@blamejs/blamejs-shop 0.2.24 → 0.2.25

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (63) hide show
  1. package/CHANGELOG.md +2 -0
  2. package/lib/admin.js +42 -9
  3. package/lib/asset-manifest.json +1 -1
  4. package/lib/storefront.js +98 -21
  5. package/lib/vendor/MANIFEST.json +2 -2
  6. package/lib/vendor/blamejs/CHANGELOG.md +2 -0
  7. package/lib/vendor/blamejs/api-snapshot.json +2 -2
  8. package/lib/vendor/blamejs/lib/a2a.js +11 -11
  9. package/lib/vendor/blamejs/lib/agent-snapshot.js +1 -1
  10. package/lib/vendor/blamejs/lib/ai-capability.js +20 -20
  11. package/lib/vendor/blamejs/lib/ai-dp.js +17 -17
  12. package/lib/vendor/blamejs/lib/ai-input.js +3 -3
  13. package/lib/vendor/blamejs/lib/ai-pref.js +9 -9
  14. package/lib/vendor/blamejs/lib/ai-quota.js +17 -17
  15. package/lib/vendor/blamejs/lib/arg-parser.js +38 -38
  16. package/lib/vendor/blamejs/lib/audit-sign.js +4 -4
  17. package/lib/vendor/blamejs/lib/auth/acr-vocabulary.js +4 -4
  18. package/lib/vendor/blamejs/lib/auth/auth-time-tracker.js +1 -1
  19. package/lib/vendor/blamejs/lib/auth/elevation-grant.js +10 -10
  20. package/lib/vendor/blamejs/lib/auth/step-up-policy.js +12 -12
  21. package/lib/vendor/blamejs/lib/auth/step-up.js +15 -15
  22. package/lib/vendor/blamejs/lib/boot-gates.js +6 -6
  23. package/lib/vendor/blamejs/lib/budr.js +6 -6
  24. package/lib/vendor/blamejs/lib/content-credentials.js +13 -13
  25. package/lib/vendor/blamejs/lib/dark-patterns.js +15 -15
  26. package/lib/vendor/blamejs/lib/ddl-change-control.js +37 -37
  27. package/lib/vendor/blamejs/lib/dr-runbook.js +7 -7
  28. package/lib/vendor/blamejs/lib/fapi2.js +9 -9
  29. package/lib/vendor/blamejs/lib/fdx.js +7 -7
  30. package/lib/vendor/blamejs/lib/graphql-federation.js +2 -2
  31. package/lib/vendor/blamejs/lib/iab-mspa.js +5 -5
  32. package/lib/vendor/blamejs/lib/iab-tcf.js +18 -18
  33. package/lib/vendor/blamejs/lib/mcp.js +13 -13
  34. package/lib/vendor/blamejs/lib/middleware/require-step-up.js +3 -3
  35. package/lib/vendor/blamejs/lib/sec-cyber.js +3 -3
  36. package/lib/vendor/blamejs/lib/sse.js +14 -14
  37. package/lib/vendor/blamejs/lib/tcpa-10dlc.js +5 -5
  38. package/lib/vendor/blamejs/lib/tenant-quota.js +18 -18
  39. package/lib/vendor/blamejs/package.json +1 -1
  40. package/lib/vendor/blamejs/release-notes/v0.13.44.json +31 -0
  41. package/lib/vendor/blamejs/test/layer-0-primitives/a2a.test.js +1 -1
  42. package/lib/vendor/blamejs/test/layer-0-primitives/ai-capability.test.js +15 -15
  43. package/lib/vendor/blamejs/test/layer-0-primitives/ai-dp.test.js +16 -16
  44. package/lib/vendor/blamejs/test/layer-0-primitives/ai-input.test.js +2 -2
  45. package/lib/vendor/blamejs/test/layer-0-primitives/ai-pref.test.js +2 -2
  46. package/lib/vendor/blamejs/test/layer-0-primitives/ai-quota.test.js +19 -19
  47. package/lib/vendor/blamejs/test/layer-0-primitives/audit-sign-ml-dsa-65.test.js +1 -1
  48. package/lib/vendor/blamejs/test/layer-0-primitives/boot-gates.test.js +1 -1
  49. package/lib/vendor/blamejs/test/layer-0-primitives/budr.test.js +3 -3
  50. package/lib/vendor/blamejs/test/layer-0-primitives/codebase-patterns.test.js +52 -0
  51. package/lib/vendor/blamejs/test/layer-0-primitives/content-credentials.test.js +3 -3
  52. package/lib/vendor/blamejs/test/layer-0-primitives/dark-patterns.test.js +2 -2
  53. package/lib/vendor/blamejs/test/layer-0-primitives/dr-runbook.test.js +1 -1
  54. package/lib/vendor/blamejs/test/layer-0-primitives/fapi2.test.js +6 -6
  55. package/lib/vendor/blamejs/test/layer-0-primitives/fdx.test.js +2 -2
  56. package/lib/vendor/blamejs/test/layer-0-primitives/graphql-federation.test.js +1 -1
  57. package/lib/vendor/blamejs/test/layer-0-primitives/iab-mspa.test.js +3 -3
  58. package/lib/vendor/blamejs/test/layer-0-primitives/iab-tcf.test.js +7 -7
  59. package/lib/vendor/blamejs/test/layer-0-primitives/mcp.test.js +5 -5
  60. package/lib/vendor/blamejs/test/layer-0-primitives/sse.test.js +1 -1
  61. package/lib/vendor/blamejs/test/layer-0-primitives/tcpa-10dlc.test.js +3 -3
  62. package/lib/vendor/blamejs/test/layer-0-primitives/tenant-quota.test.js +3 -3
  63. package/package.json +1 -1
@@ -68,9 +68,9 @@ async function run() {
68
68
  try { fn(); } catch (e) { threw = e; }
69
69
  check(label, threw && threw.code === code);
70
70
  }
71
- rejects("refuses bad train", function () { b.aiPref.serializeHeader({ train: "maybe" }); }, "BAD_TRAIN");
71
+ rejects("refuses bad train", function () { b.aiPref.serializeHeader({ train: "maybe" }); }, "ai-pref/bad-train");
72
72
  rejects("refuses paid without price",
73
- function () { b.aiPref.serializeHeader({ train: "paid", infer: "allow", snippet: "allow" }); }, "BAD_PRICE");
73
+ function () { b.aiPref.serializeHeader({ train: "paid", infer: "allow", snippet: "allow" }); }, "ai-pref/bad-price");
74
74
  }
75
75
 
