@blamejs/blamejs-shop 0.3.69 → 0.3.71

package/lib/vendor/blamejs/lib/problem-details.js

@@ -132,19 +132,28 @@ function getBase() {
  *   - `status` (recommended) must be an integer 100..599.
  *   - `detail` (optional) must be a string when given.
  *   - `instance` (optional) must be a URI reference string when given.
- *   - Extensions: every additional key whose name is NOT in
+ *   - Extensions: every additional top-level key whose name is NOT in
  *     `RESERVED_FIELDS` is preserved at the top level. Reserved-name
- *     collisions throw `problem-details/reserved-extension`.
+ *     collisions throw `problem-details/reserved-extension`;
+ *     prototype-pollution-shaped top-level keys throw the same.
+ *   - `extensions`: a plain object whose keys are spread as top-level
+ *     sibling members (RFC 9457 §3.2) — the literal `extensions`
+ *     member is never emitted. Keys colliding with `RESERVED_FIELDS`
+ *     are ignored (reserved fields can't be overridden by an
+ *     extension); prototype-pollution-shaped keys are dropped
+ *     silently. When the same name appears both as a direct top-level
+ *     key and inside `extensions`, the direct top-level key wins.
  *
  * Returns a frozen plain object suitable for `JSON.stringify`.
  *
  * @opts
- *   type:     string,   // problem-type URI reference (default "about:blank")
- *   title:    string,   // short summary
- *   status:   number,   // integer 100..599
- *   detail:   string,   // human-readable explanation
- *   instance: string,   // URI reference for this specific occurrence
- *   ...extensions       // additional fields preserved as-is
+ *   type:       string,   // problem-type URI reference (default "about:blank")
+ *   title:      string,   // short summary
+ *   status:     number,   // integer 100..599
+ *   detail:     string,   // human-readable explanation
+ *   instance:   string,   // URI reference for this specific occurrence
+ *   extensions: object,   // keys spread as top-level siblings (§3.2); direct top-level key wins on collision
+ *   ...extensions         // additional top-level keys preserved as-is
  *
  * @example
  *   var p = b.problemDetails.create({
@@ -213,15 +222,44 @@ function create(opts) {
 
   // Extensions — every additional key. §3.2 endorses sibling
   // extensions as long as their names don't collide with reserved.
+  // The `extensions` key itself is NOT emitted as a literal nested
+  // member: a plain-object value is spread so each of its keys lands
+  // as a top-level sibling, subject to the same reserved / poisoned
+  // guards as direct top-level keys. A direct top-level extension key
+  // wins over the same name nested under `extensions`.
   var keys = Object.keys(opts);
-  for (var i = 0; i < keys.length; i += 1) {
-    var k = keys[i];
+  var directKeys = Object.create(null);
+  var i, k;
+  for (i = 0; i < keys.length; i += 1) {
+    k = keys[i];
+    if (k === "extensions") continue;
     if (RESERVED_FIELDS.indexOf(k) !== -1) continue;
     if (POISONED_KEYS.indexOf(k) !== -1) {
       throw new ProblemDetailsError("problem-details/reserved-extension",
         "create: extension key '" + k + "' refused (prototype-pollution shape)", true);
     }
     out[k] = opts[k];
+    directKeys[k] = true;
+  }
+
+  // Spread `extensions` (RFC 9457 §3.2 sibling members). Reserved
+  // names can't be overridden by an extension key; poisoned keys are
+  // dropped silently (an inbound extension map is a less-trusted shape
+  // than a hand-authored top-level key — a direct poisoned key still
+  // throws). A direct top-level key already present wins.
+  if (opts.extensions !== undefined && opts.extensions !== null) {
+    if (typeof opts.extensions !== "object" || Array.isArray(opts.extensions)) {
+      throw new ProblemDetailsError("problem-details/bad-extensions",
+        "create: extensions must be a plain object when provided", true);
+    }
+    var extKeys = Object.keys(opts.extensions);
+    for (i = 0; i < extKeys.length; i += 1) {
+      k = extKeys[i];
+      if (RESERVED_FIELDS.indexOf(k) !== -1) continue;
+      if (POISONED_KEYS.indexOf(k) !== -1) continue;
+      if (directKeys[k]) continue;
+      out[k] = opts.extensions[k];
+    }
   }
 
