@blamejs/blamejs-shop 0.4.30 → 0.4.32

package/lib/vendor/blamejs/test/layer-0-primitives/db-stream-and-payload-shape.test.js

@@ -0,0 +1,267 @@
+"use strict";
+/**
+ * b.db.stream OOM-safety + streamLimit cap, and sealed-column byte-
+ * fidelity across hostile payload shapes.
+ *
+ * Two guarantees under test, both on the production encrypted-at-rest
+ * path (real wrapped vault + sealed db.enc + audit chain via
+ * setupTestDb):
+ *
+ *   (a) b.db.stream yields rows from node:sqlite's iterate() WITHOUT
+ *       materializing the whole result set (the documented win over
+ *       .all()), preserves row order, and DESTROYS the stream with a
+ *       db/stream-limit-exceeded error once the per-call streamLimit
+ *       cap is crossed rather than accumulating unboundedly.
+ *
+ *   (b) A sealed column round-trips seal -> store -> read -> unseal
+ *       byte-identical for the payload shapes a real column carries.
+ *       This is where a silent value-corruption bug would hide: the
+ *       seal layer must not lose bytes on the way through the AEAD
+ *       envelope.
+ */
+
+var helpers     = require("../helpers");
+var b           = helpers.b;
+var check       = helpers.check;
+var fs          = helpers.fs;
+var os          = helpers.os;
+var path        = helpers.path;
+var setupTestDb = helpers.setupTestDb;
+var waitUntil   = helpers.waitUntil;
+
+// Stream-test table: a sealed column so the stream's auto-unseal path
+// (opts.table) is exercised, plus an ordering column.
+// Payload-fidelity table: one sealed TEXT column (seal layer) and one
+// NON-sealed BLOB column (raw node:sqlite storage), so the two
+// round-trip paths are isolated from each other.
+var SCHEMA = [
+  {
+    name: "events",
+    columns: {
+      _id:   "TEXT PRIMARY KEY",
+      seq:   "INTEGER NOT NULL",
+      payload: "TEXT",
+    },
+    indexes: ["seq"],
+    sealedFields: ["payload"],
+  },
+  {
+    name: "blobs",
+    columns: {
+      _id:    "TEXT PRIMARY KEY",
+      sealedText: "TEXT",   // routed through the seal layer
+      rawBlob:    "BLOB",   // stored as a raw node:sqlite BLOB, not sealed
+    },
+    sealedFields: ["sealedText"],
+  },
+];
+
+// Drain a Readable into an array of rows, honoring backpressure-free
+// flowing mode but capturing order. Rejects on stream error.
+function collectStream(stream) {
+  return new Promise(function (resolve, reject) {
+    var rows = [];
+    stream.on("data", function (row) { rows.push(row); });
+    stream.on("end", function () { resolve(rows); });
+    stream.on("error", function (err) { reject(err); });
+  });
+}
+
+// Capture the error a stream destroys with (the cap path). Resolves
+// with { errored, err, rowsBeforeError }.
+function collectStreamError(stream) {
+  return new Promise(function (resolve) {
+    var rows = [];
+    stream.on("data", function (row) { rows.push(row); });
+    stream.on("end", function () { resolve({ errored: false, err: null, rowsBeforeError: rows }); });
+    stream.on("error", function (err) { resolve({ errored: true, err: err, rowsBeforeError: rows }); });
+  });
+}
+
+function bufEqual(a, exp) {
+  return Buffer.isBuffer(a) || a instanceof Uint8Array
+    ? Buffer.compare(Buffer.from(a), exp) === 0
+    : false;
+}
+
+async function run() {
+  var tmp = fs.mkdtempSync(path.join(os.tmpdir(), "blamejs-db-stream-shape-"));
+  await setupTestDb(tmp, SCHEMA);
+
+  // ====================================================================
+  // (a) b.db.stream — non-materializing, ordered, capped
+  // ====================================================================
+
+  // Insert a few thousand rows so the stream has real work to do and
+  // the cap can fire well before the end of the set.
