@blamejs/blamejs-shop 0.2.12 → 0.2.14

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (113) hide show
  1. package/CHANGELOG.md +4 -0
  2. package/README.md +1 -1
  3. package/lib/admin.js +616 -21
  4. package/lib/asset-manifest.json +5 -5
  5. package/lib/catalog.js +19 -0
  6. package/lib/storefront.js +1 -1
  7. package/lib/vendor/MANIFEST.json +3 -3
  8. package/lib/vendor/blamejs/.github/workflows/actions-lint.yml +71 -23
  9. package/lib/vendor/blamejs/.github/workflows/cflite_batch.yml +2 -0
  10. package/lib/vendor/blamejs/.github/workflows/cflite_pr.yml +2 -0
  11. package/lib/vendor/blamejs/.github/workflows/ci.yml +17 -0
  12. package/lib/vendor/blamejs/.github/workflows/npm-publish.yml +18 -10
  13. package/lib/vendor/blamejs/.github/workflows/release-container.yml +29 -16
  14. package/lib/vendor/blamejs/.github/workflows/sha-to-tag-verify.yml +22 -3
  15. package/lib/vendor/blamejs/.github/zizmor.yml +29 -0
  16. package/lib/vendor/blamejs/.pinact.yaml +24 -8
  17. package/lib/vendor/blamejs/CHANGELOG.md +20 -0
  18. package/lib/vendor/blamejs/api-snapshot.json +6 -2
  19. package/lib/vendor/blamejs/lib/agent-idempotency.js +50 -10
  20. package/lib/vendor/blamejs/lib/agent-orchestrator.js +58 -5
  21. package/lib/vendor/blamejs/lib/agent-saga.js +8 -4
  22. package/lib/vendor/blamejs/lib/agent-tenant.js +56 -4
  23. package/lib/vendor/blamejs/lib/agent-trace.js +4 -3
  24. package/lib/vendor/blamejs/lib/ai-adverse-decision.js +1 -1
  25. package/lib/vendor/blamejs/lib/archive-wrap.js +1 -1
  26. package/lib/vendor/blamejs/lib/audit-daily-review.js +3 -3
  27. package/lib/vendor/blamejs/lib/audit.js +11 -8
  28. package/lib/vendor/blamejs/lib/auth/jwt.js +7 -4
  29. package/lib/vendor/blamejs/lib/auth/saml.js +2 -2
  30. package/lib/vendor/blamejs/lib/calendar.js +14 -10
  31. package/lib/vendor/blamejs/lib/circuit-breaker.js +6 -4
  32. package/lib/vendor/blamejs/lib/compliance-ai-act-transparency.js +2 -2
  33. package/lib/vendor/blamejs/lib/compliance.js +7 -9
  34. package/lib/vendor/blamejs/lib/cookies.js +2 -2
  35. package/lib/vendor/blamejs/lib/cose.js +1 -1
  36. package/lib/vendor/blamejs/lib/crypto-field.js +8 -3
  37. package/lib/vendor/blamejs/lib/data-act.js +4 -3
  38. package/lib/vendor/blamejs/lib/did.js +1 -1
  39. package/lib/vendor/blamejs/lib/file-upload.js +18 -1
  40. package/lib/vendor/blamejs/lib/guard-archive.js +2 -2
  41. package/lib/vendor/blamejs/lib/guard-auth.js +5 -5
  42. package/lib/vendor/blamejs/lib/guard-cidr.js +4 -4
  43. package/lib/vendor/blamejs/lib/guard-csv.js +6 -6
  44. package/lib/vendor/blamejs/lib/guard-domain.js +4 -4
  45. package/lib/vendor/blamejs/lib/guard-email.js +6 -5
  46. package/lib/vendor/blamejs/lib/guard-filename.js +4 -4
  47. package/lib/vendor/blamejs/lib/guard-graphql.js +5 -5
  48. package/lib/vendor/blamejs/lib/guard-html.js +2 -2
  49. package/lib/vendor/blamejs/lib/guard-image.js +1 -1
  50. package/lib/vendor/blamejs/lib/guard-json.js +5 -5
  51. package/lib/vendor/blamejs/lib/guard-jsonpath.js +4 -4
  52. package/lib/vendor/blamejs/lib/guard-jwt.js +5 -5
  53. package/lib/vendor/blamejs/lib/guard-markdown.js +6 -6
  54. package/lib/vendor/blamejs/lib/guard-mime.js +6 -6
  55. package/lib/vendor/blamejs/lib/guard-oauth.js +5 -5
  56. package/lib/vendor/blamejs/lib/guard-pdf.js +1 -1
  57. package/lib/vendor/blamejs/lib/guard-regex.js +4 -4
  58. package/lib/vendor/blamejs/lib/guard-shell.js +4 -4
  59. package/lib/vendor/blamejs/lib/guard-svg.js +5 -5
  60. package/lib/vendor/blamejs/lib/guard-template.js +4 -4
  61. package/lib/vendor/blamejs/lib/guard-time.js +6 -6
  62. package/lib/vendor/blamejs/lib/guard-uuid.js +6 -6
  63. package/lib/vendor/blamejs/lib/guard-xml.js +4 -4
  64. package/lib/vendor/blamejs/lib/guard-yaml.js +5 -5
  65. package/lib/vendor/blamejs/lib/link-header.js +3 -2
  66. package/lib/vendor/blamejs/lib/mail-agent.js +4 -2
  67. package/lib/vendor/blamejs/lib/mail-bimi.js +3 -2
  68. package/lib/vendor/blamejs/lib/mail-crypto-pgp.js +7 -11
  69. package/lib/vendor/blamejs/lib/mail-crypto-smime.js +6 -5
  70. package/lib/vendor/blamejs/lib/mail-crypto.js +5 -5
  71. package/lib/vendor/blamejs/lib/mail-store.js +3 -2
  72. package/lib/vendor/blamejs/lib/mcp.js +2 -3
  73. package/lib/vendor/blamejs/lib/middleware/age-gate.js +10 -6
  74. package/lib/vendor/blamejs/lib/middleware/ai-act-disclosure.js +1 -1
  75. package/lib/vendor/blamejs/lib/middleware/api-encrypt.js +3 -3
