@blamejs/blamejs-shop 0.3.5 → 0.3.6

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (353) hide show
  1. package/CHANGELOG.md +2 -0
  2. package/lib/asset-manifest.json +1 -1
  3. package/lib/vendor/MANIFEST.json +3 -3
  4. package/lib/vendor/blamejs/CHANGELOG.md +14 -0
  5. package/lib/vendor/blamejs/api-snapshot.json +2 -2
  6. package/lib/vendor/blamejs/lib/_test/crypto-fixtures.js +3 -3
  7. package/lib/vendor/blamejs/lib/a2a-tasks.js +24 -24
  8. package/lib/vendor/blamejs/lib/a2a.js +4 -4
  9. package/lib/vendor/blamejs/lib/acme.js +3 -3
  10. package/lib/vendor/blamejs/lib/agent-idempotency.js +1 -1
  11. package/lib/vendor/blamejs/lib/agent-orchestrator.js +8 -8
  12. package/lib/vendor/blamejs/lib/agent-posture-chain.js +2 -2
  13. package/lib/vendor/blamejs/lib/agent-saga.js +1 -1
  14. package/lib/vendor/blamejs/lib/agent-snapshot.js +1 -1
  15. package/lib/vendor/blamejs/lib/agent-stream.js +1 -1
  16. package/lib/vendor/blamejs/lib/agent-tenant.js +1 -1
  17. package/lib/vendor/blamejs/lib/agent-trace.js +3 -3
  18. package/lib/vendor/blamejs/lib/ai-capability.js +1 -1
  19. package/lib/vendor/blamejs/lib/ai-dp.js +4 -4
  20. package/lib/vendor/blamejs/lib/ai-input.js +4 -4
  21. package/lib/vendor/blamejs/lib/ai-model-manifest.js +7 -7
  22. package/lib/vendor/blamejs/lib/ai-pref.js +3 -3
  23. package/lib/vendor/blamejs/lib/archive-gz.js +2 -2
  24. package/lib/vendor/blamejs/lib/archive-read.js +25 -25
  25. package/lib/vendor/blamejs/lib/archive-tar-read.js +2 -2
  26. package/lib/vendor/blamejs/lib/archive-tar.js +20 -20
  27. package/lib/vendor/blamejs/lib/archive-wrap.js +10 -10
  28. package/lib/vendor/blamejs/lib/argon2-builtin.js +1 -1
  29. package/lib/vendor/blamejs/lib/asn1-der.js +45 -34
  30. package/lib/vendor/blamejs/lib/atomic-file.js +2 -2
  31. package/lib/vendor/blamejs/lib/audit-daily-review.js +3 -3
  32. package/lib/vendor/blamejs/lib/audit-sign.js +5 -5
  33. package/lib/vendor/blamejs/lib/audit-tools.js +1 -1
  34. package/lib/vendor/blamejs/lib/audit.js +2 -2
  35. package/lib/vendor/blamejs/lib/auth/acr-vocabulary.js +2 -2
  36. package/lib/vendor/blamejs/lib/auth/bot-challenge.js +3 -3
  37. package/lib/vendor/blamejs/lib/auth/ciba.js +7 -7
  38. package/lib/vendor/blamejs/lib/auth/dpop.js +3 -3
  39. package/lib/vendor/blamejs/lib/auth/fido-mds3.js +8 -8
  40. package/lib/vendor/blamejs/lib/auth/jar.js +11 -0
  41. package/lib/vendor/blamejs/lib/auth/jwt-external.js +5 -5
  42. package/lib/vendor/blamejs/lib/auth/oauth.js +7 -9
  43. package/lib/vendor/blamejs/lib/auth/oid4vci.js +10 -10
  44. package/lib/vendor/blamejs/lib/auth/oid4vp.js +2 -2
  45. package/lib/vendor/blamejs/lib/auth/openid-federation.js +2 -2
  46. package/lib/vendor/blamejs/lib/auth/passkey.js +3 -3
  47. package/lib/vendor/blamejs/lib/auth/saml.js +31 -43
  48. package/lib/vendor/blamejs/lib/auth/sd-jwt-vc-disclosure.js +1 -1
  49. package/lib/vendor/blamejs/lib/auth/sd-jwt-vc.js +5 -5
  50. package/lib/vendor/blamejs/lib/auth/status-list.js +10 -10
  51. package/lib/vendor/blamejs/lib/auth/step-up.js +1 -1
  52. package/lib/vendor/blamejs/lib/auth-bot-challenge.js +1 -1
  53. package/lib/vendor/blamejs/lib/backup/index.js +7 -7
  54. package/lib/vendor/blamejs/lib/base32.js +8 -8
  55. package/lib/vendor/blamejs/lib/budr.js +2 -2
  56. package/lib/vendor/blamejs/lib/cache-status.js +2 -2
  57. package/lib/vendor/blamejs/lib/calendar.js +29 -29
  58. package/lib/vendor/blamejs/lib/cbor.js +12 -12
  59. package/lib/vendor/blamejs/lib/cdn-cache-control.js +1 -1
  60. package/lib/vendor/blamejs/lib/cert.js +5 -5
  61. package/lib/vendor/blamejs/lib/cloud-events.js +5 -5
  62. package/lib/vendor/blamejs/lib/cms-codec.js +21 -21
  63. package/lib/vendor/blamejs/lib/codepoint-class.js +12 -12
  64. package/lib/vendor/blamejs/lib/compliance-sanctions-fuzzy.js +4 -4
  65. package/lib/vendor/blamejs/lib/compliance-sanctions.js +4 -4
  66. package/lib/vendor/blamejs/lib/compliance.js +29 -29
  67. package/lib/vendor/blamejs/lib/content-credentials.js +38 -38
  68. package/lib/vendor/blamejs/lib/cookies.js +1 -1
  69. package/lib/vendor/blamejs/lib/cose.js +13 -13
  70. package/lib/vendor/blamejs/lib/cra-report.js +1 -1
  71. package/lib/vendor/blamejs/lib/crdt.js +1 -1
  72. package/lib/vendor/blamejs/lib/crypto-field.js +2 -2
  73. package/lib/vendor/blamejs/lib/crypto-xwing.js +7 -7
  74. package/lib/vendor/blamejs/lib/crypto.js +6 -6
  75. package/lib/vendor/blamejs/lib/csp.js +2 -2
  76. package/lib/vendor/blamejs/lib/cwt.js +4 -4
  77. package/lib/vendor/blamejs/lib/dark-patterns.js +2 -2
  78. package/lib/vendor/blamejs/lib/data-act.js +2 -2
  79. package/lib/vendor/blamejs/lib/db-file-lifecycle.js +4 -4
  80. package/lib/vendor/blamejs/lib/db-query.js +1 -1
  81. package/lib/vendor/blamejs/lib/db.js +6 -6
  82. package/lib/vendor/blamejs/lib/dbsc.js +13 -13
  83. package/lib/vendor/blamejs/lib/did.js +17 -17
  84. package/lib/vendor/blamejs/lib/dora.js +4 -4
  85. package/lib/vendor/blamejs/lib/dsr.js +1 -1
  86. package/lib/vendor/blamejs/lib/early-hints.js +2 -2
  87. package/lib/vendor/blamejs/lib/eat.js +4 -4
  88. package/lib/vendor/blamejs/lib/external-db-migrate.js +1 -1
  89. package/lib/vendor/blamejs/lib/external-db.js +1 -1
  90. package/lib/vendor/blamejs/lib/flag-cache.js +1 -1
  91. package/lib/vendor/blamejs/lib/flag-evaluation-context.js +2 -2
  92. package/lib/vendor/blamejs/lib/graphql-federation.js +13 -6
  93. package/lib/vendor/blamejs/lib/guard-agent-registry.js +5 -5
  94. package/lib/vendor/blamejs/lib/guard-archive.js +24 -24
  95. package/lib/vendor/blamejs/lib/guard-cidr.js +34 -34
  96. package/lib/vendor/blamejs/lib/guard-csv.js +1 -1
  97. package/lib/vendor/blamejs/lib/guard-domain.js +10 -10
  98. package/lib/vendor/blamejs/lib/guard-dsn.js +4 -4
  99. package/lib/vendor/blamejs/lib/guard-email.js +19 -19
  100. package/lib/vendor/blamejs/lib/guard-event-bus-payload.js +4 -4
  101. package/lib/vendor/blamejs/lib/guard-event-bus-topic.js +6 -6
  102. package/lib/vendor/blamejs/lib/guard-filename.js +7 -7
  103. package/lib/vendor/blamejs/lib/guard-graphql.js +9 -9
  104. package/lib/vendor/blamejs/lib/guard-html-wcag-tagwalk.js +1 -1
  105. package/lib/vendor/blamejs/lib/guard-html-wcag.js +4 -4
  106. package/lib/vendor/blamejs/lib/guard-html.js +7 -7
  107. package/lib/vendor/blamejs/lib/guard-idempotency-key.js +6 -6
  108. package/lib/vendor/blamejs/lib/guard-image.js +4 -4
  109. package/lib/vendor/blamejs/lib/guard-imap-command.js +17 -17
  110. package/lib/vendor/blamejs/lib/guard-jmap.js +20 -20
  111. package/lib/vendor/blamejs/lib/guard-json.js +12 -12
  112. package/lib/vendor/blamejs/lib/guard-jsonpath.js +3 -3
