@blamejs/blamejs-shop 0.2.12 → 0.2.14
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/CHANGELOG.md +4 -0
- package/README.md +1 -1
- package/lib/admin.js +616 -21
- package/lib/asset-manifest.json +5 -5
- package/lib/catalog.js +19 -0
- package/lib/storefront.js +1 -1
- package/lib/vendor/MANIFEST.json +3 -3
- package/lib/vendor/blamejs/.github/workflows/actions-lint.yml +71 -23
- package/lib/vendor/blamejs/.github/workflows/cflite_batch.yml +2 -0
- package/lib/vendor/blamejs/.github/workflows/cflite_pr.yml +2 -0
- package/lib/vendor/blamejs/.github/workflows/ci.yml +17 -0
- package/lib/vendor/blamejs/.github/workflows/npm-publish.yml +18 -10
- package/lib/vendor/blamejs/.github/workflows/release-container.yml +29 -16
- package/lib/vendor/blamejs/.github/workflows/sha-to-tag-verify.yml +22 -3
- package/lib/vendor/blamejs/.github/zizmor.yml +29 -0
- package/lib/vendor/blamejs/.pinact.yaml +24 -8
- package/lib/vendor/blamejs/CHANGELOG.md +20 -0
- package/lib/vendor/blamejs/api-snapshot.json +6 -2
- package/lib/vendor/blamejs/lib/agent-idempotency.js +50 -10
- package/lib/vendor/blamejs/lib/agent-orchestrator.js +58 -5
- package/lib/vendor/blamejs/lib/agent-saga.js +8 -4
- package/lib/vendor/blamejs/lib/agent-tenant.js +56 -4
- package/lib/vendor/blamejs/lib/agent-trace.js +4 -3
- package/lib/vendor/blamejs/lib/ai-adverse-decision.js +1 -1
- package/lib/vendor/blamejs/lib/archive-wrap.js +1 -1
- package/lib/vendor/blamejs/lib/audit-daily-review.js +3 -3
- package/lib/vendor/blamejs/lib/audit.js +11 -8
- package/lib/vendor/blamejs/lib/auth/jwt.js +7 -4
- package/lib/vendor/blamejs/lib/auth/saml.js +2 -2
- package/lib/vendor/blamejs/lib/calendar.js +14 -10
- package/lib/vendor/blamejs/lib/circuit-breaker.js +6 -4
- package/lib/vendor/blamejs/lib/compliance-ai-act-transparency.js +2 -2
- package/lib/vendor/blamejs/lib/compliance.js +7 -9
- package/lib/vendor/blamejs/lib/cookies.js +2 -2
- package/lib/vendor/blamejs/lib/cose.js +1 -1
- package/lib/vendor/blamejs/lib/crypto-field.js +8 -3
- package/lib/vendor/blamejs/lib/data-act.js +4 -3
- package/lib/vendor/blamejs/lib/did.js +1 -1
- package/lib/vendor/blamejs/lib/file-upload.js +18 -1
- package/lib/vendor/blamejs/lib/guard-archive.js +2 -2
- package/lib/vendor/blamejs/lib/guard-auth.js +5 -5
- package/lib/vendor/blamejs/lib/guard-cidr.js +4 -4
- package/lib/vendor/blamejs/lib/guard-csv.js +6 -6
- package/lib/vendor/blamejs/lib/guard-domain.js +4 -4
- package/lib/vendor/blamejs/lib/guard-email.js +6 -5
- package/lib/vendor/blamejs/lib/guard-filename.js +4 -4
- package/lib/vendor/blamejs/lib/guard-graphql.js +5 -5
- package/lib/vendor/blamejs/lib/guard-html.js +2 -2
- package/lib/vendor/blamejs/lib/guard-image.js +1 -1
- package/lib/vendor/blamejs/lib/guard-json.js +5 -5
- package/lib/vendor/blamejs/lib/guard-jsonpath.js +4 -4
- package/lib/vendor/blamejs/lib/guard-jwt.js +5 -5
- package/lib/vendor/blamejs/lib/guard-markdown.js +6 -6
- package/lib/vendor/blamejs/lib/guard-mime.js +6 -6
- package/lib/vendor/blamejs/lib/guard-oauth.js +5 -5
- package/lib/vendor/blamejs/lib/guard-pdf.js +1 -1
- package/lib/vendor/blamejs/lib/guard-regex.js +4 -4
- package/lib/vendor/blamejs/lib/guard-shell.js +4 -4
- package/lib/vendor/blamejs/lib/guard-svg.js +5 -5
- package/lib/vendor/blamejs/lib/guard-template.js +4 -4
- package/lib/vendor/blamejs/lib/guard-time.js +6 -6
- package/lib/vendor/blamejs/lib/guard-uuid.js +6 -6
- package/lib/vendor/blamejs/lib/guard-xml.js +4 -4
- package/lib/vendor/blamejs/lib/guard-yaml.js +5 -5
- package/lib/vendor/blamejs/lib/link-header.js +3 -2
- package/lib/vendor/blamejs/lib/mail-agent.js +4 -2
- package/lib/vendor/blamejs/lib/mail-bimi.js +3 -2
- package/lib/vendor/blamejs/lib/mail-crypto-pgp.js +7 -11
- package/lib/vendor/blamejs/lib/mail-crypto-smime.js +6 -5
- package/lib/vendor/blamejs/lib/mail-crypto.js +5 -5
- package/lib/vendor/blamejs/lib/mail-store.js +3 -2
- package/lib/vendor/blamejs/lib/mcp.js +2 -3
- package/lib/vendor/blamejs/lib/middleware/age-gate.js +10 -6
- package/lib/vendor/blamejs/lib/middleware/ai-act-disclosure.js +1 -1
- package/lib/vendor/blamejs/lib/middleware/api-encrypt.js +3 -3
- package/lib/vendor/blamejs/lib/middleware/compose-pipeline.js +1 -1
- package/lib/vendor/blamejs/lib/middleware/csp-nonce.js +2 -2
- package/lib/vendor/blamejs/lib/middleware/flag-context.js +1 -1
- package/lib/vendor/blamejs/lib/middleware/rate-limit.js +2 -2
- package/lib/vendor/blamejs/lib/middleware/require-auth.js +2 -1
- package/lib/vendor/blamejs/lib/queue-redis.js +9 -0
- package/lib/vendor/blamejs/lib/queue.js +17 -1
- package/lib/vendor/blamejs/lib/retry.js +26 -0
- package/lib/vendor/blamejs/lib/router.js +4 -1
- package/lib/vendor/blamejs/lib/safe-decompress.js +3 -2
- package/lib/vendor/blamejs/lib/safe-icap.js +3 -2
- package/lib/vendor/blamejs/lib/safe-mime.js +1 -1
- package/lib/vendor/blamejs/lib/safe-smtp.js +1 -1
