@blamejs/blamejs-shop 0.4.31 → 0.4.32

package/lib/vendor/blamejs/test/smoke.js

@@ -116,11 +116,7 @@ function _layerDirFor(layerNum) {
   return dir;
 }
 
-// Run a single test file. Backward compat with the legacy
-// run() / groups[] export shapes; new files only need run().
-async function _runTestModule(modulePath, displayName) {
-  var mod = require(modulePath);
-  var fileStart = Date.now();
+async function _runModuleBody(mod, displayName) {
   if (typeof mod.run === "function") {
     try { await mod.run(); }
     catch (err) {
@@ -150,6 +146,37 @@ async function _runTestModule(modulePath, displayName) {
       }
     }
   }
+}
+
+// Run a single test file. Backward compat with the legacy
+// run() / groups[] export shapes; new files only need run().
+//
+// The sequential layers (1-5) run in-process, so unlike the forked
+// layer-0 children they have no per-fork watchdog. A hung async op here
+// (a blocking native call starved on the libuv threadpool, a leaked
+// handle, an awaited promise that never settles) would otherwise ride
+// to the CI job's wall-clock limit as an unattributable multi-hour
+// hang. This in-process watchdog races the file body against the same
+// FILE_TIMEOUT_MS budget: the main loop stays responsive while a
+// threadpool thread is stuck, so the timer fires, names the file, and
+// fails fast and diagnosably.
+async function _runTestModule(modulePath, displayName) {
+  var mod = require(modulePath);
+  var fileStart = Date.now();
+  var watchdog = null;
+  var timed = new Promise(function (_resolve, reject) {
+    watchdog = setTimeout(function () {
+      reject(new Error(displayName + ": sequential-layer watchdog — exceeded " +
+        FILE_TIMEOUT_MS + "ms with no completion (likely a hung async op: " +
+        "libuv-threadpool starvation, a leaked handle, or a blocking native call)"));
+    }, FILE_TIMEOUT_MS);
+    if (typeof watchdog.unref === "function") watchdog.unref();
+  });
+  try {
+    await Promise.race([_runModuleBody(mod, displayName), timed]);
+  } finally {
+    if (watchdog !== null) clearTimeout(watchdog);
+  }
   return Date.now() - fileStart;
 }
 
@@ -350,23 +377,51 @@ async function _runLayer(layerNum, legacyPath, layerName) {
   // pure-primitive and don't share db/cluster/vault state. Layers 1+
   // stay sequential.
   if (PARALLEL > 1 && layerNum === 0) {
-    // LPT (Longest-Processing-Time-first) scheduling — sort by recorded
-    // historical duration descending so the long-tail test starts on
-    // worker 1 instead of landing in the last batch. Continuous worker
-    // queue: each worker pulls the next file as soon as it finishes.
-    // Provably within 4/3 of optimal makespan vs. batched-by-name
-    // scheduling that idled workers behind a 19s long-tail test.
+    var totalChecks = 0;
+    var firstFailure = null;
+    var resultsByFile = {};
+    var newTimings = {};
+
+    // A file that declares the SMOKE_RUN_SOLO marker (a CPU-bound test
+    // that itself fans out across worker_threads — e.g. the pattern-
+    // catalog duplicate-scan) runs ALONE with the whole box, NOT in the
+    // parallel pool. On a low-core runner (macos-latest = 3 cores) its
+    // internal workers plus the sibling forks oversubscribe the CPU and
+    // the scan overruns its per-file budget; given the whole box it
+    // finishes in its normal time. Marker-based, not timing-based, so it
+    // works on a fresh CI runner that has no persisted timings yet.
+    var soloFiles = [];
+    var poolFiles = [];
+    for (var pf = 0; pf < files.length; pf += 1) {
+      var solo = false;
+      try {
+        solo = fs.readFileSync(path.join(dir, files[pf]), "utf8")
+          .slice(0, 2048).indexOf("SMOKE_RUN_SOLO") !== -1;
+      } catch (_e) { solo = false; }
+      (solo ? soloFiles : poolFiles).push(files[pf]);
+    }
+
+    // Solo phase — heavy files one at a time, each with the full box.
+    for (var si = 0; si < soloFiles.length && !firstFailure; si += 1) {
+      var sName = soloFiles[si];
+      var srv = await _runFileForked(path.join(dir, sName), layerName + " / " + sName);
+      resultsByFile[sName] = srv;
+      newTimings[sName] = srv.ms;
+      if (!srv.ok && !firstFailure) firstFailure = srv;
+    }
+
+    // Pool phase — light remainder, LPT (Longest-Processing-Time-first)
+    // scheduled: sort by recorded historical duration descending so the
+    // long-tail file starts on worker 1 instead of landing in the last
+    // batch (within 4/3 of optimal makespan). Continuous queue: each
+    // worker pulls the next file as soon as it finishes.
     var timings = _readTimings();
-    var ordered = files.slice().sort(function (a, b) {
+    var ordered = poolFiles.slice().sort(function (a, b) {
       var ta = timings[a] || Infinity;                                          // unknown → Infinity → schedule early on first run
       var tb = timings[b] || Infinity;
       return tb - ta;
     });
     var cursor = 0;
-    var totalChecks = 0;
-    var firstFailure = null;
-    var resultsByFile = {};
-    var newTimings = {};
     async function worker() {
       while (true) {
         if (firstFailure) return;
@@ -379,14 +434,17 @@ async function _runLayer(layerNum, legacyPath, layerName) {
         if (!rv.ok && !firstFailure) firstFailure = rv;
       }
     }
-    var pool = [];
-    for (var w = 0; w < PARALLEL; w += 1) pool.push(worker());
-    await Promise.all(pool);
+    if (!firstFailure) {
+      var pool = [];
+      for (var w = 0; w < PARALLEL; w += 1) pool.push(worker());
+      await Promise.all(pool);
+    }
+
     // Print in original sort() order so the per-run output is stable
-    // for diff-based comparison (the LPT order is internal scheduling).
+    // for diff-based comparison (the solo/LPT order is internal scheduling).
     for (var p = 0; p < files.length; p += 1) {
       var rf = resultsByFile[files[p]];
-      if (!rf) continue;                                                         // worker pool aborted before this file ran
+      if (!rf) continue;                                                         // pool aborted before this file ran
       totalChecks += rf.checks;
       if (!rf.ok) {
         if (rf.stderr) process.stderr.write(rf.stderr);