+  var N = 4000;
+  var events = b.db.from("events");
+  for (var i = 0; i < N; i++) {
+    events.insertOne({ seq: i, payload: "payload-row-" + i });
+  }
+  check("inserted N rows", b.db.from("events").count() === N);
+
+  // ---- order + completeness: every row arrives, in seq order, unsealed
+  var streamed = await collectStream(
+    b.db.stream("SELECT * FROM events ORDER BY seq ASC", { table: "events" })
+  );
+  check("stream yielded every row", streamed.length === N);
+  var ordered = true;
+  var unsealedOk = true;
+  for (var j = 0; j < streamed.length; j++) {
+    if (streamed[j].seq !== j) ordered = false;
+    if (streamed[j].payload !== "payload-row-" + j) unsealedOk = false;
+  }
+  check("stream preserved row order", ordered);
+  check("stream auto-unsealed the sealed column", unsealedOk);
+
+  // ---- non-materialization: the stream is pull-based. Pause it after
+  // the first row and prove no further rows are delivered while paused
+  // (a .all()-style eager materialization could not honor this), then
+  // resume and confirm the rest flow. This demonstrates the iterate()
+  // generator is pulled lazily, not collected up-front.
+  var pullStream = b.db.stream("SELECT * FROM events ORDER BY seq ASC", { table: "events" });
+  var seen = [];
+  var pausedAtCount = -1;
+  pullStream.on("data", function (row) {
+    seen.push(row);
+    if (seen.length === 1) {
+      pullStream.pause();
+      pausedAtCount = seen.length;
+      // Resume on the next tick; while paused, no more 'data' must fire.
+      setImmediate(function () {
+        // Confirm the stream did NOT race ahead and buffer the whole
+        // set while we were paused: at most a tiny highWaterMark of
+        // rows can be in flight, never the full N.
+        check("paused stream did not materialize the full set",
+          seen.length < N);
+        pullStream.resume();
+      });
+    }
+  });
+  var pulled = await new Promise(function (resolve, reject) {
+    pullStream.on("end", function () { resolve(seen); });
+    pullStream.on("error", reject);
+  });
+  check("paused-then-resumed stream still delivered every row", pulled.length === N);
+  check("pause point was the first row", pausedAtCount === 1);
+
+  // ---- cap: a per-call streamLimit BELOW the row count must destroy
+  // the stream with db/stream-limit-exceeded, not silently truncate or
+  // run to completion.
+  var CAP = 100;
+  var capResult = await collectStreamError(
+    b.db.stream("SELECT * FROM events ORDER BY seq ASC", { table: "events", streamLimit: CAP })
+  );
+  check("over-cap stream errored (did not run to completion)", capResult.errored === true);
+  check("over-cap stream error carries db/stream-limit-exceeded code",
+    !!capResult.err && capResult.err.code === "db/stream-limit-exceeded");
+  check("over-cap stream stopped at the cap (no unbounded accumulation)",
+    capResult.rowsBeforeError.length <= CAP);
+
+  // ---- a streamLimit AT OR ABOVE the row count runs clean to the end.
+  var underCap = await collectStream(
+    b.db.stream("SELECT * FROM events ORDER BY seq ASC", { table: "events", streamLimit: N + 10 })
+  );
+  check("within-cap stream completes without error", underCap.length === N);
+
+  // ---- a bad streamLimit shape throws at call time (config-time tier).
+  var badLimitThrew = false;
+  try { b.db.stream("SELECT * FROM events", { table: "events", streamLimit: -1 }); }
+  catch (e) { badLimitThrew = e && e.code === "db/bad-stream-limit"; }
+  check("negative streamLimit throws db/bad-stream-limit at call time", badLimitThrew);
+
+  // ====================================================================
+  // (b) sealed-column byte-fidelity across hostile payload shapes
+  // ====================================================================
+  //
+  // For each shape, drive the PRODUCTION seal path
+  // (cryptoField.sealRow -> store via db -> read -> auto-unseal) and
+  // assert byte-identical recovery. Any shape that does not round-trip
+  // byte-identical is a real data-integrity bug — the column was
+  // declared sealed by the operator and silently corrupting its value
+  // defeats the at-rest-encryption guarantee.
