npm - @blamejs/blamejs-shop - Versions diffs - 0.4.31 → 0.4.33 - Mend

@blamejs/blamejs-shop 0.4.31 → 0.4.33

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (343) hide show

package/lib/vendor/blamejs/test/layer-0-primitives/passkey-real-vectors.test.js ADDED Viewed

@@ -0,0 +1,429 @@
+"use strict";
+/**
+ * b.auth.passkey — REAL WebAuthn signature verification.
+ *
+ * The companion suite (passkey.test.js) stubs the vendored verifier via a
+ * require-cache override, so the actual attestation / assertion signature
+ * verification never executes there — a forged-assertion-accepted
+ * regression would pass that suite green. This suite closes that gap: it
+ * drives verifyRegistration + verifyAuthentication through the vendored
+ * verifier UNTOUCHED, with genuine WebAuthn material produced by a
+ * software authenticator built on Node's crypto.
+ *
+ * The software authenticator mints a real EC P-256 keypair, builds a
+ * spec-shaped attestationObject ("none" fmt) + authenticatorData +
+ * clientDataJSON, and signs `authenticatorData || SHA-256(clientDataJSON)`
+ * with ECDSA/SHA-256 in DER form exactly as a hardware authenticator
+ * does. The vendor's real ECDSA path (DER unwrap to raw r||s, COSE key
+ * decode, WebCrypto subtle.verify) runs against this material.
+ *
+ * Load-bearing assertions: a genuine attestation/assertion VERIFIES, and
+ * every tamper — flipped signature byte, wrong challenge, wrong origin,
+ * wrong RP ID, mutated authenticatorData, a different signing key against
+ * the victim's stored public key — is REJECTED (either verified:false or
+ * a thrown binding error). The forged-key + tampered-signature cases are
+ * the phishing-resistance proof: they only hold if the cryptographic
+ * verification actually ran.
+ */
+var crypto  = require("crypto");
+var helpers = require("../helpers");
+var b       = helpers.b;
+var check   = helpers.check;
+var passkey = b.auth.passkey;
+var RP_ID  = "example.test";
+var ORIGIN = "https://example.test";
+// ---- byte helpers ----
+function b64url(buf) { return Buffer.from(buf).toString("base64url"); }
+function sha256(buf) { return crypto.createHash("sha256").update(buf).digest(); }
+// ---- minimal deterministic CBOR encoder (ints / neg-ints / bytes / text
+// / maps) — only the subset COSE keys + the "none" attestationObject need.
+// Not a general CBOR library; just enough to feed the real verifier.
+function cborHead(major, n) {
+  if (n < 24)    return Buffer.from([(major << 5) | n]);
+  if (n < 256)   return Buffer.from([(major << 5) | 24, n]);
+  if (n < 65536) return Buffer.from([(major << 5) | 25, (n >> 8) & 0xff, n & 0xff]);
+  return Buffer.from([(major << 5) | 26,
+    (n >>> 24) & 0xff, (n >>> 16) & 0xff, (n >>> 8) & 0xff, n & 0xff]);
+}
+function cborInt(n)    { return n >= 0 ? cborHead(0, n) : cborHead(1, -n - 1); }
+function cborBytes(buf){ return Buffer.concat([cborHead(2, buf.length), buf]); }
+function cborText(s)   { var bb = Buffer.from(s, "utf8"); return Buffer.concat([cborHead(3, bb.length), bb]); }
+function cborMap(pairs){
+  var parts = [cborHead(5, pairs.length)];
+  for (var i = 0; i < pairs.length; i++) { parts.push(pairs[i][0], pairs[i][1]); }
+  return Buffer.concat(parts);
+}
+// COSE_Key for an EC2 P-256 / ES256 public key, derived from the real
+// JWK export of the Node KeyObject. { 1:2, 3:-7, -1:1, -2:x, -3:y }.
