npm - @blamejs/blamejs-shop - Versions diffs - 0.3.69 → 0.3.71 - Mend

@blamejs/blamejs-shop 0.3.69 → 0.3.71

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (92) hide show

package/lib/vendor/blamejs/test/layer-0-primitives/fetch-metadata.test.js ADDED Viewed

@@ -0,0 +1,190 @@
+"use strict";
+/**
+ * b.middleware.fetchMetadata — Sec-Fetch-* resource-isolation gate.
+ *
+ * Covers the destination-vocabulary surface added for FedCM /
+ * Storage Access API traffic (Fetch Metadata Request Headers spec):
+ *
+ *   - default behavior unchanged when the new opts are unset;
+ *   - deniedDest refuses a "webidentity" (FedCM) Sec-Fetch-Dest on a
+ *     non-identity route, regardless of Sec-Fetch-Site;
+ *   - allowStorageAccess:false refuses the cross-site
+ *     Sec-Fetch-Storage-Access: active|inactive escalation, and "none"
+ *     passes through;
+ *   - strictDest throws at config time on an unknown destination value;
+ *   - membership tests are exact (no substring / prototype-pollution
+ *     bypass).
+ */
+var helpers   = require("../helpers");
+var b         = helpers.b;
+var check     = helpers.check;
+var _bodyReq  = helpers._bodyReq;
+var _bodyRes  = helpers._bodyRes;
+function _run(mw, req, res) {
+  return new Promise(function (resolve) {
+    var settled = false;
+    function done(via) {
+      if (settled) return;
+      settled = true;
+      resolve({ next: via === "next", status: res._endedStatus, captured: res._captured });
+    }
+    // Register the finish listener BEFORE invoking the middleware: the
+    // refusal path is fully synchronous (writeHead + end → emit "finish")
+    // so a listener attached after mw() would miss the event entirely.
+    res.on("finish", function () { done("finish"); });
+    mw(req, res, function () { done("next"); });
+  });
+}
+function _post(headers) {
+  return _bodyReq("POST", headers || {}, "");
+}
+function _reason(captured) {
+  try { return JSON.parse(captured || "{}").error || ""; }
+  catch (_e) { return ""; }
+}
+// Default surface: opts unset → prior behavior is preserved. A FedCM
+// webidentity Sec-Fetch-Dest cross-site is still refused by the existing
+// cross-site rule (not by the new deniedDest path), and a same-origin
+// webidentity passes through.
+async function testDefaultUnchanged() {
+  check("middleware.fetchMetadata exposed",
+        typeof b.middleware.fetchMetadata === "function");
+  var mw = b.middleware.fetchMetadata({});
+  var sameOrigin = await _run(mw, _post({
+    "sec-fetch-site": "same-origin", "sec-fetch-dest": "webidentity",
+  }), _bodyRes());
+  check("same-origin webidentity passes through by default",
+        sameOrigin.next === true);
+  var cross = await _run(mw, _post({
+    "sec-fetch-site": "cross-site", "sec-fetch-dest": "webidentity",
+  }), _bodyRes());
+  check("cross-site request still refused by default (unchanged)",
+        cross.next === false && cross.status === 403);
+}
+// deniedDest gates webidentity first-class — refused even when the
+// request is same-origin (a route that is not a FedCM endpoint should
+// never see a webidentity destination).
+async function testDeniedDestWebIdentity() {
+  var mw = b.middleware.fetchMetadata({ deniedDest: ["webidentity"] });
+  var denied = await _run(mw, _post({
+    "sec-fetch-site": "same-origin", "sec-fetch-dest": "webidentity",
+  }), _bodyRes());
+  check("deniedDest webidentity → 403 even same-origin",
+        denied.next === false && denied.status === 403);
+  check("deniedDest refusal carries the dest-not-allowed message",
+        /destination not allowed/i.test(_reason(denied.captured)));
+  // A non-denied destination on the same gate still passes through.
+  var allowed = await _run(mw, _post({
+    "sec-fetch-site": "same-origin", "sec-fetch-dest": "document",
+  }), _bodyRes());
+  check("non-denied destination passes through with deniedDest set",
+        allowed.next === true);
+}
