@blamejs/blamejs-shop 0.4.23 → 0.4.25

package/lib/payment.js

@@ -177,6 +177,56 @@ function _formEncode(obj, prefix) {
   return parts.filter(Boolean).join("&");
 }
 
+// ---- egress hardening + outbound idempotency-key validation ----------------
+//
+// b.httpClient already routes every dial through b.ssrfGuard (private /
+// loopback / link-local / reserved / cloud-metadata IP classes refused) and
+// pins the TCP connect to the guard's resolved IP set even on the PSP path's
+// caller-supplied TLS agent, so DNS rebinding can't flip the answer between
+// check and connect. The remaining gap is a HOST allowlist: nothing today
+// stops an `opts.apiBase` pointed at an unexpected public host (config
+// injection, or a future code path that derives the base from request data)
+// from reaching a non-PSP upstream. We pin `allowedHosts` to the configured
+// PSP host on every dial so a compromised process can only ever talk to the
+// host the adapter was constructed against — defense-in-depth layered on top
+// of the IP-class SSRF gate.
+
+// Extract the lowercase hostname from a PSP base URL. Throws a TypeError on a
+// non-string / non-https / hostless base — config-time validation (entry
+// point), so an operator's typo'd apiBase surfaces at adapter construction
+// rather than on the first charge.
+function _pspHost(baseUrl, label) {
+  if (typeof baseUrl !== "string" || !baseUrl.length) {
+    throw new TypeError("payment: " + label + " must be a non-empty URL string");
+  }
+  var parsed;
+  try { parsed = new URL(baseUrl); } catch (_e) {
+    throw new TypeError("payment: " + label + " must be a valid absolute URL (got " + JSON.stringify(baseUrl) + ")");
+  }
+  if (parsed.protocol !== "https:") {
+    throw new TypeError("payment: " + label + " must be https (a payment processor is never dialed over plaintext)");
+  }
+  if (!parsed.hostname) {
+    throw new TypeError("payment: " + label + " has no hostname");
+  }
+  return parsed.hostname.toLowerCase();
+}
+
+// Validate + normalize an idempotency key that crosses the wire as an
+// outbound header (Stripe `Idempotency-Key` / PayPal `PayPal-Request-Id`).
+// Composes b.guardIdempotencyKey (strict profile): bounded length, control-
+// char / path-traversal / slash refusal, ASCII-only — so a key carrying a
+// log-injection or traversal shape never reaches the processor or the local
+// replay cache. Returns the validated key; throws TypeError on refusal (the
+// caller's bad-shape path is a clean 400, matching every other field guard).
+function _assertOutboundKey(key, label) {
+  try {
+    return b.guardIdempotencyKey.validate(key, { profile: "strict" });
+  } catch (e) {
+    throw new TypeError("payment: " + (label || "idempotency key") + " — " + ((e && e.message) || "invalid idempotency key"));
+  }
+}
+
 // ---- webhook verifier -----------------------------------------------------
 //
 // Composes b.webhook.verify (alg: "hmac-sha256-stripe") — the
@@ -239,7 +289,12 @@ async function _verifyWebhook(headers, rawBody, secret, opts) {
 // ---- Stripe API call ------------------------------------------------------
 
