@blamejs/blamejs-shop 0.3.4 → 0.3.6
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/CHANGELOG.md +4 -0
- package/lib/admin.js +428 -6
- package/lib/asset-manifest.json +1 -1
- package/lib/vendor/MANIFEST.json +3 -3
- package/lib/vendor/blamejs/CHANGELOG.md +14 -0
- package/lib/vendor/blamejs/api-snapshot.json +2 -2
- package/lib/vendor/blamejs/lib/_test/crypto-fixtures.js +3 -3
- package/lib/vendor/blamejs/lib/a2a-tasks.js +24 -24
- package/lib/vendor/blamejs/lib/a2a.js +4 -4
- package/lib/vendor/blamejs/lib/acme.js +3 -3
- package/lib/vendor/blamejs/lib/agent-idempotency.js +1 -1
- package/lib/vendor/blamejs/lib/agent-orchestrator.js +8 -8
- package/lib/vendor/blamejs/lib/agent-posture-chain.js +2 -2
- package/lib/vendor/blamejs/lib/agent-saga.js +1 -1
- package/lib/vendor/blamejs/lib/agent-snapshot.js +1 -1
- package/lib/vendor/blamejs/lib/agent-stream.js +1 -1
- package/lib/vendor/blamejs/lib/agent-tenant.js +1 -1
- package/lib/vendor/blamejs/lib/agent-trace.js +3 -3
- package/lib/vendor/blamejs/lib/ai-capability.js +1 -1
- package/lib/vendor/blamejs/lib/ai-dp.js +4 -4
- package/lib/vendor/blamejs/lib/ai-input.js +4 -4
- package/lib/vendor/blamejs/lib/ai-model-manifest.js +7 -7
- package/lib/vendor/blamejs/lib/ai-pref.js +3 -3
- package/lib/vendor/blamejs/lib/archive-gz.js +2 -2
- package/lib/vendor/blamejs/lib/archive-read.js +25 -25
- package/lib/vendor/blamejs/lib/archive-tar-read.js +2 -2
- package/lib/vendor/blamejs/lib/archive-tar.js +20 -20
- package/lib/vendor/blamejs/lib/archive-wrap.js +10 -10
- package/lib/vendor/blamejs/lib/argon2-builtin.js +1 -1
- package/lib/vendor/blamejs/lib/asn1-der.js +45 -34
- package/lib/vendor/blamejs/lib/atomic-file.js +2 -2
- package/lib/vendor/blamejs/lib/audit-daily-review.js +3 -3
- package/lib/vendor/blamejs/lib/audit-sign.js +5 -5
- package/lib/vendor/blamejs/lib/audit-tools.js +1 -1
- package/lib/vendor/blamejs/lib/audit.js +2 -2
- package/lib/vendor/blamejs/lib/auth/acr-vocabulary.js +2 -2
- package/lib/vendor/blamejs/lib/auth/bot-challenge.js +3 -3
- package/lib/vendor/blamejs/lib/auth/ciba.js +7 -7
- package/lib/vendor/blamejs/lib/auth/dpop.js +3 -3
- package/lib/vendor/blamejs/lib/auth/fido-mds3.js +8 -8
- package/lib/vendor/blamejs/lib/auth/jar.js +11 -0
- package/lib/vendor/blamejs/lib/auth/jwt-external.js +5 -5
- package/lib/vendor/blamejs/lib/auth/oauth.js +7 -9
- package/lib/vendor/blamejs/lib/auth/oid4vci.js +10 -10
- package/lib/vendor/blamejs/lib/auth/oid4vp.js +2 -2
- package/lib/vendor/blamejs/lib/auth/openid-federation.js +2 -2
- package/lib/vendor/blamejs/lib/auth/passkey.js +3 -3
- package/lib/vendor/blamejs/lib/auth/saml.js +31 -43
- package/lib/vendor/blamejs/lib/auth/sd-jwt-vc-disclosure.js +1 -1
- package/lib/vendor/blamejs/lib/auth/sd-jwt-vc.js +5 -5
- package/lib/vendor/blamejs/lib/auth/status-list.js +10 -10
- package/lib/vendor/blamejs/lib/auth/step-up.js +1 -1
- package/lib/vendor/blamejs/lib/auth-bot-challenge.js +1 -1
- package/lib/vendor/blamejs/lib/backup/index.js +7 -7
- package/lib/vendor/blamejs/lib/base32.js +8 -8
- package/lib/vendor/blamejs/lib/budr.js +2 -2
- package/lib/vendor/blamejs/lib/cache-status.js +2 -2
- package/lib/vendor/blamejs/lib/calendar.js +29 -29
- package/lib/vendor/blamejs/lib/cbor.js +12 -12
- package/lib/vendor/blamejs/lib/cdn-cache-control.js +1 -1
- package/lib/vendor/blamejs/lib/cert.js +5 -5
- package/lib/vendor/blamejs/lib/cloud-events.js +5 -5
- package/lib/vendor/blamejs/lib/cms-codec.js +21 -21
- package/lib/vendor/blamejs/lib/codepoint-class.js +12 -12
- package/lib/vendor/blamejs/lib/compliance-sanctions-fuzzy.js +4 -4
- package/lib/vendor/blamejs/lib/compliance-sanctions.js +4 -4
- package/lib/vendor/blamejs/lib/compliance.js +29 -29
- package/lib/vendor/blamejs/lib/content-credentials.js +38 -38
- package/lib/vendor/blamejs/lib/cookies.js +1 -1
- package/lib/vendor/blamejs/lib/cose.js +13 -13
- package/lib/vendor/blamejs/lib/cra-report.js +1 -1
- package/lib/vendor/blamejs/lib/crdt.js +1 -1
- package/lib/vendor/blamejs/lib/crypto-field.js +2 -2
- package/lib/vendor/blamejs/lib/crypto-xwing.js +7 -7
- package/lib/vendor/blamejs/lib/crypto.js +6 -6
- package/lib/vendor/blamejs/lib/csp.js +2 -2
- package/lib/vendor/blamejs/lib/cwt.js +4 -4
- package/lib/vendor/blamejs/lib/dark-patterns.js +2 -2
- package/lib/vendor/blamejs/lib/data-act.js +2 -2
- package/lib/vendor/blamejs/lib/db-file-lifecycle.js +4 -4
- package/lib/vendor/blamejs/lib/db-query.js +1 -1
- package/lib/vendor/blamejs/lib/db.js +6 -6
- package/lib/vendor/blamejs/lib/dbsc.js +13 -13
- package/lib/vendor/blamejs/lib/did.js +17 -17
- package/lib/vendor/blamejs/lib/dora.js +4 -4
- package/lib/vendor/blamejs/lib/dsr.js +1 -1
- package/lib/vendor/blamejs/lib/early-hints.js +2 -2
- package/lib/vendor/blamejs/lib/eat.js +4 -4
- package/lib/vendor/blamejs/lib/external-db-migrate.js +1 -1
- package/lib/vendor/blamejs/lib/external-db.js +1 -1
- package/lib/vendor/blamejs/lib/flag-cache.js +1 -1
- package/lib/vendor/blamejs/lib/flag-evaluation-context.js +2 -2
- package/lib/vendor/blamejs/lib/graphql-federation.js +13 -6
- package/lib/vendor/blamejs/lib/guard-agent-registry.js +5 -5
- package/lib/vendor/blamejs/lib/guard-archive.js +24 -24
- package/lib/vendor/blamejs/lib/guard-cidr.js +34 -34
- package/lib/vendor/blamejs/lib/guard-csv.js +1 -1
- package/lib/vendor/blamejs/lib/guard-domain.js +10 -10
- package/lib/vendor/blamejs/lib/guard-dsn.js +4 -4
- package/lib/vendor/blamejs/lib/guard-email.js +19 -19
- package/lib/vendor/blamejs/lib/guard-event-bus-payload.js +4 -4
- package/lib/vendor/blamejs/lib/guard-event-bus-topic.js +6 -6
- package/lib/vendor/blamejs/lib/guard-filename.js +7 -7
- package/lib/vendor/blamejs/lib/guard-graphql.js +9 -9
- package/lib/vendor/blamejs/lib/guard-html-wcag-tagwalk.js +1 -1
- package/lib/vendor/blamejs/lib/guard-html-wcag.js +4 -4
- package/lib/vendor/blamejs/lib/guard-html.js +7 -7
- package/lib/vendor/blamejs/lib/guard-idempotency-key.js +6 -6
- package/lib/vendor/blamejs/lib/guard-image.js +4 -4
- package/lib/vendor/blamejs/lib/guard-imap-command.js +17 -17
- package/lib/vendor/blamejs/lib/guard-jmap.js +20 -20
- package/lib/vendor/blamejs/lib/guard-json.js +12 -12
- package/lib/vendor/blamejs/lib/guard-jsonpath.js +3 -3
- package/lib/vendor/blamejs/lib/guard-jwt.js +4 -4
- package/lib/vendor/blamejs/lib/guard-list-id.js +7 -7
- package/lib/vendor/blamejs/lib/guard-list-unsubscribe.js +8 -8
- package/lib/vendor/blamejs/lib/guard-mail-compose.js +4 -4
- package/lib/vendor/blamejs/lib/guard-mail-move.js +5 -5
- package/lib/vendor/blamejs/lib/guard-mail-query.js +3 -3
- package/lib/vendor/blamejs/lib/guard-mail-reply.js +3 -3
- package/lib/vendor/blamejs/lib/guard-mail-sieve.js +6 -6
- package/lib/vendor/blamejs/lib/guard-managesieve-command.js +25 -25
- package/lib/vendor/blamejs/lib/guard-markdown.js +31 -31
- package/lib/vendor/blamejs/lib/guard-message-id.js +5 -5
- package/lib/vendor/blamejs/lib/guard-mime.js +1 -1
- package/lib/vendor/blamejs/lib/guard-oauth.js +3 -3
- package/lib/vendor/blamejs/lib/guard-pdf.js +6 -6
- package/lib/vendor/blamejs/lib/guard-pop3-command.js +11 -11
- package/lib/vendor/blamejs/lib/guard-posture-chain.js +5 -5
- package/lib/vendor/blamejs/lib/guard-regex.js +10 -10
- package/lib/vendor/blamejs/lib/guard-saga-config.js +5 -5
- package/lib/vendor/blamejs/lib/guard-smtp-command.js +6 -6
- package/lib/vendor/blamejs/lib/guard-snapshot-envelope.js +3 -3
- package/lib/vendor/blamejs/lib/guard-stream-args.js +4 -4
- package/lib/vendor/blamejs/lib/guard-svg.js +11 -11
- package/lib/vendor/blamejs/lib/guard-tenant-id.js +5 -5
- package/lib/vendor/blamejs/lib/guard-time.js +15 -15
- package/lib/vendor/blamejs/lib/guard-trace-context.js +4 -4
- package/lib/vendor/blamejs/lib/guard-uuid.js +11 -11
- package/lib/vendor/blamejs/lib/guard-xml.js +12 -12
- package/lib/vendor/blamejs/lib/guard-yaml.js +16 -16
- package/lib/vendor/blamejs/lib/honeytoken.js +5 -5
- package/lib/vendor/blamejs/lib/http-client-cache.js +18 -1
- package/lib/vendor/blamejs/lib/http-client.js +13 -10
- package/lib/vendor/blamejs/lib/http-message-signature.js +2 -2
- package/lib/vendor/blamejs/lib/iab-mspa.js +3 -3