   return Object.freeze(out);
@@ -386,13 +424,20 @@ function respond(res, problem, req) {
  * `Cache-Control: no-store` are written; status code defaults to
  * 500 when omitted.
  *
+ * `extensions` keys are spread as top-level sibling members (RFC 9457
+ * §3.2) via `create` — the literal `extensions` member is never
+ * emitted. Keys colliding with the reserved `type` / `title` /
+ * `status` / `detail` / `instance` are ignored; prototype-pollution-
+ * shaped keys are dropped. A direct top-level key wins over the same
+ * name nested under `extensions`.
+ *
  * @opts
  *   status:    number,           // HTTP status code (100..599); default 500
  *   title:     string,           // operator-supplied short title
  *   detail:    string,           // operator-supplied human-readable explanation
  *   type:      string,           // problem-type URI (defaults to "about:blank")
  *   instance:  string,           // optional per-occurrence URI
- *   extensions: object,          // operator-specific extension fields
+ *   extensions: object,          // keys spread as top-level siblings (§3.2); direct top-level key wins on collision
  *
  * @example
  *   // Migrating from inline JSON-error shape:

package/lib/vendor/blamejs/lib/pubsub-cluster.js

@@ -24,18 +24,31 @@
 var clusterStorage = require("./cluster-storage");
 var C = require("./constants");
 var lazyRequire = require("./lazy-require");
+var validateOpts = require("./validate-opts");
+var { defineClass } = require("./framework-error");
 
 var logger = lazyRequire(function () { return require("./log").boot("pubsub-cluster"); });
 
+var PubsubError = defineClass("PubsubError");
+
 var DEFAULT_POLL_INTERVAL_MS = 100;
 var DEFAULT_RETENTION_MS     = C.TIME.minutes(1);
 var DEFAULT_PRUNE_EVERY_MS   = C.TIME.minutes(5);
 
 function create(opts) {
   var clusterInstance = opts.cluster;
-  var pollIntervalMs = Number(opts.pollIntervalMs) || DEFAULT_POLL_INTERVAL_MS;
-  var retentionMs    = Number(opts.retentionMs)    || DEFAULT_RETENTION_MS;
-  var pruneEveryMs   = Number(opts.pruneEveryMs)   || DEFAULT_PRUNE_EVERY_MS;
+  // Config-time: a typo (NaN-coercing string / negative / fractional) must
+  // surface at create, not silently fall back to the default and ship a
+  // mis-tuned poll loop. THROW on present-but-bad; absent keeps the default.
+  validateOpts.optionalPositiveInt(opts.pollIntervalMs,
+    "pubsub: pollIntervalMs", PubsubError, "BAD_OPT");
+  validateOpts.optionalPositiveInt(opts.retentionMs,
+    "pubsub: retentionMs", PubsubError, "BAD_OPT");
+  validateOpts.optionalPositiveInt(opts.pruneEveryMs,
+    "pubsub: pruneEveryMs", PubsubError, "BAD_OPT");
+  var pollIntervalMs = opts.pollIntervalMs !== undefined ? opts.pollIntervalMs : DEFAULT_POLL_INTERVAL_MS;
+  var retentionMs    = opts.retentionMs    !== undefined ? opts.retentionMs    : DEFAULT_RETENTION_MS;
+  var pruneEveryMs   = opts.pruneEveryMs   !== undefined ? opts.pruneEveryMs   : DEFAULT_PRUNE_EVERY_MS;
 
   var lastSeenId  = 0;
   var primed      = false;

package/lib/vendor/blamejs/lib/queue-sqs.js

@@ -50,6 +50,7 @@ var httpClient = require("./http-client");
 var cryptoField = require("./crypto-field");
 var safeJson = require("./safe-json");
 var safeUrl = require("./safe-url");
+var validateOpts = require("./validate-opts");
 var { generateToken } = require("./crypto");
 var { QueueError } = require("./framework-error");
 
@@ -102,8 +103,25 @@ function create(opts) {
   var accountId       = opts.accountId ? String(opts.accountId) : null;
   var timeoutMs       = opts.timeoutMs;
   var allowInternal   = opts.allowInternal != null ? opts.allowInternal : null;
-  var visibilityTimeoutSec = Number(opts.visibilityTimeoutSec) || DEFAULT_VISIBILITY_TIMEOUT_SEC;
-  var waitTimeSec     = Number(opts.waitTimeSec) || DEFAULT_WAIT_TIME_SEC;
+  // Config-time: a typo (NaN-coercing string / negative / fractional)
+  // must surface at create, not silently fall back to the default and ship
+  // a mis-tuned lease loop. THROW on present-but-bad; absent keeps default.
+  validateOpts.optionalPositiveInt(opts.visibilityTimeoutSec,
+    "queue-sqs: visibilityTimeoutSec", QueueError, "INVALID_CONFIG");
+  // waitTimeSec=0 is the valid SQS short-poll sentinel (the default), so a
+  // positive-int check would wrongly reject it — allow non-negative integers.
+  if (opts.waitTimeSec !== undefined &&
+      (typeof opts.waitTimeSec !== "number" || !isFinite(opts.waitTimeSec) ||
+       opts.waitTimeSec < 0 || Math.floor(opts.waitTimeSec) !== opts.waitTimeSec)) {
+    throw _err("INVALID_CONFIG",
+      "queue-sqs: waitTimeSec must be a non-negative integer (0 = short-poll), got " +
+      (typeof opts.waitTimeSec === "number" ? String(opts.waitTimeSec) : typeof opts.waitTimeSec),
+      true);
+  }
+  var visibilityTimeoutSec = opts.visibilityTimeoutSec !== undefined
+    ? opts.visibilityTimeoutSec : DEFAULT_VISIBILITY_TIMEOUT_SEC;
+  var waitTimeSec = opts.waitTimeSec !== undefined
+    ? opts.waitTimeSec : DEFAULT_WAIT_TIME_SEC;
 
