@blamejs/blamejs-shop 0.3.69 → 0.3.71

package/lib/vendor/blamejs/test/layer-0-primitives/oauth-callback.test.js

@@ -5,9 +5,13 @@
  *   - parseJarmResponse (OAuth 2.0 JARM signed authorization response)
  *   - refreshAccessToken seen() callback (RFC 9700 §4.13 / OAuth 2.1 §6.1)
  *   - authorizationUrl PKCE-downgrade refusal (RFC 9700 §4.13 / RFC 7636)
+ *   - authorizationUrl / exchangeCode authorization_details (RFC 9396 RAR)
+ *   - buildClientAttestation / buildClientAttestationPop /
+ *     verifyClientAttestation (draft-ietf-oauth-attestation-based-client-auth)
  */
 
 var http    = require("node:http");
+var crypto  = require("node:crypto");
 var helpers = require("../helpers");
 var b       = helpers.b;
 var check   = helpers.check;
@@ -140,6 +144,271 @@ async function run() {
   try { await oaStatic.authorizationUrl(); } catch (e) { staticErr = e; }
   check("oauth.authorizationUrl: static endpoints skip discovery (no fetch, no refusal)",
         staticErr === null);
+
+  // ---- RFC 9396 Rich Authorization Requests (RAR) ----
+  var oaRar = b.auth.oauth.create({
+    issuer:                "https://static.example",
+    clientId:              "rp-rar",
+    redirectUri:           "https://rp.example/cb",
+    isOidc:                true,
+    authorizationEndpoint: "https://static.example/auth",
+    tokenEndpoint:         "https://static.example/token",
+  });
+  var requested = [
+    { type: "payment_initiation", actions: ["initiate", "status"],
+      locations: ["https://rs.example/pay"] },
+  ];
+  var rar = await oaRar.authorizationUrl({ authorizationDetails: requested });
+  check("oauth.authorizationUrl: serializes authorization_details (RFC 9396)",
+        /[?&]authorization_details=/.test(rar.url));
+  check("oauth.authorizationUrl: returns validated authorizationDetails",
+        Array.isArray(rar.authorizationDetails) && rar.authorizationDetails.length === 1);
+  // back-compat — a client that omits the opt emits no authorization_details
+  var noRar = await oaRar.authorizationUrl();
+  check("oauth.authorizationUrl: omitted authorizationDetails → no param (back-compat)",
+        !/authorization_details=/.test(noRar.url) && noRar.authorizationDetails === null);
+  // config-time refusal on malformed shape
+  var rarThrew = null;
+  try { await oaRar.authorizationUrl({ authorizationDetails: [{ noType: 1 }] }); }
+  catch (e) { rarThrew = e; }
+  check("oauth.authorizationUrl: authorization_details missing type refused",
+        rarThrew && rarThrew.code === "auth-oauth/bad-authorization-details");
+  rarThrew = null;
+  try { await oaRar.authorizationUrl({ authorizationDetails: "not-an-array" }); }
+  catch (e) { rarThrew = e; }
+  check("oauth.authorizationUrl: non-array authorization_details refused",
+        rarThrew && rarThrew.code === "auth-oauth/bad-authorization-details");
+
+  // granted-vs-requested cross-check (the security-relevant subset rule)
+  var X = b.auth.oauth;
+  var subset = X._crossCheckGrantedAuthorizationDetails(
+    [{ type: "payment_initiation", actions: ["status"], locations: ["https://rs.example/pay"] }],
+    requested, true);
+  check("oauth: granted authorization_details subset accepted",
+        Array.isArray(subset) && subset.length === 1);
+  var overThrew = null;
+  try {
+    X._crossCheckGrantedAuthorizationDetails(
+      [{ type: "payment_initiation", actions: ["initiate", "transfer"] }], requested, true);
+  } catch (e) { overThrew = e; }
+  check("oauth: granted action beyond request refused (RFC 9396 over-grant)",
+        overThrew && overThrew.code === "auth-oauth/authorization-details-over-grant");
+  overThrew = null;
+  try {
+    X._crossCheckGrantedAuthorizationDetails([{ type: "account_access" }], requested, true);
+  } catch (e) { overThrew = e; }
+  check("oauth: granted unrequested type refused (RFC 9396 over-grant)",
