/vendor/blamejs/lib/guard-cidr.js +4 -4
  43. package/lib/vendor/blamejs/lib/guard-csv.js +6 -6
  44. package/lib/vendor/blamejs/lib/guard-domain.js +4 -4
  45. package/lib/vendor/blamejs/lib/guard-email.js +6 -5
  46. package/lib/vendor/blamejs/lib/guard-filename.js +4 -4
  47. package/lib/vendor/blamejs/lib/guard-graphql.js +5 -5
  48. package/lib/vendor/blamejs/lib/guard-html.js +2 -2
  49. package/lib/vendor/blamejs/lib/guard-image.js +1 -1
  50. package/lib/vendor/blamejs/lib/guard-json.js +5 -5
  51. package/lib/vendor/blamejs/lib/guard-jsonpath.js +4 -4
  52. package/lib/vendor/blamejs/lib/guard-jwt.js +5 -5
  53. package/lib/vendor/blamejs/lib/guard-markdown.js +6 -6
  54. package/lib/vendor/blamejs/lib/guard-mime.js +6 -6
  55. package/lib/vendor/blamejs/lib/guard-oauth.js +5 -5
  56. package/lib/vendor/blamejs/lib/guard-pdf.js +1 -1
  57. package/lib/vendor/blamejs/lib/guard-regex.js +4 -4
  58. package/lib/vendor/blamejs/lib/guard-shell.js +4 -4
  59. package/lib/vendor/blamejs/lib/guard-svg.js +5 -5
  60. package/lib/vendor/blamejs/lib/guard-template.js +4 -4
  61. package/lib/vendor/blamejs/lib/guard-time.js +6 -6
  62. package/lib/vendor/blamejs/lib/guard-uuid.js +6 -6
  63. package/lib/vendor/blamejs/lib/guard-xml.js +4 -4
  64. package/lib/vendor/blamejs/lib/guard-yaml.js +5 -5
  65. package/lib/vendor/blamejs/lib/link-header.js +3 -2
  66. package/lib/vendor/blamejs/lib/mail-agent.js +4 -2
  67. package/lib/vendor/blamejs/lib/mail-bimi.js +3 -2
  68. package/lib/vendor/blamejs/lib/mail-crypto-pgp.js +7 -11
  69. package/lib/vendor/blamejs/lib/mail-crypto-smime.js +6 -5
  70. package/lib/vendor/blamejs/lib/mail-crypto.js +5 -5
  71. package/lib/vendor/blamejs/lib/mail-store.js +3 -2
  72. package/lib/vendor/blamejs/lib/mcp.js +2 -3
  73. package/lib/vendor/blamejs/lib/middleware/age-gate.js +10 -6
  74. package/lib/vendor/blamejs/lib/middleware/ai-act-disclosure.js +1 -1
  75. package/lib/vendor/blamejs/lib/middleware/api-encrypt.js +3 -3
  76. package/lib/vendor/blamejs/lib/middleware/compose-pipeline.js +1 -1
  77. package/lib/vendor/blamejs/lib/middleware/csp-nonce.js +2 -2
  78. package/lib/vendor/blamejs/lib/middleware/flag-context.js +1 -1
  79. package/lib/vendor/blamejs/lib/middleware/rate-limit.js +2 -2
  80. package/lib/vendor/blamejs/lib/middleware/require-auth.js +2 -1
  81. package/lib/vendor/blamejs/lib/queue-redis.js +9 -0
  82. package/lib/vendor/blamejs/lib/queue.js +17 -1
  83. package/lib/vendor/blamejs/lib/retry.js +26 -0
  84. package/lib/vendor/blamejs/lib/router.js +4 -1
  85. package/lib/vendor/blamejs/lib/safe-decompress.js +3 -2
  86. package/lib/vendor/blamejs/lib/safe-icap.js +3 -2
  87. package/lib/vendor/blamejs/lib/safe-mime.js +1 -1
  88. package/lib/vendor/blamejs/lib/safe-smtp.js +1 -1
  89. package/lib/vendor/blamejs/lib/sec-cyber.js +1 -1
  90. package/lib/vendor/blamejs/lib/storage.js +20 -16
  91. package/lib/vendor/blamejs/lib/tsa.js +2 -1
  92. package/lib/vendor/blamejs/lib/vault/index.js +1 -0
  93. package/lib/vendor/blamejs/lib/vault-aad.js +2 -2
  94. package/lib/vendor/blamejs/package.json +1 -1
  95. package/lib/vendor/blamejs/release-notes/v0.13.23.json +42 -0
  96. package/lib/vendor/blamejs/release-notes/v0.13.24.json +26 -0
  97. package/lib/vendor/blamejs/release-notes/v0.13.25.json +39 -0
  98. package/lib/vendor/blamejs/release-notes/v0.13.26.json +31 -0
  99. package/lib/vendor/blamejs/release-notes/v0.13.27.json +34 -0
  100. package/lib/vendor/blamejs/release-notes/v0.13.28.json +30 -0
  101. package/lib/vendor/blamejs/release-notes/v0.13.29.json +30 -0
  102. package/lib/vendor/blamejs/release-notes/v0.13.30.json +30 -0
  103. package/lib/vendor/blamejs/release-notes/v0.13.31.json +26 -0
  104. package/lib/vendor/blamejs/release-notes/v0.13.32.json +34 -0
  105. package/lib/vendor/blamejs/test/20-db.js +30 -0
  106. package/lib/vendor/blamejs/test/integration/queue-redis.test.js +14 -0
  107. package/lib/vendor/blamejs/test/layer-0-primitives/agent-idempotency.test.js +37 -0
  108. package/lib/vendor/blamejs/test/layer-0-primitives/agent-orchestrator.test.js +37 -0
  109. package/lib/vendor/blamejs/test/layer-0-primitives/agent-tenant.test.js +26 -0
  110. package/lib/vendor/blamejs/test/layer-0-primitives/audit-daily-review.test.js +9 -0
  111. package/lib/vendor/blamejs/test/layer-0-primitives/retry.test.js +25 -0
  112. package/lib/vendor/blamejs/test/smoke.js +25 -0
  113. package/package.json +1 -1
@@ -441,7 +441,7 @@ function _detectIssues(input, opts) {
441
441
  * @related b.guardJwt.sanitize, b.guardJwt.gate