- package/lib/vendor/blamejs/lib/iab-tcf.js +70 -70
- package/lib/vendor/blamejs/lib/inbox.js +4 -4
- package/lib/vendor/blamejs/lib/ip-utils.js +15 -15
- package/lib/vendor/blamejs/lib/jose-jwe-experimental.js +2 -2
- package/lib/vendor/blamejs/lib/json-path.js +3 -3
- package/lib/vendor/blamejs/lib/json-schema.js +1 -1
- package/lib/vendor/blamejs/lib/jsonapi.js +3 -3
- package/lib/vendor/blamejs/lib/jtd.js +2 -2
- package/lib/vendor/blamejs/lib/link-header.js +1 -1
- package/lib/vendor/blamejs/lib/local-db-thin.js +1 -1
- package/lib/vendor/blamejs/lib/log.js +8 -3
- package/lib/vendor/blamejs/lib/lro.js +4 -4
- package/lib/vendor/blamejs/lib/mail-agent.js +1 -1
- package/lib/vendor/blamejs/lib/mail-arc-sign.js +6 -6
- package/lib/vendor/blamejs/lib/mail-auth.js +44 -44
- package/lib/vendor/blamejs/lib/mail-bimi.js +3 -3
- package/lib/vendor/blamejs/lib/mail-crypto-pgp.js +53 -45
- package/lib/vendor/blamejs/lib/mail-crypto-smime.js +6 -6
- package/lib/vendor/blamejs/lib/mail-dav.js +1 -1
- package/lib/vendor/blamejs/lib/mail-deploy.js +40 -40
- package/lib/vendor/blamejs/lib/mail-dkim.js +12 -12
- package/lib/vendor/blamejs/lib/mail-greylist.js +12 -12
- package/lib/vendor/blamejs/lib/mail-helo.js +1 -1
- package/lib/vendor/blamejs/lib/mail-journal.js +8 -8
- package/lib/vendor/blamejs/lib/mail-rbl.js +7 -7
- package/lib/vendor/blamejs/lib/mail-scan.js +7 -7
- package/lib/vendor/blamejs/lib/mail-send-deliver.js +2 -2
- package/lib/vendor/blamejs/lib/mail-server-imap.js +12 -12
- package/lib/vendor/blamejs/lib/mail-server-jmap.js +18 -20
- package/lib/vendor/blamejs/lib/mail-server-managesieve.js +4 -4
- package/lib/vendor/blamejs/lib/mail-server-mx.js +17 -17
- package/lib/vendor/blamejs/lib/mail-server-pop3.js +4 -4
- package/lib/vendor/blamejs/lib/mail-server-rate-limit.js +2 -2
- package/lib/vendor/blamejs/lib/mail-server-submission.js +21 -21
- package/lib/vendor/blamejs/lib/mail-sieve.js +2 -2
- package/lib/vendor/blamejs/lib/mail-spam-score.js +5 -5
- package/lib/vendor/blamejs/lib/mail-srs.js +12 -12
- package/lib/vendor/blamejs/lib/mail-store-fts.js +2 -2
- package/lib/vendor/blamejs/lib/mail-store.js +8 -8
- package/lib/vendor/blamejs/lib/mail-unsubscribe.js +4 -4
- package/lib/vendor/blamejs/lib/mail.js +4 -4
- package/lib/vendor/blamejs/lib/mcp-tool-registry.js +4 -4
- package/lib/vendor/blamejs/lib/mcp.js +15 -15
- package/lib/vendor/blamejs/lib/mdoc.js +2 -2
- package/lib/vendor/blamejs/lib/metrics.js +8 -8
- package/lib/vendor/blamejs/lib/middleware/age-gate.js +15 -3
- package/lib/vendor/blamejs/lib/middleware/ai-act-disclosure.js +11 -4
- package/lib/vendor/blamejs/lib/middleware/api-encrypt.js +7 -7
- package/lib/vendor/blamejs/lib/middleware/assetlinks.js +2 -2
- package/lib/vendor/blamejs/lib/middleware/asyncapi-serve.js +2 -2
- package/lib/vendor/blamejs/lib/middleware/bearer-auth.js +5 -5
- package/lib/vendor/blamejs/lib/middleware/body-parser.js +5 -5
- package/lib/vendor/blamejs/lib/middleware/compose-pipeline.js +16 -16
- package/lib/vendor/blamejs/lib/middleware/csp-report.js +4 -4
- package/lib/vendor/blamejs/lib/middleware/daily-byte-quota.js +1 -1
- package/lib/vendor/blamejs/lib/middleware/dpop.js +1 -1
- package/lib/vendor/blamejs/lib/middleware/headers.js +2 -2
- package/lib/vendor/blamejs/lib/middleware/host-allowlist.js +1 -1
- package/lib/vendor/blamejs/lib/middleware/idempotency-key.js +12 -12
- package/lib/vendor/blamejs/lib/middleware/nel.js +1 -1
- package/lib/vendor/blamejs/lib/middleware/openapi-serve.js +2 -2
- package/lib/vendor/blamejs/lib/middleware/protected-resource-metadata.js +2 -2
- package/lib/vendor/blamejs/lib/middleware/rate-limit.js +14 -5
- package/lib/vendor/blamejs/lib/middleware/require-aal.js +1 -1
- package/lib/vendor/blamejs/lib/middleware/require-bound-key.js +2 -2
- package/lib/vendor/blamejs/lib/middleware/require-content-type.js +1 -1
- package/lib/vendor/blamejs/lib/middleware/require-methods.js +1 -1
- package/lib/vendor/blamejs/lib/middleware/require-step-up.js +2 -2
- package/lib/vendor/blamejs/lib/middleware/scim-server.js +1 -1
- package/lib/vendor/blamejs/lib/middleware/security-txt.js +3 -3
- package/lib/vendor/blamejs/lib/middleware/sse.js +14 -8
- package/lib/vendor/blamejs/lib/middleware/tus-upload.js +12 -12
- package/lib/vendor/blamejs/lib/middleware/web-app-manifest.js +2 -2
- package/lib/vendor/blamejs/lib/network-byte-quota.js +1 -1
- package/lib/vendor/blamejs/lib/network-dns-resolver.js +23 -23
- package/lib/vendor/blamejs/lib/network-dns.js +29 -29
- package/lib/vendor/blamejs/lib/network-dnssec.js +33 -33
- package/lib/vendor/blamejs/lib/network-smtp-policy.js +10 -10
- package/lib/vendor/blamejs/lib/network-tls.js +100 -98
- package/lib/vendor/blamejs/lib/network-tsig.js +33 -33
- package/lib/vendor/blamejs/lib/nis2-report.js +1 -1
- package/lib/vendor/blamejs/lib/ntp-check.js +3 -3
- package/lib/vendor/blamejs/lib/observability-otlp-exporter.js +17 -17
- package/lib/vendor/blamejs/lib/observability-tracer.js +6 -6
- package/lib/vendor/blamejs/lib/observability.js +8 -8
- package/lib/vendor/blamejs/lib/openapi-yaml.js +1 -1
- package/lib/vendor/blamejs/lib/openapi.js +1 -1
- package/lib/vendor/blamejs/lib/outbox.js +6 -6
- package/lib/vendor/blamejs/lib/pqc-agent.js +4 -4
- package/lib/vendor/blamejs/lib/pqc-software.js +1 -1
- package/lib/vendor/blamejs/lib/privacy-pass.js +5 -5
- package/lib/vendor/blamejs/lib/problem-details.js +5 -5
- package/lib/vendor/blamejs/lib/promise-pool.js +1 -1
- package/lib/vendor/blamejs/lib/protobuf-encoder.js +9 -1
- package/lib/vendor/blamejs/lib/queue.js +4 -2
- package/lib/vendor/blamejs/lib/redact.js +2 -2
- package/lib/vendor/blamejs/lib/request-helpers.js +1 -1
- package/lib/vendor/blamejs/lib/router.js +10 -10
- package/lib/vendor/blamejs/lib/safe-async.js +2 -2
- package/lib/vendor/blamejs/lib/safe-decompress.js +1 -1
- package/lib/vendor/blamejs/lib/safe-dns.js +71 -71
- package/lib/vendor/blamejs/lib/safe-ical.js +19 -19
- package/lib/vendor/blamejs/lib/safe-icap.js +24 -24
- package/lib/vendor/blamejs/lib/safe-jsonpath.js +2 -2
- package/lib/vendor/blamejs/lib/safe-mime.js +10 -10
- package/lib/vendor/blamejs/lib/safe-mount-info.js +3 -3
- package/lib/vendor/blamejs/lib/safe-redirect.js +1 -1
- package/lib/vendor/blamejs/lib/safe-sieve.js +23 -23
- package/lib/vendor/blamejs/lib/safe-smtp.js +1 -1
- package/lib/vendor/blamejs/lib/safe-url.js +1 -1
- package/lib/vendor/blamejs/lib/safe-vcard.js +14 -14
- package/lib/vendor/blamejs/lib/sandbox.js +5 -5
- package/lib/vendor/blamejs/lib/sec-cyber.js +1 -1
- package/lib/vendor/blamejs/lib/self-update-standalone-verifier.js +3 -3
- package/lib/vendor/blamejs/lib/self-update.js +3 -3
- package/lib/vendor/blamejs/lib/server-timing.js +3 -3
- package/lib/vendor/blamejs/lib/session-device-binding.js +7 -7
- package/lib/vendor/blamejs/lib/session.js +8 -8
- package/lib/vendor/blamejs/lib/sse.js +12 -5
- package/lib/vendor/blamejs/lib/standard-webhooks.js +4 -4
- package/lib/vendor/blamejs/lib/storage.js +2 -2
- package/lib/vendor/blamejs/lib/stream-throttle.js +3 -3
- package/lib/vendor/blamejs/lib/structured-fields.js +15 -15
- package/lib/vendor/blamejs/lib/subject.js +1 -1
- package/lib/vendor/blamejs/lib/tcpa-10dlc.js +1 -1
- package/lib/vendor/blamejs/lib/tenant-quota.js +3 -3
- package/lib/vendor/blamejs/lib/test-harness.js +1 -1
- package/lib/vendor/blamejs/lib/tracing.js +1 -1
- package/lib/vendor/blamejs/lib/tsa.js +5 -5
- package/lib/vendor/blamejs/lib/uri-template.js +5 -5
- package/lib/vendor/blamejs/lib/vault/index.js +2 -2
- package/lib/vendor/blamejs/lib/vault/seal-pem-file.js +4 -4
- package/lib/vendor/blamejs/lib/vc.js +2 -2
- package/lib/vendor/blamejs/lib/vendor-data.js +1 -1
- package/lib/vendor/blamejs/lib/watcher.js +4 -4
- package/lib/vendor/blamejs/lib/web-push-vapid.js +21 -21
- package/lib/vendor/blamejs/lib/webhook.js +2 -2
- package/lib/vendor/blamejs/lib/websocket.js +5 -5
- package/lib/vendor/blamejs/lib/worker-pool.js +3 -3
- package/lib/vendor/blamejs/lib/ws-client.js +24 -24
- package/lib/vendor/blamejs/lib/xml-c14n.js +2 -2
- package/lib/vendor/blamejs/package.json +1 -1
- package/lib/vendor/blamejs/release-notes/v0.13.x.json +1248 -0