+        overThrew && overThrew.code === "auth-oauth/authorization-details-over-grant");
+  // non-strict mode surfaces over-grant without throwing
+  var surfaced = X._crossCheckGrantedAuthorizationDetails([{ type: "account_access" }], requested, false);
+  check("oauth: non-strict cross-check surfaces granted without refusal",
+        Array.isArray(surfaced) && surfaced.length === 1);
+  // location over-grant
+  overThrew = null;
+  try {
+    X._crossCheckGrantedAuthorizationDetails(
+      [{ type: "payment_initiation", locations: ["https://rs.example/pay", "https://evil.example"] }],
+      requested, true);
+  } catch (e) { overThrew = e; }
+  check("oauth: granted location beyond request refused (RFC 9396 over-grant)",
+        overThrew && overThrew.code === "auth-oauth/authorization-details-over-grant");
+  // privileges over-grant — `privileges` is a registered array-valued common
+  // data field (RFC 9396 §2.1); a granted privileges array the request never
+  // constrained is the sharpest escalation and must be refused.
+  overThrew = null;
+  try {
+    X._crossCheckGrantedAuthorizationDetails(
+      [{ type: "payment_initiation", privileges: ["admin"] }], requested, true);
+  } catch (e) { overThrew = e; }
+  check("oauth: granted privilege beyond request refused (RFC 9396 over-grant)",
+        overThrew && overThrew.code === "auth-oauth/authorization-details-over-grant");
+
+  // ---- draft-ietf-oauth-attestation-based-client-auth ----
+  var attesterKp = crypto.generateKeyPairSync("ec", { namedCurve: "P-256" });
+  var instanceKp = crypto.generateKeyPairSync("ec", { namedCurve: "P-256" });
+  var instancePubJwk = instanceKp.publicKey.export({ format: "jwk" });
+  var attesterPubJwk = attesterKp.publicKey.export({ format: "jwk" });
+
+  var attestation = b.auth.oauth.buildClientAttestation({
+    clientId:           "wallet-app",
+    attesterPrivateKey: attesterKp.privateKey,
+    instanceKeyJwk:     instancePubJwk,
+  });
+  var pop = b.auth.oauth.buildClientAttestationPop({
+    instancePrivateKey: instanceKp.privateKey,
+    audience:           "https://as.example.com",
+  });
+  // header typ values per draft §4 / §5
+  var attHeader = JSON.parse(Buffer.from(attestation.split(".")[0], "base64url").toString("utf8"));
+  var popHeader = JSON.parse(Buffer.from(pop.split(".")[0], "base64url").toString("utf8"));
+  check("oauth.attestation: attestation typ is oauth-client-attestation+jwt",
+        attHeader.typ === "oauth-client-attestation+jwt");
+  check("oauth.attestation: pop typ is oauth-client-attestation-pop+jwt",
+        popHeader.typ === "oauth-client-attestation-pop+jwt");
+
+  var jtiSeen = {};
+  var seenJti = function (jti) { if (jtiSeen[jti]) { return false; } jtiSeen[jti] = 1; return true; };
+  var verified = await b.auth.oauth.verifyClientAttestation(attestation, pop, {
+    attesterJwk:      attesterPubJwk,
+    expectedAudience: "https://as.example.com",
+    expectedClientId: "wallet-app",
+    seenJti:          seenJti,
+  });
+  check("oauth.verifyClientAttestation: valid pair → clientId from sub",
+        verified.clientId === "wallet-app");
+  check("oauth.verifyClientAttestation: returns the cnf key",
+        verified.cnfJwk && verified.cnfJwk.kty === "EC");
+
+  // replay (jti already seen) refused — draft §12.1
+  var attThrew = null;
+  try {
+    await b.auth.oauth.verifyClientAttestation(attestation, pop, {
+      attesterJwk: attesterPubJwk, expectedAudience: "https://as.example.com", seenJti: seenJti });
+  } catch (e) { attThrew = e; }
+  check("oauth.verifyClientAttestation: jti replay refused (draft §12.1)",
+        attThrew && attThrew.code === "auth-oauth/attestation-pop-replay");
+
+  // wrong audience refused — draft §8 step 7
+  attThrew = null;
+  try {
+    await b.auth.oauth.verifyClientAttestation(attestation, pop, {
+      attesterJwk: attesterPubJwk, expectedAudience: "https://other.example.com" });