  76. package/lib/vendor/blamejs/lib/middleware/compose-pipeline.js +1 -1
  77. package/lib/vendor/blamejs/lib/middleware/csp-nonce.js +2 -2
  78. package/lib/vendor/blamejs/lib/middleware/flag-context.js +1 -1
  79. package/lib/vendor/blamejs/lib/middleware/rate-limit.js +2 -2
  80. package/lib/vendor/blamejs/lib/middleware/require-auth.js +2 -1
  81. package/lib/vendor/blamejs/lib/queue-redis.js +9 -0
  82. package/lib/vendor/blamejs/lib/queue.js +17 -1
  83. package/lib/vendor/blamejs/lib/retry.js +26 -0
  84. package/lib/vendor/blamejs/lib/router.js +4 -1
  85. package/lib/vendor/blamejs/lib/safe-decompress.js +3 -2
  86. package/lib/vendor/blamejs/lib/safe-icap.js +3 -2
  87. package/lib/vendor/blamejs/lib/safe-mime.js +1 -1
  88. package/lib/vendor/blamejs/lib/safe-smtp.js +1 -1
  89. package/lib/vendor/blamejs/lib/sec-cyber.js +1 -1
  90. package/lib/vendor/blamejs/lib/storage.js +20 -16
  91. package/lib/vendor/blamejs/lib/tsa.js +2 -1
  92. package/lib/vendor/blamejs/lib/vault/index.js +1 -0
  93. package/lib/vendor/blamejs/lib/vault-aad.js +2 -2
  94. package/lib/vendor/blamejs/package.json +1 -1
  95. package/lib/vendor/blamejs/release-notes/v0.13.23.json +42 -0
  96. package/lib/vendor/blamejs/release-notes/v0.13.24.json +26 -0
  97. package/lib/vendor/blamejs/release-notes/v0.13.25.json +39 -0
  98. package/lib/vendor/blamejs/release-notes/v0.13.26.json +31 -0
  99. package/lib/vendor/blamejs/release-notes/v0.13.27.json +34 -0
  100. package/lib/vendor/blamejs/release-notes/v0.13.28.json +30 -0
  101. package/lib/vendor/blamejs/release-notes/v0.13.29.json +30 -0
  102. package/lib/vendor/blamejs/release-notes/v0.13.30.json +30 -0
  103. package/lib/vendor/blamejs/release-notes/v0.13.31.json +26 -0
  104. package/lib/vendor/blamejs/release-notes/v0.13.32.json +34 -0
  105. package/lib/vendor/blamejs/test/20-db.js +30 -0
  106. package/lib/vendor/blamejs/test/integration/queue-redis.test.js +14 -0
  107. package/lib/vendor/blamejs/test/layer-0-primitives/agent-idempotency.test.js +37 -0
  108. package/lib/vendor/blamejs/test/layer-0-primitives/agent-orchestrator.test.js +37 -0
  109. package/lib/vendor/blamejs/test/layer-0-primitives/agent-tenant.test.js +26 -0
  110. package/lib/vendor/blamejs/test/layer-0-primitives/audit-daily-review.test.js +9 -0
  111. package/lib/vendor/blamejs/test/layer-0-primitives/retry.test.js +25 -0
  112. package/lib/vendor/blamejs/test/smoke.js +25 -0
  113. package/package.json +1 -1
@@ -0,0 +1,30 @@
1
+ {
2
+ "$schema": "../scripts/release-notes-schema.json",
3
+ "version": "0.13.28",
4
+ "date": "2026-05-28",
5
+ "headline": "Queue retry backoff now applies on the Redis backend; static-serve path-containment edge closed",
6
+ "summary": "Two behavioral fixes plus doc corrections. The Redis queue backend silently discarded the documented retry backoff: b.queue.consume passes the delay as `{ retryDelayMs }` (the shape the local backend reads), but the Redis backend's fail() accepted only a bare-number third argument, so the object failed its numeric check and the delay was forced to 0 — a failing job re-leased immediately instead of waiting 1s/2s/4s/…, a retry storm under failure. The Redis backend now accepts the object form, so the exponential backoff applies as documented (verified by an integration test against real Redis). Separately, b.router.serveStatic's path-containment check used a bare string prefix, so a sibling directory whose name extends the root (root `/srv/public` vs `/srv/public-evil`) could pass; it now anchors on a path separator. Also: b.fileUpload now surfaces (via an observability counter) when a configured content-safety gate is skipped because an upload streamed past the reassembly cap, and documents that boundary; and b.cookies.parse's example output is corrected.",
7
+ "sections": [
8
+ {
9
+ "heading": "Fixed",
10
+ "items": [
11
+ {
12
+ "title": "Redis queue backend honors the documented retry backoff",
13
+ "body": "`b.queue.consume` re-pends a failed job with deterministic exponential backoff (1s base, 5min cap) by calling the backend's `fail()` with `{ retryDelayMs }`. The Redis backend's `fail()` accepted only a bare-number third argument, so the object failed its `typeof === \"number\"` check and the delay was reset to 0 — a failing job became immediately re-leasable, hot-looping instead of backing off. `fail()` now accepts both the object form (as the local backend does) and a bare number, so the backoff applies on Redis. An integration test against real Redis pins it."