  113. package/lib/vendor/blamejs/lib/guard-jwt.js +4 -4
  114. package/lib/vendor/blamejs/lib/guard-list-id.js +7 -7
  115. package/lib/vendor/blamejs/lib/guard-list-unsubscribe.js +8 -8
  116. package/lib/vendor/blamejs/lib/guard-mail-compose.js +4 -4
  117. package/lib/vendor/blamejs/lib/guard-mail-move.js +5 -5
  118. package/lib/vendor/blamejs/lib/guard-mail-query.js +3 -3
  119. package/lib/vendor/blamejs/lib/guard-mail-reply.js +3 -3
  120. package/lib/vendor/blamejs/lib/guard-mail-sieve.js +6 -6
  121. package/lib/vendor/blamejs/lib/guard-managesieve-command.js +25 -25
  122. package/lib/vendor/blamejs/lib/guard-markdown.js +31 -31
  123. package/lib/vendor/blamejs/lib/guard-message-id.js +5 -5
  124. package/lib/vendor/blamejs/lib/guard-mime.js +1 -1
  125. package/lib/vendor/blamejs/lib/guard-oauth.js +3 -3
  126. package/lib/vendor/blamejs/lib/guard-pdf.js +6 -6
  127. package/lib/vendor/blamejs/lib/guard-pop3-command.js +11 -11
  128. package/lib/vendor/blamejs/lib/guard-posture-chain.js +5 -5
  129. package/lib/vendor/blamejs/lib/guard-regex.js +10 -10
  130. package/lib/vendor/blamejs/lib/guard-saga-config.js +5 -5
  131. package/lib/vendor/blamejs/lib/guard-smtp-command.js +6 -6
  132. package/lib/vendor/blamejs/lib/guard-snapshot-envelope.js +3 -3
  133. package/lib/vendor/blamejs/lib/guard-stream-args.js +4 -4
  134. package/lib/vendor/blamejs/lib/guard-svg.js +11 -11
  135. package/lib/vendor/blamejs/lib/guard-tenant-id.js +5 -5
  136. package/lib/vendor/blamejs/lib/guard-time.js +15 -15
  137. package/lib/vendor/blamejs/lib/guard-trace-context.js +4 -4
  138. package/lib/vendor/blamejs/lib/guard-uuid.js +11 -11
  139. package/lib/vendor/blamejs/lib/guard-xml.js +12 -12
  140. package/lib/vendor/blamejs/lib/guard-yaml.js +16 -16
  141. package/lib/vendor/blamejs/lib/honeytoken.js +5 -5
  142. package/lib/vendor/blamejs/lib/http-client-cache.js +18 -1
  143. package/lib/vendor/blamejs/lib/http-client.js +13 -10
  144. package/lib/vendor/blamejs/lib/http-message-signature.js +2 -2
  145. package/lib/vendor/blamejs/lib/iab-mspa.js +3 -3
  146. package/lib/vendor/blamejs/lib/iab-tcf.js +70 -70
  147. package/lib/vendor/blamejs/lib/inbox.js +4 -4
  148. package/lib/vendor/blamejs/lib/ip-utils.js +15 -15
  149. package/lib/vendor/blamejs/lib/jose-jwe-experimental.js +2 -2
  150. package/lib/vendor/blamejs/lib/json-path.js +3 -3
  151. package/lib/vendor/blamejs/lib/json-schema.js +1 -1
  152. package/lib/vendor/blamejs/lib/jsonapi.js +3 -3
  153. package/lib/vendor/blamejs/lib/jtd.js +2 -2
  154. package/lib/vendor/blamejs/lib/link-header.js +1 -1
  155. package/lib/vendor/blamejs/lib/local-db-thin.js +1 -1
  156. package/lib/vendor/blamejs/lib/log.js +8 -3
  157. package/lib/vendor/blamejs/lib/lro.js +4 -4
  158. package/lib/vendor/blamejs/lib/mail-agent.js +1 -1
  159. package/lib/vendor/blamejs/lib/mail-arc-sign.js +6 -6
  160. package/lib/vendor/blamejs/lib/mail-auth.js +44 -44
  161. package/lib/vendor/blamejs/lib/mail-bimi.js +3 -3
  162. package/lib/vendor/blamejs/lib/mail-crypto-pgp.js +53 -45
  163. package/lib/vendor/blamejs/lib/mail-crypto-smime.js +6 -6
  164. package/lib/vendor/blamejs/lib/mail-dav.js +1 -1
  165. package/lib/vendor/blamejs/lib/mail-deploy.js +40 -40
  166. package/lib/vendor/blamejs/lib/mail-dkim.js +12 -12
  167. package/lib/vendor/blamejs/lib/mail-greylist.js +12 -12
  168. package/lib/vendor/blamejs/lib/mail-helo.js +1 -1
  169. package/lib/vendor/blamejs/lib/mail-journal.js +8 -8
  170. package/lib/vendor/blamejs/lib/mail-rbl.js +7 -7
  171. package/lib/vendor/blamejs/lib/mail-scan.js +7 -7
  172. package/lib/vendor/blamejs/lib/mail-send-deliver.js +2 -2
  173. package/lib/vendor/blamejs/lib/mail-server-imap.js +12 -12
  174. package/lib/vendor/blamejs/lib/mail-server-jmap.js +18 -20
  175. package/lib/vendor/blamejs/lib/mail-server-managesieve.js +4 -4
  176. package/lib/vendor/blamejs/lib/mail-server-mx.js +17 -17
  177. package/lib/vendor/blamejs/lib/mail-server-pop3.js +4 -4
  178. package/lib/vendor/blamejs/lib/mail-server-rate-limit.js +2 -2
  179. package/lib/vendor/blamejs/lib/mail-server-submission.js +21 -21
  180. package/lib/vendor/blamejs/lib/mail-sieve.js +2 -2
  181. package/lib/vendor/blamejs/lib/mail-spam-score.js +5 -5
  182. package/lib/vendor/blamejs/lib/mail-srs.js +12 -12
  183. package/lib/vendor/blamejs/lib/mail-store-fts.js +2 -2
  184. package/lib/vendor/blamejs/lib/mail-store.js +8 -8
  185. package/lib/vendor/blamejs/lib/mail-unsubscribe.js +4 -4
  186. package/lib/vendor/blamejs/lib/mail.js +4 -4
  187. package/lib/vendor/blamejs/lib/mcp-tool-registry.js +4 -4
  188. package/lib/vendor/blamejs/lib/mcp.js +15 -15
  189. package/lib/vendor/blamejs/lib/mdoc.js +2 -2
  190. package/lib/vendor/blamejs/lib/metrics.js +8 -8
  191. package/lib/vendor/blamejs/lib/middleware/age-gate.js +15 -3
  192. package/lib/vendor/blamejs/lib/middleware/ai-act-disclosure.js +11 -4
  193. package/lib/vendor/blamejs/lib/middleware/api-encrypt.js +7 -7
  194. package/lib/vendor/blamejs/lib/middleware/assetlinks.js +2 -2
  195. package/lib/vendor/blamejs/lib/middleware/asyncapi-serve.js +2 -2
  196. package/lib/vendor/blamejs/lib/middleware/bearer-auth.js +5 -5
  197. package/lib/vendor/blamejs/lib/middleware/body-parser.js +5 -5
  198. package/lib/vendor/blamejs/lib/middleware/compose-pipeline.js +16 -16
  199. package/lib/vendor/blamejs/lib/middleware/csp-report.js +4 -4
  200. package/lib/vendor/blamejs/lib/middleware/daily-byte-quota.js +1 -1
  201. package/lib/vendor/blamejs/lib/middleware/dpop.js +1 -1
  202. package/lib/vendor/blamejs/lib/middleware/headers.js +2 -2
  203. package/lib/vendor/blamejs/lib/middleware/host-allowlist.js +1 -1
  204. package/lib/vendor/blamejs/lib/middleware/idempotency-key.js +12 -12
  205. package/lib/vendor/blamejs/lib/middleware/nel.js +1 -1
  206. package/lib/vendor/blamejs/lib/middleware/openapi-serve.js +2 -2
  207. package/lib/vendor/blamejs/lib/middleware/protected-resource-metadata.js +2 -2
  208. package/lib/vendor/blamejs/lib/middleware/rate-limit.js +14 -5
  209. package/lib/vendor/blamejs/lib/middleware/require-aal.js +1 -1
  210. package/lib/vendor/blamejs/lib/middleware/require-bound-key.js +2 -2
  211. package/lib/vendor/blamejs/lib/middleware/require-content-type.js +1 -1
  212. package/lib/vendor/blamejs/lib/middleware/require-methods.js +1 -1
  213. package/lib/vendor/blamejs/lib/middleware/require-step-up.js +2 -2
  214. package/lib/vendor/blamejs/lib/middleware/scim-server.js +1 -1
  215. package/lib/vendor/blamejs/lib/middleware/security-txt.js +3 -3
  216. package/lib/vendor/blamejs/lib/middleware/sse.js +14 -8
  217. package/lib/vendor/blamejs/lib/middleware/tus-upload.js +12 -12