+
+  // --- Shape 1: astral-plane Unicode (emoji + CJK Extension B) ---
+  var astral = "rocket\u{1F680} cjkB\u{20000}\u{2A6B2} family\u{1F468}\u{200D}\u{1F469}\u{200D}\u{1F467}";
+  b.db.from("blobs").insertOne({ _id: "astral", sealedText: astral });
+  var gotAstral = b.db.from("blobs").where({ _id: "astral" }).first();
+  check("astral-plane Unicode round-trips byte-identical through sealed column",
+    gotAstral.sealedText === astral);
+
+  // --- Shape 2: a string containing embedded NUL bytes ---
+  var withNul = "beforemiddleafter";
+  b.db.from("blobs").insertOne({ _id: "nul", sealedText: withNul });
+  var gotNul = b.db.from("blobs").where({ _id: "nul" }).first();
+  check("string with embedded NUL bytes round-trips byte-identical through sealed column",
+    gotNul.sealedText === withNul);
+
+  // --- Shape 3: a large (~256 KiB) value ---
+  var large = "";
+  var chunk = "0123456789abcdef";                 // 16 bytes
+  while (large.length < 256 * 1024) large += chunk; // ~256 KiB
+  b.db.from("blobs").insertOne({ _id: "large", sealedText: large });
+  var gotLarge = b.db.from("blobs").where({ _id: "large" }).first();
+  check("large (~256 KiB) value round-trips byte-identical through sealed column",
+    gotLarge.sealedText === large && gotLarge.sealedText.length === large.length);
+
+  // --- Shape 4: a binary Buffer/BLOB carrying all 256 byte values ---
+  // First prove the DB BLOB column itself preserves bytes (the storage
+  // floor), so any seal-layer corruption can't be blamed on sqlite.
+  var allBytes = Buffer.alloc(256);
+  for (var bb = 0; bb < 256; bb++) allBytes[bb] = bb;
+  b.db.from("blobs").insertOne({ _id: "rawblob", rawBlob: allBytes });
+  var gotRawBlob = b.db.from("blobs").where({ _id: "rawblob" }).first();
+  check("raw (non-sealed) BLOB column preserves all 256 byte values byte-identical",
+    bufEqual(gotRawBlob.rawBlob, allBytes));
+
+  // Now the same all-256-bytes Buffer through a SEALED column. A sealed
+  // column is the operator's declaration that the value holds protected
+  // data; a binary column (e.g. a sealed encryption sub-key, a packed
+  // protobuf, a thumbnail) is a legitimate sealed payload. The seal
+  // path MUST either preserve the bytes or refuse — silently mangling
+  // them is the bug.
+  b.db.from("blobs").insertOne({ _id: "sealedblob", sealedText: allBytes });
+  var gotSealedBlob = b.db.from("blobs").where({ _id: "sealedblob" }).first();
+  var sealedBlobBytes = Buffer.isBuffer(gotSealedBlob.sealedText) || gotSealedBlob.sealedText instanceof Uint8Array
+    ? Buffer.from(gotSealedBlob.sealedText)
+    : Buffer.from(String(gotSealedBlob.sealedText), "utf8");
+  check("all-256-byte Buffer round-trips byte-identical through a SEALED column",
+    Buffer.compare(sealedBlobBytes, allBytes) === 0);
+
+  // --- Shape 5: a deeply-nested JSON object ---
+  // A sealed column declared to hold a structured value (the framework
+  // even JSON.stringify's containment values elsewhere) must recover the
+  // SAME object — not a coerced "[object Object]" / lossy string.
+  var nested = { a: { b: { c: { d: [1, 2, { e: "deep", f: [null, true, "xy"] }] } } }, n: 42 };
+  b.db.from("blobs").insertOne({ _id: "nested", sealedText: nested });
+  var gotNested = b.db.from("blobs").where({ _id: "nested" }).first();
+  var recovered;
+  try {
+    recovered = typeof gotNested.sealedText === "string"
+      ? JSON.parse(gotNested.sealedText)
+      : gotNested.sealedText;
+  } catch (_e) { recovered = gotNested.sealedText; }
+  check("deeply-nested object round-trips structurally through a SEALED column",
+    JSON.stringify(recovered) === JSON.stringify(nested));
+
+  // Touch waitUntil so the import is exercised even though every assert
+  // above is synchronous against the local sqlite path (keeps the
+  // helper dependency honest for future async growth).
+  await waitUntil(function () { return true; }, { timeoutMs: 1000, label: "db-stream-shape: trivial settle" });
+
+  b.db.close();
+  b.audit._resetForTest();
+  b.db._resetForTest();
+  b.vault._resetForTest();
+  b.cluster._resetForTest();
+  try { fs.rmSync(tmp, { recursive: true, force: true }); } catch (_e) {}
+
+  console.log("OK — db.stream OOM-safety + cap, sealed-column byte-fidelity");
+}
+
+module.exports = { run: run };
+if (require.main === module) {
+  run().then(function () { process.exit(0); })
+       .catch(function (err) { process.exitCode = 1; throw err; });
+}

package/lib/vendor/blamejs/test/layer-0-primitives/db-worm.test.js

@@ -25,6 +25,27 @@ async function run() {
       },
       indexes: ["userId"],
     },
+    {
+      // Erasure target for the eraseHard happy-path proof. NOT a WORM
+      // table (eraseHard's raw DELETE would trip a WORM BEFORE-DELETE
+      // trigger), but gated by dual-control so the destructive op only
+      // runs against a consumed m-of-n grant.