+function coseEC2PublicKey(publicKey) {
+  var jwk = publicKey.export({ format: "jwk" });
+  var x = Buffer.from(jwk.x, "base64url");
+  var y = Buffer.from(jwk.y, "base64url");
+  return cborMap([
+    [cborInt(1),  cborInt(2)],     // kty: EC2
+    [cborInt(3),  cborInt(-7)],    // alg: ES256
+    [cborInt(-1), cborInt(1)],     // crv: P-256
+    [cborInt(-2), cborBytes(x)],   // x
+    [cborInt(-3), cborBytes(y)],   // y
+  ]);
+}
+// authenticatorData = rpIdHash(32) || flags(1) || signCount(4) [|| attestedCredentialData]
+function buildAuthData(rpId, flags, signCount, attestedCredData) {
+  var rpIdHash = sha256(Buffer.from(rpId, "utf8"));
+  var f = Buffer.from([flags & 0xff]);
+  var c = Buffer.alloc(4); c.writeUInt32BE(signCount >>> 0, 0);
+  return attestedCredData
+    ? Buffer.concat([rpIdHash, f, c, attestedCredData])
+    : Buffer.concat([rpIdHash, f, c]);
+}
+// attestedCredentialData = aaguid(16) || credIdLen(2) || credId || COSE pubkey
+function buildAttestedCredData(aaguid, credId, cosePub) {
+  var len = Buffer.alloc(2); len.writeUInt16BE(credId.length, 0);
+  return Buffer.concat([aaguid, len, credId, cosePub]);
+}
+// ECDSA/SHA-256 over `data`, DER-encoded — the wire shape a real
+// WebAuthn authenticator emits (the vendor unwraps DER to raw r||s).
+function signDER(privateKey, data) {
+  return crypto.sign("sha256", data, { key: privateKey, dsaEncoding: "der" });
+}
+// authData flag bits: UP 0x01, UV 0x04, AT 0x40.
+var FLAG_UP = 0x01, FLAG_UV = 0x04, FLAG_AT = 0x40;
+// Build a fresh genuine credential + its registration response bound to a
+// given challenge. Returns the keypair, credId, COSE pubkey, and the
+// PublicKeyCredential-shaped registration response.
+function makeRegistration(challenge) {
+  var kp     = crypto.generateKeyPairSync("ec", { namedCurve: "P-256" });
+  var cose   = coseEC2PublicKey(kp.publicKey);
+  var credId = crypto.randomBytes(32);
+  var aaguid = Buffer.alloc(16, 0);
+  var authData = buildAuthData(RP_ID, FLAG_UP | FLAG_UV | FLAG_AT, 0,
+    buildAttestedCredData(aaguid, credId, cose));
+  var attObj = cborMap([
+    [cborText("fmt"),      cborText("none")],
+    [cborText("attStmt"),  cborMap([])],
+    [cborText("authData"), cborBytes(authData)],
+  ]);
+  var clientData = Buffer.from(JSON.stringify({
+    type: "webauthn.create", challenge: challenge, origin: ORIGIN, crossOrigin: false,
+  }), "utf8");
+  return {
+    keyPair: kp,
+    credId:  credId,
+    response: {
+      id:    b64url(credId),
+      rawId: b64url(credId),
+      type:  "public-key",
+      response: {
+        clientDataJSON:    b64url(clientData),
+        attestationObject: b64url(attObj),
+      },
+      clientExtensionResults: {},
+    },
+  };
+}
+// Build a genuine authentication assertion for a stored credential, signed
+// by `signingKey` (which is the real key for the genuine case, or an
+// attacker key for the forged case). signCount controls counter advance.