14
+ },
15
+ {
16
+ "title": "`b.router.serveStatic` path-containment anchors on a separator",
17
+ "body": "The containment check was `resolvedPath.startsWith(root)`, which a sibling directory sharing the root's name as a prefix (root `/srv/public` vs `/srv/public-evil`) could satisfy. It now requires the resolved path to equal `root` or start with `root + path.sep`, closing the sibling-prefix edge (`b.staticServe.create` remains the hardened serving path, with realpath + filename gating)."
18
+ },
19
+ {
20
+ "title": "`b.fileUpload` surfaces content-safety gate skips on oversized streamed uploads",
21
+ "body": "The byte-level content-safety gate inspects the reassembled buffer, so it runs on uploads up to `maxStreamReassemblyBytes` (default 64 MiB); a larger upload is handed to `onFinalize` as a stream and the byte-content gate is skipped (MIME-sniff and filename gates still run). That skip now emits a `fileUpload.content_safety_skipped_streamed` observability counter instead of passing silently, and the limit is documented. To guarantee content-gating of a type, cap `maxFileBytes` at or below `maxStreamReassemblyBytes`."
22
+ },
23
+ {
24
+ "title": "`b.cookies.parse` example output corrected",
25
+ "body": "The example claimed `theme=%22dark%22` parses to `theme: \"dark\"`, but quote-stripping runs before percent-decoding, so the literal quotes survive. The example now uses `theme=dark%20mode` → `theme: \"dark mode\"`, which demonstrates percent-decoding without the quote-strip-ordering quirk."
26
+ }
27
+ ]
28
+ }
29
+ ]
30
+ }
@@ -0,0 +1,30 @@
1
+ {
2
+ "$schema": "../scripts/release-notes-schema.json",
3
+ "version": "0.13.29",
4
+ "date": "2026-05-28",
5
+ "headline": "Doc corrections: AI Act disclosure kind values, SQS queue model, age-gate coupling",
6
+ "summary": "Documentation corrections. The most actionable: b.middleware.aiActDisclosure's @opts listed two EU AI Act transparency `kind` values (`deepfake` and `synthetic-content`) that the middleware does not accept, so they threw at construction; the accepted values use the hyphenated Art. 50 spellings (e.g. `deep-fake`) and include a text-public-interest variant the enum omitted — an operator copying the documented values crashed a compliance middleware at boot. The b.queue docs implied the SQS backend is driven by the generic b.queue.consume loop like local/redis; SQS is actually an SQS-native adapter (complete/fail by message receipt handle, server-side redrive) driven directly, and the docs now say so. b.middleware.ageGate's `requireAge` 451 floor is documented as taking effect only alongside `consentRequired` (it was silently inert without it). Plus a compose-pipeline @since and a flag-context @related correction. No code behavior changed.",
7
+ "sections": [
8
+ {
9
+ "heading": "Fixed",
10
+ "items": [
11
+ {
12
+ "title": "`b.middleware.aiActDisclosure` documents the accepted `kind` values",
13
+ "body": "The `@opts` listed `kind` as `ai-interaction | deepfake | emotion-recognition | biometric-categorisation | synthetic-content`. Two of those — `deepfake` and `synthetic-content` — are not accepted and threw at construction; the EU AI Act Art. 50 values use hyphenated spellings (e.g. `deep-fake`, the generated-content variant) and include `ai-text-public-interest`, which the documented enum omitted. The `@opts` now lists the full set the middleware accepts."
14
+ },
15
+ {
16
+ "title": "`b.queue` SQS backend documented as SQS-native, not consume-driven",
17
+ "body": "The module docs implied the `sqs` backend is interchangeable with `local`/`redis` under the generic `b.queue.consume` loop. SQS is an SQS-native adapter: `complete` / `fail` act on the message's `receiptHandle` (returned by `lease()`, threaded back by the caller), and DLQ + visibility-expiry are handled server-side by the queue's RedrivePolicy. The docs now state that `sqs` is driven directly (lease → handle → complete/fail) rather than by `b.queue.consume`, and does not use the framework DLQ / sweep."
18
+ },
19
+ {
20
+ "title": "`b.middleware.ageGate` documents the `requireAge` / `consentRequired` coupling",
21
+ "body": "`requireAge` (the HTTP 451 legal floor) is evaluated within the consent classification, so it takes effect only when `consentRequired` is also set — `requireAge` alone, with `consentRequired: null`, never classifies a request as below-threshold and the 451 never fires. The `@opts` and prose now state this coupling instead of presenting `requireAge` as a standalone threshold."
