@blamejs/blamejs-shop 0.3.70 → 0.3.72

package/lib/vendor/blamejs/test/layer-0-primitives/codebase-patterns.test.js

@@ -507,6 +507,11 @@ function testNoRawTimeLiterals() {
         .replace(/'(?:[^'\\]|\\.)*'/g, "")
         .replace(/`(?:[^`\\]|\\.)*`/g, "")
         .replace(/\/(?:[^/\\\n]|\\.)+\/[gimsuy]*/g, "")
+        // Strip a trailing `//` line comment AFTER string/regex removal so
+        // a `// RFC 7800` / `// draft §4.1` annotation can't seed a phantom
+        // time-shape literal. String literals are already gone, so any
+        // remaining `//` opens a real comment; everything to EOL is prose.
+        .replace(/\/\/.*$/, "")
         .replace(/0x[0-9a-fA-F]+/g, "");
       var hit = false;
       // Any `* 1000` that isn't part of `* 1000 * 1000` (already caught
@@ -2590,13 +2595,44 @@ async function testNoDuplicateCodeBlocks() {
       ],
       reason: "v0.14.18 — coincidental shingle of the import-public-key-then-wrap-failure idiom (try { keyObj = nodeCrypto.createPublicKey({ key, format }); } catch (e) { throw new AuthError(code, msg + ((e && e.message) || String(e))); }). The alg/key-type cross-check (CVE-2026-22817) is ALREADY routed through the shared jwtExternal._assertAlgKtyMatch helper; what repeats here is only the per-primitive createPublicKey + typed-catch shell. oid4vci._verifyProofJwt imports an OID4VCI proof-JWT holder key and throws auth-oid4vci/*; openid-federation.verifyEntityStatement imports an entity-statement JWS key and throws auth-openid-federation/*; saml._decryptEncryptedAssertion / verifyResponse import SAML XML-DSig / EncryptedAssertion keys (a different signature mechanism entirely) and throw auth-saml/*. Each carries a primitive-local error code namespace operators grep for; consolidating would couple three unrelated credential formats on the createPublicKey boilerplate.",
     },
+    {
+      mode:  "family-subset",
+      files: [
+        "lib/archive-adapters.js:fs",
+        "lib/archive-adapters.js:http",
+        "lib/archive-adapters.js:close",
+        "lib/crypto-field.js:declarePerRowKey",
+        "lib/crypto-field.js:assertColumnResidency",
+        "lib/network-smtp-policy.js:mtaStsFetch",
+        "lib/parsers/safe-env.js:readVar",
+        "lib/mail-crypto-pgp.js:sign",
+        "lib/metrics.js:shadowRegistry",
+        "lib/tracing.js:spanSync",
+      ],
+      reason: "v0.14.20 — generic validate/guard control-flow shingle that the crypto-field plain-Error → typed-CryptoFieldError(code, msg) conversion tipped over the 3-file threshold. The throw now normalizes to `throw new _ID ( _STR , _STR )` (two-arg framework-error contract) instead of the keyword-`Error` one-arg form, so the early-return + typed-throw prelude in crypto-field.declarePerRowKey / assertColumnResidency now exact-matches the same prelude shape in unrelated primitives: archive-adapters fs/http/close adapter methods, network-smtp-policy.mtaStsFetch (MTA-STS policy fetch), parsers/safe-env.readVar (env-var read), mail-crypto-pgp.sign (PGP detached signature), metrics.shadowRegistry (Prometheus shadow registry), tracing.spanSync (OTEL span helper). Members are unrelated subsystems with primitive-local error namespaces operators grep for; there is no shared behaviour to extract — consolidating would couple field-level encryption, archive I/O, SMTP policy, env parsing, PGP, metrics, and tracing on a trivial guard-then-throw shell.",
+    },
     {
       files: ["lib/api-key.js:issue", "lib/db-query.js:<top>", "lib/session.js:create"],
       reason: "Generic JS array helper / lambda shape — Object.keys(...).map(fn) + similar functional idioms appearing in any code that walks a column-or-key list.",
     },
     {
-      files: ["lib/guard-filename.js:verifyExtractionPath", "lib/hal.js:resource", "lib/vault-aad.js:_canonicalize"],
-      reason: "v0.13.13 — coincidental token shingle of the generic split-then-walk-segments idiom (`x.split(sep); for (...) { var seg = ...; if (...) throw/continue }`). guard-filename verifyExtractionPath walks path components refusing per-segment Windows-extraction hazards (reserved names / NTFS-ADS / trailing-dot); hal.js:resource builds a HAL resource by walking link/embedded keys; vault-aad.js:_canonicalize canonicalizes AAD key-value segments. Three unrelated domains (path safety / hypermedia link assembly / crypto AAD canonicalization) — no shared behaviour to extract; the only commonality is the universal split-and-loop control-flow shape.",
+      mode:  "family-subset",
+      files: [
+        "lib/auth/oauth.js:buildClientAttestation",
+        "lib/guard-filename.js:verifyExtractionPath",
+        "lib/hal.js:resource",
+        "lib/vault-aad.js:_canonicalize",
+      ],
+      reason: "v0.13.13 — coincidental token shingle of the generic split-then-walk-segments / walk-own-keys idiom (`x.split(sep)` or `Object.keys(x)` then `for (...) { var seg = ...; if (...) throw/continue }`). guard-filename verifyExtractionPath walks path components refusing per-segment Windows-extraction hazards (reserved names / NTFS-ADS / trailing-dot); hal.js:resource builds a HAL resource by walking link/embedded keys; vault-aad.js:_canonicalize canonicalizes AAD key-value segments; oauth.js:buildClientAttestation merges operator extra-claims by walking Object.keys with a prototype-pollution + spec-field-collision guard before signing. Unrelated domains (path safety / hypermedia link assembly / crypto AAD canonicalization / attestation claim merge) — no shared behaviour to extract; the only commonality is the universal walk-and-loop control-flow shape.",