442
442
  *
443
443
  * Apply the full guard-jwt threat catalog to a JWT compact-
444
- * serialization string. Returns `{ ok, issues, refusal? }` per
444
+ * serialization string. Returns `{ ok, issues }` per
445
445
  * `gateContract.aggregateIssues`. Detected classes include
446
446
  * `alg-none` (always critical), `kid-traversal` (always critical),
447
447
  * `alg-not-allowed`, `typ-confusion`, `crit-unknown`, `exp-past`,
@@ -456,7 +456,7 @@ function _detectIssues(input, opts) {
456
456
  *
457
457
  * @opts
458
458
  * profile: "strict"|"balanced"|"permissive",
459
- * compliance: "hipaa"|"pci-dss"|"gdpr"|"soc2",
459
+ * compliancePosture: "hipaa"|"pci-dss"|"gdpr"|"soc2",
460
460
  * allowedAlgs: string[],
461
461
  * requiredClaims: string[],
462
462
  * knownCrit: string[],
@@ -524,7 +524,7 @@ function validate(input, opts) {
524
524
  *
525
525
  * @opts
526
526
  * profile: "strict"|"balanced"|"permissive",
527
- * compliance: "hipaa"|"pci-dss"|"gdpr"|"soc2",
527
+ * compliancePosture: "hipaa"|"pci-dss"|"gdpr"|"soc2",
528
528
  * ...: every guardJwt.validate opt is honored,
529
529
  *
530
530
  * @example
@@ -573,13 +573,13 @@ function sanitize(input, opts) {
573
573
  *
574
574
  * @opts
575
575
  * profile: "strict"|"balanced"|"permissive",
576
- * compliance: "hipaa"|"pci-dss"|"gdpr"|"soc2",
576
+ * compliancePosture: "hipaa"|"pci-dss"|"gdpr"|"soc2",
577
577
  * name: string, // gate label for audit trails
578
578
  * ...: every guardJwt.validate opt is honored,
579
579
  *
580
580
  * @example
581
581
  * var jwtGate = b.guardJwt.gate({ profile: "strict" });
582
- * var rv = await jwtGate.run({
582
+ * var rv = await jwtGate.check({
583
583
  * identifier:
584
584
  * "eyJhbGciOiJub25lIiwidHlwIjoiSldUIn0." +
585
585
  * "eyJzdWIiOiJhdHRhY2tlciJ9.",
@@ -505,7 +505,7 @@ function _detectIssues(input, opts) {
505
505
  *
506
506
  * @opts
507
507
  * profile: "strict"|"balanced"|"permissive",
508
- * compliance: "hipaa"|"pci-dss"|"gdpr"|"soc2",
508
+ * compliancePosture: "hipaa"|"pci-dss"|"gdpr"|"soc2",
509
509
  * bidiPolicy: "reject"|"strip"|"audit"|"allow",
510
510
  * controlPolicy: "reject"|"strip"|"allow",
511
511
  * nullBytePolicy: "reject"|"strip"|"allow",
@@ -568,7 +568,7 @@ function validate(input, opts) {
568
568
  *
569
569
  * @opts
570
570
  * profile: "strict"|"balanced"|"permissive",
571
- * compliance: "hipaa"|"pci-dss"|"gdpr"|"soc2",
571
+ * compliancePosture: "hipaa"|"pci-dss"|"gdpr"|"soc2",
572
572
  * ...: same shape as b.guardMarkdown.validate opts,
573
573
  *
574
574
  * @example
@@ -606,7 +606,7 @@ function sanitize(input, opts) {
606
606
  * @compliance hipaa, pci-dss, gdpr, soc2
607
607
  * @related b.guardMarkdown.validate, b.guardMarkdown.sanitize, b.guardAll.gate, b.staticServe.create
608
608
  *
609
- * Build an async gate `(ctx) -> { ok, action, issues }` consumable
609
+ * Build a guard gate whose async `check(ctx)` returns `{ ok, action, issues }`, consumable
610
610
  * by `b.guardAll`, `b.staticServe`, `b.fileUpload`, and any host
611
611
  * that ingests user-supplied markdown. The gate decodes
612
612
  * `ctx.bytes` / `ctx.bodyText`, runs `validate`, and maps
@@ -617,15 +617,15 @@ function sanitize(input, opts) {
617
617
  * @opts
618
618
  * name: string, // gate label for audit / observability
619
619
  * profile: "strict"|"balanced"|"permissive",
620
- * compliance: "hipaa"|"pci-dss"|"gdpr"|"soc2",
620
+ * compliancePosture: "hipaa"|"pci-dss"|"gdpr"|"soc2",
621
621
  * ...: same shape as b.guardMarkdown.validate opts,
622
622
  *
623
623
  * @example
624
624
  * var g = b.guardMarkdown.gate({ profile: "strict" });
625
- * var rv = await g({ bytes: Buffer.from("# hello\n", "utf8") });
625
+ * var rv = await g.check({ bytes: Buffer.from("# hello\n", "utf8") });
626
626
  * rv.action; // → "serve"
627
627
  *
628
- * var bad = await g({ bytes: Buffer.from("[x](javascript:1)", "utf8") });
628
+ * var bad = await g.check({ bytes: Buffer.from("[x](javascript:1)", "utf8") });
629
629
  * bad.action; // → "refuse"
630
630
  */
631
631
  function gate(opts) {
@@ -369,7 +369,7 @@ function _detectIssues(input, opts) {
369
369
  *
370
370
  * @opts
371
371
  * profile: "strict"|"balanced"|"permissive",
372
- * compliance: "hipaa"|"pci-dss"|"gdpr"|"soc2",
372
+ * compliancePosture: "hipaa"|"pci-dss"|"gdpr"|"soc2",
373
373
  * bidiPolicy: "reject"|"strip"|"audit"|"allow",
374
374
  * controlPolicy: "reject"|"strip"|"allow",
375
375
  * nullBytePolicy: "reject"|"strip"|"allow",
@@ -423,7 +423,7 @@ function validate(input, opts) {
423
423
  *