- package/lib/vendor/blamejs/release-notes/v0.14.0.json +43 -0
- package/lib/vendor/blamejs/release-notes/v0.14.1.json +60 -0
- package/lib/vendor/blamejs/release-notes/v0.14.2.json +18 -0
- package/lib/vendor/blamejs/release-notes/v0.14.3.json +18 -0
- package/lib/vendor/blamejs/release-notes/v0.14.4.json +18 -0
- package/lib/vendor/blamejs/release-notes/v0.14.5.json +18 -0
- package/lib/vendor/blamejs/test/00-primitives.js +15 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/age-gate.test.js +22 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/auth-jar.test.js +29 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/codebase-patterns.test.js +105 -9
- package/lib/vendor/blamejs/test/layer-0-primitives/compliance-ai-act.test.js +15 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/graphql-federation.test.js +10 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/http-client-cache.test.js +12 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/mail-crypto-pgp.test.js +7 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/network-tls.test.js +11 -5
- package/lib/vendor/blamejs/test/layer-0-primitives/rate-limit-registry.test.js +34 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/sse.test.js +12 -0
- package/package.json +1 -1
- package/lib/vendor/blamejs/release-notes/v0.13.0.json +0 -22
- package/lib/vendor/blamejs/release-notes/v0.13.1.json +0 -18
- package/lib/vendor/blamejs/release-notes/v0.13.10.json +0 -44
- package/lib/vendor/blamejs/release-notes/v0.13.11.json +0 -27
- package/lib/vendor/blamejs/release-notes/v0.13.12.json +0 -36
- package/lib/vendor/blamejs/release-notes/v0.13.13.json +0 -18
- package/lib/vendor/blamejs/release-notes/v0.13.14.json +0 -22
- package/lib/vendor/blamejs/release-notes/v0.13.15.json +0 -27
- package/lib/vendor/blamejs/release-notes/v0.13.16.json +0 -27
- package/lib/vendor/blamejs/release-notes/v0.13.17.json +0 -27
- package/lib/vendor/blamejs/release-notes/v0.13.18.json +0 -18
- package/lib/vendor/blamejs/release-notes/v0.13.19.json +0 -27
- package/lib/vendor/blamejs/release-notes/v0.13.2.json +0 -27
- package/lib/vendor/blamejs/release-notes/v0.13.20.json +0 -22
- package/lib/vendor/blamejs/release-notes/v0.13.21.json +0 -18
- package/lib/vendor/blamejs/release-notes/v0.13.22.json +0 -18
- package/lib/vendor/blamejs/release-notes/v0.13.23.json +0 -42
- package/lib/vendor/blamejs/release-notes/v0.13.24.json +0 -26
- package/lib/vendor/blamejs/release-notes/v0.13.25.json +0 -39
- package/lib/vendor/blamejs/release-notes/v0.13.26.json +0 -31
- package/lib/vendor/blamejs/release-notes/v0.13.27.json +0 -34
- package/lib/vendor/blamejs/release-notes/v0.13.28.json +0 -30
- package/lib/vendor/blamejs/release-notes/v0.13.29.json +0 -30
- package/lib/vendor/blamejs/release-notes/v0.13.3.json +0 -18
- package/lib/vendor/blamejs/release-notes/v0.13.30.json +0 -30
- package/lib/vendor/blamejs/release-notes/v0.13.31.json +0 -26
- package/lib/vendor/blamejs/release-notes/v0.13.32.json +0 -34
- package/lib/vendor/blamejs/release-notes/v0.13.33.json +0 -26
- package/lib/vendor/blamejs/release-notes/v0.13.34.json +0 -48
- package/lib/vendor/blamejs/release-notes/v0.13.35.json +0 -35
- package/lib/vendor/blamejs/release-notes/v0.13.36.json +0 -27
- package/lib/vendor/blamejs/release-notes/v0.13.37.json +0 -18
- package/lib/vendor/blamejs/release-notes/v0.13.38.json +0 -27
- package/lib/vendor/blamejs/release-notes/v0.13.39.json +0 -27
- package/lib/vendor/blamejs/release-notes/v0.13.4.json +0 -23
- package/lib/vendor/blamejs/release-notes/v0.13.40.json +0 -22
- package/lib/vendor/blamejs/release-notes/v0.13.41.json +0 -27
- package/lib/vendor/blamejs/release-notes/v0.13.42.json +0 -18
- package/lib/vendor/blamejs/release-notes/v0.13.43.json +0 -39
- package/lib/vendor/blamejs/release-notes/v0.13.44.json +0 -31
- package/lib/vendor/blamejs/release-notes/v0.13.45.json +0 -31
- package/lib/vendor/blamejs/release-notes/v0.13.46.json +0 -35
- package/lib/vendor/blamejs/release-notes/v0.13.5.json +0 -18
- package/lib/vendor/blamejs/release-notes/v0.13.6.json +0 -18
- package/lib/vendor/blamejs/release-notes/v0.13.7.json +0 -27
- package/lib/vendor/blamejs/release-notes/v0.13.8.json +0 -27
- package/lib/vendor/blamejs/release-notes/v0.13.9.json +0 -27
|
@@ -1,34 +0,0 @@
|
|
|
1
|
-
{
|
|
2
|
-
"$schema": "../scripts/release-notes-schema.json",
|
|
3
|
-
"version": "0.13.27",
|
|
4
|
-
"date": "2026-05-28",
|
|
5
|
-
"headline": "Documentation corrected across api-encrypt, mail-crypto, mail-store, and calendar",
|
|
6
|
-
"summary": "A set of JSDoc corrections where the documented contract had drifted from the code. The most actionable: b.middleware.apiEncrypt's @opts named the keypair fields secretKey / ecSecretKey, but the middleware requires privateKey / ecPrivateKey (the shape b.crypto.generateEncryptionKeyPair returns), so a keypair built from the docs threw INVALID_KEYPAIR at construction; the same block documented a wrong custom-nonceStore interface and an example calling a non-existent b.crypto.keypair(). Also corrected: the b.mail.crypto facade and the PGP module described S/MIME sign/verify and PGP encrypt/decrypt/WKD as deferred when they ship and are live; b.mail.crypto.smime.checkCert documented a return shape whose field names did not match what it returns; and b.mailStore.create listed a destroy method it does not expose. No code behavior changed — only the docs were wrong.",
|
|
7
|
-
"sections": [
|
|
8
|
-
{
|
|
9
|
-
"heading": "Fixed",
|
|
10
|
-
"items": [
|
|
11
|
-
{
|
|
12
|
-
"title": "`b.middleware.apiEncrypt` options documented with the correct field names",
|
|
13
|
-
"body": "The `@opts` listed the keypair as `{ publicKey, secretKey, ecPublicKey, ecSecretKey }`, but the middleware requires `{ publicKey, privateKey, ecPublicKey, ecPrivateKey }` — the shape `b.crypto.generateEncryptionKeyPair()` returns — and threw `INVALID_KEYPAIR` for the documented shape. The custom `nonceStore` interface was documented as `{ has, add, prune }` but the middleware calls `{ checkAndInsert, purgeExpired, close }`, and the example called a non-existent `b.crypto.keypair()`. All three now match the implementation (`b.crypto.generateEncryptionKeyPair()`)."
|
|
14
|
-
},
|
|
15
|
-
{
|
|
16
|
-
"title": "`b.mail.crypto` S/MIME and PGP availability described accurately",
|
|
17
|
-
"body": "The `b.mail.crypto` facade said S/MIME `sign()` / `verify()` were deferred, and the PGP module's intro said in-process encrypt / decrypt and WKD discovery would 'ship in v0.10.14'. All of these are implemented and live (PGP encrypt/decrypt/WKD were promoted to the stable surface in v0.11.32; S/MIME sign/verify/verifyAll run on the `b.cms` substrate). The docs now describe them as available; the genuinely-deferred PGP v6-signature-packet support remains noted as deferred."
|
|
18
|
-
},
|
|
19
|
-
{
|
|
20
|
-
"title": "`b.mail.crypto.smime.checkCert` return shape documented correctly",
|
|
21
|
-
"body": "The doc and example described the result as `{ subjectCN, issuerCN, validFrom, validTo, keyAlg, keyBits, sigAlg }`; the function returns `{ subject, issuer, validFrom, validTo, sigAlgName, sigAlgOid, keyType, fingerprint256 }` (full DN strings, no key-size field). The documented shape now matches."
|
|
22
|
-
},
|
|
23
|
-
{
|
|
24
|
-
"title": "`b.mailStore.create` method list matches the returned handle",
|
|
25
|
-
"body": "The doc listed a `destroy` method the handle does not expose and omitted `search` / `moveMessages` / `hardExpunge` that it does. The list now reflects the actual methods."
|
|
26
|
-
},
|
|
27
|
-
{
|
|
28
|
-
"title": "Smaller doc corrections",
|
|
29
|
-
"body": "`b.calendar` fromIcal / toIcal / validate now document that they also handle Task (VTODO), Note (VJOURNAL), and Group, not just Event. `b.middleware.requireAuth`'s `prefersJson` default is documented as Accept / X-Requested-With only (Content-Type is intentionally not a signal, as the module already noted). The default CSP nonce is 24 base64 chars (16 bytes), not 22. `b.mail.bimi`'s returned `evidenceDocument` is noted as echoed from the operator-supplied option rather than pulled from the certificate."
