@blamejs/blamejs-shop 0.2.23 → 0.2.25
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/CHANGELOG.md +4 -0
- package/lib/admin.js +42 -9
- package/lib/asset-manifest.json +1 -1
- package/lib/cart.js +24 -9
- package/lib/storefront.js +190 -38
- package/lib/vendor/MANIFEST.json +3 -3
- package/lib/vendor/blamejs/CHANGELOG.md +4 -0
- package/lib/vendor/blamejs/GOVERNANCE.md +2 -3
- package/lib/vendor/blamejs/LTS-CALENDAR.md +6 -2
- package/lib/vendor/blamejs/SECURITY.md +1 -1
- package/lib/vendor/blamejs/api-snapshot.json +2 -2
- package/lib/vendor/blamejs/lib/a2a.js +11 -11
- package/lib/vendor/blamejs/lib/agent-snapshot.js +1 -1
- package/lib/vendor/blamejs/lib/ai-capability.js +20 -20
- package/lib/vendor/blamejs/lib/ai-content-detect.js +4 -3
- package/lib/vendor/blamejs/lib/ai-dp.js +17 -17
- package/lib/vendor/blamejs/lib/ai-input.js +3 -3
- package/lib/vendor/blamejs/lib/ai-pref.js +9 -9
- package/lib/vendor/blamejs/lib/ai-quota.js +17 -17
- package/lib/vendor/blamejs/lib/archive-read.js +10 -7
- package/lib/vendor/blamejs/lib/arg-parser.js +38 -38
- package/lib/vendor/blamejs/lib/audit-sign.js +4 -4
- package/lib/vendor/blamejs/lib/auth/acr-vocabulary.js +4 -4
- package/lib/vendor/blamejs/lib/auth/auth-time-tracker.js +1 -1
- package/lib/vendor/blamejs/lib/auth/elevation-grant.js +10 -10
- package/lib/vendor/blamejs/lib/auth/step-up-policy.js +12 -12
- package/lib/vendor/blamejs/lib/auth/step-up.js +15 -15
- package/lib/vendor/blamejs/lib/boot-gates.js +6 -6
- package/lib/vendor/blamejs/lib/break-glass.js +1 -1
- package/lib/vendor/blamejs/lib/budr.js +6 -6
- package/lib/vendor/blamejs/lib/cms-codec.js +10 -9
- package/lib/vendor/blamejs/lib/content-credentials.js +13 -13
- package/lib/vendor/blamejs/lib/dark-patterns.js +15 -15
- package/lib/vendor/blamejs/lib/ddl-change-control.js +37 -37
- package/lib/vendor/blamejs/lib/dr-runbook.js +7 -7
- package/lib/vendor/blamejs/lib/fapi2.js +9 -9
- package/lib/vendor/blamejs/lib/fdx.js +7 -7
- package/lib/vendor/blamejs/lib/graphql-federation.js +2 -2
- package/lib/vendor/blamejs/lib/iab-mspa.js +5 -5
- package/lib/vendor/blamejs/lib/iab-tcf.js +18 -18
- package/lib/vendor/blamejs/lib/mail-crypto-smime.js +10 -6
- package/lib/vendor/blamejs/lib/mcp.js +13 -13
- package/lib/vendor/blamejs/lib/middleware/require-step-up.js +3 -3
- package/lib/vendor/blamejs/lib/mtls-ca.js +2 -2
- package/lib/vendor/blamejs/lib/safe-archive.js +8 -7
- package/lib/vendor/blamejs/lib/sec-cyber.js +3 -3
- package/lib/vendor/blamejs/lib/sse.js +14 -14
- package/lib/vendor/blamejs/lib/tcpa-10dlc.js +5 -5
- package/lib/vendor/blamejs/lib/tenant-quota.js +18 -18
- package/lib/vendor/blamejs/package.json +1 -1
- package/lib/vendor/blamejs/release-notes/v0.13.43.json +39 -0
- package/lib/vendor/blamejs/release-notes/v0.13.44.json +31 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/a2a.test.js +1 -1
- package/lib/vendor/blamejs/test/layer-0-primitives/ai-capability.test.js +15 -15
- package/lib/vendor/blamejs/test/layer-0-primitives/ai-dp.test.js +16 -16
- package/lib/vendor/blamejs/test/layer-0-primitives/ai-input.test.js +2 -2
- package/lib/vendor/blamejs/test/layer-0-primitives/ai-pref.test.js +2 -2
- package/lib/vendor/blamejs/test/layer-0-primitives/ai-quota.test.js +19 -19
- package/lib/vendor/blamejs/test/layer-0-primitives/audit-sign-ml-dsa-65.test.js +1 -1
- package/lib/vendor/blamejs/test/layer-0-primitives/boot-gates.test.js +1 -1
- package/lib/vendor/blamejs/test/layer-0-primitives/budr.test.js +3 -3
- package/lib/vendor/blamejs/test/layer-0-primitives/codebase-patterns.test.js +52 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/content-credentials.test.js +3 -3
- package/lib/vendor/blamejs/test/layer-0-primitives/dark-patterns.test.js +2 -2
- package/lib/vendor/blamejs/test/layer-0-primitives/dr-runbook.test.js +1 -1
- package/lib/vendor/blamejs/test/layer-0-primitives/fapi2.test.js +6 -6
- package/lib/vendor/blamejs/test/layer-0-primitives/fdx.test.js +2 -2
- package/lib/vendor/blamejs/test/layer-0-primitives/graphql-federation.test.js +1 -1
- package/lib/vendor/blamejs/test/layer-0-primitives/iab-mspa.test.js +3 -3
- package/lib/vendor/blamejs/test/layer-0-primitives/iab-tcf.test.js +7 -7
- package/lib/vendor/blamejs/test/layer-0-primitives/mcp.test.js +5 -5
- package/lib/vendor/blamejs/test/layer-0-primitives/sse.test.js +1 -1
- package/lib/vendor/blamejs/test/layer-0-primitives/tcpa-10dlc.test.js +3 -3
- package/lib/vendor/blamejs/test/layer-0-primitives/tenant-quota.test.js +3 -3
- package/lib/vendor/blamejs/test/layer-0-primitives/ws-client.test.js +4 -1
- package/package.json +1 -1
|
@@ -81,30 +81,30 @@ function parseRequest(body, opts) {
|
|
|
81
81
|
try {
|
|
82
82
|
parsed = typeof body === "string" ? safeJson.parse(body, { maxBytes: C.BYTES.mib(1) }) : body; // allow:JSON.parse — routed via safeJson.parse
|
|
83
83
|
} catch (_e) {
|
|
84
|
-
throw errorClass.factory("
|
|
84
|
+
throw errorClass.factory("mcp/bad-json",
|
|
85
85
|
"mcp.parseRequest: body is not valid JSON");
|
|
86
86
|
}
|
|
87
87
|
if (!parsed || typeof parsed !== "object" || Array.isArray(parsed)) {
|
|
88
|
-