76
76
  module.exports = { run: run };
@@ -34,7 +34,7 @@ async function testHardConditionalReserve() {
34
34
  check("hard: at-limit charge allowed", q.check("t", "m").used === 3);
35
35
  var refused = null;
36
36
  try { q.consume("t", "m", 1); } catch (e) { refused = e; }
37
- check("hard: over-limit consume throws", refused && refused.code === "aiQuota/exceeded");
37
+ check("hard: over-limit consume throws", refused && refused.code === "ai-quota/exceeded");
38
38
  check("hard: rejected consume never charges (counter unchanged)", q.check("t", "m").used === 3);
39
39
  }
40
40
 
@@ -48,7 +48,7 @@ async function testHardReserveNoTransientOvercount() {
48
48
  q.consume("t", "m", 8);
49
49
  var refused = null;
50
50
  try { q.consume("t", "m", 3); } catch (e) { refused = e; } // 8+3=11 > 10 → refused
51
- check("reserve: over-budget call refused", refused && refused.code === "aiQuota/exceeded");
51
+ check("reserve: over-budget call refused", refused && refused.code === "ai-quota/exceeded");
52
52
  check("reserve: refused call left counter at 8 (no transient charge)", q.check("t", "m").used === 8);
53
53
  var fits = q.consume("t", "m", 1); // 8+1=9 ≤ 10 → allowed
54
54
  check("reserve: smaller call that fits is not falsely denied", fits.allowed === true && fits.used === 9);
@@ -78,7 +78,7 @@ async function testPerCallEnforcementOverride() {
78
78
  check("override: result reports the effective (overridden) enforcement", over.enforcement === "warn");
79
79
  var bad = null;
80
80
  try { q.consume("t", "m", 1, { enforcement: "nope" }); } catch (e) { bad = e; }
81
- check("override: bad per-call enforcement refused", bad && bad.code === "aiQuota/bad-enforcement");
81
+ check("override: bad per-call enforcement refused", bad && bad.code === "ai-quota/bad-enforcement");
82
82
  }
83
83
 
84
84
  async function testLimitResolutionMostSpecificWins() {
@@ -101,7 +101,7 @@ async function testFloatCostDimension() {
101
101
  q.consume("t", "m", 0.4);
102
102
  var refused = null;
103
103
  try { q.consume("t", "m", 0.4); } catch (e) { refused = e; }
104
- check("cost-usd: fractional overage refused under hard", refused && refused.code === "aiQuota/exceeded");
104
+ check("cost-usd: fractional overage refused under hard", refused && refused.code === "ai-quota/exceeded");
105
105
  check("cost-usd: refund keeps fractional total", Math.abs(q.check("t", "m").used - 0.8) < 1e-9);
106
106
  }
107
107
 