+      //   ssn  — sealed at rest (exercises cryptoField.eraseRow)
+      //   tag  — non-sealed, INDEXED plaintext column. This is the
+      //          forensic target: its plaintext lands in the SQLite
+      //          table-leaf AND index B-tree pages, so DELETE + REINDEX
+      //          (+ the advertised vacuumAfterErase companion) must
+      //          leave no on-disk residual.
+      name: "stale_pii",
+      columns: {
+        _id:    "TEXT PRIMARY KEY",
+        ssn:    "TEXT",
+        tag:    "TEXT",
+        keepId: "TEXT",
+      },
+      indexes:      ["tag"],
+      sealedFields: ["ssn"],
+    },
   ]);
 
   // Insert a row before WORM declaration to exercise the trigger gate.
@@ -83,6 +104,135 @@ async function run() {
   catch (e) { noGrantRefused = /dual-control/i.test(e.message); }
   check("eraseHard: dual-control gate refuses without grant", noGrantRefused);
 
+  // ---------------------------------------------------------------------
+  // Happy path — eraseHard ACTUALLY destroys data (DELETE + crypto-erase
+  // + REINDEX) under a real consumed dual-control grant, and leaves no
+  // forensic residual on disk.
+  // ---------------------------------------------------------------------
+
+  // A unique, high-entropy sentinel so a byte-scan of the on-disk files
+  // can't false-positive on incidental bytes. Stored in the non-sealed,
+  // INDEXED `tag` column → its plaintext is in both the table-leaf and
+  // the index B-tree pages of the working SQLite file.
+  var SENTINEL = "ERASE-SENTINEL-" +
+    b.crypto.generateToken(b.constants.BYTES.bytes(24)) + "-ZZ";
+  var SSN_PLAIN = "987-65-4321";
+
+  b.db.from("stale_pii").insertOne({ _id: "doomed", ssn: SSN_PLAIN, tag: SENTINEL, keepId: "k1" });
+  // A second row that must SURVIVE the erase — proves eraseHard scopes
+  // to the named rowId and doesn't wipe the table.
+  var SURVIVOR = "SURVIVOR-SENTINEL-" +
+    b.crypto.generateToken(b.constants.BYTES.bytes(16)) + "-YY";
+  b.db.from("stale_pii").insertOne({ _id: "keeper", ssn: "111-22-3333", tag: SURVIVOR, keepId: "k2" });
+
+  // Gate the erase behind dual-control (m=2, n=3).
+  b.db.declareRequireDualControl({ tables: ["stale_pii"], m: 2, n: 3, posture: "gdpr" });
+
+  // Sealed round-trip: the row reads back with plaintext ssn (proves the
+  // value was genuinely sealed-then-unsealed, i.e. encryption is live).
+  var before = b.db.from("stale_pii").where({ _id: "doomed" }).first();
+  check("eraseHard happy: sealed row reads back before erase", !!before && before.ssn === SSN_PLAIN);
+  check("eraseHard happy: tag present in-row before erase",    !!before && before.tag === SENTINEL);
+
+  // Locate the on-disk files. In encrypted-at-rest mode the working
+  // SQLite file lives in tmpfs (getDbPath); the durable sealed copy is
+  // <dataDir>/db.enc. Force a checkpoint + WAL flush so committed pages
+  // are visible in the main file for the forensic scan.
+  var dbFile  = b.db.getDbPath();
+  var walFile = dbFile + "-wal";
+  var encFile = path.join(tmpDir, "db.enc");
+  b.db.flushToDisk(); // checkpoint(TRUNCATE) + re-seal db.enc
+
+  function fileHasSentinel(p, needle) {
+    if (!fs.existsSync(p)) return false;
+    return fs.readFileSync(p).includes(Buffer.from(needle, "utf8"));
+  }
+  function diskHasSentinel(needle) {
+    return fileHasSentinel(dbFile, needle) ||
+           fileHasSentinel(walFile, needle);
+  }
+
+  // CONTROL — before erase the sentinel plaintext IS recoverable from the
+  // working SQLite file (table-leaf and/or index pages). Without this the
+  // "absent after" assertion below would be vacuous.
