@blamejs/blamejs-shop 0.3.5 → 0.3.6
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/CHANGELOG.md +2 -0
- package/lib/asset-manifest.json +1 -1
- package/lib/vendor/MANIFEST.json +3 -3
- package/lib/vendor/blamejs/CHANGELOG.md +14 -0
- package/lib/vendor/blamejs/api-snapshot.json +2 -2
- package/lib/vendor/blamejs/lib/_test/crypto-fixtures.js +3 -3
- package/lib/vendor/blamejs/lib/a2a-tasks.js +24 -24
- package/lib/vendor/blamejs/lib/a2a.js +4 -4
- package/lib/vendor/blamejs/lib/acme.js +3 -3
- package/lib/vendor/blamejs/lib/agent-idempotency.js +1 -1
- package/lib/vendor/blamejs/lib/agent-orchestrator.js +8 -8
- package/lib/vendor/blamejs/lib/agent-posture-chain.js +2 -2
- package/lib/vendor/blamejs/lib/agent-saga.js +1 -1
- package/lib/vendor/blamejs/lib/agent-snapshot.js +1 -1
- package/lib/vendor/blamejs/lib/agent-stream.js +1 -1
- package/lib/vendor/blamejs/lib/agent-tenant.js +1 -1
- package/lib/vendor/blamejs/lib/agent-trace.js +3 -3
- package/lib/vendor/blamejs/lib/ai-capability.js +1 -1
- package/lib/vendor/blamejs/lib/ai-dp.js +4 -4
- package/lib/vendor/blamejs/lib/ai-input.js +4 -4
- package/lib/vendor/blamejs/lib/ai-model-manifest.js +7 -7
- package/lib/vendor/blamejs/lib/ai-pref.js +3 -3
- package/lib/vendor/blamejs/lib/archive-gz.js +2 -2
- package/lib/vendor/blamejs/lib/archive-read.js +25 -25
- package/lib/vendor/blamejs/lib/archive-tar-read.js +2 -2
- package/lib/vendor/blamejs/lib/archive-tar.js +20 -20
- package/lib/vendor/blamejs/lib/archive-wrap.js +10 -10
- package/lib/vendor/blamejs/lib/argon2-builtin.js +1 -1
- package/lib/vendor/blamejs/lib/asn1-der.js +45 -34
- package/lib/vendor/blamejs/lib/atomic-file.js +2 -2
- package/lib/vendor/blamejs/lib/audit-daily-review.js +3 -3
- package/lib/vendor/blamejs/lib/audit-sign.js +5 -5
- package/lib/vendor/blamejs/lib/audit-tools.js +1 -1
- package/lib/vendor/blamejs/lib/audit.js +2 -2
- package/lib/vendor/blamejs/lib/auth/acr-vocabulary.js +2 -2
- package/lib/vendor/blamejs/lib/auth/bot-challenge.js +3 -3
- package/lib/vendor/blamejs/lib/auth/ciba.js +7 -7
- package/lib/vendor/blamejs/lib/auth/dpop.js +3 -3
- package/lib/vendor/blamejs/lib/auth/fido-mds3.js +8 -8
- package/lib/vendor/blamejs/lib/auth/jar.js +11 -0
- package/lib/vendor/blamejs/lib/auth/jwt-external.js +5 -5
- package/lib/vendor/blamejs/lib/auth/oauth.js +7 -9
- package/lib/vendor/blamejs/lib/auth/oid4vci.js +10 -10
- package/lib/vendor/blamejs/lib/auth/oid4vp.js +2 -2
- package/lib/vendor/blamejs/lib/auth/openid-federation.js +2 -2
- package/lib/vendor/blamejs/lib/auth/passkey.js +3 -3
- package/lib/vendor/blamejs/lib/auth/saml.js +31 -43
- package/lib/vendor/blamejs/lib/auth/sd-jwt-vc-disclosure.js +1 -1
- package/lib/vendor/blamejs/lib/auth/sd-jwt-vc.js +5 -5
- package/lib/vendor/blamejs/lib/auth/status-list.js +10 -10
- package/lib/vendor/blamejs/lib/auth/step-up.js +1 -1
- package/lib/vendor/blamejs/lib/auth-bot-challenge.js +1 -1
- package/lib/vendor/blamejs/lib/backup/index.js +7 -7
- package/lib/vendor/blamejs/lib/base32.js +8 -8
- package/lib/vendor/blamejs/lib/budr.js +2 -2
- package/lib/vendor/blamejs/lib/cache-status.js +2 -2
- package/lib/vendor/blamejs/lib/calendar.js +29 -29
- package/lib/vendor/blamejs/lib/cbor.js +12 -12
- package/lib/vendor/blamejs/lib/cdn-cache-control.js +1 -1
- package/lib/vendor/blamejs/lib/cert.js +5 -5
- package/lib/vendor/blamejs/lib/cloud-events.js +5 -5
- package/lib/vendor/blamejs/lib/cms-codec.js +21 -21
- package/lib/vendor/blamejs/lib/codepoint-class.js +12 -12
- package/lib/vendor/blamejs/lib/compliance-sanctions-fuzzy.js +4 -4
- package/lib/vendor/blamejs/lib/compliance-sanctions.js +4 -4
- package/lib/vendor/blamejs/lib/compliance.js +29 -29
- package/lib/vendor/blamejs/lib/content-credentials.js +38 -38
- package/lib/vendor/blamejs/lib/cookies.js +1 -1
- package/lib/vendor/blamejs/lib/cose.js +13 -13
- package/lib/vendor/blamejs/lib/cra-report.js +1 -1
- package/lib/vendor/blamejs/lib/crdt.js +1 -1
- package/lib/vendor/blamejs/lib/crypto-field.js +2 -2
- package/lib/vendor/blamejs/lib/crypto-xwing.js +7 -7
- package/lib/vendor/blamejs/lib/crypto.js +6 -6
- package/lib/vendor/blamejs/lib/csp.js +2 -2
- package/lib/vendor/blamejs/lib/cwt.js +4 -4
- package/lib/vendor/blamejs/lib/dark-patterns.js +2 -2
- package/lib/vendor/blamejs/lib/data-act.js +2 -2
- package/lib/vendor/blamejs/lib/db-file-lifecycle.js +4 -4
- package/lib/vendor/blamejs/lib/db-query.js +1 -1
- package/lib/vendor/blamejs/lib/db.js +6 -6
- package/lib/vendor/blamejs/lib/dbsc.js +13 -13
- package/lib/vendor/blamejs/lib/did.js +17 -17
- package/lib/vendor/blamejs/lib/dora.js +4 -4
- package/lib/vendor/blamejs/lib/dsr.js +1 -1
- package/lib/vendor/blamejs/lib/early-hints.js +2 -2
- package/lib/vendor/blamejs/lib/eat.js +4 -4
- package/lib/vendor/blamejs/lib/external-db-migrate.js +1 -1
- package/lib/vendor/blamejs/lib/external-db.js +1 -1
- package/lib/vendor/blamejs/lib/flag-cache.js +1 -1
- package/lib/vendor/blamejs/lib/flag-evaluation-context.js +2 -2
- package/lib/vendor/blamejs/lib/graphql-federation.js +13 -6
- package/lib/vendor/blamejs/lib/guard-agent-registry.js +5 -5
- package/lib/vendor/blamejs/lib/guard-archive.js +24 -24
- package/lib/vendor/blamejs/lib/guard-cidr.js +34 -34
- package/lib/vendor/blamejs/lib/guard-csv.js +1 -1
- package/lib/vendor/blamejs/lib/guard-domain.js +10 -10
- package/lib/vendor/blamejs/lib/guard-dsn.js +4 -4
- package/lib/vendor/blamejs/lib/guard-email.js +19 -19
- package/lib/vendor/blamejs/lib/guard-event-bus-payload.js +4 -4
- package/lib/vendor/blamejs/lib/guard-event-bus-topic.js +6 -6
- package/lib/vendor/blamejs/lib/guard-filename.js +7 -7
- package/lib/vendor/blamejs/lib/guard-graphql.js +9 -9
- package/lib/vendor/blamejs/lib/guard-html-wcag-tagwalk.js +1 -1
- package/lib/vendor/blamejs/lib/guard-html-wcag.js +4 -4
- package/lib/vendor/blamejs/lib/guard-html.js +7 -7
- package/lib/vendor/blamejs/lib/guard-idempotency-key.js +6 -6
- package/lib/vendor/blamejs/lib/guard-image.js +4 -4
- package/lib/vendor/blamejs/lib/guard-imap-command.js +17 -17
- package/lib/vendor/blamejs/lib/guard-jmap.js +20 -20
- package/lib/vendor/blamejs/lib/guard-json.js +12 -12