+// Storage Access API escalation: active|inactive refused when
+// allowStorageAccess:false; none passes through; default (unset) lets it
+// through.
+async function testStorageAccessGate() {
+  var strict = b.middleware.fetchMetadata({ allowStorageAccess: false });
+  var active = await _run(strict, _post({
+    "sec-fetch-site": "cross-site", "sec-fetch-storage-access": "active",
+  }), _bodyRes());
+  check("allowStorageAccess:false refuses cross-site active escalation",
+        active.next === false && active.status === 403 &&
+        /storage access/i.test(_reason(active.captured)));
+  var inactive = await _run(strict, _post({
+    "sec-fetch-site": "cross-site", "sec-fetch-storage-access": "inactive",
+  }), _bodyRes());
+  check("allowStorageAccess:false refuses cross-site inactive escalation",
+        inactive.next === false && inactive.status === 403);
+  var none = await _run(strict, _post({
+    "sec-fetch-site": "same-origin", "sec-fetch-storage-access": "none",
+  }), _bodyRes());
+  check("storage-access none on same-origin passes through",
+        none.next === true);
+  // Default (opt unset) does not refuse the escalation.
+  var dflt = b.middleware.fetchMetadata({ allowCrossSite: true });
+  var permitted = await _run(dflt, _post({
+    "sec-fetch-site": "cross-site", "sec-fetch-storage-access": "active",
+  }), _bodyRes());
+  check("storage-access escalation permitted by default",
+        permitted.next === true);
+}
+// strictDest is a config-time tier opt — an unknown Sec-Fetch-Dest value
+// throws at construction so an operator typo surfaces at boot.
+function testStrictDestThrows() {
+  var threw = null;
+  try {
+    b.middleware.fetchMetadata({ strictDest: true, deniedDest: ["web-identity"] });
+  } catch (e) { threw = e; }
+  check("strictDest rejects an unknown Sec-Fetch-Dest value at config time",
+        threw && /not a known Sec-Fetch-Dest value/.test(threw.message || ""));
+  // A known value under strictDest constructs cleanly.
+  var ok = true;
+  try {
+    b.middleware.fetchMetadata({ strictDest: true, deniedDest: ["webidentity"], allowedDest: ["empty"] });
+  } catch (_e) { ok = false; }
+  check("strictDest accepts known destination values", ok === true);
+}
+// Exact membership — a header value that is a substring of, or a
+// prototype name relative to, a denied value must NOT match.
+async function testExactMembershipNoBypass() {
+  var mw = b.middleware.fetchMetadata({ deniedDest: ["webidentity"] });
+  // Substring of the denied value — must not be treated as denied.
+  var substr = await _run(mw, _post({
+    "sec-fetch-site": "same-origin", "sec-fetch-dest": "web",
+  }), _bodyRes());
+  check("substring of a denied dest is not refused (exact match only)",
+        substr.next === true);
+  // Prototype-name header value must not satisfy the membership map.
+  var proto = await _run(mw, _post({
+    "sec-fetch-site": "same-origin", "sec-fetch-dest": "__proto__",
+  }), _bodyRes());
+  check("__proto__ as Sec-Fetch-Dest does not match the deny map",
+        proto.next === true);
+  // deniedDest rejects a prototype-name value at config time (non-empty
+  // string array validation passes it; it simply never matches a real
+  // header). Construction with such a value must not pollute.
+  var safe = b.middleware.fetchMetadata({ deniedDest: ["constructor"] });
+  var plain = await _run(safe, _post({
+    "sec-fetch-site": "same-origin", "sec-fetch-dest": "image",
+  }), _bodyRes());
+  check("deniedDest with a reserved-name entry does not pollute the map",
+        plain.next === true);
+}
+async function run() {
+  await testDefaultUnchanged();
+  await testDeniedDestWebIdentity();
+  await testStorageAccessGate();
+  testStrictDestThrows();
+  await testExactMembershipNoBypass();
+}
+module.exports = { run: run };
+if (require.main === module) {
+  run().then(function () { console.log("OK"); })
+       .catch(function (e) { process.exitCode = 1; throw e; });
+}