+function makeAssertion(signingKey, credId, challenge, signCount) {
+  var authData   = buildAuthData(RP_ID, FLAG_UP | FLAG_UV, signCount, null);
+  var clientData = Buffer.from(JSON.stringify({
+    type: "webauthn.get", challenge: challenge, origin: ORIGIN, crossOrigin: false,
+  }), "utf8");
+  var signed = Buffer.concat([authData, sha256(clientData)]);
+  var sig    = signDER(signingKey, signed);
+  return {
+    authData:   authData,
+    clientData: clientData,
+    signed:     signed,
+    sig:        sig,
+    response: {
+      id:    b64url(credId),
+      rawId: b64url(credId),
+      type:  "public-key",
+      response: {
+        clientDataJSON:    b64url(clientData),
+        authenticatorData: b64url(authData),
+        signature:         b64url(sig),
+      },
+      clientExtensionResults: {},
+    },
+  };
+}
+// Read the stored public key off a registration result across
+// vendor-version field shapes (credential.publicKey | credentialPublicKey).
+function storedPublicKey(regResult) {
+  var ri = (regResult && regResult.registrationInfo) || {};
+  if (ri.credential && ri.credential.publicKey) return ri.credential.publicKey;
+  return ri.credentialPublicKey;
+}
+// Verify and normalize the outcome to { ok, threw, code }. The verifier
+// rejects either by returning verified:false OR by throwing a binding
+// error (wrong challenge / origin / RP ID); both are "rejected".
+async function authOutcome(args) {
+  try {
+    var rv = await passkey.verifyAuthentication(args);
+    return { ok: rv && rv.verified === true, threw: false, rv: rv };
+  } catch (e) {
+    return { ok: false, threw: true, code: e.code || e.message };
+  }
+}
+async function regOutcome(args) {
+  try {
+    var rv = await passkey.verifyRegistration(args);
+    return { ok: rv && rv.verified === true, threw: false, rv: rv };
+  } catch (e) {
+    return { ok: false, threw: true, code: e.code || e.message };
+  }
+}
+// ---- Registration: genuine attestation verifies; tampers rejected ----
+async function testRegistrationGenuineAndTampered() {
+  // Mint the challenge through the real generateRegistrationOptions path.
+  var regOpts   = await passkey.startRegistration({ rpName: "Example", rpId: RP_ID, userName: "alice" });
+  var challenge = regOpts.challenge;
+  check("startRegistration returns a base64url challenge",
+        typeof challenge === "string" && helpers.b.safeBuffer.BASE64URL_RE.test(challenge));
+  var reg = makeRegistration(challenge);
+  // Genuine attestation — the real verifier must accept it.
+  var good = await regOutcome({
+    response:          reg.response,
+    expectedChallenge: challenge,
+    expectedOrigin:    ORIGIN,
+    expectedRPID:      RP_ID,
+  });
+  check("genuine registration verifies (real attestation path)", good.ok === true);
+  var pub = storedPublicKey(good.rv);
+  check("registration surfaces a COSE public key to persist",
+        Buffer.isBuffer(pub) || pub instanceof Uint8Array);
+  check("registration BE/BS flags map (single-device, not backed up)",
+        good.rv.backupEligible === false && good.rv.backupState === false);
+  // Wrong expected challenge — clientDataJSON's challenge no longer matches.
+  var badChallenge = await regOutcome({
+    response:          reg.response,
+    expectedChallenge: b64url(crypto.randomBytes(32)),
+    expectedOrigin:    ORIGIN,
+    expectedRPID:      RP_ID,
+  });
+  check("registration with wrong expectedChallenge is rejected", badChallenge.ok === false);
+  // Wrong expected origin.
+  var badOrigin = await regOutcome({
+    response:          reg.response,
+    expectedChallenge: challenge,
+    expectedOrigin:    "https://evil.test",
+    expectedRPID:      RP_ID,
+  });
+  check("registration with wrong expectedOrigin is rejected", badOrigin.ok === false);
+  // Wrong expected RP ID — the rpIdHash inside authData won't match.