throw errorClass.factory("
|
|
88
|
+
throw errorClass.factory("mcp/bad-envelope",
|
|
89
89
|
"mcp.parseRequest: request must be a JSON-RPC object");
|
|
90
90
|
}
|
|
91
91
|
if (parsed.jsonrpc !== "2.0") {
|
|
92
|
-
throw errorClass.factory("
|
|
92
|
+
throw errorClass.factory("mcp/bad-version",
|
|
93
93
|
"mcp.parseRequest: jsonrpc must be \"2.0\"");
|
|
94
94
|
}
|
|
95
95
|
if (typeof parsed.method !== "string" || parsed.method.length === 0 ||
|
|
96
96
|
parsed.method.length > METHOD_NAME_MAX) {
|
|
97
|
-
throw errorClass.factory("
|
|
97
|
+
throw errorClass.factory("mcp/bad-method",
|
|
98
98
|
"mcp.parseRequest: method must be a non-empty string under 256 bytes");
|
|
99
99
|
}
|
|
100
100
|
if (parsed.id !== undefined && parsed.id !== null &&
|
|
101
101
|
typeof parsed.id !== "string" && typeof parsed.id !== "number") {
|
|
102
|
-
throw errorClass.factory("
|
|
102
|
+
throw errorClass.factory("mcp/bad-id",
|
|
103
103
|
"mcp.parseRequest: id must be string, number, or null");
|
|
104
104
|
}
|
|
105
105
|
if (parsed.params !== undefined && parsed.params !== null &&
|
|
106
106
|
typeof parsed.params !== "object") {
|
|
107
|
-
throw errorClass.factory("
|
|
107
|
+
throw errorClass.factory("mcp/bad-params",
|
|
108
108
|
"mcp.parseRequest: params must be object or array");
|
|
109
109
|
}
|
|
110
110
|
return parsed;
|
|
@@ -167,7 +167,7 @@ function _readBodyBuffered(req, maxBytes, errorClass) {
|
|
|
167
167
|
try { collector.push(chunk); }
|
|
168
168
|
catch (_e) {
|
|
169
169
|
req.destroy();
|
|
170
|
-
reject(errorClass.factory("
|
|
170
|
+
reject(errorClass.factory("mcp/body-too-large",
|
|
171
171
|
"mcp: request body exceeds " + maxBytes + " bytes"));
|
|
172
172
|
}
|
|
173
173
|
});
|
|
@@ -178,17 +178,17 @@ function _readBodyBuffered(req, maxBytes, errorClass) {
|
|
|
178
178
|
|
|
179
179
|
function _checkRedirectUri(uri, allowlist, errorClass) {
|
|
180
180
|
if (typeof uri !== "string") {
|
|
181
|
-
throw errorClass.factory("
|
|
181
|
+
throw errorClass.factory("mcp/bad-redirect-uri",
|
|
182
182
|
"mcp: redirect_uri must be a string");
|
|
183
183
|
}
|
|
184
184
|
if (!Array.isArray(allowlist) || allowlist.indexOf(uri) === -1) {
|
|
185
|
-
throw errorClass.factory("
|
|
185
|
+
throw errorClass.factory("mcp/redirect-uri-refused",
|
|
186
186
|
"mcp: redirect_uri not in allowlist (OAuth 2.1 / RFC 9700 sec 4.1.1)");
|
|
187
187
|
}
|
|
188
188
|
var parsed;
|
|
189
189
|
try { parsed = safeUrl.parse(uri); }
|
|
190
190
|
catch (_e) {
|
|
191
|
-
throw errorClass.factory("
|
|
191
|
+
throw errorClass.factory("mcp/bad-redirect-uri",
|
|
192
192
|
"mcp: redirect_uri did not parse");
|
|
193
193
|
}
|
|
194
194
|
var isHttps = parsed.protocol === "https:";
|
|
@@ -205,7 +205,7 @@ function _checkRedirectUri(uri, allowlist, errorClass) {
|
|
|
205
205
|
}
|
|
206
206
|
var isLocal = rawHost === "localhost" || rawHost === "127.0.0.1" || rawHost === "::1";
|
|
207
207
|
if (!isHttps && !isLocal) {
|
|
208
|
-
throw errorClass.factory("
|
|
208
|
+
throw errorClass.factory("mcp/insecure-redirect-uri",
|
|
209
209
|
"mcp: redirect_uri must be HTTPS (or localhost; RFC 9700 sec 4.1.1)");
|
|
210
210
|
}
|
|
211
211
|
}
|
|
@@ -257,7 +257,7 @@ function serverGuard(opts) {
|
|
|
257
257
|
var requireBearer = opts.requireBearer !== false;
|
|
258
258
|
var verifyBearer = opts.verifyBearer || null;
|
|
259
259
|
if (requireBearer && typeof verifyBearer !== "function") {
|
|
260
|
-
throw errorClass.factory("
|
|
260
|
+
throw errorClass.factory("mcp/bad-opts",
|
|
261
261
|
"mcp.serverGuard: verifyBearer required when requireBearer=true");
|
|
262
262
|
}
|
|
263
263
|
var redirectUriAllowlist = Array.isArray(opts.redirectUriAllowlist)
|
|
@@ -266,7 +266,7 @@ function serverGuard(opts) {
|
|
|
266
266
|
var registerClientAllowlist = typeof opts.registerClientAllowlist === "function"
|
|
267
267
|
? opts.registerClientAllowlist : null;
|
|
268
268
|
if (allowDynamicRegister && !registerClientAllowlist) {
|
|
269
|
-
throw errorClass.factory("
|
|
269
|
+
throw errorClass.factory("mcp/bad-opts",
|
|
270
270
|
"mcp.serverGuard: allowDynamicRegister=true requires registerClientAllowlist function");
|
|
271
271
|
}
|
|
272
272
|
var toolAllowlist = Array.isArray(opts.toolAllowlist) ? opts.toolAllowlist : null;
|
|
@@ -123,11 +123,11 @@ function create(opts) {
|
|
|
123
123
|
], "middleware.requireStepUp");
|
|
124
124
|
|
|
125
125
|
if (!opts.requirement || typeof opts.requirement !== "object") {
|
|
126
|
-
throw new AuthError("auth-
|
|
126
|
+
throw new AuthError("auth-step-up/bad-requirement",
|
|
127
127
|
"middleware.requireStepUp: opts.requirement must be an object");
|
|
128
128
|
}
|
|
129
129
|
validateOpts.optionalFunction(opts.getClaims,
|
|
130
|
-
"middleware.requireStepUp: getClaims", AuthError, "auth-
|
|
130
|
+
"middleware.requireStepUp: getClaims", AuthError, "auth-step-up/bad-opt");
|
|
131
131
|
|
|
132
132
|
var realm = (typeof opts.realm === "string" && opts.realm.length > 0)
|
|
133
133
|
? opts.realm : "api";
|
|
@@ -146,7 +146,7 @@ function create(opts) {
|
|
|
146
146
|
// on the first hot-path request.