424
424
  * @opts
425
425
  * profile: "strict"|"balanced"|"permissive",
426
- * compliance: "hipaa"|"pci-dss"|"gdpr"|"soc2",
426
+ * compliancePosture: "hipaa"|"pci-dss"|"gdpr"|"soc2",
427
427
  * ...: same shape as b.guardMime.validate opts,
428
428
  *
429
429
  * @example
@@ -467,7 +467,7 @@ function sanitize(input, opts) {
467
467
  * @compliance hipaa, pci-dss, gdpr, soc2
468
468
  * @related b.guardMime.validate, b.guardMime.sanitize, b.guardAll.gate
469
469
  *
470
- * Build an async gate `(ctx) -> { ok, action, issues }` consumable
470
+ * Build a guard gate whose async `check(ctx)` returns `{ ok, action, issues }`, consumable
471
471
  * by `b.guardAll`, `b.staticServe`, `b.fileUpload`, and any other
472
472
  * host that integrates the guard contract. The gate reads
473
473
  * `ctx.identifier` (or `ctx.mime`), runs `validate`, and maps
@@ -477,15 +477,15 @@ function sanitize(input, opts) {
477
477
  * @opts
478
478
  * name: string, // gate label for audit / observability
479
479
  * profile: "strict"|"balanced"|"permissive",
480
- * compliance: "hipaa"|"pci-dss"|"gdpr"|"soc2",
480
+ * compliancePosture: "hipaa"|"pci-dss"|"gdpr"|"soc2",
481
481
  * ...: same shape as b.guardMime.validate opts,
482
482
  *
483
483
  * @example
484
484
  * var g = b.guardMime.gate({ profile: "strict" });
485
- * var rv = await g({ identifier: "application/json" });
485
+ * var rv = await g.check({ identifier: "application/json" });
486
486
  * rv.action; // → "serve"
487
487
  *
488
- * var bad = await g({ identifier: "application/x-msdownload" });
488
+ * var bad = await g.check({ identifier: "application/x-msdownload" });
489
489
  * bad.action; // → "refuse"
490
490
  */
491
491
  function gate(opts) {
@@ -352,7 +352,7 @@ function _detectIssues(flow, opts) {
352
352
  * @related b.guardOauth.sanitize, b.guardOauth.gate
353
353
  *
354
354
  * Apply the full guard-oauth threat catalog to a flow bundle.
355
- * Returns `{ ok, issues, refusal? }` per
355
+ * Returns `{ ok, issues }` per
356
356
  * `gateContract.aggregateIssues`. Detected classes include
357
357
  * `pkce-missing`, `pkce-method` (e.g. plain under require-s256),
358
358
  * `state-missing`, `redirect-uri-not-allowed`,
@@ -365,7 +365,7 @@ function _detectIssues(flow, opts) {
365
365
  *
366
366
  * @opts
367
367
  * profile: "strict"|"balanced"|"permissive",
368
- * compliance: "hipaa"|"pci-dss"|"gdpr"|"soc2",
368
+ * compliancePosture: "hipaa"|"pci-dss"|"gdpr"|"soc2",
369
369
  * pkcePolicy: "require-s256"|"require-any"|"audit"|"allow",
370
370
  * statePolicy: "require"|"audit"|"allow",
371
371
  * redirectUriPolicy: "require-exact-allowlist"|"audit"|"allow",
@@ -427,7 +427,7 @@ function validate(input, opts) {
427
427
  *
428
428
  * @opts
429
429
  * profile: "strict"|"balanced"|"permissive",
430
- * compliance: "hipaa"|"pci-dss"|"gdpr"|"soc2",
430
+ * compliancePosture: "hipaa"|"pci-dss"|"gdpr"|"soc2",
431
431
  * ...: every guardOauth.validate opt is honored,
432
432
  *
433
433
  * @example
@@ -475,7 +475,7 @@ function sanitize(input, opts) {
475
475
  *
476
476
  * @opts
477
477
  * profile: "strict"|"balanced"|"permissive",
478
- * compliance: "hipaa"|"pci-dss"|"gdpr"|"soc2",
478
+ * compliancePosture: "hipaa"|"pci-dss"|"gdpr"|"soc2",
479
479
  * name: string, // gate label for audit trails
480
480
  * ...: every guardOauth.validate opt is honored,
481
481
  *
@@ -484,7 +484,7 @@ function sanitize(input, opts) {
484
484
  * profile: "strict",
485
485
  * allowedRedirectUris: ["https://app.example.com/callback"],
486
486
  * });
487
- * var rv = await oauthGate.run({
487
+ * var rv = await oauthGate.check({
488
488
  * oauthFlow: {
489
489
  * response_type: "code",
490
490
  * redirect_uri: "https://attacker.example/callback",
@@ -410,7 +410,7 @@ function sanitize(input, opts) {
410
410
  *
411
411
  * @opts
412
412
  * profile: "strict"|"balanced"|"permissive",
413
- * compliance: "hipaa"|"pci-dss"|"gdpr"|"soc2",
413
+ * compliancePosture: "hipaa"|"pci-dss"|"gdpr"|"soc2",
414
414
  * name: string,
415
415
  * ...: any validate opt
416
416
  *
@@ -30,7 +30,7 @@
30
30
  * Profiles: `strict` / `balanced` / `permissive`. Compliance
31
31
  * postures: `hipaa` / `pci-dss` / `gdpr` / `soc2`. Operators
32
32
  * select via `{ profile: "strict" }` or
33
- * `{ compliance: "hipaa" }`; postures overlay on top of the
33
+ * `{ compliancePosture: "hipaa" }`; postures overlay on top of the
34
34
  * profile baseline. Nested-quantifier rejection holds at every
35
35
  * profile — the catastrophic class is never an operator opt-in.