22
+ },
23
+ {
24
+ "title": "Smaller doc corrections",
25
+ "body": "`b.middleware.composePipeline`'s `@since` is corrected to 0.9.43 (its actual ship version). `b.middleware.flagContext`'s `@related` pointed at a non-existent `b.flagClient.getBoolean`; it now references `b.flag.create`."
26
+ }
27
+ ]
28
+ }
29
+ ]
30
+ }
@@ -0,0 +1,30 @@
1
+ {
2
+ "$schema": "../scripts/release-notes-schema.json",
3
+ "version": "0.13.30",
4
+ "date": "2026-05-28",
5
+ "headline": "Doc corrections in the safe-* parsers (defaults, an error code, an example, a status list)",
6
+ "summary": "Four documentation corrections in the safe-* input parsers; no code behavior changed. The parsers' enforced limits and controls are unchanged — these align the docs with what the code already does. b.safeMime.parse's documented default transfer-encoding allowlist listed `binary`, which is excluded by default (opt-in per RFC 3030 BINARYMIME). b.safeDecompress documented a refusal code (`output-too-large`) it never emits — an absolute-size bomb surfaces under `decompress-failed`. b.safeSmtp.findDotTerminator's example output was off by one. b.safeIcap's intro status-code summary omitted 404 / 405 / 408 (the detailed block already listed them).",
7
+ "sections": [
8
+ {
9
+ "heading": "Fixed",
10
+ "items": [
11
+ {
12
+ "title": "`b.safeMime.parse` documents the actual default transfer-encoding allowlist",
13
+ "body": "The `@opts` default listed `7bit/8bit/binary/qp/base64`, but `binary` is deliberately excluded by default (RFC 3030 BINARYMIME is opt-in); the default is `7bit/8bit/quoted-printable/base64`. The doc now matches, so operators don't expect inbound `Content-Transfer-Encoding: binary` parts to pass without opting in."
14
+ },
15
+ {
16
+ "title": "`b.safeDecompress` names the real absolute-size-bomb refusal code",
17
+ "body": "The refusal-posture list documented `safe-decompress/output-too-large` for a bomb-by-absolute-size, but that code is never emitted — zlib's `maxOutputLength` throws before allocation and the failure surfaces as `safe-decompress/decompress-failed`. The doc now names the code an operator branching on the result will actually see (the ratio, output-byte, and compressed-input caps are unchanged and enforced)."
18
+ },
19
+ {
20
+ "title": "`b.safeSmtp.findDotTerminator` example output corrected",
21
+ "body": "The example claimed the `\\r\\n.\\r\\n` terminator in `\"Hello world.\\r\\n.\\r\\n\"` is at index 13; it is at index 12. The example now shows 12 (the implementation was already correct)."
22
+ },
23
+ {
24
+ "title": "`b.safeIcap` intro status-code summary lists 404 / 405 / 408",
25
+ "body": "The intro summary said only `100 / 200 / 204 / 400 / 403 / 5xx` are honored, but the parser also accepts `404 / 405 / 408` (legitimate RFC 3507 §4.3.3 codes, already listed in the detailed `parse` block). The intro summary now matches."
26
+ }
27
+ ]
28
+ }
29
+ ]
30
+ }
@@ -0,0 +1,26 @@
1
+ {
2
+ "$schema": "../scripts/release-notes-schema.json",
3
+ "version": "0.13.31",
4
+ "date": "2026-05-28",
5
+ "headline": "Circuit-breaker onStateChange callback now fires; mcp / vault-aad doc corrections",
6
+ "summary": "b.circuitBreaker documented an `onStateChange` callback (both an option and an `onStateChange(handler)` registration method) plus a state-change payload, but the callback was never invoked — only an observability event fired. The callback is now implemented: it fires on every transition with `{ name, from, to, at }`, the registration method works, and a non-function handler is rejected at construction. The same primitive's docs are corrected to name the real accessor (`getState()`, not `state()`) and drop a never-read `audit` option. Plus two doc-only corrections: b.mcp.toolResult.sanitize described composing b.guardHtml / b.ai.input.classify (it uses built-in detection) and documented a `classifyInput` option it never read; and b.vault.aad's prose said HKDF-SHAKE256 where the derivation is SHAKE256 (the AEAD AAD-binding itself is unchanged and sound).",
7
+ "sections": [
8
+ {
9
+ "heading": "Fixed",
10
+ "items": [
11
+ {
12
+ "title": "`b.circuitBreaker` onStateChange callback is invoked on every transition",
13
+ "body": "The `onStateChange` option and the `onStateChange(handler)` registration method are now wired: each registered handler is called with `{ name, from, to, at }` on every state transition (closed→open, open→half, half→closed/open), alongside the existing `breaker.state.change` observability event. A non-function `onStateChange` is rejected at construction. Previously the documented callback never fired. The docs are also corrected to name the real state accessor `getState()` (there is a `state` property, so `state()` was never a method) and to drop a never-read `audit` option."