- package/lib/vendor/blamejs/lib/guard-jsonpath.js +3 -3
- package/lib/vendor/blamejs/lib/guard-jwt.js +4 -4
- package/lib/vendor/blamejs/lib/guard-list-id.js +7 -7
- package/lib/vendor/blamejs/lib/guard-list-unsubscribe.js +8 -8
- package/lib/vendor/blamejs/lib/guard-mail-compose.js +4 -4
- package/lib/vendor/blamejs/lib/guard-mail-move.js +5 -5
- package/lib/vendor/blamejs/lib/guard-mail-query.js +3 -3
- package/lib/vendor/blamejs/lib/guard-mail-reply.js +3 -3
- package/lib/vendor/blamejs/lib/guard-mail-sieve.js +6 -6
- package/lib/vendor/blamejs/lib/guard-managesieve-command.js +25 -25
- package/lib/vendor/blamejs/lib/guard-markdown.js +31 -31
- package/lib/vendor/blamejs/lib/guard-message-id.js +5 -5
- package/lib/vendor/blamejs/lib/guard-mime.js +1 -1
- package/lib/vendor/blamejs/lib/guard-oauth.js +3 -3
- package/lib/vendor/blamejs/lib/guard-pdf.js +6 -6
- package/lib/vendor/blamejs/lib/guard-pop3-command.js +11 -11
- package/lib/vendor/blamejs/lib/guard-posture-chain.js +5 -5
- package/lib/vendor/blamejs/lib/guard-regex.js +10 -10
- package/lib/vendor/blamejs/lib/guard-saga-config.js +5 -5
- package/lib/vendor/blamejs/lib/guard-smtp-command.js +6 -6
- package/lib/vendor/blamejs/lib/guard-snapshot-envelope.js +3 -3
- package/lib/vendor/blamejs/lib/guard-stream-args.js +4 -4
- package/lib/vendor/blamejs/lib/guard-svg.js +11 -11
- package/lib/vendor/blamejs/lib/guard-tenant-id.js +5 -5
- package/lib/vendor/blamejs/lib/guard-time.js +15 -15
- package/lib/vendor/blamejs/lib/guard-trace-context.js +4 -4
- package/lib/vendor/blamejs/lib/guard-uuid.js +11 -11
- package/lib/vendor/blamejs/lib/guard-xml.js +12 -12
- package/lib/vendor/blamejs/lib/guard-yaml.js +16 -16
- package/lib/vendor/blamejs/lib/honeytoken.js +5 -5
- package/lib/vendor/blamejs/lib/http-client-cache.js +18 -1
- package/lib/vendor/blamejs/lib/http-client.js +13 -10
- package/lib/vendor/blamejs/lib/http-message-signature.js +2 -2
- package/lib/vendor/blamejs/lib/iab-mspa.js +3 -3
- package/lib/vendor/blamejs/lib/iab-tcf.js +70 -70
- package/lib/vendor/blamejs/lib/inbox.js +4 -4
- package/lib/vendor/blamejs/lib/ip-utils.js +15 -15
- package/lib/vendor/blamejs/lib/jose-jwe-experimental.js +2 -2
- package/lib/vendor/blamejs/lib/json-path.js +3 -3
- package/lib/vendor/blamejs/lib/json-schema.js +1 -1
- package/lib/vendor/blamejs/lib/jsonapi.js +3 -3
- package/lib/vendor/blamejs/lib/jtd.js +2 -2
- package/lib/vendor/blamejs/lib/link-header.js +1 -1
- package/lib/vendor/blamejs/lib/local-db-thin.js +1 -1
- package/lib/vendor/blamejs/lib/log.js +8 -3
- package/lib/vendor/blamejs/lib/lro.js +4 -4
- package/lib/vendor/blamejs/lib/mail-agent.js +1 -1
- package/lib/vendor/blamejs/lib/mail-arc-sign.js +6 -6
- package/lib/vendor/blamejs/lib/mail-auth.js +44 -44
- package/lib/vendor/blamejs/lib/mail-bimi.js +3 -3
- package/lib/vendor/blamejs/lib/mail-crypto-pgp.js +53 -45
- package/lib/vendor/blamejs/lib/mail-crypto-smime.js +6 -6
- package/lib/vendor/blamejs/lib/mail-dav.js +1 -1
- package/lib/vendor/blamejs/lib/mail-deploy.js +40 -40
- package/lib/vendor/blamejs/lib/mail-dkim.js +12 -12
- package/lib/vendor/blamejs/lib/mail-greylist.js +12 -12
- package/lib/vendor/blamejs/lib/mail-helo.js +1 -1
- package/lib/vendor/blamejs/lib/mail-journal.js +8 -8
- package/lib/vendor/blamejs/lib/mail-rbl.js +7 -7
- package/lib/vendor/blamejs/lib/mail-scan.js +7 -7
- package/lib/vendor/blamejs/lib/mail-send-deliver.js +2 -2
- package/lib/vendor/blamejs/lib/mail-server-imap.js +12 -12
- package/lib/vendor/blamejs/lib/mail-server-jmap.js +18 -20
- package/lib/vendor/blamejs/lib/mail-server-managesieve.js +4 -4
- package/lib/vendor/blamejs/lib/mail-server-mx.js +17 -17
- package/lib/vendor/blamejs/lib/mail-server-pop3.js +4 -4
- package/lib/vendor/blamejs/lib/mail-server-rate-limit.js +2 -2
- package/lib/vendor/blamejs/lib/mail-server-submission.js +21 -21
- package/lib/vendor/blamejs/lib/mail-sieve.js +2 -2
- package/lib/vendor/blamejs/lib/mail-spam-score.js +5 -5
- package/lib/vendor/blamejs/lib/mail-srs.js +12 -12
- package/lib/vendor/blamejs/lib/mail-store-fts.js +2 -2
- package/lib/vendor/blamejs/lib/mail-store.js +8 -8
- package/lib/vendor/blamejs/lib/mail-unsubscribe.js +4 -4
- package/lib/vendor/blamejs/lib/mail.js +4 -4
- package/lib/vendor/blamejs/lib/mcp-tool-registry.js +4 -4
- package/lib/vendor/blamejs/lib/mcp.js +15 -15
- package/lib/vendor/blamejs/lib/mdoc.js +2 -2
- package/lib/vendor/blamejs/lib/metrics.js +8 -8
- package/lib/vendor/blamejs/lib/middleware/age-gate.js +15 -3
- package/lib/vendor/blamejs/lib/middleware/ai-act-disclosure.js +11 -4
- package/lib/vendor/blamejs/lib/middleware/api-encrypt.js +7 -7
- package/lib/vendor/blamejs/lib/middleware/assetlinks.js +2 -2
- package/lib/vendor/blamejs/lib/middleware/asyncapi-serve.js +2 -2
- package/lib/vendor/blamejs/lib/middleware/bearer-auth.js +5 -5
- package/lib/vendor/blamejs/lib/middleware/body-parser.js +5 -5
- package/lib/vendor/blamejs/lib/middleware/compose-pipeline.js +16 -16
- package/lib/vendor/blamejs/lib/middleware/csp-report.js +4 -4
- package/lib/vendor/blamejs/lib/middleware/daily-byte-quota.js +1 -1
- package/lib/vendor/blamejs/lib/middleware/dpop.js +1 -1
- package/lib/vendor/blamejs/lib/middleware/headers.js +2 -2
- package/lib/vendor/blamejs/lib/middleware/host-allowlist.js +1 -1
- package/lib/vendor/blamejs/lib/middleware/idempotency-key.js +12 -12
- package/lib/vendor/blamejs/lib/middleware/nel.js +1 -1
- package/lib/vendor/blamejs/lib/middleware/openapi-serve.js +2 -2
- package/lib/vendor/blamejs/lib/middleware/protected-resource-metadata.js +2 -2
- package/lib/vendor/blamejs/lib/middleware/rate-limit.js +14 -5
- package/lib/vendor/blamejs/lib/middleware/require-aal.js +1 -1
- package/lib/vendor/blamejs/lib/middleware/require-bound-key.js +2 -2
- package/lib/vendor/blamejs/lib/middleware/require-content-type.js +1 -1
- package/lib/vendor/blamejs/lib/middleware/require-methods.js +1 -1
- package/lib/vendor/blamejs/lib/middleware/require-step-up.js +2 -2
- package/lib/vendor/blamejs/lib/middleware/scim-server.js +1 -1
- package/lib/vendor/blamejs/lib/middleware/security-txt.js +3 -3
- package/lib/vendor/blamejs/lib/middleware/sse.js +14 -8
