@blamejs/blamejs-shop 0.4.30 → 0.4.32

package/lib/vendor/blamejs/test/integration/mail-crypto-smime.test.js

@@ -25,6 +25,62 @@ var nodeCrypto = require("node:crypto");
 var helpers = require("../helpers");
 var check = helpers.check;
 var b = require("../../");
+var asn1 = require("../../lib/asn1-der");
+var cms  = require("../../lib/cms-codec");
+
+// The S/MIME signer is pure-PQC (ML-DSA-65). Trust-chain validation in
+// b.mail.crypto.smime.verify (since v0.13.42) binds the chain leaf to the
+// key that actually verified the signature: it refuses unless a cert in
+// SignedData.certificates carries that exact public key. b.mtlsCa issues
+// classical (RSA/EC) leaf certs, whose key can never equal the ML-DSA
+// signer key — so the chain leaf has to be an X.509 cert that embeds the
+// ML-DSA-65 public key in its SubjectPublicKeyInfo. The framework has no
+// ML-DSA X.509 issuer (ML-DSA in X.509 is still draft), so this builds a
+// minimal RFC 5280 cert over the b.asn1Der writer + b.cms ML-DSA OID and
+// signs the TBS with ML-DSA-65. node:crypto.X509Certificate parses it,
+// exports the SPKI, and verifies the ML-DSA signature natively.
+function _x509Name(cn) {
+  var atv = asn1.writeSequence([asn1.writeOid("2.5.4.3"), asn1.writeUtf8String(cn)]);
+  return asn1.writeSequence([asn1.writeSet([atv])]);
+}
+function _x509GeneralizedTime(d) {
+  function pad2(n) { return String(n).length >= 2 ? String(n) : "0" + n; }
+  var s = d.getUTCFullYear() +
+    pad2(d.getUTCMonth() + 1) + pad2(d.getUTCDate()) +
+    pad2(d.getUTCHours()) + pad2(d.getUTCMinutes()) + pad2(d.getUTCSeconds()) + "Z";
+  return asn1.writeNode(0x18, Buffer.from(s, "ascii"));   // 0x18 = GeneralizedTime
+}
+function _buildMlDsaCert(opts) {
+  // opts: { subjectCn, subjectPubKey, issuerCn, issuerSecretKey, serial,
+  //         notBefore, notAfter }. signatureAlgorithm == subject key alg
+  // (ML-DSA-65) for both self-signed (CA) and issued (leaf) shapes.
+  var algId = asn1.writeSequence([asn1.writeOid(cms.OID.mldsa65)]);
+  var spki  = asn1.writeSequence([algId, asn1.writeBitString(Buffer.from(opts.subjectPubKey), 0)]);
+  var tbs = asn1.writeSequence([
+    asn1.writeContextExplicit(0, asn1.writeInteger(Buffer.from([2]))),   // version v3
+    asn1.writeInteger(Buffer.from([opts.serial])),                       // serialNumber
+    algId,                                                               // signature AlgorithmIdentifier
+    _x509Name(opts.issuerCn),                                            // issuer
+    asn1.writeSequence([_x509GeneralizedTime(opts.notBefore),
+                        _x509GeneralizedTime(opts.notAfter)]),           // validity
+    _x509Name(opts.subjectCn),                                           // subject
+    spki,                                                                // SubjectPublicKeyInfo
+  ]);
+  var sig = b.pqcSoftware.ml_dsa_65.sign(new Uint8Array(tbs), opts.issuerSecretKey);
+  return asn1.writeSequence([tbs, algId, asn1.writeBitString(Buffer.from(sig), 0)]);
+}
+function _derToPem(der) {
+  // 64-char line wrap. A regex replace adds a trailing newline when the
+  // base64 length is an exact multiple of 64, which (combined with the
+  // closing newline) yields a blank line mid-block that OpenSSL's PEM
+  // reader treats as end-of-data — silently truncating the cert. Slice
+  // explicitly so every line is full except the last.
+  var b64 = Buffer.from(der).toString("base64");
+  var lines = [];
+  for (var i = 0; i < b64.length; i += 64) { lines.push(b64.slice(i, i + 64)); }
+  return "-----BEGIN CERTIFICATE-----\n" + lines.join("\n") +
+    "\n-----END CERTIFICATE-----\n";
+}
 