|
|
30
|
-
}
|
|
31
|
-
]
|
|
32
|
-
}
|
|
33
|
-
]
|
|
34
|
-
}
|
|
@@ -1,30 +0,0 @@
|
|
|
1
|
-
{
|
|
2
|
-
"$schema": "../scripts/release-notes-schema.json",
|
|
3
|
-
"version": "0.13.28",
|
|
4
|
-
"date": "2026-05-28",
|
|
5
|
-
"headline": "Queue retry backoff now applies on the Redis backend; static-serve path-containment edge closed",
|
|
6
|
-
"summary": "Two behavioral fixes plus doc corrections. The Redis queue backend silently discarded the documented retry backoff: b.queue.consume passes the delay as `{ retryDelayMs }` (the shape the local backend reads), but the Redis backend's fail() accepted only a bare-number third argument, so the object failed its numeric check and the delay was forced to 0 — a failing job re-leased immediately instead of waiting 1s/2s/4s/…, a retry storm under failure. The Redis backend now accepts the object form, so the exponential backoff applies as documented (verified by an integration test against real Redis). Separately, b.router.serveStatic's path-containment check used a bare string prefix, so a sibling directory whose name extends the root (root `/srv/public` vs `/srv/public-evil`) could pass; it now anchors on a path separator. Also: b.fileUpload now surfaces (via an observability counter) when a configured content-safety gate is skipped because an upload streamed past the reassembly cap, and documents that boundary; and b.cookies.parse's example output is corrected.",
|
|
7
|
-
"sections": [
|
|
8
|
-
{
|
|
9
|
-
"heading": "Fixed",
|
|
10
|
-
"items": [
|
|
11
|
-
{
|
|
12
|
-
"title": "Redis queue backend honors the documented retry backoff",
|
|
13
|
-
"body": "`b.queue.consume` re-pends a failed job with deterministic exponential backoff (1s base, 5min cap) by calling the backend's `fail()` with `{ retryDelayMs }`. The Redis backend's `fail()` accepted only a bare-number third argument, so the object failed its `typeof === \"number\"` check and the delay was reset to 0 — a failing job became immediately re-leasable, hot-looping instead of backing off. `fail()` now accepts both the object form (as the local backend does) and a bare number, so the backoff applies on Redis. An integration test against real Redis pins it."
|
|
14
|
-
},
|
|
15
|
-
{
|
|
16
|
-
"title": "`b.router.serveStatic` path-containment anchors on a separator",
|
|
17
|
-
"body": "The containment check was `resolvedPath.startsWith(root)`, which a sibling directory sharing the root's name as a prefix (root `/srv/public` vs `/srv/public-evil`) could satisfy. It now requires the resolved path to equal `root` or start with `root + path.sep`, closing the sibling-prefix edge (`b.staticServe.create` remains the hardened serving path, with realpath + filename gating)."
|
|
18
|
-
},
|
|
19
|
-
{
|
|
20
|
-
"title": "`b.fileUpload` surfaces content-safety gate skips on oversized streamed uploads",
|
|
21
|
-
"body": "The byte-level content-safety gate inspects the reassembled buffer, so it runs on uploads up to `maxStreamReassemblyBytes` (default 64 MiB); a larger upload is handed to `onFinalize` as a stream and the byte-content gate is skipped (MIME-sniff and filename gates still run). That skip now emits a `fileUpload.content_safety_skipped_streamed` observability counter instead of passing silently, and the limit is documented. To guarantee content-gating of a type, cap `maxFileBytes` at or below `maxStreamReassemblyBytes`."
|
|
22
|
-
},
|
|
23
|
-
{
|
|
24
|
-
"title": "`b.cookies.parse` example output corrected",
|
|
25
|
-
"body": "The example claimed `theme=%22dark%22` parses to `theme: \"dark\"`, but quote-stripping runs before percent-decoding, so the literal quotes survive. The example now uses `theme=dark%20mode` → `theme: \"dark mode\"`, which demonstrates percent-decoding without the quote-strip-ordering quirk."
|
|
26
|
-
}
|
|
27
|
-
]
|
|
28
|
-
}
|
|
29
|
-
]
|
|
30
|
-
}
|
|
@@ -1,30 +0,0 @@
|
|
|
1
|
-
{
|
|
2
|
-
"$schema": "../scripts/release-notes-schema.json",
|
|
3
|
-
"version": "0.13.29",
|
|
4
|
-
"date": "2026-05-28",
|
|
5
|
-
"headline": "Doc corrections: AI Act disclosure kind values, SQS queue model, age-gate coupling",
|
|
6
|
-
"summary": "Documentation corrections. The most actionable: b.middleware.aiActDisclosure's @opts listed two EU AI Act transparency `kind` values (`deepfake` and `synthetic-content`) that the middleware does not accept, so they threw at construction; the accepted values use the hyphenated Art. 50 spellings (e.g. `deep-fake`) and include a text-public-interest variant the enum omitted — an operator copying the documented values crashed a compliance middleware at boot. The b.queue docs implied the SQS backend is driven by the generic b.queue.consume loop like local/redis; SQS is actually an SQS-native adapter (complete/fail by message receipt handle, server-side redrive) driven directly, and the docs now say so. b.middleware.ageGate's `requireAge` 451 floor is documented as taking effect only alongside `consentRequired` (it was silently inert without it). Plus a compose-pipeline @since and a flag-context @related correction. No code behavior changed.",
|
|
7
|
-
"sections": [
|
|
8
|
-
{
|
|
9
|
-
"heading": "Fixed",
|
|
10
|
-
"items": [
|
|
11
|
-
{
|
|
12
|
-
"title": "`b.middleware.aiActDisclosure` documents the accepted `kind` values",
|
|
13
|
-
"body": "The `@opts` listed `kind` as `ai-interaction | deepfake | emotion-recognition | biometric-categorisation | synthetic-content`. Two of those — `deepfake` and `synthetic-content` — are not accepted and threw at construction; the EU AI Act Art. 50 values use hyphenated spellings (e.g. `deep-fake`, the generated-content variant) and include `ai-text-public-interest`, which the documented enum omitted. The `@opts` now lists the full set the middleware accepts."
|
|
14
|
-
},
|
|
15
|
-
{
|
|
16
|
-
"title": "`b.queue` SQS backend documented as SQS-native, not consume-driven",
|
|
17
|
-
"body": "The module docs implied the `sqs` backend is interchangeable with `local`/`redis` under the generic `b.queue.consume` loop. SQS is an SQS-native adapter: `complete` / `fail` act on the message's `receiptHandle` (returned by `lease()`, threaded back by the caller), and DLQ + visibility-expiry are handled server-side by the queue's RedrivePolicy. The docs now state that `sqs` is driven directly (lease → handle → complete/fail) rather than by `b.queue.consume`, and does not use the framework DLQ / sweep."
|
|
18
|
-
},
|
|
19
|
-
{
|
|
20
|
-
"title": "`b.middleware.ageGate` documents the `requireAge` / `consentRequired` coupling",
|
|
21
|
-
"body": "`requireAge` (the HTTP 451 legal floor) is evaluated within the consent classification, so it takes effect only when `consentRequired` is also set — `requireAge` alone, with `consentRequired: null`, never classifies a request as below-threshold and the 451 never fires. The `@opts` and prose now state this coupling instead of presenting `requireAge` as a standalone threshold."
|
|
22
|
-
},
|
|
23
|
-
{
|
|
24
|
-
"title": "Smaller doc corrections",
|
|
25
|
-
"body": "`b.middleware.composePipeline`'s `@since` is corrected to 0.9.43 (its actual ship version). `b.middleware.flagContext`'s `@related` pointed at a non-existent `b.flagClient.getBoolean`; it now references `b.flag.create`."
|
|
26
|
-
}
|
|
27
|
-
]
|
|
28
|
-
}
|
|
29
|
-
]
|
|
30
|
-
}
|
|
@@ -1,18 +0,0 @@
|
|
|
1
|
-
{
|
|
2
|
-
"$schema": "../scripts/release-notes-schema.json",
|
|
3
|
-
"version": "0.13.3",
|
|
4
|
-
"date": "2026-05-26",
|
|
5
|
-
"headline": "`b.crypto.xwing` — X-Wing hybrid post-quantum KEM",
|
|
6
|
-
"summary": "b.crypto.xwing adds the X-Wing hybrid key-encapsulation mechanism (draft-connolly-cfrg-xwing-kem): it runs ML-KEM-768 and X25519 side by side and binds their shared secrets with SHA3-256, so an encapsulated key stays secure as long as either ML-KEM-768 or X25519 holds. That is the conservative shape for moving off classical ECDH today — a harvest-now-decrypt-later attacker must break the lattice KEM, and a hypothetical ML-KEM break still leaves X25519 standing. keygen() produces a 32-byte decapsulation seed and a 1216-byte public key; encapsulate(publicKey) returns a 1120-byte ciphertext and a 32-byte shared secret; decapsulate(secretKey, ciphertext) recovers it. The X-Wing combiner is frozen, but its specification is still an IETF Internet-Draft, so this primitive is marked experimental and sits beside the existing pre-RFC post-quantum HPKE drafts; it composes the framework's vendored ML-KEM-768 and X25519 with SHA3 and adds no new cryptographic core. The combiner is known-answer-tested byte-for-byte against the draft's definition.",
|
|
7
|
-
"sections": [
|
|
8
|
-
{
|
|
9
|
-
"heading": "Added",
|
|
10
|
-
"items": [
|
|
11
|
-
{
|
|
12
|
-
"title": "`b.crypto.xwing` — X-Wing hybrid PQ/T KEM (experimental)",
|
|
13
|
-
"body": "`keygen(seed?)` → `{ publicKey (1216 B), secretKey (32-byte seed) }`; `encapsulate(publicKey, eseed?)` → `{ ciphertext (1120 B), sharedSecret (32 B) }`; `decapsulate(secretKey, ciphertext)` → the 32-byte shared secret. Both `keygen` and `encapsulate` accept an optional seed for deterministic operation. The combiner — `SHA3-256(ssMLKEM ‖ ssX25519 ‖ ctX25519 ‖ pkX25519 ‖ label)` — is exposed as `combiner` for advanced use. Marked `experimental` while draft-connolly-cfrg-xwing-kem remains an Internet-Draft; the algorithm itself is frozen."
|
|
14
|
-
}
|
|
15
|
-
]
|
|
16
|
-
}
|
|
17
|
-
]
|
|
18
|
-
}
|
|
@@ -1,30 +0,0 @@
|
|
|
1
|
-
{
|
|
2
|
-
"$schema": "../scripts/release-notes-schema.json",
|
|
3
|
-
"version": "0.13.30",
|
|
4
|
-
"date": "2026-05-28",
|
|
5
|
-
"headline": "Doc corrections in the safe-* parsers (defaults, an error code, an example, a status list)",
|
|
6
|
-
"summary": "Four documentation corrections in the safe-* input parsers; no code behavior changed. The parsers' enforced limits and controls are unchanged — these align the docs with what the code already does. b.safeMime.parse's documented default transfer-encoding allowlist listed `binary`, which is excluded by default (opt-in per RFC 3030 BINARYMIME). b.safeDecompress documented a refusal code (`output-too-large`) it never emits — an absolute-size bomb surfaces under `decompress-failed`. b.safeSmtp.findDotTerminator's example output was off by one. b.safeIcap's intro status-code summary omitted 404 / 405 / 408 (the detailed block already listed them).",
|
|
7
|
-
"sections": [
|
|
8
|
-
{
|
|
9
|
-
"heading": "Fixed",
|
|
10
|
-
"items": [
|
|
11
|
-
{
|
|
12
|
-
"title": "`b.safeMime.parse` documents the actual default transfer-encoding allowlist",
|
|
13
|
-
"body": "The `@opts` default listed `7bit/8bit/binary/qp/base64`, but `binary` is deliberately excluded by default (RFC 3030 BINARYMIME is opt-in); the default is `7bit/8bit/quoted-printable/base64`. The doc now matches, so operators don't expect inbound `Content-Transfer-Encoding: binary` parts to pass without opting in."