- package/lib/vendor/blamejs/lib/middleware/tus-upload.js +12 -12
- package/lib/vendor/blamejs/lib/middleware/web-app-manifest.js +2 -2
- package/lib/vendor/blamejs/lib/network-byte-quota.js +1 -1
- package/lib/vendor/blamejs/lib/network-dns-resolver.js +23 -23
- package/lib/vendor/blamejs/lib/network-dns.js +29 -29
- package/lib/vendor/blamejs/lib/network-dnssec.js +33 -33
- package/lib/vendor/blamejs/lib/network-smtp-policy.js +10 -10
- package/lib/vendor/blamejs/lib/network-tls.js +100 -98
- package/lib/vendor/blamejs/lib/network-tsig.js +33 -33
- package/lib/vendor/blamejs/lib/nis2-report.js +1 -1
- package/lib/vendor/blamejs/lib/ntp-check.js +3 -3
- package/lib/vendor/blamejs/lib/observability-otlp-exporter.js +17 -17
- package/lib/vendor/blamejs/lib/observability-tracer.js +6 -6
- package/lib/vendor/blamejs/lib/observability.js +8 -8
- package/lib/vendor/blamejs/lib/openapi-yaml.js +1 -1
- package/lib/vendor/blamejs/lib/openapi.js +1 -1
- package/lib/vendor/blamejs/lib/outbox.js +6 -6
- package/lib/vendor/blamejs/lib/pqc-agent.js +4 -4
- package/lib/vendor/blamejs/lib/pqc-software.js +1 -1
- package/lib/vendor/blamejs/lib/privacy-pass.js +5 -5
- package/lib/vendor/blamejs/lib/problem-details.js +5 -5
- package/lib/vendor/blamejs/lib/promise-pool.js +1 -1
- package/lib/vendor/blamejs/lib/protobuf-encoder.js +9 -1
- package/lib/vendor/blamejs/lib/queue.js +4 -2
- package/lib/vendor/blamejs/lib/redact.js +2 -2
- package/lib/vendor/blamejs/lib/request-helpers.js +1 -1
- package/lib/vendor/blamejs/lib/router.js +10 -10
- package/lib/vendor/blamejs/lib/safe-async.js +2 -2
- package/lib/vendor/blamejs/lib/safe-decompress.js +1 -1
- package/lib/vendor/blamejs/lib/safe-dns.js +71 -71
- package/lib/vendor/blamejs/lib/safe-ical.js +19 -19
- package/lib/vendor/blamejs/lib/safe-icap.js +24 -24
- package/lib/vendor/blamejs/lib/safe-jsonpath.js +2 -2
- package/lib/vendor/blamejs/lib/safe-mime.js +10 -10
- package/lib/vendor/blamejs/lib/safe-mount-info.js +3 -3
- package/lib/vendor/blamejs/lib/safe-redirect.js +1 -1
- package/lib/vendor/blamejs/lib/safe-sieve.js +23 -23
- package/lib/vendor/blamejs/lib/safe-smtp.js +1 -1
- package/lib/vendor/blamejs/lib/safe-url.js +1 -1
- package/lib/vendor/blamejs/lib/safe-vcard.js +14 -14
- package/lib/vendor/blamejs/lib/sandbox.js +5 -5
- package/lib/vendor/blamejs/lib/sec-cyber.js +1 -1
- package/lib/vendor/blamejs/lib/self-update-standalone-verifier.js +3 -3
- package/lib/vendor/blamejs/lib/self-update.js +3 -3
- package/lib/vendor/blamejs/lib/server-timing.js +3 -3
- package/lib/vendor/blamejs/lib/session-device-binding.js +7 -7
- package/lib/vendor/blamejs/lib/session.js +8 -8
- package/lib/vendor/blamejs/lib/sse.js +12 -5
- package/lib/vendor/blamejs/lib/standard-webhooks.js +4 -4
- package/lib/vendor/blamejs/lib/storage.js +2 -2
- package/lib/vendor/blamejs/lib/stream-throttle.js +3 -3
- package/lib/vendor/blamejs/lib/structured-fields.js +15 -15
- package/lib/vendor/blamejs/lib/subject.js +1 -1
- package/lib/vendor/blamejs/lib/tcpa-10dlc.js +1 -1
- package/lib/vendor/blamejs/lib/tenant-quota.js +3 -3
- package/lib/vendor/blamejs/lib/test-harness.js +1 -1
- package/lib/vendor/blamejs/lib/tracing.js +1 -1
- package/lib/vendor/blamejs/lib/tsa.js +5 -5
- package/lib/vendor/blamejs/lib/uri-template.js +5 -5
- package/lib/vendor/blamejs/lib/vault/index.js +2 -2
- package/lib/vendor/blamejs/lib/vault/seal-pem-file.js +4 -4
- package/lib/vendor/blamejs/lib/vc.js +2 -2
- package/lib/vendor/blamejs/lib/vendor-data.js +1 -1
- package/lib/vendor/blamejs/lib/watcher.js +4 -4
- package/lib/vendor/blamejs/lib/web-push-vapid.js +21 -21
- package/lib/vendor/blamejs/lib/webhook.js +2 -2
- package/lib/vendor/blamejs/lib/websocket.js +5 -5
- package/lib/vendor/blamejs/lib/worker-pool.js +3 -3
- package/lib/vendor/blamejs/lib/ws-client.js +24 -24
- package/lib/vendor/blamejs/lib/xml-c14n.js +2 -2
- package/lib/vendor/blamejs/package.json +1 -1
- package/lib/vendor/blamejs/release-notes/v0.13.x.json +1248 -0
- package/lib/vendor/blamejs/release-notes/v0.14.0.json +43 -0
- package/lib/vendor/blamejs/release-notes/v0.14.1.json +60 -0
- package/lib/vendor/blamejs/release-notes/v0.14.2.json +18 -0
- package/lib/vendor/blamejs/release-notes/v0.14.3.json +18 -0
- package/lib/vendor/blamejs/release-notes/v0.14.4.json +18 -0
- package/lib/vendor/blamejs/release-notes/v0.14.5.json +18 -0
- package/lib/vendor/blamejs/test/00-primitives.js +15 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/age-gate.test.js +22 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/auth-jar.test.js +29 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/codebase-patterns.test.js +105 -9
- package/lib/vendor/blamejs/test/layer-0-primitives/compliance-ai-act.test.js +15 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/graphql-federation.test.js +10 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/http-client-cache.test.js +12 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/mail-crypto-pgp.test.js +7 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/network-tls.test.js +11 -5
- package/lib/vendor/blamejs/test/layer-0-primitives/rate-limit-registry.test.js +34 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/sse.test.js +12 -0
- package/package.json +1 -1
- package/lib/vendor/blamejs/release-notes/v0.13.0.json +0 -22
- package/lib/vendor/blamejs/release-notes/v0.13.1.json +0 -18
- package/lib/vendor/blamejs/release-notes/v0.13.10.json +0 -44
- package/lib/vendor/blamejs/release-notes/v0.13.11.json +0 -27
- package/lib/vendor/blamejs/release-notes/v0.13.12.json +0 -36
- package/lib/vendor/blamejs/release-notes/v0.13.13.json +0 -18
- package/lib/vendor/blamejs/release-notes/v0.13.14.json +0 -22
- package/lib/vendor/blamejs/release-notes/v0.13.15.json +0 -27
- package/lib/vendor/blamejs/release-notes/v0.13.16.json +0 -27
- package/lib/vendor/blamejs/release-notes/v0.13.17.json +0 -27
- package/lib/vendor/blamejs/release-notes/v0.13.18.json +0 -18
- package/lib/vendor/blamejs/release-notes/v0.13.19.json +0 -27
- package/lib/vendor/blamejs/release-notes/v0.13.2.json +0 -27
- package/lib/vendor/blamejs/release-notes/v0.13.20.json +0 -22
- package/lib/vendor/blamejs/release-notes/v0.13.21.json +0 -18