+  } catch (e) { attThrew = e; }
+  check("oauth.verifyClientAttestation: PoP aud mismatch refused",
+        attThrew && attThrew.code === "auth-oauth/attestation-pop-aud-mismatch");
+
+  // PoP forged with a key not in the cnf claim refused — possession proof
+  var attackerKp = crypto.generateKeyPairSync("ec", { namedCurve: "P-256" });
+  var forgedPop = b.auth.oauth.buildClientAttestationPop({
+    instancePrivateKey: attackerKp.privateKey, audience: "https://as.example.com" });
+  attThrew = null;
+  try {
+    await b.auth.oauth.verifyClientAttestation(attestation, forgedPop, {
+      attesterJwk: attesterPubJwk, expectedAudience: "https://as.example.com" });
+  } catch (e) { attThrew = e; }
+  check("oauth.verifyClientAttestation: PoP not signed by cnf key refused",
+        attThrew && attThrew.code === "auth-oauth/attestation-bad-signature");
+
+  // attestation forged by an untrusted attester refused
+  attThrew = null;
+  var rogueAtt = b.auth.oauth.buildClientAttestation({
+    clientId: "wallet-app", attesterPrivateKey: attackerKp.privateKey, instanceKeyJwk: instancePubJwk });
+  try {
+    await b.auth.oauth.verifyClientAttestation(rogueAtt, b.auth.oauth.buildClientAttestationPop({
+      instancePrivateKey: instanceKp.privateKey, audience: "https://as.example.com" }), {
+      attesterJwk: attesterPubJwk, expectedAudience: "https://as.example.com" });
+  } catch (e) { attThrew = e; }
+  check("oauth.verifyClientAttestation: untrusted attester signature refused",
+        attThrew && attThrew.code === "auth-oauth/attestation-bad-signature");
+
+  // client_id mismatch refused — draft §8 step 10
+  attThrew = null;
+  try {
+    await b.auth.oauth.verifyClientAttestation(attestation, b.auth.oauth.buildClientAttestationPop({
+      instancePrivateKey: instanceKp.privateKey, audience: "https://as.example.com" }), {
+      attesterJwk: attesterPubJwk, expectedAudience: "https://as.example.com",
+      expectedClientId: "different-client" });
+  } catch (e) { attThrew = e; }
+  check("oauth.verifyClientAttestation: client_id != attestation sub refused",
+        attThrew && attThrew.code === "auth-oauth/attestation-client-id-mismatch");
+
+  // challenge binding — draft §8 step 5/6
+  var popChal = b.auth.oauth.buildClientAttestationPop({
+    instancePrivateKey: instanceKp.privateKey, audience: "https://as.example.com", challenge: "srv-nonce-1" });
+  var vChal = await b.auth.oauth.verifyClientAttestation(attestation, popChal, {
+    attesterJwk: attesterPubJwk, expectedAudience: "https://as.example.com", challenge: "srv-nonce-1" });
+  check("oauth.verifyClientAttestation: matching challenge accepted", vChal.clientId === "wallet-app");
+  attThrew = null;
+  try {
+    await b.auth.oauth.verifyClientAttestation(attestation, popChal, {
+      attesterJwk: attesterPubJwk, expectedAudience: "https://as.example.com", challenge: "WRONG" });
+  } catch (e) { attThrew = e; }
+  check("oauth.verifyClientAttestation: challenge mismatch refused",
+        attThrew && attThrew.code === "auth-oauth/attestation-pop-challenge-mismatch");
+
+  // HMAC alg refused at build (no symmetric attestation)
+  attThrew = null;
+  try {
+    b.auth.oauth.buildClientAttestation({ clientId: "w", attesterPrivateKey: attesterKp.privateKey,
+      instanceKeyJwk: instancePubJwk, algorithm: "HS256" });
+  } catch (e) { attThrew = e; }
+  check("oauth.buildClientAttestation: HMAC alg refused",
+        attThrew && attThrew.code === "auth-oauth/attestation-alg-not-accepted");
+
+  // 5-segment JWE refused on the verifier path
+  attThrew = null;
+  try {
+    await b.auth.oauth.verifyClientAttestation("a.b.c.d.e", pop, {
+      attesterJwk: attesterPubJwk, expectedAudience: "https://as.example.com" });
+  } catch (e) { attThrew = e; }
+  check("oauth.verifyClientAttestation: 5-segment JWE attestation refused",
+        attThrew && attThrew.code === "auth-oauth/attestation-jwe-refused");