 async function run() {
   // ---- Spin up an isolated mTLS CA (caKeySealedMode=disabled keeps
@@ -117,21 +173,46 @@ async function run() {
       threw === "mail-crypto/smime/signature-mismatch");
 
     // ---- Trust-anchor chain validation — opts.trustAnchorCertsPem.
-    //      The CMS SignedData carries the leaf cert (we embedded it
-    //      via the encodeSignedData certificates field). With the CA
-    //      PEM as the trust anchor, verify walks leaf → CA.
-    //
-    //      For this composition to work we need to re-encode the
-    //      SignedData with the leaf cert in the certificates [0]
-    //      block — the sign() path above only embedded it via the
-    //      SignerInfo's issuerAndSerialNumber pointer. Re-encode
-    //      manually here to exercise the chain path.
+    //      verify() walks leaf → CA against the operator's trust anchor
+    //      AND binds the leaf to the key that verified the signature
+    //      (since v0.13.42): the chain leaf must be the cert carrying
+    //      signerPublicKey, else the chain-validated result would assert
+    //      a cert↔signer binding the code never made. The signer is
+    //      ML-DSA-65, so the chain leaf must embed that ML-DSA key in its
+    //      SubjectPublicKeyInfo — build a real ML-DSA cert chain (CA →
+    //      leaf) carrying signerKp.publicKey, with the CA PEM as the
+    //      trust anchor. The leaf goes into SignedData.certificates so
+    //      verify() can locate + bind it.
+    var caKp = b.pqcSoftware.ml_dsa_65.keygen();
+    var nowD = new Date();
+    var notBefore = new Date(nowD.getTime() - 60 * 60 * 1000);
+    var notAfter  = new Date(nowD.getTime() + 7 * 24 * 60 * 60 * 1000);
+    var caCertDer = _buildMlDsaCert({
+      subjectCn:      "smime-pqc-ca.blamejs-test.example",
+      subjectPubKey:  caKp.publicKey,
+      issuerCn:       "smime-pqc-ca.blamejs-test.example",
+      issuerSecretKey: caKp.secretKey,                                    // self-signed
+      serial:         1,
+      notBefore:      notBefore,
+      notAfter:       notAfter,
+    });
+    var pqcLeafCertDer = _buildMlDsaCert({
+      subjectCn:      "smime-signer.blamejs-test.example",
+      subjectPubKey:  signerKp.publicKey,                                 // == the verified signer key
+      issuerCn:       "smime-pqc-ca.blamejs-test.example",
+      issuerSecretKey: caKp.secretKey,                                    // issued by the CA
+      serial:         2,
+      notBefore:      notBefore,
+      notAfter:       notAfter,
+    });
+    var caCertPem = _derToPem(caCertDer);
+
     var signedWithCerts = b.cms.encodeSignedData({
       encapContent: Buffer.from(message, "utf8"),
       digestAlg:    "sha3-512",
-      certificates: [leafCertDer],
+      certificates: [pqcLeafCertDer],
       signers: [{
-        certificate: leafCertDer,
+        certificate: pqcLeafCertDer,
         secretKey:   signerKp.secretKey,
         sigAlg:      "ML-DSA-65",
       }],
@@ -140,30 +221,74 @@ async function run() {
       message:             Buffer.from(message, "utf8"),
       signature:           signedWithCerts,
       signerPublicKey:     signerKp.publicKey,
-      trustAnchorCertsPem: [caBundle.caCertPem],
+      trustAnchorCertsPem: [caCertPem],
     });
     check("smime.verify: chain validates against trust anchor",
       verifiedChain && verifiedChain.valid === true &&
       verifiedChain.chainVerified === true);
 