@@ -141,7 +141,7 @@ async function testSharedStoreAggregatesAcrossEnforcers() {
141
141
  check("shared-store: node B sees node A's charges", bView.used === 9);
142
142
  var refused = null;
143
143
  try { nodeB.consume("t", "m", 2); } catch (e) { refused = e; }
144
- check("shared-store: aggregate ceiling enforced across nodes", refused && refused.code === "aiQuota/exceeded");
144
+ check("shared-store: aggregate ceiling enforced across nodes", refused && refused.code === "ai-quota/exceeded");
145
145
  }
146
146
 
147
147
  async function testResetSemantics() {
@@ -163,19 +163,19 @@ async function testResetTenantWideUnsupportedWithExternalStore() {
163
163
  var q = b.ai.quota.create({ dimension: "requests", period: "hour", limit: 5, store: store, audit: false });
164
164
  var refused = null;
165
165
  try { q.reset("t"); } catch (e) { refused = e; }
166
- check("reset: tenant-wide without model refused on external store", refused && refused.code === "aiQuota/reset-unsupported");
166
+ check("reset: tenant-wide without model refused on external store", refused && refused.code === "ai-quota/reset-unsupported");
167
167
  }
168
168
 
169
169
  async function testConfigValidation() {
170
170
  var cases = [
171
- [{ dimension: "bogus", period: "hour", limit: 1 }, "aiQuota/bad-dimension"],
172
- [{ dimension: "tokens", period: "fortnight", limit: 1 }, "aiQuota/bad-period"],
173
- [{ dimension: "tokens", period: "hour", limit: 0 }, "aiQuota/bad-limit"],
174
- [{ dimension: "tokens", period: "hour", limit: -1 }, "aiQuota/bad-limit"],
175
- [{ dimension: "tokens", period: "hour", limit: 1, enforcement: "nope" }, "aiQuota/bad-enforcement"],
176
- [{ dimension: "tokens", period: "hour", limit: 1, perTenant: { x: -3 } }, "aiQuota/bad-override"],
177
- [{ dimension: "tokens", period: "hour", limit: 1, perModel: [] }, "aiQuota/bad-override"],
178
- [{ dimension: "tokens", period: "hour", limit: 1, store: { reserve: function () {} } }, "aiQuota/bad-store"],
171
+ [{ dimension: "bogus", period: "hour", limit: 1 }, "ai-quota/bad-dimension"],
172
+ [{ dimension: "tokens", period: "fortnight", limit: 1 }, "ai-quota/bad-period"],
173
+ [{ dimension: "tokens", period: "hour", limit: 0 }, "ai-quota/bad-limit"],
174
+ [{ dimension: "tokens", period: "hour", limit: -1 }, "ai-quota/bad-limit"],
175
+ [{ dimension: "tokens", period: "hour", limit: 1, enforcement: "nope" }, "ai-quota/bad-enforcement"],
176
+ [{ dimension: "tokens", period: "hour", limit: 1, perTenant: { x: -3 } }, "ai-quota/bad-override"],
177
+ [{ dimension: "tokens", period: "hour", limit: 1, perModel: [] }, "ai-quota/bad-override"],
178
+ [{ dimension: "tokens", period: "hour", limit: 1, store: { reserve: function () {} } }, "ai-quota/bad-store"],
179
179
  ];
180
180
  var allCorrect = true;
181
181
  for (var i = 0; i < cases.length; i++) {
@@ -196,11 +196,11 @@ async function testConfigValidation() {
196
196
  async function testConsumeArgValidation() {
197
197
  var q = _q();
198
198
  var bads = [
199
- [function () { q.consume("", "m", 1); }, "aiQuota/bad-tenant"],
200
- [function () { q.consume("t", "", 1); }, "aiQuota/bad-model"],
201
- [function () { q.consume("t", "m", -1); }, "aiQuota/bad-amount"],
202
- [function () { q.consume("t", "m", NaN); }, "aiQuota/bad-amount"],
203
- [function () { q.consume("t", "m", Infinity); }, "aiQuota/bad-amount"],
199
+ [function () { q.consume("", "m", 1); }, "ai-quota/bad-tenant"],
200
+ [function () { q.consume("t", "", 1); }, "ai-quota/bad-model"],
201
+ [function () { q.consume("t", "m", -1); }, "ai-quota/bad-amount"],
202
+ [function () { q.consume("t", "m", NaN); }, "ai-quota/bad-amount"],
203
+ [function () { q.consume("t", "m", Infinity); }, "ai-quota/bad-amount"],
204
204
  ];
205
205
  var ok = true;
206
206
  for (var i = 0; i < bads.length; i++) {
@@ -72,7 +72,7 @@ async function testAuditSignBadAlg() {
72
72
  });
73
73
  } catch (e) { threw = e; }
74
74
  check("audit-sign refuses non-PQC algorithm",
75
- threw && threw.code === "auditSign/bad-algorithm");
75
+ threw && threw.code === "audit-sign/bad-algorithm");
76
76
  } finally {
77
77
  b.auditSign._resetForTest();
78
78
  fs.rmSync(tmp, { recursive: true, force: true });
@@ -54,7 +54,7 @@ async function testNoExitHandlerThrows() {
54
54
  ], { log: function () {} });
55
55
  } catch (e) {
56
56
  threw = true;
57
- check("error code is no-exit-wired", e.code === "bootgates/no-exit-wired");
57
+ check("error code is no-exit-wired", e.code === "boot-gates/no-exit-wired");
58
58
  }
59
59
  check("missing opts.exit throws", threw);
60
60
  }
@@ -37,19 +37,19 @@ async function run() {
37
37
  var threw = null;
38
38
  try { b.budr.declare({ service: "", rtoMs: 1, rpoMs: 1 }); }
39
39
  catch (e) { threw = e; }
40
- check("declare refuses empty service", threw && threw.code === "BAD_SERVICE");
40
+ check("declare refuses empty service", threw && threw.code === "budr/bad-service");
41
41
 