+  check("eraseHard FORENSIC control: sentinel plaintext present on disk before erase",
+    diskHasSentinel(SENTINEL));
+  // db.enc is an encrypted envelope — the sentinel must NOT be plaintext-
+  // visible there at any point (sanity check on at-rest encryption).
+  check("eraseHard FORENSIC: db.enc never exposes sentinel plaintext (encrypted at rest)",
+    !fileHasSentinel(encFile, SENTINEL));
+
+  // Build a REAL dual-control grant: request → a different actor approves
+  // → quorum → consume. consume() returns { ready: true } which eraseHard
+  // requires. No stub — the production dual-control workflow.
+  var approvals = b.dualControl.create({
+    namespace: "stale_pii.eraseHard",
+    cache:     b.cache.create({ namespace: "dc-erase", backend: "memory" }),
+    audit:     b.audit,
+    minApprovers: 2,
+  });
+  var opened = await approvals.request({
+    action:      "stale_pii.eraseHard",
+    resource:    { kind: "stale_pii", id: "doomed" },
+    requestedBy: { id: "alice" },
+    reason:      "GDPR Art. 17 erasure request, ticket SUP-9001",
+  });
+  check("eraseHard happy: grant opened pending", opened && opened.status === "pending");
+  await approvals.approve({ grantId: opened.grantId, approver: { id: "bob" },     reason: "verified subject identity" });
+  var quorum = await approvals.approve({ grantId: opened.grantId, approver: { id: "carol" }, reason: "second approval" });
+  check("eraseHard happy: grant reached quorum", quorum && quorum.status === "approved");
+  var grant = await approvals.consume(opened.grantId, {});
+  check("eraseHard happy: grant consumed (ready)", grant && grant.ready === true);
+
+  // The destructive op under the consumed grant.
+  var result = await b.db.eraseHard("stale_pii", "doomed", {
+    reason:           "subject erasure under GDPR Art 17, ticket SUP-9001",
+    dualControlGrant: grant,
+  });
+  check("eraseHard happy: reports rowsDeleted === 1", result && result.rowsDeleted === 1);
+
+  // (a) Row is gone from the table.
+  var afterRow = b.db.from("stale_pii").where({ _id: "doomed" }).first();
+  check("eraseHard happy: erased row absent from table", afterRow === null || afterRow === undefined);
+  // The unrelated row survives — erase is row-scoped, not a table wipe.
+  var keeper = b.db.from("stale_pii").where({ _id: "keeper" }).first();
+  check("eraseHard happy: unrelated row survives", !!keeper && keeper.tag === SURVIVOR);
+
+  // (b) Audit chain still verifies end-to-end (the erase emitted a signed
+  // db.erase_hard row; the hash chain must remain intact).
+  await b.audit.flush();
+  var chain = await b.audit.verify();
+  check("eraseHard happy: audit chain verifies intact after erase", chain && chain.ok === true);
+
+  // (c) FORENSIC — the core guarantee, attributed to eraseHard ITSELF
+  // (DELETE + REINDEX), measured BEFORE any later vacuum so the scrub
+  // can't be credited to a separate VACUUM pass. Re-checkpoint + re-seal
+  // so the on-disk files reflect post-erase state, then assert the
+  // deleted row's plaintext sentinel is gone from the working SQLite +
+  // WAL. The CONTROL above proved it WAS recoverable before the erase, so
+  // this is a real before/after delta, not a vacuous read.
+  b.db.flushToDisk();
+  check("eraseHard FORENSIC: erased sentinel plaintext ABSENT from working SQLite + WAL after eraseHard+REINDEX",
+    !diskHasSentinel(SENTINEL));
+  // The survivor's plaintext is still on disk — confirms the scan is live
+  // (it isn't reporting "absent" because the whole file was wiped).
+  check("eraseHard FORENSIC: survivor sentinel still present on disk (scan is live, not whole-file wipe)",
+    diskHasSentinel(SURVIVOR));
+  // db.enc is an encrypted envelope — never plaintext-visible at any point.
+  check("eraseHard FORENSIC: db.enc holds no sentinel plaintext after erase",
+    !fileHasSentinel(encFile, SENTINEL));
+
+  // Belt-and-suspenders: the advertised vacuumAfterErase companion (full
+  // VACUUM rewrites every page) is the operator's defense against any
+  // freed-page residual a later large-scale erase batch could leave. Run
+  // it and re-confirm the sentinel stays absent and the survivor stays.