|
|
14
|
-
},
|
|
15
|
-
{
|
|
16
|
-
"title": "`b.safeDecompress` names the real absolute-size-bomb refusal code",
|
|
17
|
-
"body": "The refusal-posture list documented `safe-decompress/output-too-large` for a bomb-by-absolute-size, but that code is never emitted — zlib's `maxOutputLength` throws before allocation and the failure surfaces as `safe-decompress/decompress-failed`. The doc now names the code an operator branching on the result will actually see (the ratio, output-byte, and compressed-input caps are unchanged and enforced)."
|
|
18
|
-
},
|
|
19
|
-
{
|
|
20
|
-
"title": "`b.safeSmtp.findDotTerminator` example output corrected",
|
|
21
|
-
"body": "The example claimed the `\\r\\n.\\r\\n` terminator in `\"Hello world.\\r\\n.\\r\\n\"` is at index 13; it is at index 12. The example now shows 12 (the implementation was already correct)."
|
|
22
|
-
},
|
|
23
|
-
{
|
|
24
|
-
"title": "`b.safeIcap` intro status-code summary lists 404 / 405 / 408",
|
|
25
|
-
"body": "The intro summary said only `100 / 200 / 204 / 400 / 403 / 5xx` are honored, but the parser also accepts `404 / 405 / 408` (legitimate RFC 3507 §4.3.3 codes, already listed in the detailed `parse` block). The intro summary now matches."
|
|
26
|
-
}
|
|
27
|
-
]
|
|
28
|
-
}
|
|
29
|
-
]
|
|
30
|
-
}
|
|
@@ -1,26 +0,0 @@
|
|
|
1
|
-
{
|
|
2
|
-
"$schema": "../scripts/release-notes-schema.json",
|
|
3
|
-
"version": "0.13.31",
|
|
4
|
-
"date": "2026-05-28",
|
|
5
|
-
"headline": "Circuit-breaker onStateChange callback now fires; mcp / vault-aad doc corrections",
|
|
6
|
-
"summary": "b.circuitBreaker documented an `onStateChange` callback (both an option and an `onStateChange(handler)` registration method) plus a state-change payload, but the callback was never invoked — only an observability event fired. The callback is now implemented: it fires on every transition with `{ name, from, to, at }`, the registration method works, and a non-function handler is rejected at construction. The same primitive's docs are corrected to name the real accessor (`getState()`, not `state()`) and drop a never-read `audit` option. Plus two doc-only corrections: b.mcp.toolResult.sanitize described composing b.guardHtml / b.ai.input.classify (it uses built-in detection) and documented a `classifyInput` option it never read; and b.vault.aad's prose said HKDF-SHAKE256 where the derivation is SHAKE256 (the AEAD AAD-binding itself is unchanged and sound).",
|
|
7
|
-
"sections": [
|
|
8
|
-
{
|
|
9
|
-
"heading": "Fixed",
|
|
10
|
-
"items": [
|
|
11
|
-
{
|
|
12
|
-
"title": "`b.circuitBreaker` onStateChange callback is invoked on every transition",
|
|
13
|
-
"body": "The `onStateChange` option and the `onStateChange(handler)` registration method are now wired: each registered handler is called with `{ name, from, to, at }` on every state transition (closed→open, open→half, half→closed/open), alongside the existing `breaker.state.change` observability event. A non-function `onStateChange` is rejected at construction. Previously the documented callback never fired. The docs are also corrected to name the real state accessor `getState()` (there is a `state` property, so `state()` was never a method) and to drop a never-read `audit` option."
|
|
14
|
-
},
|
|
15
|
-
{
|
|
16
|
-
"title": "`b.mcp.toolResult.sanitize` documents its actual detection and options",
|
|
17
|
-
"body": "The prose said the sanitizer composes `b.guardHtml`'s strict profile and `b.ai.input.classify`; it uses built-in dangerous-HTML and prompt-injection-marker detection. The `@opts` also listed a `classifyInput` override the function never read. The prose now describes the built-in detection and the unwired `classifyInput` option is removed. The fail-closed refusal behavior (default `posture: \"refuse\"`) is unchanged."
|
|
18
|
-
},
|
|
19
|
-
{
|
|
20
|
-
"title": "`b.vault.aad` derivation named correctly (SHAKE256)",
|
|
21
|
-
"body": "The module prose described the per-binding key derivation as HKDF-SHAKE256; it is SHAKE256 over the vault root concatenated with the binding inputs (no HKDF extract/expand). The AEAD AAD-binding to (table, row, column, schema version) — the file's actual security guarantee — is unchanged and sound; only the KDF name in the doc was wrong."
|
|
22
|
-
}
|
|
23
|
-
]
|
|
24
|
-
}
|
|
25
|
-
]
|
|
26
|
-
}
|
|
@@ -1,34 +0,0 @@
|
|
|
1
|
-
{
|
|
2
|
-
"$schema": "../scripts/release-notes-schema.json",
|
|
3
|
-
"version": "0.13.32",
|
|
4
|
-
"date": "2026-05-28",
|
|
5
|
-
"headline": "`b.auditDailyReview` enforces notify under the sox-404 posture; compliance doc corrections",
|
|
6
|
-
"summary": "b.auditDailyReview documented `sox-404` (SOX §404 ICFR — the internal-controls regime this primitive serves) as one of the postures that make a `notify` callback mandatory at construction, but the enforcement set used only `sox`, so pinning `posture: \"sox-404\"` without a notify channel was silently accepted. `sox-404` is now in the mandatory-notify set, so the advertised guarantee holds (a regression test pins it). The rest are documentation corrections with no behavior change: b.compliance.posturesByDomain / posturesByJurisdiction examples showed small fixed arrays where the functions return every matching posture (the catalog has grown); b.dataAct's surface list named two methods that do not exist (the real surface is declareProduct / recordUserAccess / shareWithThirdParty / recordSwitchRequest, with gatekeeper refusal folded into shareWithThirdParty); b.secCyber.eightKArtifact's documented return key `audit` is actually `deadlineBusinessDays`; and b.compliance.aiAct.transparency's helper summary named `cspMetaTag` / a `watermark({ kind })` argument that are really `metaTags` / `watermark({ mediaKind })`.",
|
|
7
|
-
"sections": [
|
|
8
|
-
{
|
|
9
|
-
"heading": "Fixed",
|
|
10
|
-
"items": [
|
|
11
|
-
{
|
|
12
|
-
"title": "`b.auditDailyReview` requires a notify channel under the `sox-404` posture",
|
|
13
|
-
"body": "The docs listed `sox-404` among the postures that make a `notify` callback mandatory at create-time, but the enforcement set contained only `sox` — so `posture: \"sox-404\"` without `notify` was accepted instead of refused. `sox-404` (SOX §404 ICFR) is now in the mandatory-notify set, matching the documented guarantee; constructing without a notify channel under it throws `auditDailyReview/notify-required-under-posture`."
|
|
14
|
-
},
|
|
15
|
-
{
|
|
16
|
-
"title": "`b.compliance` jurisdiction/domain lister examples no longer enumerate a stale fixed set",
|
|
17
|
-
"body": "`posturesByDomain` and `posturesByJurisdiction` return every posture matching the domain/jurisdiction, but their `@example`s showed small fixed arrays from before the posture catalog grew. The examples now show a representative prefix with `...` and note they return the full matching set."
|
|
18
|
-
},
|
|
19
|
-
{
|
|
20
|
-
"title": "`b.dataAct` surface list matches the real methods",
|
|
21
|
-
"body": "The module surface listed `userAccessible(...)` and `refuseGatekeeper(...)`, neither of which exists. The real surface is `declareProduct` / `recordUserAccess` / `shareWithThirdParty` / `recordSwitchRequest`, and DMA-gatekeeper refusal (Art 32 §1) is enforced inside `shareWithThirdParty`. The doc now reflects that."
|
|
22
|
-
},
|
|
23
|
-
{
|
|
24
|
-
"title": "`b.secCyber.eightKArtifact` documented return shape corrected",
|
|
25
|
-
"body": "The signature line showed `{ artifact, deadline, audit }`; the function returns `{ artifact, deadline, deadlineBusinessDays }` (there is no `audit` key). The doc now matches."
|
|
26
|
-
},
|
|
27
|
-
{
|
|
28
|
-
"title": "`b.compliance.aiAct.transparency` helper names corrected",
|
|
29
|
-
"body": "The helper summary named a `cspMetaTag(...)` function and a `watermark({ kind })` argument; the real names are `metaTags(...)` and `watermark({ mediaKind })`. Calling the documented names threw. Also corrected: a `b.aiAdverseDecision` illustration showed an ECOA `statutoryDeadlines` shape that didn't match the regime's actual deadlines."
|
|
30
|
-
}
|
|
31
|
-
]
|
|
32
|
-
}
|
|
33
|
-
]
|
|
34
|
-
}
|
|
@@ -1,26 +0,0 @@
|
|
|
1
|
-
{
|
|
2
|
-
"$schema": "../scripts/release-notes-schema.json",
|
|
3
|
-
"version": "0.13.33",
|
|
4
|
-
"date": "2026-05-28",
|
|
5
|
-
"headline": "Encrypted-mode DB recovers from a corrupt tmpfs working copy instead of crash-looping",
|
|
6
|
-
"summary": "In encrypted-at-rest mode the live SQLite copy is decrypted into a tmpfs working file and re-encrypted to db.enc periodically. If that working copy was corrupted (an unclean shutdown, or a full tmpfs — Docker's /dev/shm defaults to 64 MiB), the boot path trusted it because its mtime was newer than db.enc, so db.init failed its integrity gate with \"database disk image is malformed\" identically on every boot — an unrecoverable crash loop. db now integrity-probes the newer working copy before trusting it: if it is unreadable, the working copy is discarded and db.enc (the last-good encrypted snapshot) is re-decrypted, so the next boot self-heals. db.enc is never modified by this path, and a genuinely-corrupt db.enc still fails loudly rather than wiping data. The boot error on an unreadable database is now actionable (it names the tmpfs-size cause and the recovery). The wiki production compose also gains the storage settings encrypted mode needs.",
|
|
7
|
-
"sections": [
|
|
8
|
-
{
|
|
9
|
-
"heading": "Fixed",
|
|
10
|
-
"items": [
|
|
11
|
-
{
|
|
12
|
-
"title": "Corrupt tmpfs working copy no longer causes a boot crash loop (encrypted-at-rest mode)",
|
|
13
|
-
"body": "`db.init`'s crash-recovery path preferred a newer tmpfs working copy over `db.enc` unconditionally. When that copy was corrupt (truncated by an unclean shutdown or a full `/dev/shm`), every boot trusted it and failed the integrity gate the same way — an unrecoverable loop. The newer working copy is now integrity-probed (`PRAGMA quick_check`); if it is unreadable it is discarded and `db.enc` — the last-good encrypted snapshot — is re-decrypted, so boot self-heals. `db.enc` is never modified, so this only ever rolls back to the persistent copy; if `db.enc` is also corrupt, boot still fails loudly (no silent data loss). A regression test pins the recovery."