  218. package/lib/vendor/blamejs/lib/middleware/web-app-manifest.js +2 -2
  219. package/lib/vendor/blamejs/lib/network-byte-quota.js +1 -1
  220. package/lib/vendor/blamejs/lib/network-dns-resolver.js +23 -23
  221. package/lib/vendor/blamejs/lib/network-dns.js +29 -29
  222. package/lib/vendor/blamejs/lib/network-dnssec.js +33 -33
  223. package/lib/vendor/blamejs/lib/network-smtp-policy.js +10 -10
  224. package/lib/vendor/blamejs/lib/network-tls.js +100 -98
  225. package/lib/vendor/blamejs/lib/network-tsig.js +33 -33
  226. package/lib/vendor/blamejs/lib/nis2-report.js +1 -1
  227. package/lib/vendor/blamejs/lib/ntp-check.js +3 -3
  228. package/lib/vendor/blamejs/lib/observability-otlp-exporter.js +17 -17
  229. package/lib/vendor/blamejs/lib/observability-tracer.js +6 -6
  230. package/lib/vendor/blamejs/lib/observability.js +8 -8
  231. package/lib/vendor/blamejs/lib/openapi-yaml.js +1 -1
  232. package/lib/vendor/blamejs/lib/openapi.js +1 -1
  233. package/lib/vendor/blamejs/lib/outbox.js +6 -6
  234. package/lib/vendor/blamejs/lib/pqc-agent.js +4 -4
  235. package/lib/vendor/blamejs/lib/pqc-software.js +1 -1
  236. package/lib/vendor/blamejs/lib/privacy-pass.js +5 -5
  237. package/lib/vendor/blamejs/lib/problem-details.js +5 -5
  238. package/lib/vendor/blamejs/lib/promise-pool.js +1 -1
  239. package/lib/vendor/blamejs/lib/protobuf-encoder.js +9 -1
  240. package/lib/vendor/blamejs/lib/queue.js +4 -2
  241. package/lib/vendor/blamejs/lib/redact.js +2 -2
  242. package/lib/vendor/blamejs/lib/request-helpers.js +1 -1
  243. package/lib/vendor/blamejs/lib/router.js +10 -10
  244. package/lib/vendor/blamejs/lib/safe-async.js +2 -2
  245. package/lib/vendor/blamejs/lib/safe-decompress.js +1 -1
  246. package/lib/vendor/blamejs/lib/safe-dns.js +71 -71
  247. package/lib/vendor/blamejs/lib/safe-ical.js +19 -19
  248. package/lib/vendor/blamejs/lib/safe-icap.js +24 -24
  249. package/lib/vendor/blamejs/lib/safe-jsonpath.js +2 -2
  250. package/lib/vendor/blamejs/lib/safe-mime.js +10 -10
  251. package/lib/vendor/blamejs/lib/safe-mount-info.js +3 -3
  252. package/lib/vendor/blamejs/lib/safe-redirect.js +1 -1
  253. package/lib/vendor/blamejs/lib/safe-sieve.js +23 -23
  254. package/lib/vendor/blamejs/lib/safe-smtp.js +1 -1
  255. package/lib/vendor/blamejs/lib/safe-url.js +1 -1
  256. package/lib/vendor/blamejs/lib/safe-vcard.js +14 -14
  257. package/lib/vendor/blamejs/lib/sandbox.js +5 -5
  258. package/lib/vendor/blamejs/lib/sec-cyber.js +1 -1
  259. package/lib/vendor/blamejs/lib/self-update-standalone-verifier.js +3 -3
  260. package/lib/vendor/blamejs/lib/self-update.js +3 -3
  261. package/lib/vendor/blamejs/lib/server-timing.js +3 -3
  262. package/lib/vendor/blamejs/lib/session-device-binding.js +7 -7
  263. package/lib/vendor/blamejs/lib/session.js +8 -8
  264. package/lib/vendor/blamejs/lib/sse.js +12 -5
  265. package/lib/vendor/blamejs/lib/standard-webhooks.js +4 -4
  266. package/lib/vendor/blamejs/lib/storage.js +2 -2
  267. package/lib/vendor/blamejs/lib/stream-throttle.js +3 -3
  268. package/lib/vendor/blamejs/lib/structured-fields.js +15 -15
  269. package/lib/vendor/blamejs/lib/subject.js +1 -1
  270. package/lib/vendor/blamejs/lib/tcpa-10dlc.js +1 -1
  271. package/lib/vendor/blamejs/lib/tenant-quota.js +3 -3
  272. package/lib/vendor/blamejs/lib/test-harness.js +1 -1
  273. package/lib/vendor/blamejs/lib/tracing.js +1 -1
  274. package/lib/vendor/blamejs/lib/tsa.js +5 -5
  275. package/lib/vendor/blamejs/lib/uri-template.js +5 -5
  276. package/lib/vendor/blamejs/lib/vault/index.js +2 -2
  277. package/lib/vendor/blamejs/lib/vault/seal-pem-file.js +4 -4
  278. package/lib/vendor/blamejs/lib/vc.js +2 -2
  279. package/lib/vendor/blamejs/lib/vendor-data.js +1 -1
  280. package/lib/vendor/blamejs/lib/watcher.js +4 -4
  281. package/lib/vendor/blamejs/lib/web-push-vapid.js +21 -21
  282. package/lib/vendor/blamejs/lib/webhook.js +2 -2
  283. package/lib/vendor/blamejs/lib/websocket.js +5 -5
  284. package/lib/vendor/blamejs/lib/worker-pool.js +3 -3
  285. package/lib/vendor/blamejs/lib/ws-client.js +24 -24
  286. package/lib/vendor/blamejs/lib/xml-c14n.js +2 -2
  287. package/lib/vendor/blamejs/package.json +1 -1
  288. package/lib/vendor/blamejs/release-notes/v0.13.x.json +1248 -0
  289. package/lib/vendor/blamejs/release-notes/v0.14.0.json +43 -0
  290. package/lib/vendor/blamejs/release-notes/v0.14.1.json +60 -0
  291. package/lib/vendor/blamejs/release-notes/v0.14.2.json +18 -0
  292. package/lib/vendor/blamejs/release-notes/v0.14.3.json +18 -0
  293. package/lib/vendor/blamejs/release-notes/v0.14.4.json +18 -0
  294. package/lib/vendor/blamejs/release-notes/v0.14.5.json +18 -0
  295. package/lib/vendor/blamejs/test/00-primitives.js +15 -0
  296. package/lib/vendor/blamejs/test/layer-0-primitives/age-gate.test.js +22 -0
  297. package/lib/vendor/blamejs/test/layer-0-primitives/auth-jar.test.js +29 -0
  298. package/lib/vendor/blamejs/test/layer-0-primitives/codebase-patterns.test.js +105 -9
  299. package/lib/vendor/blamejs/test/layer-0-primitives/compliance-ai-act.test.js +15 -0
  300. package/lib/vendor/blamejs/test/layer-0-primitives/graphql-federation.test.js +10 -0
  301. package/lib/vendor/blamejs/test/layer-0-primitives/http-client-cache.test.js +12 -0
  302. package/lib/vendor/blamejs/test/layer-0-primitives/mail-crypto-pgp.test.js +7 -0
  303. package/lib/vendor/blamejs/test/layer-0-primitives/network-tls.test.js +11 -5
  304. package/lib/vendor/blamejs/test/layer-0-primitives/rate-limit-registry.test.js +34 -0
  305. package/lib/vendor/blamejs/test/layer-0-primitives/sse.test.js +12 -0
  306. package/package.json +1 -1
  307. package/lib/vendor/blamejs/release-notes/v0.13.0.json +0 -22
  308. package/lib/vendor/blamejs/release-notes/v0.13.1.json +0 -18
  309. package/lib/vendor/blamejs/release-notes/v0.13.10.json +0 -44
  310. package/lib/vendor/blamejs/release-notes/v0.13.11.json +0 -27
  311. package/lib/vendor/blamejs/release-notes/v0.13.12.json +0 -36
  312. package/lib/vendor/blamejs/release-notes/v0.13.13.json +0 -18
  313. package/lib/vendor/blamejs/release-notes/v0.13.14.json +0 -22
  314. package/lib/vendor/blamejs/release-notes/v0.13.15.json +0 -27
  315. package/lib/vendor/blamejs/release-notes/v0.13.16.json +0 -27
  316. package/lib/vendor/blamejs/release-notes/v0.13.17.json +0 -27
  317. package/lib/vendor/blamejs/release-notes/v0.13.18.json +0 -18
  318. package/lib/vendor/blamejs/release-notes/v0.13.19.json +0 -27
  319. package/lib/vendor/blamejs/release-notes/v0.13.2.json +0 -27
  320. package/lib/vendor/blamejs/release-notes/v0.13.20.json +0 -22
  321. package/lib/vendor/blamejs/release-notes/v0.13.21.json +0 -18