+  var badRpId = await regOutcome({
+    response:          reg.response,
+    expectedChallenge: challenge,
+    expectedOrigin:    ORIGIN,
+    expectedRPID:      "evil.test",
+  });
+  check("registration with wrong expectedRPID is rejected", badRpId.ok === false);
+  // Substituted clientDataJSON challenge — re-encode the client data with
+  // a different challenge than the server expects. The verifier compares
+  // the challenge embedded in clientDataJSON against expectedChallenge, so
+  // a credential captured for one ceremony can't be replayed into another.
+  // (fmt:"none" carries no attestation signature, so attestationObject-byte
+  //  integrity is out of scope by spec — clientData binding is what guards
+  //  the registration ceremony.)
+  var swapped = JSON.parse(JSON.stringify(reg.response));
+  var otherChallenge = b64url(crypto.randomBytes(32));
+  swapped.response.clientDataJSON = b64url(Buffer.from(JSON.stringify({
+    type: "webauthn.create", challenge: otherChallenge, origin: ORIGIN, crossOrigin: false,
+  }), "utf8"));
+  var badClientData = await regOutcome({
+    response:          swapped,
+    expectedChallenge: challenge,          // server still expects the original
+    expectedOrigin:    ORIGIN,
+    expectedRPID:      RP_ID,
+  });
+  check("registration with a substituted clientDataJSON challenge is rejected",
+        badClientData.ok === false);
+}
+// ---- Authentication: genuine assertion verifies; tampers rejected ----
+async function testAuthenticationGenuineAndTampered() {
+  // Register a real credential first so we have a genuine stored pubkey.
+  var regOpts = await passkey.startRegistration({ rpName: "Example", rpId: RP_ID, userName: "bob" });
+  var reg     = makeRegistration(regOpts.challenge);
+  var regRes  = await regOutcome({
+    response:          reg.response,
+    expectedChallenge: regOpts.challenge,
+    expectedOrigin:    ORIGIN,
+    expectedRPID:      RP_ID,
+  });
+  check("setup: credential registers", regRes.ok === true);
+  var storedPub = storedPublicKey(regRes.rv);
+  // Mint an authentication challenge via the real options path.
+  var authOpts  = await passkey.startAuthentication({ rpId: RP_ID });
+  var challenge = authOpts.challenge;
+  var credential = function () {
+    return { id: b64url(reg.credId), publicKey: storedPub, counter: 0 };
+  };
+  // Genuine assertion signed with the real private key — must verify, and
+  // the signature counter must advance (clone-detection material).
+  var assertion = makeAssertion(reg.keyPair.privateKey, reg.credId, challenge, 7);
+  var good = await authOutcome({
+    response:          assertion.response,
+    expectedChallenge: challenge,
+    expectedOrigin:    ORIGIN,
+    expectedRPID:      RP_ID,
+    credential:        credential(),
+  });
+  check("genuine assertion verifies (real ECDSA signature path)", good.ok === true);
+  check("genuine assertion advances the signature counter",
+        good.rv.authenticationInfo && good.rv.authenticationInfo.newCounter === 7);
+  // --- THE LOAD-BEARING TAMPER CASES ---
+  // 1. Flipped signature byte — the cryptographic core must reject it.
+  var flipped = JSON.parse(JSON.stringify(assertion.response));
+  var sigBuf  = Buffer.from(flipped.response.signature, "base64url");
+  sigBuf[sigBuf.length - 1] ^= 0x01;
+  flipped.response.signature = b64url(sigBuf);
+  var t1 = await authOutcome({
+    response:          flipped,
+    expectedChallenge: challenge,
+    expectedOrigin:    ORIGIN,
+    expectedRPID:      RP_ID,
+    credential:        credential(),
+  });
+  check("tampered signature (1 byte flipped) is REJECTED", t1.ok === false);
+  check("tampered signature rejection comes from verification, not a throw",
+        t1.threw === false && t1.rv.verified === false);
+  // 2. Wrong expected challenge — replay/binding defense.