+    },
+    {
+      mode:  "family-subset",
+      files: [
+        "lib/auth/oauth.js:_validateAuthorizationDetailsArray",
+        "lib/auth/step-up.js:parseAuthorizationDetails",
+        "lib/middleware/speculation-rules.js:_validateRules",
+      ],
+      reason: "Coincidental shingle of the array-of-typed-objects validation loop (`if (!Array.isArray(value)) throw; for (...) { var entry = value[i]; if (!entry || typeof entry !== 'object' || Array.isArray(entry)) throw; if (typeof entry.type !== 'string' ...) throw; }`). oauth._validateAuthorizationDetailsArray and step-up.parseAuthorizationDetails both gate RFC 9396 authorization_details entries (one pre-parsed, one parsing a request string) and throw auth-oauth/* and auth-step-up/* respectively; speculation-rules._validateRules gates W3C Speculation-Rules prerender/prefetch rule objects and throws a speculation-rules error. The loop shape is the only commonality; each enforces a distinct spec grammar with its own per-entry field requirements and error-code namespace, so there is no shared validator to extract without coupling unrelated request grammars.",
     },
     {
       mode:  "family-subset",
@@ -3107,6 +3143,9 @@ async function testNoDuplicateCodeBlocks() {
         "lib/auth/oauth.js:exchangeToken",
         "lib/auth/oauth.js:nativeSsoExchange",
         "lib/auth/oauth.js:pollDeviceCode",
+        "lib/auth/oauth.js:_signAttestationJws",
+        "lib/auth/oauth.js:_verifyAttestationJws",
+        "lib/auth/oauth.js:verifyClientAttestation",
         "lib/auth/oid4vci.js:_verifyProofJwt",
         "lib/auth/oid4vci.js:createCredentialOffer",
         "lib/auth/oid4vci.js:exchangePreAuthorizedCode",
@@ -3122,6 +3161,7 @@ async function testNoDuplicateCodeBlocks() {
         "lib/auth/ciba.js:_registerInitialInterval",
         "lib/backup/index.js:scheduleTest",
         "lib/dsr.js:submit",
+        "lib/fda-21cfr11.js:_validateSignatureInput",
         "lib/fedcm.js:accountsResponse",
         "lib/guard-saga-config.js:validate",
         "lib/guard-snapshot-envelope.js:validate",
@@ -3138,7 +3178,7 @@ async function testNoDuplicateCodeBlocks() {
         "lib/self-update.js:poll",
         "lib/self-update.js:verify",
       ],
-      reason: "v0.10.16 — JOSE / signature-verify / posture-check prelude across heterogeneous primitives: each verify/check pattern decomposes a token / envelope / posture set, asserts spec-required shape (header.alg in allowlist / kty in allowlist / iss CT-compare / aud match / time-window), and dispatches per-alg via shared helpers. The shingle similarity is the boilerplate header-parse + alg-allowlist + timing-safe compare; each primitive enforces a distinct spec (RFC 7519 JWT / RFC 7515 JWS / RFC 9449 DPoP / OASIS CSAF VEX / FIDO MDS / SAML 2.0 / RFC 9528 SD-JWT / W3C FedCM 2024 / RFC 8917 backchannel-logout / SBOM compliance / OIDC Federation / OID4VCI / CIBA / RFC 8460 TLS-RPT / restore-rollback). Consolidating would lose per-spec error code namespacing.",
+      reason: "v0.10.16 — JOSE / signature-verify / posture-check prelude across heterogeneous primitives: each verify/check pattern decomposes a token / envelope / posture set, asserts spec-required shape (header.alg in allowlist / kty in allowlist / iss CT-compare / aud match / time-window), and dispatches per-alg via shared helpers. The shingle similarity is the boilerplate header-parse + alg-allowlist + timing-safe compare; each primitive enforces a distinct spec (RFC 7519 JWT / RFC 7515 JWS / RFC 9449 DPoP / OAuth 2.0 Client Attestation draft / OASIS CSAF VEX / FIDO MDS / SAML 2.0 / RFC 9528 SD-JWT / W3C FedCM 2024 / RFC 8917 backchannel-logout / SBOM compliance / OIDC Federation / OID4VCI / CIBA / RFC 8460 TLS-RPT / restore-rollback). The OAuth client-attestation sign/verify path (_signAttestationJws / _verifyAttestationJws / verifyClientAttestation) shares the JWS header-parse + per-alg nodeCrypto.sign/verify + constant-time aud/jti compare shell while throwing its own auth-oauth/attestation-* code namespace. Consolidating would lose per-spec error code namespacing.",
     },
     {
       mode:  "family-subset",
@@ -5227,14 +5267,18 @@ async function testNoDuplicateCodeBlocks() {
       files: [
         "lib/ai-adverse-decision.js:wrap",
         "lib/audit-daily-review.js:create",
+        "lib/auth/oauth.js:buildClientAttestationPop",
+        "lib/auth/saml.js:create",
         "lib/cloud-events.js:wrap",
+        "lib/data-act.js:shareWithThirdParty",
         "lib/ddl-change-control.js:create",
         "lib/external-db-migrate.js:create",
         "lib/fda-21cfr11.js:posture",
         "lib/observability-tracer.js:create",
+        "lib/outbox.js:create",
         "lib/redact.js:installOutboundDlp",
       ],
-      reason: "Observability-emit + validateOpts prelude family — each primitive opens with the validateOpts cascade then attaches an observability.event call (tracer span / decision audit / DDL approval / migration / 21 CFR signature / DLP scan). Eight different domains; consolidating would force a single emit shape and lose per-primitive event-name conventions.",