   var queueUrlResolver = typeof opts.queueUrlByName === "function"
     ? opts.queueUrlByName

package/lib/vendor/blamejs/lib/redis-client.js

@@ -169,11 +169,36 @@ function create(opts) {
   var useTls = opts.tls !== undefined ? !!opts.tls : parsed.tls;
   var password = opts.password !== undefined ? opts.password : parsed.password;
   var username = opts.username !== undefined ? opts.username : parsed.username;
-  var db = opts.db !== undefined ? Number(opts.db) : parsed.db;
-  var connectTimeoutMs = Number(opts.connectTimeoutMs) || 5000;
-  var commandTimeoutMs = Number(opts.commandTimeoutMs) || 10000;
+  // Config-time entry-point opts: a bad type must fail at create() rather
+  // than coerce-or-default silently. connectTimeoutMs:"abc" → NaN would
+  // otherwise fall through to the default; a negative timeout would sail
+  // into setTimeout; maxReconnectAttempts:"abc" → NaN would make the
+  // `>= 0` reconnect-cap check below false and SILENTLY disable the bound
+  // (unbounded reconnects). db and maxReconnectAttempts must allow 0
+  // (db 0 = no SELECT; maxReconnectAttempts 0 = give up immediately).
+  if (opts.db !== undefined &&
+      (typeof opts.db !== "number" || !Number.isInteger(opts.db) || opts.db < 0)) {
+    throw _err("BAD_OPTS",
+      "redis.create: opts.db must be a non-negative integer, got " +
+      (typeof opts.db === "number" ? String(opts.db) : typeof opts.db));
+  }
+  if (opts.maxReconnectAttempts !== undefined &&
+      (typeof opts.maxReconnectAttempts !== "number" ||
+       !Number.isInteger(opts.maxReconnectAttempts) || opts.maxReconnectAttempts < 0)) {
+    throw _err("BAD_OPTS",
+      "redis.create: opts.maxReconnectAttempts must be a non-negative integer, got " +
+      (typeof opts.maxReconnectAttempts === "number"
+        ? String(opts.maxReconnectAttempts) : typeof opts.maxReconnectAttempts));
+  }
+  validateOpts.optionalPositiveInt(opts.connectTimeoutMs,
+    "redis.create: opts.connectTimeoutMs", RedisError, "BAD_OPTS");
+  validateOpts.optionalPositiveInt(opts.commandTimeoutMs,
+    "redis.create: opts.commandTimeoutMs", RedisError, "BAD_OPTS");
+  var db = opts.db !== undefined ? opts.db : parsed.db;
+  var connectTimeoutMs = opts.connectTimeoutMs !== undefined ? opts.connectTimeoutMs : 5000;
+  var commandTimeoutMs = opts.commandTimeoutMs !== undefined ? opts.commandTimeoutMs : 10000;
   var maxReconnectAttempts = opts.maxReconnectAttempts === undefined ? 10
-                                                                    : Number(opts.maxReconnectAttempts);
+                                                                    : opts.maxReconnectAttempts;
   // TLS verification controls. Operators using rediss:// against private
   // CAs (managed Redis services, on-prem clusters with internal PKI)
   // pin the trust roots via opts.ca; rejectUnauthorized stays on by
@@ -470,6 +495,9 @@ function create(opts) {
         pending:   pending.length, backlog: backlog.length,
         reconnect: reconnectAttempt,
         host:      host, port: port, db: db, tls: useTls,
+        connectTimeoutMs:     connectTimeoutMs,
+        commandTimeoutMs:     commandTimeoutMs,
+        maxReconnectAttempts: maxReconnectAttempts,
       };
     },
   };