  322. package/lib/vendor/blamejs/release-notes/v0.13.22.json +0 -18
  323. package/lib/vendor/blamejs/release-notes/v0.13.23.json +0 -42
  324. package/lib/vendor/blamejs/release-notes/v0.13.24.json +0 -26
  325. package/lib/vendor/blamejs/release-notes/v0.13.25.json +0 -39
  326. package/lib/vendor/blamejs/release-notes/v0.13.26.json +0 -31
  327. package/lib/vendor/blamejs/release-notes/v0.13.27.json +0 -34
  328. package/lib/vendor/blamejs/release-notes/v0.13.28.json +0 -30
  329. package/lib/vendor/blamejs/release-notes/v0.13.29.json +0 -30
  330. package/lib/vendor/blamejs/release-notes/v0.13.3.json +0 -18
  331. package/lib/vendor/blamejs/release-notes/v0.13.30.json +0 -30
  332. package/lib/vendor/blamejs/release-notes/v0.13.31.json +0 -26
  333. package/lib/vendor/blamejs/release-notes/v0.13.32.json +0 -34
  334. package/lib/vendor/blamejs/release-notes/v0.13.33.json +0 -26
  335. package/lib/vendor/blamejs/release-notes/v0.13.34.json +0 -48
  336. package/lib/vendor/blamejs/release-notes/v0.13.35.json +0 -35
  337. package/lib/vendor/blamejs/release-notes/v0.13.36.json +0 -27
  338. package/lib/vendor/blamejs/release-notes/v0.13.37.json +0 -18
  339. package/lib/vendor/blamejs/release-notes/v0.13.38.json +0 -27
  340. package/lib/vendor/blamejs/release-notes/v0.13.39.json +0 -27
  341. package/lib/vendor/blamejs/release-notes/v0.13.4.json +0 -23
  342. package/lib/vendor/blamejs/release-notes/v0.13.40.json +0 -22
  343. package/lib/vendor/blamejs/release-notes/v0.13.41.json +0 -27
  344. package/lib/vendor/blamejs/release-notes/v0.13.42.json +0 -18
  345. package/lib/vendor/blamejs/release-notes/v0.13.43.json +0 -39
  346. package/lib/vendor/blamejs/release-notes/v0.13.44.json +0 -31
  347. package/lib/vendor/blamejs/release-notes/v0.13.45.json +0 -31
  348. package/lib/vendor/blamejs/release-notes/v0.13.46.json +0 -35
  349. package/lib/vendor/blamejs/release-notes/v0.13.5.json +0 -18
  350. package/lib/vendor/blamejs/release-notes/v0.13.6.json +0 -18
  351. package/lib/vendor/blamejs/release-notes/v0.13.7.json +0 -27
  352. package/lib/vendor/blamejs/release-notes/v0.13.8.json +0 -27
  353. package/lib/vendor/blamejs/release-notes/v0.13.9.json +0 -27
@@ -574,7 +574,7 @@ function _parseMultipartHeaders(rawHeaders) {
574
574
  var line = lines[i];
575
575
  if (!line) continue;
576
576
  var first = line.charCodeAt(0);
577
- if (first === 32 || first === 9) { // allow:raw-byte-literal — SP/HTAB obs-fold sentinels
577
+ if (first === 32 || first === 9) { // SP/HTAB obs-fold sentinels
578
578
  throw new BodyParserError(
579
579
  "body-parser/multipart-obs-fold",
580
580
  "multipart part header uses obsolete line folding (RFC 9112 §5.2)",
@@ -587,7 +587,7 @@ function _parseMultipartHeaders(rawHeaders) {
587
587
  var v = line.slice(idx + 1).trim();
588
588
  for (var j = 0; j < v.length; j++) {
589
589
  var c = v.charCodeAt(j);
590
- if (c === 0 || c === 10 || c === 13) { // allow:raw-byte-literal — NUL/LF/CR forbidden in field-value (RFC 9110 §5.5)
590
+ if (c === 0 || c === 10 || c === 13) { // NUL/LF/CR forbidden in field-value (RFC 9110 §5.5)
591
591
  throw new BodyParserError(
592
592
  "body-parser/multipart-bad-header-value",
593
593
  "multipart part header `" + k + "` contains CR/LF/NUL (RFC 9110 §5.5)",
@@ -674,8 +674,8 @@ async function _parseMultipart(req, opts, ctParams) {
674
674
  // newlines) drive quadratic match cost in scanners. Refuse at
675
675
  // the parse boundary so the rest of the engine doesn't have to
676
676
  // defend against them.
677
- if (boundary.length > 70 || // allow:raw-byte-literal — RFC 2046 §5.1.1 boundary length cap
678
- !/^[A-Za-z0-9'()+_,\-./:=?]{1,70}$/.test(boundary)) { // allow:raw-byte-literal — RFC 2046 §5.1.1 bchars + cap
677
+ if (boundary.length > 70 || // RFC 2046 §5.1.1 boundary length cap
678
+ !/^[A-Za-z0-9'()+_,\-./:=?]{1,70}$/.test(boundary)) { // RFC 2046 §5.1.1 bchars + cap
679
679
  throw new BodyParserError(
680
680
  "body-parser/multipart-bad-boundary",
681
681
  "multipart boundary violates RFC 2046 §5.1.1 (1-70 chars, bcharsnospace grammar)",
@@ -1353,7 +1353,7 @@ function create(opts) {
1353
1353
  outcome: "denied",
1354
1354
  metadata: {
1355
1355
  code: e.code || null,
1356
- message: (e && e.message) ? String(e.message).slice(0, 256) : "", // allow:raw-byte-literal — diagnostic-message clamp characters, not bytes
1356
+ message: (e && e.message) ? String(e.message).slice(0, 256) : "", // diagnostic-message clamp characters, not bytes
1357
1357
  },
1358
1358
  });
1359
1359
  } catch (_e) { /* audit best-effort */ }
@@ -85,20 +85,20 @@ var ComposePipelineError = defineClass("ComposePipelineError", { alwaysPermanent
85
85
  // 60-89 : application handlers
86
86
  // >= 90 : error-handler (must be last; trailing catch)
87
87
  var CANONICAL_POSITIONS = Object.freeze({
88
- requestId: 5, // allow:raw-byte-literal — canonical position bucket
89
- apiEncrypt: 10, // allow:raw-byte-literal — canonical position bucket
90
- bodyParser: 20, // allow:raw-byte-literal — canonical position bucket
91
- cspNonce: 22, // allow:raw-byte-literal — canonical position bucket
92
- securityHeaders: 25, // allow:raw-byte-literal — canonical position bucket
93
- csrf: 30, // allow:raw-byte-literal — canonical position bucket
94
- idempotency: 30, // allow:raw-byte-literal — canonical position bucket (same as csrf)
95
- fetchMetadata: 32, // allow:raw-byte-literal — canonical position bucket
96
- rateLimit: 40, // allow:raw-byte-literal — canonical position bucket
97
- botGuard: 42, // allow:raw-byte-literal — canonical position bucket
98
- requireAuth: 50, // allow:raw-byte-literal — canonical position bucket
99
- attachUser: 52, // allow:raw-byte-literal — canonical position bucket
100
- handler: 60, // allow:raw-byte-literal — canonical position bucket // allow:raw-time-literal — pipeline position int, not seconds
101
- errorHandler: 90, // allow:raw-byte-literal — canonical position bucket
88
+ requestId: 5, // canonical position bucket
89
+ apiEncrypt: 10, // canonical position bucket
90
+ bodyParser: 20, // canonical position bucket
91
+ cspNonce: 22, // canonical position bucket
92
+ securityHeaders: 25, // canonical position bucket
93
+ csrf: 30, // canonical position bucket
94
+ idempotency: 30, // canonical position bucket (same as csrf)
95
+ fetchMetadata: 32, // canonical position bucket
96
+ rateLimit: 40, // canonical position bucket
97
+ botGuard: 42, // canonical position bucket
98
+ requireAuth: 50, // canonical position bucket
99
+ attachUser: 52, // canonical position bucket
100
+ handler: 60, // allow:raw-time-literal — pipeline position int, not seconds
101
+ errorHandler: 90, // canonical position bucket
102
102
  });
103
103
 