+      reason: "Observability-emit + validateOpts prelude family — each primitive opens with the `validateOpts(opts, [keys], label)` key-set cascade then a sequence of validateOpts.requireX / optionalX field checks (and most attach an observability.event call: tracer span / decision audit / DDL approval / migration / 21 CFR signature / DLP scan / third-party data share). The OAuth buildClientAttestationPop opens with the same validateOpts key-set + requireNonEmptyString / optionalPositiveInt prelude before minting the PoP JWT. Different domains; consolidating would force a single emit shape and lose per-primitive event-name conventions and error-code namespaces.",
     },
     {
       mode:  "family-subset",
@@ -5253,6 +5297,41 @@ async function testNoDuplicateCodeBlocks() {
       ],
       reason: "Factory-create() opts-resolution scaffolding family — `var X = applyDefaults(opts, DEFAULTS); validateOpts.optionalY(...); validateOpts.optionalZ(...)` cascades. Eleven different domains (daily review / sanctions fetcher / migration / 21 CFR / FDX / db-role middleware / DPoP / TUS / outbox / static / sealed-PEM); each closure captures a different downstream binding. Same factory-prelude convention as the JSON-envelope cluster above; tracked separately because the file-set varies.",
     },
+    {
+      mode:  "family-subset",
+      files: [
+        "lib/auth/oauth.js:buildClientAttestationPop",
+        "lib/auth/saml.js:create",
+        "lib/compliance-sanctions-fetcher.js:create",
+        "lib/data-act.js:shareWithThirdParty",
+        "lib/external-db-migrate.js:create",
+        "lib/fda-21cfr11.js:posture",
+        "lib/http-client.js:_validateDownloadOpts",
+        "lib/http-client.js:_validateUploadOpts",
+        "lib/mail-send-deliver.js:create",
+        "lib/middleware/db-role-for.js:create",
+        "lib/middleware/no-cache.js:create",
+        "lib/middleware/tus-upload.js:create",
+        "lib/outbox.js:create",
+        "lib/pubsub-cluster.js:create",
+        "lib/queue-sqs.js:create",
+        "lib/storage.js:chunkScratch",
+        "lib/vault/seal-pem-file.js:sealPemFile",
+        "lib/watcher.js:_validateOpts",
+        "lib/web-push-vapid.js:buildVapidAuthHeader",
+      ],
+      reason: "Config-time numeric-validation prelude family — `validateOpts.optionalPositiveInt(opts.X, label, ErrClass, code); var x = opts.X !== undefined ? opts.X : DEFAULT;` cascades at factory entry points. pubsub-cluster / queue-sqs / mail-send-deliver joined when their coerce-or-default numerics were converted to config-time throws; the older members (saml / sanctions / 21 CFR / data-act / outbox / watcher / http-client / vapid / sealed-PEM / storage chunkScratch / no-cache / tus / db-role) carry the same prelude convention. Each domain emits its own error class, code namespace, and opts vocabulary — consolidating past the call boundary would surface the wrong error code for operator typos; the shared helper (validateOpts) IS the extraction.",
+    },
+    {
+      mode:  "family-subset",
+      files: [
+        "lib/auth/bot-challenge.js:_normaliseAllowlist",
+        "lib/auth/oid4vci.js:_parseX5cChain",
+        "lib/middleware/cors.js:create",
+        "lib/network-dns.js:setServers",
+      ],
+      reason: "Loop-over-string-array with per-entry shape refusal — bot-challenge normalises a provider allowlist, cors validates configured origins, network-dns validates resolver addresses, oid4vci validates RFC 7515 x5c base64-DER chain entries. Each refuses with its own domain error class and a per-entry indexed message (the message IS the operator diagnostic); the loop scaffold is the only shared shape.",
+    },
     {
       files: [
         "lib/auth/sd-jwt-vc-holder.js:_emitAudit",
@@ -6110,6 +6189,7 @@ var KNOWN_ANTIPATTERNS = [
     regex: /var\s+\w+\s*=\s*\w+\.get\s*\([^;]+\)\s*;\s*\n\s*if\s*\(\s*!\s*\w+\s*\)\s*\{[\s\S]{0,300}?\.set\s*\(/,
     allowlist: [
       "lib/cache.js",                          // tagIndex (Map<tag, Set<key>>) — Set factory
+      "lib/crypto-field.js",                   // _rateFailWindows (Map<actor:table:column, ts[]>) in _rateNoteFailure — timestamp-array factory
       "lib/deprecate.js",                      // _seen (Map<name:since, entry>) — object-literal factory
       "lib/i18n-messageformat.js",             // _pluralRulesCache (Map<key, Intl.PluralRules>) — Intl factory
       "lib/i18n.js",                           // formatter cache (Map<key, formatter>) — closure factory
@@ -6169,6 +6249,106 @@ var KNOWN_ANTIPATTERNS = [
     allowlist: [],
     reason: "Codex P2 on v0.10.15 PR #104 flagged Number(summary['total-successful-session-count']) || 0 — silently accepted Infinity / NaN / negative on an audit-emitted summed path. Detector forces explicit validation discipline on new code.",
   },
+  {
+    // v0.14.21 — redis-client coerced entry-point numerics with bare
+    // `Number(opts.X) || DEFAULT`: connectTimeoutMs:"abc" → NaN
+    // silently became the default, a negative timeout sailed into
+    // setTimeout, and maxReconnectAttempts:"abc" → NaN made the
+    // `>= 0` reconnect-cap check false — silently DISABLING the
+    // reconnect bound. Config-time entry-point opts THROW on bad
+    // input; the coerce-or-default shape swallows exactly the typo
+    // that tier exists to surface. Same class found and fixed in
+    // pubsub-cluster + queue-sqs in the same release.