package/lib/vendor/blamejs/test/layer-0-primitives/flag.test.js CHANGED Viewed

@@ -145,6 +145,29 @@ function run() {
   var ctxAnon = b.flag.context.fromRequest({ headers: { "x-forwarded-for": "1.2.3.4", "user-agent": "ua" } });
   check("fromRequest: anon targetingKey",        ctxAnon.targetingKey.indexOf("anon:") === 0);
+  // explicit tenantKey supplies the tenant id (gateway-resolved tenancy)
+  var ctxTenant = b.flag.context.fromRequest(
+    { user: { id: "u-1" }, headers: {} },
+    { tenantKey: "tenant-explicit" });
+  check("fromRequest: tenantKey sets tenantId",  ctxTenant.tenantId === "tenant-explicit");
+  // tenantKey overrides the tenant id derived from req.user.tenantId
+  var ctxTenantOverride = b.flag.context.fromRequest(
+    { user: { id: "u-2", tenantId: "from-user" }, headers: {} },
+    { tenantKey: "from-opts" });
+  check("fromRequest: tenantKey overrides req.user.tenantId", ctxTenantOverride.tenantId === "from-opts");
+  // default unchanged: no tenantKey → tenantId still derived from req.user
+  var ctxTenantDefault = b.flag.context.fromRequest(
+    { user: { id: "u-3", tenantId: "user-tenant" }, headers: {} });
+  check("fromRequest: no tenantKey keeps req.user.tenantId", ctxTenantDefault.tenantId === "user-tenant");
+  // empty-string tenantKey is ignored (falls back to req.user.tenantId)
+  var ctxTenantEmpty = b.flag.context.fromRequest(
+    { user: { id: "u-4", tenantId: "user-tenant" }, headers: {} },
+    { tenantKey: "" });
+  check("fromRequest: empty tenantKey ignored",  ctxTenantEmpty.tenantId === "user-tenant");
   // ---- targeting evaluation ----
   var t = b.flag.targeting;
   check("targeting.VALID_OPS",                   Array.isArray(t.VALID_OPS) && t.VALID_OPS.length > 10);

package/lib/vendor/blamejs/test/layer-0-primitives/guard-html-wcag.test.js CHANGED Viewed

@@ -331,6 +331,62 @@ function testFindingFields() {
         imgFinding && imgFinding.level === "A");
 }
+// ---- de-advertised opts ----
+function testAuditRejectsCheckAll() {
+  // checkAll was an accepted-but-never-read knob; it is no longer in the
+  // validateOpts allowlist, so passing it is now a config-time error.
+  var threw = false;
+  try { wcag.audit("<html lang=\"en\"><head><title>Real page title</title></head><body></body></html>",
+                   { checkAll: true }); }
+  catch (_e) { threw = true; }
+  check("audit: unknown checkAll opt throws", threw);
+}
+// ---- scopeUrl stamped onto sub-scanner findings ----
+function testSubScannerScopeUrlStamped() {
+  var url = "https://example.com/page";
+  var ariaFindings = wcag.aria.audit('<div role="invalidrole"></div>', { scopeUrl: url });
+  check("aria sub-scanner: scopeUrl stamped on finding",
+        ariaFindings.length >= 1 &&
+        ariaFindings.every(function (f) { return f.scopeUrl === url; }));
+  var tableFindings = wcag.tables.audit('<table><tbody><tr><td>1</td></tr></tbody></table>', { scopeUrl: url });
+  check("tables sub-scanner: scopeUrl stamped on finding",
+        tableFindings.length >= 1 &&
+        tableFindings.every(function (f) { return f.scopeUrl === url; }));
+  var formFindings = wcag.forms.audit('<textarea></textarea>', { scopeUrl: url });
+  check("forms sub-scanner: scopeUrl stamped on finding",
+        formFindings.length >= 1 &&
+        formFindings.every(function (f) { return f.scopeUrl === url; }));
+}
+function testSubScannerScopeUrlDefaultUnchanged() {
+  // No scopeUrl → findings carry no scopeUrl field (default behavior).
+  var ariaFindings = wcag.aria.audit('<div role="invalidrole"></div>');
+  check("aria sub-scanner: no scopeUrl field by default",
+        ariaFindings.length >= 1 &&
+        ariaFindings.every(function (f) { return f.scopeUrl === undefined; }));
+  var tableFindings = wcag.tables.audit('<table><tbody><tr><td>1</td></tr></tbody></table>');
+  check("tables sub-scanner: no scopeUrl field by default",
+        tableFindings.length >= 1 &&
+        tableFindings.every(function (f) { return f.scopeUrl === undefined; }));
+  var formFindings = wcag.forms.audit('<textarea></textarea>');
+  check("forms sub-scanner: no scopeUrl field by default",
+        formFindings.length >= 1 &&
+        formFindings.every(function (f) { return f.scopeUrl === undefined; }));
+  // Empty-string scopeUrl is treated as absent (no stamp).
+  var emptyScope = wcag.aria.audit('<div role="invalidrole"></div>', { scopeUrl: "" });
+  check("aria sub-scanner: empty scopeUrl not stamped",
+        emptyScope.every(function (f) { return f.scopeUrl === undefined; }));
+}
 // ---- SC registry ----
 function testRegistryShape() {
@@ -820,6 +876,9 @@ function testFormsStandalone() {
   testScoreFullClean();
   testScoreManyErrors();
   testAuditValidation();
+  testAuditRejectsCheckAll();
+  testSubScannerScopeUrlStamped();
+  testSubScannerScopeUrlDefaultUnchanged();
   testReportShape();
   testFindingFields();
   testRegistryShape();