14
+ },
15
+ {
16
+ "title": "`b.mcp.toolResult.sanitize` documents its actual detection and options",
17
+ "body": "The prose said the sanitizer composes `b.guardHtml`'s strict profile and `b.ai.input.classify`; it uses built-in dangerous-HTML and prompt-injection-marker detection. The `@opts` also listed a `classifyInput` override the function never read. The prose now describes the built-in detection and the unwired `classifyInput` option is removed. The fail-closed refusal behavior (default `posture: \"refuse\"`) is unchanged."
18
+ },
19
+ {
20
+ "title": "`b.vault.aad` derivation named correctly (SHAKE256)",
21
+ "body": "The module prose described the per-binding key derivation as HKDF-SHAKE256; it is SHAKE256 over the vault root concatenated with the binding inputs (no HKDF extract/expand). The AEAD AAD-binding to (table, row, column, schema version) — the file's actual security guarantee — is unchanged and sound; only the KDF name in the doc was wrong."
22
+ }
23
+ ]
24
+ }
25
+ ]
26
+ }
@@ -0,0 +1,34 @@
1
+ {
2
+ "$schema": "../scripts/release-notes-schema.json",
3
+ "version": "0.13.32",
4
+ "date": "2026-05-28",
5
+ "headline": "`b.auditDailyReview` enforces notify under the sox-404 posture; compliance doc corrections",
6
+ "summary": "b.auditDailyReview documented `sox-404` (SOX §404 ICFR — the internal-controls regime this primitive serves) as one of the postures that make a `notify` callback mandatory at construction, but the enforcement set used only `sox`, so pinning `posture: \"sox-404\"` without a notify channel was silently accepted. `sox-404` is now in the mandatory-notify set, so the advertised guarantee holds (a regression test pins it). The rest are documentation corrections with no behavior change: b.compliance.posturesByDomain / posturesByJurisdiction examples showed small fixed arrays where the functions return every matching posture (the catalog has grown); b.dataAct's surface list named two methods that do not exist (the real surface is declareProduct / recordUserAccess / shareWithThirdParty / recordSwitchRequest, with gatekeeper refusal folded into shareWithThirdParty); b.secCyber.eightKArtifact's documented return key `audit` is actually `deadlineBusinessDays`; and b.compliance.aiAct.transparency's helper summary named `cspMetaTag` / a `watermark({ kind })` argument that are really `metaTags` / `watermark({ mediaKind })`.",
7
+ "sections": [
8
+ {
9
+ "heading": "Fixed",
10
+ "items": [
11
+ {
12
+ "title": "`b.auditDailyReview` requires a notify channel under the `sox-404` posture",
13
+ "body": "The docs listed `sox-404` among the postures that make a `notify` callback mandatory at create-time, but the enforcement set contained only `sox` — so `posture: \"sox-404\"` without `notify` was accepted instead of refused. `sox-404` (SOX §404 ICFR) is now in the mandatory-notify set, matching the documented guarantee; constructing without a notify channel under it throws `auditDailyReview/notify-required-under-posture`."
14
+ },
15
+ {
16
+ "title": "`b.compliance` jurisdiction/domain lister examples no longer enumerate a stale fixed set",
17
+ "body": "`posturesByDomain` and `posturesByJurisdiction` return every posture matching the domain/jurisdiction, but their `@example`s showed small fixed arrays from before the posture catalog grew. The examples now show a representative prefix with `...` and note they return the full matching set."
18
+ },
19
+ {
20
+ "title": "`b.dataAct` surface list matches the real methods",
21
+ "body": "The module surface listed `userAccessible(...)` and `refuseGatekeeper(...)`, neither of which exists. The real surface is `declareProduct` / `recordUserAccess` / `shareWithThirdParty` / `recordSwitchRequest`, and DMA-gatekeeper refusal (Art 32 §1) is enforced inside `shareWithThirdParty`. The doc now reflects that."
22
+ },
23
+ {
24
+ "title": "`b.secCyber.eightKArtifact` documented return shape corrected",
25
+ "body": "The signature line showed `{ artifact, deadline, audit }`; the function returns `{ artifact, deadline, deadlineBusinessDays }` (there is no `audit` key). The doc now matches."
26
+ },
27
+ {
28
+ "title": "`b.compliance.aiAct.transparency` helper names corrected",
29
+ "body": "The helper summary named a `cspMetaTag(...)` function and a `watermark({ kind })` argument; the real names are `metaTags(...)` and `watermark({ mediaKind })`. Calling the documented names threw. Also corrected: a `b.aiAdverseDecision` illustration showed an ECOA `statutoryDeadlines` shape that didn't match the regime's actual deadlines."
30
+ }
31
+ ]
32
+ }
33
+ ]
34
+ }
@@ -427,11 +427,41 @@ async function testCrossSchemaAttach() {
427
427
  }
428
428
  }
429
429
 
430
+ async function testUnsealRowNullsForgedValue() {
431
+ // Security regression (CRYPTO-1): an unseal failure — a DB-write
432
+ // attacker's forged `vault:<…>` payload, or a valid ciphertext copied
433
+ // to a different row (AAD mismatch) — must NULL the column so
434
+ // downstream sees "no value", not the attacker-crafted string. A prior
435
+ // `unsealed ? unsealed : out[field]` write-back silently kept the
436
+ // forged value on failure, defeating the documented defense.