+    id: "number-opts-coerce-or-default",
+    primitive: "validateOpts.optionalPositiveInt / optionalPositiveFinite / optionalFiniteNonNegative (config-time throw) — never `Number(opts.X) || DEFAULT` coerce-or-default on an entry-point opt",
+    regex: /=\s*Number\s*\(\s*opts\.\w+\s*\)\s*\|\|/,
+    skipCommentLines: true,
+    allowlist: [],
+    reason: "v0.14.21 — `Number(opts.X) || DEFAULT` on a config-time entry-point opt silently converts an operator typo (string, NaN, negative-via-||-passthrough) into the default or into garbage downstream (negative setTimeout, NaN disabling a `>= 0` cap check). Entry-point numerics route through the validateOpts helpers so the typo throws at boot. A genuinely defensive request-shape reader (returns-defaults tier) reads from a request object, not `opts.`, and is out of this regex's scope by construction.",
+  },
+  {
+    // v0.14.21 — openapi-serve / asyncapi-serve admitted HEAD at the
+    // dispatcher (`method !== "GET" && method !== "HEAD"` → handle)
+    // but the body writer had no HEAD branch: it set Content-Length
+    // AND wrote the full payload body for HEAD, violating RFC 9110
+    // §9.3.2 (a HEAD response carries no body). The framework
+    // convention (assetlinks / web-app-manifest / security-txt /
+    // health / static / protected-resource-metadata) is per-middleware
+    // suppression: headers as for GET, then `if (req.method ===
+    // "HEAD") { res.end(); return; }`. Any file admitting HEAD
+    // alongside GET must carry that suppression somewhere.
+    id: "head-admitted-without-body-suppression",
+    primitive: "after writeHead: `if (req.method === \"HEAD\") { res.end(); return; }` — HEAD carries the GET headers (incl. Content-Length) with no body (RFC 9110 §9.3.2)",
+    regex: /!==\s*["']GET["']\s*&&\s*[\w.]+\s*!==\s*["']HEAD["']/,
+    requires: /===\s*["']HEAD["']/,
+    skipCommentLines: true,
+    allowlist: [
+      // CSRF-token method gate on the form BUILDER — decides whether a
+      // hidden token field is emitted; no HTTP response is written, so
+      // there is no body to suppress.
+      "lib/forms.js",
+      // CLIENT-side cache-eligibility check (RFC 9111 — only GET/HEAD
+      // responses are cacheable) — consumes responses, never writes one.
+      "lib/http-client-cache.js",
+    ],
+    reason: "v0.14.21 — openapi-serve/asyncapi-serve served the full JSON/YAML payload as a HEAD response body (RFC 9110 §9.3.2 violation; tests only drove GET). A dispatcher that admits HEAD promises HEAD semantics; the response writer must suppress the body. The `requires` companion is satisfied by the framework-standard `req.method === \"HEAD\"` end-without-body branch anywhere in the file.",
+  },
+  {
+    // v0.14.21 (Codex P2 on PR #301) — the apiEncrypt per-session
+    // (sid, ctr) replay claim expired with the staleness window
+    // (`now + replayWindowMs`). The post-handler session write is
+    // best-effort, so a failed write leaves lastReqCtr stale, and the
+    // envelope `_ts` is plaintext metadata not bound into the AEAD —
+    // an expired claim let the same captured (sid, ctr, _ct) replay
+    // later with a fresh _ts and execute twice. The claim must live
+    // until session.expiresAt.
+    id: "session-replay-claim-window-expiry",
+    primitive: "nonceStore.checkAndInsert(ctrKey, session.expiresAt) — a session-scoped replay claim lives as long as the session can accept requests, never just the staleness window",
+    regex: /checkAndInsert\s*\(\s*ctrKey\s*,\s*now\s*\+/,
+    skipCommentLines: true,
+    allowlist: [],
+    reason: "Codex P2 on v0.14.21 PR #301 — a replay claim that expires with the staleness window re-opens late replay when the post-handler session write fails best-effort and the request timestamp is not authenticated with the ciphertext. The (sid, ctr) tuple stays burned until session.expiresAt; per-session claim count is bounded by sessionMaxResponses.",
+  },
+  {
+    // v0.14.21 — the api-encrypt envelope's plaintext metadata
+    // (_ts/_nonce/_sid/_ctr) rode OUTSIDE the AEAD: a captured
+    // bootstrap/per-request envelope could be replayed past the
+    // staleness window with a rewritten _ts, and a captured response
+    // could be replayed to the client under a bumped _ctr (the
+    // client's monotonic check reads the plaintext field). Every
+    // packed AEAD call in the envelope protocol now binds the
+    // canonical _requestAad/_responseAad string; a two-arg
+    // encryptPacked/decryptPacked on a protocol key is the regression.