package/lib/vendor/blamejs/test/layer-0-primitives/honeytoken.test.js CHANGED Viewed

@@ -38,6 +38,32 @@ async function run() {
   check("honeytoken.HoneytokenError class registered",
     typeof b.honeytoken.HoneytokenError === "function");
+  // ---- injected audit sink (opts.audit) ----
+  // The documented `audit: b.audit` sink must receive issued + tripped
+  // rows when supplied, instead of the module's default audit log.
+  var captured = [];
+  var sink = { safeEmit: function (rec) { captured.push(rec); } };
+  var honeyInj = b.honeytoken.create({ audit: sink });
+  var injIssued = honeyInj.issue({ kind: "url", metadata: { plantedAt: "admin-listing" } });
+  check("honeytoken.audit: injected sink received issued row",
+    captured.length === 1 && captured[0].action === "honeytoken.issued" &&
+    captured[0].metadata.id === injIssued.id && captured[0].metadata.kind === "url");
+  honeyInj.lookup(injIssued.value, { ip: "198.51.100.7" });
+  check("honeytoken.audit: injected sink received tripped row",
+    captured.length === 2 && captured[1].action === "honeytoken.tripped" &&
+    captured[1].outcome === "failure" && captured[1].metadata.id === injIssued.id &&
+    captured[1].metadata.observedActor && captured[1].metadata.observedActor.ip === "198.51.100.7");
+  check("honeytoken.audit: lookup miss emits nothing to the sink",
+    honeyInj.lookup("not-a-canary") === null && captured.length === 2);
+  // Default path (no sink) still emits to the module audit log without
+  // throwing — exercised by the surface tests above, asserted here via
+  // a fresh registry whose issue/lookup don't blow up.
+  var honeyDefault = b.honeytoken.create({});
+  var d = honeyDefault.issue({ kind: "rowId", metadata: null });
+  check("honeytoken.audit: default sink path issues without throwing",
+    typeof d.value === "string" && d.value.indexOf("ht_canary_") === 0);
 }
 module.exports = { run: run };

package/lib/vendor/blamejs/test/layer-0-primitives/mail-auth.test.js CHANGED Viewed