 async function _stripeCall(opts, method, path, params, idempotencyKey) {
-  var url = (opts.apiBase || STRIPE_API_BASE_DEFAULT) + path;
+  var apiBase = opts.apiBase || STRIPE_API_BASE_DEFAULT;
+  var url = apiBase + path;
+  // Pin the dial to the configured Stripe host (computed once per adapter).
+  // Layered on top of b.httpClient's IP-class SSRF gate — the process can
+  // only ever reach the host the adapter was built against.
+  if (opts._allowedHost === undefined) opts._allowedHost = _pspHost(apiBase, "apiBase");
   var headers = {
     "authorization": "Bearer " + opts.apiKey,
     "accept":         "application/json",
@@ -252,7 +307,9 @@ async function _stripeCall(opts, method, path, params, idempotencyKey) {
     headers["content-length"] = Buffer.byteLength(body, "utf8");
   }
   if (idempotencyKey) {
-    headers["idempotency-key"] = idempotencyKey;
+    // The key crosses the wire as the `Idempotency-Key` header — validate +
+    // refuse traversal / control-char / oversize shapes before it leaves.
+    headers["idempotency-key"] = _assertOutboundKey(idempotencyKey, "idempotency_key");
   }
   var httpClient = opts.httpClient || b.httpClient;
   // A GET read is always idempotent; a write is idempotent only when it
@@ -268,12 +325,13 @@ async function _stripeCall(opts, method, path, params, idempotencyKey) {
   // acceptable since a sustained stream of 4xx is itself a degraded state.
   var json = await _dial(opts._breaker, idempotent, async function () {
     var res = await httpClient.request({
-      method:    method,
-      url:       url,
-      headers:   headers,
-      body:      body || undefined,
-      timeoutMs: opts.timeoutMs || STRIPE_HTTP_TIMEOUT_MS,
-      agent:     _PSP_TLS_AGENT,
+      method:       method,
+      url:          url,
+      headers:      headers,
+      body:         body || undefined,
+      timeoutMs:    opts.timeoutMs || STRIPE_HTTP_TIMEOUT_MS,
+      agent:        _PSP_TLS_AGENT,
+      allowedHosts: [opts._allowedHost],
     });
     var text = res.body && res.body.toString ? res.body.toString("utf8") : "";
     var parsed = null;
@@ -709,6 +767,14 @@ function _paypalApiBase(opts) {
   return opts.sandbox ? PAYPAL_API_BASE_SANDBOX : PAYPAL_API_BASE_LIVE;
 }
 
+// The PayPal host the adapter is allowed to dial (computed once, cached on
+// opts). Pins every PayPal dial — token exchange + Orders-v2 — to the
+// configured host, layered on b.httpClient's IP-class SSRF gate.
+function _paypalAllowedHost(opts) {
+  if (opts._allowedHost === undefined) opts._allowedHost = _pspHost(_paypalApiBase(opts), "apiBase");
+  return opts._allowedHost;
+}
+
 function _minorToDecimalString(minor, currency) {
   var dec = PAYPAL_ZERO_DECIMAL[currency] ? 0 : 2;
   var neg = minor < 0;
@@ -745,9 +811,10 @@ async function _paypalToken(opts, state) {
         "content-type":   "application/x-www-form-urlencoded",
         "user-agent":     "blamejs-shop (zero-dep)",
       },
-      body:      "grant_type=client_credentials",
-      timeoutMs: opts.timeoutMs || PAYPAL_HTTP_TIMEOUT_MS,
-      agent:     _PSP_TLS_AGENT,
+      body:         "grant_type=client_credentials",
+      timeoutMs:    opts.timeoutMs || PAYPAL_HTTP_TIMEOUT_MS,
+      agent:        _PSP_TLS_AGENT,
+      allowedHosts: [_paypalAllowedHost(opts)],
     });
     var text = res.body && res.body.toString ? res.body.toString("utf8") : "";
     var parsed; try { parsed = text.length ? JSON.parse(text) : {}; } catch (_e) { parsed = {}; }
@@ -774,10 +841,15 @@ async function _paypalCall(opts, state, method, path, bodyObj, requestId) {
     "content-type":  "application/json",
     "user-agent":    "blamejs-shop (zero-dep)",
   };
-  if (requestId) headers["paypal-request-id"] = requestId;
+  // The request id crosses the wire as the `PayPal-Request-Id` header —
+  // validate + refuse traversal / control-char / oversize shapes before it
+  // leaves (covers both operator-supplied keys and the adapter-constructed
+  // `order:`/`capture:` ids).
+  if (requestId) headers["paypal-request-id"] = _assertOutboundKey(requestId, "paypal_request_id");
   var body = bodyObj != null ? JSON.stringify(bodyObj) : undefined;
   if (body) headers["content-length"] = Buffer.byteLength(body, "utf8");
   var httpClient = opts.httpClient || b.httpClient;
+  var allowedHost = _paypalAllowedHost(opts);
   // A GET is idempotent; a write is idempotent only when it carries a
   // PayPal-Request-Id (PayPal dedupes a replay of the SAME id, and the
   // same id rides every retry attempt within one call). A keyless write
@@ -785,12 +857,13 @@ async function _paypalCall(opts, state, method, path, bodyObj, requestId) {
   var idempotent = method === "GET" || !!requestId;
   var json = await _dial(opts._breaker, idempotent, async function () {
     var res = await httpClient.request({
-      method:    method,
-      url:       _paypalApiBase(opts) + path,
-      headers:   headers,
-      body:      body,
-      timeoutMs: opts.timeoutMs || PAYPAL_HTTP_TIMEOUT_MS,
-      agent:     _PSP_TLS_AGENT,
+      method:       method,
+      url:          _paypalApiBase(opts) + path,
+      headers:      headers,
+      body:         body,
+      timeoutMs:    opts.timeoutMs || PAYPAL_HTTP_TIMEOUT_MS,
+      agent:        _PSP_TLS_AGENT,
+      allowedHosts: [allowedHost],
     });
     var text = res.body && res.body.toString ? res.body.toString("utf8") : "";
     var parsed; try { parsed = text.length ? JSON.parse(text) : {}; } catch (_e) { parsed = { _raw: text }; }