+    id: "apienc-envelope-metadata-unbound",
+    primitive: "bCrypto.encryptPacked/decryptPacked with _requestAad(ts, nonce, sid, ctr) / _responseAad(sid, ctr) — the api-encrypt envelope's plaintext metadata is AEAD-bound on both protocol halves",
+    regex: /\b(?:encryptPacked|decryptPacked)\s*\(\s*\w+\s*,\s*(?:perSessionKey|sessionKey)\s*\)/,
+    skipCommentLines: true,
+    allowlist: [
+      // OpenPGP message session key (RFC 9580 vocabulary, same variable
+      // name by coincidence) — the PGP packet format carries no plaintext
+      // framework-envelope metadata; integrity is the OpenPGP MDC/AEAD
+      // packet's own concern.
+      "lib/mail-crypto-pgp.js",
+    ],
+    reason: "v0.14.21 — envelope freshness/routing fields (_ts/_nonce/_sid/_ctr) were not authenticated with the ciphertext, so capture-and-rewrite defeated the staleness gate (requests) and the monotonic counter check (responses). All six packed AEAD calls in lib/middleware/api-encrypt.js carry the canonical AAD; both protocol halves live in that one module and must stay byte-identical.",
+  },
+  {
+    // v0.14.21 (Codex P2 on PR #301) — the SCIM bulk dependency
+    // planner scanned only operation DATA for bulkId references;
+    // a reference in the operation PATH ("PATCH /Groups/bulkId:g1")
+    // was neither ordered nor substituted, so the adapter could
+    // receive the literal token as a resource id, or the operation
+    // failed despite the referenced POST succeeding. Planner and
+    // executor must scan/substitute path segments alongside data
+    // (RFC 7644 §3.7.2 — path references resolve like data references).
+    id: "bulk-ref-scan-misses-path",
+    primitive: "_pathBulkIdRefs(op) feeding the dependency plan + _resolvePathBulkIdRefs(path, bulkIdMap) before path parsing — every operator-visible bulkId reference surface resolves",
+    regex: /_collectBulkIdRefs\s*\(/,
+    requires: /_pathBulkIdRefs/,
+    skipCommentLines: true,
+    allowlist: [],
+    reason: "Codex P2 on v0.14.21 PR #301 — bulkId cross-references appear in operation paths as well as operation data (RFC 7644 §3.7.2); a planner that scans only data leaves path-referencing operations unordered and lets the literal bulkId:<id> token reach the resource adapter. Any file collecting data refs must collect and substitute path refs too.",
+  },
   {
     // v0.10.15 — `zlib.gunzipSync` / `zlib.createGunzip` /
     // `zlib.brotliDecompress` without an output-size cap is the
@@ -6601,6 +6781,12 @@ var KNOWN_ANTIPATTERNS = [
 
   { id: "regex-polynomial-whitespace-in-repeated-group", primitive: "a regex literal must not place an optional-whitespace `\\s*` / `\\s+` at the END of a repeated group (the `(?:…\\s*)*` / `…\\s*)+` shape) — the same whitespace can be consumed either inside the group or by surrounding whitespace, so a crafted input backtracks polynomially (CWE-1333 ReDoS). Consume whitespace as a single disjoint alternative `(?:\\s|…)*` instead, and match block comments with the star-not-slash form, never a lazy `[\\s\\S]*?`.", scanScope: "lib", skipCommentLines: true, regex: /\\s[*+]\)[*+]/, allowlist: [], reason: "CodeQL js/polynomial-redos (alert 330) flagged lib/external-db.js's leading-keyword classifier `/^\\s*(?:\\/\\*…\\s*|--…\\s*)*([A-Za-z]+)/` — the `\\s*` both before AND at the tail of the repeated group gives two ways to consume the same whitespace run, so a SQL string of nested `/**/` or `*/--` comment runs backtracks polynomially; reused by the new OTel db.operation path it became a taint sink. Rewritten to `/^(?:\\s|\\/\\*(?:[^*]|\\*(?!\\/))*\\*\\/|--[^\\n]*\\n)*([A-Za-z]+)/` (disjoint single-char alternatives). codebase-patterns is a curated detector set, not a taint/ReDoS analyzer like CodeQL — this closes the specific shape locally so the next agent-authored comment-skip regex trips the gate before CI. Empty allowlist — a `\\s*)*` / `\\s+)+` tail in a lib regex is the ReDoS tell; allowlist a genuinely-anchored case with its structural reason." },
 
+  { id: "attestation-pop-replay-store-must-await-thenable", primitive: "verifyClientAttestation's jti replay check (vopts.seenJti) MUST handle an async (Promise-returning) store — its result is awaited when it is a thenable so a Redis/DB store's resolved `false` (a replayed jti) refuses, instead of comparing a never-`false` Promise object with `=== false` and silently accepting the replay", scanScope: "lib", skipCommentLines: true, regex: /vopts\.seenJti\s*\(/, requires: /typeof\s+unseen\.then\s*===\s*["']function["']|unseen\s*=\s*await\s+unseen/, allowlist: [], reason: "v0.14.20 Codex P1 on PR #300 (replay-defense bypass, CWE-294) — verifyClientAttestation read `unseen = vopts.seenJti(jti, iat)` then `if (unseen === false) throw replay`. With an async (Redis/DB) atomic check-and-insert the callback returns a Promise; a Promise is never `=== false`, so a replayed jti was ACCEPTED and the draft-ietf-oauth-attestation-based-client-auth §12.1 replay defense was disabled for every multi-instance AS deployment. The verifier is now async and awaits a thenable result (`if (unseen && typeof unseen.then === \"function\") unseen = await unseen;`). The other oauth replay sinks (refreshAccessToken's ropts.checkAndInsert / ropts.seen, _normalizeTokens' vopts.seen) already await at the call site; only this path deviated. Anchored on the vopts.seenJti( token unique to this verifier; the requires-companion fails if a future edit drops the thenable-await, re-opening the silent-accept window. Empty allowlist — a seenJti result that is neither awaited nor thenable-checked is the bug." },