- package/lib/vendor/blamejs/lib/sec-cyber.js +1 -1
- package/lib/vendor/blamejs/lib/storage.js +20 -16
- package/lib/vendor/blamejs/lib/tsa.js +2 -1
- package/lib/vendor/blamejs/lib/vault/index.js +1 -0
- package/lib/vendor/blamejs/lib/vault-aad.js +2 -2
- package/lib/vendor/blamejs/package.json +1 -1
- package/lib/vendor/blamejs/release-notes/v0.13.23.json +42 -0
- package/lib/vendor/blamejs/release-notes/v0.13.24.json +26 -0
- package/lib/vendor/blamejs/release-notes/v0.13.25.json +39 -0
- package/lib/vendor/blamejs/release-notes/v0.13.26.json +31 -0
- package/lib/vendor/blamejs/release-notes/v0.13.27.json +34 -0
- package/lib/vendor/blamejs/release-notes/v0.13.28.json +30 -0
- package/lib/vendor/blamejs/release-notes/v0.13.29.json +30 -0
- package/lib/vendor/blamejs/release-notes/v0.13.30.json +30 -0
- package/lib/vendor/blamejs/release-notes/v0.13.31.json +26 -0
- package/lib/vendor/blamejs/release-notes/v0.13.32.json +34 -0
- package/lib/vendor/blamejs/test/20-db.js +30 -0
- package/lib/vendor/blamejs/test/integration/queue-redis.test.js +14 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/agent-idempotency.test.js +37 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/agent-orchestrator.test.js +37 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/agent-tenant.test.js +26 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/audit-daily-review.test.js +9 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/retry.test.js +25 -0
- package/lib/vendor/blamejs/test/smoke.js +25 -0
- package/package.json +1 -1
|
@@ -0,0 +1,30 @@
|
|
|
1
|
+
{
|
|
2
|
+
"$schema": "../scripts/release-notes-schema.json",
|
|
3
|
+
"version": "0.13.28",
|
|
4
|
+
"date": "2026-05-28",
|
|
5
|
+
"headline": "Queue retry backoff now applies on the Redis backend; static-serve path-containment edge closed",
|
|
6
|
+
"summary": "Two behavioral fixes plus doc corrections. The Redis queue backend silently discarded the documented retry backoff: b.queue.consume passes the delay as `{ retryDelayMs }` (the shape the local backend reads), but the Redis backend's fail() accepted only a bare-number third argument, so the object failed its numeric check and the delay was forced to 0 — a failing job re-leased immediately instead of waiting 1s/2s/4s/…, a retry storm under failure. The Redis backend now accepts the object form, so the exponential backoff applies as documented (verified by an integration test against real Redis). Separately, b.router.serveStatic's path-containment check used a bare string prefix, so a sibling directory whose name extends the root (root `/srv/public` vs `/srv/public-evil`) could pass; it now anchors on a path separator. Also: b.fileUpload now surfaces (via an observability counter) when a configured content-safety gate is skipped because an upload streamed past the reassembly cap, and documents that boundary; and b.cookies.parse's example output is corrected.",
|
|
7
|
+
"sections": [
|
|
8
|
+
{
|
|
9
|
+
"heading": "Fixed",
|
|
10
|
+
"items": [
|
|
11
|
+
{
|
|
12
|
+
"title": "Redis queue backend honors the documented retry backoff",
|
|
13
|
+
"body": "`b.queue.consume` re-pends a failed job with deterministic exponential backoff (1s base, 5min cap) by calling the backend's `fail()` with `{ retryDelayMs }`. The Redis backend's `fail()` accepted only a bare-number third argument, so the object failed its `typeof === \"number\"` check and the delay was reset to 0 — a failing job became immediately re-leasable, hot-looping instead of backing off. `fail()` now accepts both the object form (as the local backend does) and a bare number, so the backoff applies on Redis. An integration test against real Redis pins it."
|
|
14
|
+
},
|
|
15
|
+
{
|
|
16
|
+
"title": "`b.router.serveStatic` path-containment anchors on a separator",
|
|
17
|
+
"body": "The containment check was `resolvedPath.startsWith(root)`, which a sibling directory sharing the root's name as a prefix (root `/srv/public` vs `/srv/public-evil`) could satisfy. It now requires the resolved path to equal `root` or start with `root + path.sep`, closing the sibling-prefix edge (`b.staticServe.create` remains the hardened serving path, with realpath + filename gating)."
|
|
18
|
+
},
|
|
19
|
+
{
|
|
20
|
+
"title": "`b.fileUpload` surfaces content-safety gate skips on oversized streamed uploads",
|
|
21
|
+
"body": "The byte-level content-safety gate inspects the reassembled buffer, so it runs on uploads up to `maxStreamReassemblyBytes` (default 64 MiB); a larger upload is handed to `onFinalize` as a stream and the byte-content gate is skipped (MIME-sniff and filename gates still run). That skip now emits a `fileUpload.content_safety_skipped_streamed` observability counter instead of passing silently, and the limit is documented. To guarantee content-gating of a type, cap `maxFileBytes` at or below `maxStreamReassemblyBytes`."