package/lib/vendor/blamejs/lib/safe-redirect.js

@@ -76,8 +76,21 @@ function resolve(rawTarget, opts) {
   // Full URL — parse and check against allowlist.
   var allowedOrigins = Array.isArray(opts.allowedOrigins) ? opts.allowedOrigins : null;
   var allowedHosts   = Array.isArray(opts.allowedHosts)   ? opts.allowedHosts   : null;
-  if (!allowedOrigins && !allowedHosts) {
-    // Operator gave no allowlist — refuse all full URLs (the safe default).
+
+  // The application's own origin (opts.base) is same-origin by
+  // definition, so a full URL pointing at it is safe even when the
+  // operator supplied no explicit allowedOrigins / allowedHosts. Derive
+  // the origin from base and treat it as an implicitly-allowed origin.
+  var baseOrigin = null;
+  if (typeof opts.base === "string" && opts.base.length > 0) {
+    try {
+      baseOrigin = safeUrl.parse(opts.base, { allowedProtocols: safeUrl.ALLOW_HTTP_TLS }).origin;
+    } catch (_e) { baseOrigin = null; }
+  }
+
+  if (!allowedOrigins && !allowedHosts && baseOrigin === null) {
+    // Operator gave no allowlist and no usable base — refuse all full
+    // URLs (the safe default).
     return fallback;
   }
 
@@ -85,6 +98,7 @@ function resolve(rawTarget, opts) {
   try { parsed = safeUrl.parse(rawTarget, { allowedProtocols: safeUrl.ALLOW_HTTP_TLS }); }
   catch (_e) { return fallback; }
 
+  if (baseOrigin !== null && parsed.origin === baseOrigin) return rawTarget;
   if (allowedOrigins) {
     for (var i = 0; i < allowedOrigins.length; i += 1) {
       if (parsed.origin === allowedOrigins[i]) return rawTarget;

package/lib/vendor/blamejs/memory/specs/node-26-map-getorinsert-migration.md

@@ -94,6 +94,7 @@ shapes, no get-or-insert.)
 | `lib/mail-server-rate-limit.js`   | 209, 261, 291      | `connectionTimes` / `authFailureTimes` / `rcptFailureTimes` | `[]` (array)     |
 | `lib/middleware/rate-limit.js`    | 130                | `buckets`                                                  | object-literal   |
 | `lib/network-byte-quota.js`       | 82                 | `store`                                                    | `_newEntry()`    |
+| `lib/crypto-field.js`             | 592                | `_rateFailWindows` (in `_rateNoteFailure`)                 | `[]` (array)     |
 
 ### Pubsub / websocket-channels
 
@@ -111,8 +112,8 @@ shapes, no get-or-insert.)
 
 ### Totals
 
-- **Migratable call sites:** ~17 across 11 files (variants A + B; metrics + rate-limit + otel each have multiple sites per file).
-- **Files allowlisted (migratable):** 12 (`cache.js`, `deprecate.js`, `i18n-messageformat.js`, `i18n.js`, `mail-server-rate-limit.js`, `metrics.js`, `middleware/rate-limit.js`, `network-byte-quota.js`, `observability-otlp-exporter.js`, `otel-export.js`, `pubsub.js`, `websocket-channels.js`).
+- **Migratable call sites:** ~18 across 12 files (variants A + B; metrics + rate-limit + otel each have multiple sites per file).
+- **Files allowlisted (migratable):** 13 (`cache.js`, `crypto-field.js`, `deprecate.js`, `i18n-messageformat.js`, `i18n.js`, `mail-server-rate-limit.js`, `metrics.js`, `middleware/rate-limit.js`, `network-byte-quota.js`, `observability-otlp-exporter.js`, `otel-export.js`, `pubsub.js`, `websocket-channels.js`).
 - **Files allowlisted (do-not-migrate edge cases):** 2 (`mail-greylist.js`, `dsr.js`).
 
 The user-supplied "~137 sites across 80+ files" figure was an estimate

package/lib/vendor/blamejs/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@blamejs/core",
-  "version": "0.14.19",
+  "version": "0.14.21",
   "description": "The Node framework that owns its stack.",
   "license": "Apache-2.0",
   "author": "blamejs contributors",