- package/lib/vendor/blamejs/release-notes/v0.13.22.json +0 -18
- package/lib/vendor/blamejs/release-notes/v0.13.23.json +0 -42
- package/lib/vendor/blamejs/release-notes/v0.13.24.json +0 -26
- package/lib/vendor/blamejs/release-notes/v0.13.25.json +0 -39
- package/lib/vendor/blamejs/release-notes/v0.13.26.json +0 -31
- package/lib/vendor/blamejs/release-notes/v0.13.27.json +0 -34
- package/lib/vendor/blamejs/release-notes/v0.13.28.json +0 -30
- package/lib/vendor/blamejs/release-notes/v0.13.29.json +0 -30
- package/lib/vendor/blamejs/release-notes/v0.13.3.json +0 -18
- package/lib/vendor/blamejs/release-notes/v0.13.30.json +0 -30
- package/lib/vendor/blamejs/release-notes/v0.13.31.json +0 -26
- package/lib/vendor/blamejs/release-notes/v0.13.32.json +0 -34
- package/lib/vendor/blamejs/release-notes/v0.13.33.json +0 -26
- package/lib/vendor/blamejs/release-notes/v0.13.34.json +0 -48
- package/lib/vendor/blamejs/release-notes/v0.13.35.json +0 -35
- package/lib/vendor/blamejs/release-notes/v0.13.36.json +0 -27
- package/lib/vendor/blamejs/release-notes/v0.13.37.json +0 -18
- package/lib/vendor/blamejs/release-notes/v0.13.38.json +0 -27
- package/lib/vendor/blamejs/release-notes/v0.13.39.json +0 -27
- package/lib/vendor/blamejs/release-notes/v0.13.4.json +0 -23
- package/lib/vendor/blamejs/release-notes/v0.13.40.json +0 -22
- package/lib/vendor/blamejs/release-notes/v0.13.41.json +0 -27
- package/lib/vendor/blamejs/release-notes/v0.13.42.json +0 -18
- package/lib/vendor/blamejs/release-notes/v0.13.43.json +0 -39
- package/lib/vendor/blamejs/release-notes/v0.13.44.json +0 -31
- package/lib/vendor/blamejs/release-notes/v0.13.45.json +0 -31
- package/lib/vendor/blamejs/release-notes/v0.13.46.json +0 -35
- package/lib/vendor/blamejs/release-notes/v0.13.5.json +0 -18
- package/lib/vendor/blamejs/release-notes/v0.13.6.json +0 -18
- package/lib/vendor/blamejs/release-notes/v0.13.7.json +0 -27
- package/lib/vendor/blamejs/release-notes/v0.13.8.json +0 -27
- package/lib/vendor/blamejs/release-notes/v0.13.9.json +0 -27
|
@@ -592,10 +592,14 @@ function create(opts) {
|
|
|
592
592
|
var nameId = _textContent(nameIdEl);
|
|
593
593
|
var nameIdFormat = _attr(nameIdEl, "Format");
|
|
594
594
|
|
|
595
|
-
var nowSec = Math.floor((vopts.now || Date.now()) / 1000); //
|
|
595
|
+
var nowSec = Math.floor((vopts.now || Date.now()) / 1000); // ms→s
|
|
596
596
|
var confirmations = _findAllChildren(subject, "SubjectConfirmation", SAML_NS.assertion);
|
|
597
597
|
var bearerOk = false;
|
|
598
598
|
var hokOk = false;
|
|
599
|
+
// InResponseTo of the SubjectConfirmation that actually passed bearer
|
|
600
|
+
// validation — captured so the returned value can't be sourced from a
|
|
601
|
+
// different (non-validated) confirmation when several are present.
|
|
602
|
+
var matchedInResponseTo = null;
|
|
599
603
|
var hokFingerprint = null;
|
|
600
604
|
// Holder-of-Key SubjectConfirmation per SAML 2.0 Profile §3.1
|
|
601
605
|
// (urn:oasis:names:tc:SAML:2.0:cm:holder-of-key). The IdP binds
|
|
@@ -680,10 +684,10 @@ function create(opts) {
|
|
|
680
684
|
// as Bearer (Profile §3.1 incorporates §3 by reference).
|
|
681
685
|
var nbHok = _attr(scdHok, "NotBefore");
|
|
682
686
|
var noaHok = _attr(scdHok, "NotOnOrAfter");
|
|
683
|
-
if (nbHok && isFinite(Date.parse(nbHok) / 1000) && //
|
|
684
|
-
Date.parse(nbHok) / 1000 > nowSec + clockSkewSec) continue; //
|
|
685
|
-
if (noaHok && isFinite(Date.parse(noaHok) / 1000) && //
|
|
686
|
-
Date.parse(noaHok) / 1000 < nowSec - clockSkewSec) continue; //
|
|
687
|
+
if (nbHok && isFinite(Date.parse(nbHok) / 1000) && // ms→s
|
|
688
|
+
Date.parse(nbHok) / 1000 > nowSec + clockSkewSec) continue; // ms→s
|
|
689
|
+
if (noaHok && isFinite(Date.parse(noaHok) / 1000) && // ms→s
|
|
690
|
+
Date.parse(noaHok) / 1000 < nowSec - clockSkewSec) continue; // ms→s
|
|
687
691
|
var recipHok = _attr(scdHok, "Recipient");
|
|
688
692
|
if (recipHok && recipHok !== opts.assertionConsumerServiceUrl) continue;
|
|
689
693
|
hokOk = true;
|
|
@@ -694,14 +698,14 @@ function create(opts) {
|
|
|
694
698
|
if (!scd) continue;
|
|
695
699
|
var notOnOrAfter = _attr(scd, "NotOnOrAfter");
|
|
696
700
|
if (notOnOrAfter) {
|
|
697
|
-
var t = Date.parse(notOnOrAfter) / 1000; //
|
|
701
|
+
var t = Date.parse(notOnOrAfter) / 1000; // ms→s
|
|
698
702
|
if (!isFinite(t) || t < nowSec - clockSkewSec) {
|
|
699
703
|
continue; // expired confirmation — try next
|
|
700
704
|
}
|
|
701
705
|
}
|
|
702
706
|
var notBefore = _attr(scd, "NotBefore");
|
|
703
707
|
if (notBefore) {
|
|
704
|
-
var nb = Date.parse(notBefore) / 1000; //
|
|
708
|
+
var nb = Date.parse(notBefore) / 1000; // ms→s
|
|
705
709
|
if (isFinite(nb) && nb > nowSec + clockSkewSec) continue;
|
|
706
710
|
}
|
|
707
711
|
var recipient = _attr(scd, "Recipient");
|
|
@@ -721,6 +725,7 @@ function create(opts) {
|
|
|
721
725
|
"AuthnRequest ID (replay defense)");
|
|
722
726
|
}
|
|
723
727
|
}
|
|
728
|
+
matchedInResponseTo = inResponseTo;
|
|
724
729
|
bearerOk = true;
|
|
725
730
|
break;
|
|
726
731
|
}
|
|
@@ -736,14 +741,14 @@ function create(opts) {
|
|
|
736
741
|
var cNotBefore = _attr(conditions, "NotBefore");
|
|
737
742
|
var cNotOnOrAfter = _attr(conditions, "NotOnOrAfter");
|
|
738
743
|
if (cNotBefore) {
|
|
739
|
-
var cnb = Date.parse(cNotBefore) / 1000; //
|
|
744
|
+
var cnb = Date.parse(cNotBefore) / 1000; // ms→s
|
|
740
745
|
if (isFinite(cnb) && cnb > nowSec + clockSkewSec) {
|
|
741
746
|
throw new AuthError("auth-saml/conditions-not-yet-valid",
|
|
742
747
|
"Conditions NotBefore is in the future");
|
|
743
748
|
}
|
|
744
749
|
}
|
|
745
750
|
if (cNotOnOrAfter) {
|
|
746
|
-
var cnoa = Date.parse(cNotOnOrAfter) / 1000; //
|
|
751
|
+
var cnoa = Date.parse(cNotOnOrAfter) / 1000; // ms→s
|
|
747
752
|
if (isFinite(cnoa) && cnoa < nowSec - clockSkewSec) {
|
|
748
753
|
throw new AuthError("auth-saml/conditions-expired",
|
|
749
754
|
"Conditions NotOnOrAfter has passed");
|
|
@@ -787,8 +792,7 @@ function create(opts) {
|
|
|
787
792
|
sessionIndex: sessionIndex,
|
|
788
793
|
attributes: attributes,
|
|
789
794
|
audience: audience,
|
|
790
|
-
inResponseTo: bearerOk ?