+  var t2 = await authOutcome({
+    response:          assertion.response,
+    expectedChallenge: b64url(crypto.randomBytes(32)),
+    expectedOrigin:    ORIGIN,
+    expectedRPID:      RP_ID,
+    credential:        credential(),
+  });
+  check("assertion with wrong expectedChallenge is REJECTED", t2.ok === false);
+  // 3. Wrong expected origin — phishing-resistance binding.
+  var t3 = await authOutcome({
+    response:          assertion.response,
+    expectedChallenge: challenge,
+    expectedOrigin:    "https://evil.test",
+    expectedRPID:      RP_ID,
+    credential:        credential(),
+  });
+  check("assertion with wrong expectedOrigin is REJECTED (phishing-resistance)", t3.ok === false);
+  // 4. Wrong expected RP ID — rpIdHash binding.
+  var t4 = await authOutcome({
+    response:          assertion.response,
+    expectedChallenge: challenge,
+    expectedOrigin:    ORIGIN,
+    expectedRPID:      "evil.test",
+    credential:        credential(),
+  });
+  check("assertion with wrong expectedRPID is REJECTED", t4.ok === false);
+  // 5. Mutated authenticatorData — the signature covers authData, so a
+  //    flipped counter byte must break verification.
+  var mutAd  = JSON.parse(JSON.stringify(assertion.response));
+  var adBuf  = Buffer.from(mutAd.response.authenticatorData, "base64url");
+  adBuf[adBuf.length - 1] ^= 0xff;
+  mutAd.response.authenticatorData = b64url(adBuf);
+  var t5 = await authOutcome({
+    response:          mutAd,
+    expectedChallenge: challenge,
+    expectedOrigin:    ORIGIN,
+    expectedRPID:      RP_ID,
+    credential:        credential(),
+  });
+  check("assertion with mutated authenticatorData is REJECTED", t5.ok === false);
+  // 6. FORGED KEY — an attacker signs with their own private key but
+  //    presents the victim's stored public key. Only a real signature
+  //    check rejects this; a stubbed verifier would accept it.
+  var attacker = crypto.generateKeyPairSync("ec", { namedCurve: "P-256" });
+  var forged   = makeAssertion(attacker.privateKey, reg.credId, challenge, 7);
+  var t6 = await authOutcome({
+    response:          forged.response,
+    expectedChallenge: challenge,
+    expectedOrigin:    ORIGIN,
+    expectedRPID:      RP_ID,
+    credential:        credential(),
+  });
+  check("FORGED assertion (attacker key vs victim pubkey) is REJECTED", t6.ok === false);
+  check("forged-key rejection comes from signature verification, not a throw",
+        t6.threw === false && t6.rv.verified === false);
+  // 7. Sanity: the same forged assertion, verified against the ATTACKER's
+  //    own public key, DOES verify — proving the forged case above fails
+  //    specifically because the key doesn't match, not for an unrelated
+  //    reason (the test is exercising the real verification, not a no-op).
+  var attackerCose = coseEC2PublicKey(attacker.publicKey);
+  var attackerReg  = makeRegistration(regOpts.challenge);
+  // build a stored-pubkey for the attacker by registering it
+  var attReg = await regOutcome({
+    response:          attackerReg.response,
+    expectedChallenge: regOpts.challenge,
+    expectedOrigin:    ORIGIN,
+    expectedRPID:      RP_ID,
+  });
+  // Re-sign with the attacker's actual registered key for an apples-to-apples check.