package/lib/quotes.js

@@ -764,17 +764,26 @@ function create(opts) {
 
       // Update header + each line. The line update sets
       // unit_price_minor + currency per-line so a future single-line
-      // re-quote (out of scope here) has a place to land.
-      await query(
+      // re-quote (out of scope here) has a place to land. The header
+      // UPDATE claims the requested -> responded transition atomically
+      // (`AND status = 'requested'`) so a concurrent cancel/respond can't
+      // both commit against the same row.
+      var claim = await query(
         "UPDATE quotes SET status = 'responded', shipping_minor = ?1, " +
         "tax_minor = ?2, total_minor = ?3, currency = ?4, valid_until = ?5, " +
         "operator_notes = ?6, " +
         "delivery_terms = COALESCE(?7, delivery_terms), " +
         "payment_terms  = COALESCE(?8, payment_terms),  " +
-        "updated_at = ?9 WHERE id = ?10",
+        "updated_at = ?9 WHERE id = ?10 AND status = 'requested'",
         [shipping, tax, total, currency, validUntil, operatorNotes,
          delivery, payment, ts, quoteId],
       );
+      if (Number(claim.rowCount || 0) !== 1) {
+        var raced = new Error("quotes.respondToQuote: refused — quote " + quoteId +
+          " is no longer in the requested state (settled by a concurrent call)");
+        raced.code = "QUOTE_TRANSITION_REFUSED";
+        throw raced;
+      }
       for (var j = 0; j < lines.length; j += 1) {
         var line = lines[j];
         await query(
@@ -810,11 +819,23 @@ function create(opts) {
         expired.code = "QUOTE_EXPIRED";
         throw expired;
       }
-      await query(
+      // Claim the responded -> accepted transition atomically. The in-memory
+      // FSM assert above only checks the row we read; the `AND status =
+      // 'responded'` clause is what serializes a concurrent double-accept (two
+      // customerAccept calls on one responded quote) and a withdraw-vs-accept
+      // race (an operator cancelQuote running alongside) — only one wins, so a
+      // single accept lands and a later convert can't fire twice.
+      var claim = await query(
         "UPDATE quotes SET status = 'accepted', accepted_at = ?1, " +
-        "accepted_by_customer = ?2, updated_at = ?1 WHERE id = ?3",
+        "accepted_by_customer = ?2, updated_at = ?1 WHERE id = ?3 AND status = 'responded'",
         [ts, acceptedBy, quoteId],
       );
+      if (Number(claim.rowCount || 0) !== 1) {
+        var raced = new Error("quotes.customerAccept: refused — quote " + quoteId +
+          " is no longer responded (accepted, rejected, or withdrawn by a concurrent call)");
+        raced.code = "QUOTE_TRANSITION_REFUSED";
+        throw raced;
+      }
       return await _hydrated(quoteId);
     },
 
@@ -835,11 +856,19 @@ function create(opts) {
       }
       _assertTransition(current.status, "reject", "customerReject");
       var ts = _now();
-      await query(
+      // Claim the responded -> rejected transition atomically so a concurrent
+      // accept / cancel can't both commit against the same responded quote.
+      var claim = await query(
         "UPDATE quotes SET status = 'rejected', rejected_at = ?1, " +
-        "reject_reason = ?2, updated_at = ?1 WHERE id = ?3",
+        "reject_reason = ?2, updated_at = ?1 WHERE id = ?3 AND status = 'responded'",
         [ts, reason, quoteId],
       );
+      if (Number(claim.rowCount || 0) !== 1) {
+        var raced = new Error("quotes.customerReject: refused — quote " + quoteId +
+          " is no longer responded (settled by a concurrent call)");
+        raced.code = "QUOTE_TRANSITION_REFUSED";
+        throw raced;
+      }
       return await _hydrated(quoteId);
     },
 