|
|
791
|
-
"SubjectConfirmationData", SAML_NS.assertion), "InResponseTo") : null,
|
|
795
|
+
inResponseTo: bearerOk ? matchedInResponseTo : null,
|
|
792
796
|
issuer: issuer,
|
|
793
797
|
};
|
|
794
798
|
}
|
|
@@ -884,7 +888,7 @@ function create(opts) {
|
|
|
884
888
|
throw new AuthError("auth-saml/no-idp-slo",
|
|
885
889
|
"buildLogoutRequest: opts.idpSloUrl (or sp.create's opts.idpSloUrl) required");
|
|
886
890
|
}
|
|
887
|
-
var id = "_" + generateToken(20); //
|
|
891
|
+
var id = "_" + generateToken(20); // 20-byte SAML ID token
|
|
888
892
|
var issueInstant = new Date().toISOString();
|
|
889
893
|
var c14n = xmlC14n();
|
|
890
894
|
var nameIdFormatAttr = bopts.nameIdFormat
|
|
@@ -1085,7 +1089,7 @@ function create(opts) {
|
|
|
1085
1089
|
validateOpts.requireNonEmptyString(bopts.inResponseTo, "inResponseTo", AuthError, "auth-saml/no-in-response-to");
|
|
1086
1090
|
validateOpts.requireNonEmptyString(bopts.destination, "destination", AuthError, "auth-saml/no-destination");
|
|
1087
1091
|
var statusCode = bopts.statusCode || "urn:oasis:names:tc:SAML:2.0:status:Success";
|
|
1088
|
-
var id = "_" + generateToken(20); //
|
|
1092
|
+
var id = "_" + generateToken(20); // 20-byte SAML ID token
|
|
1089
1093
|
var issueInstant = new Date().toISOString();
|
|
1090
1094
|
var c14n = xmlC14n();
|
|
1091
1095
|
var xml =
|
|
@@ -1288,7 +1292,7 @@ function create(opts) {
|
|
|
1288
1292
|
throw new AuthError("auth-saml/no-idp-slo",
|
|
1289
1293
|
"buildLogoutRequestPost: opts.idpSloUrl required");
|
|
1290
1294
|
}
|
|
1291
|
-
var id = "_" + generateToken(20); //
|
|
1295
|
+
var id = "_" + generateToken(20); // 20-byte SAML ID token
|
|
1292
1296
|
var issueInstant = new Date().toISOString();
|
|
1293
1297
|
var c14n = xmlC14n();
|
|
1294
1298
|
var nameIdFormatAttr = bopts.nameIdFormat
|
|
@@ -1663,18 +1667,18 @@ function _decryptEncryptedAssertion(encAssertion, spPrivateKeyPem) {
|
|
|
1663
1667
|
var clearBytes;
|
|
1664
1668
|
if (contentAlg === "http://www.w3.org/2009/xmlenc11#aes128-gcm" ||
|
|
1665
1669
|
contentAlg === "http://www.w3.org/2009/xmlenc11#aes256-gcm") {
|
|
1666
|
-
var aesBits = contentAlg.indexOf("aes128") !== -1 ? 128 : 256; //
|
|
1667
|
-
var expectedKeyBytes = aesBits / 8; //
|
|
1670
|
+
var aesBits = contentAlg.indexOf("aes128") !== -1 ? 128 : 256; // AES key size
|
|
1671
|
+
var expectedKeyBytes = aesBits / 8; // bits→bytes
|
|
1668
1672
|
if (cek.length !== expectedKeyBytes) {
|
|
1669
1673
|
throw new AuthError("auth-saml/encrypted-wrong-cek-len",
|
|
1670
1674
|
"AES-" + aesBits + "-GCM CEK length is " + cek.length + ", expected " + expectedKeyBytes);
|
|
1671
1675
|
}
|
|
1672
|
-
if (contentBlob.length < 28) { //
|
|
1676
|
+
if (contentBlob.length < 28) { // 12 IV + 16 tag
|
|
1673
1677
|
throw new AuthError("auth-saml/encrypted-content-too-short",
|
|
1674
1678
|
"AES-GCM CipherValue too short to contain IV (12) + tag (16)");
|
|
1675
1679
|
}
|
|
1676
|
-
var iv = contentBlob.subarray(0, 12); //
|
|
1677
|
-
var tag = contentBlob.subarray(contentBlob.length - 16); //
|
|
1680
|
+
var iv = contentBlob.subarray(0, 12); // GCM IV size
|
|
1681
|
+
var tag = contentBlob.subarray(contentBlob.length - 16); // GCM tag size
|
|
1678
1682
|
var ct = contentBlob.subarray(12, contentBlob.length - 16);
|
|
1679
1683
|
var decipher = nodeCrypto.createDecipheriv("aes-" + aesBits + "-gcm", cek, iv);
|
|
1680
1684
|
decipher.setAuthTag(tag);
|
|
@@ -1684,16 +1688,16 @@ function _decryptEncryptedAssertion(encAssertion, spPrivateKeyPem) {
|
|
|
1684
1688
|
"AES-GCM authentication tag mismatch: " + ((eD && eD.message) || String(eD)));
|
|
1685
1689
|
}
|
|
1686
1690
|
} else if (contentAlg === "urn:blamejs:experimental:xmlenc:xchacha20-poly1305") {
|
|
1687
|
-
if (cek.length !== 32) { //
|
|
1691
|
+
if (cek.length !== 32) { // XChaCha20 key size
|
|
1688
1692
|
throw new AuthError("auth-saml/encrypted-wrong-cek-len",
|
|
1689
1693
|
"XChaCha20-Poly1305 CEK length is " + cek.length + ", expected 32");
|
|
1690
1694
|
}
|
|
1691
|
-
if (contentBlob.length < 40) { //
|
|
1695
|
+
if (contentBlob.length < 40) { // 24 nonce + 16 tag
|
|
1692
1696
|
throw new AuthError("auth-saml/encrypted-content-too-short",
|
|
1693
1697
|
"XChaCha20-Poly1305 CipherValue too short");
|
|
1694
1698
|
}
|
|
1695
|
-
var xnonce = contentBlob.subarray(0, 24); //
|
|
1696
|
-
var xtag = contentBlob.subarray(contentBlob.length - 16); //
|
|
1699
|
+
var xnonce = contentBlob.subarray(0, 24); // XChaCha20 nonce size
|
|
1700
|
+
var xtag = contentBlob.subarray(contentBlob.length - 16); // Poly1305 tag size
|
|
1697
1701
|
var xct = contentBlob.subarray(24, contentBlob.length - 16);
|
|
1698
1702
|
try {
|
|
1699
1703
|
clearBytes = bCrypto.aeadDecrypt({
|
|
@@ -1722,8 +1726,8 @@ function _decryptEncryptedAssertion(encAssertion, spPrivateKeyPem) {
|
|
|
1722
1726
|
|
|
1723
1727
|
// PQC SignatureMethod URIs used by the embedded XMLDSig signatures.
|
|
1724
1728
|
// Standard XMLDSig vocabulary classical signing URIs (W3C XMLDSig
|
|
1725
|
-
// Core 1.1 + RFC 9231 for Ed25519) are dispatched via _sigAlgUrn
|
|
1726
|
-
//
|
|
1729
|
+
// Core 1.1 + RFC 9231 for Ed25519) are dispatched via _sigAlgUrn (sign
|
|
1730
|
+
// side) and the SUPPORTED_SIG table (verify side). The framework adds two non-standard URNs for
|
|
1727
1731
|
// ML-DSA because no W3C/IETF XMLDSig URI registration exists for
|
|
1728
1732
|
// post-quantum signers yet (LAMPS WG has open drafts but none final).