104
104
  /**
@@ -154,7 +154,7 @@ function composePipeline(entries, opts) {
154
154
  throw new ComposePipelineError("compose-pipeline/bad-entry",
155
155
  "composePipeline: entry at index " + i + " must be an object");
156
156
  }
157
- if (typeof e.name !== "string" || e.name.length === 0 || e.name.length > 64) { // allow:raw-byte-literal — middleware-name cap
157
+ if (typeof e.name !== "string" || e.name.length === 0 || e.name.length > 64) { // middleware-name cap
158
158
  throw new ComposePipelineError("compose-pipeline/bad-entry",
159
159
  "composePipeline: entries[" + i + "].name must be a non-empty string ≤ 64 bytes");
160
160
  }
@@ -187,7 +187,7 @@ function composePipeline(entries, opts) {
187
187
  // natural sequential flow. Use 100 so canonical positions
188
188
  // (5..90) can interleave without colliding when an operator
189
189
  // mixes named + unnamed entries.
190
- position = (i + 1) * 100; // allow:raw-byte-literal — index→position scale; canonical-pos ceiling is 90
190
+ position = (i + 1) * 100; // index→position scale; canonical-pos ceiling is 90
191
191
  }
192
192
 
193
193
  if (Object.prototype.hasOwnProperty.call(seenPositions, position)) {
@@ -125,7 +125,7 @@ function create(opts) {
125
125
 
126
126
  return async function cspReport(req, res, _next) {
127
127
  if (req.method !== "POST") {
128
- res.writeHead(405, { "Allow": "POST" }); // allow:raw-byte-literal — HTTP 405 status
128
+ res.writeHead(405, { "Allow": "POST" }); // HTTP 405 status
129
129
  res.end();
130
130
  return;
131
131
  }
@@ -133,14 +133,14 @@ function create(opts) {
133
133
  try {
134
134
  body = await safeBuffer.boundedChunkCollector(req, { maxBytes: maxBytes });
135
135
  } catch (_e) {
136
- res.writeHead(413); // allow:raw-byte-literal — HTTP 413 status
136
+ res.writeHead(413); // HTTP 413 status
137
137
  res.end();
138
138
  return;
139
139
  }
140
140
  var parsed;
141
141
  try { parsed = safeJson.parse(body.toString("utf8")); }
142
142
  catch (_e) {
143
- res.writeHead(400); // allow:raw-byte-literal — HTTP 400 status
143
+ res.writeHead(400); // HTTP 400 status
144
144
  res.end();
145
145
  return;
146
146
  }
@@ -159,7 +159,7 @@ function create(opts) {
159
159
  try { onReport(normalized); } catch (_e) { /* hook best-effort */ }
160
160
  }
161
161
  }
162
- res.writeHead(204); // allow:raw-byte-literal — HTTP 204 status
162
+ res.writeHead(204); // HTTP 204 status
163
163
  res.end();
164
164
  };
165
165
  }
@@ -199,7 +199,7 @@ function create(opts) {
199
199
  var keys = Object.keys(req.headers);
200
200
  for (var hi = 0; hi < keys.length; hi++) {
201
201
  var v = req.headers[keys[hi]];
202
- inboundBytes += keys[hi].length + 2 + (typeof v === "string" ? v.length : 0) + 2; // allow:raw-byte-literal — ": " + "\r\n" overhead
202
+ inboundBytes += keys[hi].length + 2 + (typeof v === "string" ? v.length : 0) + 2; // ": " + "\r\n" overhead
203
203
  }
204
204
  }
205
205
  if (req.headers && req.headers["content-length"]) {
@@ -55,7 +55,7 @@ function _writeUnauthorized(res, errorCode, description, freshNonce) {
55
55
  // RFC 9449 §7 — error code is invalid_dpop_proof OR use_dpop_nonce.
56
56
  var challenge = 'DPoP error="' + errorCode + '", error_description="' +
57
57
  description.replace(/"/g, "'") + '"';
58
- var headers = { // allow:raw-byte-literal — HTTP 401 status
58
+ var headers = { // HTTP 401 status
59
59
  "Content-Type": "application/json; charset=utf-8",
60
60
  "Content-Length": Buffer.byteLength(body),
61
61
  "WWW-Authenticate": challenge,
@@ -104,7 +104,7 @@ function _detectIssues(headers, opts) {
104
104
  }
105
105
  for (var ci = 0; ci < v.length; ci += 1) {
106
106
  var cc = v.charCodeAt(ci);
107
- if (cc === 0x0D || cc === 0x0A || cc === 0x00) { // allow:raw-byte-literal — CR / LF / NUL forbidden in header value
107
+ if (cc === 0x0D || cc === 0x0A || cc === 0x00) { // CR / LF / NUL forbidden in header value
108
108
  issues.push({
109
109
  kind: "header-value-control-byte", severity: "high", header: name,
110
110
  snippet: "header `" + name + "` value contains CR / LF / NUL " +
@@ -200,7 +200,7 @@ function create(opts) {
200
200
  var refuseOnHigh = opts.refuseOnHigh !== false && mode === "enforce";
201
201
  var audit = opts.audit || null;
202
202
  var resolved = {
203
- maxHeaderCount: opts.maxHeaderCount || 100, // allow:raw-byte-literal — header count ceiling
203
+ maxHeaderCount: opts.maxHeaderCount || 100, // header count ceiling
204
204
  maxValueBytes: opts.maxValueBytes || 8 * 1024, // allow:raw-byte-literal — header value cap (8 KiB)
205
205
  trustProxy: !!opts.trustProxy,
206
206
  };
@@ -131,7 +131,7 @@ function create(opts) {
131
131
  hosts.push(n);
132
132
  }
133
133
 
134
- var denyStatus = (typeof opts.denyStatus === "number") ? opts.denyStatus : 421; // allow:raw-byte-literal — HTTP 421 status
134
+ var denyStatus = (typeof opts.denyStatus === "number") ? opts.denyStatus : 421; // HTTP 421 status
135
135
  var denyBody = typeof opts.denyBody === "string" ? opts.denyBody : "Misdirected Request";
136
136
  var auditOn = opts.audit !== false;
137
137
 