package/lib/vendor/blamejs/release-notes/v0.14.20.json

@@ -0,0 +1,73 @@
+{
+  "$schema": "../scripts/release-notes-schema.json",
+  "version": "0.14.20",
+  "date": "2026-06-02",
+  "headline": "OAuth Rich Authorization Requests and client attestation, a sealed-field unseal rate cap, DMARC forensic-report parsing, monitor-mode browser-isolation headers, and FedCM / Storage-Access fetch-metadata",
+  "summary": "This release extends several standards surfaces the framework already covered in part. The OAuth client gains RFC 9396 Rich Authorization Requests: a typed `authorizationDetails` array is validated before the request and the granted details in the token response are cross-checked, refusing a grant the OP broadened beyond what was asked. The client also gains the OAuth 2.0 Attestation-Based Client Authentication primitives — it can build the `OAuth-Client-Attestation` / `-PoP` JWT pair and verify an inbound attestation. Sealed-field reads gain an opt-in unseal-failure rate cap that throttles a decryption-oracle / brute-force burst against attacker-written sealed columns (CWE-307). The inbound mail stack gains a DMARC forensic (RUF) report parser, the inverse of the aggregate-report parser. On the browser side, the security-headers middleware adds report-only COOP / COEP / Document-Policy variants for safe cross-origin-isolation rollout plus the embedder Require-Document-Policy and Service-Worker-Allowed headers, and the fetch-metadata middleware recognizes the FedCM `webidentity` destination and the Storage-Access request headers first-class. Observability adds a batch of current OpenTelemetry semantic-convention attributes. Every addition is additive or opt-in: an operator who sets no new option, and configures no rate cap, sees prior behavior unchanged.",
+  "sections": [
+    {
+      "heading": "Added",
+      "items": [
+        {
+          "title": "OAuth client: RFC 9396 Rich Authorization Requests (`authorizationDetails`)",
+          "body": "The OAuth / OIDC client accepts an `authorizationDetails` array (RFC 9396 §2 — each element a typed object) on the authorization and pushed-authorization-request paths; it is validated at config time (every element must be an object carrying a string `type`) and serialized as the `authorization_details` parameter, with a cap on the serialized payload. When `verifyAuthorizationDetails` is set, the granted `authorization_details` returned in the token response (RFC 9396 §7) is cross-checked against the request, and a grant that exceeds what was requested is refused — defending against an upstream broadened-grant privilege escalation. Without `authorizationDetails`, the request is unchanged."
+        },
+        {
+          "title": "OAuth 2.0 Attestation-Based Client Authentication",
+          "body": "`b.auth.oauth.buildClientAttestation` and `buildClientAttestationPop` mint the `OAuth-Client-Attestation` JWT (a client-backend-signed assertion binding a per-instance key, `typ: oauth-client-attestation+jwt`) and its per-instance `OAuth-Client-Attestation-PoP` proof; `verifyClientAttestation` validates the pair, including the alg allowlist (`ATTESTATION_ALGS`), the audience, and a constant-time `jti` check. This is the wallet / per-device client-authentication shape used in OpenID4VCI and the EUDI Wallet, an alternative to a shared `client_secret`."
+        },
+        {
+          "title": "`b.cryptoField.configureUnsealRateCap` — sealed-field decryption-oracle throttle",
+          "body": "An opt-in per-(actor, table, column) sliding-window cap on sealed-column unseal failures. A DB-write attacker who can place crafted `vault:` / `vault.aad:` bytes in sealed columns can force KEM decapsulation / AEAD verification on attacker-controlled input on every read; past `threshold` failures within `windowMs`, further unseal attempts for that tuple are refused for `cooldownMs` with a typed `CryptoFieldRateError` and a distinct `system.crypto.unseal_rate_exceeded` audit event (CWE-307; OWASP ASVS v5 §2.2.1; NIST SP 800-63B §5.2.2). Default off — with no cap configured, `unsealRow` behaves exactly as before (null the field, emit `system.crypto.unseal_failed`); the cap is count-based and lazily pruned, with no background timer."
+        },
+        {
+          "title": "`b.mail.dmarc.parseForensicReport` — RFC 6591 forensic (RUF) report parser",
+          "body": "Parses a DMARC failure (forensic) report: a `multipart/report; report-type=feedback-report` message (RFC 6591 §3) whose `message/feedback-report` subpart carries the `Feedback-Type: auth-failure` fields, with the required-field set validated (`Auth-Failure` and the other §3.1 fields) and a part-count and byte cap bounding a hostile report. It is the inbound inverse of the aggregate-report path, so an operator ingesting RUF mail has a parser symmetric with the existing aggregate parser and the v0.14.19 aggregate builder."
+        },
+        {
+          "title": "Monitor-mode cross-origin-isolation and embedder headers",