|
|
1729
1733
|
// Operators integrating with PQC-aware IdPs that exchange those URNs
|
|
@@ -1971,7 +1975,7 @@ function _sigAlgUrn(alg) {
|
|
|
1971
1975
|
var keyObj = (sk && typeof sk === "object" && sk.type === "private") ? sk
|
|
1972
1976
|
: (typeof sk === "string" || (sk && sk.kty)) ? nodeCrypto.createPrivateKey(sk)
|
|
1973
1977
|
: nodeCrypto.createPrivateKey({ key: Buffer.concat([
|
|
1974
|
-
Buffer.from("302e020100300506032b657004220420", "hex"), //
|
|
1978
|
+
Buffer.from("302e020100300506032b657004220420", "hex"), // Ed25519 PKCS#8 prefix
|
|
1975
1979
|
Buffer.from(sk),
|
|
1976
1980
|
]), format: "der", type: "pkcs8" });
|
|
1977
1981
|
return nodeCrypto.sign(null, Buffer.from(bytes), keyObj);
|
|
@@ -1980,7 +1984,7 @@ function _sigAlgUrn(alg) {
|
|
|
1980
1984
|
var keyObj = (pk && typeof pk === "object" && pk.type === "public") ? pk
|
|
1981
1985
|
: (typeof pk === "string" || (pk && pk.kty)) ? nodeCrypto.createPublicKey(pk)
|
|
1982
1986
|
: nodeCrypto.createPublicKey({ key: Buffer.concat([
|
|
1983
|
-
Buffer.from("302a300506032b6570032100", "hex"), //
|
|
1987
|
+
Buffer.from("302a300506032b6570032100", "hex"), // Ed25519 SPKI prefix
|
|
1984
1988
|
Buffer.from(pk),
|
|
1985
1989
|
]), format: "der", type: "spki" });
|
|
1986
1990
|
return nodeCrypto.verify(null, Buffer.from(msg), keyObj, Buffer.from(sig));
|
|
@@ -2023,22 +2027,6 @@ function _sigAlgUrn(alg) {
|
|
|
2023
2027
|
return null;
|
|
2024
2028
|
}
|
|
2025
2029
|
|
|
2026
|
-
// Reverse lookup — SignatureMethod URI on the inbound wire → alg
|
|
2027
|
-
// shorthand for _sigAlgUrn dispatch. Used by _verifyEmbeddedXmlDsig
|
|
2028
|
-
// to pick the right verifier when an IdP signs with a classical alg.
|
|
2029
|
-
function _sigAlgFromUri(uri) {
|
|
2030
|
-
if (uri === "urn:blamejs:experimental:saml-sig-alg:ml-dsa-65") return "ml-dsa-65";
|
|
2031
|
-
if (uri === "urn:blamejs:experimental:saml-sig-alg:ml-dsa-87") return "ml-dsa-87";
|
|
2032
|
-
if (uri === "http://www.w3.org/2021/04/xmldsig-more#ed25519") return "ed25519";
|
|
2033
|
-
if (uri === "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256") return "rsa-sha256";
|
|
2034
|
-
if (uri === "http://www.w3.org/2001/04/xmldsig-more#rsa-sha384") return "rsa-sha384";
|
|
2035
|
-
if (uri === "http://www.w3.org/2001/04/xmldsig-more#rsa-sha512") return "rsa-sha512";
|
|
2036
|
-
if (uri === "http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha256") return "ecdsa-sha256";
|
|
2037
|
-
if (uri === "http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha384") return "ecdsa-sha384";
|
|
2038
|
-
if (uri === "http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha512") return "ecdsa-sha512";
|
|
2039
|
-
return null;
|
|
2040
|
-
}
|
|
2041
|
-
|
|
2042
2030
|
/**
|
|
2043
2031
|
* @primitive b.auth.saml.fetchMdq
|
|
2044
2032
|
* @signature b.auth.saml.fetchMdq(opts)
|
|
@@ -17,7 +17,7 @@ var nodeCrypto = require("node:crypto");
|
|
|
17
17
|
var safeJson = require("../safe-json");
|
|
18
18
|
var { AuthError } = require("../framework-error");
|
|
19
19
|
|
|
20
|
-
var DEFAULT_SALT_BYTES = 16; //
|
|
20
|
+
var DEFAULT_SALT_BYTES = 16; // 128-bit salt per spec recommendation
|
|
21
21
|
|
|
22
22
|
function _newSalt(opts) {
|
|
23
23
|
if (opts && opts.saltSource && typeof opts.saltSource === "function") {
|
|
@@ -239,8 +239,8 @@ function issue(opts) {
|
|
|
239
239
|
sdDigests.sort();
|
|
240
240
|
|
|
241
241
|
var now = (typeof opts.issuedAt === "number" && isFinite(opts.issuedAt))
|
|
242
|
-
? Math.floor(opts.issuedAt / 1000) : Math.floor(Date.now() / 1000); //
|
|
243
|
-
var ttlSec = opts.ttlMs ? Math.floor(opts.ttlMs / 1000) : 30 * 24 * 60 * 60; //
|
|
242
|
+
? Math.floor(opts.issuedAt / 1000) : Math.floor(Date.now() / 1000); // ms→s conversion factor
|
|
243
|
+
var ttlSec = opts.ttlMs ? Math.floor(opts.ttlMs / 1000) : 30 * 24 * 60 * 60; // ms→s conversion + 30-day default in seconds
|
|
244
244
|
|
|
245
245
|
var payload = Object.assign({}, plainClaims, {
|
|
246
246
|
iss: opts.issuer,
|
|
@@ -355,7 +355,7 @@ function present(opts) {
|
|
|
355
355
|
"present: algorithm must be one of " + SUPPORTED_ALGS.join(", "));
|
|
356
356
|
}
|
|
357
357
|
var now = (typeof opts.issuedAt === "number" && isFinite(opts.issuedAt))
|
|
358
|
-
? Math.floor(opts.issuedAt / 1000) : Math.floor(Date.now() / 1000); //
|
|
358
|
+
? Math.floor(opts.issuedAt / 1000) : Math.floor(Date.now() / 1000); // ms→s conversion factor
|
|
359
359
|
// The KB-JWT's hash binds it to the specific SD-JWT + presentation
|
|
360
360
|
var kbHashInput = presentation; // jwt~d1~d2~ (without KB)
|
|
361
361
|
// sd_hash uses the SAME hash algorithm the credential's _sd
|
|
@@ -505,7 +505,7 @@ async function verify(presentation, opts) {
|
|
|
505
505
|
|
|
506
506
|
// 2. Validate iss / iat / exp / vct
|
|
507
507
|
var nowSec = (typeof opts.now === "number" && isFinite(opts.now))
|
|
508
|
-
? Math.floor(opts.now / 1000) : Math.floor(Date.now() / 1000); //
|
|
508
|
+
? Math.floor(opts.now / 1000) : Math.floor(Date.now() / 1000); // ms→s conversion factor
|
|
509
509
|
var skew = (typeof opts.maxClockSkewSec === "number") ? opts.maxClockSkewSec : 60; // allow:raw-time-literal — default 60s clock-skew tolerance
|
|
510
510
|
if (typeof jwtParsed.payload.iat === "number" && jwtParsed.payload.iat > nowSec + skew) {
|
|
511
511
|
throw new AuthError("auth-sd-jwt-vc/iat-future",
|
|
@@ -597,7 +597,7 @@ async function verify(presentation, opts) {
|
|
|
597
597
|
}
|
|
598
598
|
// Verify KB-JWT signature
|
|
599
599
|
var kbHeaderObj;
|
|
600
|
-
try { kbHeaderObj = safeJson.parse(_b64uDecodeStr(maybeKbJwt.split(".")[0]), { maxBytes: 4096 }); } // allow:bare-json-parse — kb header from validated KB-JWT; signature verifies
|
|
600
|
+
try { kbHeaderObj = safeJson.parse(_b64uDecodeStr(maybeKbJwt.split(".")[0]), { maxBytes: 4096 }); } // allow:bare-json-parse — kb header from validated KB-JWT; signature verifies
|
|
601
601
|
catch (e) {
|
|
602
602
|
throw new AuthError("auth-sd-jwt-vc/bad-kb-header",
|
|
603
603
|
"verify: malformed KB-JWT header: " + e.message);
|
|
@@ -55,7 +55,7 @@ var { defineClass } = require("../framework-error");
|
|
|
55
55
|
|
|
56
56
|
var StatusListError = defineClass("StatusListError", { alwaysPermanent: true });
|
|
57
57
|
|
|
58
|
-
var SUPPORTED_BIT_SIZES = { 1: 1, 2: 1, 4: 1, 8: 1 }; //
|
|
58
|
+
var SUPPORTED_BIT_SIZES = { 1: 1, 2: 1, 4: 1, 8: 1 }; // bit-size enum (1/2/4/8 bits per status), not bytes
|
|
59
59
|
var STATUS_VALID = 0;
|
|
60
60
|
var STATUS_INVALID = 1;
|
|
61
61
|
var STATUS_SUSPENDED = 2;
|
|
@@ -107,7 +107,7 @@ function create(opts) {
|
|
|
107
107
|
var bits = opts.bits === undefined ? 1 : opts.bits;
|
|
108
108
|
_validateBits(bits);
|
|
109
109
|
// Allocate the bit-packed buffer up front. byteCount = ceil(size*bits/8).