@@ -69,8 +69,8 @@ var DEFAULT_METHODS = Object.freeze(["POST", "PUT", "PATCH", "DELETE"]);
69
69
  // control chars, length 1..255 (typical client implementations cap
70
70
  // at 36 for UUID + a few extra for vendor prefixes; 255 is the
71
71
  // upper bound that still fits a single HTTP header line).
72
- var KEY_RE = /^[\x21-\x7E]+$/; // allow:raw-byte-literal — printable ASCII codepoint range
73
- var KEY_MAX_LEN = 255; // allow:raw-byte-literal — draft §2 upper bound
72
+ var KEY_RE = /^[\x21-\x7E]+$/; // printable ASCII codepoint range
73
+ var KEY_MAX_LEN = 255; // draft §2 upper bound
74
74
 
75
75
  /**
76
76
  * @primitive b.middleware.idempotencyKey.memoryStore
@@ -101,7 +101,7 @@ function memoryStore(opts) {
101
101
  opts = opts || {};
102
102
  numericBounds.requirePositiveFiniteIntIfPresent(
103
103
  opts.maxEntries, "memoryStore.maxEntries", IdempotencyError, "idempotency/bad-max-entries");
104
- var maxEntries = opts.maxEntries !== undefined ? opts.maxEntries : 10000; // allow:raw-byte-literal — default in-memory cap, not bytes
104
+ var maxEntries = opts.maxEntries !== undefined ? opts.maxEntries : 10000; // default in-memory cap, not bytes
105
105
  var data = new Map();
106
106
  return {
107
107
  get: function (key) {
@@ -705,7 +705,7 @@ function create(opts) {
705
705
  var missing = problemDetails().create({
706
706
  type: problemDetails().getBase() + "/idempotency/missing-key",
707
707
  title: "Idempotency-Key header required",
708
- status: 400, // allow:raw-byte-literal — HTTP status 400 Bad Request
708
+ status: 400, // HTTP status 400 Bad Request
709
709
  detail: "This endpoint requires an Idempotency-Key header (draft-ietf-httpapi-idempotency-key).",
710
710
  });
711
711
  _emitAudit("idempotency.missing_key", { method: method, path: req.url }, "denied");
@@ -716,7 +716,7 @@ function create(opts) {
716
716
  var bad = problemDetails().create({
717
717
  type: problemDetails().getBase() + "/idempotency/bad-key",
718
718
  title: "Idempotency-Key malformed",
719
- status: 400, // allow:raw-byte-literal — HTTP status 400
719
+ status: 400, // HTTP status 400
720
720
  detail: "Idempotency-Key must be ASCII printable, length 1.." + KEY_MAX_LEN + " (draft §2).",
721
721
  });
722
722
  _emitAudit("idempotency.bad_key", { method: method, keyLen: key.length }, "denied");
@@ -781,7 +781,7 @@ function create(opts) {
781
781
  var missingBody = problemDetails().create({
782
782
  type: problemDetails().getBase() + "/idempotency/missing-body-fingerprint",
783
783
  title: "Idempotency body fingerprint unavailable",
784
- status: 400, // allow:raw-byte-literal — HTTP status 400 Bad Request
784
+ status: 400, // HTTP status 400 Bad Request
785
785
  detail: "The idempotency middleware could not derive a body fingerprint for this " +
786
786
  "request. Mount body-parser BEFORE the idempotency middleware, OR provide an " +
787
787
  "opts.bodyFingerprint(req) hook. To restore the pre-0.9.58 method+path-only " +
@@ -809,7 +809,7 @@ function create(opts) {
809
809
  var mismatch = problemDetails().create({
810
810
  type: problemDetails().getBase() + "/idempotency/key-reuse-mismatch",
811
811
  title: "Idempotency-Key reused with different request",
812
- status: 422, // allow:raw-byte-literal — HTTP status 422 Unprocessable Content (RFC 9110)
812
+ status: 422, // HTTP status 422 Unprocessable Content (RFC 9110)
813
813
  detail: "The Idempotency-Key matches a prior request but the request body/method/path differs (draft §4.3).",
814
814
  });
815
815
  _emitAudit("idempotency.key_reuse_mismatch",
@@ -865,10 +865,10 @@ function create(opts) {
865
865
  if (!captured) {
866
866
  captured = true;
867
867
  _pushChunk(chunk, encoding);
868
- var status = res.statusCode || 200; // allow:raw-byte-literal — default HTTP status 200
868
+ var status = res.statusCode || 200; // default HTTP status 200
869
869
  // Only persist 2xx-4xx responses; 5xx is transient infra
870
870
  // failure that should be retried fresh, not replayed.
871
- if (!oversized && status >= 200 && status < 500) { // allow:raw-byte-literal — HTTP status class boundaries
871
+ if (!oversized && status >= 200 && status < 500) { // HTTP status class boundaries
872
872
  var headerMap = {};
873
873
  try {
874
874
  var allHeaders = typeof res.getHeaders === "function" ? res.getHeaders() : {};
@@ -913,13 +913,13 @@ function _hashKey(key) {
913
913
  // Hash before logging — operator's audit chain shouldn't carry raw
914
914
  // idempotency keys (clients sometimes inadvertently put PII / order
915
915
  // numbers in them).
916
- return nodeCrypto.createHash("sha3-256").update(key, "utf8").digest("hex").slice(0, 16); // allow:raw-byte-literal — log-truncation length, not bytes
916
+ return nodeCrypto.createHash("sha3-256").update(key, "utf8").digest("hex").slice(0, 16); // log-truncation length, not bytes
917
917
  }
918
918
 
919
919
  function _redactKey(key) {
920
920
  if (typeof key !== "string") return "<non-string>";
921
- if (key.length <= 8) return "<short:" + key.length + ">"; // allow:raw-byte-literal — log-redaction length threshold
922
- return key.slice(0, 4) + "..." + key.slice(-2) + " (len=" + key.length + ")"; // allow:raw-byte-literal — log-redaction prefix/suffix lengths
921
+ if (key.length <= 8) return "<short:" + key.length + ">"; // log-redaction length threshold
922
+ return key.slice(0, 4) + "..." + key.slice(-2) + " (len=" + key.length + ")"; // log-redaction prefix/suffix lengths
923
923
  }
924
924
 
925
925
  /**
@@ -149,7 +149,7 @@ function create(opts) {
149
149
  // honor secure-origin report endpoints. Refusing at config-time so
150
150
  // an operator typo (`http://`) surfaces at boot, not as silent
151
151
  // never-fires-in-production.
152
- if (opts.collectorUrl.slice(0, 8) !== "https://") { // allow:raw-byte-literal — string-prefix length, not bytes
152
+ if (opts.collectorUrl.slice(0, 8) !== "https://") { // string-prefix length, not bytes
153
153
  throw new TypeError(
154
154
  "middleware.nel: opts.collectorUrl must be https:// (browsers " +
155
155
  "ignore non-secure NEL collectors); got " + opts.collectorUrl);
@@ -113,7 +113,7 @@ function create(opts) {
113
113
  function _writeBody(req, res, body, etag, contentType) {
114
114
  var requestEtag = (req.headers && req.headers["if-none-match"]) || null;
115
115
  if (requestEtag && requestEtag === etag) {
116
- res.writeHead(304, { "ETag": etag, "Cache-Control": cacheControl }); // allow:raw-byte-literal — HTTP 304
116
+ res.writeHead(304, { "ETag": etag, "Cache-Control": cacheControl }); // HTTP 304
117
117
  res.end();
118
118
  return;
119
119
  }
@@ -126,7 +126,7 @@ function create(opts) {
126
126
  if (accessControl === "public") {
127
127
  headers["Access-Control-Allow-Origin"] = "*";
128
128
  }
129
- res.writeHead(200, headers); // allow:raw-byte-literal — HTTP 200
129
+ res.writeHead(200, headers); // HTTP 200
130
130
  res.end(body);
131
131
  }
132
132
 