+
+  { id: "jose-jws-builder-fixed-classical-alg-default", primitive: "a JWS builder that signs with an operator-supplied key MUST NOT default `opts.algorithm` to a fixed classical JOSE alg (ES256/384/512, RS/PS*) via `|| \"<alg>\"` — that signs a key of a different type (RSA / Ed25519 / non-matching EC curve) under a header alg that disagrees with the key (un-signable, or a self-invalid JWS the verifier's alg/kty check rejects). Derive the alg from the key type (mirroring oauth _resolveAttestationAlg / sd-jwt-vc-holder _resolveHolderAlg), or use a PQC pass-through default that works with any key", scanScope: "lib", skipCommentLines: true, regex: /\.algorithm\s*\|\|\s*["'](?:ES256|ES384|ES512|RS256|RS384|RS512|PS256|PS384|PS512)["']/, allowlist: [], reason: "v0.14.20 — the OAuth client-attestation builders (Codex P2 on PR #300) AND the sd-jwt-vc holder (`var algorithm = opts.algorithm || \"ES256\"`, found by the post-fix adversarial review) both hardcoded a fixed ES256 default that overrode any key-type reconciliation. ES256 is only self-consistent for an EC P-256 key; an RSA / Ed25519 / EC-P384 key signed under an ES256 header is un-signable or yields a JWS whose header alg disagrees with the signature, which every alg/kty-checking verifier rejects (self-invalid token; broken authentication / presentation). Both are now key-derived (_resolveAttestationAlg / _resolveHolderAlg). This detector flags any lib JWS builder reintroducing a fixed CLASSICAL JOSE alg as the `opts.algorithm ||` default — it deliberately does NOT match a PQC pass-through default (`|| \"ML-DSA-87\"` / `|| DEFAULT_ALG` / `|| \"SLH-DSA-...\"`, which sign with a null digest and work for the matching key) nor non-JOSE alg selectors (hash `\"sha384\"`, DKIM `\"rsa-sha256\"`, `\"token-bucket\"`). Empty allowlist — a fixed classical-alg default on a sign path is the self-invalid-JWS bug; a genuine EC-P256-only builder should still derive/validate the key, not assume." },
+
+  { id: "attestation-alg-must-derive-from-key", primitive: "the OAuth client-attestation / PoP JWS builders must resolve the signing alg from the key type via _resolveAttestationAlg (infer a key-compatible default; refuse an explicit alg incompatible with the key) — never a fixed `opts.algorithm || \"ES256\"` default, which signs a non-EC key (RSA / Ed25519) under an ES256 header that verifyClientAttestation's alg/kty cross-check then rejects (self-invalid attestation)", scanScope: "lib", skipCommentLines: true, regex: /oauth-client-attestation(?:-pop)?\+jwt/, requires: /_resolveAttestationAlg\s*\(/, allowlist: [], reason: "v0.14.20 Codex P2 on PR #300 — buildClientAttestation / buildClientAttestationPop defaulted `var alg = opts.algorithm || \"ES256\"`, so an RSA / Ed25519 attester or instance key produced a compact JWS whose header said ES256 but whose signature was made with the real key; verifyClientAttestation's alg⇄kty cross-check then rejected the builder's OWN output for any non-P-256 key. Both builders now resolve the alg through _resolveAttestationAlg(explicitAlg, key): it infers a key-matched default (ES256/384/512 by curve, RS256 for RSA, EdDSA for Ed25519/Ed448) and refuses an explicit alg incompatible with the key BEFORE signing (auth-oauth/attestation-alg-key-mismatch). Anchored on the attestation `+jwt` typ literals unique to these builders (does NOT touch the generic `.algorithm || \"<selector>\"` strings in rate-limit / crypto / dkim, nor the sd-jwt holder KB-JWT path); the requires-companion fails if a future edit reverts to a hardcoded alg default. Empty allowlist — a fixed alg default on the attestation signing path is the self-invalid-JWS bug." },
+
   {
     // ROTATION-EPOCH ACCEPT (v0.14.x): a vault-key rotation (b.vault.rotate)
     // re-keys the local dataDir, which changes the SHA3-512 fingerprint of
@@ -7667,8 +7853,12 @@ var KNOWN_ANTIPATTERNS = [
       // formatted message details that don't fit the helper's
       // (label + description) shape.
       "lib/protocol-dispatcher.js",
+      // problem-details throws ProblemDetailsError with the 3rd
+      // `permanent: true` arg (same class as external-db above) — the
+      // validateOpts._throw factory signature would silently drop it.