+  var attChallengeOpts = await passkey.startAuthentication({ rpId: RP_ID });
+  var attAssertion = makeAssertion(attackerReg.keyPair.privateKey, attackerReg.credId,
+                                   attChallengeOpts.challenge, 3);
+  var attGood = await authOutcome({
+    response:          attAssertion.response,
+    expectedChallenge: attChallengeOpts.challenge,
+    expectedOrigin:    ORIGIN,
+    expectedRPID:      RP_ID,
+    credential:        { id: b64url(attackerReg.credId), publicKey: storedPublicKey(attReg.rv), counter: 0 },
+  });
+  check("control: a genuine assertion under its OWN key verifies (proves the verifier isn't a no-op)",
+        attGood.ok === true);
+  // Reference the encoded attacker COSE key so lint sees it consumed.
+  check("attacker COSE key encodes to bytes", Buffer.isBuffer(attackerCose) && attackerCose.length > 0);
+}
+// ---- run ----
+async function run() {
+  await testRegistrationGenuineAndTampered();
+  await testAuthenticationGenuineAndTampered();
+}
+module.exports = { run: run };
+if (require.main === module) {
+  run().then(function () { console.log("OK", helpers.getChecks(), "checks"); })
+       .catch(function (e) { console.error(e.stack || e); process.exit(1); });
+}

package/lib/vendor/blamejs/test/layer-0-primitives/pqc-agent-curve.test.js CHANGED Viewed

@@ -2,11 +2,11 @@
 /**
  * b.pqcAgent — ecdhCurve negotiation surface.
  *
- * Covers the framework-default PQC-hybrid preference (now a 3-entry
- * list including SecP256r1MLKEM768), the narrowing path (subset of
- * the default), and the operator-supplied-group escape hatch
- * (allowOperatorGroups: true) including the audit emit on accepted
- * non-default groups.
+ * Covers the framework-default outbound group preference (the three
+ * ML-KEM hybrids plus the trailing classical X25519 fallback for peers
+ * that support no hybrid), the narrowing path (subset of the default),
+ * and the operator-supplied-group escape hatch (allowOperatorGroups:
+ * true) including the audit emit on accepted non-default groups.
  *
  * Run standalone: `node test/layer-0-primitives/pqc-agent-curve.test.js`
  * Or via smoke:   `node test/smoke.js`
@@ -35,6 +35,11 @@ async function testDefaultGroupList() {
   check("default ecdhCurve preserves preference order",
         ec.indexOf("SecP384r1MLKEM1024") < ec.indexOf("X25519MLKEM768") &&
         ec.indexOf("X25519MLKEM768") < ec.indexOf("SecP256r1MLKEM768"));
+  // The classical X25519 fallback is the LAST group — hybrids are always
+  // preferred; classical is only negotiated when the peer offers no hybrid.
+  var groups = ec.split(":");
+  check("default ecdhCurve ends with the classical X25519 fallback",
+        groups[groups.length - 1] === "X25519");
   agent.destroy();
 }
@@ -55,7 +60,10 @@ function testNarrowToFrameworkSubset() {
 function testRefuseUnknownGroupByDefault() {
   var threw = false;
   try {
-    b.pqcAgent.create({ ecdhCurve: "X25519" });
+    // secp256r1 (classical P-256) is a KNOWN_TLS_GROUPS entry but NOT in the
+    // framework outbound preference (the hybrids + the X25519 fallback), so
+    // it's refused without allowOperatorGroups.
+    b.pqcAgent.create({ ecdhCurve: "secp256r1" });
   } catch (e) {
     threw = e instanceof TypeError &&
             e.message.indexOf("not in the framework PQC-hybrid") !== -1 &&
@@ -86,12 +94,14 @@ async function testAllowOperatorGroupsAuditEmit() {
   var tmpDir = fs.mkdtempSync(path.join(os.tmpdir(), "blamejs-pqcagent-"));
   try {
     await setupTestDb(tmpDir);
+    // secp256r1 (classical P-256) is outside the framework preference, so it
+    // exercises the operator-group escape hatch + the acceptance audit.