437
+ var tmpDir = fs.mkdtempSync(path.join(os.tmpdir(), "blamejs-cf-forged-"));
438
+ try {
439
+ await setupTestDb(tmpDir);
440
+ b.cryptoField.registerTable("cf_forged_regress", {
441
+ sealedFields: ["secret"], aad: true, rowIdField: "id",
442
+ });
443
+ var sealed = b.cryptoField.sealRow("cf_forged_regress", { id: "r1", secret: "hello" });
444
+ check("cryptoField valid round-trip",
445
+ b.cryptoField.unsealRow("cf_forged_regress", sealed).secret === "hello");
446
+ var forged = b.cryptoField.unsealRow("cf_forged_regress",
447
+ { id: "r1", secret: "vault.aad:Zm9yZ2VkLWdhcmJhZ2U=" });
448
+ check("forged sealed value nulls the field (not kept)", forged.secret === null);
449
+ var crossRow = b.cryptoField.unsealRow("cf_forged_regress",
450
+ { id: "DIFFERENT-ROW", secret: sealed.secret });
451
+ check("cross-row-copied ciphertext nulls the field (AAD mismatch)", crossRow.secret === null);
452
+ var plain = b.cryptoField.unsealRow("cf_forged_regress", { id: "r2", secret: "not-sealed" });
453
+ check("non-sealed pass-through value is kept", plain.secret === "not-sealed");
454
+ } finally {
455
+ await teardownTestDb(tmpDir);
456
+ }
457
+ }
458
+
430
459
  // ---- run() ----
431
460
 
432
461
  async function run() {
433
462
  // db basic
434
463
  await testDbBasic();
464
+ await testUnsealRowNullsForgedValue();
435
465
  await testDbWriteOps();
436
466
  await testDbSealedWithoutDerived();
437
467
  await testDbTransactions();
@@ -152,6 +152,20 @@ async function run() {
152
152
  lease3b[0].attempts === 2); // sweep doesn't re-increment; lease does
153
153
  await qr.complete(enq3.jobId);
154
154
 
155
+ // ---- fail() honors the object-form { retryDelayMs } b.queue.consume
156
+ // passes (regression: the redis backend previously accepted only
157
+ // a bare-number 3rd arg, so the object failed the typeof check
158
+ // and the delay was forced to 0 — the documented exponential
159
+ // backoff was silently discarded and the job re-leased at once) ----
160
+ var QB = "retry-backoff";
161
+ var enqB = await qr.enqueue(QB, { go: 1 }, { maxAttempts: 5 });
162
+ var leaseB = await qr.lease(QB, 5000, 1);
163
+ check("lease: backoff-regression job leased", leaseB.length === 1);
164
+ await qr.fail(enqB.jobId, "boom", { retryDelayMs: 60000 }); // object form, 60s delay
165
+ var leaseBNow = await qr.lease(QB, 5000, 1);
166
+ check("fail({retryDelayMs}) delays re-lease — backoff honored, not forced to 0",
167
+ leaseBNow.length === 0);
168
+
155
169
  // ---- fail + retry path ----
156
170
  var Q4 = "retry";
157
171
  var enq4 = await qr.enqueue(Q4, { go: 1 }, { maxAttempts: 2 });
@@ -235,8 +235,45 @@ async function testReplayCountAtomic() {
235
235
  (r1.replayCount === 2 && r2.replayCount === 1));
236
236
  }
237
237
 
238
+ async function testAtRestSealingWithVault() {
239
+ // The cached result is sealed at rest via b.cryptoField when a vault
240
+ // is configured. Init a vault, capture what actually lands in the
241
+ // backend, and assert the sensitive payload is not stored in the
242
+ // clear — then confirm it round-trips. Reset the vault afterwards so
243
+ // the remaining (vault-less) tests run in their expected mode.
244
+ var os = require("node:os");
245
+ var path = require("node:path");
246
+ var fs = require("node:fs");
247
+ var dir = fs.mkdtempSync(path.join(os.tmpdir(), "blamejs-idem-seal-"));
248
+ check("vault.isInitialized() is false before init", b.vault.isInitialized() === false);
249
+ await b.vault.init({ mode: "plaintext", dataDir: dir });
250
+ try {
251
+ check("vault.isInitialized() is true after init", b.vault.isInitialized() === true);
252
+ var SECRET = "patient-PII-9007199254740993";
253
+ var captured = null;
254
+ var backend = {
255
+ _m: Object.create(null),
256
+ async get(m, a, h) { return this._m[m + a + h] || null; },
257
+ async put(m, a, h, row) { this._m[m + a + h] = row; captured = row; },
258
+ async delete(m, a, h) { delete this._m[m + a + h]; },
259
+ };
260
+ var idem = b.agent.idempotency.create({ store: backend });
261
+ await idem.put("move", "u-seal", "jmap-seal-1", { payload: SECRET });
262
+ check("at-rest: result blob is sealed (no plaintext leak)",
263
+ typeof captured.resultBlob === "string" && captured.resultBlob.indexOf(SECRET) === -1);
264
+ check("at-rest: sealed blob carries a vault prefix",
265
+ /^vault(\.aad)?:/.test(String(captured.resultBlob)));
266
+ var hit = await idem.get("move", "u-seal", "jmap-seal-1");
267
+ check("at-rest: sealed result round-trips to plaintext",
268
+ hit && hit.result && hit.result.payload === SECRET);
269
+ } finally {
270
+ b.vault._resetForTest();
271
+ }
272
+ }
273
+
238
274
  async function run() {
239
275
  testSurface();
276
+ await testAtRestSealingWithVault();
240
277
  await testBasicGetPut();
241
278
  await testCrossActorIsolation();
242
279
  await testCrossMethodIsolation();
@@ -361,6 +361,42 @@ async function testShardForSaltedFnv() {
361
361
  Object.keys(spread).length >= 4);
362
362
  }
363
363
 
364
+ async function testRegistryRowSealedAtRest() {
365
+ // Registry rows seal tenantId + endpoint metadata at rest via
366
+ // b.cryptoField when a vault is configured. Scope a vault around this
367
+ // one test (the other tests intentionally run vault-less to exercise
368
+ // the salted-FNV fallback), capture what lands in the backend, and
369
+ // assert the sensitive fields are not stored in the clear — then
370
+ // confirm the tenantId filter still resolves through unseal.