@@ -863,11 +892,24 @@ function create(opts) {
       }
       _assertTransition(current.status, "cancel", "cancelQuote");
       var ts = _now();
-      await query(
+      // Claim the (requested|responded) -> cancelled transition atomically.
+      // The `AND status IN (...)` clause closes the withdraw-vs-accept race:
+      // an operator cancelQuote and a customer customerAccept on the same
+      // responded quote can't both commit — whichever UPDATE lands first wins,
+      // and the loser refuses instead of silently clobbering the other side's
+      // transition (a cancel clobbering an accept would otherwise kill an
+      // order the operator thought was live, and vice-versa).
+      var claim = await query(
         "UPDATE quotes SET status = 'cancelled', cancelled_at = ?1, " +
-        "cancel_reason = ?2, updated_at = ?1 WHERE id = ?3",
+        "cancel_reason = ?2, updated_at = ?1 WHERE id = ?3 AND status IN ('requested', 'responded')",
         [ts, reason, quoteId],
       );
+      if (Number(claim.rowCount || 0) !== 1) {
+        var raced = new Error("quotes.cancelQuote: refused — quote " + quoteId +
+          " is no longer cancellable (accepted, rejected, or settled by a concurrent call)");
+        raced.code = "QUOTE_TRANSITION_REFUSED";
+        throw raced;
+      }
       return await _hydrated(quoteId);
     },
 
@@ -890,10 +932,45 @@ function create(opts) {
       }
       _assertTransition(current.status, "convert", "convertToOrder");
 
-      var lines = await _getLinesRaw(quoteId);
       var ts = _now();
+      // Claim the accepted -> converted transition atomically BEFORE placing
+      // inventory holds or creating the pending order. The in-memory FSM
+      // `_assertTransition` above only answers "is this edge legal for the row
+      // I read?" — two concurrent convertToOrder calls both read 'accepted'
+      // and both pass it. The conditional UPDATE is the real serialization
+      // point: only one matches `status = 'accepted'`, so only one mints holds
+      // + an order. (Without it both would create a pending order + double the
+      // inventory holds from a single accepted quote.) converted_order_id is
+      // backfilled once the order id is known; on any failure the claim is
+      // released back to 'accepted' so the operator can retry.
+      var claim = await query(
+        "UPDATE quotes SET status = 'converted', converted_at = ?1, updated_at = ?1 " +
+        "WHERE id = ?2 AND status = 'accepted'",
+        [ts, quoteId],
+      );
+      if (Number(claim.rowCount || 0) !== 1) {
+        var raced = new Error("quotes.convertToOrder: refused — quote " + quoteId +
+          " is no longer accepted (converted by a concurrent call)");
+        raced.code = "QUOTE_TRANSITION_REFUSED";
+        throw raced;
+      }
+
+      // Release the claim back to 'accepted' so a retry is possible after a
+      // downstream (hold / order-creation) failure leaves no order behind.
+      async function _releaseConvertClaim() {
+        try {
+          await query(
+            "UPDATE quotes SET status = 'accepted', converted_at = NULL, updated_at = ?1 " +
+            "WHERE id = ?2 AND status = 'converted' AND converted_order_id IS NULL",
+            [_now(), quoteId],
+          );
+        } catch (_e0) { /* drop-silent — the downstream error is the caller's signal */ }
+      }
+
+      var lines = await _getLinesRaw(quoteId);
       var orderId;
 
+      try {
       if (orderHandle) {
         // The order primitive requires cart_id + session_id as
         // UUID-shape inputs. For a quote-driven order, the operator
@@ -982,11 +1059,18 @@ function create(opts) {
         }
         orderId = input.converted_order_id;
       }
+      } catch (eConvert) {
+        // The claim already flipped status to 'converted'; nothing downstream
+        // produced an order, so release it back to 'accepted' for a retry.
+        await _releaseConvertClaim();
+        throw eConvert;
+      }
 