+      "lib/problem-details.js",
     ],
-    reason: "Extracted to validateOpts.optionalPlainObject. Replaces the recurring `if (X !== undefined && X !== null) { if (typeof X !== 'object' || Array.isArray(X)) throw }` shape used to validate optional plain-object opts. Two sites allowlisted: external-db needs the permanent-flag 3rd arg the helper drops; protocol-dispatcher uses multi-line formatted error messages that don't fit the helper's description slot.",
+    reason: "Extracted to validateOpts.optionalPlainObject. Replaces the recurring `if (X !== undefined && X !== null) { if (typeof X !== 'object' || Array.isArray(X)) throw }` shape used to validate optional plain-object opts. Three sites allowlisted: external-db + problem-details need the permanent-flag 3rd arg the helper drops; protocol-dispatcher uses multi-line formatted error messages that don't fit the helper's description slot.",
   },
   {
     id: "inline-redis-client-opts-forwarding",
@@ -10049,6 +10239,122 @@ function testMailStoreFtsInTransaction() {
     bad);
 }
 
+// ---- Pattern: validateOpts-accepted key never read ----
+//
+// class: validateopts-key-never-read
+//
+// v0.14.21 — csp-report's @opts documented `audit: boolean // default
+// true` and validateOpts accepted the key, but create() never read
+// opts.audit: the documented disable knob was a silent no-op (the
+// violation audit row fired unconditionally). A sweep found the same
+// shape in honeytoken (injectable audit sink ignored), config
+// ("reserved for future" knob), and others — all wired or
+// de-advertised in the same release. The validateOpts allowlist IS
+// the operator contract: a key it accepts that no code reads is
+// advertised surface with no implementation.
+//
+// The detector: every string key in a direct
+// `validateOpts(<ident>, [ ... ])` call's array literal must be read
+// as `<ident>.<key>` (dot) or `<ident>["<key>"]` (literal bracket)
+// somewhere in the same file. Keys consumed STRUCTURALLY — via a
+// computed `ident[k]` loop over a key table, or by forwarding the
+// whole opts object to a sub-factory in another file — can't be
+// verified file-locally and carry an ALLOW entry below citing where
+// the key is actually consumed.
+function testValidateOptsAcceptedKeysAreRead() {
+  // "<relative file>::<ident>.<key>" -> consumption cite (the reason
+  // the file-local read is absent). Adding an entry requires naming
+  // the real consumption site; "we'll wire it later" is not a reason.
+  var ALLOW = Object.create(null);
+  // jwt-external: the whole opts object is forwarded as `vopts` to
+  // _selectKey; consumed as vopts.allowKidlessJwks (jwt-external.js:281).
+  ALLOW["lib/auth/jwt-external.js::opts.allowKidlessJwks"] = true;
+  // step-up: the validated `requirement` IS buildChallenge's `req`;
+  // read as req.authorizationDetails (step-up.js:266 — emits the
+  // RFC 9396 authorization_details challenge param).
+  ALLOW["lib/auth/step-up.js::requirement.authorizationDetails"] = true;
+  // cache: redis* keys are prefix-mapped via
+  // redisClient.pickClientOpts(opts, "redis") (cache.js redis backend
+  // branch → the prefix table in redis-client.js).
+  ["redis", "redisPassword", "redisUsername", "redisTls", "redisCa",
+   "redisServername", "redisConnectTimeoutMs", "redisCommandTimeoutMs",
+   "redisMaxReconnectAttempts"].forEach(function (k) {
+    ALLOW["lib/cache.js::opts." + k] = true;
+  });
+  // flag-providers: passed-through spec metadata — the whole spec is
+  // stored (flags[key] = opts.flags[key]) and returned via
+  // provider.get()/evaluate(); operator tooling reads the fields.
+  ["description", "tags", "kind"].forEach(function (k) {
+    ALLOW["lib/flag-providers.js::spec." + k] = true;
+  });
+  // body-parser: per-parser sub-configs read via the computed
+  // `opts[name]` in _resolve(name) (body-parser.js _resolve loop).
+  ["json", "urlencoded", "text", "raw", "multipart"].forEach(function (k) {
+    ALLOW["lib/middleware/body-parser.js::opts." + k] = true;
+  });
+  // web-app-manifest: manifest fields read via the computed `opts[k]`
+  // manifest-build loop (web-app-manifest.js Object.keys(opts) filter).
+  ["short_name", "description", "scope", "display", "display_override",
+   "orientation", "theme_color", "background_color", "screenshots",
+   "shortcuts", "categories", "lang", "dir", "id",
+   "prefer_related_applications", "related_applications"].forEach(function (k) {
+    ALLOW["lib/middleware/web-app-manifest.js::opts." + k] = true;
+  });
+  // sigv4-bucket-ops: per-method opts forwarded to _actor(callerOpts) →
+  // requestHelpers.resolveActorWithOverride (callerOpts.req read in
+  // request-helpers.js; callerOpts.actor is the override seed at
+  // sigv4-bucket-ops.js _actor).
+  ALLOW["lib/object-store/sigv4-bucket-ops.js::opts.req"] = true;
+  ALLOW["lib/object-store/sigv4-bucket-ops.js::opts.actor"] = true;
+  // pubsub: the whole opts object is forwarded to
+  // pubsubCluster().create(opts) / pubsubRedis().create(opts)
+  // (pubsub.js _resolveBackend); keys consumed in those backends.