|
|
14
|
-
},
|
|
15
|
-
{
|
|
16
|
-
"title": "Actionable boot error when the database is unreadable",
|
|
17
|
-
"body": "When SQLite reports a database too corrupt to even run an integrity check, the boot error now names the likely cause and recovery instead of surfacing the raw \"database disk image is malformed\": in encrypted mode it points at the tmpfs working copy and the most common operational cause (Docker's 64 MiB `/dev/shm` default — raise it via `shm_size` / `--shm-size`), or restoring `db.enc` / the DB file from backup."
|
|
18
|
-
},
|
|
19
|
-
{
|
|
20
|
-
"title": "Wiki production compose ships the storage encrypted mode needs",
|
|
21
|
-
"body": "`examples/wiki/docker-compose.prod.yml` now sets `shm_size: '512m'` (so the encrypted-mode tmpfs working copy has headroom above Docker's 64 MiB default) and mounts a persistent `wiki-data` volume at `/data` (so `db.enc` + sealed keys survive container recreate, host reboot, and image redeploys, and give a restore point). A note flags that PaaS platforms which regenerate the compose on deploy (Coolify, Dokku, CapRover, …) must set both via the platform UI — a persistent-storage mount for `/data` and a `--shm-size 512m` custom option."
|
|
22
|
-
}
|
|
23
|
-
]
|
|
24
|
-
}
|
|
25
|
-
]
|
|
26
|
-
}
|
|
@@ -1,48 +0,0 @@
|
|
|
1
|
-
{
|
|
2
|
-
"$schema": "../scripts/release-notes-schema.json",
|
|
3
|
-
"version": "0.13.34",
|
|
4
|
-
"date": "2026-05-29",
|
|
5
|
-
"headline": "Corrupt TLS certs self-heal at boot, and graceful shutdown no longer loses the final DB flush",
|
|
6
|
-
"summary": "Two failure-mode fixes in the same family as the encrypted-DB recovery in 0.13.33. The cert manager treated a corrupt sealed cert or key worse than a missing one: a missing file re-issues via ACME, but a corrupt one let a raw decrypt error escape out of start(), so the same bad file was read on every boot — an unrecoverable crash loop. A corrupt sealed cert/key is now treated like an absent one and re-issued, and a corrupt derived meta.json is re-derived rather than fatal; the ACME account key (which binds order history) instead fails with an actionable error rather than a raw throw. On the shutdown side, an encrypted database that failed its final re-encrypt used to delete its plaintext working copy anyway, discarding every write since the last periodic flush; it now keeps the working copy so the next boot recovers it. The shutdown orchestrator also gains a hard-deadline watchdog: when the operator delegates signal handling to it, a phase that never settles can no longer hold the process open until the supervisor SIGKILLs it (which would skip the final DB re-encrypt) — the watchdog forces a clean exit, so exit handlers still flush. The wiki production and base compose files set a stop_grace_period above that budget so a docker stop or rolling redeploy lets the re-encrypt finish.",
|
|
7
|
-
"sections": [
|
|
8
|
-
{
|
|
9
|
-
"heading": "Fixed",
|
|
10
|
-
"items": [
|
|
11
|
-
{
|
|
12
|
-
"title": "A corrupt sealed TLS cert or key re-issues instead of crash-looping at boot",
|
|
13
|
-
"body": "`b.cert`'s start path read the sealed `cert.pem`/`key.pem` and let a raw unseal/decrypt error escape if the file was truncated or corrupt, so a managed restart read the same bad file on every boot — a crash loop, and worse handling than an absent file (which already re-issues). A corrupt sealed cert/key is now treated like a missing one: it is logged, an audit event is emitted, and the certificate is re-issued via ACME. A corrupt derived `meta.json` is likewise re-derived rather than throwing `cert/bad-meta`."
|
|
14
|
-
},
|
|
15
|
-
{
|
|
16
|
-
"title": "Unreadable ACME account key fails with an actionable error, not a raw decrypt throw",
|
|
17
|
-
"body": "Unlike a re-issuable certificate, the ACME account key binds existing order and authorization history, so it is not silently regenerated on corruption. An unreadable `account/jwk.json.sealed` now raises `cert/account-key-unreadable` naming the file and the recovery (restore from backup, or delete to register a fresh account) instead of letting a raw decrypt/parse error escape out of start()."
|
|
18
|
-
},
|
|
19
|
-
{
|
|
20
|
-
"title": "Encrypted DB keeps its working copy when the final shutdown re-encrypt fails",
|
|
21
|
-
"body": "`db.close()` re-encrypts the tmpfs working copy to `db.enc`, then deletes the working copy. If that final re-encrypt failed (a full `/dev/shm`, a full disk), the delete still ran, discarding every write since the last periodic flush and leaving only the older `db.enc`. The working copy is now kept whenever the re-encrypt fails, so the next boot's integrity-probed recovery picks up the latest writes (and still falls back to `db.enc` if the working copy is itself corrupt). `db.enc` is never modified by this path."
|
|
22
|
-
}
|
|
23
|
-
]
|
|
24
|
-
},
|
|
25
|
-
{
|
|
26
|
-
"heading": "Changed",
|
|
27
|
-
"items": [
|
|
28
|
-
{
|
|
29
|
-
"title": "Shutdown watchdog forces a clean, DB-flushing exit if a phase hangs",
|
|
30
|
-
"body": "The graceful-shutdown orchestrator uses soft per-phase timeouts — on expiry the underlying work keeps running — so a phase that never settles could hold the event loop open past the grace window, after which a container supervisor SIGKILLs the process and skips the final DB re-encrypt. When the operator opts into signal handling, a watchdog now forces `process.exit` `graceMs + forceExitMarginMs` after the signal; exit runs the registered handlers (the DB re-encrypt), so the last flush still happens. A new `forceExitMarginMs` option (default 5000) tunes the headroom; set the container stop grace above `graceMs + forceExitMarginMs`."
|
|
31
|
-
},
|
|
32
|
-
{
|
|
33
|
-
"title": "Wiki compose sets stop_grace_period above the shutdown budget",
|
|
34
|
-
"body": "`examples/wiki/docker-compose.yml` and `docker-compose.prod.yml` now set `stop_grace_period: 40s`. Docker's 10s default would SIGKILL the container before the 30s shutdown budget reaches the DB re-encrypt phase, losing the final flush on a `docker stop` or rolling redeploy. The production note also reminds PaaS platforms that regenerate the compose (Coolify, Dokku, CapRover) to set the stop grace via the platform UI alongside the persistent-storage mount and `--shm-size`."
|
|
35
|
-
}
|
|
36
|
-
]
|
|
37
|
-
},
|
|
38
|
-
{
|
|
39
|
-
"heading": "Detectors",
|
|
40
|
-
"items": [
|
|
41
|
-
{
|
|
42
|
-
"title": "Cross-artifact guard that stop_grace_period covers the shutdown budget",
|
|
43
|
-
"body": "A new codebase check fails if either wiki compose file omits `stop_grace_period` or sets it below the orchestrator's `graceMs` plus the watchdog margin read from `lib/app-shutdown.js`, so raising the shutdown budget without bumping the compose — or dropping the setting — cannot silently reopen the SIGKILL-before-re-encrypt data-loss window."
|
|
44
|
-
}
|
|
45
|
-
]
|
|
46
|
-
}
|
|
47
|
-
]
|
|
48
|
-
}
|
|
@@ -1,35 +0,0 @@
|
|
|
1
|
-
{
|
|
2
|
-
"$schema": "../scripts/release-notes-schema.json",
|
|
3
|
-
"version": "0.13.35",
|
|
4
|
-
"date": "2026-05-29",
|
|
5
|
-
"headline": "In-memory replay, idempotency, DNS, and i18n stores gain entry-count ceilings",
|
|
6
|
-
"summary": "Several framework caches keyed on request-influenced input grew without an upper bound between their periodic sweeps, so a flood of unique keys could exhaust process memory faster than the sweep reclaimed it. Each now enforces a hard entry ceiling. The replay-protection nonce store is the security-sensitive one: rather than evict a live nonce to admit a new one — which would reopen a replay window for the evicted nonce — it purges expired entries and then fails closed at capacity, refusing the unrecordable request instead of admitting it unprotected. The idempotency, DNS, and i18n caches hold re-derivable values, so they evict the oldest entry instead (the worst case is a recomputed value or a single re-executed retry under flood). Ceilings are generous defaults that normal traffic never reaches; the nonce store and the agent idempotency in-memory backend expose options to tune them.",
|
|
7
|
-
"sections": [
|
|
8
|
-
{
|
|
9
|
-
"heading": "Security",
|
|
10
|
-
"items": [
|
|
11
|
-
{
|
|
12
|
-
"title": "Replay-nonce store bounds memory and fails closed under a nonce flood",
|
|
13
|
-
"body": "The in-memory `b.nonceStore` backend recorded every request-supplied nonce until a periodic sweep ran, so a stream of unique nonces could exhaust memory between sweeps (a memory-amplification denial of service). It now caps its entry count. Because a replay-protection store must never evict a live nonce to make room — doing so would reopen a replay window for the evicted nonce — it instead purges expired entries inline and, if still at capacity with live nonces, fails closed: the new request is refused rather than admitted without replay protection. A new `maxEntries` option tunes the ceiling (default 1,000,000)."
|
|
14
|
-
}
|
|
15
|
-
]
|
|
16
|
-
},
|
|
17
|
-
{
|
|
18
|
-
"heading": "Fixed",
|
|
19
|
-
"items": [
|
|
20
|
-
{
|
|
21
|
-
"title": "Agent idempotency in-memory backend no longer grows without bound",
|
|
22
|
-
"body": "The default in-memory backend for `b.agent.idempotency` is keyed on the request-supplied idempotency key, and its garbage collector only reclaims expired rows when an operator wires a scheduler to call it — so a flood of distinct keys could grow it until the process ran out of memory. It now caps its entry count and evicts oldest-first; a dropped record just means that one key re-executes on a later retry, never a crash. A new `maxInMemoryEntries` option tunes the ceiling (default 100,000); deployments needing a hard guarantee at scale still supply a durable `store`."
|
|
23
|
-
},
|
|
24
|
-
{
|
|
25
|
-
"title": "DNS resolver cache is bounded",
|
|
26
|
-
"body": "The positive and negative resolver caches in `b.network.dns` reclaimed an expired entry only when the same hostname was looked up again, so entries for never-requeried hostnames persisted — and hostnames reaching the resolver are request-influenced (outbound request targets, mail MX lookups). Both caches now cap their entry count and evict oldest-first; DNS simply re-resolves on the next miss."
|
|
27
|
-
},
|
|
28
|
-
{
|
|
29
|
-
"title": "i18n formatter cache is bounded",
|
|
30
|
-
"body": "Per-instance `Intl` formatter caches in `b.i18n` are keyed on the locale plus a hash of the format options. The format-options shape is open-ended and caller-supplied, so the key space was request-influenced and uncapped. The cache now enforces an entry ceiling and evicts oldest-first — a formatter is pure-derived and re-created on the next miss."