+          "body": "`b.middleware.securityHeaders` gains `coopReportOnly`, `coepReportOnly`, and `documentPolicyReportOnly` — set a policy string to emit the matching `*-Report-Only` header so a UA evaluates and reports violations without enforcing, the safe way to stage a COOP / COEP / Document-Policy rollout (WHATWG HTML cross-origin isolation; W3C Document Policy). `requireDocumentPolicy` emits the embedder `Require-Document-Policy` a parent demands of subframes, and `serviceWorkerAllowed` emits `Service-Worker-Allowed` to broaden a service worker's registration scope (W3C Service Workers). All default off."
+        },
+        {
+          "title": "fetch-metadata: FedCM `webidentity` and Storage-Access headers",
+          "body": "`b.middleware.fetchMetadata` recognizes the `webidentity` `Sec-Fetch-Dest` (a FedCM credentialed request) first-class and adds `deniedDest` — a list of destinations refused outright on the gated methods regardless of site, so a `webidentity` request hitting a route that is not an identity endpoint is refused. `allowStorageAccess` (default true) governs whether a request carrying `Sec-Fetch-Storage-Access: active` / `inactive` (the Storage Access API headers) is allowed, and `strictDest` throws at config time on an `allowedDest` / `deniedDest` value outside the known `Sec-Fetch-Dest` vocabulary, catching a typo at boot."
+        },
+        {
+          "title": "OpenTelemetry semantic-convention attributes",
+          "body": "The observability semantic-convention map gains a batch of current stable attributes: `peer.service`, the `faas.*` function attributes (`name` / `version` / `instance` / `trigger`), `deployment.environment.name`, `telemetry.distro.*`, `otel.scope.*`, and a Kubernetes subset (`k8s.cluster.name` and the node / container / cronjob / daemonset / job / replicaset / statefulset names), so a span or metric carrying these keys is recognized and emitted under the canonical name."
+        }
+      ]
+    },
+    {
+      "heading": "Fixed",
+      "items": [
+        {
+          "title": "`b.auth.sdJwtVc.holder` signed the key-binding JWT with a non-key-derived algorithm",
+          "body": "The holder helper defaulted the key-binding JWT (KB-JWT) signing algorithm to a fixed `ES256` regardless of the holder key type, so a non-EC-P-256 holder key produced a presentation that either could not be built (an Ed25519 or P-384 key) or whose KB-JWT header advertised `ES256` while the signature used the actual key — a self-invalid token a verifier rejects. The algorithm is now derived from the holder key: ES256 / ES384 by EC curve, EdDSA for Ed25519 / Ed448, and ML-DSA-87 / ML-DSA-65 for an ML-DSA key. An RSA holder key, which has no supported KB-JWT algorithm, is refused at `holder.create` with a clear error instead of producing a broken presentation. An EC P-256 holder key, and any explicit `algorithm`, behave exactly as before."
+        }
+      ]
+    },
+    {
+      "heading": "Security",
+      "items": [
+        {
+          "title": "Throttle a sealed-column decryption oracle (opt-in)",
+          "body": "`b.cryptoField.configureUnsealRateCap` lets an operator bound repeated unseal failures against sealed columns, so an attacker who can write crafted bytes into a sealed field cannot hammer the KEM / AEAD verify path indefinitely while only an off-band alert rule notices the burst (CWE-307). It is opt-in because a sensible threshold and window depend on a deployment's legitimate sealed-read volume; the always-on defense (null the field plus an audit event on every unseal failure) is unchanged."
+        },
+        {
+          "title": "Refuse a broadened OAuth grant",
+          "body": "With `verifyAuthorizationDetails` enabled, the OAuth client refuses a token response whose granted `authorization_details` exceed the requested set (RFC 9396 §7), so a compromised or misbehaving authorization server cannot silently widen a client's authorization beyond what the request asked for."
+        }
+      ]
+    },
+    {
+      "heading": "Migration",
+      "items": [
+        {
+          "title": "No action required; additions are additive or opt-in",
+          "body": "The OAuth `authorizationDetails` request parameter, the granted-details cross-check, the client-attestation builders / verifier, the sealed-field unseal rate cap, the DMARC forensic-report parser, the monitor-mode and embedder browser headers, the fetch-metadata FedCM / Storage-Access options, and the new OpenTelemetry attribute keys are all additive or opt-in. A client that passes no `authorizationDetails`, an operator who calls no `configureUnsealRateCap`, and a security-headers / fetch-metadata configuration that sets none of the new options all see prior behavior byte-for-byte unchanged. The one behavior change is the SD-JWT VC holder fix: a `b.auth.sdJwtVc.holder` built with an RSA holder key is now refused at `holder.create` (RSA has no supported KB-JWT algorithm; it previously produced a self-invalid presentation) — switch such a holder to an EC P-256 / P-384, Ed25519, or ML-DSA key. EC P-256 holders and any explicit `algorithm` are unaffected."
+        }
+      ]
+    }
+  ]
+}