42
42
  // Missing rtoMs
43
43
  threw = null;
44
44
  try { b.budr.declare({ service: "x", rpoMs: 1 }); }
45
45
  catch (e) { threw = e; }
46
- check("declare refuses missing rtoMs", threw && threw.code === "BAD_TARGETS");
46
+ check("declare refuses missing rtoMs", threw && threw.code === "budr/bad-targets");
47
47
 
48
48
  // Bad tier
49
49
  threw = null;
50
50
  try { b.budr.declare({ service: "x", rtoMs: 1, rpoMs: 1, tier: "platinum-99" }); }
51
51
  catch (e) { threw = e; }
52
- check("declare refuses bad tier", threw && threw.code === "BAD_TIER");
52
+ check("declare refuses bad tier", threw && threw.code === "budr/bad-tier");
53
53
  }
54
54
 
55
55
  module.exports = { run: run };
@@ -9796,6 +9796,57 @@ function testWikiPortAgreesAcrossArtifacts() {
9796
9796
  bad);
9797
9797
  }
9798
9798
 
9799
+ // v1 — error codes are the operator-grep contract and must be
9800
+ // `namespace/kebab-case`. The first string argument to `new XError(...)`
9801
+ // and `XError.factory(...)` IS the code (defineClass constructor signature
9802
+ // is (code, message, ...)). Two anti-patterns this locks out, both swept
9803
+ // for v1: a bare UPPER_SNAKE code with no namespace (`"BAD_JSON"`), and a
9804
+ // camelCase namespace segment (`"aiDp/..."`). Codes built through a
9805
+ // `var _err = XError.factory` alias in not-yet-swept modules use the bare
9806
+ // `_err("X")` call shape (no literal `.factory(` / `new XError(` at the
9807
+ // site), so they are not matched here — they land in the v1.0 namespaced-
9808
+ // error sweep. Node-native codes (ETIMEDOUT / ENOENT / ABORT) are set by
9809
+ // assignment, not constructed via these literals, so they are untouched.
9810
+ function testErrorCodesNamespacedKebab() {
9811
+ // Native error constructors (TypeError, RangeError, ...) take the MESSAGE
9812
+ // first, not a code — only framework defineClass errors are (code, msg).
9813
+ var NATIVE = { Error: 1, TypeError: 1, RangeError: 1, SyntaxError: 1,
9814
+ ReferenceError: 1, EvalError: 1, URIError: 1, AggregateError: 1, InternalError: 1 };
9815
+ var bad = [];
9816
+ var files = _libFiles();
9817
+ var re = /(?:new\s+(\w+Error)\(|(\w+)\.factory\()\s*"([^"]+)"/g;
9818
+ for (var fi = 0; fi < files.length; fi += 1) {
9819
+ var rel = _relPath(files[fi]);
9820
+ if (rel === "lib/framework-error.js") continue; // the definition site
9821
+ var content;
9822
+ try { content = fs.readFileSync(files[fi], "utf8"); }
9823
+ catch (_e) { continue; }
9824
+ var lines = content.split(/\r?\n/);
9825
+ for (var li = 0; li < lines.length; li += 1) {
9826
+ var line = lines[li];
9827
+ if (/^\s*(\/\/|\*|\/\*)/.test(line)) continue; // skip comment lines
9828
+ var m;
9829
+ re.lastIndex = 0;
9830
+ while ((m = re.exec(line)) !== null) {
9831
+ var ctor = m[1]; // class name for the `new XError(` form
9832
+ if (ctor && NATIVE[ctor]) continue; // native error — first arg is the message
9833
+ var code = m[3];
9834
+ var slash = code.indexOf("/");
9835
+ if (/^[A-Z][A-Z0-9_]*$/.test(code)) {
9836
+ bad.push({ file: rel, line: li + 1,
9837
+ content: "error code \"" + code + "\" is bare UPPER_SNAKE — use namespace/kebab-case (e.g. \"" +
9838
+ rel.replace(/^lib\//, "").replace(/\.js$/, "") + "/" + code.toLowerCase().replace(/_/g, "-") + "\")" });
9839
+ } else if (slash > 0 && /[a-z0-9][A-Z]/.test(code.slice(0, slash))) {
9840
+ bad.push({ file: rel, line: li + 1,
9841
+ content: "error code \"" + code + "\" has a camelCase namespace segment — use a kebab-case namespace" });
9842
+ }
9843
+ }
9844
+ }
9845
+ }
9846
+ bad = _filterMarkers(bad, "error-code-namespace-kebab");
9847
+ _report("error codes are namespace/kebab-case (v1 — no bare UPPER_SNAKE or camelCase-namespace codes via new XError / factory)", bad);
9848
+ }
9849
+
9799
9850
  // v0.13.34 — the wiki compose stop_grace_period MUST exceed the app
9800
9851
  // shutdown orchestrator's total grace budget (graceMs) plus the forced-
9801
9852
  // exit watchdog margin. Otherwise `docker stop` / a rolling redeploy
@@ -10463,6 +10514,7 @@ async function run() {
10463
10514
  testWikiPortAgreesAcrossArtifacts();
10464
10515
  testWikiStopGraceExceedsShutdownBudget();
10465
10516
  testOrchestratorRegistryReadsTenantScoped();
10517
+ testErrorCodesNamespacedKebab();
10466
10518
  // v0.13.19 CI hang backstop: every workflow job that runs the test
10467
10519
  // suite must declare timeout-minutes so a hung child can't ride
10468
10520
  // GitHub's 6-hour default.
@@ -55,14 +55,14 @@ async function run() {
55
55
  provider: "x", system: "x", systemVersion: "not.semver",
56
56
  contentId: "y",
57
57
  }); } catch (e) { threw = e; }
58
- check("refuses bad systemVersion", threw && threw.code === "BAD_VERSION");
58
+ check("refuses bad systemVersion", threw && threw.code === "content-credentials/bad-version");
59
59
 