@@ -766,6 +766,178 @@ function testDmarcRuaBuildBadInput() {
   }
 }
+// RFC 6591 §4.1 / RFC 7489 §7.3 — a DMARC forensic (RUF) failure
+// report: multipart/report (report-type=feedback-report) whose
+// message/feedback-report part carries Feedback-Type: auth-failure plus
+// the forensic-specific fields (Auth-Failure, Delivery-Result,
+// Identity-Alignment, DKIM-*/SPF-*), and a message/rfc822 part with the
+// reported message.
+var DMARC_RUF_SAMPLE =
+  "From: <postmaster@example.com>\r\n" +
+  "Date: Fri, 15 May 2026 12:00:00 -0400\r\n" +
+  "Subject: FW: DMARC failure report\r\n" +
+  "To: <ruf@sender.example>\r\n" +
+  "MIME-Version: 1.0\r\n" +
+  "Content-Type: multipart/report; report-type=feedback-report;\r\n" +
+  '\tboundary="ruf_boundary_abc"\r\n' +
+  "\r\n" +
+  "--ruf_boundary_abc\r\n" +
+  "Content-Type: text/plain; charset=\"US-ASCII\"\r\n" +
+  "\r\n" +
+  "This is a DMARC authentication-failure report.\r\n" +
+  "\r\n" +
+  "--ruf_boundary_abc\r\n" +
+  "Content-Type: message/feedback-report\r\n" +
+  "\r\n" +
+  "Feedback-Type: auth-failure\r\n" +
+  "User-Agent: ExampleReporter/1.0\r\n" +
+  "Version: 1\r\n" +
+  "Original-Mail-From: <bounce@sender.example>\r\n" +
+  "Original-Rcpt-To: <victim@example.com>\r\n" +
+  "Arrival-Date: Fri, 15 May 2026 11:59:00 -0400\r\n" +
+  "Source-IP: 203.0.113.7\r\n" +
+  "Reported-Domain: sender.example\r\n" +
+  "Authentication-Results: mx.example.com; dmarc=fail header.from=sender.example\r\n" +
+  "Auth-Failure: dmarc\r\n" +
+  "Delivery-Result: reject\r\n" +
+  "Identity-Alignment: none\r\n" +
+  "DKIM-Domain: sender.example\r\n" +
+  "DKIM-Identity: @sender.example\r\n" +
+  "DKIM-Selector: sel2026\r\n" +
+  "DKIM-Canonicalized-Header: from:Sender <noreply@sender.example>\r\n" +
+  "SPF-DNS: txt sender.example \"v=spf1 ip4:198.51.100.0/24 -all\"\r\n" +
+  "\r\n" +
+  "--ruf_boundary_abc\r\n" +
+  "Content-Type: message/rfc822\r\n" +
+  "\r\n" +
+  "From: Sender <noreply@sender.example>\r\n" +
+  "To: <victim@example.com>\r\n" +
+  "Subject: You have won\r\n" +
+  "Message-ID: <forged-123@sender.example>\r\n" +
+  "\r\n" +
+  "Body of the reported message.\r\n" +
+  "--ruf_boundary_abc--\r\n";
+function testDmarcForensicSurface() {
+  check("dmarc.parseForensicReport is a function",
+        typeof b.mail.dmarc.parseForensicReport === "function");
+}
+function testDmarcForensicParse() {
+  var rv = b.mail.dmarc.parseForensicReport(DMARC_RUF_SAMPLE);
+  check("dmarc.parseForensicReport: ok envelope on a valid report",
+        rv && rv.ok === true && rv.report && typeof rv.report === "object");
+  var rep = rv.report;
+  check("dmarc.parseForensicReport: feedbackType=auth-failure",
+        rep.feedbackType === "auth-failure");
+  check("dmarc.parseForensicReport: authFailure=dmarc (RFC 6591 §3.1)",
+        rep.authFailure === "dmarc");
+  check("dmarc.parseForensicReport: deliveryResult=reject",
+        rep.deliveryResult === "reject");
+  check("dmarc.parseForensicReport: identityAlignment=none (RFC 7489 §7.3)",
+        rep.identityAlignment === "none");
+  check("dmarc.parseForensicReport: DKIM-* fields shaped",
+        rep.dkim && rep.dkim.domain === "sender.example" &&
+        rep.dkim.selector === "sel2026" &&
+        rep.dkim.identity === "@sender.example" &&
+        /noreply@sender\.example/.test(rep.dkim.canonicalizedHeader || ""));
+  check("dmarc.parseForensicReport: spf.dns captured",
+        rep.spf && /v=spf1/.test(rep.spf.dns || ""));
+  check("dmarc.parseForensicReport: base ARF fields carried through",
+        rep.sourceIp === "203.0.113.7" &&
+        rep.reportedDomain === "sender.example" &&
+        /dmarc=fail/.test(rep.authenticationResults || ""));
+  check("dmarc.parseForensicReport: reported message headers parsed",
+        Array.isArray(rep.reportedHeaders) &&
+        rep.reportedHeaderMap["message-id"] === "<forged-123@sender.example>" &&
+        rep.reportedHeaderMap.subject === "You have won");
+  check("dmarc.parseForensicReport: reportedHeaderMap is null-prototype",
+        Object.getPrototypeOf(rep.reportedHeaderMap) === null);
+}
+function testDmarcForensicNotAuthFailure() {
+  // An RFC 5965 abuse report is a valid ARF report but NOT a DMARC
+  // forensic report — Feedback-Type must be auth-failure (RFC 7489 §7.3).
+  var abuseReport = DMARC_RUF_SAMPLE.replace(
+    "Feedback-Type: auth-failure", "Feedback-Type: abuse");
+  var rv = b.mail.dmarc.parseForensicReport(abuseReport);