@@ -214,8 +214,8 @@ function create(opts) {
214
214
  var signAlgo = null;
215
215
  if (sm.alg === "ES256") { signAlgo = "sha256"; signParams.dsaEncoding = "ieee-p1363"; }
216
216
  else if (sm.alg === "ES384") { signAlgo = "sha384"; signParams.dsaEncoding = "ieee-p1363"; }
217
- else if (sm.alg === "PS256") { signAlgo = "sha256"; signParams.padding = nodeCrypto.constants.RSA_PKCS1_PSS_PADDING; signParams.saltLength = 32; } // allow:raw-byte-literal — RFC 7518 PS256 salt
218
- else if (sm.alg === "PS384") { signAlgo = "sha384"; signParams.padding = nodeCrypto.constants.RSA_PKCS1_PSS_PADDING; signParams.saltLength = 48; } // allow:raw-byte-literal — RFC 7518 PS384 salt
217
+ else if (sm.alg === "PS256") { signAlgo = "sha256"; signParams.padding = nodeCrypto.constants.RSA_PKCS1_PSS_PADDING; signParams.saltLength = 32; } // RFC 7518 PS256 salt
218
+ else if (sm.alg === "PS384") { signAlgo = "sha384"; signParams.padding = nodeCrypto.constants.RSA_PKCS1_PSS_PADDING; signParams.saltLength = 48; } // RFC 7518 PS384 salt
219
219
  var sig = nodeCrypto.sign(signAlgo, Buffer.from(input, "ascii"), signParams);
220
220
  signedJwt = input + "." + _b64url(sig);
221
221
  }
@@ -364,6 +364,7 @@ function _resolveBackend(opts) {
364
364
  * statusOnLimit: number, // default 429
365
365
  * bodyOnLimit: string, // default "Too Many Requests"
366
366
  * header: boolean, // default true
367
+ * headerPrefix: string, // default "X-RateLimit-" — builds <prefix>Limit / <prefix>Remaining (e.g. "RateLimit-" for the IETF draft names)
367
368
  * skipPaths: Array<string|RegExp>,
368
369
  * scope: "global"|"per-route",
369
370
  * backend: "memory"|"cluster"|{ take, reset },
@@ -390,7 +391,7 @@ function _resolveBackend(opts) {
390
391
  function create(opts) {
391
392
  opts = opts || {};
392
393
  validateOpts(opts, [
393
- "keyFn", "statusOnLimit", "bodyOnLimit", "header", "skipPaths", "scope",
394
+ "keyFn", "statusOnLimit", "bodyOnLimit", "header", "headerPrefix", "skipPaths", "scope",
394
395
  "backend", "trustProxy", "algorithm",
395
396
  // memory backend (token-bucket)
396
397
  "burst", "refillPerSecond",
@@ -404,6 +405,14 @@ function create(opts) {
404
405
  var statusOnLimit = opts.statusOnLimit || 429;
405
406
  var bodyOnLimit = opts.bodyOnLimit !== undefined ? opts.bodyOnLimit : "Too Many Requests";
406
407
  var emitHeaders = opts.header !== false;
408
+ // headerPrefix (default "X-RateLimit-") builds the limit/remaining header
409
+ // names as <prefix>Limit / <prefix>Remaining. The X-RateLimit-* family is a
410
+ // de-facto convention, not RFC-pinned — operators matching the IETF draft
411
+ // pass "RateLimit-", or a gateway's own prefix. Kept as a matched pair.
412
+ var headerPrefix = (typeof opts.headerPrefix === "string" && opts.headerPrefix.length > 0)
413
+ ? opts.headerPrefix : "X-RateLimit-";
414
+ var limitHeader = headerPrefix + "Limit";
415
+ var remainingHeader = headerPrefix + "Remaining";
407
416
  var skipPaths = opts.skipPaths || [];
408
417
  // Throw at create(): each entry must be a string prefix or a RegExp.
409
418
  // Anything else would crash _shouldSkip with TypeError on the first request.
@@ -429,8 +438,8 @@ function create(opts) {
429
438
 
430
439
  function _writeBlocked(req, res, k, verdict) {
431
440
  if (emitHeaders && typeof res.setHeader === "function") {
432
- res.setHeader("X-RateLimit-Limit", String(verdict.limit));
433
- res.setHeader("X-RateLimit-Remaining", String(verdict.remaining));
441
+ res.setHeader(limitHeader, String(verdict.limit));
442
+ res.setHeader(remainingHeader, String(verdict.remaining));
434
443
  if (verdict.retryAfter > 0) res.setHeader("Retry-After", String(verdict.retryAfter));
435
444
  }
436
445
  try {
@@ -459,8 +468,8 @@ function create(opts) {
459
468
 
460
469
  function _handle(verdict) {
461
470
  if (emitHeaders && typeof res.setHeader === "function") {
462
- res.setHeader("X-RateLimit-Limit", String(verdict.limit));
463
- res.setHeader("X-RateLimit-Remaining", String(verdict.remaining));
471
+ res.setHeader(limitHeader, String(verdict.limit));
472
+ res.setHeader(remainingHeader, String(verdict.remaining));
464
473
  }
465
474
  if (!verdict.allowed) return _writeBlocked(req, res, k, verdict);
466
475
  next();
@@ -36,7 +36,7 @@ function _writeUnauthorized(res, requiredBand, actualBand, realm) {
36
36
  });
37
37
  var realmStr = realm ? ' realm="' + realm + '"' : "";
38
38
  var challenge = "AAL-StepUp" + realmStr + ', required="' + requiredBand + '"';
39
- res.writeHead(401, { // allow:raw-byte-literal — HTTP 401 status
39
+ res.writeHead(401, { // HTTP 401 status
40
40
  "Content-Type": "application/json; charset=utf-8",
41
41
  "Content-Length": Buffer.byteLength(body),
42
42
  "WWW-Authenticate": challenge,
@@ -215,12 +215,12 @@ function create(opts) {
215
215
  var presented;
216
216
  try { presented = getter(req); }
217
217
  catch (e) {
218
- return _refuse(res, 400, "bound-field-getter-threw", { // allow:raw-byte-literal — HTTP 400
218
+ return _refuse(res, 400, "bound-field-getter-threw", { // HTTP 400
219
219
  field: fieldName, error: (e && e.message) || String(e),
220
220
  });
221
221
  }
222
222
  if (typeof presented !== "string" || presented.length === 0) {
223
- return _refuse(res, 400, "bound-field-missing", { // allow:raw-byte-literal — HTTP 400
223
+ return _refuse(res, 400, "bound-field-missing", { // HTTP 400
224
224
  field: fieldName, keyId: record.id || null,
225
225
  });
226
226
  }
@@ -91,7 +91,7 @@ function create(allowed, opts) {
91
91
  if (bare.length > 0 && normalized.indexOf(bare) !== -1) return next();
92
92
  if (!res.headersSent) {
93
93
  var body = "Unsupported Media Type";
94
- res.writeHead(415, { // allow:raw-byte-literal — HTTP 415 status
94
+ res.writeHead(415, { // HTTP 415 status
95
95
  "Accept": normalized.join(", "),
96
96
  "Content-Type": "text/plain; charset=utf-8",
97
97
  "Content-Length": Buffer.byteLength(body),
@@ -75,7 +75,7 @@ function create(allowed, opts) {
75
75
  if (normalized.indexOf(m) !== -1) return next();
76
76
  if (!res.headersSent) {
77
77
  var body = "Method Not Allowed";
78
- res.writeHead(405, { // allow:raw-byte-literal — HTTP 405 status
78
+ res.writeHead(405, { // HTTP 405 status
79
79
  "Allow": allowHeader,
80
80
  "Content-Type": "text/plain; charset=utf-8",
81
81
  "Content-Length": Buffer.byteLength(body),
@@ -67,7 +67,7 @@ function _defaultGetClaims(req) {
67
67
  function _writeChallenge(res, challenge, body, statusCode) {
68
68
  if (res.headersSent) return;
69
69
  var json = JSON.stringify(body);
70
- res.writeHead(statusCode, { // allow:raw-byte-literal — HTTP status passthrough
70
+ res.writeHead(statusCode, { // HTTP status passthrough
71
71
  "Content-Type": "application/json; charset=utf-8",
72
72
  "Content-Length": Buffer.byteLength(json),
73
73
  "WWW-Authenticate": challenge,
@@ -218,7 +218,7 @@ function create(opts) {
218
218
  error: stepUp().INSUFFICIENT_USER_AUTHENTICATION,
219
219
  error_description: errorDesc || "A higher level of authentication is required",
220
220
  },
221
- 401 // allow:raw-byte-literal — HTTP 401
221
+ 401 // HTTP 401
222
222
  );
223
223
  };
224
224
  }
@@ -61,7 +61,7 @@ function create(opts) {
61
61
  if (opts.groups) _validateResourceImpl(opts.groups, "groups");
62
62
 
63
63
  var basePath = opts.basePath || "/scim/v2";
64
- var maxPageSize = opts.maxPageSize || 200; // allow:raw-byte-literal — page-size count, not bytes
64
+ var maxPageSize = opts.maxPageSize || 200; // page-size count, not bytes
65
65
  var bearer = opts.bearer || null;
66
66
 