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@blamejs/blamejs-shop",
-  "version": "0.4.31",
+  "version": "0.4.32",
   "description": "Open-source framework built on blamejs. Vendored stack, zero npm runtime deps, PQC-first crypto, security-on by default.",
   "main": "lib/index.js",
   "scripts": {

package/lib/vendor/blamejs/release-notes/v0.14.0.json

@@ -1,43 +0,0 @@
-{
-  "$schema": "../scripts/release-notes-schema.json",
-  "version": "0.14.0",
-  "date": "2026-05-29",
-  "headline": "Operator-configurable header and field names across SSE, request-id, rate-limit, age-gate, AI-Act disclosure, GraphQL federation, and the HTTP cache",
-  "summary": "This release makes operator-facing identifiers that were hardcoded configurable. The framework already let operators rename most names (CSRF cookie/field, cookie parser, i18n header/query/cookie, mTLS CA name, and so on); this closes the remaining gaps so a custom or framework-specific name is never frozen. Every new option defaults to the value emitted today, so upgrading changes no behavior — these are additive knobs. It also fixes a request-id asymmetry (the response header is now written on the same name the inbound id is read from) and wires an SSE proxy-buffering option whose escape hatch was documented but never implemented.",
-  "sections": [
-    {
-      "heading": "Added",
-      "items": [
-        {
-          "title": "Configurable cache-status header on the HTTP client",
-          "body": "The outbound HTTP client annotated every cached response with a hardcoded `x-blamejs-cache: HIT|MISS|STALE|REVALIDATED` header. `b.httpClient.cache.create` now takes `statusHeader` (default \"x-blamejs-cache\") — pass a custom name (e.g. \"x-cache\") to rename it, or null/false to suppress it entirely. The decision remains available programmatically on `res.cacheStatus`."
-        },
-        {
-          "title": "Configurable rate-limit header names",
-          "body": "`b.middleware.rateLimit` emitted the de-facto `X-RateLimit-Limit` / `X-RateLimit-Remaining` headers (which are not RFC-pinned). It now accepts `headerPrefix` (default \"X-RateLimit-\") so operators can match the unprefixed IETF-draft `RateLimit-*` names or an upstream gateway's convention; the limit/remaining pair is always built from the same prefix."
-        },
-        {
-          "title": "Configurable age-gate and AI-Act disclosure header names",
-          "body": "`b.middleware.ageGate` now takes `privacyPostureHeader` (default \"X-Privacy-Posture\"; null/false to suppress), and `b.middleware.aiActDisclosure` takes `headerPrefix` (default \"AI-Act-\") that prefixes the emitted Notice / Article / Policy headers. The EU AI Act mandates the disclosure, not the HTTP spelling, so operators matching a downstream convention can rename these."
-        },
-        {
-          "title": "Configurable GraphQL-federation replay-nonce header",
-          "body": "`b.graphqlFederation.guardSdl` read the replay nonce from the Apollo-vendor `x-apollographql-router-nonce` header with no override. It now accepts `nonceHeader` (default unchanged) so an operator fronting the gateway with a non-Apollo router can point the replay check at their own header."
-        },
-        {
-          "title": "SSE proxy-buffering opt-out",
-          "body": "`b.sse.create` and `b.middleware.sse` set `X-Accel-Buffering: no` (the nginx hint that disables proxy buffering). They now accept `proxyBuffer` (default true) — pass false when not behind nginx, or when buffering is controlled at the load balancer, to suppress the nginx-specific header. The opt-out was previously referenced in the documentation but not implemented."
-        }
-      ]
-    },
-    {
-      "heading": "Fixed",
-      "items": [
-        {
-          "title": "Request-id middleware reflects the configured header name",
-          "body": "`b.log.middleware` read the inbound request id from a configurable `headerName` but always wrote the response on the literal `X-Request-Id`. An operator who set a custom `headerName` (e.g. `X-Correlation-Id`) therefore read from one header and emitted another. The response is now written on the same configured name; the default remains `X-Request-Id`, so deployments that did not set `headerName` are unaffected."
-        }
-      ]
-    }
-  ]
-}