     var agent = b.pqcAgent.create({
-      ecdhCurve:           "X25519",
+      ecdhCurve:           "secp256r1",
       allowOperatorGroups: true,
     });
-    check("X25519 accepted under allowOperatorGroups",
-          agent.options.ecdhCurve === "X25519");
+    check("secp256r1 accepted under allowOperatorGroups",
+          agent.options.ecdhCurve === "secp256r1");
     agent.destroy();
     await b.audit.flush();
@@ -99,8 +109,8 @@ async function testAllowOperatorGroupsAuditEmit() {
     check("audit row written for operator-group acceptance", rows.length >= 1);
     var meta = typeof rows[0].metadata === "string"
       ? JSON.parse(rows[0].metadata) : rows[0].metadata;
-    check("audit metadata carries group=X25519", meta.group === "X25519");
-    check("audit metadata carries ecdhCurve",    meta.ecdhCurve === "X25519");
+    check("audit metadata carries group=secp256r1", meta.group === "secp256r1");
+    check("audit metadata carries ecdhCurve",    meta.ecdhCurve === "secp256r1");
   } finally {
     await teardownTestDb(tmpDir);
   }

package/lib/vendor/blamejs/test/layer-0-primitives/queue-byo-db.test.js CHANGED Viewed

@@ -292,6 +292,45 @@ async function testFlowSecondPassTargetsCustomTable() {
   }
 }
+// ---- Self-registration: seal at rest without db.init ----
+// A standalone redis/sqs queue node may never run db.init in-process, so
+// the _blamejs_jobs sealed-column declaration would be absent and
+// cryptoField.sealRow would silently pass the payload through in cleartext.
+// queue.init must self-register the seal table so payloads seal regardless.
+async function testSealRegistersWithoutDbInit() {
+  var tmpDir = _tmp();
+  await setupTestDb(tmpDir);
+  try {
+    // Simulate a process where db.init never registered _blamejs_jobs with
+    // cryptoField — clear the registry, then confirm it is genuinely gone.
+    b.cryptoField.clearForTest();
+    check("self-register precondition: _blamejs_jobs schema cleared",
+          b.cryptoField.getSchema("_blamejs_jobs") === null);
+    // queue.init must self-register the seal table.
+    b.queue.init({ backends: { primary: { protocol: "local" } } });
+    check("self-register: queue.init re-registered _blamejs_jobs seal map",
+          b.cryptoField.getSchema("_blamejs_jobs") !== null);
+    await b.queue.enqueue("seal-q", { secret: "ssn-7777", token: "bearer-abc" });
+    // Read the RAW payload column. b.db.from("_blamejs_jobs") would auto-
+    // UNSEAL (it's a registered table), masking the at-rest state — so use
+    // a raw prepared SELECT to inspect the bytes actually on disk.
+    var raw = b.db.prepare("SELECT payload FROM _blamejs_jobs WHERE queueName = ?").all("seal-q");
+    check("self-register: a row exists", raw.length === 1);
+    var stored = String(raw[0].payload || "");
+    check("self-register: payload sealed at rest (no plaintext secret)",
+          stored.length > 0 && stored.indexOf("ssn-7777") === -1 && stored.indexOf("bearer-abc") === -1);
+    check("self-register: payload carries the vault seal prefix",
+          stored.indexOf("vault:") === 0);
+  } finally {
+    try { await b.queue.shutdown({ timeoutMs: 500 }); } catch (_e) {}
+    await teardownTestDb(tmpDir);
+  }
+}
 async function run() {
   await testDefaultConfigUsesFrameworkJobsTable();
   await testCustomTableRoutesRowsThere();
@@ -300,6 +339,7 @@ async function run() {
   await testSchemaQualifierIsQuoted();
   await testRejectsUnsafeTableAndSchemaAndHandle();
   await testFlowSecondPassTargetsCustomTable();
+  await testSealRegistersWithoutDbInit();
 }
 module.exports = { run: run };

package/lib/vendor/blamejs/test/layer-0-primitives/redact-dlp.test.js CHANGED Viewed

@@ -219,6 +219,85 @@ async function testIdempotentInstall() {
   h1.uninstall();
 }
+// Bug A — installForPosture is NOT auto-called by b.compliance.set; the
+// install tracking + the boot warning replace the false advertisement.