|
|
22
|
+
},
|
|
23
|
+
{
|
|
24
|
+
"title": "`b.cookies.parse` example output corrected",
|
|
25
|
+
"body": "The example claimed `theme=%22dark%22` parses to `theme: \"dark\"`, but quote-stripping runs before percent-decoding, so the literal quotes survive. The example now uses `theme=dark%20mode` → `theme: \"dark mode\"`, which demonstrates percent-decoding without the quote-strip-ordering quirk."
|
|
26
|
+
}
|
|
27
|
+
]
|
|
28
|
+
}
|
|
29
|
+
]
|
|
30
|
+
}
|
|
@@ -0,0 +1,30 @@
|
|
|
1
|
+
{
|
|
2
|
+
"$schema": "../scripts/release-notes-schema.json",
|
|
3
|
+
"version": "0.13.29",
|
|
4
|
+
"date": "2026-05-28",
|
|
5
|
+
"headline": "Doc corrections: AI Act disclosure kind values, SQS queue model, age-gate coupling",
|
|
6
|
+
"summary": "Documentation corrections. The most actionable: b.middleware.aiActDisclosure's @opts listed two EU AI Act transparency `kind` values (`deepfake` and `synthetic-content`) that the middleware does not accept, so they threw at construction; the accepted values use the hyphenated Art. 50 spellings (e.g. `deep-fake`) and include a text-public-interest variant the enum omitted — an operator copying the documented values crashed a compliance middleware at boot. The b.queue docs implied the SQS backend is driven by the generic b.queue.consume loop like local/redis; SQS is actually an SQS-native adapter (complete/fail by message receipt handle, server-side redrive) driven directly, and the docs now say so. b.middleware.ageGate's `requireAge` 451 floor is documented as taking effect only alongside `consentRequired` (it was silently inert without it). Plus a compose-pipeline @since and a flag-context @related correction. No code behavior changed.",
|
|
7
|
+
"sections": [
|
|
8
|
+
{
|
|
9
|
+
"heading": "Fixed",
|
|
10
|
+
"items": [
|
|
11
|
+
{
|
|
12
|
+
"title": "`b.middleware.aiActDisclosure` documents the accepted `kind` values",
|
|
13
|
+
"body": "The `@opts` listed `kind` as `ai-interaction | deepfake | emotion-recognition | biometric-categorisation | synthetic-content`. Two of those — `deepfake` and `synthetic-content` — are not accepted and threw at construction; the EU AI Act Art. 50 values use hyphenated spellings (e.g. `deep-fake`, the generated-content variant) and include `ai-text-public-interest`, which the documented enum omitted. The `@opts` now lists the full set the middleware accepts."
|
|
14
|
+
},
|
|
15
|
+
{
|
|
16
|
+
"title": "`b.queue` SQS backend documented as SQS-native, not consume-driven",
|
|
17
|
+
"body": "The module docs implied the `sqs` backend is interchangeable with `local`/`redis` under the generic `b.queue.consume` loop. SQS is an SQS-native adapter: `complete` / `fail` act on the message's `receiptHandle` (returned by `lease()`, threaded back by the caller), and DLQ + visibility-expiry are handled server-side by the queue's RedrivePolicy. The docs now state that `sqs` is driven directly (lease → handle → complete/fail) rather than by `b.queue.consume`, and does not use the framework DLQ / sweep."
|
|
18
|
+
},
|
|
19
|
+
{
|
|
20
|
+
"title": "`b.middleware.ageGate` documents the `requireAge` / `consentRequired` coupling",
|
|
21
|
+
"body": "`requireAge` (the HTTP 451 legal floor) is evaluated within the consent classification, so it takes effect only when `consentRequired` is also set — `requireAge` alone, with `consentRequired: null`, never classifies a request as below-threshold and the 451 never fires. The `@opts` and prose now state this coupling instead of presenting `requireAge` as a standalone threshold."
|
|
22
|
+
},
|
|
23
|
+
{
|
|
24
|
+
"title": "Smaller doc corrections",
|
|
25
|
+
"body": "`b.middleware.composePipeline`'s `@since` is corrected to 0.9.43 (its actual ship version). `b.middleware.flagContext`'s `@related` pointed at a non-existent `b.flagClient.getBoolean`; it now references `b.flag.create`."
|
|
26
|
+
}
|
|
27
|
+
]
|
|
28
|
+
}
|
|
29
|
+
]
|
|
30
|
+
}
|
|
@@ -0,0 +1,30 @@
|
|
|
1
|
+
{
|
|
2
|
+
"$schema": "../scripts/release-notes-schema.json",
|
|
3
|
+
"version": "0.13.30",
|
|
4
|
+
"date": "2026-05-28",
|
|
5
|
+
"headline": "Doc corrections in the safe-* parsers (defaults, an error code, an example, a status list)",
|
|
6
|
+
"summary": "Four documentation corrections in the safe-* input parsers; no code behavior changed. The parsers' enforced limits and controls are unchanged — these align the docs with what the code already does. b.safeMime.parse's documented default transfer-encoding allowlist listed `binary`, which is excluded by default (opt-in per RFC 3030 BINARYMIME). b.safeDecompress documented a refusal code (`output-too-large`) it never emits — an absolute-size bomb surfaces under `decompress-failed`. b.safeSmtp.findDotTerminator's example output was off by one. b.safeIcap's intro status-code summary omitted 404 / 405 / 408 (the detailed block already listed them).",
|
|
7
|
+
"sections": [
|
|
8
|
+
{
|
|
9
|
+
"heading": "Fixed",
|
|
10
|
+
"items": [
|
|
11
|
+
{
|
|
12
|
+
"title": "`b.safeMime.parse` documents the actual default transfer-encoding allowlist",
|
|
13
|
+
"body": "The `@opts` default listed `7bit/8bit/binary/qp/base64`, but `binary` is deliberately excluded by default (RFC 3030 BINARYMIME is opt-in); the default is `7bit/8bit/quoted-printable/base64`. The doc now matches, so operators don't expect inbound `Content-Transfer-Encoding: binary` parts to pass without opting in."