+  check("dmarc.parseForensicReport: non-auth-failure Feedback-Type → typed error (not a throw)",
+        rv && rv.ok === false &&
+        /dmarc-ruf-not-auth-failure/.test(rv.error.code || ""));
+}
+function testDmarcForensicMissingAuthFailure() {
+  // RFC 6591 §3.1 — Auth-Failure is required in an auth-failure report.
+  var noAuthFailure = DMARC_RUF_SAMPLE.replace("Auth-Failure: dmarc\r\n", "");
+  var rv = b.mail.dmarc.parseForensicReport(noAuthFailure);
+  check("dmarc.parseForensicReport: missing Auth-Failure → typed error",
+        rv && rv.ok === false &&
+        /dmarc-ruf-missing-auth-failure/.test(rv.error.code || ""));
+}
+function testDmarcForensicHostileInputDoesNotThrow() {
+  // Defensive reader — hostile / malformed input MUST return a typed
+  // error, never throw in the hot path that ingested the report.
+  var cases = [null, 12345, "", "not-a-multipart-report",
+               Buffer.from("garbage"),
+               "Content-Type: text/plain\r\n\r\nnope"];
+  for (var i = 0; i < cases.length; i += 1) {
+    var threw = null;
+    var rv = null;
+    try { rv = b.mail.dmarc.parseForensicReport(cases[i]); }
+    catch (e) { threw = e; }
+    check("dmarc.parseForensicReport: hostile input #" + i + " returns typed error, no throw",
+          threw === null && rv && rv.ok === false &&
+          rv.error && typeof rv.error.code === "string");
+  }
+}
+function testDmarcForensicReportedHeaderCap() {
+  // RFC 6591 §3.2 reported-header cap — a report whose reported message
+  // carries > the header cap clips the parsed list and flags it, while
+  // still surfacing the verbatim message. Build a reported message with
+  // many headers.
+  var lines = [];
+  for (var i = 0; i < 400; i += 1) lines.push("X-Pad-" + i + ": v" + i);
+  var bigReported = lines.join("\r\n") + "\r\n\r\nbody\r\n";
+  var sample = DMARC_RUF_SAMPLE.replace(
+    "From: Sender <noreply@sender.example>\r\n" +
+    "To: <victim@example.com>\r\n" +
+    "Subject: You have won\r\n" +
+    "Message-ID: <forged-123@sender.example>\r\n" +
+    "\r\n" +
+    "Body of the reported message.\r\n",
+    bigReported);
+  var rv = b.mail.dmarc.parseForensicReport(sample);
+  check("dmarc.parseForensicReport: over-cap reported headers are clipped + flagged",
+        rv && rv.ok === true &&
+        rv.report.reportedHeaders.length === 256 &&
+        rv.report.reportedHeadersTruncated === true);
+}
+function testDmarcForensicPrototypePollutionSafe() {
+  // A hostile report naming a feedback-report field or a reported-message
+  // header `__proto__` / `constructor` must not pollute Object.prototype.
+  var sample = DMARC_RUF_SAMPLE
+    // feedback-report field block — exercises the extraFields path.
+    .replace("Auth-Failure: dmarc\r\n",
+             "Auth-Failure: dmarc\r\n__proto__: fieldpoison\r\n")
+    // reported message header block — exercises the reportedHeaderMap path.
+    .replace("From: Sender <noreply@sender.example>\r\n",
+             "From: Sender <noreply@sender.example>\r\n__proto__: hdrpoison\r\n");
+  var rv = b.mail.dmarc.parseForensicReport(sample);
+  check("dmarc.parseForensicReport: __proto__ in feedback field → own data on null-prototype extraFields",
+        rv && rv.ok === true &&
+        Object.getPrototypeOf(rv.report.extraFields) === null &&
+        rv.report.extraFields["__proto__"] === "fieldpoison");
+  check("dmarc.parseForensicReport: __proto__ reported header → own data, no prototype pollution",
+        rv.report.reportedHeaderMap["__proto__"] === "hdrpoison" &&
+        ({}).fieldpoison === undefined &&
+        ({}).hdrpoison === undefined &&
+        Object.prototype.fieldpoison === undefined &&
+        Object.prototype.hdrpoison === undefined);
+}
 async function testIprevValidatesPtrShape() {
   // MAIL-50 — PTR result MUST be a valid DNS-name shape (LDH labels,
   // 1..63 octets, total 1..253 octets). Synthesize via a mocked
@@ -1072,6 +1244,13 @@ async function run() {
   testDmarcRuaGunzipBombDistinguished();
   testDmarcRuaBuildRoundTrip();
   testDmarcRuaBuildBadInput();
+  testDmarcForensicSurface();
+  testDmarcForensicParse();
+  testDmarcForensicNotAuthFailure();
+  testDmarcForensicMissingAuthFailure();
+  testDmarcForensicHostileInputDoesNotThrow();
+  testDmarcForensicReportedHeaderCap();
+  testDmarcForensicPrototypePollutionSafe();
   await testIprevValidatesPtrShape();
   await testArcHeaderSourceOrder();
 }