package/lib/vendor/blamejs/release-notes/v0.14.1.json

@@ -1,60 +0,0 @@
-{
-  "$schema": "../scripts/release-notes-schema.json",
-  "version": "0.14.1",
-  "date": "2026-05-29",
-  "headline": "Correctness fixes: JAR request-object typ enforcement, byte-faithful PGP multipart/signed, and SAML InResponseTo binding",
-  "summary": "A set of correctness fixes across the auth, mail-crypto, TLS, and encoder surfaces. The most important: JWT-secured authorization requests (RFC 9101) now require the request object to carry the registered `oauth-authz-req+jwt` typ, closing a cross-JWT-confusion vector; the PGP multipart/signed wrapper is now assembled byte-faithfully so non-ASCII signed content can't be corrupted; and SAML response verification now returns the InResponseTo of the SubjectConfirmation that actually validated. Two of these change behavior — see Changed — and are bug fixes rather than new features.",
-  "sections": [
-    {
-      "heading": "Security",
-      "items": [
-        {
-          "title": "JAR request objects must carry the registered typ (RFC 9101)",
-          "body": "`b.auth.jar.parse` now requires the request-object JWS header to carry `typ: \"oauth-authz-req+jwt\"` (with or without the `application/` prefix); a request object with an absent or different typ is refused with `auth-jar/bad-typ`. RFC 9101 §10.8 specifies this media type precisely to stop a JWT minted for another purpose (an ID token, an access token, a logout token) and signed by the same client key from being replayed as a request object. The existing `iss` / `aud` / `client_id` bindings already constrained that; this restores the explicit type check as well. This is stricter than before — see Changed."
-        }
-      ]
-    },
-    {
-      "heading": "Changed",
-      "items": [
-        {
-          "title": "JAR parsing rejects untyped request objects (breaking)",
-          "body": "Following the typ enforcement above, a request object whose header omits `typ` is now refused. An authorization server whose clients sign request objects without the `oauth-authz-req+jwt` typ must update those clients to set it."
-        },
-        {
-          "title": "PGP sign() returns multipartSigned as a Buffer (breaking)",
-          "body": "`b.mail.crypto.pgp.sign(...).multipartSigned` is now a Buffer instead of a string. The OpenPGP signature covers the signed-part bytes exactly, and a JS-string round trip through latin1/utf8 could corrupt non-ASCII signed content and break verification, so the RFC 3156 multipart/signed wrapper is now assembled as bytes. Code that wrote the previous string to the wire works unchanged when it writes the Buffer; code that did string operations on the value should treat it as a Buffer (its `indexOf` / `toString` still work)."
-        }
-      ]
-    },
-    {
-      "heading": "Fixed",
-      "items": [
-        {
-          "title": "SAML response verification binds InResponseTo to the validated confirmation",
-          "body": "`verifyResponse` returned the InResponseTo of the first SubjectConfirmationData in the assertion rather than of the SubjectConfirmation that actually passed bearer validation. When a response carried more than one SubjectConfirmation, the returned value could come from a non-validated confirmation. It is now the InResponseTo of the confirmation that validated."
-        },
-        {
-          "title": "checkServerIdentity9525 emits the documented CN-fallback audit code",
-          "body": "A CN-only legacy certificate (a Common Name present, no subjectAltName) is now refused by the exported `b.network.tls.checkServerIdentity9525` with the distinct `tls/pkix-cn-fallback-refused` code its documentation promised, so audit logs can tell a CN-only certificate apart from one carrying neither a SAN nor a CN (which still yields `tls/pkix-san-required`). The accept/refuse outcome is unchanged — both are refused; only the audit granularity improved."
-        },
-        {
-          "title": "OIDC back-channel logout / JARM no longer accept dead override parameters",
-          "body": "`verifyBackchannelLogoutToken` and `parseJarmResponse` passed `acceptedAlgs` / `jwksUri` / `maxClockSkewMs` through to the ID-token verifier, which ignored them and applied the configured (create()-time) values. The pass-throughs are removed so the code no longer reads as if those can be overridden per call; the configured trust anchor was — and remains — what applies."
-        },
-        {
-          "title": "Queue lease failures are logged",
-          "body": "The consumer loop's lease-acquisition error path swallowed the backend error silently; it now logs at debug so a flapping backend that has not yet tripped the circuit breaker is visible."
-        },
-        {
-          "title": "Protobuf and ASN.1 encoders reject out-of-range tags",
-          "body": "The protobuf tag encoder rejected nothing and would have emitted a wrong tag for field numbers at or above 2^28 (where the 32-bit shift overflows); the ASN.1 context-tag writers silently truncated tag numbers above 30 (which require the multi-byte high-tag-number form). Both now throw a RangeError rather than encode silently-wrong output. The values these encoders serve are well within range, so no current caller is affected."
-        },
-        {
-          "title": "oid4vci proofAlgorithms default documented accurately",
-          "body": "The documented default proof-algorithm list now matches the code (`[\"ES256\", \"ES384\", \"EdDSA\"]`); the doc previously omitted EdDSA, which the runtime has always accepted by default."
-        }
-      ]
-    }
-  ]
-}