36
36
  *
@@ -368,7 +368,7 @@ function _detectNestedExtglob(input, opts, issues) {
368
368
  *
369
369
  * @opts
370
370
  * profile: "strict"|"balanced"|"permissive",
371
- * compliance: "hipaa"|"pci-dss"|"gdpr"|"soc2",
371
+ * compliancePosture: "hipaa"|"pci-dss"|"gdpr"|"soc2",
372
372
  * bidiPolicy: "reject"|"audit"|"allow",
373
373
  * controlPolicy: "reject"|"audit"|"allow",
374
374
  * nullBytePolicy: "reject"|"audit"|"allow",
@@ -422,7 +422,7 @@ function validate(input, opts) {
422
422
  *
423
423
  * @opts
424
424
  * profile: "strict"|"balanced"|"permissive",
425
- * compliance: "hipaa"|"pci-dss"|"gdpr"|"soc2",
425
+ * compliancePosture: "hipaa"|"pci-dss"|"gdpr"|"soc2",
426
426
  * nestedQuantPolicy: "reject"|"audit"|"allow",
427
427
  * alternationQuantPolicy: "reject"|"audit"|"allow",
428
428
  * boundedRepeatPolicy: "reject"|"audit"|"allow",
@@ -477,7 +477,7 @@ function sanitize(input, opts) {
477
477
  *
478
478
  * @opts
479
479
  * profile: "strict"|"balanced"|"permissive",
480
- * compliance: "hipaa"|"pci-dss"|"gdpr"|"soc2",
480
+ * compliancePosture: "hipaa"|"pci-dss"|"gdpr"|"soc2",
481
481
  * name: string, // override gate name in audit emissions
482
482
  * nestedQuantPolicy: "reject"|"audit"|"allow",
483
483
  * alternationQuantPolicy: "reject"|"audit"|"allow",
@@ -28,7 +28,7 @@
28
28
  *
29
29
  * Profiles: `strict` / `balanced` / `permissive`. Compliance
30
30
  * postures: `hipaa` / `pci-dss` / `gdpr` / `soc2`. Operators select
31
- * via `{ profile: "strict" }` or `{ compliance: "hipaa" }`;
31
+ * via `{ profile: "strict" }` or `{ compliancePosture: "hipaa" }`;
32
32
  * postures overlay on top of the profile baseline.
33
33
  *
34
34
  * Shell args cannot be repaired safely — `sanitize` either passes
@@ -262,7 +262,7 @@ function _detectIssues(input, opts) {
262
262
  *
263
263
  * @opts
264
264
  * profile: "strict"|"balanced"|"permissive",
265
- * compliance: "hipaa"|"pci-dss"|"gdpr"|"soc2",
265
+ * compliancePosture: "hipaa"|"pci-dss"|"gdpr"|"soc2",
266
266
  * bidiPolicy: "reject"|"audit"|"allow",
267
267
  * controlPolicy: "reject"|"audit"|"allow",
268
268
  * nullBytePolicy: "reject"|"audit"|"allow",
@@ -314,7 +314,7 @@ function validate(input, opts) {
314
314
  *
315
315
  * @opts
316
316
  * profile: "strict"|"balanced"|"permissive",
317
- * compliance: "hipaa"|"pci-dss"|"gdpr"|"soc2",
317
+ * compliancePosture: "hipaa"|"pci-dss"|"gdpr"|"soc2",
318
318
  * posixMetaPolicy: "reject"|"audit"|"allow",
319
319
  * cmdMetaPolicy: "reject"|"audit"|"allow",
320
320
  * dollarSubstPolicy: "reject"|"audit"|"allow",
@@ -369,7 +369,7 @@ function sanitize(input, opts) {
369
369
  *
370
370
  * @opts
371
371
  * profile: "strict"|"balanced"|"permissive",
372
- * compliance: "hipaa"|"pci-dss"|"gdpr"|"soc2",
372
+ * compliancePosture: "hipaa"|"pci-dss"|"gdpr"|"soc2",
373
373
  * name: string, // override gate name in audit emissions
374
374
  * posixMetaPolicy: "reject"|"audit"|"allow",
375
375
  * cmdMetaPolicy: "reject"|"audit"|"allow",
@@ -1017,9 +1017,9 @@ function sanitize(input, opts) {
1017
1017
  * @status stable
1018
1018
  * @related b.guardSvg.validate, b.guardSvg.sanitize, b.fileUpload, b.staticServe
1019
1019
  *
1020
- * Build a uniform gate over guard-* family contract. Returns an
1021
- * async function whose verdict is `{ ok, action, issues?,
1022
- * sanitized? }` where `action` is `serve` / `audit-only` /
1020
+ * Build a uniform gate over the guard-* family contract. Returns a
1021
+ * gate whose async `check(ctx)` produces a verdict `{ ok, action,
1022
+ * issues?, sanitized? }` where `action` is `serve` / `audit-only` /
1023
1023
  * `sanitize` / `refuse`. SVGZ inputs always refuse — operators
1024
1024
  * ungzip and re-gate the inner SVG. External `xlink:href` on
1025
1025
  * `<use>` / `<feImage>` refuses under `strict` (SSRF + XSS chain).