package/lib/vendor/blamejs/test/layer-0-primitives/mail-deploy-tlsrpt.test.js CHANGED Viewed

@@ -331,6 +331,21 @@ function testHttpAuthenticateHookValidatesType() {
   check("authenticate non-function refused at construct", threw);
 }
+function testHttpRejectsRemovedComplianceOpt() {
+  // `compliance` was an accepted-but-never-read allowlist key (it was not
+  // documented in @opts and nothing consumed it). It is removed from the
+  // validateOpts allowlist, so passing it is now a config-time error.
+  var threw = false;
+  try { b.mail.deploy.tlsRptIngestHttp({ compliance: "hipaa" }); }
+  catch (_e) { threw = true; }
+  check("tlsRptIngestHttp: removed `compliance` opt refused at construct", threw);
+  // Default construct still works (no opts).
+  var threwBare = false;
+  try { b.mail.deploy.tlsRptIngestHttp({}); } catch (_e) { threwBare = true; }
+  check("tlsRptIngestHttp: bare construct still works", !threwBare);
+}
 function testTlsRptParseErrorClassExported() {
   check("b.mail.deploy.TlsRptParseError is a constructor",
     typeof b.mail.deploy.TlsRptParseError === "function");
@@ -359,6 +374,7 @@ async function run() {
   testRefusesNonFiniteSummary();
   await testHttpAuthenticateHookSyncFalsy();
   testHttpAuthenticateHookValidatesType();
+  testHttpRejectsRemovedComplianceOpt();
   testTlsRptParseErrorClassExported();
 }

package/lib/vendor/blamejs/test/layer-0-primitives/mail-send-deliver.test.js CHANGED Viewed