package/lib/vendor/blamejs/release-notes/v0.14.10.json

@@ -1,54 +0,0 @@
-{
-  "$schema": "../scripts/release-notes-schema.json",
-  "version": "0.14.10",
-  "date": "2026-05-31",
-  "headline": "Full-text-search token hashes move to a keyed MAC; existing mail-store search indexes rebuild automatically on upgrade",
-  "summary": "The mail-store full-text-search index hashed its tokens with a hand-rolled salted-SHA3 derived hash. It now routes through the framework's sealed-column hashing primitive in keyed mode (HMAC-SHAKE256 off the per-deployment MAC key), so a search-index token hash is unforgeable and un-correlatable across deployments without that key — the same posture the sealed-column lookup hashes already use. Because the keyed hash changes the stored token values, a mail-store opened after upgrade detects its index as old-format and rebuilds it once from the sealed message rows. The rebuild runs under a format marker: the index is marked `rebuilding` before it is cleared and only marked current after every row is re-hashed inside an explicit transaction, and search falls back to its cursor path (rather than returning partial hits) whenever the marker is not current — so an interrupted rebuild leaves the old index intact and queryable and retries on the next open, never serving a half-built index. A new `b.cryptoField.computeNamespacedHash` primitive backs the keyed hashing for callers that hash outside the registered-column path.",
-  "sections": [
-    {
-      "heading": "Added",
-      "items": [
-        {
-          "title": "`b.cryptoField.computeNamespacedHash`",
-          "body": "A mode-aware namespaced hash for indexed-lookup callers that hash a value outside the registered-column derived-hash path. `computeNamespacedHash(ns, value, { mode, truncateBytes })` routes through the same engine as `computeDerived` — `salted-sha3` (default) or the keyed `hmac-shake256` — with optional hex truncation. The mail-store full-text index is the first consumer."
-        }
-      ]
-    },
-    {
-      "heading": "Changed",
-      "items": [
-        {
-          "title": "Mail-store full-text index rehashes to a keyed MAC on upgrade",
-          "body": "The full-text-search token hash now uses `b.cryptoField.computeNamespacedHash` in `hmac-shake256` mode instead of a hand-rolled salted-SHA3. The first time a store is opened after upgrade, its index is detected as old-format and rebuilt once from the sealed message rows; subsequent opens are no-ops. Search is unaffected once the rebuild completes. The rebuild requires the vault to be initialized and fails closed (a clear error) at construction if it is not, rather than leaving a stale searchable index."
-        }
-      ]
-    },
-    {
-      "heading": "Security",
-      "items": [
-        {
-          "title": "Keyed, un-correlatable full-text-search token hashes",
-          "body": "A search-index token hash is now a keyed MAC over a per-deployment key, not a static-salted digest — it cannot be forged or correlated across deployments without that key, closing the low-entropy-token correlation gap on the search index. The index remains unrecoverable from a database dump alone, as before."
-        }
-      ]
-    },
-    {
-      "heading": "Detectors",
-      "items": [
-        {
-          "title": "Hand-rolled lookup-hash check covers the split form",
-          "body": "The check that requires sealed-column lookup hashes to compose the framework primitive now also catches the across-lines hand-roll (`var salt = getDerivedHashSalt(); var hex = salt.toString(...); sha3(hex + ns + value)`), not only the single-expression form, so the bypass that the mail-store index used can't reappear."
-        }
-      ]
-    },
-    {
-      "heading": "Migration",
-      "items": [
-        {
-          "title": "Automatic, one-time full-text index rebuild",
-          "body": "No operator action is required: the rebuild runs automatically and idempotently on first open after upgrade, atomically and crash-safe (an interrupted rebuild keeps the old index and retries). The only requirement is that the vault is initialized before the mail-store is constructed. One caveat for shared stores: do not run a pre-upgrade and post-upgrade node against the same backend file concurrently across this format change — the old node would write old-format hashes the new node cannot match. Roll the deployment fully across the upgrade. This re-open condition is lifted once all nodes are on 0.14.10 or later."
-        }
-      ]
-    }
-  ]
-}