@@ -1042,13 +1042,13 @@ function sanitize(input, opts) {
1042
1042
  *
1043
1043
  * @example
1044
1044
  * var g = b.guardSvg.gate({ profile: "strict" });
1045
- * var verdict = await g({
1045
+ * var verdict = await g.check({
1046
1046
  * bytes: Buffer.from('<svg><circle r="10"/></svg>', "utf8"),
1047
1047
  * });
1048
1048
  * verdict.action; // → "serve"
1049
1049
  *
1050
1050
  * // Refuses external xlink:href under strict:
1051
- * var refuse = await g({
1051
+ * var refuse = await g.check({
1052
1052
  * bytes: Buffer.from(
1053
1053
  * '<svg><use xlink:href="https://evil.example/x.svg#a"/></svg>',
1054
1054
  * "utf8"),
@@ -34,7 +34,7 @@
34
34
  * Profiles: `strict` / `balanced` / `permissive`. Compliance
35
35
  * postures: `hipaa` / `pci-dss` / `gdpr` / `soc2`. Operators
36
36
  * select via `{ profile: "strict" }` or
37
- * `{ compliance: "hipaa" }`; postures overlay on top of the
37
+ * `{ compliancePosture: "hipaa" }`; postures overlay on top of the
38
38
  * profile baseline. Jinja / ERB / Pug shape rejection holds at
39
39
  * every profile — the SSTI class is never an operator opt-in.
40
40
  *
@@ -237,7 +237,7 @@ function _detectIssues(input, opts) {
237
237
  *
238
238
  * @opts
239
239
  * profile: "strict"|"balanced"|"permissive",
240
- * compliance: "hipaa"|"pci-dss"|"gdpr"|"soc2",
240
+ * compliancePosture: "hipaa"|"pci-dss"|"gdpr"|"soc2",
241
241
  * bidiPolicy: "reject"|"audit"|"allow",
242
242
  * controlPolicy: "reject"|"audit"|"allow",
243
243
  * nullBytePolicy: "reject"|"audit"|"allow",
@@ -287,7 +287,7 @@ function validate(input, opts) {
287
287
  *
288
288
  * @opts
289
289
  * profile: "strict"|"balanced"|"permissive",
290
- * compliance: "hipaa"|"pci-dss"|"gdpr"|"soc2",
290
+ * compliancePosture: "hipaa"|"pci-dss"|"gdpr"|"soc2",
291
291
  * jinjaPolicy: "reject"|"audit"|"allow",
292
292
  * erbPolicy: "reject"|"audit"|"allow",
293
293
  * pugPolicy: "reject"|"audit"|"allow",
@@ -339,7 +339,7 @@ function sanitize(input, opts) {
339
339
  *
340
340
  * @opts
341
341
  * profile: "strict"|"balanced"|"permissive",
342
- * compliance: "hipaa"|"pci-dss"|"gdpr"|"soc2",
342
+ * compliancePosture: "hipaa"|"pci-dss"|"gdpr"|"soc2",
343
343
  * name: string, // override gate name in audit emissions
344
344
  * jinjaPolicy: "reject"|"audit"|"allow",
345
345
  * erbPolicy: "reject"|"audit"|"allow",
@@ -347,7 +347,7 @@ function _detectIssues(input, opts) {
347
347
  *
348
348
  * @opts
349
349
  * profile: "strict"|"balanced"|"permissive",
350
- * compliance: "hipaa"|"pci-dss"|"gdpr"|"soc2",
350
+ * compliancePosture: "hipaa"|"pci-dss"|"gdpr"|"soc2",
351
351
  * bidiPolicy: "reject"|"strip"|"audit"|"allow",
352
352
  * controlPolicy: "reject"|"strip"|"allow",
353
353
  * nullBytePolicy: "reject"|"strip"|"allow",
@@ -403,7 +403,7 @@ function validate(input, opts) {
403
403
  *
404
404
  * @opts
405
405
  * profile: "strict"|"balanced"|"permissive",
406
- * compliance: "hipaa"|"pci-dss"|"gdpr"|"soc2",
406
+ * compliancePosture: "hipaa"|"pci-dss"|"gdpr"|"soc2",
407
407
  * ...: same shape as b.guardTime.validate opts,
408
408
  *
409
409
  * @example
@@ -442,7 +442,7 @@ function sanitize(input, opts) {
442
442
  * @compliance hipaa, pci-dss, gdpr, soc2
443
443
  * @related b.guardTime.validate, b.guardTime.sanitize, b.guardAll.gate
444
444
  *
445
- * Build an async gate `(ctx) -> { ok, action, issues }` consumable
445
+ * Build a guard gate whose async `check(ctx)` returns `{ ok, action, issues }`, consumable
446
446
  * by `b.guardAll`, audit pipelines, scheduling primitives, and
447
447
  * retention readers. The gate reads `ctx.identifier` (or
448
448
  * `ctx.timestamp` / `ctx.time`), runs `validate`, and maps
@@ -452,15 +452,15 @@ function sanitize(input, opts) {
452
452
  * @opts
453
453
  * name: string, // gate label for audit / observability
454
454
  * profile: "strict"|"balanced"|"permissive",
455
- * compliance: "hipaa"|"pci-dss"|"gdpr"|"soc2",
455
+ * compliancePosture: "hipaa"|"pci-dss"|"gdpr"|"soc2",
456
456
  * ...: same shape as b.guardTime.validate opts,
457
457
  *
458
458
  * @example
459
459
  * var g = b.guardTime.gate({ profile: "strict" });
460
- * var rv = await g({ identifier: "2026-05-05T12:34:56Z" });
460
+ * var rv = await g.check({ identifier: "2026-05-05T12:34:56Z" });
461
461
  * rv.action; // → "serve"
462
462
  *
463
- * var bad = await g({ identifier: "2026-05-05 12:34:56" });
463
+ * var bad = await g.check({ identifier: "2026-05-05 12:34:56" });