     // ---- Untrusted-chain refusal: supply an UNRELATED trust anchor.
-    var unrelatedCa = b.mtlsCa.create({
-      dataDir:           fs.mkdtempSync(path.join(os.tmpdir(), "blamejs-smime-other-")),
-      caKeySealedMode:   "disabled",
+    //      A second, independent ML-DSA CA did not issue the leaf, so no
+    //      chain link reaches it.
+    var otherCaKp = b.pqcSoftware.ml_dsa_65.keygen();
+    var unrelatedCaDer = _buildMlDsaCert({
+      subjectCn:      "smime-pqc-other-ca.blamejs-test.example",
+      subjectPubKey:  otherCaKp.publicKey,
+      issuerCn:       "smime-pqc-other-ca.blamejs-test.example",
+      issuerSecretKey: otherCaKp.secretKey,
+      serial:         1,
+      notBefore:      notBefore,
+      notAfter:       notAfter,
     });
-    var unrelatedBundle = await unrelatedCa.initCA();
     threw = null;
     try {
       b.mail.crypto.smime.verify({
         message:             Buffer.from(message, "utf8"),
         signature:           signedWithCerts,
         signerPublicKey:     signerKp.publicKey,
-        trustAnchorCertsPem: [unrelatedBundle.caCertPem],
+        trustAnchorCertsPem: [_derToPem(unrelatedCaDer)],
       });
     } catch (eC) { threw = eC.code; }
     check("smime.verify: refuses unrelated trust anchor",
       threw === "mail-crypto/smime/untrusted-chain");
 
+    // ---- Binding refusal: a validly-chained cert for a DIFFERENT key
+    //      must NOT pass chain validation when the signature was verified
+    //      under signerKp. Build a leaf carrying an UNRELATED ML-DSA key
+    //      but properly issued by the trusted CA; verify() must refuse
+    //      because no cert in the chain carries the verified signer key.
+    var strangerKp = b.pqcSoftware.ml_dsa_65.keygen();
+    var strangerLeafDer = _buildMlDsaCert({
+      subjectCn:      "smime-stranger.blamejs-test.example",
+      subjectPubKey:  strangerKp.publicKey,
+      issuerCn:       "smime-pqc-ca.blamejs-test.example",
+      issuerSecretKey: caKp.secretKey,
+      serial:         3,
+      notBefore:      notBefore,
+      notAfter:       notAfter,
+    });
+    var signedWithStrangerCert = b.cms.encodeSignedData({
+      encapContent: Buffer.from(message, "utf8"),
+      digestAlg:    "sha3-512",
+      certificates: [strangerLeafDer],
+      signers: [{
+        certificate: pqcLeafCertDer,
+        secretKey:   signerKp.secretKey,
+        sigAlg:      "ML-DSA-65",
+      }],
+    });
+    threw = null;
+    try {
+      b.mail.crypto.smime.verify({
+        message:             Buffer.from(message, "utf8"),
+        signature:           signedWithStrangerCert,
+        signerPublicKey:     signerKp.publicKey,
+        trustAnchorCertsPem: [caCertPem],
+      });
+    } catch (eB) { threw = eB.code; }
+    check("smime.verify: refuses chain leaf bound to a different key",
+      threw === "mail-crypto/smime/signer-not-in-chain");
+
     // ---- X.509 sanity — confirm node:crypto can parse the leaf and
     //      verify its issuer matches the CA subject.
     var leafX509 = new nodeCrypto.X509Certificate(leaf.cert);

package/lib/vendor/blamejs/test/integration/network-heartbeat.test.js

@@ -58,33 +58,48 @@ async function run() {
     ],
   });
 