|
|
147
147
|
var probe = stepUp().evaluate({ claims: { acr: "0" }, requirement: opts.requirement });
|
|
148
148
|
if (probe.error === "bad_requirement" || probe.error === "unknown_acr") {
|
|
149
|
-
throw new AuthError("auth-
|
|
149
|
+
throw new AuthError("auth-step-up/bad-requirement",
|
|
150
150
|
"middleware.requireStepUp: " + (probe.reason || probe.error));
|
|
151
151
|
}
|
|
152
152
|
|
|
@@ -517,8 +517,8 @@ function create(opts) {
|
|
|
517
517
|
opts3 = opts3 || {};
|
|
518
518
|
if (typeof engine.generateCrl !== "function") {
|
|
519
519
|
throw new MtlsCaError("mtls-ca/engine-no-crl",
|
|
520
|
-
"configured engine does not implement generateCrl(); the
|
|
521
|
-
"engine
|
|
520
|
+
"configured engine does not implement generateCrl(); use the " +
|
|
521
|
+
"framework's bundled CA engine, which supports it");
|
|
522
522
|
}
|
|
523
523
|
var ca = await initCA();
|
|
524
524
|
var revocations = _loadRevocations().revocations;
|
|
@@ -22,10 +22,11 @@
|
|
|
22
22
|
* pipeline manually.
|
|
23
23
|
*
|
|
24
24
|
* Format auto-detection sniffs the first ~512 bytes for magic
|
|
25
|
-
* signatures
|
|
26
|
-
*
|
|
27
|
-
* wrapped
|
|
28
|
-
*
|
|
25
|
+
* signatures: ZIP (LFH magic `0x04034b50` + EOCD magic `0x06054b50`),
|
|
26
|
+
* tar (`ustar` at offset 257), gzip / tar.gz (RFC 1952 magic), and
|
|
27
|
+
* `b.crypto.encryptPacked`-wrapped envelopes (auto-unwrapped before
|
|
28
|
+
* format detection). Unrecognized inputs are flagged
|
|
29
|
+
* `safe-archive/format-unsupported`.
|
|
29
30
|
*
|
|
30
31
|
* The orchestrator refuses the WHOLE archive on any single critical
|
|
31
32
|
* guard issue — no partial extraction. Cleanup is `fs.rm`-recursive
|
|
@@ -148,7 +149,7 @@ async function _collectSourceBytes(source) {
|
|
|
148
149
|
* @opts
|
|
149
150
|
* source: b.archive.adapters.* | Buffer | string,
|
|
150
151
|
* destination: string (target directory; created if missing),
|
|
151
|
-
* format: "auto" | "zip"
|
|
152
|
+
* format: "auto" | "zip" | "tar" | "tar.gz",
|
|
152
153
|
* bombPolicy: b.guardArchive.zipBombPolicy(...) | { ... },
|
|
153
154
|
* entryTypePolicy: b.guardArchive.entryTypePolicy(...) | { ... },
|
|
154
155
|
* guardProfile: "strict" | "balanced" | "permissive" | "hipaa" | ...,
|
|
@@ -275,8 +276,8 @@ async function extract(opts) {
|
|
|
275
276
|
});
|
|
276
277
|
} else {
|
|
277
278
|
throw new SafeArchiveError("safe-archive/format-unsupported",
|
|
278
|
-
"extract: format=" + JSON.stringify(format) + " —
|
|
279
|
-
"
|
|
279
|
+
"extract: format=" + JSON.stringify(format) + " — supported formats are " +
|
|
280
|
+
"zip, tar, tar.gz; b.crypto.encryptPacked-wrapped archives are auto-unwrapped first");
|
|
280
281
|
}
|
|
281
282
|
var result = await reader.extract({
|
|
282
283
|
destination: opts.destination,
|
|
@@ -91,13 +91,13 @@ function _addBusinessDays(startMs, days) {
|
|
|
91
91
|
|
|
92
92
|
function eightKArtifact(opts) {
|
|
93
93
|
if (!opts || typeof opts !== "object") {
|
|
94
|
-
throw SecCyberError.factory("
|
|
94
|
+
throw SecCyberError.factory("sec-cyber/bad-opts",
|
|
95
95
|
"secCyber.eightKArtifact: opts required");
|
|
96
96
|
}
|
|
97
97
|
validateOpts.requireNonEmptyString(opts.incidentId,
|
|
98
98
|
"secCyber.eightKArtifact: incidentId", SecCyberError, "BAD_INCIDENT_ID");
|
|
99
99
|
if (!opts.registrant || typeof opts.registrant !== "object") {
|
|
100
|
-
throw SecCyberError.factory("
|
|
100
|
+
throw SecCyberError.factory("sec-cyber/bad-registrant",
|
|
101
101
|
"secCyber.eightKArtifact: registrant object required");
|
|
102
102
|
}
|
|
103
103
|
validateOpts.requireNonEmptyString(opts.registrant.name,
|
|
@@ -110,7 +110,7 @@ function eightKArtifact(opts) {
|
|
|
110
110
|
"secCyber.eightKArtifact: materialityDeterminedAt", SecCyberError, "BAD_MAT_AT");
|
|
111
111
|
|
|
112
112
|
if (FINDINGS.indexOf(opts.materialityFinding) === -1) {
|
|
113
|
-
throw SecCyberError.factory("
|
|
113
|
+
throw SecCyberError.factory("sec-cyber/bad-finding",
|
|
114
114
|
"secCyber.eightKArtifact: materialityFinding must be one of " + FINDINGS.join(", "));
|
|
115
115
|
}
|
|
116
116
|
validateOpts.requireNonEmptyString(opts.materialityReasoning,
|
|
@@ -89,7 +89,7 @@ function _validateRetry(retry, errorClass) {
|
|
|
89
89
|
if (retry === undefined || retry === null) return null;
|
|
90
90
|