|
|
31
|
-
}
|
|
32
|
-
]
|
|
33
|
-
}
|
|
34
|
-
]
|
|
35
|
-
}
|
|
@@ -1,27 +0,0 @@
|
|
|
1
|
-
{
|
|
2
|
-
"$schema": "../scripts/release-notes-schema.json",
|
|
3
|
-
"version": "0.13.36",
|
|
4
|
-
"date": "2026-05-29",
|
|
5
|
-
"headline": "Certificate renewal trusts the sealed cert's own expiry, not the plaintext index",
|
|
6
|
-
"summary": "The managed-certificate renewal check decided a cached cert was still fresh by reading expiresAt from the plaintext meta.json index that sits beside the sealed cert, rather than from the certificate itself. If that index drifted from — or was tampered relative to — the actual cert (a far-future expiry recorded over a certificate that is in fact near expiry), the manager would skip renewal and keep serving a cert that was about to expire or already had. Renewal now re-derives the expiry and fingerprint from the sealed certificate itself; meta.json is treated as an advisory convenience copy. A sealed cert that no longer parses is re-issued (the same recovery as an unreadable one), and a corrupt meta.json over a valid cert now loads cleanly from the cert instead of forcing a needless re-issue. The local job queue also bounds the size of a job payload it parses back from a stored row, matching the cap the dead-letter listing already used.",
|
|
7
|
-
"sections": [
|
|
8
|
-
{
|
|
9
|
-
"heading": "Security",
|
|
10
|
-
"items": [
|
|
11
|
-
{
|
|
12
|
-
"title": "Cert renewal re-derives expiry from the sealed certificate, not the meta.json index",
|
|
13
|
-
"body": "`b.cert`'s renewal short-circuit read `expiresAt` from the plaintext `meta.json` written beside each sealed cert. Because that index can drift from the actual certificate (or be altered independently of it), a far-future value over an actually-expiring cert would suppress renewal and serve a cert past — or about to pass — its validity. The renewal decision now parses the expiry and fingerprint from the sealed certificate itself on load, so `meta.json` is advisory only. A sealed cert that will not parse is treated as corrupt and re-issued; a corrupt `meta.json` over an otherwise-valid cert loads from the cert without a needless re-issue."
|
|
14
|
-
}
|
|
15
|
-
]
|
|
16
|
-
},
|
|
17
|
-
{
|
|
18
|
-
"heading": "Fixed",
|
|
19
|
-
"items": [
|
|
20
|
-
{
|
|
21
|
-
"title": "Local job queue bounds the size of a payload parsed back from a stored row",
|
|
22
|
-
"body": "When the local queue leased a job or re-enqueued a repeating one, it parsed the job payload back from its stored row without an upper size bound, unlike the dead-letter listing which already capped it. A row with an oversized payload (a corrupted or tampered store) could force an unbounded parse. Both paths now cap the parse at the same 64 MiB ceiling the dead-letter path uses."
|
|
23
|
-
}
|
|
24
|
-
]
|
|
25
|
-
}
|
|
26
|
-
]
|
|
27
|
-
}
|
|
@@ -1,18 +0,0 @@
|
|
|
1
|
-
{
|
|
2
|
-
"$schema": "../scripts/release-notes-schema.json",
|
|
3
|
-
"version": "0.13.37",
|
|
4
|
-
"date": "2026-05-29",
|
|
5
|
-
"headline": "Encrypted-mode DB refuses writes before a full tmpfs corrupts it",
|
|
6
|
-
"summary": "In encrypted-at-rest mode the live SQLite working copy is on a tmpfs (Docker's /dev/shm defaults to 64 MiB). If that fills — an append-only audit chain and session rows grow over time — SQLite hits ENOSPC and the working copy is corrupted. Earlier releases made that corruption self-heal on the next boot by rolling back to the last encrypted snapshot, but the rollback still loses writes since the last flush. This adds the prevention side: a periodic free-space probe refuses growth writes (INSERT / UPDATE / REPLACE) with a clear db/storage-low error once free space drops below a threshold, before the tmpfs fills. DELETE and reads stay available so retention can reclaim space and the application keeps serving, and the refusal lifts automatically once free space recovers. The threshold defaults to 16 MiB of headroom and is tunable; the guard is encrypted-mode only.",
|
|
7
|
-
"sections": [
|
|
8
|
-
{
|
|
9
|
-
"heading": "Security",
|
|
10
|
-
"items": [
|
|
11
|
-
{
|
|
12
|
-
"title": "Free-space guard refuses growth writes before the tmpfs working copy fills",
|
|
13
|
-
"body": "`b.db` in encrypted-at-rest mode now probes free space on the tmpfs holding the working copy and, when it falls below `minFreeBytes` (default 16 MiB), refuses `INSERT` / `UPDATE` / `REPLACE` with a clear `db/storage-low` error instead of letting the write run the mount out of space and corrupt the database. `DELETE`, reads, and DDL stay available so retention can prune and the app keeps serving; the refusal clears automatically when free space recovers. The error message points at the cause (Docker's 64 MiB `/dev/shm` default) and the fix (`shm_size` / `--shm-size`, or pruning). Set `minFreeBytes` to tune the headroom, or `0` to disable. This complements the existing boot-time recovery: prevention (fail clear, keep recent writes) ahead of recovery (roll back to the last snapshot)."
|
|
14
|
-
}
|
|
15
|
-
]
|
|
16
|
-
}
|
|
17
|
-
]
|
|
18
|
-
}
|
|
@@ -1,27 +0,0 @@
|
|
|
1
|
-
{
|
|
2
|
-
"$schema": "../scripts/release-notes-schema.json",
|
|
3
|
-
"version": "0.13.38",
|
|
4
|
-
"date": "2026-05-29",
|
|
5
|
-
"headline": "Atomic cache tag invalidation, and a clusterStorage.transaction primitive for multi-statement framework writes",
|
|
6
|
-
"summary": "The cluster cache stored a value and its tag index with separate statements, so two concurrent writes to the same key could interleave their tag updates and leave the index out of step with the value — a later tag-based invalidation would then miss the key, letting a stale (possibly authorization-bearing) value survive a wipe. The value and tag writes now commit as one atomic unit. The enabling piece is a new b.clusterStorage.transaction primitive that runs a multi-statement read-modify-write all-or-nothing against the active backend — the external DB's pooled transaction in cluster mode, and a serialized transaction on the shared SQLite connection in single-node mode (so no concurrent statement can interleave into an open transaction).",
|
|
7
|
-
"sections": [
|
|
8
|
-
{
|
|
9
|
-
"heading": "Added",
|
|
10
|
-
"items": [
|
|
11
|
-
{
|
|
12
|
-
"title": "b.clusterStorage.transaction(fn) — atomic multi-statement framework-state writes",
|
|
13
|
-
"body": "Runs `fn` inside one transaction against the active backend so a multi-statement read-modify-write commits all-or-nothing. `fn` receives a transaction handle with the same `execute` / `executeOne` / `executeAll` surface, scoped to the open transaction. Cluster mode uses the external DB's pooled transaction (with its deadlock retry); single-node mode serializes against other transactions and against `execute` on the shared SQLite connection, so a concurrent statement cannot interleave into an open transaction. Use the handle's methods inside `fn` — calling the module-level `execute` from within `fn` would wait on the very transaction it is running."
|
|
14
|
-
}
|
|
15
|
-
]
|
|
16
|
-
},
|
|
17
|
-
{
|
|
18
|
-
"heading": "Fixed",
|
|
19
|
-
"items": [
|
|
20
|
-
{
|
|
21
|
-
"title": "Cluster cache tag invalidation can no longer miss a key under concurrent writes",
|
|
22
|
-
"body": "The cluster cache wrote a value (`INSERT ... ON CONFLICT DO UPDATE`) and then rewrote its tag index (`DELETE` prior tags, `INSERT` new ones) as separate statements. Two concurrent `set()`s on the same key could interleave those tag statements, leaving the tag index inconsistent with the value — so a later `invalidateTag` could miss the key and a stale value would survive the wipe. The value and tag writes now run inside a single `clusterStorage.transaction`, so a concurrent writer observes either the whole prior state or the whole new state, never a mix."
|
|
23
|
-
}
|
|
24
|
-
]
|
|
25
|
-
}
|
|
26
|
-
]
|
|
27
|
-
}
|
|
@@ -1,27 +0,0 @@
|
|
|
1
|
-
{
|
|
2
|
-
"$schema": "../scripts/release-notes-schema.json",
|
|
3
|
-
"version": "0.13.39",
|
|
4
|
-
"date": "2026-05-29",
|
|
5
|
-
"headline": "Dual-control approvals are atomic — no quorum bypass or double-consume under concurrency",
|
|
6
|
-
"summary": "The dual-control approval store read a grant, mutated it in memory, and wrote it back with an await in between — a non-atomic read-modify-write. Under concurrent calls (two approvals, or a retried one) each could act on a stale snapshot: the same approver could be appended twice and reach the M-of-N quorum with a single human, or a single-use grant could be consumed twice. approve / consume / revoke / cancel now commit through a new atomic cache.update primitive, so the check and the mutation are one indivisible step. The new b.cache.update is available to application code too — the memory backend is atomic by single-thread, and the cluster backend uses a transaction with compare-and-set so a concurrent writer on another node cannot lose an update.",
|
|
7
|
-
"sections": [
|
|
8
|
-
{
|
|
9
|
-
"heading": "Security",
|
|
10
|
-
"items": [
|
|
11
|
-
{
|
|
12
|
-
"title": "Dual-control quorum and single-use guarantees hold under concurrent approvals",
|
|
13
|
-
"body": "`b.dualControl` persisted each grant through a cache read → in-memory mutate → write-back. Because the read and the write were separate awaited steps, two concurrent `approve` calls (or a retried one behind a load balancer) could each read the same pre-approval snapshot, so the duplicate-approver guard passed twice and the same approver was counted toward the M-of-N quorum twice — reaching quorum with one human. The same shape let two concurrent `consume` calls each see an unconsumed grant and both run the destructive operation. `approve` / `consume` / `revoke` / `cancel` now perform the check-and-mutate atomically via `cache.update`, so exactly one concurrent caller wins each transition."
|
|
14
|
-
}
|
|
15
|
-
]
|
|
16
|
-
},
|
|
17
|
-
{
|
|
18
|
-
"heading": "Added",
|
|
19
|
-
"items": [
|
|
20
|
-
{
|
|
21
|
-
"title": "b.cache.update(key, mutatorFn, opts?) — atomic read-modify-write",
|
|
22
|
-
"body": "Reads the current value, calls `mutatorFn(current | null)`, and commits the result in one operation so a concurrent writer cannot clobber the change — the lost-update race that makes a plain `get` → mutate → `set` unsafe for counters, sets, and quorum state. The memory backend is atomic by single-thread; the cluster backend runs a transaction with a compare-and-set (and retries on contention) so the guarantee holds across nodes. `mutatorFn` returns `{ value }` to commit, `{ abort: data }` to leave the entry untouched and surface `data`, or `{ delete: true }` to remove it; the call resolves to `{ updated, value }`, `{ updated, deleted }`, or `{ aborted }`."