-  // Wait until probes have fired across all three configured targets.
+  // start() registers every target in the status table synchronously,
+  // before any probe has run — so a bare `statuses().length >= 3` is
+  // satisfied while every entry is still in its initial state with no
+  // probe recorded. Wait until each target has actually completed a
+  // probe (lastProbeAt set) so the assertions below read real outcomes.
   var statuses = await helpers.waitUntil(function () {
     var s = b.network.heartbeat.statuses();
-    var count = Array.isArray(s) ? s.length : Object.keys(s).length;
-    return count >= 3 ? s : false;
-  }, { label: "heartbeat: 3+ probe statuses available" });
+    var arr = Array.isArray(s) ? s : Object.keys(s).map(function (k) { return s[k]; });
+    if (arr.length < 3) return false;
+    return arr.every(function (e) { return e && e.lastProbeAt !== null; }) ? s : false;
+  }, { label: "heartbeat: all 3 targets completed a probe" });
   check("statuses: returns at least one entry",
         Array.isArray(statuses) ? statuses.length >= 3 : Object.keys(statuses).length >= 3);
 
+  // Assert the reported `state` field directly. Matching a keyword
+  // against JSON.stringify(status) is meaningless here — the status
+  // object carries `name` ("caddy-up" / "caddy-down"), so the blob
+  // always contains "up"/"down" regardless of the real probe outcome.
   var caddyUp = b.network.heartbeat.status("caddy-up");
   check("caddy-up: status object returned",
         typeof caddyUp === "object" && caddyUp !== null);
-  check("caddy-up: marked as up/healthy",
-        /up|healthy|ok|success/i.test(JSON.stringify(caddyUp)));
+  check("caddy-up: marked as healthy (200 from /healthz)",
+        caddyUp.state === "healthy");
 
   var caddyDown = b.network.heartbeat.status("caddy-down");
   check("caddy-down: status object returned",
         typeof caddyDown === "object" && caddyDown !== null);
-  check("caddy-down: marked as down/failure",
-        /down|fail|error|unhealthy/i.test(JSON.stringify(caddyDown)));
+  check("caddy-down: marked as down (connection refused)",
+        caddyDown.state === "down");
 
   var squidTcp = b.network.heartbeat.status("squid-tcp");
   check("squid-tcp: TCP target probe returned status",
         typeof squidTcp === "object" && squidTcp !== null);
-  check("squid-tcp: marked as up (port is open)",
-        /up|healthy|ok|success/i.test(JSON.stringify(squidTcp)));
+  check("squid-tcp: marked as healthy (port 3128 open)",
+        squidTcp.state === "healthy");
 
+  // caddy-down probes a dead port and crosses healthy → down on its
+  // first failing probe (threshold 1), which fires onStateChange. Poll
+  // rather than read synchronously — the transition lands on the probe
+  // callback, which may settle a tick after lastProbeAt is recorded.
+  await helpers.waitUntil(function () { return stateChanges.length >= 1; },
+    { label: "heartbeat: onStateChange fired for at least one target" });
   check("onStateChange: fired for at least one target",
         stateChanges.length >= 1);
 