60
60
  threw = null;
61
61
  try { b.contentCredentials.build({
62
62
  provider: "x", system: "x", systemVersion: "1.0.0",
63
63
  contentId: "y", contentType: "not-a-mime",
64
64
  }); } catch (e) { threw = e; }
65
- check("refuses bad contentType", threw && threw.code === "BAD_CONTENT_TYPE");
65
+ check("refuses bad contentType", threw && threw.code === "content-credentials/bad-content-type");
66
66
 
67
67
  // ---- v0.8.77: COSE_Sign1 interop ----
68
68
  check("COSE_ALGS table exported", typeof b.contentCredentials.COSE_ALGS === "object");
@@ -88,7 +88,7 @@ async function run() {
88
88
  threw = null;
89
89
  try { b.contentCredentials.signCose(manifest2, { privateKeyPem: pair.privateKey, alg: "unknown" }); }
90
90
  catch (e) { threw = e; }
91
- check("signCose: unknown alg refused", threw && threw.code === "BAD_ALG");
91
+ check("signCose: unknown alg refused", threw && threw.code === "content-credentials/bad-alg");
92
92
  }
93
93
 
94
94
  module.exports = { run: run };
@@ -54,13 +54,13 @@ async function run() {
54
54
  var threw = null;
55
55
  try { b.darkPatterns.recordSignupFlow({ channel: "fax", clickCount: 1, cta: {}, confirmations: 0, resourceId: "x" }); }
56
56
  catch (e) { threw = e; }
57
- check("recordSignupFlow refuses bad channel", threw && threw.code === "BAD_CHANNEL");
57
+ check("recordSignupFlow refuses bad channel", threw && threw.code === "dark-patterns/bad-channel");
58
58
 
59
59
  // Resource ID mismatch
60
60
  threw = null;
61
61
  try { b.darkPatterns.assertParity(s, { kind: "cancel", resourceId: "different" }); }
62
62
  catch (e) { threw = e; }
63
- check("assertParity refuses resource mismatch", threw && threw.code === "RESOURCE_MISMATCH");
63
+ check("assertParity refuses resource mismatch", threw && threw.code === "dark-patterns/resource-mismatch");
64
64
  }
65
65
 
66
66
  module.exports = { run: run };
@@ -53,7 +53,7 @@ async function run() {
53
53
  });
54
54
  } catch (e) { threwBadPosture = e; }
55
55
  check("emit refuses unknown posture",
56
- threwBadPosture && threwBadPosture.code === "drRunbook/unknown-posture");
56
+ threwBadPosture && threwBadPosture.code === "dr-runbook/unknown-posture");
57
57
  }
58
58
 