if (typeof retry !== "number" || !isFinite(retry) || retry < 0 ||
|
|
91
91
|
Math.floor(retry) !== retry) {
|
|
92
|
-
throw errorClass.factory("
|
|
92
|
+
throw errorClass.factory("sse/bad-retry",
|
|
93
93
|
"sse.send: retry must be a non-negative finite integer (got " +
|
|
94
94
|
JSON.stringify(retry) + ")");
|
|
95
95
|
}
|
|
@@ -98,14 +98,14 @@ function _validateRetry(retry, errorClass) {
|
|
|
98
98
|
|
|
99
99
|
function _refuseInjection(field, value, errorClass) {
|
|
100
100
|
if (typeof value !== "string") {
|
|
101
|
-
throw errorClass.factory("
|
|
101
|
+
throw errorClass.factory("sse/bad-field",
|
|
102
102
|
"sse.send: " + field + " must be a string");
|
|
103
103
|
}
|
|
104
104
|
// Length-bound BEFORE the regex test — _capField applies a tighter
|
|
105
105
|
// cap further along, but the regex itself runs against the full
|
|
106
106
|
// value so we bound here too.
|
|
107
107
|
if (value.length > MAX_DATA_BYTES) {
|
|
108
|
-
throw errorClass.factory("
|
|
108
|
+
throw errorClass.factory("sse/field-too-large",
|
|
109
109
|
"sse.send: " + field + " too large for injection scan");
|
|
110
110
|
}
|
|
111
111
|
if (INJECTION_RE.test(value)) { // allow:regex-no-length-cap — value length capped above
|
|
@@ -114,7 +114,7 @@ function _refuseInjection(field, value, errorClass) {
|
|
|
114
114
|
outcome: "denied",
|
|
115
115
|
metadata: { field: field, length: value.length },
|
|
116
116
|
});
|
|
117
|
-
throw errorClass.factory("
|
|
117
|
+
throw errorClass.factory("sse/injection",
|
|
118
118
|
"sse.send: " + field + " contains LF/CR/NUL — refused " +
|
|
119
119
|
"(CVE-2026-33128 / 29085 / 44217 class)");
|
|
120
120
|
}
|
|
@@ -130,7 +130,7 @@ var MAX_DATA_BYTES = C.BYTES.mib(1);
|
|
|
130
130
|
function _capField(field, value, capBytes, errorClass) {
|
|
131
131
|
var len = Buffer.byteLength(value, "utf8");
|
|
132
132
|
if (len > capBytes) {
|
|
133
|
-
throw errorClass.factory("
|
|
133
|
+
throw errorClass.factory("sse/field-too-large",
|
|
134
134
|
"sse.send: " + field + " exceeds cap (" + len + " > " +
|
|
135
135
|
capBytes + " bytes)");
|
|
136
136
|
}
|
|
@@ -139,7 +139,7 @@ function _capField(field, value, capBytes, errorClass) {
|
|
|
139
139
|
function serializeEvent(opts, errorClass) {
|
|
140
140
|
errorClass = errorClass || SseError;
|
|
141
141
|
if (!opts || typeof opts !== "object") {
|
|
142
|
-
throw errorClass.factory("
|
|
142
|
+
throw errorClass.factory("sse/bad-opts", "sse.serializeEvent: opts required");
|
|
143
143
|
}
|
|
144
144
|
var out = "";
|
|
145
145
|
// Field order: id, event, retry, data — matches the framework's
|
|
@@ -162,7 +162,7 @@ function serializeEvent(opts, errorClass) {
|
|
|
162
162
|
}
|
|
163
163
|
if (opts.data !== undefined && opts.data !== null) {
|
|
164
164
|
if (typeof opts.data !== "string") {
|
|
165
|
-
throw errorClass.factory("
|
|
165
|
+
throw errorClass.factory("sse/bad-field",
|
|
166
166
|
"sse.send: data must be a string");
|
|
167
167
|
}
|
|
168
168
|
_capField("data", opts.data, MAX_DATA_BYTES, errorClass);
|
|
@@ -174,7 +174,7 @@ function serializeEvent(opts, errorClass) {
|
|
|
174
174
|
outcome: "denied",
|
|
175
175
|
metadata: { field: "data", length: opts.data.length, char: "cr-or-nul" },
|
|
176
176
|
});
|
|
177
|
-
throw errorClass.factory("
|
|
177
|
+
throw errorClass.factory("sse/injection",
|
|
178
178
|
"sse.send: data contains CR or NUL — refused");
|
|
179
179
|
}
|
|
180
180
|
var lines = opts.data.split("\n");
|
|
@@ -189,11 +189,11 @@ function serializeEvent(opts, errorClass) {
|
|
|
189
189
|
|
|
190
190
|
function _validateComment(text, errorClass) {
|
|
191
191
|
if (typeof text !== "string") {
|
|
192
|
-
throw errorClass.factory("
|
|
192
|
+
throw errorClass.factory("sse/bad-field",
|
|
193
193
|
"sse.comment: text must be a string");
|
|
194
194
|
}
|
|
195
195
|
if (text.length > MAX_DATA_BYTES) {
|
|
196
|
-
throw errorClass.factory("
|
|
196
|
+
throw errorClass.factory("sse/field-too-large",
|
|
197
197
|
"sse.comment: text too large for injection scan");
|
|
198
198
|
}
|
|
199
199
|
if (INJECTION_RE.test(text)) { // allow:regex-no-length-cap — text length capped above
|
|
@@ -202,7 +202,7 @@ function _validateComment(text, errorClass) {
|
|
|
202
202
|
outcome: "denied",
|
|
203
203
|
metadata: { field: "comment", length: text.length },
|
|
204
204
|
});
|
|
205
|
-