464
464
  * bad.action; // → "refuse"
465
465
  */
466
466
  function gate(opts) {
@@ -307,7 +307,7 @@ function _detectIssues(input, opts) {
307
307
  *
308
308
  * @opts
309
309
  * profile: "strict"|"balanced"|"permissive",
310
- * compliance: "hipaa"|"pci-dss"|"gdpr"|"soc2",
310
+ * compliancePosture: "hipaa"|"pci-dss"|"gdpr"|"soc2",
311
311
  * bidiPolicy: "reject"|"strip"|"audit"|"allow",
312
312
  * controlPolicy: "reject"|"strip"|"allow",
313
313
  * nullBytePolicy: "reject"|"strip"|"allow",
@@ -361,7 +361,7 @@ function validate(input, opts) {
361
361
  *
362
362
  * @opts
363
363
  * profile: "strict"|"balanced"|"permissive",
364
- * compliance: "hipaa"|"pci-dss"|"gdpr"|"soc2",
364
+ * compliancePosture: "hipaa"|"pci-dss"|"gdpr"|"soc2",
365
365
  * ...: same shape as b.guardUuid.validate opts,
366
366
  *
367
367
  * @example
@@ -406,7 +406,7 @@ function sanitize(input, opts) {
406
406
  * @compliance hipaa, pci-dss, gdpr, soc2
407
407
  * @related b.guardUuid.validate, b.guardUuid.sanitize, b.guardAll.gate
408
408
  *
409
- * Build an async gate `(ctx) -> { ok, action, issues }` consumable
409
+ * Build a guard gate whose async `check(ctx)` returns `{ ok, action, issues }`, consumable
410
410
  * by `b.guardAll`, ID validators, and any host that handles
411
411
  * UUID-shaped tokens. The gate reads `ctx.identifier` (or
412
412
  * `ctx.uuid`), runs `validate`, and maps severity to action: zero
@@ -416,15 +416,15 @@ function sanitize(input, opts) {
416
416
  * @opts
417
417
  * name: string, // gate label for audit / observability
418
418
  * profile: "strict"|"balanced"|"permissive",
419
- * compliance: "hipaa"|"pci-dss"|"gdpr"|"soc2",
419
+ * compliancePosture: "hipaa"|"pci-dss"|"gdpr"|"soc2",
420
420
  * ...: same shape as b.guardUuid.validate opts,
421
421
  *
422
422
  * @example
423
423
  * var g = b.guardUuid.gate({ profile: "strict" });
424
- * var rv = await g({ identifier: "550e8400-e29b-41d4-a716-446655440000" });
424
+ * var rv = await g.check({ identifier: "550e8400-e29b-41d4-a716-446655440000" });
425
425
  * rv.action; // → "serve"
426
426
  *
427
- * var bad = await g({ identifier: "{550e8400-e29b-41d4-a716-446655440000}" });
427
+ * var bad = await g.check({ identifier: "{550e8400-e29b-41d4-a716-446655440000}" });
428
428
  * bad.action; // → "refuse"
429
429
  */
430
430
  function gate(opts) {
@@ -371,7 +371,7 @@ function _detectIssues(input, opts) {
371
371
  *
372
372
  * Inspect `input` (string of XML source) for the full guard-xml
373
373
  * threat catalog without invoking a parser. Returns
374
- * `{ ok, issues, severities }` where `issues` enumerates every
374
+ * `{ ok, issues }` where `issues` enumerates every
375
375
  * DOCTYPE declaration, `<!ENTITY>` definition (including parameter
376
376
  * entities), SYSTEM/PUBLIC external-entity reference, XInclude
377
377
  * directive, xsi:schemaLocation hint, processing instruction (after
@@ -388,7 +388,7 @@ function _detectIssues(input, opts) {
388
388
  *
389
389
  * @opts
390
390
  * profile: "strict"|"balanced"|"permissive",
391
- * compliance: "hipaa"|"pci-dss"|"gdpr"|"soc2",
391
+ * compliancePosture: "hipaa"|"pci-dss"|"gdpr"|"soc2",
392
392
  * doctypePolicy: "reject"|"audit"|"allow",
393
393
  * entityPolicy: "reject"|"audit"|"allow",
394
394
  * externalEntityPolicy: "reject"|"audit"|"allow",
@@ -455,7 +455,7 @@ function validate(input, opts) {
455
455
  *
456
456
  * @opts
457
457
  * profile: "strict"|"balanced"|"permissive",
458
- * compliance: "hipaa"|"pci-dss"|"gdpr"|"soc2",
458
+ * compliancePosture: "hipaa"|"pci-dss"|"gdpr"|"soc2",
459
459
  * bidiPolicy: "reject"|"strip"|"audit"|"allow",
460
460
  * controlPolicy: "reject"|"strip"|"allow",
461
461
  * nullBytePolicy: "reject"|"strip"|"allow",
@@ -514,7 +514,7 @@ function sanitize(input, opts) {
514
514
  *
515
515
  * @opts
516
516
  * profile: "strict"|"balanced"|"permissive",
517
- * compliance: "hipaa"|"pci-dss"|"gdpr"|"soc2",
517
+ * compliancePosture: "hipaa"|"pci-dss"|"gdpr"|"soc2",
518
518
  * name: string, // gate identity for audit / observability
519
519
  *
520
520
  * @example
@@ -58,7 +58,7 @@
58
58
  *
59
59
  * Profiles: `strict` / `balanced` / `permissive`. Compliance
60
60
  * postures: `hipaa` / `pci-dss` / `gdpr` / `soc2`. Operators select
61
- * via `{ profile: "strict" }` or `{ compliance: "hipaa" }`;
61
+ * via `{ profile: "strict" }` or `{ compliancePosture: "hipaa" }`;
62
62
  * postures overlay on top of the profile baseline.