package/lib/vendor/blamejs/release-notes/v0.14.11.json

@@ -1,72 +0,0 @@
-{
-  "$schema": "../scripts/release-notes-schema.json",
-  "version": "0.14.11",
-  "date": "2026-05-31",
-  "headline": "Defensive LLM model-I/O primitives, C2PA timestamp countersignatures with CAWG identity assertions, and signed EU AI Act GPAI adherence declarations",
-  "summary": "Closes the output side of the LLM trust boundary and hardens content provenance and AI-Act attestation. b.ai.output.sanitize treats model output as untrusted and neutralizes XSS, gates every markdown-image / link and HTML src/href URL against SSRF (the EchoLeak zero-click exfiltration class, CVE-2025-32711), and flags SQL- and command-shaped fragments; b.ai.output.redact strips PII and secret disclosures. b.ai.input.classifyWithSources classifies a prompt together with its retrieval-augmented sources under a stricter, trust-tier-relative threshold, and the new b.ai.prompt namespace assembles prompts with escape-by-default boundaries — untrusted context / user segments are fenced in a per-render crypto-nonce delimiter the content cannot forge and stripped of bidi, control, zero-width, and Unicode-Tags smuggling characters. b.contentCredentials COSE signatures now carry an RFC 3161 timestamp countersignature (C2PA sigTst2, RFC 9921) verified entirely through b.tsa, so a signed manifest stays verifiable after its signing certificate expires, plus a CAWG identity assertion with trust-anchored verification. b.compliance.aiAct.gpai.declareAdherence emits a tamper-evident, ML-DSA-87-signed GPAI Code-of-Practice adherence declaration whose obligation set is derived from the regulation rather than operator-asserted.",
-  "sections": [
-    {
-      "heading": "Added",
-      "items": [
-        {
-          "title": "`b.ai.output.sanitize` and `b.ai.output.redact`",
-          "body": "A new `b.ai.output` namespace that treats LLM output as untrusted before it reaches a browser, a downstream fetcher, a SQL / command sink, or a log. `sanitize(text, opts)` neutralizes active markup via `b.guardHtml`, gates every markdown image / link and HTML `src` / `href` URL through `b.safeUrl.parse` (scheme + credential) and `b.ssrfGuard.classify` (internal / loopback / link-local / cloud-metadata IP-range) so auto-fetch URLs to attacker or internal hosts are neutralized, and flags SQL- and command-shaped fragments rather than silently repairing them. `redact(text, opts)` strips PII and secret disclosures via `b.redact` plus an entity-selectable pass (`pan` / `ssn` / `ein` / `iban` / `jwt` / `aws` / `phi` / `email` / `phone`). Defends OWASP LLM05:2025 Improper Output Handling and LLM02:2025 Sensitive Information Disclosure; the markdown-image URL gate closes the EchoLeak zero-click exfiltration class (CVE-2025-32711, CVSS 9.3)."
-        },
-        {
-          "title": "`b.ai.input.classifyWithSources`",
-          "body": "Classifies a prompt together with its retrieval-augmented (RAG) sources, applying a stricter, trust-tier-relative threshold to retrieved data. Each source is `{ id, text, trust? }` with `trust` of `trusted` / `internal` / `untrusted` (unset defaults to `untrusted`, fail-closed); untrusted and internal sources escalate to `suspicious` on a single severity-2 signal and to `malicious` on any severity-3, where the direct prompt keeps the baseline threshold. The aggregate verdict is the worst across the prompt and all sources, and every malicious source is reported in `taintedSources`. Defends indirect prompt injection from poisoned context (OWASP LLM01:2025; NIST AI 600-1)."
-        },
-        {
-          "title": "`b.ai.prompt.template`",
-          "body": "A new `b.ai.prompt` namespace for assembling LLM prompts with escape-by-default boundaries. The `system` segment is operator-trusted; `context` and `user` segments are treated as untrusted (no global opt-out — mark a segment `{ text, trusted: true }` individually). Untrusted segments are wrapped in a per-render, high-entropy delimiter nonce the content cannot forge, with any forged boundary stripped before wrapping (spotlighting / datamarking, Microsoft 2024; NIST AI 100-2e2025), and stripped of bidi overrides (CVE-2021-42574 Trojan Source), C0 controls, zero-width characters, null bytes, and Unicode Tags (U+E0000..U+E007F ASCII-smuggling). Run `b.ai.input.refuseIfMalicious` on the untrusted content as defense in depth."
-        },
-        {
-          "title": "C2PA RFC 3161 timestamp countersignature and CAWG identity assertion",
-          "body": "`b.contentCredentials.signCose` attaches an RFC 3161 timestamp countersignature (C2PA `sigTst2`, RFC 9921) and `b.contentCredentials.verifyCose` verifies it. Pass `timestamp:{ token }` to embed a TimeStampToken, or `timestamp:{}` to get back the DER `application/timestamp-query` to POST to a timestamp authority. `b.contentCredentials.attachIdentityAssertion` / `verifyIdentityAssertion` add the CAWG Identity Assertion v1.2: a signed creator / organization identity hash-bound to a manifest's referenced assertions, where the `x509` binding reports `verified:true` only when an identity trust anchor is supplied and the leaf chain verifies, and the `identity-claims-aggregator` and self-asserted paths stay `verified:false`."
-        },
-        {
-          "title": "`b.compliance.aiAct.gpai.declareAdherence` / `verifyAdherence`",
-          "body": "Signed, tamper-evident GPAI Code-of-Practice adherence declarations (Regulation (EU) 2024/1689 Art. 53(1)(a-d); Art. 55 for systemic-risk models under Art. 51(2)). The in-scope obligation set is derived from the classifier, never operator-asserted — a model at or above the 10^25-FLOP systemic-risk threshold that omits the Art. 55 chapter is refused. Each commitment's evidence reference must be a SHA3-512 digest; a malformed hash is rejected so a hollow attestation cannot bind. The declaration ships inside an ML-DSA-87-signed CycloneDX 1.6 ML-BOM via `b.ai.modelManifest`; verify re-canonicalizes before trusting any field and rejects a declaration past its validity window. Cites the GPAI Code of Practice (10 July 2025), Annex XI/XII, and Directive (EU) 2019/790 Art. 4(3)."
-        }
-      ]
-    },
-    {
-      "heading": "Security",
-      "items": [
-        {
-          "title": "Model output is now an untrusted channel by default",
-          "body": "When feeding retrieved documents into an LLM, classify them with `b.ai.input.classifyWithSources` (untrusted sources escalate on a single signal) rather than trusting model input; assemble prompts with `b.ai.prompt.template` so untrusted context / user text is fenced in a per-render crypto-nonce boundary it cannot forge; and pass model output through `b.ai.output.sanitize` / `b.ai.output.redact` before it is rendered, fetched, or logged. Each primitive is on by default and fail-closed — no opt-in flag enables the protection."
-        },
-        {
-          "title": "Timestamp verification routes only through `b.tsa.verifyToken`",
-          "body": "C2PA `sigTst2` verification performs the full RFC 3161 check (CMS signature over the signed attributes, messageDigest recompute, critical sole `id-kp-timeStamping` EKU) — never a chain-only shortcut — closing the timestamp-validation-bypass class (CVE-2025-52556, CWE-347). Supply `timestampTrustAnchorsPem` to `verifyCose` to check the timestamp certificate chain; `verifyCose` returns `{ valid, reason, claims, alg, timestamp }` and never throws."
-        }
-      ]
-    },
-    {
-      "heading": "Detectors",
-      "items": [
-        {
-          "title": "LLM output URLs must keep the SSRF gate",
-          "body": "A new check requires the output sanitizer to gate every extracted URL through both `b.safeUrl.parse` and `b.ssrfGuard.classify`, so the markdown-image SSRF gate (the EchoLeak class) cannot be silently dropped."
-        },
-        {
-          "title": "RAG sources must compose `classifyWithSources`",
-          "body": "A new check flags any code that maps `b.ai.input.classify` over a sources array by hand, which would lose the trust-tier-relative threshold for retrieved data."
-        },
-        {
-          "title": "Prompt boundaries must use a per-render nonce",
-          "body": "A new check flags prompt-assembly that wraps untrusted content in a fixed, guessable literal fence (`<user_input>`, `[DATA]`) instead of a per-render high-entropy delimiter the content cannot forge."
-        },
-        {
-          "title": "C2PA timestamp verification must route through `b.tsa`",
-          "body": "A new check flags any bespoke certificate-chain-only walk on a timestamp token in place of `b.tsa.verifyToken`, preventing a re-introduction of the timestamp-validation-bypass class."
-        },
-        {
-          "title": "GPAI adherence declarations must be signed",
-          "body": "A new check flags any code that emits the GPAI Code-of-Practice adherence property without routing it through the `b.ai.modelManifest` signed envelope, keeping the declaration tamper-evident."
-        }
-      ]
-    }
-  ]
-}