|
|
14
|
+
},
|
|
15
|
+
{
|
|
16
|
+
"title": "`b.safeDecompress` names the real absolute-size-bomb refusal code",
|
|
17
|
+
"body": "The refusal-posture list documented `safe-decompress/output-too-large` for a bomb-by-absolute-size, but that code is never emitted — zlib's `maxOutputLength` throws before allocation and the failure surfaces as `safe-decompress/decompress-failed`. The doc now names the code an operator branching on the result will actually see (the ratio, output-byte, and compressed-input caps are unchanged and enforced)."
|
|
18
|
+
},
|
|
19
|
+
{
|
|
20
|
+
"title": "`b.safeSmtp.findDotTerminator` example output corrected",
|
|
21
|
+
"body": "The example claimed the `\\r\\n.\\r\\n` terminator in `\"Hello world.\\r\\n.\\r\\n\"` is at index 13; it is at index 12. The example now shows 12 (the implementation was already correct)."
|
|
22
|
+
},
|
|
23
|
+
{
|
|
24
|
+
"title": "`b.safeIcap` intro status-code summary lists 404 / 405 / 408",
|
|
25
|
+
"body": "The intro summary said only `100 / 200 / 204 / 400 / 403 / 5xx` are honored, but the parser also accepts `404 / 405 / 408` (legitimate RFC 3507 §4.3.3 codes, already listed in the detailed `parse` block). The intro summary now matches."
|
|
26
|
+
}
|
|
27
|
+
]
|
|
28
|
+
}
|
|
29
|
+
]
|
|
30
|
+
}
|
|
@@ -0,0 +1,26 @@
|
|
|
1
|
+
{
|
|
2
|
+
"$schema": "../scripts/release-notes-schema.json",
|
|
3
|
+
"version": "0.13.31",
|
|
4
|
+
"date": "2026-05-28",
|
|
5
|
+
"headline": "Circuit-breaker onStateChange callback now fires; mcp / vault-aad doc corrections",
|
|
6
|
+
"summary": "b.circuitBreaker documented an `onStateChange` callback (both an option and an `onStateChange(handler)` registration method) plus a state-change payload, but the callback was never invoked — only an observability event fired. The callback is now implemented: it fires on every transition with `{ name, from, to, at }`, the registration method works, and a non-function handler is rejected at construction. The same primitive's docs are corrected to name the real accessor (`getState()`, not `state()`) and drop a never-read `audit` option. Plus two doc-only corrections: b.mcp.toolResult.sanitize described composing b.guardHtml / b.ai.input.classify (it uses built-in detection) and documented a `classifyInput` option it never read; and b.vault.aad's prose said HKDF-SHAKE256 where the derivation is SHAKE256 (the AEAD AAD-binding itself is unchanged and sound).",
|
|
7
|
+
"sections": [
|
|
8
|
+
{
|
|
9
|
+
"heading": "Fixed",
|
|
10
|
+
"items": [
|
|
11
|
+
{
|
|
12
|
+
"title": "`b.circuitBreaker` onStateChange callback is invoked on every transition",
|
|
13
|
+
"body": "The `onStateChange` option and the `onStateChange(handler)` registration method are now wired: each registered handler is called with `{ name, from, to, at }` on every state transition (closed→open, open→half, half→closed/open), alongside the existing `breaker.state.change` observability event. A non-function `onStateChange` is rejected at construction. Previously the documented callback never fired. The docs are also corrected to name the real state accessor `getState()` (there is a `state` property, so `state()` was never a method) and to drop a never-read `audit` option."
|
|
14
|
+
},
|
|
15
|
+
{
|
|
16
|
+
"title": "`b.mcp.toolResult.sanitize` documents its actual detection and options",
|
|
17
|
+
"body": "The prose said the sanitizer composes `b.guardHtml`'s strict profile and `b.ai.input.classify`; it uses built-in dangerous-HTML and prompt-injection-marker detection. The `@opts` also listed a `classifyInput` override the function never read. The prose now describes the built-in detection and the unwired `classifyInput` option is removed. The fail-closed refusal behavior (default `posture: \"refuse\"`) is unchanged."
|
|
18
|
+
},
|
|
19
|
+
{
|
|
20
|
+
"title": "`b.vault.aad` derivation named correctly (SHAKE256)",
|
|
21
|
+
"body": "The module prose described the per-binding key derivation as HKDF-SHAKE256; it is SHAKE256 over the vault root concatenated with the binding inputs (no HKDF extract/expand). The AEAD AAD-binding to (table, row, column, schema version) — the file's actual security guarantee — is unchanged and sound; only the KDF name in the doc was wrong."