63
63
  *
64
64
  * @card
@@ -452,7 +452,7 @@ function _detectDuplicateKeysYaml(text) {
452
452
  *
453
453
  * Inspect `input` (string of YAML source) for the full guard-yaml
454
454
  * threat catalog without committing to a parsed value. Returns
455
- * `{ ok, issues, severities }` where `issues` is the aggregated
455
+ * `{ ok, issues }` where `issues` is the aggregated
456
456
  * detector output — every dangerous-tag prefix, custom-tag use,
457
457
  * anchor / alias amplification, multi-document split, Norway-
458
458
  * problem implicit boolean, leading-zero octal, merge-key chain,
@@ -468,7 +468,7 @@ function _detectDuplicateKeysYaml(text) {
468
468
  *
469
469
  * @opts
470
470
  * profile: "strict"|"balanced"|"permissive",
471
- * compliance: "hipaa"|"pci-dss"|"gdpr"|"soc2",
471
+ * compliancePosture: "hipaa"|"pci-dss"|"gdpr"|"soc2",
472
472
  * tagPolicy: "reject"|"audit"|"allow",
473
473
  * aliasPolicy: "reject"|"audit"|"allow",
474
474
  * multiDocPolicy: "reject"|"audit"|"allow",
@@ -535,7 +535,7 @@ function validate(input, opts) {
535
535
  *
536
536
  * @opts
537
537
  * profile: "strict"|"balanced"|"permissive",
538
- * compliance: "hipaa"|"pci-dss"|"gdpr"|"soc2",
538
+ * compliancePosture: "hipaa"|"pci-dss"|"gdpr"|"soc2",
539
539
  * tagPolicy: "reject"|"audit"|"allow",
540
540
  * aliasPolicy: "reject"|"audit"|"allow",
541
541
  * maxBytes: number, maxDepth: number, maxNodes: number,
@@ -586,7 +586,7 @@ function parse(input, opts) {
586
586
  *
587
587
  * @opts
588
588
  * profile: "strict"|"balanced"|"permissive",
589
- * compliance: "hipaa"|"pci-dss"|"gdpr"|"soc2",
589
+ * compliancePosture: "hipaa"|"pci-dss"|"gdpr"|"soc2",
590
590
  * name: string, // gate identity for audit / observability
591
591
  *
592
592
  * @example
@@ -125,8 +125,9 @@ function _serParam(name, value) {
125
125
  * Build an HTTP <code>Link</code> header value from an array of
126
126
  * <code>{ uri, rel, params? }</code> (or a single such object). The URI
127
127
  * is angle-bracketed, <code>rel</code> (string or array) is emitted
128
- * first, and parameters are token-valued when they fit RFC 7230 token
129
- * grammar or double-quoted otherwise. Useful for emitting standard REST
128
+ * first, and every parameter value is double-quoted (always valid under
129
+ * RFC 8288, and required for space-separated multi-rel and media-type
130
+ * values like <code>text/html</code>). Useful for emitting standard REST
130
131
  * pagination links.
131
132
  *
132
133
  * @example
@@ -156,8 +156,10 @@ var COMPOSE_HINT = Object.freeze({
156
156
  * @related b.mailStore, b.mail.agent.consumer
157
157
  *
158
158
  * Create the agent facade. Returns an object with read / write / sieve
159
- * / identity / mdn / export / import / consumer methods. Reads stay
160
- * synchronous-shaped via promises; writes audit on completion.
159
+ * / identity / mdn / export / import methods. Reads stay
160
+ * synchronous-shaped via promises; writes audit on completion. (The
161
+ * queue consumer is the sibling export <code>b.mail.agent.consumer</code>,
162
+ * not a method on this object.)
161
163
  *
162
164
  * @opts
163
165
  * store: b.mailStore instance, // required
@@ -34,8 +34,9 @@
34
34
  * subjectAltName URI matches the BIMI domain, and confirms the
35
35
  * cert carries the BIMI mark-verification policy OID
36
36
  * (1.3.6.1.5.5.7.3.31). The verified mark is returned as
37
- * { svg, evidenceDocument } pulled from RFC 3709 logotype extension
38
- * when present.
37
+ * { svg, evidenceDocument } — `svg` pulled from the RFC 3709
38
+ * logotype extension when present, `evidenceDocument` echoed from the
39
+ * operator-supplied opts.evidenceDocument.