+function testIsOutboundDlpInstalledSurface() {
+  b.redact._resetForTest();
+  check("b.redact.isOutboundDlpInstalled is a function",
+    typeof b.redact.isOutboundDlpInstalled === "function");
+  check("isOutboundDlpInstalled false before any install",
+    b.redact.isOutboundDlpInstalled() === false);
+  var http = _fakeHttpClient();
+  var dlp = b.redact.installForPosture("hipaa", { httpClient: http });
+  check("isOutboundDlpInstalled true after installForPosture",
+    b.redact.isOutboundDlpInstalled() === true);
+  dlp.uninstall();
+  check("isOutboundDlpInstalled false after uninstall",
+    b.redact.isOutboundDlpInstalled() === false);
+}
+function testComplianceSetWarnsWhenDlpUnwired() {
+  b.compliance._resetForTest();
+  b.redact._resetForTest();
+  var captured = [];
+  var origAudit = b.audit.safeEmit;
+  b.audit.safeEmit = function (e) { captured.push(e); };
+  try {
+    b.compliance.set("hipaa");
+  } finally {
+    b.audit.safeEmit = origAudit;
+  }
+  var warns = captured.filter(function (e) {
+    return e.action === "compliance.posture.outbound_dlp_unwired";
+  });
+  check("compliance.set('hipaa') warns when no outbound DLP wired",
+    warns.length === 1 && warns[0].outcome === "warning" && warns[0].metadata.posture === "hipaa");
+  b.compliance._resetForTest();
+}
+function testComplianceSetNoWarnWhenDlpWired() {
+  b.compliance._resetForTest();
+  b.redact._resetForTest();
+  // Wire DLP first, then pin the posture — set() must NOT warn.
+  var http = _fakeHttpClient();
+  var dlp = b.redact.installForPosture("pci-dss", { httpClient: http });
+  var captured = [];
+  var origAudit = b.audit.safeEmit;
+  b.audit.safeEmit = function (e) { captured.push(e); };
+  try {
+    b.compliance.set("pci-dss");
+  } finally {
+    b.audit.safeEmit = origAudit;
+  }
+  var warns = captured.filter(function (e) {
+    return e.action === "compliance.posture.outbound_dlp_unwired";
+  });
+  check("compliance.set('pci-dss') does not warn when DLP wired",
+    warns.length === 0);
+  dlp.uninstall();
+  b.compliance._resetForTest();
+}
+function testComplianceSetNoWarnForNonDlpPosture() {
+  b.compliance._resetForTest();
+  b.redact._resetForTest();
+  var captured = [];
+  var origAudit = b.audit.safeEmit;
+  b.audit.safeEmit = function (e) { captured.push(e); };
+  try {
+    // sox is regulated but has no outbound-DLP classifier preset.
+    b.compliance.set("sox");
+  } finally {
+    b.audit.safeEmit = origAudit;
+  }
+  var warns = captured.filter(function (e) {
+    return e.action === "compliance.posture.outbound_dlp_unwired";
+  });
+  check("compliance.set('sox') (non-DLP-floor posture) does not warn",
+    warns.length === 0);
+  b.compliance._resetForTest();
+}
 async function run() {
   testSurface();
   testClassifierRejectsBadOpts();
@@ -232,6 +311,10 @@ async function run() {
   await testInstallWebhook();
   await testPostureWiring();
   await testIdempotentInstall();
+  testIsOutboundDlpInstalledSurface();
+  testComplianceSetWarnsWhenDlpUnwired();
+  testComplianceSetNoWarnWhenDlpWired();
+  testComplianceSetNoWarnForNonDlpPosture();
 }
 if (require.main === module) {