+
+  // builder infers the JWS alg from the key type — a non-EC attester key
+  // with no explicit `algorithm` must produce a self-consistent JWS (header
+  // alg matches the signing key), not a fixed ES256 header the verifier's
+  // alg/kty cross-check would reject.
+  var edAttKp = crypto.generateKeyPairSync("ed25519");
+  var edAtt = b.auth.oauth.buildClientAttestation({
+    clientId: "wallet-app", attesterPrivateKey: edAttKp.privateKey, instanceKeyJwk: instancePubJwk });
+  var edAttHdr = JSON.parse(Buffer.from(edAtt.split(".")[0], "base64url").toString("utf8"));
+  check("oauth.buildClientAttestation: Ed25519 key infers EdDSA alg", edAttHdr.alg === "EdDSA");
+  var edVerified = await b.auth.oauth.verifyClientAttestation(edAtt, b.auth.oauth.buildClientAttestationPop({
+    instancePrivateKey: instanceKp.privateKey, audience: "https://as.example.com" }), {
+    attesterJwk: edAttKp.publicKey.export({ format: "jwk" }), expectedAudience: "https://as.example.com" });
+  check("oauth.verifyClientAttestation: Ed25519-signed attestation verifies", edVerified.clientId === "wallet-app");
+
+  var rsaAttKp = crypto.generateKeyPairSync("rsa", { modulusLength: 2048 });
+  var rsaAttHdr = JSON.parse(Buffer.from(b.auth.oauth.buildClientAttestation({
+    clientId: "wallet-app", attesterPrivateKey: rsaAttKp.privateKey, instanceKeyJwk: instancePubJwk
+  }).split(".")[0], "base64url").toString("utf8"));
+  check("oauth.buildClientAttestation: RSA key infers RS256 alg", rsaAttHdr.alg === "RS256");
+
+  // an explicit alg incompatible with the key is refused BEFORE signing
+  // (a P-256 key cannot produce an RS256 signature).
+  attThrew = null;
+  try {
+    b.auth.oauth.buildClientAttestation({ clientId: "w", attesterPrivateKey: attesterKp.privateKey,
+      instanceKeyJwk: instancePubJwk, algorithm: "RS256" });
+  } catch (e) { attThrew = e; }
+  check("oauth.buildClientAttestation: explicit alg incompatible with key refused",
+        attThrew && attThrew.code === "auth-oauth/attestation-alg-key-mismatch");
+
+  // async (Promise) replay store is awaited — a Redis/DB seenJti returns a
+  // Promise; the verifier must await it so a resolved `false` (replayed
+  // jti) refuses instead of comparing a never-`false` Promise object.
+  var asyncSeen = {};
+  var asyncSeenJti = function (jti) {
+    return Promise.resolve().then(function () {
+      if (asyncSeen[jti]) { return false; }
+      asyncSeen[jti] = 1;
+      return true;
+    });
+  };
+  var popAsync = b.auth.oauth.buildClientAttestationPop({
+    instancePrivateKey: instanceKp.privateKey, audience: "https://as.example.com" });
+  var asyncOk = await b.auth.oauth.verifyClientAttestation(attestation, popAsync, {
+    attesterJwk: attesterPubJwk, expectedAudience: "https://as.example.com", seenJti: asyncSeenJti });
+  check("oauth.verifyClientAttestation: async seenJti first sighting accepted",
+        asyncOk.clientId === "wallet-app");
+  attThrew = null;
+  try {
+    await b.auth.oauth.verifyClientAttestation(attestation, popAsync, {
+      attesterJwk: attesterPubJwk, expectedAudience: "https://as.example.com", seenJti: asyncSeenJti });
+  } catch (e) { attThrew = e; }
+  check("oauth.verifyClientAttestation: async seenJti replay refused (Promise awaited)",
+        attThrew && attThrew.code === "auth-oauth/attestation-pop-replay");
+
+  // instance-bound convenience builder produces both headers
+  var hdrs = oaRar.clientAttestationHeaders({
+    attesterPrivateKey: attesterKp.privateKey,
+    instanceKeyJwk:     instancePubJwk,
+    instancePrivateKey: instanceKp.privateKey,
+    audience:           "https://as.example.com",
+  });
+  check("oauth.clientAttestationHeaders: emits both header fields",
+        typeof hdrs.headers["OAuth-Client-Attestation"] === "string" &&
+        typeof hdrs.headers["OAuth-Client-Attestation-PoP"] === "string");
 }
 