throw errorClass.factory("
|
|
205
|
+
throw errorClass.factory("sse/injection",
|
|
206
206
|
"sse.comment: text contains LF/CR/NUL — refused");
|
|
207
207
|
}
|
|
208
208
|
}
|
|
@@ -224,14 +224,14 @@ function create(req, res, opts) {
|
|
|
224
224
|
opts = opts || {};
|
|
225
225
|
var errorClass = opts.errorClass || SseError;
|
|
226
226
|
if (!res || typeof res.write !== "function" || typeof res.end !== "function") {
|
|
227
|
-
throw errorClass.factory("
|
|
227
|
+
throw errorClass.factory("sse/bad-res",
|
|
228
228
|
"sse.create: res must be a writable response stream");
|
|
229
229
|
}
|
|
230
230
|
var heartbeatMs = opts.heartbeatMs;
|
|
231
231
|
if (heartbeatMs === undefined) heartbeatMs = C.TIME.seconds(15);
|
|
232
232
|
if (typeof heartbeatMs !== "number" || !isFinite(heartbeatMs) ||
|
|
233
233
|
heartbeatMs < 0 || Math.floor(heartbeatMs) !== heartbeatMs) {
|
|
234
|
-
throw errorClass.factory("
|
|
234
|
+
throw errorClass.factory("sse/bad-opts",
|
|
235
235
|
"sse.create: heartbeatMs must be a non-negative integer ms (got " +
|
|
236
236
|
JSON.stringify(heartbeatMs) + ")");
|
|
237
237
|
}
|
|
@@ -264,7 +264,7 @@ function create(req, res, opts) {
|
|
|
264
264
|
|
|
265
265
|
function _writeRaw(s) {
|
|
266
266
|
if (closed) {
|
|
267
|
-
throw errorClass.factory("
|
|
267
|
+
throw errorClass.factory("sse/closed",
|
|
268
268
|
"sse.send: channel closed");
|
|
269
269
|
}
|
|
270
270
|
res.write(s);
|
|
@@ -72,11 +72,11 @@ var records = new Map(); // phoneE164 → record
|
|
|
72
72
|
|
|
73
73
|
function recordConsent(opts) {
|
|
74
74
|
if (!opts || typeof opts !== "object") {
|
|
75
|
-
throw Tcpa10dlcError.factory("
|
|
75
|
+
throw Tcpa10dlcError.factory("tcpa-10dlc/bad-opts",
|
|
76
76
|
"tcpa10dlc.recordConsent: opts required");
|
|
77
77
|
}
|
|
78
78
|
if (typeof opts.phoneE164 !== "string" || !E164_RE.test(opts.phoneE164)) {
|
|
79
|
-
throw Tcpa10dlcError.factory("
|
|
79
|
+
throw Tcpa10dlcError.factory("tcpa-10dlc/bad-phone",
|
|
80
80
|
"tcpa10dlc.recordConsent: phoneE164 must match " + E164_RE);
|
|
81
81
|
}
|
|
82
82
|
validateOpts.requireNonEmptyString(opts.brand,
|
|
@@ -86,7 +86,7 @@ function recordConsent(opts) {
|
|
|
86
86
|
validateOpts.requireNonEmptyString(opts.formUrl,
|
|
87
87
|
"tcpa10dlc.recordConsent: formUrl", Tcpa10dlcError, "BAD_FORM_URL");
|
|
88
88
|
if (DISCLOSURE_PARTIES.indexOf(opts.disclosurePartyKind) === -1) {
|
|
89
|
-
throw Tcpa10dlcError.factory("
|
|
89
|
+
throw Tcpa10dlcError.factory("tcpa-10dlc/bad-disclosure-party",
|
|
90
90
|
"tcpa10dlc.recordConsent: disclosurePartyKind must be one of " +
|
|
91
91
|
DISCLOSURE_PARTIES.join(", "));
|
|
92
92
|
}
|
|
@@ -133,12 +133,12 @@ function lookup(phoneE164) {
|
|
|
133
133
|
|
|
134
134
|
function revoke(phoneE164, reason) {
|
|
135
135
|
if (typeof phoneE164 !== "string" || !E164_RE.test(phoneE164)) {
|
|
136
|
-
throw Tcpa10dlcError.factory("
|
|
136
|
+
throw Tcpa10dlcError.factory("tcpa-10dlc/bad-phone",
|
|
137
137
|
"tcpa10dlc.revoke: phoneE164 must match " + E164_RE);
|
|
138
138
|
}
|
|
139
139
|
var existing = records.get(phoneE164);
|
|
140
140
|
if (!existing) {
|
|
141
|
-
throw Tcpa10dlcError.factory("
|
|
141
|
+
throw Tcpa10dlcError.factory("tcpa-10dlc/no-record",
|
|
142
142
|
"tcpa10dlc.revoke: no consent record for " + phoneE164);
|
|
143
143
|
}
|
|
144
144
|
if (existing.revoked) {
|
|
@@ -113,23 +113,23 @@ function create(opts) {
|
|
|
113
113
|
|
|
114
114
|
if (!opts.db || typeof opts.db.from !== "function" ||
|
|
115
115
|
typeof opts.db.getTableMetadata !== "function") {
|
|
116
|
-
throw new TenantQuotaError("
|
|
116
|
+
throw new TenantQuotaError("tenant-quota/bad-db",
|
|
117
117
|
"tenantQuota.create: opts.db must be the framework's b.db namespace");
|
|
118
118
|
}
|
|
119
119
|
validateOpts.requireNonEmptyString(opts.tenantField,
|
|
120
|
-
"tenantQuota.create: tenantField", TenantQuotaError, "
|
|
120
|
+
"tenantQuota.create: tenantField", TenantQuotaError, "tenant-quota/bad-field");
|
|
121
121
|
|
|
122
122
|
var defaultBytesCap = (opts.defaultBytesCap == null)
|
|
123
123
|
? DEFAULT_BYTES_CAP
|
|
124
124
|
: opts.defaultBytesCap;
|
|
125
125
|
if (typeof defaultBytesCap !== "number" || !isFinite(defaultBytesCap) || defaultBytesCap <= 0) {
|
|
126
|
-
throw new TenantQuotaError("
|
|
126
|
+
throw new TenantQuotaError("tenant-quota/bad-cap",