|
|
22
|
+
}
|
|
23
|
+
]
|
|
24
|
+
}
|
|
25
|
+
]
|
|
26
|
+
}
|
|
@@ -0,0 +1,34 @@
|
|
|
1
|
+
{
|
|
2
|
+
"$schema": "../scripts/release-notes-schema.json",
|
|
3
|
+
"version": "0.13.32",
|
|
4
|
+
"date": "2026-05-28",
|
|
5
|
+
"headline": "`b.auditDailyReview` enforces notify under the sox-404 posture; compliance doc corrections",
|
|
6
|
+
"summary": "b.auditDailyReview documented `sox-404` (SOX §404 ICFR — the internal-controls regime this primitive serves) as one of the postures that make a `notify` callback mandatory at construction, but the enforcement set used only `sox`, so pinning `posture: \"sox-404\"` without a notify channel was silently accepted. `sox-404` is now in the mandatory-notify set, so the advertised guarantee holds (a regression test pins it). The rest are documentation corrections with no behavior change: b.compliance.posturesByDomain / posturesByJurisdiction examples showed small fixed arrays where the functions return every matching posture (the catalog has grown); b.dataAct's surface list named two methods that do not exist (the real surface is declareProduct / recordUserAccess / shareWithThirdParty / recordSwitchRequest, with gatekeeper refusal folded into shareWithThirdParty); b.secCyber.eightKArtifact's documented return key `audit` is actually `deadlineBusinessDays`; and b.compliance.aiAct.transparency's helper summary named `cspMetaTag` / a `watermark({ kind })` argument that are really `metaTags` / `watermark({ mediaKind })`.",
|
|
7
|
+
"sections": [
|
|
8
|
+
{
|
|
9
|
+
"heading": "Fixed",
|
|
10
|
+
"items": [
|
|
11
|
+
{
|
|
12
|
+
"title": "`b.auditDailyReview` requires a notify channel under the `sox-404` posture",
|
|
13
|
+
"body": "The docs listed `sox-404` among the postures that make a `notify` callback mandatory at create-time, but the enforcement set contained only `sox` — so `posture: \"sox-404\"` without `notify` was accepted instead of refused. `sox-404` (SOX §404 ICFR) is now in the mandatory-notify set, matching the documented guarantee; constructing without a notify channel under it throws `auditDailyReview/notify-required-under-posture`."
|
|
14
|
+
},
|
|
15
|
+
{
|
|
16
|
+
"title": "`b.compliance` jurisdiction/domain lister examples no longer enumerate a stale fixed set",
|
|
17
|
+
"body": "`posturesByDomain` and `posturesByJurisdiction` return every posture matching the domain/jurisdiction, but their `@example`s showed small fixed arrays from before the posture catalog grew. The examples now show a representative prefix with `...` and note they return the full matching set."
|
|
18
|
+
},
|
|
19
|
+
{
|
|
20
|
+
"title": "`b.dataAct` surface list matches the real methods",
|
|
21
|
+
"body": "The module surface listed `userAccessible(...)` and `refuseGatekeeper(...)`, neither of which exists. The real surface is `declareProduct` / `recordUserAccess` / `shareWithThirdParty` / `recordSwitchRequest`, and DMA-gatekeeper refusal (Art 32 §1) is enforced inside `shareWithThirdParty`. The doc now reflects that."
|
|
22
|
+
},
|
|
23
|
+
{
|
|
24
|
+
"title": "`b.secCyber.eightKArtifact` documented return shape corrected",
|
|
25
|
+
"body": "The signature line showed `{ artifact, deadline, audit }`; the function returns `{ artifact, deadline, deadlineBusinessDays }` (there is no `audit` key). The doc now matches."
|
|
26
|
+
},
|
|
27
|
+
{
|
|
28
|
+
"title": "`b.compliance.aiAct.transparency` helper names corrected",
|
|
29
|
+
"body": "The helper summary named a `cspMetaTag(...)` function and a `watermark({ kind })` argument; the real names are `metaTags(...)` and `watermark({ mediaKind })`. Calling the documented names threw. Also corrected: a `b.aiAdverseDecision` illustration showed an ECOA `statutoryDeadlines` shape that didn't match the regime's actual deadlines."
|
|
30
|
+
}
|
|
31
|
+
]
|
|
32
|
+
}
|
|
33
|
+
]
|
|
34
|
+
}
|
|
@@ -427,11 +427,41 @@ async function testCrossSchemaAttach() {
|
|
|
427
427
|
}
|
|
428
428
|
}
|
|
429
429
|
|
|
430
|
+
async function testUnsealRowNullsForgedValue() {
|
|
431
|
+
// Security regression (CRYPTO-1): an unseal failure — a DB-write
|
|
432
|
+
// attacker's forged `vault:<…>` payload, or a valid ciphertext copied
|
|
433
|
+
// to a different row (AAD mismatch) — must NULL the column so
|
|
434
|
+
// downstream sees "no value", not the attacker-crafted string. A prior
|
|
435
|
+
// `unsealed ? unsealed : out[field]` write-back silently kept the
|
|
436
|
+
// forged value on failure, defeating the documented defense.
|
|
437
|
+
var tmpDir = fs.mkdtempSync(path.join(os.tmpdir(), "blamejs-cf-forged-"));
|
|
438
|
+
try {
|
|
439
|
+
await setupTestDb(tmpDir);
|
|
440
|
+
b.cryptoField.registerTable("cf_forged_regress", {
|
|
441
|
+
sealedFields: ["secret"], aad: true, rowIdField: "id",
|
|
442
|
+
});
|
|
443
|
+
var sealed = b.cryptoField.sealRow("cf_forged_regress", { id: "r1", secret: "hello" });
|
|
444
|
+
check("cryptoField valid round-trip",
|
|
445
|
+
b.cryptoField.unsealRow("cf_forged_regress", sealed).secret === "hello");
|
|
446
|
+
var forged = b.cryptoField.unsealRow("cf_forged_regress",
|
|
447
|
+
{ id: "r1", secret: "vault.aad:Zm9yZ2VkLWdhcmJhZ2U=" });
|
|
448
|
+
check("forged sealed value nulls the field (not kept)", forged.secret === null);
|
|
449
|
+