39
40
  *
40
41
  * `validateTinyPsSvg` enforces the AuthIndicators-WG Tiny PS subset:
41
42
  * single root <svg>, version="1.2", baseProfile="tiny-ps", viewBox
@@ -57,19 +57,15 @@
57
57
  * to a known operator key rather than trusting any key that
58
58
  * happens to match the signature.
59
59
  *
60
- * Deferred from v1 (each with the documented condition for opting in):
60
+ * Now live (promoted to the stable top-level surface in v0.11.32):
61
61
  * - In-process encrypt + decrypt (Message Encrypted Session Key +
62
62
  * Symmetrically Encrypted Integrity Protected Data packets,
63
- * RFC 9580 §5.1 / §5.13) and WKD key discovery (draft-koch-
64
- * openpgp-webkey-service). Defer condition: ships in v0.10.14
65
- * alongside `b.mail.crypto.smime` sign + verify the CMS
66
- * substrate `b.cms` landed in v0.10.13 unblocked the S/MIME
67
- * side, and OpenPGP encrypt rides the same release so the
68
- * mail-crypto surface lights up coherently rather than half-
69
- * on-each-side across two patches. Cheap escape hatch (pre-
70
- * v0.10.14): operators wire a third-party OpenPGP library in
71
- * their own consumer code and call this module's sign() /
72
- * verify() on the resulting cleartext blob.
63
+ * RFC 9580 §5.1 / §5.13) as `b.mail.crypto.pgp.encrypt` /
64
+ * `.decrypt`, and WKD key discovery (draft-koch-openpgp-webkey-
65
+ * service) as `b.mail.crypto.pgp.wkd` all on the same `b.cms`
66
+ * substrate that backs S/MIME sign/verify.
67
+ *
68
+ * Deferred (with the documented condition for opting in):
73
69
  * - v6 signature packets (RFC 9580 §5.2.3, packet version 6 with
74
70
  * SHA2-512 fingerprints and salted hashes). Defer condition: v6
75
71
  * is not yet emitted by GnuPG 2.4 LTS or by Sequoia stable, so
@@ -670,14 +670,15 @@ function _wrapBase64(s) {
670
670
  * Operator-side cert preflight that lights up at boot: refuses
671
671
  * SHA-1 / MD5 signatures, RSA keys < 2048 bits, MD2 / MD5 / SHA-1
672
672
  * as the certificate-signature algorithm. Returns the parsed cert
673
- * shape (subject CN, issuer CN, validFrom / validTo, key algorithm
674
- * + size, signature algorithm). Throws `mail-crypto/smime/bad-cert`
675
- * on any of the above; throws `mail-crypto/smime/expired-cert` if
676
- * the cert is outside its validity window.
673
+ * shape: the full subject / issuer DN strings, the validity window,
674
+ * the signature algorithm (name + OID), the key type, and the SHA-256
675
+ * fingerprint. Throws `mail-crypto/smime/bad-cert` on any of the above;
676
+ * throws `mail-crypto/smime/expired-cert` if the cert is outside its
677
+ * validity window.
677
678
  *
678
679
  * @example
679
680
  * var info = b.mail.crypto.smime.checkCert({ certPem: pem });
680
- * // → { subjectCN, issuerCN, validFrom, validTo, keyAlg, keyBits, sigAlg }
681
+ * // → { subject, issuer, validFrom, validTo, sigAlgName, sigAlgOid, keyType, fingerprint256 }
681
682
  */
682
683
  function checkCert(opts) {
683
684
  opts = validateOpts.requireObject(opts, "mail.crypto.smime.checkCert",
@@ -22,11 +22,11 @@
22
22
  * (pub-alg 1, EMSA-PKCS1-v1_5 + SHA-256, 2048-bit floor per
23
23
  * RFC 8301).
24
24
  * - `b.mail.crypto.smime` — S/MIME 4.0 per RFC 8551 with CMS
25
- * SignedData per RFC 5652. v1 surface: checkCert() the
26
- * operator-side preflight that refuses SHA-1 / MD5 / < 2048-bit
27
- * RSA certs at boot. sign() + verify() are DEFERRED in v1; see
28
- * the @intro block in lib/mail-crypto-smime.js for the deferral
29
- * conditions and the operator escape hatch.
25
+ * SignedData per RFC 5652. Surface: sign() + verify() + verifyAll()
26
+ * (built on the `b.cms` substrate digest recompute + timing-safe
27
+ * compare + PQC signature verify + X.509 chain walk) plus
28
+ * checkCert(), the operator-side preflight that refuses SHA-1 /
29
+ * MD5 / < 2048-bit RSA certs at boot.
30
30
  *
31
31
  * Both sub-namespaces share `MailCryptoError` (FrameworkError
32
32
  * subclass via defineClass with alwaysPermanent: true) so operator
@@ -90,8 +90,9 @@ var DEFAULT_FOLDERS = Object.freeze([
90
90
  * @related b.safeMime, b.guardMessageId, b.cryptoField
91
91
  *
92
92
  * Build a mail-store handle. Returns an object with `appendMessage` /
93
- * `fetchByObjectId` / `queryByModseq` / `setFlags` / `createFolder` /
94
- * `listFolders` / `threadFor` / `quota` / `setLegalHold` / `destroy`.
93
+ * `fetchByObjectId` / `search` / `queryByModseq` / `setFlags` /
94
+ * `createFolder` / `listFolders` / `threadFor` / `quota` /
95
+ * `moveMessages` / `setLegalHold` / `hardExpunge`.
95
96
  *
96
97
  * @opts
97
98
  * backend: object, // required — sqlite-shaped { prepare(sql) → { run, get, all }, transaction(fn) }