 module.exports = { run: run };

package/lib/vendor/blamejs/test/layer-0-primitives/observability-tracing.test.js

@@ -607,6 +607,32 @@ async function testOtlpExporterRetryOn5xx() {
   await exporter.shutdown();
 }
 
+function testTraceLogCorrelationRejectsAuditOpt() {
+  // The `audit` opt was an accepted-but-unread no-op (the middleware
+  // only wraps a logger — no audit-worthy event). De-advertised: it is
+  // no longer in the allowlist, so passing it throws at config time.
+  var threw = false;
+  try {
+    b.middleware.traceLogCorrelation({ logger: { info: function () {} }, audit: true });
+  } catch (_e) { threw = true; }
+  check("traceLogCorrelation: unknown 'audit' opt rejected", threw);
+  // Default surface still constructs without the key.
+  var mw = b.middleware.traceLogCorrelation({ logger: { info: function () {} } });
+  check("traceLogCorrelation: constructs without audit opt", typeof mw === "function");
+}
+
+function testTracerRejectsAuditOpt() {
+  // `audit` was accepted by tracer.create but never read (the tracer is
+  // a pure observability primitive — span lifecycle goes to observability
+  // counters, not the audit log). De-advertised.
+  var threw = false;
+  try { b.observability.tracer.create({ service: "test", audit: true }); }
+  catch (_e) { threw = true; }
+  check("tracer.create: unknown 'audit' opt rejected", threw);
+  var tracer = b.observability.tracer.create({ service: "test" });
+  check("tracer.create: constructs without audit opt", typeof tracer.start === "function");
+}
+
 function testTracerToJSONIsImmutable() {
   var tracer = b.observability.tracer.create({ service: "test" });
   var span = tracer.start("op");
@@ -649,4 +675,6 @@ function testTracerToJSONIsImmutable() {
   testTracerStatusCodeValidation();
   await testOtlpExporterRetryOn5xx();
   testTracerToJSONIsImmutable();
+  testTraceLogCorrelationRejectsAuditOpt();
+  testTracerRejectsAuditOpt();
 })().catch(function (e) { console.error(e); process.exit(1); });

package/lib/vendor/blamejs/test/layer-0-primitives/observability.test.js

@@ -164,6 +164,43 @@ function testObservabilityEventDropsBadName() {
   m.deactivate();
 }
 
+function testObservabilitySemconvResourceAttributes() {
+  var S = b.observability.SEMCONV;
+  check("SEMCONV is frozen", Object.isFrozen(S));
+  // Resource / general additions (OTel semconv).
+  check("SEMCONV.PEER_SERVICE", S.PEER_SERVICE === "peer.service");
+  check("SEMCONV.DEPLOYMENT_ENVIRONMENT_NAME",
+        S.DEPLOYMENT_ENVIRONMENT_NAME === "deployment.environment.name");
+  check("SEMCONV.TELEMETRY_DISTRO_NAME",
+        S.TELEMETRY_DISTRO_NAME === "telemetry.distro.name");
+  check("SEMCONV.TELEMETRY_DISTRO_VERSION",
+        S.TELEMETRY_DISTRO_VERSION === "telemetry.distro.version");
+  check("SEMCONV.OTEL_SCOPE_NAME", S.OTEL_SCOPE_NAME === "otel.scope.name");
+  check("SEMCONV.OTEL_SCOPE_VERSION", S.OTEL_SCOPE_VERSION === "otel.scope.version");
+  // FaaS (serverless).
+  check("SEMCONV.FAAS_NAME", S.FAAS_NAME === "faas.name");
+  check("SEMCONV.FAAS_VERSION", S.FAAS_VERSION === "faas.version");
+  check("SEMCONV.FAAS_INSTANCE", S.FAAS_INSTANCE === "faas.instance");
+  check("SEMCONV.FAAS_TRIGGER", S.FAAS_TRIGGER === "faas.trigger");
+}
+
+function testObservabilitySemconvK8sAttributes() {
+  var S = b.observability.SEMCONV;
+  // Pre-existing trio kept.
+  check("SEMCONV.K8S_NAMESPACE_NAME", S.K8S_NAMESPACE_NAME === "k8s.namespace.name");
+  check("SEMCONV.K8S_POD_NAME", S.K8S_POD_NAME === "k8s.pod.name");
+  check("SEMCONV.K8S_DEPLOYMENT_NAME", S.K8S_DEPLOYMENT_NAME === "k8s.deployment.name");
+  // New workload + node + cluster subset.
+  check("SEMCONV.K8S_NODE_NAME", S.K8S_NODE_NAME === "k8s.node.name");
+  check("SEMCONV.K8S_CLUSTER_NAME", S.K8S_CLUSTER_NAME === "k8s.cluster.name");
+  check("SEMCONV.K8S_CONTAINER_NAME", S.K8S_CONTAINER_NAME === "k8s.container.name");
+  check("SEMCONV.K8S_STATEFULSET_NAME", S.K8S_STATEFULSET_NAME === "k8s.statefulset.name");
+  check("SEMCONV.K8S_DAEMONSET_NAME", S.K8S_DAEMONSET_NAME === "k8s.daemonset.name");
+  check("SEMCONV.K8S_JOB_NAME", S.K8S_JOB_NAME === "k8s.job.name");
+  check("SEMCONV.K8S_CRONJOB_NAME", S.K8S_CRONJOB_NAME === "k8s.cronjob.name");
+  check("SEMCONV.K8S_REPLICASET_NAME", S.K8S_REPLICASET_NAME === "k8s.replicaset.name");
+}
+
 async function run() {
   testObservabilitySurface();
   testObservabilityTapRunsFnWithoutRegistries();
@@ -178,6 +215,8 @@ async function run() {
   testObservabilityTapRejectsBadFn();
   testObservabilityTapRejectsBadName();
   testObservabilityEventDropsBadName();
+  testObservabilitySemconvResourceAttributes();
+  testObservabilitySemconvK8sAttributes();
 }
 
 module.exports = { run: run };

package/lib/vendor/blamejs/test/layer-0-primitives/openapi.test.js

@@ -733,6 +733,43 @@ function run() {
 
   check("openapiServe.forceRebuild is fn",       typeof serve.forceRebuild === "function");
 