+  ["cluster", "pollIntervalMs", "retentionMs", "pruneEveryMs",
+   "redisUrl", "redisPassword", "redisUsername", "redisTls", "redisCa",
+   "redisServername"].forEach(function (k) {
+    ALLOW["lib/pubsub.js::opts." + k] = true;
+  });
+
+  var files = _libFiles();
+  var bad = [];
+  var callRe = /\bvalidateOpts\s*\(\s*(\w+)\s*,\s*\[([\s\S]*?)\]/g;
+  for (var i = 0; i < files.length; i++) {
+    var rel = _relPath(files[i]);
+    if (rel === "lib/validate-opts.js") continue;
+    var content;
+    try { content = fs.readFileSync(files[i], "utf8"); }
+    catch (_e) { continue; }
+    callRe.lastIndex = 0;
+    var m;
+    while ((m = callRe.exec(content)) !== null) {
+      var ident = m[1];
+      var arr = m[2];
+      var keyRe = /["']([A-Za-z_$][\w$]*)["']/g;
+      var km;
+      while ((km = keyRe.exec(arr)) !== null) {
+        var key = km[1];
+        if (ALLOW[rel + "::" + ident + "." + key]) continue;
+        var readRe = new RegExp(
+          "\\b" + ident + "\\s*(?:\\.\\s*" + key + "\\b|\\[\\s*[\"']" + key + "[\"']\\s*\\])");
+        if (!readRe.test(content)) {
+          var lineNum = content.slice(0, m.index).split(/\r?\n/).length;
+          bad.push({
+            file: rel, line: lineNum,
+            content: "validateOpts accepts \"" + key + "\" on `" + ident +
+                     "` but the file never reads " + ident + "." + key +
+                     " — wire the knob, de-advertise it, or ALLOW with a consumption cite",
+          });
+        }
+      }
+    }
+  }
+  bad = _filterMarkers(bad, "validateopts-key-never-read");
+  _report("every validateOpts-accepted key is read in the same file " +
+          "(v0.14.21 — an accepted-but-never-read key is an advertised knob " +
+          "with no implementation; csp-report opts.audit shipped as a no-op)",
+    bad);
+}
+
 // ---- Pattern: b.fsm.define freezes without cloning ----
 //
 // class: fsm-define-no-clone-before-freeze
@@ -11491,6 +11797,10 @@ async function run() {
   // v0.12.1 compliance posture coverage detector: KNOWN_POSTURES ⊇
   // POSTURE_DEFAULTS + REGIME_MAP ⊇ KNOWN_POSTURES.
   testCompliancePostureCoverage();
+  // v0.14.21 audit-fix detector: a validateOpts-accepted key that no
+  // code reads is an advertised knob with no implementation
+  // (csp-report opts.audit shipped as a silent no-op).
+  testValidateOptsAcceptedKeysAreRead();
   testKnownAntipatterns();
 
   // Final cumulative assertion — every detector is a hard gate.

package/lib/vendor/blamejs/test/layer-0-primitives/config.test.js

@@ -377,6 +377,51 @@ async function _testLoadDbBackedFailedReloadDoesNotSuppressOlderValid() {
   cfg.stop();
 }
 
+async function _testLoadDbBackedAuditKnob() {
+  // The `audit` opt gates the per-poll config.reload.* audit emissions.
+  // Default (omitted) emits; audit:false silences. We drive the fetch
+  // failure path (config.reload.failed) and observe b.audit.safeEmit —
+  // config.js emits through the shared audit module instance.
+  var s = b.safeSchema;
+  var realSafeEmit = b.audit.safeEmit;
+  var reloadEvents = [];
+  b.audit.safeEmit = function (rec) {
+    if (rec && typeof rec.action === "string" && rec.action.indexOf("config.reload.") === 0) {
+      reloadEvents.push(rec.action);
+    }
+    return realSafeEmit.call(b.audit, rec);
+  };
+  try {
+    // Default — audit fires on the fetch failure.
+    var cfgDefault = b.config.loadDbBacked({
+      schema:     s.object({ K: s.string().default("d") }),
+      env:        {},
+      fetchRows:  function () { throw new Error("simulated db outage"); },
+      intervalMs: 60 * 1000,
+    });
+    await cfgDefault.hydrated;
+    helpers.check("loadDbBacked.audit default: config.reload.failed emitted",
+      reloadEvents.indexOf("config.reload.failed") !== -1);
+    cfgDefault.stop();
+
+    // audit:false — same failure, zero emissions.
+    reloadEvents.length = 0;
+    var cfgSilent = b.config.loadDbBacked({
+      schema:     s.object({ K: s.string().default("d") }),
+      env:        {},
+      fetchRows:  function () { throw new Error("simulated db outage"); },
+      intervalMs: 60 * 1000,
+      audit:      false,
+    });
+    await cfgSilent.hydrated;
+    helpers.check("loadDbBacked.audit false: no config.reload.* emissions",
+      reloadEvents.length === 0);
+    cfgSilent.stop();
+  } finally {
+    b.audit.safeEmit = realSafeEmit;
+  }
+}
+
 async function _testCryptoFieldDocAliases() {
   // sealDoc / unsealDoc are doc-shaped aliases of sealRow / unsealRow.
   helpers.check("b.cryptoField.sealDoc exists",
@@ -412,6 +457,7 @@ module.exports = { run: async function () {
   await _testLoadDbBackedRefresh();
   await _testLoadDbBackedConcurrentRefreshRace();
   await _testLoadDbBackedFailedReloadDoesNotSuppressOlderValid();
+  await _testLoadDbBackedAuditKnob();
   await _testCryptoFieldDocAliases();
   await _testHotReload();
 } };