package/lib/vendor/blamejs/test/integration/object-store-azure.test.js

@@ -0,0 +1,101 @@
+"use strict";
+/**
+ * Live Azure Blob (Shared Key) round-trip against the Azurite emulator in
+ * docker-compose.test.yml, over TLS with the test CA (NODE_EXTRA_CA_CERTS set
+ * by scripts/test-integration.js — no rejectUnauthorized:false).
+ *
+ * Azurite is PATH-STYLE: the account is the first URL path segment
+ * (https://127.0.0.1:10000/devstoreaccount1/<container>/<blob>), unlike
+ * production Azure's host-based <account>.blob.core.windows.net. A successful
+ * authenticated round-trip is itself the proof that the Shared-Key canonical
+ * resource carries the account exactly once — a doubled account (the prior
+ * behavior) returns 403 AuthenticationFailed and put() would throw. Also a
+ * deterministic buildStringToSign check that path-style does not double it.
+ */
+var helpers = require("../helpers");
+var check = helpers.check;
+var services = require("../helpers/services");
+var b = require("../../");
+var azureBlob = require("../../lib/object-store/azure-blob");
+
+// Azurite's well-known emulator account + key (public, documented).
+var ENDPOINT = "https://127.0.0.1:10000";
+var ACCOUNT  = "devstoreaccount1";
+var KEY      = "Eby8vdM02xNOcqFlqUwJPLlmEtlCDXJ1OUzFT50uSRZ6IFsuFq2UVErCz4I6tq/K1SZFPTOtr/KBHBeksoGMGw==";
+
+async function run() {
+  var az = await services.requireService("azurite");
+  if (!az.ok) throw new Error("azurite unreachable: " + az.reason);
+
+  // --- deterministic: canonical resource is "/" + account + the request's
+  // absolute path. For a PATH-STYLE URL (account already the first path
+  // segment, as with Azurite) that yields the account twice — the form a
+  // path-style server expects (verified live below). For a HOST-BASED URL
+  // (account only in the host) it appears once. ---
+  var HDRS = { "x-ms-date": "Mon, 01 Jan 2024 00:00:00 GMT", "x-ms-version": azureBlob.DEFAULT_API_VERSION };
+  var stsPath = azureBlob.buildStringToSign({
+    method: "GET", accountName: ACCOUNT,
+    url: new URL(ENDPOINT + "/" + ACCOUNT + "/c1/blob.txt"), headers: HDRS,
+  });
+  check("path-style canonical resource is the doubled-account form a path-style server expects",
+    stsPath.indexOf("/" + ACCOUNT + "/" + ACCOUNT + "/c1/blob.txt") !== -1);
+  var stsHost = azureBlob.buildStringToSign({
+    method: "GET", accountName: ACCOUNT,
+    url: new URL("https://" + ACCOUNT + ".blob.core.windows.net/c1/blob.txt"), headers: HDRS,
+  });
+  check("host-based canonical resource carries the account exactly once",
+    stsHost.indexOf("/" + ACCOUNT + "/c1/blob.txt") !== -1 &&
+    stsHost.indexOf("/" + ACCOUNT + "/" + ACCOUNT + "/") === -1);
+
+  var container = "blamejs-az-" + process.pid;
+  var commonCfg = {
+    protocol: "azure-blob", accountName: ACCOUNT, accountKey: KEY,
+    endpoint: ENDPOINT, allowInternal: true,
+    pathStyle: true,   // Azurite addresses the account as the first path segment
+  };
+
+  // --- container lifecycle (path-style auto-detected from the IP host) ---
+  var ops = b.objectStore.bucketOps.create(commonCfg);
+  await ops.create(container);
+  check("createContainer accepted (signature verified by Azurite)", true);
+  var containers = await ops.list();
+  check("listContainers includes the new container",
+    containers.some(function (c) { return c.name === container; }));
+
+  // --- blob round-trip ---
+  var be = b.objectStore.buildBackend(Object.assign({ container: container }, commonCfg));
+  var key = "folder/object.bin";
+  var payload = Buffer.from("azure-roundtrip-" + process.pid + "-" + "Z".repeat(64), "utf8");
+
+  var putRes = await be.put(key, payload, { contentType: "application/octet-stream" });
+  check("put returns the byte length", putRes.size === payload.length);
+
+  var got = await be.get(key);
+  check("get returns byte-identical content", Buffer.isBuffer(got) && Buffer.compare(got, payload) === 0);
+
+  var h = await be.head(key);
+  check("head reports the correct size", h.size === payload.length);
+
+  var listed = await be.list("");
+  check("list surfaces the uploaded key",
+    listed.items.some(function (it) { return it.key === key; }));
+
+  var deleted = await be.delete(key);
+  check("delete returns true for an existing blob", deleted === true);
+
+  var afterDelete = await be.list("");
+  check("list no longer surfaces the deleted key",
+    !afterDelete.items.some(function (it) { return it.key === key; }));
+
+  await ops.delete(container);
+  check("deleteContainer accepted", true);
+}
+
+module.exports = { run: run };
+
+if (require.main === module) {
+  run().then(
+    function () { console.log("OK — " + helpers.getChecks() + " checks passed"); process.exit(0); },
+    function (e) { console.error("FAIL:", e.stack || e); process.exit(1); }
+  );
+}