67
67
  function middleware(req, res, next) {
@@ -144,15 +144,15 @@ function create(opts) {
144
144
  (alsoAtRoot && path === "/security.txt");
145
145
  if (!matches) return next();
146
146
  if (req.method !== "GET" && req.method !== "HEAD") {
147
- res.writeHead(405, { // allow:raw-byte-literal — HTTP 405 status
147
+ res.writeHead(405, { // HTTP 405 status
148
148
  "Allow": "GET, HEAD",
149
149
  "Content-Type": "text/plain; charset=utf-8",
150
- "Content-Length": 18, // allow:raw-byte-literal — len of "Method Not Allowed"
150
+ "Content-Length": 18, // len of "Method Not Allowed"
151
151
  });
152
152
  res.end("Method Not Allowed");
153
153
  return;
154
154
  }
155
- res.writeHead(200, { // allow:raw-byte-literal — HTTP 200 status
155
+ res.writeHead(200, { // HTTP 200 status
156
156
  "Content-Type": "text/plain; charset=utf-8",
157
157
  "Content-Length": bodyBuf.length,
158
158
  "Cache-Control": "public, max-age=86400",
@@ -90,6 +90,7 @@ function _formatEvent(msg) {
90
90
  * {
91
91
  * heartbeatMs: number|false, // default 15000
92
92
  * headers: object, // extra response headers
93
+ * proxyBuffer: boolean, // default true — sets X-Accel-Buffering: no; false to suppress
93
94
  * }
94
95
  *
95
96
  * @example
@@ -105,13 +106,17 @@ function create(handler, opts) {
105
106
  throw new Error("middleware.sse: handler must be a function (channel, req) => ...");
106
107
  }
107
108
  opts = opts || {};
108
- validateOpts(opts, ["heartbeatMs", "headers"], "middleware.sse");
109
+ validateOpts(opts, ["heartbeatMs", "headers", "proxyBuffer"], "middleware.sse");
109
110
  var heartbeatMs = opts.heartbeatMs === false ? 0
110
111
  : (opts.heartbeatMs != null ? opts.heartbeatMs : DEFAULT_HEARTBEAT_MS);
111
112
  if (heartbeatMs !== 0 && (typeof heartbeatMs !== "number" || !isFinite(heartbeatMs) || heartbeatMs <= 0)) {
112
113
  throw new Error("middleware.sse: heartbeatMs must be a positive finite number or false");
113
114
  }
114
115
  var extraHeaders = opts.headers || {};
116
+ // proxyBuffer (default true) sets `X-Accel-Buffering: no` (the nginx hint
117
+ // that disables proxy buffering). Pass false when not behind nginx, or
118
+ // when buffering is controlled at the load balancer, to suppress it.
119
+ var proxyBuffer = opts.proxyBuffer !== false;
115
120
 
116
121
  return async function sseMiddleware(req, res) {
117
122
  if (typeof res.writeHead !== "function" || typeof res.write !== "function") {
@@ -119,13 +124,14 @@ function create(handler, opts) {
119
124
  // unusual. Fail closed rather than silently dropping the handler.
120
125
  throw new Error("middleware.sse: res does not support writeHead/write — wire SSE only on HTTP routes");
121
126
  }
122
- var headers = Object.assign({
123
- "Content-Type": "text/event-stream; charset=utf-8",
124
- "Cache-Control": "no-cache, no-transform",
125
- "Connection": "keep-alive",
126
- // Disable nginx response buffering when terminating behind it.
127
- "X-Accel-Buffering": "no",
128
- }, extraHeaders);
127
+ var baseHeaders = {
128
+ "Content-Type": "text/event-stream; charset=utf-8",
129
+ "Cache-Control": "no-cache, no-transform",
130
+ "Connection": "keep-alive",
131
+ };
132
+ // Disable nginx response buffering when terminating behind it.
133
+ if (proxyBuffer) baseHeaders["X-Accel-Buffering"] = "no";
134
+ var headers = Object.assign(baseHeaders, extraHeaders);
129
135
  // Append Vary: Accept so a proxy doesn't serve a cached non-SSE
130
136
  // response on the same URL to a future client.
131
137
  res.writeHead(requestHelpers.HTTP_STATUS.OK, headers);
@@ -59,18 +59,18 @@ var TUS_ID_BYTES = C.BYTES.bytes(18);
59
59
 
60
60
  // HTTP status codes used by TUS — hoisted to named constants so the
61
61
  // raw-byte-literal detector doesn't fire on every status path.
62
- var STATUS_OK = 200; // allow:raw-byte-literal — HTTP status
63
- var STATUS_CREATED = 201; // allow:raw-byte-literal — HTTP status
64
- var STATUS_NO_CONTENT = 204; // allow:raw-byte-literal — HTTP status
65
- var STATUS_BAD_REQUEST = 400; // allow:raw-byte-literal — HTTP status
66
- var STATUS_NOT_FOUND = 404; // allow:raw-byte-literal — HTTP status
67
- var STATUS_METHOD_NOT_ALLOWED = 405; // allow:raw-byte-literal — HTTP status
68
- var STATUS_CONFLICT = 409; // allow:raw-byte-literal — HTTP status
69
- var STATUS_PRECONDITION_FAILED = 412; // allow:raw-byte-literal — HTTP status
70
- var STATUS_PAYLOAD_TOO_LARGE = 413; // allow:raw-byte-literal — HTTP status
71
- var STATUS_UNSUPPORTED_MEDIA = 415; // allow:raw-byte-literal — HTTP status
72
- var STATUS_CHECKSUM_MISMATCH = 460; // allow:raw-byte-literal — TUS-specific status (§3.5)
73
- var STATUS_INTERNAL_ERROR = 500; // allow:raw-byte-literal — HTTP status
62
+ var STATUS_OK = 200; // HTTP status
63
+ var STATUS_CREATED = 201; // HTTP status
64
+ var STATUS_NO_CONTENT = 204; // HTTP status
65
+ var STATUS_BAD_REQUEST = 400; // HTTP status
66
+ var STATUS_NOT_FOUND = 404; // HTTP status
67
+ var STATUS_METHOD_NOT_ALLOWED = 405; // HTTP status
68
+ var STATUS_CONFLICT = 409; // HTTP status
69
+ var STATUS_PRECONDITION_FAILED = 412; // HTTP status
70
+ var STATUS_PAYLOAD_TOO_LARGE = 413; // HTTP status
71
+ var STATUS_UNSUPPORTED_MEDIA = 415; // HTTP status
72
+ var STATUS_CHECKSUM_MISMATCH = 460; // TUS-specific status (§3.5)
73
+ var STATUS_INTERNAL_ERROR = 500; // HTTP status
74
74
 
75
75
  var TusError = defineClass("TusError", { alwaysPermanent: true });
76
76
 
@@ -136,7 +136,7 @@ function create(opts) {
136
136
  if (!matches) return next();
137
137
  if (req.method !== "GET" && req.method !== "HEAD") {
138
138
  var bodyMsg = "Method Not Allowed";
139
- res.writeHead(405, { // allow:raw-byte-literal — HTTP 405 status
139
+ res.writeHead(405, { // HTTP 405 status
140
140
  "Allow": "GET, HEAD",
141
141
  "Content-Type": "text/plain; charset=utf-8",
142
142
  "Content-Length": Buffer.byteLength(bodyMsg),
@@ -144,7 +144,7 @@ function create(opts) {
144
144
  res.end(bodyMsg);
145
145
  return;
146
146
  }
147
- res.writeHead(200, { // allow:raw-byte-literal — HTTP 200 status
147
+ res.writeHead(200, { // HTTP 200 status
148
148
  "Content-Type": "application/manifest+json",
149
149
  "Content-Length": bodyBuf.length,
150
150
  "Cache-Control": "public, max-age=86400",
@@ -48,7 +48,7 @@ var observability = lazyRequire(function () { return require("./observability");
48
48
 
49
49
  var ByteQuotaError = defineClass("ByteQuotaError", { alwaysPermanent: true });
50
50
 
51
- var BINS_PER_DAY = 24; // allow:raw-byte-literal — 24 hours in a day
51
+ var BINS_PER_DAY = 24; // 24 hours in a day
52
52
  var BIN_MS = C.TIME.hours(1);
53
53
 
54
54
  function _hourBin(nowMs) { return Math.floor(nowMs / BIN_MS); }