package/lib/vendor/blamejs/release-notes/v0.14.21.json

@@ -0,0 +1,98 @@
+{
+  "$schema": "../scripts/release-notes-schema.json",
+  "version": "0.14.21",
+  "date": "2026-06-04",
+  "headline": "SCIM Bulk forward references, an atomic api-encrypt replay gate, OID4VCI `x5c` proofs, HEAD responses without bodies, and a sweep that makes every accepted option do what its documentation says",
+  "summary": "This release closes correctness and conformance gaps across recently shipped standards surfaces, plus a framework-wide sweep for options that were accepted but never read. SCIM `/Bulk` resolves `bulkId` cross-references regardless of operation order; the `apiEncrypt` middleware closes a concurrent-replay window on multi-replica session stores and validates its numeric options at boot; OID4VCI accepts `x5c` holder-key binding; `problemDetails` spreads its documented `extensions` object as RFC 9457 sibling members; `openapiServe` / `asyncapiServe` answer HEAD without a body; and a batch of entry points now throw on mistyped numeric options instead of silently defaulting. Options whose documented behavior was never implemented are now wired; options that could never do anything are removed and refuse as unknown.",
+  "sections": [
+    {
+      "heading": "Fixed",
+      "items": [
+        {
+          "title": "SCIM `/Bulk` resolves `bulkId` cross-references regardless of operation order (RFC 7644 §3.7.2)",
+          "body": "Forward references (an operation referencing a resource a later operation creates — the shape Okta and Entra emit) now execute in dependency order; circular references are refused with status 409; a reference to an undeclared `bulkId`, or to an operation that failed, fails that operation with `invalidValue`. References are resolved on BOTH surfaces the spec allows: operation data (`\"value\": \"bulkId:u1\"`) and the operation path (`PATCH /Groups/bulkId:g1` targeting a group created in the same request) — path references order, substitute, and fail exactly like data references. Previously an unresolvable reference passed the literal `bulkId:<id>` token through to your resource adapter as if it were a real id. The Bulk response keeps results in original request order, and `failOnErrors` still short-circuits."
+        },
+        {
+          "title": "OID4VCI `x5c` holder-key binding implemented (RFC 7515 §4.1.6; OID4VCI §8.2.1.1)",
+          "body": "The proof-JWT verifier named `x5c` as a valid holder-key binding in its own error message but always refused `x5c`-only proofs. The certificate chain is now shape-validated (standard base64 DER, leaf first), the leaf certificate's public key becomes the holder key at the same self-asserted trust level as an inline `jwk`, and a new optional `validateX5c(chainDerBuffers, header)` hook lets the issuer enforce chain trust (PKI anchoring, EKU checks, attestation-CA allowlists) before the key is accepted."
+        },
+        {
+          "title": "OID4VCI expired `c_nonce` refuses with a typed error",
+          "body": "A wallet whose access token outlived the shorter `c_nonce` TTL hit an untyped `TypeError` from the nonce comparison; issuance now refuses with `auth-oid4vci/c-nonce-expired` so handlers keying on typed codes respond correctly. The refusal direction is unchanged — no credential was ever minted on this path."
+        },
+        {
+          "title": "OID4VP DCQL numeric claim-path segments must be non-negative integers (OpenID4VP 1.0 §7.1.1)",
+          "body": "A query carrying `-1`, `1.5`, `NaN`, or `Infinity` as an array-index segment previously validated and then silently never matched; it now throws at build time, surfacing the malformed query to the verifier author instead of degrading to a silent non-match."
+        },
+        {
+          "title": "`problemDetails` `extensions` spread as sibling members (RFC 9457 §3.2)",
+          "body": "`send` and `create` documented an `extensions` object as the way to attach extension members, but emitted it as a literal nested `extensions` member instead. The keys now land as top-level siblings; reserved fields (`type` / `title` / `status` / `detail` / `instance`) cannot be overridden by an extension key, prototype-pollution-shaped keys are dropped, and a direct top-level key wins on collision."
+        },
+        {
+          "title": "`cspReport` honors `audit: false`",
+          "body": "The documented audit knob was accepted but never read; the `csp.violation` audit row fired unconditionally for every report. `audit: false` now suppresses the row while reports are still normalized and delivered to `onReport`. The default (audit on) is unchanged, and `maxBytes` now throws at config time on a non-positive-integer value instead of silently reverting to 64 KiB."
+        },
+        {
+          "title": "`openapiServe` / `asyncapiServe` HEAD responses carry no body (RFC 9110 §9.3.2)",
+          "body": "Both middlewares advertised GET/HEAD but answered HEAD with the full JSON / YAML document as a body. HEAD now returns the GET headers (including `Content-Length`) with an empty body, matching the rest of the framework's document-serving middlewares."
+        },
+        {
+          "title": "Config-time numeric options throw on bad input across entry points",
+          "body": "A mistyped numeric option now throws at `create()` instead of silently becoming the default or garbage downstream: `scimServer` `maxPageSize` (a non-number propagated `NaN` into your `impl.list({ count })` and `ServiceProviderConfig`), `mail.send.deliver` `retry.maxAttempts` / `timeouts.mxLookupMs` / `timeouts.perHostMs`, the `redis` client `db` / `connectTimeoutMs` / `commandTimeoutMs` / `maxReconnectAttempts` (a non-numeric value made the reconnect-cap check false and silently disabled the bound entirely), `pubsub` cluster `pollIntervalMs` / `retentionMs` / `pruneEveryMs`, and SQS queue `visibilityTimeoutSec` / `waitTimeSec` (`0` short-polling stays valid)."