package/lib/vendor/blamejs/test/integration/object-store-gcs.test.js

@@ -0,0 +1,239 @@
+"use strict";
+/**
+ * Live GCS object-store round-trip against the docker-compose fake-gcs
+ * fixture (fsouza/fake-gcs-server, TLS-terminated with the test CA).
+ *
+ * What this proves: the framework's GCS JSON-API client
+ * (lib/object-store/gcs.js) marshals create-bucket / upload / download /
+ * list / head / delete onto the real GCS wire shape, routes them to a
+ * configurable endpoint, parses the real JSON responses, and round-trips
+ * bytes unchanged — over TLS, trusting the test CA with no
+ * rejectUnauthorized override anywhere.
+ *
+ * The OAuth2 hop. The framework ALWAYS exchanges the service-account
+ * RSA-SHA256-signed JWT for an access token before any storage call
+ * (gcs.js _ensureToken). fake-gcs has no token endpoint (POST /token →
+ * 404), so it cannot be targeted on its own — the client would fail at
+ * AUTH_FAILED before reaching the storage API. The framework exposes
+ * `config.tokenEndpoint` to point the OAuth2 leg elsewhere; this test
+ * stands up a tiny in-process HTTPS token issuer using the test CA's
+ * own gcs.crt / gcs.key (valid for 127.0.0.1, CA-signed, so the
+ * framework's http-client trusts it via NODE_EXTRA_CA_CERTS — no
+ * bypass). The framework's real OAuth2 wire exchange (JWT assertion
+ * POST, x-www-form-urlencoded, parse access_token) runs end-to-end over
+ * TLS against that issuer; every storage call then carries the issued
+ * bearer to fake-gcs.
+ *
+ * Honest scope — what is NOT proven here:
+ *   - fake-gcs does NOT verify the bearer token or any signature; the
+ *     in-test issuer does NOT verify the JWT assertion. So this is a
+ *     wire / URL / JSON-marshalling / TLS-trust / endpoint-routing /
+ *     OAuth2-exchange-shape proof, NOT a token- or signature-CORRECTNESS
+ *     proof (RSA-SHA256 JWT signing + V4 presign signing stay covered by
+ *     unit vectors in the layer-0 suite).
+ *   - bucket DELETE: real GCS returns 204; fake-gcs returns 200 on an
+ *     existing bucket (an emulator quirk). The framework correctly
+ *     accepts 204 / 404 and refuses the unexpected 200, so we assert the
+ *     correct delete-missing path (404 → false) against fake-gcs and
+ *     leave the created bucket for the container reset to sweep rather
+ *     than assert against the emulator's non-spec status.
+ */
+var fs = require("node:fs");
+var os = require("node:os");
+var path = require("node:path");
+var https = require("node:https");
+var nodeCrypto = require("node:crypto");
+var child = require("node:child_process");
+var helpers = require("../helpers");
+var check = helpers.check;
+var services = require("../helpers/services");
+var b = require("../../");
+
+// A service account whose RSA keypair is generated fresh per run — the
+// JWT signing path in gcs.js is exercised for real even though neither
+// the local issuer nor fake-gcs verifies the assertion.
+function _serviceAccount() {
+  var pair = nodeCrypto.generateKeyPairSync("rsa", {
+    modulusLength: 2048,
+    publicKeyEncoding:  { type: "spki",  format: "pem" },
+    privateKeyEncoding: { type: "pkcs8", format: "pem" },
+  });
+  return {
+    type:           "service_account",
+    project_id:     "blamejs-emu-project",
+    client_email:   "emu-sa@blamejs-emu-project.iam.gserviceaccount.com",
+    private_key:    pair.privateKey,
+    private_key_id: "emu-key-001",
+  };
+}
+
+// Copy a file out of the certs volume into the host tmpdir via a running