+  // HEAD carries the GET response headers (incl. Content-Length) with an
+  // EMPTY body (RFC 9110 §9.3.2). GET unchanged: it still returns the
+  // body. Asserts the head-suppression against both JSON and YAML mounts.
+  var sentHeadJson = { status: null, headers: null, body: undefined, ended: false };
+  serve({ method: "HEAD", url: "/openapi.json", pathname: "/openapi.json", headers: {} },
+        { writeHead: function (s, h) { sentHeadJson.status = s; sentHeadJson.headers = h; },
+          end:       function (bdy) { sentHeadJson.body = bdy; sentHeadJson.ended = true; } },
+        function () {});
+  check("openapiServe HEAD JSON: 200",           sentHeadJson.status === 200);
+  check("openapiServe HEAD JSON: Content-Length set like GET",
+        sentHeadJson.headers["Content-Length"] === sentJson.headers["Content-Length"]);
+  check("openapiServe HEAD JSON: Content-Type set like GET",
+        sentHeadJson.headers["Content-Type"] === sentJson.headers["Content-Type"]);
+  check("openapiServe HEAD JSON: empty body",
+        sentHeadJson.ended === true && (sentHeadJson.body === undefined || sentHeadJson.body == null));
+
+  var sentHeadYaml = { status: null, headers: null, body: undefined, ended: false };
+  serve({ method: "HEAD", url: "/openapi.yaml", pathname: "/openapi.yaml", headers: {} },
+        { writeHead: function (s, h) { sentHeadYaml.status = s; sentHeadYaml.headers = h; },
+          end:       function (bdy) { sentHeadYaml.body = bdy; sentHeadYaml.ended = true; } },
+        function () {});
+  check("openapiServe HEAD YAML: 200",           sentHeadYaml.status === 200);
+  check("openapiServe HEAD YAML: Content-Length set like GET",
+        sentHeadYaml.headers["Content-Length"] === sentYaml.headers["Content-Length"]);
+  check("openapiServe HEAD YAML: empty body",
+        sentHeadYaml.ended === true && (sentHeadYaml.body === undefined || sentHeadYaml.body == null));
+
+  // GET still returns the body after the HEAD path was added.
+  var sentGetAfter = { status: null, headers: null, body: null };
+  serve({ method: "GET", url: "/openapi.json", pathname: "/openapi.json", headers: {} },
+        { writeHead: function (s, h) { sentGetAfter.status = s; sentGetAfter.headers = h; },
+          end:       function (bdy) { sentGetAfter.body = bdy; } },
+        function () {});
+  check("openapiServe GET still returns body",
+        sentGetAfter.status === 200 && typeof sentGetAfter.body === "string" &&
+        sentGetAfter.body.length > 0);
+
   // ---- bigger schema-walk coverage ----
   var arrSchema = b.openapi.schemaWalk({
     type:  "array",

package/lib/vendor/blamejs/test/layer-0-primitives/problem-details.test.js

@@ -63,6 +63,83 @@ function testCreateRefusesBadShape() {
              "problem-details/reserved-extension");
 }
 