371
+ var os = require("node:os");
372
+ var path = require("node:path");
373
+ var fs = require("node:fs");
374
+ var dir = fs.mkdtempSync(path.join(os.tmpdir(), "blamejs-orch-seal-"));
375
+ await helpers.setupVaultOnly(dir);
376
+ try {
377
+ var captured = null;
378
+ var backend = {
379
+ _m: Object.create(null),
380
+ async get(n) { return this._m[n] || null; },
381
+ async set(n, row) { this._m[n] = row; if (n === "svc-seal") captured = row; },
382
+ async delete(n) { delete this._m[n]; },
383
+ async list() { return Object.values(this._m); },
384
+ };
385
+ var orch = b.agent.orchestrator.create({ backend: backend });
386
+ await orch.register("svc-seal", { kind: "mail", handle: function () {} },
387
+ { agentKind: "mail", tenantId: "acme-corp", metadata: { endpoint: "https://internal-host:9000" } });
388
+ check("orch at-rest: tenantId sealed (no plaintext leak)",
389
+ typeof captured.tenantId === "string" && captured.tenantId.indexOf("acme-corp") === -1);
390
+ check("orch at-rest: metadata sealed (no endpoint leak)",
391
+ typeof captured.metadata === "string" && captured.metadata.indexOf("internal-host") === -1);
392
+ var listed = await orch.list({ tenantId: "acme-corp" });
393
+ check("orch at-rest: tenantId filter resolves through unseal",
394
+ listed.length === 1 && listed[0].name === "svc-seal" && listed[0].tenantId === "acme-corp");
395
+ } finally {
396
+ helpers.teardownVaultOnly(dir);
397
+ }
398
+ }
399
+
364
400
  async function run() {
365
401
  testSurface();
366
402
  await testRegisterLookupUnregister();
@@ -381,6 +417,7 @@ async function run() {
381
417
  await testHealth();
382
418
  await testStreamRegistry();
383
419
  await testPermissions();
420
+ await testRegistryRowSealedAtRest();
384
421
  }
385
422
 
386
423
  module.exports = { run: run };
@@ -268,12 +268,38 @@ async function testUnsealRowAuditsOnDecryptRefusal() {
268
268
  check("BUG-4: audit emitted on cross-tenant null", saw);
269
269
  }
270
270
 
271
+ async function testRegistryMetadataSealedAtRest() {
272
+ // The registry row's metadata is sealed at rest via b.cryptoField when
273
+ // a vault is configured (it is, in this file's run()). Capture what
274
+ // lands in the backend and assert the sensitive metadata is not stored
275
+ // in the clear, then confirm lookup round-trips it back to an object.
276
+ var SECRET = "tenant-billing-id-XQ42";
277
+ var captured = null;
278
+ var backend = {
279
+ _m: Object.create(null),
280
+ async get(k) { return this._m[k] || null; },
281
+ async set(k, row) { this._m[k] = row; if (k === "acme-seal") captured = row; },
282
+ async delete(k) { delete this._m[k]; },
283
+ async list() { return Object.values(this._m); },
284
+ };
285
+ var tn = b.agent.tenant.create({ backend: backend });
286
+ await tn.register("acme-seal", { posture: "hipaa", metadata: { billingId: SECRET } });
287
+ check("tenant at-rest: metadata sealed (no plaintext leak)",
288
+ typeof captured.metadata === "string" && captured.metadata.indexOf(SECRET) === -1);
289
+ check("tenant at-rest: sealed metadata carries a vault prefix",
290
+ /^vault(\.aad)?:/.test(String(captured.metadata)));
291
+ var cfg = await tn.lookup("acme-seal");
292
+ check("tenant at-rest: metadata round-trips to an object",
293
+ cfg && cfg.metadata && cfg.metadata.billingId === SECRET);
294
+ }
295
+
271
296
  async function run() {
272
297
  var tmpDir = fs.mkdtempSync(path.join(os.tmpdir(), "blamejs-vault-"));
273
298
  global._testVaultDir = tmpDir;
274
299
  await helpers.setupVaultOnly(tmpDir);
275
300
  try {
276
301
  testSurface();
302
+ await testRegistryMetadataSealedAtRest();
277
303
  await testRegisterLookupUnregister();
278
304
  await testCheckCrossTenant();
279
305
  await testCrossTenantAdminScope();
@@ -82,6 +82,15 @@ function testPostureRequiresNotify() {
82
82
  } catch (e) { threw = e; }
83
83
  check("pci-dss posture without notify throws",
84
84
  threw && /notify-required-under-posture/.test(threw.code || ""));
85
+
86
+ // sox-404 (SOX §404 ICFR — the audit/internal-controls regime this
87
+ // primitive serves) is an advertised notify-required posture too.