package/lib/vendor/blamejs/release-notes/v0.14.12.json

@@ -1,95 +0,0 @@
-{
-  "$schema": "../scripts/release-notes-schema.json",
-  "version": "0.14.12",
-  "date": "2026-05-31",
-  "headline": "Vault key rotation re-seals AAD-bound storage under the new root instead of silently orphaning it",
-  "summary": "Every AAD-sealed cell derives its key from the live vault root, so rotating the vault keypair changes those keys. `b.vaultRotate.rotate` previously re-sealed only legacy `vault:`-prefixed cells in `db.enc` and skipped `vault.aad:` cells, AAD-bound at-rest files, and operator-supplied AAD stores — leaving them encrypted under the retired keypair while still returning a success result and a passing round-trip verify, so the loss was invisible until the old keypair was discarded and the cells became permanently undecryptable. Rotation now re-seals `db.enc` (preserving its dataDir-bound AAD), `db.key.enc` (location-bound), every `{ aad: true }` table column, and the overflow store under the new root; refuses up front with a fail-closed error when operator-supplied AAD stores (agent idempotency / orchestrator / tenant / snapshot) are reachable unless each has been re-sealed via its module hook and explicitly acknowledged; and the round-trip verify now decrypts AAD-sealed cells under the new root and treats any cell that still opens under the old root as a regression. New explicit-root `b.vault.aad` seal / unseal / reseal primitives carry a cell from the old root to the new one while preserving its AAD tuple; `b.archive.rewrapTenant` re-wraps tenant-scoped archive envelopes; and `b.cluster` can adopt a rotated vault-key fingerprint instead of partitioning the membership during a rolling rotation.",
-  "sections": [
-    {
-      "heading": "Added",
-      "items": [
-        {
-          "title": "`b.vault.aad.sealRoot` / `unsealRoot` / `resealRoot`",
-          "body": "Explicit-root variants of the AAD seal / unseal that take a root-keypair JSON (`b.vault.getKeysJson()` output) instead of reading the live vault singleton. `resealRoot(value, aadParts, oldRootJson, newRootJson)` opens a cell under the old root and re-seals it under the new one while preserving the same AAD tuple (`table` / `rowId` / `column` / `schemaVersion`), which is what lets a rotation worker move AAD-bound state across a keypair change without altering the bound context. The default-root `b.vault.aad.seal` / `unseal` behaviour is unchanged."
-        },
-        {
-          "title": "Per-store AAD re-seal hooks on the agent primitives",
-          "body": "`b.agent.idempotency.reseal`, `b.agent.orchestrator.reseal`, `b.agent.snapshot.reseal`, and the `b.agent.tenant` registry / tenant-cell reseal paths re-seal that module's AAD-bound rows from an old root to a new root over the operator's own store. Each module also exposes an `AAD_ROTATION` descriptor naming the store the rotation pipeline cannot reach on its own, so an operator can enumerate exactly what to re-seal before a rotation."
-        },
-        {
-          "title": "`b.archive.rewrapTenant`",
-          "body": "Re-wraps a `recipient: \"tenant\"` archive envelope from an old vault root to a new one for a given `tenantId`, so a keypair rotation does not strand tenant-scoped archives. Opens the blob under the old root + tenantId, refuses a blob that is not a tenant-recipient envelope or that does not open under the supplied old root, and emits a fresh envelope bound to the new root. This is offered alongside the documented re-export path (decrypt with the old keypair, re-archive with the new one) for operators who hold the envelope but not the source."
-        },
-        {
-          "title": "Cluster vault-key rotation acceptance",
-          "body": "A vault-key rotation changes the public-key fingerprint recorded in the canonical cluster-state row, which a peer would otherwise report as `VAULT_KEY_DRIFT`. `b.cluster` configuration gains `acceptVaultKeyRotation: true` to declare the change legitimate — the node adopts the rotated fingerprint and bumps a rotation epoch instead of refusing — and an optional `expectedVaultKeyFp` that narrows acceptance to a single blessed post-rotation fingerprint. The drift guard stays in force whenever a rotation is not declared; supplying `expectedVaultKeyFp` without `acceptVaultKeyRotation` is rejected at configuration time as a misconfiguration."
-        }
-      ]
-    },
-    {
-      "heading": "Changed",
-      "items": [
-        {
-          "title": "`b.vaultRotate.rotate` refuses when reachable AAD stores are not acknowledged",
-          "body": "Because the rotation pipeline walks only `db.enc` and cannot introspect an operator's own AAD-backed stores, it now detects which AAD-store modules are loadable and throws `vault-rotate/external-aad-unresealed` unless `opts.externalAadResealed` is either `true` (you do not use those features) or an array naming every detected store (you have re-sealed each via its hook). This converts a path that previously discarded data and reported success into a fail-closed gate. The error names each store and the hook to call."
-        }
-      ]
-    },
-    {
-      "heading": "Fixed",
-      "items": [
-        {
-          "title": "Rotation re-seals `vault.aad:` cells and AAD-bound at-rest files",
-          "body": "`db.enc` is re-written bound to its dataDir-scoped AAD (it was previously re-written un-bound, silently stripping the at-rest AAD binding on every rotation), `db.key.enc` retains its location-bound AAD, and every `{ aad: true }` table column plus the overflow store is re-sealed under the new root. Previously only `vault:`-prefixed cells were carried across, so AAD-sealed data was left encrypted under the retired keypair and lost once it was discarded."
-        },
-        {
-          "title": "Round-trip verify no longer reports a false success",
-          "body": "`b.vaultRotate.verify` now samples and decrypts AAD-sealed cells under the new root and treats any cell that still decrypts under the old root as a regression, so an incomplete rotation fails verification instead of passing it. The prior verify checked only `vault:` cells and therefore reported `ok` even when AAD-sealed cells had been orphaned."
-        }
-      ]
-    },
-    {
-      "heading": "Security",
-      "items": [
-        {
-          "title": "A vault key rotation can no longer silently destroy encrypted data",
-          "body": "The orphaning path lost agent idempotency / orchestrator / tenant / snapshot state, `{ aad: true }` columns, and tenant archives with no error and a passing verify; the data became unrecoverable the moment the old keypair was retired. Rotation is now fail-closed end to end: it re-seals what it can reach, refuses to proceed past what it cannot until you acknowledge it, and verifies the result under the new root. If you performed a rotation on v0.14.11 or earlier and still hold the retired keypair, re-seal the affected cells under the current root with the explicit-root primitives before discarding it."
-        }
-      ]
-    },
-    {
-      "heading": "Detectors",
-      "items": [
-        {
-          "title": "AAD-backed store modules must expose a rotation reseal path",
-          "body": "A new check flags a module that registers an external `{ aad: true }` store but does not expose an `AAD_ROTATION` descriptor and reseal hook, which would leave its state unreachable by the rotation pipeline."
-        },
-        {
-          "title": "A root-keyed seal family must ship its reseal",
-          "body": "A new check flags adding a `sealRoot` / `unsealRoot` pair without the matching `resealRoot`, since without it a rotated cell cannot be carried from the old root to the new one."
-        },
-        {
-          "title": "Live-root AAD seals need a reseal path",
-          "body": "A new check flags a primitive that AAD-seals under the live vault root without a way to re-seal that state under a new root during rotation."
-        },
-        {
-          "title": "Tenant archive re-wrapping must compose `b.archive.rewrapTenant`",
-          "body": "A new check flags tenant-scoped archive re-wrapping that opens and re-seals a tenant envelope by hand instead of routing through `b.archive.rewrapTenant`."
-        },
-        {
-          "title": "Cluster vault-key drift needs the rotation-epoch accept gate",
-          "body": "A new check flags a cluster vault-key fingerprint comparison that hard-rejects a mismatch without honouring the `acceptVaultKeyRotation` epoch window."
-        }
-      ]
-    },
-    {
-      "heading": "Migration",
-      "items": [
-        {
-          "title": "Re-seal operator AAD stores before rotating",
-          "body": "Before calling `b.vaultRotate.rotate`, re-seal each AAD-backed store you use via its hook (`b.agent.idempotency.reseal`, `b.agent.orchestrator.reseal`, `b.agent.snapshot.reseal`, the `b.agent.tenant` `AAD_ROTATION` reseal paths) with the old and new root JSON, re-wrap tenant archives with `b.archive.rewrapTenant`, then pass `opts.externalAadResealed` as an array naming each re-sealed store. If you use none of these features, pass `opts.externalAadResealed: true`. Declare the rotation to each cluster node with `acceptVaultKeyRotation: true` so the membership adopts the new fingerprint rather than reporting drift."
-        }
-      ]
-    }
-  ]
-}