|
|
110
|
-
var bitBytes = Math.ceil((size * bits) / 8); //
|
|
110
|
+
var bitBytes = Math.ceil((size * bits) / 8); // bits-per-byte conversion
|
|
111
111
|
var bytes = Buffer.alloc(bitBytes);
|
|
112
112
|
if (opts.fill !== undefined && opts.fill !== 0) {
|
|
113
113
|
_validateStatus(opts.fill, bits);
|
|
@@ -184,19 +184,19 @@ function create(opts) {
|
|
|
184
184
|
// ---- bit-packed helpers ----
|
|
185
185
|
|
|
186
186
|
function _setAt(bytes, bits, idx, status) {
|
|
187
|
-
if (bits === 8) { bytes[idx] = status & 0xff; return; } //
|
|
187
|
+
if (bits === 8) { bytes[idx] = status & 0xff; return; } // byte mask
|
|
188
188
|
var bitOffset = idx * bits;
|
|
189
|
-
var byteIdx = Math.floor(bitOffset / 8); //
|
|
190
|
-
var bitInByte = bitOffset % 8; //
|
|
189
|
+
var byteIdx = Math.floor(bitOffset / 8); // bits-per-byte
|
|
190
|
+
var bitInByte = bitOffset % 8; // bits-per-byte
|
|
191
191
|
var mask = ((1 << bits) - 1) << bitInByte;
|
|
192
192
|
bytes[byteIdx] = (bytes[byteIdx] & ~mask) | ((status << bitInByte) & mask);
|
|
193
193
|
}
|
|
194
194
|
|
|
195
195
|
function _getAt(bytes, bits, idx) {
|
|
196
|
-
if (bits === 8) return bytes[idx]; //
|
|
196
|
+
if (bits === 8) return bytes[idx]; // 8-bit fast path
|
|
197
197
|
var bitOffset = idx * bits;
|
|
198
|
-
var byteIdx = Math.floor(bitOffset / 8); //
|
|
199
|
-
var bitInByte = bitOffset % 8; //
|
|
198
|
+
var byteIdx = Math.floor(bitOffset / 8); // bits-per-byte
|
|
199
|
+
var bitInByte = bitOffset % 8; // bits-per-byte
|
|
200
200
|
var mask = (1 << bits) - 1;
|
|
201
201
|
return (bytes[byteIdx] >> bitInByte) & mask;
|
|
202
202
|
}
|
|
@@ -238,13 +238,13 @@ async function fromJwt(token, opts) {
|
|
|
238
238
|
"statusList.fromJwt: compressed list exceeds " + MAX_LIST_BYTES + " bytes");
|
|
239
239
|
}
|
|
240
240
|
var inflated;
|
|
241
|
-
try { inflated = zlib.inflateRawSync(deflated, { maxOutputLength: MAX_LIST_BYTES * 8 }); } //
|
|
241
|
+
try { inflated = zlib.inflateRawSync(deflated, { maxOutputLength: MAX_LIST_BYTES * 8 }); } // 8x compression-ratio cap
|
|
242
242
|
catch (e) {
|
|
243
243
|
throw new StatusListError("status-list/inflate-failed",
|
|
244
244
|
"statusList.fromJwt: zlib inflate failed: " + ((e && e.message) || String(e)));
|
|
245
245
|
}
|
|
246
246
|
// Reconstruct the list object pointing at the inflated bytes.
|
|
247
|
-
var size = (inflated.length * 8) / bits; //
|
|
247
|
+
var size = (inflated.length * 8) / bits; // bits-per-byte
|
|
248
248
|
return {
|
|
249
249
|
list: {
|
|
250
250
|
size: size,
|
|
@@ -86,7 +86,7 @@ function _quote(value) {
|
|
|
86
86
|
// Reject CTLs and quote-injecting characters.
|
|
87
87
|
for (var i = 0; i < value.length; i += 1) {
|
|
88
88
|
var code = value.charCodeAt(i);
|
|
89
|
-
if (code < 32 || code === 127) { //
|
|
89
|
+
if (code < 32 || code === 127) { // ASCII control codepoints
|
|
90
90
|
throw new AuthError("auth-step-up/bad-challenge",
|
|
91
91
|
"challenge value contains control character at index " + i);
|
|
92
92
|
}
|
|
@@ -270,7 +270,7 @@ function create(opts) {
|
|
|
270
270
|
function _runBotGuardCheck(req) {
|
|
271
271
|
return new Promise(function (resolve) {
|
|
272
272
|
var capturedRes = {
|
|
273
|
-
statusCode: 200, //
|
|
273
|
+
statusCode: 200, // HTTP 200 status code, not bytes
|
|
274
274
|
writableEnded: false,
|
|
275
275
|
writeHead: function (status) { capturedRes.statusCode = status; },
|
|
276
276
|
end: function () { capturedRes.writableEnded = true; },
|
|
@@ -1118,7 +1118,7 @@ function bundleAdapterStorage(opts) {
|
|
|
1118
1118
|
var passphraseMinEntropyBits;
|
|
1119
1119
|
if (opts.passphraseMinEntropyBits === undefined ||
|
|
1120
1120
|
opts.passphraseMinEntropyBits === null) {
|
|
1121
|
-
passphraseMinEntropyBits = 80; //
|
|
1121
|
+
passphraseMinEntropyBits = 80; // entropy-bits default floor, not byte count
|
|
1122
1122
|
} else if (Number.isFinite(opts.passphraseMinEntropyBits) &&
|
|
1123
1123
|
opts.passphraseMinEntropyBits >= 0) {
|
|
1124
1124
|
passphraseMinEntropyBits = Math.floor(opts.passphraseMinEntropyBits);
|
|
@@ -1164,8 +1164,8 @@ function bundleAdapterStorage(opts) {
|
|
|
1164
1164
|
// v0.12.11 — passphrase strategy under HIPAA / PCI-DSS raises
|
|
1165
1165
|
// the entropy floor to 128 bits (matches the framework's
|
|
1166
1166
|
// existing crypto-grade-password discipline for sealed-storage).
|
|
1167
|
-
if (cryptoStrategy === "passphrase" && passphraseMinEntropyBits < 128) { //
|
|
1168
|
-
passphraseMinEntropyBits = 128; //
|
|
1167
|
+
if (cryptoStrategy === "passphrase" && passphraseMinEntropyBits < 128) { // entropy-bits floor, not byte count
|
|
1168
|
+
passphraseMinEntropyBits = 128; // entropy-bits floor, not byte count
|
|
1169
1169
|
}
|
|
1170
1170
|
}
|
|
1171
1171
|
// Codex P2 on v0.12.8 PR #159 — tar mode builds the whole archive
|
|
@@ -1754,7 +1754,7 @@ function bundleAdapterStorage(opts) {
|
|
|
1754
1754
|
// per-bundle rewrap.