+  b.db.vacuumAfterErase({ mode: "full" });
+  b.db.flushToDisk();
+  check("eraseHard FORENSIC: sentinel still absent after vacuumAfterErase(full)",
+    !diskHasSentinel(SENTINEL));
+  check("eraseHard FORENSIC: survivor still present after vacuumAfterErase(full)",
+    diskHasSentinel(SURVIVOR));
+
   await dbHelper.teardownTestDb(tmpDir);
 }
 

package/lib/vendor/blamejs/test/layer-0-primitives/defineguard-default-gate-posture-caps.test.js

@@ -0,0 +1,30 @@
+"use strict";
+// defineGuard's default gate must resolve the profile + posture BEFORE building
+// the gate, so a guard gated with { compliancePosture } honors that posture's
+// forensicSnippetBytes (and the profile's maxRuntimeMs). The default gate passed
+// RAW opts straight to buildGuardGate, so the posture's forensic cap was dropped
+// to 0 (forensic snapshots disabled) — a regulated-posture refusal carried no
+// evidence, defeating the forensic-capture the posture promises.
+
+var helpers = require("../helpers");
+var b     = helpers.b;
+var check = helpers.check;
+
+async function run() {
+  // guard-cidr is built via gateContract.defineGuard with the STANDARD default
+  // gate (no bespoke spec.gate), so .gate() exercises the default-gate path.
+  // Its hipaa posture sets forensicSnippetBytes = 128.
+  var bad = "999.999.999.999/99";
+  var g = b.guardCidr.gate({ compliancePosture: "hipaa" });
+  var decision = await g.check({ identifier: bad, bytes: Buffer.from(bad, "utf8") });
+  check("hipaa gate refuses a malformed CIDR", decision.action === "refuse");
+  check("hipaa posture forensicSnippetBytes is applied → refusal carries a forensic snapshot",
+        decision.forensicSnapshot != null);
+  check("the forensic snapshot is bounded by the posture cap (<= 128 bytes)",
+        decision.forensicSnapshot != null && decision.forensicSnapshot.length <= 128);
+
+  process.stdout.write("OK — defineGuard default-gate posture-cap tests\n");
+}
+
+run().then(function () { process.exit(0); })
+     .catch(function (e) { process.stderr.write((e && e.stack ? e.stack : String(e)) + "\n"); process.exit(1); });

package/lib/vendor/blamejs/test/layer-0-primitives/dpop-middleware-replaystore-required.test.js

@@ -0,0 +1,46 @@
+"use strict";
+// b.middleware.dpop must REQUIRE a replayStore. The store IS the jti-replay
+// defense: without it a captured DPoP proof can be replayed indefinitely — the
+// exact attack proof-of-possession exists to stop (RFC 9449 §11.1). The doc has
+// always listed replayStore as "required", but create() read it optionally and
+// mounted a gate that performed no replay check when it was omitted. Mounting
+// must fail closed at config time, never silently disable the defense.
+
+var helpers = require("../helpers");
+var b     = helpers.b;
+var check = helpers.check;
+
+function expectThrow(label, fn, codeNeedle) {
+  var threw = null;
+  try { fn(); } catch (e) { threw = e; }
+  check(label + " — throws at create()", threw !== null);
+  if (threw && codeNeedle) {
+    check(label + " — error names the replay store",
+          String((threw.code || threw.message) || "").toLowerCase().indexOf(codeNeedle) !== -1);
+  }
+}
+
+function run() {
+  // 1. Omitting replayStore must throw at create() — no silent replay-off mount.
+  expectThrow("dpop middleware without replayStore", function () {
+    b.middleware.dpop({ getAccessToken: function () { return null; } });
+  }, "replay");
+
+  // 2. A replayStore lacking checkAndInsert must throw at create() (fail fast on
+  //    config, not at the first request).
+  expectThrow("dpop middleware with a malformed replayStore", function () {
+    b.middleware.dpop({ replayStore: { notCheckAndInsert: true } });
+  }, "replay");
+
+  // 3. A valid replayStore mounts cleanly (control — proves the gate is not
+  //    over-tightened into refusing legitimate config).
+  var mounted = null;
+  try {
+    mounted = b.middleware.dpop({ replayStore: b.nonceStore.create({ backend: "memory" }) });
+  } catch (e) { mounted = e; }
+  check("dpop middleware with a valid replayStore mounts", typeof mounted === "function");
+
+  process.stdout.write("OK — dpop middleware replayStore-required tests\n");
+}
+
+run();