package/lib/vendor/blamejs/release-notes/v0.14.13.json

@@ -1,52 +0,0 @@
-{
-  "$schema": "../scripts/release-notes-schema.json",
-  "version": "0.14.13",
-  "date": "2026-05-31",
-  "headline": "Close advertised-but-missing surface: SRS1 chained forwarding, DCQL array-wildcard claim paths, and in-memory safe-archive extraction",
-  "summary": "Three primitives advertised a capability in their documentation or card but refused or omitted it at runtime; this release implements each. b.mail.srs gains srs1Rewrite for the SRS1 double-forward (and multi-hop) case — previously the @intro described SRS1 and create() threw, pointing at a function that was never exported. b.safeArchive gains extractToMemory, the in-memory counterpart to extract for read-only / serverless filesystems — previously the card advertised in-memory extraction but the orchestrator required a destination directory. b.auth.oid4vp.matchDcql now honours a null claims-path segment as the array wildcard the OpenID4VP DCQL spec defines, rather than refusing it as unsupported while the card advertised DCQL. A stale version-pinned wording in a safe-archive error message is corrected. Every change is additive or message-only — no existing caller changes behaviour.",
-  "sections": [
-    {
-      "heading": "Added",
-      "items": [
-        {
-          "title": "`b.mail.srs` SRS1 chained forwarding — `srs1Rewrite`",
-          "body": "`b.mail.srs.create(...)` now returns `srs1Rewrite` alongside `rewrite` / `reverse`. `srs1Rewrite(srsAddress)` chains an already-SRS0 (or SRS1) envelope-from for a further forwarding hop: it keeps the original SRS0 body verbatim, prepends the SRS0 originator's domain, and binds the pair with this forwarder's own HMAC-SHA-256 tag — no new timestamp, no repeated original local-part — emitting `SRS1=tag=originator==<SRS0-body>@thisForwarder`. `reverse()` now detects an SRS1 address, verifies this hop's tag and forwarder-domain binding, and unwraps exactly one hop back to the originator's SRS0 so a multi-hop bounce routes straight to the forwarder that can recover the original sender. Typed failure modes: `srs/not-srs0` (input not SRS-encoded), `srs/malformed` (missing the `==` separator), `srs/bad-tag` (tampered), `srs/too-long` (chain exceeds the RFC 5321 256-octet path limit). Implements the Sender Rewriting Scheme SRS1 wire format; the second-hop SPF rationale is RFC 7208 §2.4."
-        },
-        {
-          "title": "`b.safeArchive.extractToMemory` — in-memory safe extraction",
-          "body": "An async generator counterpart to `b.safeArchive.extract` for read-only / serverless filesystems: it resolves the source, sniffs the format, auto-unwraps recipient (`BAWRP`) / passphrase (`BAWPP`) envelopes, and dispatches to the zip / tar / tar.gz reader's in-memory `extractEntries()`, yielding `{ name, bytes, size }` per regular-file entry without ever writing to disk. It takes no `destination`. Every defense the disk path runs applies unchanged: the zip-bomb caps (entry-count / per-entry / total / expansion-ratio), the `b.guardArchive` metadata cascade (Zip-Slip / path-traversal / symlink-escape / encrypted-entry refusal, CVE-2025-3445 class), and the entry-type policy. The disk-only realpath-agreement check (CVE-2025-4517 PATH_MAX TOCTOU defense) is intentionally absent — there is no extraction root — so the archive-level name refusals carry containment. Trusted-stream sources are refused upfront (the adversarial-safe central-directory walk needs random access). gzip magic per RFC 1952 §2.3.1."
-        }
-      ]
-    },
-    {
-      "heading": "Fixed",
-      "items": [
-        {
-          "title": "OID4VP DCQL `null` claim-path segment now resolves the array wildcard",
-          "body": "`b.auth.oid4vp.matchDcql` previously threw `auth-oid4vp/null-path-segment-not-supported` for a `null` claims-path segment while the namespace card advertised DCQL — under-disclosing a legitimate presentation (CWE-863). Per OpenID4VP 1.0 §7.1.1 a `null` segment selects all elements of the array at that depth; the matcher now recurses over array elements with existence semantics (with DCQL value-matching applied to any selected leaf), composed to arbitrary depth. A `null` segment on a non-array node — like an integer index into a non-array, or a string key into an array — is a clean non-match, not a thrown error, because the matcher walks holder credential data rather than operator config. String and integer claim paths are byte-identical to before; only queries that previously threw now succeed or fail cleanly."
-        },
-        {
-          "title": "safe-archive trusted-stream refusal message no longer cites a stale version",
-          "body": "The thrown `safe-archive/trusted-stream-unsupported` message and its comment claimed trusted-stream extraction was \"deferred to v0.12.8 / when the v0.12.8 sequential extract path lands.\" That path shipped long ago — `b.archive.read.zip.fromTrustedStream` and the tar sequential mode exist — so the message now points at them as present capabilities and drops the version-pinned wording. The error code is unchanged."
-        }
-      ]
-    },
-    {
-      "heading": "Detectors",
-      "items": [
-        {
-          "title": "A primitive may not advertise a capability and then throw an unimplemented stub",
-          "body": "A new check flags a bare `not yet supported` / `operator demand TBD` / `not supported in v1` refusal in a lib throw string (comments excluded). A defer is only complete with a written re-open condition; the SRS1 and DCQL stubs that this release implements both carried this bare-defer shape, and the detector keeps it from re-entering."
-        },
-        {
-          "title": "DCQL `null` path segments must recurse, never refuse",
-          "body": "A new check flags the `null path segment not supported` refusal shape in `lib/auth/oid4vp.js`, so the spec-mandated array wildcard cannot be re-stubbed."
-        },
-        {
-          "title": "`extractToMemory` must stay disk-free",
-          "body": "A new check flags any `writeFileSync` / `renameSync` / `mkdirSync` / `createWriteStream` inside the `extractToMemory` generator body, so the read-only / serverless contract cannot regress into a disk write."
-        }
-      ]
-    }
-  ]
-}