var crossRow = b.cryptoField.unsealRow("cf_forged_regress",
|
|
450
|
+
{ id: "DIFFERENT-ROW", secret: sealed.secret });
|
|
451
|
+
check("cross-row-copied ciphertext nulls the field (AAD mismatch)", crossRow.secret === null);
|
|
452
|
+
var plain = b.cryptoField.unsealRow("cf_forged_regress", { id: "r2", secret: "not-sealed" });
|
|
453
|
+
check("non-sealed pass-through value is kept", plain.secret === "not-sealed");
|
|
454
|
+
} finally {
|
|
455
|
+
await teardownTestDb(tmpDir);
|
|
456
|
+
}
|
|
457
|
+
}
|
|
458
|
+
|
|
430
459
|
// ---- run() ----
|
|
431
460
|
|
|
432
461
|
async function run() {
|
|
433
462
|
// db basic
|
|
434
463
|
await testDbBasic();
|
|
464
|
+
await testUnsealRowNullsForgedValue();
|
|
435
465
|
await testDbWriteOps();
|
|
436
466
|
await testDbSealedWithoutDerived();
|
|
437
467
|
await testDbTransactions();
|
|
@@ -152,6 +152,20 @@ async function run() {
|
|
|
152
152
|
lease3b[0].attempts === 2); // sweep doesn't re-increment; lease does
|
|
153
153
|
await qr.complete(enq3.jobId);
|
|
154
154
|
|
|
155
|
+
// ---- fail() honors the object-form { retryDelayMs } b.queue.consume
|
|
156
|
+
// passes (regression: the redis backend previously accepted only
|
|
157
|
+
// a bare-number 3rd arg, so the object failed the typeof check
|
|
158
|
+
// and the delay was forced to 0 — the documented exponential
|
|
159
|
+
// backoff was silently discarded and the job re-leased at once) ----
|
|
160
|
+
var QB = "retry-backoff";
|
|
161
|
+
var enqB = await qr.enqueue(QB, { go: 1 }, { maxAttempts: 5 });
|
|
162
|
+
var leaseB = await qr.lease(QB, 5000, 1);
|
|
163
|
+
check("lease: backoff-regression job leased", leaseB.length === 1);
|
|
164
|
+
await qr.fail(enqB.jobId, "boom", { retryDelayMs: 60000 }); // object form, 60s delay
|
|
165
|
+
var leaseBNow = await qr.lease(QB, 5000, 1);
|
|
166
|
+
check("fail({retryDelayMs}) delays re-lease — backoff honored, not forced to 0",
|
|
167
|
+
leaseBNow.length === 0);
|
|
168
|
+
|
|
155
169
|
// ---- fail + retry path ----
|
|
156
170
|
var Q4 = "retry";
|
|
157
171
|
var enq4 = await qr.enqueue(Q4, { go: 1 }, { maxAttempts: 2 });
|
|
@@ -235,8 +235,45 @@ async function testReplayCountAtomic() {
|
|
|
235
235
|
(r1.replayCount === 2 && r2.replayCount === 1));
|
|
236
236
|
}
|
|
237
237
|
|
|
238
|
+
async function testAtRestSealingWithVault() {
|
|
239
|
+
// The cached result is sealed at rest via b.cryptoField when a vault
|
|
240
|
+
// is configured. Init a vault, capture what actually lands in the
|
|
241
|
+
// backend, and assert the sensitive payload is not stored in the
|
|
242
|
+
// clear — then confirm it round-trips. Reset the vault afterwards so
|
|
243
|
+
// the remaining (vault-less) tests run in their expected mode.
|
|
244
|
+
var os = require("node:os");
|
|
245
|
+
var path = require("node:path");
|
|
246
|
+
var fs = require("node:fs");
|
|
247
|
+
var dir = fs.mkdtempSync(path.join(os.tmpdir(), "blamejs-idem-seal-"));
|
|
248
|
+
check("vault.isInitialized() is false before init", b.vault.isInitialized() === false);
|
|
249
|
+
await b.vault.init({ mode: "plaintext", dataDir: dir });
|
|
250
|
+
try {
|
|
251
|
+
check("vault.isInitialized() is true after init", b.vault.isInitialized() === true);
|
|
252
|
+
var SECRET = "patient-PII-9007199254740993";
|
|
253
|
+
var captured = null;
|
|
254
|
+
var backend = {
|
|
255
|
+
_m: Object.create(null),
|
|
256
|
+
async get(m, a, h) { return this._m[m + a + h] || null; },
|
|
257
|
+
async put(m, a, h, row) { this._m[m + a + h] = row; captured = row; },
|
|
258
|
+
async delete(m, a, h) { delete this._m[m + a + h]; },
|
|
259
|
+
};
|
|
260
|
+
var idem = b.agent.idempotency.create({ store: backend });
|
|
261
|
+
await idem.put("move", "u-seal", "jmap-seal-1", { payload: SECRET });
|
|
262
|
+
check("at-rest: result blob is sealed (no plaintext leak)",
|
|
263
|
+
typeof captured.resultBlob === "string" && captured.resultBlob.indexOf(SECRET) === -1);
|
|
264
|
+
check("at-rest: sealed blob carries a vault prefix",
|
|
265
|
+
/^vault(\.aad)?:/.test(String(captured.resultBlob)));
|
|
266
|
+
var hit = await idem.get("move", "u-seal", "jmap-seal-1");
|
|
267
|
+
check("at-rest: sealed result round-trips to plaintext",
|
|
268
|
+
hit && hit.result && hit.result.payload === SECRET);
|
|
269
|
+
} finally {
|
|
270
|
+
b.vault._resetForTest();
|
|
271
|
+
}
|
|
272
|
+
}
|
|
273
|
+
|
|
238
274
|
async function run() {
|
|
239
275
|
testSurface();
|
|
276
|
+
await testAtRestSealingWithVault();
|
|
240
277
|
await testBasicGetPut();
|
|
241
278
|
await testCrossActorIsolation();
|
|
242
279
|
await testCrossMethodIsolation();
|
|
@@ -361,6 +361,42 @@ async function testShardForSaltedFnv() {
|
|
|
361
361
|
Object.keys(spread).length >= 4);
|
|
362
362
|
}
|
|
363
363
|
|
|
364
|
+
async function testRegistryRowSealedAtRest() {
|
|
365
|
+
// Registry rows seal tenantId + endpoint metadata at rest via
|
|
366
|
+
// b.cryptoField when a vault is configured. Scope a vault around this
|
|
367
|
+
// one test (the other tests intentionally run vault-less to exercise
|
|
368
|
+
// the salted-FNV fallback), capture what lands in the backend, and
|
|
369
|
+
// assert the sensitive fields are not stored in the clear — then
|
|
370
|
+
// confirm the tenantId filter still resolves through unseal.