|
|
127
127
|
"tenantQuota.create: defaultBytesCap must be a positive finite number");
|
|
128
128
|
}
|
|
129
129
|
|
|
130
130
|
var perTenantBytesCap = opts.perTenantBytesCap || {};
|
|
131
131
|
if (typeof perTenantBytesCap !== "object" || Array.isArray(perTenantBytesCap)) {
|
|
132
|
-
throw new TenantQuotaError("
|
|
132
|
+
throw new TenantQuotaError("tenant-quota/bad-per-tenant",
|
|
133
133
|
"tenantQuota.create: perTenantBytesCap must be a plain object {tenantId: bytes}");
|
|
134
134
|
}
|
|
135
135
|
// Validate every per-tenant override at config time so a typo
|
|
@@ -138,7 +138,7 @@ function create(opts) {
|
|
|
138
138
|
for (var pi = 0; pi < ptKeys.length; pi++) {
|
|
139
139
|
var v = perTenantBytesCap[ptKeys[pi]];
|
|
140
140
|
if (typeof v !== "number" || !isFinite(v) || v <= 0) {
|
|
141
|
-
throw new TenantQuotaError("
|
|
141
|
+
throw new TenantQuotaError("tenant-quota/bad-per-tenant",
|
|
142
142
|
"tenantQuota.create: perTenantBytesCap['" + ptKeys[pi] +
|
|
143
143
|
"'] must be a positive finite number");
|
|
144
144
|
}
|
|
@@ -147,7 +147,7 @@ function create(opts) {
|
|
|
147
147
|
var auditOn = opts.audit !== false;
|
|
148
148
|
var cacheTtlMs = (opts.cacheTtlMs == null) ? DEFAULT_CACHE_TTL_MS : opts.cacheTtlMs;
|
|
149
149
|
if (typeof cacheTtlMs !== "number" || !isFinite(cacheTtlMs) || cacheTtlMs < 0) {
|
|
150
|
-
throw new TenantQuotaError("
|
|
150
|
+
throw new TenantQuotaError("tenant-quota/bad-ttl",
|
|
151
151
|
"tenantQuota.create: cacheTtlMs must be a non-negative finite number");
|
|
152
152
|
}
|
|
153
153
|
|
|
@@ -230,7 +230,7 @@ function create(opts) {
|
|
|
230
230
|
|
|
231
231
|
async function snapshot(tenantId) {
|
|
232
232
|
validateOpts.requireNonEmptyString(tenantId,
|
|
233
|
-
"tenantQuota.snapshot: tenantId", TenantQuotaError, "
|
|
233
|
+
"tenantQuota.snapshot: tenantId", TenantQuotaError, "tenant-quota/bad-tenant");
|
|
234
234
|
var now = Date.now();
|
|
235
235
|
var cached = cache.get(tenantId);
|
|
236
236
|
var bytesUsed;
|
|
@@ -258,7 +258,7 @@ function create(opts) {
|
|
|
258
258
|
bytesCap: snap.bytesCap,
|
|
259
259
|
});
|
|
260
260
|
_emitMetric("tenant.quota.exceeded", 1);
|
|
261
|
-
throw new TenantQuotaError("
|
|
261
|
+
throw new TenantQuotaError("tenant-quota/exceeded",
|
|
262
262
|
"tenantQuota.assert: tenant '" + tenantId + "' is at " +
|
|
263
263
|
snap.bytesUsed + " of " + snap.bytesCap + " bytes; insert refused");
|
|
264
264
|
}
|
|
@@ -344,21 +344,21 @@ function budget(opts) {
|
|
|
344
344
|
], "tenantQuota.budget");
|
|
345
345
|
|
|
346
346
|
validateOpts.requireNonEmptyString(opts.tenantField,
|
|
347
|
-
"tenantQuota.budget: tenantField", TenantQuotaError, "
|
|
347
|
+
"tenantQuota.budget: tenantField", TenantQuotaError, "tenant-quota/bad-field");
|
|
348
348
|
|
|
349
349
|
var qpsCap = (opts.perTenantQpsCap == null) ? DEFAULT_QPS_CAP : opts.perTenantQpsCap;
|
|
350
350
|
if (typeof qpsCap !== "number" || !isFinite(qpsCap) || qpsCap <= 0) {
|
|
351
|
-
throw new TenantQuotaError("
|
|
351
|
+
throw new TenantQuotaError("tenant-quota/bad-qps",
|
|
352
352
|
"tenantQuota.budget: perTenantQpsCap must be a positive finite number");
|
|
353
353
|
}
|
|
354
354
|
var rowsCap = (opts.perTenantTotalRowsRead == null) ? DEFAULT_ROWS_READ : opts.perTenantTotalRowsRead;
|
|
355
355
|
if (typeof rowsCap !== "number" || !isFinite(rowsCap) || rowsCap <= 0) {
|
|
356
|
-
throw new TenantQuotaError("
|
|
356
|
+
throw new TenantQuotaError("tenant-quota/bad-rows",
|
|
357
357
|
"tenantQuota.budget: perTenantTotalRowsRead must be a positive finite number");
|
|
358
358
|
}
|
|
359
359
|
var windowMs = (opts.window == null) ? DEFAULT_WINDOW_MS : opts.window;
|
|
360
360
|
if (typeof windowMs !== "number" || !isFinite(windowMs) || windowMs <= 0) {
|
|
361
|
-
throw new TenantQuotaError("
|
|
361
|
+
throw new TenantQuotaError("tenant-quota/bad-window",
|
|
362
362
|
"tenantQuota.budget: window must be a positive finite number");
|
|
363
363
|
}
|
|
364
364
|
var auditOn = opts.audit !== false;
|
|
@@ -393,7 +393,7 @@ function budget(opts) {
|
|
|
393
393
|
|
|
394
394
|
function observe(tenantId, info) {
|
|
395
395
|
validateOpts.requireNonEmptyString(tenantId,
|
|
396
|
-
"tenantQuota.budget.observe: tenantId", TenantQuotaError, "
|
|
396
|
+
"tenantQuota.budget.observe: tenantId", TenantQuotaError, "tenant-quota/bad-tenant");