59
59
  module.exports = { run: run };
@@ -32,19 +32,19 @@ async function run() {
32
32
  check(label, threw && threw.code === code);
33
33
  }
34
34
  rejects("refuses bad sender-constraint",
35
- function () { b.fapi2.assertConformance({ senderConstraint: "none" }); }, "BAD_SENDER_CONSTRAINT");
35
+ function () { b.fapi2.assertConformance({ senderConstraint: "none" }); }, "fapi2/bad-sender-constraint");
36
36
  rejects("refuses non-S256 PKCE",
37
- function () { b.fapi2.assertConformance({ senderConstraint: "dpop", pkceMethod: "plain" }); }, "BAD_PKCE");
37
+ function () { b.fapi2.assertConformance({ senderConstraint: "dpop", pkceMethod: "plain" }); }, "fapi2/bad-pkce");
38
38
 
39
39
  // assertOAuthConfig
40
40
  rejects("oauth: refuses pkce: false",
41
- function () { b.fapi2.assertOAuthConfig({ pkce: false, dpop: true, par: true }); }, "PKCE_DISABLED");
41
+ function () { b.fapi2.assertOAuthConfig({ pkce: false, dpop: true, par: true }); }, "fapi2/pkce-disabled");
42
42
  rejects("oauth: refuses no sender-constraint",
43
- function () { b.fapi2.assertOAuthConfig({ pkce: true, par: true }); }, "NO_SENDER_CONSTRAINT");
43
+ function () { b.fapi2.assertOAuthConfig({ pkce: true, par: true }); }, "fapi2/no-sender-constraint");
44
44
  rejects("oauth: refuses both sender-constraints",
45
- function () { b.fapi2.assertOAuthConfig({ pkce: true, dpop: true, mtls: true, par: true }); }, "BOTH_SENDER_CONSTRAINTS");
45
+ function () { b.fapi2.assertOAuthConfig({ pkce: true, dpop: true, mtls: true, par: true }); }, "fapi2/both-sender-constraints");
46
46
  rejects("oauth: refuses par: false",
47
- function () { b.fapi2.assertOAuthConfig({ pkce: true, dpop: true, par: false }); }, "PAR_DISABLED");
47
+ function () { b.fapi2.assertOAuthConfig({ pkce: true, dpop: true, par: false }); }, "fapi2/par-disabled");
48
48
 
49
49
  // Clean call
50
50
  b.fapi2.assertOAuthConfig({ pkce: true, dpop: true, par: true });
@@ -64,12 +64,12 @@ async function run() {
64
64
  }
65
65
  rejects("bind refuses empty resources",
66
66
  function () { b.fdx.bind({ authServer: { issuer: "x", jwksUri: "y" }, resources: [] }); },
67
- "BAD_RESOURCES");
67
+ "fdx/bad-resources");
68
68
  rejects("bind refuses unknown resource",
69
69
  function () { b.fdx.bind({
70
70
  authServer: { issuer: "x", jwksUri: "y", fapi2: { pkce: true, dpop: true, par: true } },
71
71
  resources: ["bogus"],
72
- }); }, "UNKNOWN_RESOURCE");
72
+ }); }, "fdx/unknown-resource");
73
73
  rejects("consent receipt refuses missing thirdParty",
74
74
  function () { b.fdx.consentReceipt({
75
75
  dataProvider: "x", consumerRef: "y", scopes: ["a"], revocationUrl: "z",
@@ -20,7 +20,7 @@ async function run() {
20
20
  // ---- guardSdl opts validation ----
21
21
  var threw = null;
22
22
  try { b.graphqlFederation.guardSdl({}); } catch (e) { threw = e; }
23
- check("guardSdl: requires routerToken", threw && threw.code === "BAD_OPTS");
23
+ check("guardSdl: requires routerToken", threw && threw.code === "graphql-federation/bad-opts");
24
24
 
25
25
  var ok = b.graphqlFederation.guardSdl({ routerToken: "a".repeat(64) });
26
26
  check("guardSdl: returns middleware", typeof ok === "function");
@@ -46,7 +46,7 @@ async function run() {
46
46
  var threw = null;
47
47
  try { b.iabMspa.refuseProcessing(withDecode, { dataUse: "sale" }); }
48
48
  catch (e) { threw = e; }
49
- check("refuseProcessing throws on opt-out", threw && threw.code === "OPT_OUT_HONORED");
49
+ check("refuseProcessing throws on opt-out", threw && threw.code === "iab-mspa/opt-out-honored");
50
50
 