+        },
+        {
+          "title": "Accepted-but-unread options now do what their documentation says",
+          "body": "The db-backed `config` reloader's `audit` knob gates its `config.reload.*` rows; `honeytoken` honors the documented injectable audit sink (`{ audit: yourSink }`) instead of always emitting to the global sink; `dora`'s `observability` knob gates its report counter, and that counter now actually emits (it previously called a method the observability module doesn't export, and the failure was swallowed); flag evaluation-context `tenantKey` sets the tenant axis; the WCAG `aria` / `forms` / `tables` sub-scanners stamp `scopeUrl` on every finding so direct callers can correlate findings to a source document; `safeRedirect`'s documented `base` lets a same-origin absolute URL pass without an explicit allowlist (cross-origin still refused); and object-store bucket operations honor a per-call `actor` override on audit rows."
+        }
+      ]
+    },
+    {
+      "heading": "Removed",
+      "items": [
+        {
+          "title": "Options that could never do anything now refuse as unknown",
+          "body": "The sweep removed accepted-but-impossible option keys: the `securityTxt` / `traceLogCorrelation` / tracer / TLS-RPT `audit` keys (these surfaces emit no audit rows), TLS-RPT `reportingMta` (not an RFC 8460 report field), `dsr.create` `observability` and create-time `verifyContext` (the per-call `process()` option of the same name is unchanged), `breakGlass.init` `now` (a single init-time timestamp cannot coherently override later time reads), WCAG `checkAll`, mail-deploy `compliance`, and bucket-ops `ca` (TLS trust is owned by the PQC agent — use `NODE_EXTRA_CA_CERTS` or `opts.agent`). Passing one of these now throws the standard unknown-option error."
+        }
+      ]
+    },
+    {
+      "heading": "Security",
+      "items": [
+        {
+          "title": "api-encrypt concurrent-replay window closed (CWE-367)",
+          "body": "On a multi-replica session store, two concurrent requests carrying the same valid counter could both pass the monotonic replay check and execute twice — an attacker who captured one encrypted request could replay it concurrently and have a non-idempotent route run twice. The per-session path now claims each `(session, counter)` tuple through the same atomic nonce store the bootstrap path uses; exactly one concurrent request wins and the loser is refused with the standard rejection shape. The claim lives until the session expires (not just the staleness window), so a failed best-effort session write cannot re-open the tuple for late replay. The bootstrap response counter is also persisted correctly on serializing session stores, fixing a response-replay false positive on the second request of a session."
+        },
+        {
+          "title": "api-encrypt envelope metadata is authenticated (AEAD-bound)",
+          "body": "The envelope's plaintext fields — `_ts`, `_nonce`, `_sid`, `_ctr` — were not bound into the ciphertext, so a captured request could be replayed past the staleness window with a rewritten `_ts`, and a captured response could be replayed to the client under a bumped `_ctr` (the client's monotonic check reads the plaintext field). Every request and response envelope now binds its metadata as AEAD associated data on both protocol halves; any rewrite fails authenticated decryption and is refused (server: standard rejection; client: typed `CLIENT_RESPONSE_TAMPERED`). The client also advances its response counter only after authenticated decryption, so a refused forgery cannot poison the monotonic check and block subsequent genuine responses."
+        },
+        {
+          "title": "api-encrypt numeric options validated at boot",
+          "body": "A mistyped `replayWindowMs` (for example the string `\"5m\"`) made the timestamp-staleness comparison always false and silently disabled that replay defense. `replayWindowMs`, `maxDecryptedBytes`, and `pruneIntervalMs` now throw at config time across `create`, `client`, and `httpClient.encrypted`."
+        }
+      ]
+    },
+    {
+      "heading": "Detectors",
+      "items": [
+        {
+          "title": "Three new codebase-pattern gates",
+          "body": "An option key accepted by a validation allowlist must be read by the file that accepts it (an accepted-but-never-read key is an advertised knob with no implementation); entry-point numeric options must validate rather than coerce-or-default (`Number(opts.x) || DEFAULT` swallows exactly the typo the config-time tier exists to surface); and a dispatcher that admits HEAD must suppress the response body somewhere in the same file."
+        }
+      ]
+    },
+    {
+      "heading": "Migration",
+      "items": [
+        {
+          "title": "Delete removed option keys; everything else is a behavioral fix or additive",
+          "body": "If you pass one of the removed keys listed under Removed, delete it — it did nothing before and now throws the standard unknown-option error. Callers passing valid options see conforming behavior with no code change; the new `validateX5c` hook and the per-finding `scopeUrl` stamp are additive."
+        },
+        {
+          "title": "apiEncrypt middleware and client must upgrade together",
+          "body": "Binding the envelope metadata into the AEAD changes what the ciphertext authenticates, so a pre-0.14.21 client cannot talk to a 0.14.21 middleware or vice versa — mixed-version peers fail authenticated decryption and are refused. Both halves ship in this package; a single service upgrading normally is unaffected. If separate services pin different framework versions and speak apiEncrypt to each other, upgrade them together."
+        }
+      ]
+    }
+  ]
+}