+// container (dev tooling — same mechanism services.exportCaCert uses).
+function _exportCert(name, dest) {
+  return new Promise(function (resolve, reject) {
+    var p = child.spawn("docker", ["cp", "blamejs-test-gcs:/certs/" + name, dest], {
+      stdio: ["ignore", "pipe", "pipe"],
+    });
+    var err = "";
+    p.stderr.on("data", function (d) { err += d.toString(); });
+    p.on("close", function (code) {
+      if (code !== 0) return reject(new Error("docker cp " + name + " failed (exit " + code + "): " + err.trim()));
+      resolve(dest);
+    });
+    p.on("error", reject);
+  });
+}
+
+// In-process HTTPS token issuer using the CA-signed gcs cert (valid for
+// 127.0.0.1). Returns { url, hits(), close() }. The framework's
+// http-client trusts it via NODE_EXTRA_CA_CERTS; no rejectUnauthorized
+// override is set anywhere.
+async function _startTokenIssuer() {
+  var tmp = os.tmpdir();
+  var crtPath = path.join(tmp, "blamejs-gcs-issuer.crt");
+  var keyPath = path.join(tmp, "blamejs-gcs-issuer.key");
+  await _exportCert("gcs.crt", crtPath);
+  await _exportCert("gcs.key", keyPath);
+  var hits = 0;
+  var lastAssertionSeen = false;
+  var srv = https.createServer({
+    cert: fs.readFileSync(crtPath),
+    key:  fs.readFileSync(keyPath),
+  }, function (req, res) {
+    var chunks = [];
+    req.on("data", function (c) { chunks.push(c); });
+    req.on("end", function () {
+      var body = Buffer.concat(chunks).toString("utf8");
+      // Confirm the framework actually sent the JWT-bearer assertion the
+      // real OAuth2 service-account flow requires.
+      if (/grant_type=urn%3Aietf%3Aparams%3Aoauth%3Agrant-type%3Ajwt-bearer/.test(body) &&
+          /assertion=/.test(body)) {
+        lastAssertionSeen = true;
+      }
+      hits++;
+      res.statusCode = 200;
+      res.setHeader("Content-Type", "application/json");
+      res.end(JSON.stringify({ access_token: "emu-access-token", expires_in: 3600 }));
+    });
+  });
+  await new Promise(function (resolve) { srv.listen(0, "127.0.0.1", resolve); });
+  var port = srv.address().port;
+  return {
+    url:      "https://127.0.0.1:" + port + "/token",
+    hits:     function () { return hits; },
+    sawJwtAssertion: function () { return lastAssertionSeen; },
+    close:    function () { return new Promise(function (r) { srv.close(r); }); },
+  };
+}
+
+async function _runRoundTrip(issuer) {
+  var sa = _serviceAccount();
+  var endpoint = services.URLS.gcs;            // https://127.0.0.1:4443
+  var bucket   = "blamejs-gcs-live-" + Date.now();
+  var common = {
+    serviceAccount: sa,
+    endpoint:       endpoint,
+    tokenEndpoint:  issuer.url,
+    allowInternal:  true,
+    timeoutMs:      8000,
+  };
+
+  // ---- bucket create ----
+  var ops = b.objectStore.bucketOps.create(Object.assign({
+    protocol:  "gcs",
+    projectId: sa.project_id,
+  }, common));
+  var created = await ops.create(bucket, { location: "US" });
+  check("bucketOps.create returns the bucket name", created.name === bucket);
+  check("OAuth2 token exchange happened before the storage call",
+        issuer.hits() >= 1);
+  check("framework sent the JWT-bearer assertion on the OAuth2 leg",
+        issuer.sawJwtAssertion() === true);
+
+  // ---- backend put / get / list / head / delete ----
+  var backend = b.objectStore.buildBackend(Object.assign({
+    name:            "gcs-live",
+    protocol:        "gcs",
+    bucket:          bucket,
+    classifications: ["operational"],
+    residencyTag:    "unrestricted",