|
|
397
397
|
info = info || {};
|
|
398
398
|
var rowsRead = (typeof info.rowsRead === "number" && info.rowsRead >= 0) ? info.rowsRead : 0;
|
|
399
399
|
var now = Date.now();
|
|
@@ -411,7 +411,7 @@ function budget(opts) {
|
|
|
411
411
|
windowMs: windowMs,
|
|
412
412
|
});
|
|
413
413
|
_emitMetric("tenant.budget.exceeded", 1);
|
|
414
|
-
throw new TenantQuotaError("
|
|
414
|
+
throw new TenantQuotaError("tenant-quota/budget-exceeded",
|
|
415
415
|
"tenantQuota.budget: tenant '" + tenantId + "' exceeded budget " +
|
|
416
416
|
"(calls=" + c.calls + "/" + maxCalls + ", rowsRead=" + c.rowsRead +
|
|
417
417
|
"/" + rowsCap + ", windowMs=" + windowMs + ")");
|
|
@@ -486,7 +486,7 @@ function budget(opts) {
|
|
|
486
486
|
*/
|
|
487
487
|
function instrumentQuery(opts) {
|
|
488
488
|
if (!opts || typeof opts !== "object") {
|
|
489
|
-
throw new TenantQuotaError("
|
|
489
|
+
throw new TenantQuotaError("tenant-quota/bad-instr",
|
|
490
490
|
"tenantQuota.instrumentQuery: opts object is required");
|
|
491
491
|
}
|
|
492
492
|
validateOpts(opts, [
|
|
@@ -494,13 +494,13 @@ function instrumentQuery(opts) {
|
|
|
494
494
|
], "tenantQuota.instrumentQuery");
|
|
495
495
|
|
|
496
496
|
if (!Array.isArray(opts.rows)) {
|
|
497
|
-
throw new TenantQuotaError("
|
|
497
|
+
throw new TenantQuotaError("tenant-quota/bad-rows",
|
|
498
498
|
"tenantQuota.instrumentQuery: rows must be an array");
|
|
499
499
|
}
|
|
500
500
|
validateOpts.requireNonEmptyString(opts.tenantField,
|
|
501
|
-
"tenantQuota.instrumentQuery: tenantField", TenantQuotaError, "
|
|
501
|
+
"tenantQuota.instrumentQuery: tenantField", TenantQuotaError, "tenant-quota/bad-field");
|
|
502
502
|
validateOpts.requireNonEmptyString(opts.tenantId,
|
|
503
|
-
"tenantQuota.instrumentQuery: tenantId", TenantQuotaError, "
|
|
503
|
+
"tenantQuota.instrumentQuery: tenantId", TenantQuotaError, "tenant-quota/bad-tenant");
|
|
504
504
|
var auditOn = opts.audit !== false;
|
|
505
505
|
|
|
506
506
|
var crossover = [];
|
|
@@ -0,0 +1,39 @@
|
|
|
1
|
+
{
|
|
2
|
+
"$schema": "../scripts/release-notes-schema.json",
|
|
3
|
+
"version": "0.13.43",
|
|
4
|
+
"date": "2026-05-29",
|
|
5
|
+
"headline": "LTS window stated consistently as 24 months, experimental primitives declared semver-exempt, and stale version references cleaned up",
|
|
6
|
+
"summary": "Documentation and operator-facing string hygiene ahead of the 1.0 stability contract. The LTS support window is now stated as 24 months everywhere (GOVERNANCE.md and the LTS calendar previously disagreed — 24 vs 18). The LTS calendar gains an explicit clause that primitives marked experimental are exempt from the stability/LTS contract, so operators can tell at a glance which surfaces may change between minors. Several error messages and doc blocks that pinned to long-past version numbers (\"lands in v0.10.9\", \"not supported in v0.12.7\", \"ships in v0.6.45+\") are restated version-agnostically with their escape hatch, and the S/MIME module now points operators at the live PGP encrypt/decrypt path for confidentiality today. No API or behavior changes.",
|
|
7
|
+
"sections": [
|
|
8
|
+
{
|
|
9
|
+
"heading": "Changed",
|
|
10
|
+
"items": [
|
|
11
|
+
{
|
|
12
|
+
"title": "LTS support window is consistently 24 months",
|
|
13
|
+
"body": "`GOVERNANCE.md` promised a 24-month LTS window while `LTS-CALENDAR.md` and `SECURITY.md` stated 18 — a six-month contradiction in the single most load-bearing number of the support contract. All three now state 24 months of security-only patches per major. The calendar table and the supported-versions prose are aligned."
|
|
14
|
+
},
|
|
15
|
+
{
|
|
16
|
+
"title": "Experimental primitives are declared exempt from the stability contract",
|
|
17
|
+
"body": "`LTS-CALENDAR.md` now states explicitly that primitives documented as experimental (shown as \"experimental\" on their wiki page, and via the `experimental` segment in namespaces like `b.jose.jwe.experimental`) are not covered by the stability contract or the LTS window — they may change signature, behavior, or wire format, or be removed, in any minor without a deprecation cycle. This lets the framework ship primitives that track in-flight standards without freezing an unsettled format, and tells operators precisely which surfaces are not yet frozen."