+      // Status + converted_at were claimed atomically above; backfill the
+      // resolved order id onto the (already-converted) quote.
       await query(
-        "UPDATE quotes SET status = 'converted', converted_at = ?1, " +
-        "converted_order_id = ?2, updated_at = ?1 WHERE id = ?3",
-        [ts, orderId, quoteId],
+        "UPDATE quotes SET converted_order_id = ?1, updated_at = ?2 WHERE id = ?3",
+        [orderId, _now(), quoteId],
       );
       return await _hydrated(quoteId);
     },
@@ -1145,10 +1229,18 @@ function create(opts) {
         notYet.code = "QUOTE_NOT_EXPIRED";
         throw notYet;
       }
-      await query(
-        "UPDATE quotes SET status = 'expired', updated_at = ?1 WHERE id = ?2",
+      // Claim the responded -> expired transition atomically so a concurrent
+      // accept / cancel can't both commit against the same responded quote.
+      var claim = await query(
+        "UPDATE quotes SET status = 'expired', updated_at = ?1 WHERE id = ?2 AND status = 'responded'",
         [asOf, quoteId],
       );
+      if (Number(claim.rowCount || 0) !== 1) {
+        var raced = new Error("quotes.markExpired: refused — quote " + quoteId +
+          " is no longer responded (settled by a concurrent call)");
+        raced.code = "QUOTE_TRANSITION_REFUSED";
+        throw raced;
+      }
       return await _hydrated(quoteId);
     },
   };

package/lib/referrals.js

@@ -452,6 +452,77 @@ function create(opts) {
       return out;
     },
 
+    // Reverse the funnel completion when the order that qualified it is
+    // refunded or cancelled — the counterpart to trackPurchase on an order's
+    // terminal refund / cancel edge. trackPurchase flips the invitation to
+    // `both-rewarded`, pins the first qualifying order, and bumps the
+    // referrer's leaderboard `referrals_count`; without this, a referred
+    // customer can buy (completing the funnel + ticking the leaderboard) then
+    // refund and keep the completion — buy-then-refund reward farming.
+    //
+    // Keyed on the ORDER id (first_order_id) — the qualifying purchase whose
+    // settlement is reversing the funnel. Rolls the invitation back to
+    // `pending`, clears first_purchase_at / first_order_id, and decrements the
+    // referrer's referrals_count (floored at zero by the schema CHECK + the
+    // `referrals_count > 0` guard). Unlike the money tenders this is BINARY,
+    // not pro-rata: a refund of the qualifying order — partial or full —
+    // un-completes the funnel (the purchase that earned the reward was
+    // reversed), so the operator's actual payouts (rewardReferrer /
+    // rewardReferee) are NOT touched here — they're separate instruments the
+    // operator claws back manually; this only rolls back the funnel state +
+    // the leaderboard counter the FSM auto-advanced.
+    //
+    // Idempotent + concurrency-safe: the invitation is claimed with
+    // `WHERE first_order_id = ? AND reversed_at IS NULL` so a re-delivered
+    // refund webhook reverses the funnel exactly once; a row whose
+    // reward_status is no longer `both-rewarded` (an operator already advanced
+    // it past trackPurchase) keeps its reward_status but still drops out of
+    // the leaderboard count. A no-op for an order that never completed a
+    // funnel (organic purchase, or one already reversed). Returns the reversed
+    // invitation row, or null when there was nothing to reverse.
+    reverseForOrder: async function (orderId) {
+      var oid = _uuid(orderId, "order_id");
+      var r = await query(
+        "SELECT id, referral_code_id, reward_status FROM referral_invitations " +
+        "WHERE first_order_id = ?1 AND reversed_at IS NULL LIMIT 1",
+        [oid],
+      );
+      if (!r.rows.length) return null;
+      var inv = r.rows[0];
+      var ts = _now();
+      // Claim the invitation — the reversed_at predicate is the
+      // serialization point so two concurrent reversals can't both
+      // decrement the leaderboard. Roll reward_status back to `pending`
+      // only from the `both-rewarded` completion trackPurchase set; an
+      // operator-advanced terminal (`expired` / `voided`) or an
+      // operator-issued payout state is left as the operator chose.
+      var claim = await query(
+        "UPDATE referral_invitations SET reversed_at = ?1, " +
+        "first_purchase_at = NULL, first_order_id = NULL, " +
+        "reward_status = CASE WHEN reward_status = 'both-rewarded' THEN 'pending' ELSE reward_status END " +
+        "WHERE id = ?2 AND reversed_at IS NULL",
+        [ts, inv.id],
+      );
+      if (Number(claim.rowCount || 0) === 0) return null;   // lost the claim
+      // Decrement the referrer's leaderboard count, floored at zero (the
+      // `> 0` guard plus the schema CHECK keep it non-negative even if the
+      // count drifted).
+      await query(
+        "UPDATE referral_codes " +
+        "SET referrals_count = referrals_count - 1, updated_at = ?1 " +
+        "WHERE id = ?2 AND referrals_count > 0",
+        [ts, inv.referral_code_id],
+      );
+      var after = await query(
+        "SELECT id, referral_code_id, reward_status, first_purchase_at, first_order_id, reversed_at " +
+        "FROM referral_invitations WHERE id = ?1",
+        [inv.id],
+      );
+      var out = after.rows[0] || null;
+      if (out) out.status = "reversed";
+      return out;
+    },
+
     // Operator records that the referrer payout has been issued.
     // `reward_id` is opaque (operator's gift-card id, discount-code
     // id, ledger-credit id — whatever instrument they chose). The