|
|
371
|
+
var os = require("node:os");
|
|
372
|
+
var path = require("node:path");
|
|
373
|
+
var fs = require("node:fs");
|
|
374
|
+
var dir = fs.mkdtempSync(path.join(os.tmpdir(), "blamejs-orch-seal-"));
|
|
375
|
+
await helpers.setupVaultOnly(dir);
|
|
376
|
+
try {
|
|
377
|
+
var captured = null;
|
|
378
|
+
var backend = {
|
|
379
|
+
_m: Object.create(null),
|
|
380
|
+
async get(n) { return this._m[n] || null; },
|
|
381
|
+
async set(n, row) { this._m[n] = row; if (n === "svc-seal") captured = row; },
|
|
382
|
+
async delete(n) { delete this._m[n]; },
|
|
383
|
+
async list() { return Object.values(this._m); },
|
|
384
|
+
};
|
|
385
|
+
var orch = b.agent.orchestrator.create({ backend: backend });
|
|
386
|
+
await orch.register("svc-seal", { kind: "mail", handle: function () {} },
|
|
387
|
+
{ agentKind: "mail", tenantId: "acme-corp", metadata: { endpoint: "https://internal-host:9000" } });
|
|
388
|
+
check("orch at-rest: tenantId sealed (no plaintext leak)",
|
|
389
|
+
typeof captured.tenantId === "string" && captured.tenantId.indexOf("acme-corp") === -1);
|
|
390
|
+
check("orch at-rest: metadata sealed (no endpoint leak)",
|
|
391
|
+
typeof captured.metadata === "string" && captured.metadata.indexOf("internal-host") === -1);
|
|
392
|
+
var listed = await orch.list({ tenantId: "acme-corp" });
|
|
393
|
+
check("orch at-rest: tenantId filter resolves through unseal",
|
|
394
|
+
listed.length === 1 && listed[0].name === "svc-seal" && listed[0].tenantId === "acme-corp");
|
|
395
|
+
} finally {
|
|
396
|
+
helpers.teardownVaultOnly(dir);
|
|
397
|
+
}
|
|
398
|
+
}
|
|
399
|
+
|
|
364
400
|
async function run() {
|
|
365
401
|
testSurface();
|
|
366
402
|
await testRegisterLookupUnregister();
|
|
@@ -381,6 +417,7 @@ async function run() {
|
|
|
381
417
|
await testHealth();
|
|
382
418
|
await testStreamRegistry();
|
|
383
419
|
await testPermissions();
|
|
420
|
+
await testRegistryRowSealedAtRest();
|
|
384
421
|
}
|
|
385
422
|
|
|
386
423
|
module.exports = { run: run };
|
|
@@ -268,12 +268,38 @@ async function testUnsealRowAuditsOnDecryptRefusal() {
|
|
|
268
268
|
check("BUG-4: audit emitted on cross-tenant null", saw);
|
|
269
269
|
}
|
|
270
270
|
|
|
271
|
+
async function testRegistryMetadataSealedAtRest() {
|
|
272
|
+
// The registry row's metadata is sealed at rest via b.cryptoField when
|
|
273
|
+
// a vault is configured (it is, in this file's run()). Capture what
|
|
274
|
+
// lands in the backend and assert the sensitive metadata is not stored
|
|
275
|
+
// in the clear, then confirm lookup round-trips it back to an object.
|
|
276
|
+
var SECRET = "tenant-billing-id-XQ42";
|
|
277
|
+
var captured = null;
|
|
278
|
+
var backend = {
|
|
279
|
+
_m: Object.create(null),
|
|
280
|
+
async get(k) { return this._m[k] || null; },
|
|
281
|
+
async set(k, row) { this._m[k] = row; if (k === "acme-seal") captured = row; },
|
|
282
|
+
async delete(k) { delete this._m[k]; },
|
|
283
|
+
async list() { return Object.values(this._m); },
|
|
284
|
+
};
|
|
285
|
+
var tn = b.agent.tenant.create({ backend: backend });
|
|
286
|
+
await tn.register("acme-seal", { posture: "hipaa", metadata: { billingId: SECRET } });
|
|
287
|
+
check("tenant at-rest: metadata sealed (no plaintext leak)",
|
|
288
|
+
typeof captured.metadata === "string" && captured.metadata.indexOf(SECRET) === -1);
|
|
289
|
+
check("tenant at-rest: sealed metadata carries a vault prefix",
|
|
290
|
+
/^vault(\.aad)?:/.test(String(captured.metadata)));
|
|
291
|
+
var cfg = await tn.lookup("acme-seal");
|
|
292
|
+
check("tenant at-rest: metadata round-trips to an object",
|
|
293
|
+
cfg && cfg.metadata && cfg.metadata.billingId === SECRET);
|
|
294
|
+
}
|
|
295
|
+
|
|
271
296
|
async function run() {
|
|
272
297
|
var tmpDir = fs.mkdtempSync(path.join(os.tmpdir(), "blamejs-vault-"));
|
|
273
298
|
global._testVaultDir = tmpDir;
|
|
274
299
|
await helpers.setupVaultOnly(tmpDir);
|
|
275
300
|
try {
|
|
276
301
|
testSurface();
|
|
302
|
+
await testRegistryMetadataSealedAtRest();
|
|
277
303
|
await testRegisterLookupUnregister();
|
|
278
304
|
await testCheckCrossTenant();
|
|
279
305
|
await testCrossTenantAdminScope();
|
|
@@ -82,6 +82,15 @@ function testPostureRequiresNotify() {
|
|
|
82
82
|
} catch (e) { threw = e; }
|
|
83
83
|
check("pci-dss posture without notify throws",
|
|
84
84
|
threw && /notify-required-under-posture/.test(threw.code || ""));
|
|
85
|
+
|
|
86
|
+
// sox-404 (SOX §404 ICFR — the audit/internal-controls regime this
|
|
87
|
+
// primitive serves) is an advertised notify-required posture too.