@@ -72,6 +72,62 @@ function testFactoryRefusesBadOpts() {
   });
   check("port 0 → DeliverError (connect port must be >=1)",
     e7 && e7.code === "deliver/bad-port");
+  // retry.maxAttempts / timeouts.mxLookupMs / timeouts.perHostMs are
+  // config-time entry-point opts: a typo must throw at create(), not be
+  // swallowed by a valid-or-default fallback. Absent keeps the default.
+  var e8 = threw(function () {
+    b.mail.send.deliver({ hostname: "m.example", retry: { maxAttempts: "5" } });
+  });
+  check("retry.maxAttempts as string → DeliverError",
+    e8 && e8.code === "deliver/bad-retry-maxAttempts");
+  var e9 = threw(function () {
+    b.mail.send.deliver({ hostname: "m.example", retry: { maxAttempts: -1 } });
+  });
+  check("retry.maxAttempts negative → DeliverError",
+    e9 && e9.code === "deliver/bad-retry-maxAttempts");
+  var e10 = threw(function () {
+    b.mail.send.deliver({ hostname: "m.example", retry: { maxAttempts: 0 } });
+  });
+  check("retry.maxAttempts 0 → DeliverError (must be >= 1)",
+    e10 && e10.code === "deliver/bad-retry-maxAttempts");
+  var e11 = threw(function () {
+    b.mail.send.deliver({ hostname: "m.example", timeouts: { mxLookupMs: -1 } });
+  });
+  check("timeouts.mxLookupMs negative → DeliverError",
+    e11 && e11.code === "deliver/bad-timeout-mxLookupMs");
+  var e12 = threw(function () {
+    b.mail.send.deliver({ hostname: "m.example", timeouts: { mxLookupMs: "10000" } });
+  });
+  check("timeouts.mxLookupMs as string → DeliverError",
+    e12 && e12.code === "deliver/bad-timeout-mxLookupMs");
+  var e13 = threw(function () {
+    b.mail.send.deliver({ hostname: "m.example", timeouts: { perHostMs: 0 } });
+  });
+  check("timeouts.perHostMs 0 → DeliverError (must be >= 1)",
+    e13 && e13.code === "deliver/bad-timeout-perHostMs");
+  // Absent retry / timeouts keys keep the defaults — create() succeeds.
+  var okDefault = threw(function () {
+    b.mail.send.deliver({ hostname: "m.example", retry: {}, timeouts: {}, audit: false });
+  });
+  check("absent retry/timeouts keys keep defaults (create succeeds)", okDefault === null);
+  // Valid integer values are accepted unchanged.
+  var okValid = threw(function () {
+    b.mail.send.deliver({
+      hostname: "m.example",
+      retry:    { maxAttempts: 3 },
+      timeouts: { mxLookupMs: 2000, perHostMs: 30000 },
+      audit:    false,
+    });
+  });
+  check("valid retry/timeouts values accepted (create succeeds)", okValid === null);
 }
 // ---- Submission/smarthost port ----
@@ -288,6 +344,57 @@ async function testTransientDefersPermanentFails() {
     dsnInvocations[0].dsnHasReport === true);
 }
+// ---- retry.maxAttempts value flows through to the retry budget ----
+// A valid maxAttempts must reach the deferred-vs-failed routing, not just
+// pass validation. With maxAttempts:1, the first transient failure exhausts
+// the budget (attempts 1 >= 1) and converts transient → permanent → failed[]
+// rather than landing in deferred[]. The default (5) keeps it deferred.
+async function testMaxAttemptsFlowsThrough() {
+  var fakeResolver = {
+    queryMx: async function (domain) {
+      return [{ exchange: "mx1." + domain, priority: 10 }];
+    },
+  };
+  var transientTransport = function () {
+    return {
+      send: async function () {
+        var err = new Error("temporary failure");
+        err.smtpResponse = { code: 451 };
+        throw err;
+      },
+    };
+  };
+  var envelope = {
+    from:   "ops@example.com",
+    to:     ["transient@example.com"],
+    rfc822: Buffer.from("hi"),
+  };
+  var deliverBudget1 = b.mail.send.deliver({
+    hostname:         "mta1.example.com",
+    resolver:         fakeResolver,
+    policy:           { mtaSts: "off", dane: "off" },
+    transportFactory: transientTransport,
+    retry:            { maxAttempts: 1 },
+    audit:            false,
+  });
+  var r1 = await deliverBudget1(envelope);
+  check("maxAttempts:1 exhausts budget on first transient → failed",
+    r1.failed.length === 1 && r1.deferred.length === 0);
+  var deliverDefault = b.mail.send.deliver({
+    hostname:         "mta1.example.com",
+    resolver:         fakeResolver,
+    policy:           { mtaSts: "off", dane: "off" },
+    transportFactory: transientTransport,
+    audit:            false,
+  });
+  var r2 = await deliverDefault(envelope);
+  check("default maxAttempts keeps a single transient deferred",
+    r2.deferred.length === 1 && r2.failed.length === 0);
+}
 // ---- No-MX (RFC 7505 null MX) ----
 async function testNullMx() {
@@ -369,6 +476,7 @@ async function run() {
   await testNullMx();
   await testMxFailover();
   await testPortReachesTransport();
+  await testMaxAttemptsFlowsThrough();
 }
 module.exports = { run: run };