88
+ var threw404 = null;
89
+ try {
90
+ b.auditDailyReview.create({ audit: _fakeAudit([]), posture: "sox-404" });
91
+ } catch (e) { threw404 = e; }
92
+ check("sox-404 posture without notify throws",
93
+ threw404 && /notify-required-under-posture/.test(threw404.code || ""));
85
94
  }
86
95
 
87
96
  function testBadSeverity() {
@@ -307,6 +307,30 @@ async function testBreakerClosedToOpen() {
307
307
  threw && threw.code === "CIRCUIT_OPEN");
308
308
  }
309
309
 
310
+ async function testBreakerOnStateChange() {
311
+ // The documented onStateChange opt + onStateChange(handler) method must
312
+ // both fire on every transition with the { name, from, to, at } payload.
313
+ var events = [];
314
+ var br = new b.retry.CircuitBreaker("test-osc", {
315
+ failureThreshold: 2, cooldownMs: 1000, successThreshold: 1,
316
+ onStateChange: function (e) { events.push(e); },
317
+ });
318
+ var late = [];
319
+ br.onStateChange(function (e) { late.push(e); });
320
+ for (var i = 0; i < 2; i++) {
321
+ try { await br.wrap(function () { throw new Error("boom"); }); } catch (_e) {}
322
+ }
323
+ check("breaker: onStateChange opt fired on closed→open", events.length === 1);
324
+ check("breaker: onStateChange payload carries name/from/to/at",
325
+ events[0] && events[0].name === "test-osc" && events[0].from === "closed" &&
326
+ events[0].to === "open" && typeof events[0].at === "number");
327
+ check("breaker: onStateChange(handler) registration also fired", late.length === 1);
328
+ // A non-function handler is refused at config time.
329
+ var threw = null;
330
+ try { new b.retry.CircuitBreaker("bad", { onStateChange: 42 }); } catch (e) { threw = e; }
331
+ check("breaker: non-function onStateChange throws", threw instanceof TypeError);
332
+ }
333
+
310
334
  async function testBreakerOpenToHalfToClosed() {
311
335
  var br = new b.retry.CircuitBreaker("test-2", {
312
336
  failureThreshold: 2, cooldownMs: 30, successThreshold: 2,
@@ -517,6 +541,7 @@ async function run() {
517
541
  await testWithRetryValidatesOpts();
518
542
 
519
543
  await testBreakerClosedToOpen();
544
+ await testBreakerOnStateChange();
520
545
  await testBreakerOpenToHalfToClosed();
521
546
  await testBreakerHalfToOpenOnFailure();
522
547
  await testBreakerIgnoresPermanent();
@@ -472,6 +472,31 @@ function _checkChangelogInSync() {
472
472
  await _runLayer(5, path.join(__dirname, "50-integration.js"), "Layer 5");
473
473
 
474
474
  console.log("OK — " + helpers.getChecks() + " checks passed (" + (Date.now() - smokeStart) + "ms total)");
475
+
476
+ // Deterministic exit on success. The .catch() below exits 1 on
477
+ // failure; the success path historically fell through and relied on
478
+ // the event loop draining on its own. A lingering handle (a forked-
479
+ // child stdio pipe, a Layer-5 integration server whose socket did not
480
+ // fully close, an unref-missed timer) then keeps the process alive
481
+ // after the suite finished, burning the CI job's timeout budget until
482
+ // the runner cancels it — observed on the slow macos-latest runner
483
+ // (OK printed, ~3.5 min idle, job-timeout cancel). Reap it here: if
484
+ // anything still holds the loop open, name the handle kinds so a real
485
+ // resource leak surfaces in the log rather than being silently masked,
486
+ // then exit 0.
487
+ var _stdio = [process.stdout, process.stderr, process.stdin];
488
+ var _lingering = (typeof process._getActiveHandles === "function"
489
+ ? process._getActiveHandles() : []).filter(function (h) { return _stdio.indexOf(h) === -1; });
490
+ if (_lingering.length > 0) {
491
+ var _kinds = {};
492
+ _lingering.forEach(function (h) {
493
+ var name = (h && h.constructor && h.constructor.name) || typeof h;
494
+ _kinds[name] = (_kinds[name] || 0) + 1;
495
+ });
496
+ console.error("smoke: " + _lingering.length + " handle(s) still open after pass — forcing exit. kinds: " +
497
+ Object.keys(_kinds).map(function (k) { return k + "x" + _kinds[k]; }).join(", "));
498
+ }
499
+ process.exit(0);
475
500
  })().catch(function (err) {
476
501
  console.error("SMOKE TEST FAILED:", err.message);
477
502
  console.error(err.stack);
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "@blamejs/blamejs-shop",
3
- "version": "0.2.12",
3
+ "version": "0.2.14",
4
4
  "description": "Open-source framework built on blamejs. Vendored stack, zero npm runtime deps, PQC-first crypto, security-on by default.",
5
5
  "main": "lib/index.js",
6
6
  "scripts": {