|
|
18
|
+
}
|
|
19
|
+
]
|
|
20
|
+
},
|
|
21
|
+
{
|
|
22
|
+
"heading": "Fixed",
|
|
23
|
+
"items": [
|
|
24
|
+
{
|
|
25
|
+
"title": "Stale version references removed from operator-facing errors and docs",
|
|
26
|
+
"body": "Error messages and documentation that pinned to long-past versions are restated version-agnostically with the relevant escape hatch: ZIP64 and unsupported-compression errors in archive reading, the CMS AuthEnvelopedData / fielded-decoder notes, the mTLS CRL-engine error, the safe-archive format-detection summary (which also now correctly lists the supported zip / tar / tar.gz set rather than claiming only zip), and the AI-content IPTC-reader note. None changed behavior; they no longer read as broken promises against the published version history."
|
|
27
|
+
},
|
|
28
|
+
{
|
|
29
|
+
"title": "S/MIME confidentiality deferral points to the working PGP path",
|
|
30
|
+
"body": "`b.mail.crypto.smime` ships sign + verify; encrypt/decrypt is deferred. The deferral note previously cited an open-ended internal condition; it now names the escape hatch directly — use `b.mail.crypto.pgp.encrypt` / `decrypt` for mail confidentiality today — and states the concrete trigger that would re-open S/MIME-specific (X.509-recipient) encryption."
|
|
31
|
+
},
|
|
32
|
+
{
|
|
33
|
+
"title": "Governance doc no longer references an internal file operators cannot see",
|
|
34
|
+
"body": "`GOVERNANCE.md` cited a rule number in a contributor-only file that does not ship in the repository. The deprecation-policy statement is now self-contained."
|
|
35
|
+
}
|
|
36
|
+
]
|
|
37
|
+
}
|
|
38
|
+
]
|
|
39
|
+
}
|
|
@@ -0,0 +1,31 @@
|
|
|
1
|
+
{
|
|
2
|
+
"$schema": "../scripts/release-notes-schema.json",
|
|
3
|
+
"version": "0.13.44",
|
|
4
|
+
"date": "2026-05-29",
|
|
5
|
+
"headline": "Error codes on the consent, compliance, and protocol namespaces now follow the namespace/kebab-case contract",
|
|
6
|
+
"summary": "The framework's error contract is `err.code = \"namespace/kebab-case\"`, and the vast majority of namespaces already followed it. This release normalizes the holdouts: fifteen namespaces that threw bare UPPER_SNAKE codes with no namespace, and nine that used a camelCase namespace prefix. After this release every error these namespaces throw carries a `namespace/kebab-case` code, so an operator switching on `err.code` no longer has to special-case them. This is a breaking change for code that matches the old strings — pre-1.0, there is no compatibility shim, so update any `err.code` comparisons against the listed namespaces. A codebase check now enforces the convention so it cannot regress. A small set of older codes (the cluster, scheduler, circuit-breaker, object-store, and upload subsystems) is intentionally left for the 1.0 release, where it will carry a deprecation cycle.",
|
|
7
|
+
"sections": [
|
|
8
|
+
{
|
|
9
|
+
"heading": "Changed",
|
|
10
|
+
"items": [
|
|
11
|
+
{
|
|
12
|
+
"title": "Bare UPPER_SNAKE error codes are now namespaced (breaking)",
|
|
13
|
+
"body": "Fifteen namespaces threw bare UPPER_SNAKE error codes with no namespace prefix (for example `mcp` threw `BAD_JSON`, `BAD_ENVELOPE`, `BAD_METHOD`). Their `err.code` values are now `namespace/kebab-case` — `mcp/bad-json`, `mcp/bad-envelope`, and so on. The affected namespaces are `b.a2a`, `b.aiInput`, `b.aiPref`, `b.budr`, `b.contentCredentials`, `b.darkPatterns`, `b.fapi2`, `b.fdx`, `b.graphqlFederation`, `b.iabTcf`, `b.iabMspa`, `b.mcp`, `b.secCyber`, `b.sse`, and `b.tcpa10dlc`. Operators matching the old bare codes on `err.code` must update those comparisons; the error message text is unchanged."
|
|
14
|
+
},
|
|
15
|
+
{
|
|
16
|
+
"title": "camelCase error-code namespaces are now kebab-case (breaking)",
|
|
17
|
+
"body": "Nine namespaces emitted error codes whose namespace segment was camelCase (for example `aiDp/bad-bound`, `argParser/flag-duplicate`). The namespace segment is now kebab-case to match every other code: `ai-dp/`, `ai-capability/`, `ai-quota/`, `arg-parser/`, `audit-sign/`, `auth-step-up/`, `ddl-change-control/`, `dr-runbook/`, `tenant-quota/`, and `boot-gates/`. The `b.*` API namespace keys themselves are unchanged (those remain camelCase, e.g. `b.argParser`); only the `err.code` string changed. Operators matching these `err.code` strings must update them."
|
|
18
|
+
}
|
|
19
|
+
]
|
|
20
|
+
},
|
|
21
|
+
{
|
|
22
|
+
"heading": "Detectors",
|
|
23
|
+
"items": [
|
|
24
|
+
{
|
|
25
|
+
"title": "Error-code shape is enforced",
|
|
26
|
+
"body": "A codebase check now flags any error code constructed via `new XError(...)` or the per-class `factory(...)` whose value is a bare UPPER_SNAKE string or carries a camelCase namespace segment, so the `namespace/kebab-case` contract cannot silently regress. It correctly ignores native error constructors (whose first argument is the message, not a code)."
|
|
27
|
+
}
|
|
28
|
+
]
|
|
29
|
+
}
|
|
30
|
+
]
|
|
31
|
+
}
|
|
@@ -53,7 +53,7 @@ async function run() {
|
|
|
53
53
|
// Bad shape
|
|
54
54
|
var threw = null;
|
|
55
55
|
try { b.a2a.createCard({ issuer: "x" }); } catch (e) { threw = e; }
|
|
56
|
-
check("createCard refuses incomplete card", threw && threw.code === "
|
|
56
|
+
check("createCard refuses incomplete card", threw && threw.code === "a2a/missing-field");
|
|
57
57
|
}
|
|
58
58
|
|
|
59
59
|
module.exports = { run: run };
|