51
51
  // Validation
52
52
  function rejects(label, fn, code) {
@@ -55,9 +55,9 @@ async function run() {
55
55
  check(label, t && t.code === code);
56
56
  }
57
57
  rejects("parseGpp refuses non-string",
58
- function () { b.iabMspa.parseGpp(null); }, "BAD_INPUT");
58
+ function () { b.iabMspa.parseGpp(null); }, "iab-mspa/bad-input");
59
59
  rejects("checkOptOut refuses bad dataUse",
60
- function () { b.iabMspa.checkOptOut(parsed, { dataUse: "marketing" }); }, "BAD_DATA_USE");
60
+ function () { b.iabMspa.checkOptOut(parsed, { dataUse: "marketing" }); }, "iab-mspa/bad-data-use");
61
61
  }
62
62
 
63
63
  module.exports = { run: run };
@@ -20,15 +20,15 @@ async function run() {
20
20
  try { fn(); } catch (e) { threw = e; }
21
21
  check(label, threw && threw.code === code);
22
22
  }
23
- rejects("refuses non-string", function () { b.iabTcf.parseString(null); }, "BAD_INPUT");
24
- rejects("refuses empty string", function () { b.iabTcf.parseString(""); }, "BAD_INPUT");
23
+ rejects("refuses non-string", function () { b.iabTcf.parseString(null); }, "iab-tcf/bad-input");
24
+ rejects("refuses empty string", function () { b.iabTcf.parseString(""); }, "iab-tcf/bad-input");
25
25
  // Garbage-input rejection — could be BAD_BASE64 (decode failure) or
26
26
  // BAD_LENGTH (decoded buffer too short for the core's bit reads).
27
27
  // Both surface from the core parse and are equivalent operator
28
28
  // signals.
29
29
  var threw = null;
30
30
  try { b.iabTcf.parseString("not-base64-!"); } catch (e) { threw = e; }
31
- check("refuses garbage core", threw && (threw.code === "BAD_BASE64" || threw.code === "BAD_LENGTH"));
31
+ check("refuses garbage core", threw && (threw.code === "iab-tcf/bad-base64" || threw.code === "iab-tcf/bad-length"));
32
32
 
33
33
  // Construct a minimal TC string with v=2 (NOT v2.3) — should fail
34
34
  // requireV23Disclosed.
@@ -52,7 +52,7 @@ async function run() {
52
52
 
53
53
  var v22Core = _makeMinimalCore(2);
54
54
  rejects("requireV23 refuses v=2", function () { b.iabTcf.requireV23Disclosed(v22Core, { audit: false }); },
55
- "WRONG_CORE_VERSION");
55
+ "iab-tcf/wrong-core-version");
56
56
 
57
57
  // v=4 core but missing DisclosedVendors → MISSING_DISCLOSED_VENDORS
58
58
  var v23OnlyCore = _makeMinimalCore(4);
@@ -61,7 +61,7 @@ async function run() {
61
61
  // Test that v=4 + bad-policy raises WRONG_POLICY_VERSION instead.
62
62
  rejects("requireV23 refuses bad policy version",
63
63
  function () { b.iabTcf.requireV23Disclosed(v23OnlyCore, { audit: false }); },
64
- "WRONG_POLICY_VERSION");
64
+ "iab-tcf/wrong-policy-version");
65
65
 
66
66
  // checkVendor on a parsed object
67
67
  var parsed = b.iabTcf.parseString(v23OnlyCore);
@@ -125,9 +125,9 @@ async function run() {
125
125
  // NumPubRestrictions field) must NOT validate — the reader's bounds check
126
126
  // rejects it rather than treating the gap as "no restrictions".
127
127
  check("isValid false for a truncated core", b.iabTcf.isValid(SPEC_CORE.slice(0, -1)) === false);
128
- rejects("encode without core throws", function () { b.iabTcf.encode({}); }, "BAD_INPUT");
128
+ rejects("encode without core throws", function () { b.iabTcf.encode({}); }, "iab-tcf/bad-input");
129
129
  rejects("encode rejects a non-positive id",
130
- function () { b.iabTcf.encode({ core: { consentLanguage: "EN", publisherCC: "DE", vendorConsents: [0], vendorLIs: [] } }); }, "BAD_VALUE");
130
+ function () { b.iabTcf.encode({ core: { consentLanguage: "EN", publisherCC: "DE", vendorConsents: [0], vendorLIs: [] } }); }, "iab-tcf/bad-value");
131
131
  }
132
132
 