+  }, common));
+
+  var key     = "obj-" + Math.floor(Math.random() * 1e6) + ".bin";
+  var payload = nodeCrypto.randomBytes(4096);
+
+  var putRv = await backend.put(key, payload, { contentType: "application/octet-stream" });
+  check("put: returned a size", putRv && putRv.size === payload.length);
+
+  var got = await backend.get(key);
+  var gotBuf = Buffer.isBuffer(got) ? got : (got && got.body);
+  check("get: bytes round-trip exactly (byte-identical)",
+        Buffer.isBuffer(gotBuf) && Buffer.compare(gotBuf, payload) === 0);
+
+  var listing = await backend.list("obj-");
+  check("list: returns { items } shape",
+        listing && Array.isArray(listing.items));
+  check("list: surfaces the just-put object key",
+        listing.items.some(function (it) { return it.key === key; }));
+  check("list: item size matches the payload length",
+        listing.items.some(function (it) { return it.key === key && it.size === payload.length; }));
+
+  var emptyListing = await backend.list("does-not-exist-prefix-");
+  check("list: non-matching prefix returns empty items",
+        emptyListing && Array.isArray(emptyListing.items) && emptyListing.items.length === 0);
+
+  var meta = await backend.head(key);
+  check("head: size matches the payload length", meta && meta.size === payload.length);
+
+  var del = await backend.delete(key);
+  check("delete: returned true", del === true);
+
+  var afterDelete = await backend.list("obj-");
+  check("list after delete: object is gone",
+        !afterDelete.items.some(function (it) { return it.key === key; }));
+
+  // get on the deleted key surfaces a 404 — the framework rejects with
+  // an ObjectStoreError carrying statusCode 404 (not a silent empty).
+  var notFound = null;
+  try { await backend.get(key); } catch (e) { notFound = e; }
+  check("get on deleted key throws (404 surfaced, not swallowed)",
+        notFound && (notFound.statusCode === 404 ||
+                     /404|not.?found/i.test(String(notFound.message || notFound.code || ""))));
+
+  // ---- bucket delete-missing path (correct against fake-gcs: 404 → false) ----
+  var delMissing = await ops.delete("blamejs-gcs-never-existed-" + Date.now());
+  check("bucketOps.delete on a missing bucket returns false (404 path)",
+        delMissing === false);
+
+  // Best-effort cleanup of the created bucket. Real GCS returns 204 on
+  // bucket DELETE; fake-gcs returns 200 (an emulator quirk the framework
+  // correctly refuses as UNEXPECTED_STATUS), so this throw is expected
+  // against the emulator and is NOT a framework defect. The bucket name
+  // carries Date.now() so re-runs don't collide; the container reset
+  // sweeps it.
+  try { await ops.delete(bucket); } catch (_e) { /* fake-gcs 200-on-delete quirk */ }
+}
+
+async function run() {
+  var svc = await services.requireService("gcs");
+  if (!svc.ok) throw new Error("fake-gcs unreachable: " + svc.reason);
+  // exportCaCert is what the runner already relies on for NODE_EXTRA_CA_CERTS;
+  // calling it keeps this test self-contained if run directly.
+  await services.exportCaCert();
+
+  var issuer = await _startTokenIssuer();
+  try {
+    await _runRoundTrip(issuer);
+  } finally {
+    await issuer.close();
+  }
+}
+
+module.exports = { run: run };
+
+if (require.main === module) {
+  run().then(
+    function () { console.log("OK — " + helpers.getChecks() + " checks passed"); process.exit(0); },
+    function (e) { console.error("FAIL:", e.stack || e); process.exit(1); }
+  );
+}