|
|
88
|
+
var threw404 = null;
|
|
89
|
+
try {
|
|
90
|
+
b.auditDailyReview.create({ audit: _fakeAudit([]), posture: "sox-404" });
|
|
91
|
+
} catch (e) { threw404 = e; }
|
|
92
|
+
check("sox-404 posture without notify throws",
|
|
93
|
+
threw404 && /notify-required-under-posture/.test(threw404.code || ""));
|
|
85
94
|
}
|
|
86
95
|
|
|
87
96
|
function testBadSeverity() {
|
|
@@ -307,6 +307,30 @@ async function testBreakerClosedToOpen() {
|
|
|
307
307
|
threw && threw.code === "CIRCUIT_OPEN");
|
|
308
308
|
}
|
|
309
309
|
|
|
310
|
+
async function testBreakerOnStateChange() {
|
|
311
|
+
// The documented onStateChange opt + onStateChange(handler) method must
|
|
312
|
+
// both fire on every transition with the { name, from, to, at } payload.
|
|
313
|
+
var events = [];
|
|
314
|
+
var br = new b.retry.CircuitBreaker("test-osc", {
|
|
315
|
+
failureThreshold: 2, cooldownMs: 1000, successThreshold: 1,
|
|
316
|
+
onStateChange: function (e) { events.push(e); },
|
|
317
|
+
});
|
|
318
|
+
var late = [];
|
|
319
|
+
br.onStateChange(function (e) { late.push(e); });
|
|
320
|
+
for (var i = 0; i < 2; i++) {
|
|
321
|
+
try { await br.wrap(function () { throw new Error("boom"); }); } catch (_e) {}
|
|
322
|
+
}
|
|
323
|
+
check("breaker: onStateChange opt fired on closed→open", events.length === 1);
|
|
324
|
+
check("breaker: onStateChange payload carries name/from/to/at",
|
|
325
|
+
events[0] && events[0].name === "test-osc" && events[0].from === "closed" &&
|
|
326
|
+
events[0].to === "open" && typeof events[0].at === "number");
|
|
327
|
+
check("breaker: onStateChange(handler) registration also fired", late.length === 1);
|
|
328
|
+
// A non-function handler is refused at config time.
|
|
329
|
+
var threw = null;
|
|
330
|
+
try { new b.retry.CircuitBreaker("bad", { onStateChange: 42 }); } catch (e) { threw = e; }
|
|
331
|
+
check("breaker: non-function onStateChange throws", threw instanceof TypeError);
|
|
332
|
+
}
|
|
333
|
+
|
|
310
334
|
async function testBreakerOpenToHalfToClosed() {
|
|
311
335
|
var br = new b.retry.CircuitBreaker("test-2", {
|
|
312
336
|
failureThreshold: 2, cooldownMs: 30, successThreshold: 2,
|
|
@@ -517,6 +541,7 @@ async function run() {
|
|
|
517
541
|
await testWithRetryValidatesOpts();
|
|
518
542
|
|
|
519
543
|
await testBreakerClosedToOpen();
|
|
544
|
+
await testBreakerOnStateChange();
|
|
520
545
|
await testBreakerOpenToHalfToClosed();
|
|
521
546
|
await testBreakerHalfToOpenOnFailure();
|
|
522
547
|
await testBreakerIgnoresPermanent();
|
|
@@ -472,6 +472,31 @@ function _checkChangelogInSync() {
|
|
|
472
472
|
await _runLayer(5, path.join(__dirname, "50-integration.js"), "Layer 5");
|
|
473
473
|
|
|
474
474
|
console.log("OK — " + helpers.getChecks() + " checks passed (" + (Date.now() - smokeStart) + "ms total)");
|
|
475
|
+
|
|
476
|
+
// Deterministic exit on success. The .catch() below exits 1 on
|
|
477
|
+
// failure; the success path historically fell through and relied on
|
|
478
|
+
// the event loop draining on its own. A lingering handle (a forked-
|
|
479
|
+
// child stdio pipe, a Layer-5 integration server whose socket did not
|
|
480
|
+
// fully close, an unref-missed timer) then keeps the process alive
|
|
481
|
+
// after the suite finished, burning the CI job's timeout budget until
|
|
482
|
+
// the runner cancels it — observed on the slow macos-latest runner
|
|
483
|
+
// (OK printed, ~3.5 min idle, job-timeout cancel). Reap it here: if
|
|
484
|
+
// anything still holds the loop open, name the handle kinds so a real
|
|
485
|
+
// resource leak surfaces in the log rather than being silently masked,
|
|
486
|
+
// then exit 0.
|
|
487
|
+
var _stdio = [process.stdout, process.stderr, process.stdin];
|
|
488
|
+
var _lingering = (typeof process._getActiveHandles === "function"
|
|
489
|
+
? process._getActiveHandles() : []).filter(function (h) { return _stdio.indexOf(h) === -1; });
|
|
490
|
+
if (_lingering.length > 0) {
|
|
491
|
+
var _kinds = {};
|
|
492
|
+
_lingering.forEach(function (h) {
|
|
493
|
+
var name = (h && h.constructor && h.constructor.name) || typeof h;
|
|
494
|
+
_kinds[name] = (_kinds[name] || 0) + 1;
|
|
495
|
+
});
|
|
496
|
+
console.error("smoke: " + _lingering.length + " handle(s) still open after pass — forcing exit. kinds: " +
|
|
497
|
+
Object.keys(_kinds).map(function (k) { return k + "x" + _kinds[k]; }).join(", "));
|
|
498
|
+
}
|
|
499
|
+
process.exit(0);
|
|
475
500
|
})().catch(function (err) {
|
|
476
501
|
console.error("SMOKE TEST FAILED:", err.message);
|
|
477
502
|
console.error(err.stack);
|
package/package.json
CHANGED