133
133
  module.exports = { run: run };
@@ -37,17 +37,17 @@ async function run() {
37
37
  try { fn(); } catch (e) { threw = e; }
38
38
  check("parseRequest: " + label, threw && threw.code === reCode);
39
39
  }
40
- rejects("bad json", function () { b.mcp.parseRequest("{"); }, "BAD_JSON");
41
- rejects("bad version", function () { b.mcp.parseRequest('{"jsonrpc":"1.0","method":"x","id":1}'); }, "BAD_VERSION");
42
- rejects("missing method", function () { b.mcp.parseRequest('{"jsonrpc":"2.0","id":1}'); }, "BAD_METHOD");
43
- rejects("bad id type", function () { b.mcp.parseRequest('{"jsonrpc":"2.0","method":"x","id":{}}'); }, "BAD_ID");
40
+ rejects("bad json", function () { b.mcp.parseRequest("{"); }, "mcp/bad-json");
41
+ rejects("bad version", function () { b.mcp.parseRequest('{"jsonrpc":"1.0","method":"x","id":1}'); }, "mcp/bad-version");
42
+ rejects("missing method", function () { b.mcp.parseRequest('{"jsonrpc":"2.0","id":1}'); }, "mcp/bad-method");
43
+ rejects("bad id type", function () { b.mcp.parseRequest('{"jsonrpc":"2.0","method":"x","id":{}}'); }, "mcp/bad-id");
44
44
 
45
45
  // ---- serverGuard surface ----
46
46
  var threwBadOpts = null;
47
47
  try { b.mcp.serverGuard({ requireBearer: true }); }
48
48
  catch (e) { threwBadOpts = e; }
49
49
  check("serverGuard: requires verifyBearer when bearer required",
50
- threwBadOpts && threwBadOpts.code === "BAD_OPTS");
50
+ threwBadOpts && threwBadOpts.code === "mcp/bad-opts");
51
51
 
52
52
  var guard = b.mcp.serverGuard({
53
53
  requireBearer: false,
@@ -57,7 +57,7 @@ async function run() {
57
57
  try { b.sse.serializeEvent({ event: "fake\nevent: hijack", data: "x" }); }
58
58
  catch (e) { lowThrew = e; }
59
59
  check("b.sse.serializeEvent refuses LF in event",
60
- lowThrew && lowThrew.code === "INJECTION");
60
+ lowThrew && lowThrew.code === "sse/injection");
61
61
 
62
62
  // ---- _formatEvent ----
63
63
  var fe = sseModule._formatEvent;
@@ -52,15 +52,15 @@ async function run() {
52
52
  phoneE164: "5551234567", brand: "Acme",
53
53
  disclosureText: "x", disclosurePartyKind: "first-party",
54
54
  formUrl: "https://x", audit: false,
55
- }); }, "BAD_PHONE");
55
+ }); }, "tcpa-10dlc/bad-phone");
56
56
  rejects("refuses bad disclosure-party-kind",
57
57
  function () { b.tcpa10dlc.recordConsent({
58
58
  phoneE164: "+15551111111", brand: "Acme",
59
59
  disclosureText: "x", disclosurePartyKind: "trusted-network",
60
60
  formUrl: "https://x", audit: false,
61
- }); }, "BAD_DISCLOSURE_PARTY");
61
+ }); }, "tcpa-10dlc/bad-disclosure-party");
62
62
  rejects("revoke unknown number",
63
- function () { b.tcpa10dlc.revoke("+19998887777"); }, "NO_RECORD");
63
+ function () { b.tcpa10dlc.revoke("+19998887777"); }, "tcpa-10dlc/no-record");
64
64
  }
65
65
 
66
66
  module.exports = { run: run };
@@ -35,7 +35,7 @@ async function run() {
35
35
  try { budget.observe("tenant-acme", { rowsRead: 200 }); }
36
36
  catch (e) { threwBudget = e; }
37
37
  check("observe throws when rowsRead exceeds cap",
38
- threwBudget && threwBudget.code === "tenantQuota/budget-exceeded");
38
+ threwBudget && threwBudget.code === "tenant-quota/budget-exceeded");
39
39
 
40
40
  budget.reset("tenant-acme");
41
41
  var snapReset = budget.snapshot("tenant-acme");
@@ -76,14 +76,14 @@ async function run() {
76
76
  });
77
77
  } catch (e) { threwBadDb = e; }
78
78
  check("create rejects non-b.db handle",
79
- threwBadDb && threwBadDb.code === "tenantQuota/bad-db");
79
+ threwBadDb && threwBadDb.code === "tenant-quota/bad-db");
80
80
 
81
81
  var threwBadField = null;
82
82
  try {
83
83
  b.tenantQuota.create({ db: b.db, tenantField: "", audit: false });
84
84
  } catch (e) { threwBadField = e; }
85
85
  check("create rejects empty tenantField",
86
- threwBadField && threwBadField.code === "tenantQuota/bad-field");
86
+ threwBadField && threwBadField.code === "tenant-quota/bad-field");
87
87
  }
88
88
 
89
89
  module.exports = { run: run };
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "@blamejs/blamejs-shop",
3
- "version": "0.2.24",
3
+ "version": "0.2.25",
4
4
  "description": "Open-source framework built on blamejs. Vendored stack, zero npm runtime deps, PQC-first crypto, security-on by default.",
5
5
  "main": "lib/index.js",
6
6
  "scripts": {