|
|
23
|
-
}
|
|
24
|
-
]
|
|
25
|
-
}
|
|
26
|
-
]
|
|
27
|
-
}
|
|
@@ -1,23 +0,0 @@
|
|
|
1
|
-
{
|
|
2
|
-
"$schema": "../scripts/release-notes-schema.json",
|
|
3
|
-
"version": "0.13.4",
|
|
4
|
-
"date": "2026-05-26",
|
|
5
|
-
"headline": "`b.crdt` — conflict-free replicated data types",
|
|
6
|
-
"summary": "b.crdt adds state-based Conflict-free Replicated Data Types: data structures that independent replicas update without coordination and still converge to the same value once they have exchanged state. Each type's merge is a join over a semilattice — commutative, associative, and idempotent — so replicas can merge in any order, any number of times, and agree, which makes these the substrate for active/active cluster state, offline-first clients that reconcile on reconnect, and eventually-consistent counters, sets, and maps. The release ships the full state-based family: grow-only and positive-negative counters (gCounter / pnCounter), grow-only, two-phase, and observed-remove sets (gSet / twoPSet / orSet), a last-write-wins register (lwwRegister), and an observed-remove map (orMap). Every type exposes the same contract — local mutators, merge(other) that returns a converged instance without mutating either operand, value() for the materialized value, and state() / fromState() for a JSON-serializable form to snapshot via b.archive or b.backup or ship to a peer — and carries a replicaId so per-replica contributions stay distinct.",
|
|
7
|
-
"sections": [
|
|
8
|
-
{
|
|
9
|
-
"heading": "Added",
|
|
10
|
-
"items": [
|
|
11
|
-
{
|
|
12
|
-
"title": "`b.crdt` — state-based CvRDT counters, sets, register, and map",
|
|
13
|
-
"body": "`b.crdt.gCounter` / `pnCounter` (grow-only and increment/decrement counters), `b.crdt.gSet` / `twoPSet` / `orSet` (grow-only, two-phase, and observed-remove sets — `orSet` supports re-add and resolves a concurrent add-vs-remove as add-wins), `b.crdt.lwwRegister` (last-write-wins with a deterministic replicaId tie-break), and `b.crdt.orMap` (observed-remove keys with last-write-wins values). Each exposes `merge` / `value` / `state` / `fromState` and converges by the CvRDT laws. `orSet` and `orMap` accept `tombstoneRetention` to bound tombstone memory against a remove flood."
|
|
14
|
-
}
|
|
15
|
-
]
|
|
16
|
-
}
|
|
17
|
-
],
|
|
18
|
-
"outOfScope": [
|
|
19
|
-
"Operation-based sequence CRDTs (RGA) — a different formal class (CmRDT) requiring a causal-delivery channel; ships when collaborative-text / ordered-list editing is needed.",
|
|
20
|
-
"Delta-state mutators — a bandwidth optimization over full-state merge; ships under large-state replication pressure.",
|
|
21
|
-
"The event-bus replicator for live multi-node auto-sync — the state-based types merge manually standalone; ships when live multi-node synchronization is wired, together with the causal-delivery option and its detector."
|
|
22
|
-
]
|
|
23
|
-
}
|
|
@@ -1,22 +0,0 @@
|
|
|
1
|
-
{
|
|
2
|
-
"$schema": "../scripts/release-notes-schema.json",
|
|
3
|
-
"version": "0.13.40",
|
|
4
|
-
"date": "2026-05-29",
|
|
5
|
-
"headline": "Redis client stops leaking a socket and blocking exit after close; DB exit-handler registers once",
|
|
6
|
-
"summary": "Two handle-lifecycle fixes. The Redis client's reconnect backoff used an untracked, non-unref'd timer: during a backoff window it alone could keep the event loop alive (a process that won't exit), and a reconnect scheduled before close() fired afterward and opened a fresh socket because the connect path didn't re-check the closing flag. The timer is now tracked, unref'd, cancelled in close(), and the connect path refuses to re-open once closing. Separately, the encrypted database registered its process-exit final-flush handler on every init(), so repeated init/close cycles (long test runs, hot reload) accumulated 'exit' listeners toward the MaxListenersExceeded warning; it now registers once for the process lifetime.",
|
|
7
|
-
"sections": [
|
|
8
|
-
{
|
|
9
|
-
"heading": "Fixed",
|
|
10
|
-
"items": [
|
|
11
|
-
{
|
|
12
|
-
"title": "Redis client cancels its reconnect timer on close and won't re-open a closed connection",
|
|
13
|
-
"body": "The reconnect backoff scheduled `setTimeout(reconnect, delay)` without keeping a handle, without `unref()`, and the reconnect path checked only `connected`/`connecting` — not `closing`. So a backoff window could by itself hold the process open (it won't exit), and a reconnect scheduled before `close()` would fire afterward and open a fresh socket with listeners — a leak after explicit close. The timer is now tracked and `unref()`'d (a backoff no longer blocks exit), cancelled in `close()`, and the connect path returns early once closing so no socket is opened after close."
|
|
14
|
-
},
|
|
15
|
-
{
|
|
16
|
-
"title": "Encrypted DB registers its process-exit flush handler once, not per init()",
|
|
17
|
-
"body": "`b.db.init()` in encrypted mode added a `process.on(\"exit\")` final-flush handler on every call. Across repeated init/close cycles — long test suites, hot reload, embedded re-inits — these accumulated and tripped Node's MaxListenersExceeded warning (and grew memory slightly). The handler is now registered once for the process lifetime, guarded by a module flag, and still flushes whichever encrypted DB is open at exit time."
|
|
18
|
-
}
|
|
19
|
-
]
|
|
20
|
-
}
|
|
21
|
-
]
|
|
22
|
-
}
|
|
@@ -1,27 +0,0 @@
|
|
|
1
|
-
{
|
|
2
|
-
"$schema": "../scripts/release-notes-schema.json",
|
|
3
|
-
"version": "0.13.41",
|
|
4
|
-
"date": "2026-05-29",
|
|
5
|
-
"headline": "Agent registry reads can be tenant-scoped; compliance-erasure docs clarify actor is an audit field",
|
|
6
|
-
"summary": "The agent orchestrator's registry reads (list and lookup) gated only on the flat agent-registry:read scope, so any holder could enumerate every tenant's agents and resolve a handle to one — even though the event bus already scopes subscribe and delivery by tenant. The orchestrator now mirrors that: with the new tenantScope option enabled, list returns only the actor's own tenant's agents and lookup refuses a cross-tenant name, unless the actor holds the framework cross-tenant-admin scope. Off by default, so single-tenant deployments are unaffected. Separately, the subject-erasure docs now state explicitly that the recorded actor is an audit field, not authentication — the caller must be authorized upstream.",
|
|
7
|
-
"sections": [
|
|
8
|
-
{
|
|
9
|
-
"heading": "Added",
|
|
10
|
-
"items": [
|
|
11
|
-
{
|
|
12
|
-
"title": "Tenant-scoped agent registry reads (opts.tenantScope)",
|
|
13
|
-
"body": "`b.agent.orchestrator.create({ tenantScope: true })` now scopes `list` and `lookup` to the calling actor's tenant: `list` filters out agents in other tenants and `lookup` returns null for a cross-tenant name, unless the actor holds the cross-tenant-admin scope (`b.agent.tenant.CROSS_TENANT_ADMIN_SCOPE`). This closes a cross-tenant metadata-enumeration and handle-acquisition path — `agent-registry:read` alone no longer exposes other tenants' agents — and mirrors the tenant scoping the event bus enforces on subscribe and delivery. The option defaults off; existing single-tenant orchestrators behave exactly as before. The `tenantId` argument to `list` remains a convenience filter, distinct from this authorization boundary."
|
|
14
|
-
}
|
|
15
|
-
]
|
|
16
|
-
},
|
|
17
|
-
{
|
|
18
|
-
"heading": "Changed",
|
|
19
|
-
"items": [
|
|
20
|
-
{
|
|
21
|
-
"title": "Subject-erasure docs clarify the actor is an audit field, not authentication",
|
|
22
|
-
"body": "`b.subject.erase` and `b.subject.eraseHard` gate the deletion on operator acknowledgements and the legal-hold registry, not on caller identity. Their documentation now states explicitly that the recorded `actor` is an audit-record field, not authentication — the caller MUST be authenticated and authorized by the route before invoking. No behavior change; this removes an implicit assumption that could otherwise be read as the primitive authorizing the call."
|
|
23
|
-
}
|
|
24
|
-
]
|
|
25
|
-
}
|
|
26
|
-
]
|
|
27
|
-
}
|
|
@@ -1,18 +0,0 @@
|
|
|
1
|
-
{
|
|
2
|
-
"$schema": "../scripts/release-notes-schema.json",
|
|
3
|
-
"version": "0.13.42",
|
|
4
|
-
"date": "2026-05-29",
|
|
5
|
-
"headline": "S/MIME trust-chain validation binds the leaf to the key that verified the signature",
|
|
6
|
-
"summary": "When b.mail.crypto.smime.verify is given trust anchors, it validates the supplied certificate chain — but it picked the chain leaf unconditionally (the first cert) and never tied it to signerPublicKey, the key that actually verified the signature. A SignedData blob could therefore carry a validly-chained certificate for one identity while the signature was verified under an unrelated key, and the chain-validated result would imply a cert↔signer binding the code never made. Chain validation now selects the leaf as the certificate whose public key matches signerPublicKey, and refuses (signer-not-in-chain) when no certificate in the chain carries that key — so a chain-validated signature is bound to the cert it claims.",
|
|
7
|
-
"sections": [
|
|
8
|
-
{
|
|
9
|
-
"heading": "Security",
|
|
10
|
-
"items": [
|
|
11
|
-
{
|
|
12
|
-
"title": "Trust-chain leaf is bound to the verified signer key",
|
|
13
|
-
"body": "`smime.verify({ trustAnchorCertsPem })` validated the supplied chain starting from `chain[0]` without checking that the leaf's public key was the one that verified the signature (the operator-supplied `signerPublicKey`). A crafted `SignedData` could pair a validly-chained certificate for identity A with a signature verified under an unrelated key, and the chain-valid result would assert a binding that didn't hold. The chain walk now selects the leaf as the certificate whose public key equals `signerPublicKey` (matched against the certificate's SPKI, raw key or full-encoding form), and throws `mail-crypto/smime/signer-not-in-chain` when no certificate in `SignedData.certificates` carries that key. A certificate whose key cannot be extracted is treated as a non-match, so validation fails closed rather than trusting an unverifiable binding."
|
|
14
|
-
}
|
|
15
|
-
]
|
|
16
|
-
}
|
|
17
|
-
]
|
|
18
|
-
}
|