|
|
1755
1755
|
async rewrapAllBundles(opts) {
|
|
1756
1756
|
opts = opts || {};
|
|
1757
|
-
var concurrency = 4; //
|
|
1757
|
+
var concurrency = 4; // default fan-out, not byte count
|
|
1758
1758
|
if (typeof opts.concurrency === "number" && Number.isFinite(opts.concurrency) &&
|
|
1759
1759
|
opts.concurrency > 0) {
|
|
1760
1760
|
concurrency = Math.max(1, Math.floor(opts.concurrency));
|
|
@@ -1855,7 +1855,7 @@ function bundleAdapterStorage(opts) {
|
|
|
1855
1855
|
// a silent ok=0/failed=0 report on non-empty storage. Default
|
|
1856
1856
|
// 4; minimum 1; non-finite / non-positive falls back to
|
|
1857
1857
|
// default.
|
|
1858
|
-
var concurrency = 4; //
|
|
1858
|
+
var concurrency = 4; // default fan-out, not byte count
|
|
1859
1859
|
if (typeof vOpts.concurrency === "number" && Number.isFinite(vOpts.concurrency) &&
|
|
1860
1860
|
vOpts.concurrency > 0) {
|
|
1861
1861
|
concurrency = Math.max(1, Math.floor(vOpts.concurrency));
|
|
@@ -2096,7 +2096,7 @@ function bundleAdapterStorage(opts) {
|
|
|
2096
2096
|
// capped 16-byte readFile via the fallback path (still
|
|
2097
2097
|
// bounded; better than full payload).
|
|
2098
2098
|
if (typeof adapter.readPartial === "function") {
|
|
2099
|
-
var probe = await adapter.readPartial(payloadKey, 16); //
|
|
2099
|
+
var probe = await adapter.readPartial(payloadKey, 16); // 16-byte probe head, magic comparison
|
|
2100
2100
|
envelopeKind = archiveLazy().sniffEnvelope(probe);
|
|
2101
2101
|
} else {
|
|
2102
2102
|
// Legacy adapter — readPartial missing. Operators using
|
|
@@ -2389,7 +2389,7 @@ bundleAdapterStorage.objectStoreAdapter = function (client, osOpts) {
|
|
|
2389
2389
|
// is consumed. PAGINATION_CAP guards against a runaway
|
|
2390
2390
|
// server returning truncated:true forever (defense-in-depth;
|
|
2391
2391
|
// shipped backends honour the contract).
|
|
2392
|
-
var PAGINATION_CAP = 1000; //
|
|
2392
|
+
var PAGINATION_CAP = 1000; // page count cap, not byte count
|
|
2393
2393
|
var out = [];
|
|
2394
2394
|
var token = null;
|
|
2395
2395
|
var pages = 0;
|
|
@@ -42,7 +42,7 @@ Object.keys(ALPHABETS).forEach(function (v) {
|
|
|
42
42
|
LOOKUPS[v] = map;
|
|
43
43
|
});
|
|
44
44
|
|
|
45
|
-
var GROUP = 8; //
|
|
45
|
+
var GROUP = 8; // Base32 emits 8 chars per 5 input bytes (RFC 4648 §6)
|
|
46
46
|
var BITS = 5; // 5 bits per Base32 symbol
|
|
47
47
|
|
|
48
48
|
function _alphabet(variant) {
|
|
@@ -82,14 +82,14 @@ function encode(input, opts) {
|
|
|
82
82
|
var out = "";
|
|
83
83
|
var value = 0, bits = 0;
|
|
84
84
|
for (var i = 0; i < buf.length; i++) {
|
|
85
|
-
value = (value << 8) | buf[i]; //
|
|
86
|
-
bits += 8; //
|
|
85
|
+
value = (value << 8) | buf[i]; // shift in one input byte
|
|
86
|
+
bits += 8; // eight bits per input byte
|
|
87
87
|
while (bits >= BITS) {
|
|
88
|
-
out += alphabet.charAt((value >>> (bits - BITS)) & 31); //
|
|
88
|
+
out += alphabet.charAt((value >>> (bits - BITS)) & 31); // low 5 bits mask (2^5 - 1)
|
|
89
89
|
bits -= BITS;
|
|
90
90
|
}
|
|
91
91
|
}
|
|
92
|
-
if (bits > 0) out += alphabet.charAt((value << (BITS - bits)) & 31); //
|
|
92
|
+
if (bits > 0) out += alphabet.charAt((value << (BITS - bits)) & 31); // final partial group, low 5 bits
|
|
93
93
|
if (pad) while (out.length % GROUP !== 0) out += "=";
|
|
94
94
|
return out;
|
|
95
95
|
}
|
|
@@ -138,9 +138,9 @@ function decode(str, opts) {
|
|
|
138
138
|
if (idx === undefined) throw new Base32Error("base32/bad-char", "base32.decode: invalid Base32 character '" + str.charAt(i) + "' at index " + i);
|
|
139
139
|
value = (value << BITS) | idx;
|
|
140
140
|
bits += BITS;
|
|
141
|
-
if (bits >= 8) { //
|
|
142
|
-
bytes.push((value >>> (bits - 8)) & 0xff); //
|
|
143
|
-
bits -= 8; //
|
|
141
|
+
if (bits >= 8) { // emit a full output byte
|
|
142
|
+
bytes.push((value >>> (bits - 8)) & 0xff); // eight-bit output byte mask
|
|
143
|
+
bits -= 8; // consumed eight bits
|
|
144
144
|
}
|
|
145
145
|
}
|
|
146
146
|
return Buffer.from(bytes);
|
|
@@ -30,8 +30,8 @@ var audit = require("./audit");
|
|
|
30
30
|
var { defineClass } = require("./framework-error");
|
|
31
31
|
var BudrError = defineClass("BudrError", { alwaysPermanent: true });
|
|
32
32
|
|
|
33
|
-
var SERVICE_MAX = 128; //
|
|
34
|
-
var SERVICE_RE = /^[a-zA-Z0-9._:/-]{1,128}$/; //
|
|
33
|
+
var SERVICE_MAX = 128; // string-length cap, not bytes
|
|
34
|
+
var SERVICE_RE = /^[a-zA-Z0-9._:/-]{1,128}$/; // string-length cap; not bytes
|
|
35
35
|
var TIERS = ["platinum", "gold", "silver", "bronze"];
|
|
36
36
|
var CRITICALITIES = ["critical", "high", "medium", "low"];
|
|
37
37
|
|
|
@@ -47,7 +47,7 @@ var CacheStatusError = defineClass("CacheStatusError", { alwaysPermanent: true }
|
|
|
47
47
|
// per RFC 8941: starts with ALPHA or "*", continues with tchar / ":"
|
|
48
48
|
// / "/". tchar excludes `, ; " \ space and all controls.
|
|
49
49
|
var CACHE_NAME_RE = /^[A-Za-z*][!#$%&'*+\-.^_`|~0-9A-Za-z:/]*$/; // allow:duplicate-regex — sf-token shape per RFC 8941 §3.3.4
|
|
50
|
-
var CACHE_NAME_MAX = 128; //
|
|
50
|
+
var CACHE_NAME_MAX = 128; // cache-name length cap, not bytes
|
|
51
51
|
var FWD_VALUES = Object.freeze(["bypass", "method", "uri-miss", "vary-miss", "miss", "request", "stale", "partial"]);
|
|
52
52
|
var BOOLEAN_PARAMS = Object.freeze(["hit", "stored", "collapsed"]);
|
|
53
53
|
// Reserved parameter names per RFC 9211 §2 — the framework knows their
|
|
@@ -153,7 +153,7 @@ function entryString(entry) {
|
|
|
153
153
|
}
|
|
154
154
|
if (entry.fwdStatus !== undefined && entry.fwdStatus !== null) {
|
|
155
155
|
if (typeof entry.fwdStatus !== "number" || !Number.isInteger(entry.fwdStatus) ||
|
|
156
|
-
entry.fwdStatus < 100 || entry.fwdStatus > 599) { //
|
|
156
|
+
entry.fwdStatus < 100 || entry.fwdStatus > 599) { // HTTP status range
|
|
157
157
|
throw new CacheStatusError("cache-status/bad-fwd-status",
|
|
158
158
|
"entry.fwdStatus must be an integer 100..599");
|
|
159
159
|
}
|