+function testCreateExtensions() {
+  // RFC 9457 §3.2 — `extensions` keys are spread as top-level siblings;
+  // the literal `extensions` member is never emitted.
+  var p = b.problemDetails.create({
+    status: 400, title: "t", extensions: { balance: 30, accounts: ["/a"] },
+  });
+  check("create: extensions spread balance to top level", p.balance === 30);
+  check("create: extensions spread accounts to top level",
+        Array.isArray(p.accounts) && p.accounts[0] === "/a");
+  check("create: no literal extensions member", !("extensions" in p));
+  check("create: extensions output frozen",     Object.isFrozen(p));
+
+  // Reserved fields can't be overridden by an extension key.
+  var p2 = b.problemDetails.create({
+    status: 400, title: "real-title",
+    extensions: { title: "spoofed", status: 999, type: "evil", detail: "x", instance: "y" },
+  });
+  check("create: extensions cannot override title",    p2.title === "real-title");
+  check("create: extensions cannot override status",   p2.status === 400);
+  check("create: extensions cannot override type",     p2.type === "about:blank");
+  check("create: extensions cannot inject detail",     !("detail" in p2));
+  check("create: extensions cannot inject instance",   !("instance" in p2));
+
+  // Direct top-level key wins over the same name nested under extensions.
+  var p3 = b.problemDetails.create({
+    status: 400, balance: 99, extensions: { balance: 30 },
+  });
+  check("create: direct top-level key wins over extensions", p3.balance === 99);
+
+  // Poisoned keys inside extensions are dropped silently (not thrown).
+  var p4 = b.problemDetails.create({
+    status: 400, extensions: JSON.parse('{"__proto__":{"x":1},"safe":7}'),
+  });
+  check("create: poisoned extension key dropped, no throw", p4.safe === 7);
+  check("create: poisoned key did not pollute prototype",   ({}).x === undefined);
+
+  // Non-plain-object extensions throw at config time.
+  function expectCode(label, fn, code) {
+    var threw = null;
+    try { fn(); } catch (e) { threw = e; }
+    check(label, threw && (threw.code || "").indexOf(code) !== -1);
+  }
+  expectCode("create: extensions array refused",
+             function () { b.problemDetails.create({ status: 400, extensions: [] }); },
+             "problem-details/bad-extensions");
+  expectCode("create: extensions string refused",
+             function () { b.problemDetails.create({ status: 400, extensions: "x" }); },
+             "problem-details/bad-extensions");
+
+  // null / undefined extensions are a no-op (no literal member, no throw).
+  var p5 = b.problemDetails.create({ status: 400, extensions: null });
+  check("create: null extensions is a no-op", !("extensions" in p5) && p5.status === 400);
+}
+
+function testSendExtensions() {
+  // Success path end-to-end through send(): extensions spread as
+  // siblings, no nested `extensions` member emitted.
+  var headers = {};
+  var statusCode = null;
+  var body = null;
+  var fakeRes = {
+    setHeader: function (k, v) { headers[k.toLowerCase()] = v; },
+    end:       function (b2) { body = b2; },
+  };
+  Object.defineProperty(fakeRes, "statusCode", {
+    get: function () { return statusCode; },
+    set: function (v) { statusCode = v; },
+  });
+  b.problemDetails.send(fakeRes, { status: 400, extensions: { balance: 30 } });
+  var doc = JSON.parse(body);
+  check("send+extensions: statusCode 400",            statusCode === 400);
+  check("send+extensions: problem+json type",         headers["content-type"] === "application/problem+json");
+  check("send+extensions: balance is a top-level sibling", doc.balance === 30);
+  check("send+extensions: status emitted",            doc.status === 400);
+  check("send+extensions: NO nested extensions member", !("extensions" in doc));
+}
+
 function testFromError() {
   b.problemDetails._resetForTest();
   var err = new (b.frameworkError.ComplianceError)("compliance/unknown-posture", "bad posture", true);
@@ -179,6 +256,8 @@ async function run() {
   testCreateDefaults();
   testCreateFullShape();
   testCreateRefusesBadShape();
+  testCreateExtensions();
+  testSendExtensions();
   testFromError();
   testFromErrorWithStatusCode();
   testSetBase();

package/lib/vendor/blamejs/test/layer-0-primitives/pubsub.test.js

@@ -106,6 +106,54 @@ async function testPatternSubscribe() {
   await ps.close();
 }
 