package/lib/security-middleware.js

@@ -103,6 +103,23 @@ var INTERNAL_BRIDGE_PATHS = [
   "/_/stale-order-reap",
 ];
 
+// Public well-known paths fetched by third-party verification crawlers
+// rather than browsers. Apple's Apple Pay domain-verification crawl GETs
+// the merchantid association file and is not guaranteed to send
+// Accept-Language, which the bot-guard's missing-Accept-Language heuristic
+// would 403 — silently hiding the Apple Pay button (the same
+// machine-caller-blocked-before-its-real-gate failure the worker→container
+// paths above hit). The file is a static, unauthenticated, state-free
+// public resource (the route 404s when unconfigured and only ever serves
+// the operator-supplied association bytes), so skipping the browser
+// fingerprint check on it weakens nothing. In production the crawl lands on
+// the edge Worker, which serves the file before any container hop; this
+// skip keeps a direct-to-container fetch (or an edge-serving-off deploy)
+// from refusing the verification crawl.
+var PUBLIC_WELL_KNOWN_PATHS = [
+  "/.well-known/apple-developer-merchantid-domain-association",
+];
+
 // The abusable endpoints — POST / auth surfaces where a human does
 // well under five requests a minute. Each gets its own per-client-IP
 // budget so a spray against one can't borrow another's headroom, and a
@@ -145,6 +162,12 @@ var TIGHT_PREFIXES = [
   "/orders/",
   "/stock-alert/",
   "/cart/coupon",
+  // Public suggestion box — anonymous submit + vote POSTs. The submit writes
+  // a free-text row and the vote bumps a counter; on the loose global bucket
+  // alone an anonymous sprayer could flood the backlog or grind a vote. The
+  // tight per-(IP+path) budget caps the rate. Container-only (CSRF-tokened),
+  // so it is NOT in EDGE_POST_PATHS — the page carries a per-session token.
+  "/suggestions",
 ];
 
 // Edge-served state-changing POST endpoints. These forms are rendered at
@@ -584,7 +607,15 @@ function globalRateLimitOpts() {
  */
 function botGuardOpts() {
   return {
-    skipPaths: INTERNAL_BRIDGE_PATHS.slice().concat([/^\/admin(\/|$)/]),
+    skipPaths: INTERNAL_BRIDGE_PATHS.slice()
+      // EXACT-match the well-known paths. A bare-string skip is matched as a
+      // PREFIX by the bot guard, which would also exempt any sibling under the
+      // directory (e.g. /.well-known/apple-...-association/anything), re-opening
+      // the guard on routes that aren't the single static association file.
+      .concat(PUBLIC_WELL_KNOWN_PATHS.map(function (p) {
+        return new RegExp("^" + p.replace(/[-/\\^$*+?.()|[\]{}]/g, "\\$&") + "$");
+      }))
+      .concat([/^\/admin(\/|$)/]),
   };
 }
 
@@ -733,4 +764,5 @@ module.exports = {
   HEALTH_PATH:          HEALTH_PATH,
   TIGHT_PREFIXES:       TIGHT_PREFIXES,
   EDGE_POST_PATHS:      EDGE_POST_PATHS,
+  PUBLIC_WELL_KNOWN_PATHS: PUBLIC_WELL_KNOWN_PATHS,
 };