package/lib/vendor/blamejs/release-notes/v0.14.14.json

@@ -1,31 +0,0 @@
-{
-  "$schema": "../scripts/release-notes-schema.json",
-  "version": "0.14.14",
-  "date": "2026-05-31",
-  "headline": "Recognized consent purposes with lawful-basis gating, and a new b.privacy namespace for annual EdTech vendor-review attestations",
-  "summary": "Closes the student-data gap where an educational-only consent purpose and an annual third-party vendor-review report were described but never implemented. b.consent gains a recognized-purpose vocabulary: a purpose value matching a recognized key carries lawful-basis constraints that grant() enforces, and the named educational-only purpose (FERPA's school-official exception and California's SOPIPA) refuses a legitimate_interests lawful basis. The new b.privacy namespace ships vendorReview(), a builder for the dated, clause-by-clause annual EdTech third-party / processor review FERPA and SOPIPA expect a school or district to keep — it computes whether every required clause (no targeted advertising, no commercial profiling, no sale of student data, deletion on request, school-official designation, and so on) is attested, names the gaps, and stamps a 365-day re-review clock. Free-form consent purposes keep working unchanged, so the vocabulary is opt-in and additive.",
-  "sections": [
-    {
-      "heading": "Added",
-      "items": [
-        {
-          "title": "`b.consent` recognized-purpose vocabulary + lawful-basis gating",
-          "body": "`b.consent.recognizedPurpose(name)` looks up a recognized purpose and `b.consent.listPurposes()` enumerates them. When a `grant({ purpose })` value matches a recognized key, `grant()` enforces that purpose's lawful-basis constraints; the `educational-only` purpose forbids a `legitimate_interests` basis (FERPA 34 CFR 99.31(a)(1) school-official exception; California SOPIPA Cal. B&P 22584; FTC school-authorized COPPA consent 16 CFR 312.5(c)(10)) and marks the data commercial-use-prohibited. The commercial-use prohibition is an operator trust-boundary obligation — `isGranted()` does not re-derive it. Any purpose value NOT in the vocabulary stays free-form and unconstrained, so existing callers are unaffected; the hash-chain column set is unchanged, so `b.consent.verify()` over existing rows is unaffected."
-        },
-        {
-          "title": "`b.privacy.vendorReview` — annual EdTech vendor-review attestation",
-          "body": "A new `b.privacy` namespace whose `vendorReview(opts)` builds the dated third-party / processor review a FERPA school-official arrangement and California SOPIPA expect for every vendor that touches student data. The operator supplies a boolean attestation per clause (educational-purpose-only, no-targeted-advertising, no-commercial-profiling, no-sale-of-student-data, security-safeguards, deletion-on-request, sub-processor-currency, breach-notification, school-official-designation, directory-information-handling); `vendorReview` validates the shape, computes whether every required clause is attested (`attested`) and which are not (`gaps`), and stamps `reviewedAt` plus a 365-day `nextReviewDueAt` re-review clock. `b.privacy.listVendorReviewClauses()` returns the clause set with citations. Operator-feeds-metadata: the frozen report is not framework-persisted — compose it into your retention / audit / export sink. A best-effort `privacy.vendor_review.recorded` audit event fires when an audit sink is wired."
-        }
-      ]
-    },
-    {
-      "heading": "Detectors",
-      "items": [
-        {
-          "title": "A gated consent purpose must go through `b.consent`",
-          "body": "A new check flags any lib code that mints a consent row with a hardcoded `educational-only` purpose literal without composing the recognized-purpose vocabulary — which would record the value while never enforcing its FERPA / SOPIPA lawful-basis constraint."
-        }
-      ]
-    }
-  ]
-}