+async function testClusterNumericConfigValidation() {
+  // pollIntervalMs / retentionMs / pruneEveryMs are config-time numeric
+  // knobs on the cluster backend. A typo (NaN-coercing string / negative /
+  // fractional) must THROW at create rather than silently coercing to the
+  // default and shipping a mis-tuned poll loop. The throw happens before
+  // any DB is touched, so no test-db setup is needed.
+  var nodeA = { currentNodeId: function () { return "node-A"; } };
+  function shouldThrow(label, overrides) {
+    var threw = null;
+    try {
+      b.pubsub.create(Object.assign(
+        { backend: "cluster", cluster: nodeA }, overrides));
+    } catch (e) { threw = e; }
+    check("cluster-config: " + label,
+          threw && (threw.code === "BAD_OPT" || /BAD_OPT/.test(threw.code || "")));
+  }
+
+  shouldThrow("rejects NaN-coercing pollIntervalMs", { pollIntervalMs: "30ms" });
+  shouldThrow("rejects negative pollIntervalMs", { pollIntervalMs: -1 });
+  shouldThrow("rejects fractional pollIntervalMs", { pollIntervalMs: 1.5 });
+  shouldThrow("rejects zero pollIntervalMs", { pollIntervalMs: 0 });
+  shouldThrow("rejects NaN-coercing retentionMs", { retentionMs: "1m" });
+  shouldThrow("rejects negative retentionMs", { retentionMs: -100 });
+  shouldThrow("rejects NaN-coercing pruneEveryMs", { pruneEveryMs: {} });
+  shouldThrow("rejects negative pruneEveryMs", { pruneEveryMs: -5 });
+
+  // Absent keeps the default — create succeeds (returns a live instance).
+  var ok = null;
+  try {
+    ok = b.pubsub.create({ backend: "cluster", cluster: nodeA });
+  } catch (e) { ok = e; }
+  check("cluster-config: absent numeric knobs keep defaults",
+        ok && typeof ok.publish === "function");
+  if (ok && typeof ok.close === "function") { await ok.close(); }
+
+  // Valid positive integers flow through.
+  var ok2 = null;
+  try {
+    ok2 = b.pubsub.create({
+      backend: "cluster", cluster: nodeA,
+      pollIntervalMs: 50, retentionMs: 120000, pruneEveryMs: 300000,
+    });
+  } catch (e) { ok2 = e; }
+  check("cluster-config: valid numeric knobs accepted",
+        ok2 && typeof ok2.publish === "function");
+  if (ok2 && typeof ok2.close === "function") { await ok2.close(); }
+}
+
 async function testClusterFanOut() {
   // Two pubsub instances sharing the same cluster DB simulate two
   // nodes. A publish on instance A is observed by instance B's poll
@@ -218,6 +266,7 @@ async function run() {
   await testTopicPrefixIsolation();
   await testPatternSubscribe();
   await testClosedRejectsPublishSubscribe();
+  await testClusterNumericConfigValidation();
   await testClusterFanOut();
   await testCacheInvalidationFanOut();
 }

package/lib/vendor/blamejs/test/layer-0-primitives/queue-sqs.test.js

@@ -277,8 +277,56 @@ async function testSessionTokenHeader() {
   } finally { await srv.close(); }
 }
 
+async function testNumericConfigValidation() {
+  // visibilityTimeoutSec / waitTimeSec are config-time numeric knobs.
+  // A typo (NaN-coercing string / negative / fractional) must THROW at
+  // create rather than silently coercing to the default and shipping a
+  // mis-tuned lease loop.
+  function shouldThrow(label, overrides, codeRe) {
+    var threw = null;
+    try {
+      sqs.create(Object.assign({}, _baseConfig(9999), overrides));
+    } catch (e) { threw = e; }
+    check("numeric-config: " + label, threw && codeRe.test(threw.code || ""));
+  }
+  function shouldPass(label, overrides) {
+    var ok = null;
+    try {
+      ok = sqs.create(Object.assign({}, _baseConfig(9999), overrides));
+    } catch (e) { ok = e; }
+    check("numeric-config: " + label, ok && typeof ok.enqueue === "function");
+  }
+
+  // Present-but-bad visibilityTimeoutSec throws.
+  shouldThrow("rejects NaN-coercing visibilityTimeoutSec",
+    { visibilityTimeoutSec: "30s" }, /INVALID_CONFIG/);
+  shouldThrow("rejects negative visibilityTimeoutSec",
+    { visibilityTimeoutSec: -1 }, /INVALID_CONFIG/);
+  shouldThrow("rejects fractional visibilityTimeoutSec",
+    { visibilityTimeoutSec: 1.5 }, /INVALID_CONFIG/);
+  shouldThrow("rejects zero visibilityTimeoutSec (not a positive int)",
+    { visibilityTimeoutSec: 0 }, /INVALID_CONFIG/);
+
+  // Present-but-bad waitTimeSec throws — but 0 (short-poll) stays valid.
+  shouldThrow("rejects NaN-coercing waitTimeSec",
+    { waitTimeSec: "10s" }, /INVALID_CONFIG/);
+  shouldThrow("rejects negative waitTimeSec",
+    { waitTimeSec: -1 }, /INVALID_CONFIG/);
+  shouldThrow("rejects fractional waitTimeSec",
+    { waitTimeSec: 2.5 }, /INVALID_CONFIG/);
+
+  // Absent keeps the default (create succeeds, returns a live adapter).
+  shouldPass("absent numeric knobs keep defaults", {});
+  // Valid values flow through.
+  shouldPass("accepts valid visibilityTimeoutSec", { visibilityTimeoutSec: 60 });
+  shouldPass("accepts valid waitTimeSec", { waitTimeSec: 20 });
+  // waitTimeSec=0 is the valid SQS short-poll sentinel — must NOT throw.
+  shouldPass("accepts waitTimeSec=0 (short-poll sentinel)", { waitTimeSec: 0 });
+}
+
 async function run() {
   await testFactoryValidation();
+  await testNumericConfigValidation();
   await testEnqueueWireShape();
   await testDelaySecondsClampedAt900();
   await testLeaseRoundTrip();