@blamejs/blamejs-shop 0.4.32 → 0.4.37

package/CHANGELOG.md

@@ -8,6 +8,16 @@ upgrading across more than a few patches at a time.
 
 ## v0.4.x
 
+- v0.4.37 (2026-06-13) — **Restore the production container — accept the node-owned tmpDir on Cloudflare Containers — and adopt blamejs 0.15.9 on Node 24.16.** The deploy-recovery release that fixes the container startup crash-loop at its root, and moves the framework forward. blamejs 0.15.0 made db.init fail-closed when the encrypted-at-rest working-copy tmpDir is not a recognized tmpfs mount (/dev/shm, /run/shm, /run/user, /tmp), so the decrypted copy can't leak to a persistent disk. The container sets BLAMEJS_TMPDIR=/app/tmp — a node-owned persistent path, used because Cloudflare's Firecracker runtime does not grant the non-root node user write access to /dev/shm — so every 0.15.x boot threw db/tmpdir-not-tmpfs and the container crash-looped, while edge-served pages stayed up. The container's filesystem is ephemeral (destroyed on stop, never snapshotted or replicated), so the disk-residency the guard protects against does not exist here; this release passes the documented opt-out (the db.allowNonTmpfsTmpDir flag on createApp) rather than weakening encryption-at-rest. With the container booting again, the release also adopts the latest blamejs 0.15.9 — SQLite parse-time resource caps on the raw-SQL surface, an atomic-rename retry that rides out transient file locks, and a one-call secure logout that emits Clear-Site-Data — and raises the Node floor to 24.16, the version 0.15.9 requires (the runtime was never implicated in the outage). Account, cart, checkout, and admin respond again. No migration to apply. **Changed:** *Vendored blamejs advanced to 0.15.9; Node floor raised to 24.16* — The vendored framework moves to 0.15.9 — node:sqlite handles construct with SQLITE_LIMIT_* caps (a 1 MiB statement parse-time cap and ATTACH denied on the raw-SQL surface), every final temp-to-destination rename retries through a transient file lock, and b.session.logout destroys a session and emits an RFC 9527 Clear-Site-Data header in one call. 0.15.9's engines floor is Node 24.16, so the package engines, the container base image, .nvmrc, and CI all move to 24.16; the runtime change is independent of and was not the cause of the startup issue fixed above. **Fixed:** *Container boots on Cloudflare Containers under blamejs 0.15.x* — The application now passes the documented db.allowNonTmpfsTmpDir opt-out to createApp, so the encrypted-at-rest tmpDir check accepts the node-owned /app/tmp path the container is forced to use on Cloudflare's Firecracker runtime (where the non-root node user cannot write /dev/shm). Encryption-at-rest stays on; the opt-out is sound because the container filesystem is ephemeral and is never snapshotted or replicated. Without it, blamejs 0.15.0+ fail-closes db.init at boot and the container crash-loops — which is what took account, cart, checkout, and admin offline. Operators running the container on a platform without a writable tmpfs for the app user need this flag; operators with a real tmpfs should point BLAMEJS_TMPDIR at it instead.
+
+- v0.4.36 (2026-06-13) — **Pin vendored blamejs to 0.15.6 — the production container crash-loops on 0.15.7 and 0.15.8.** A deploy-recovery release that pins the vendored framework to the last version the production container booted on. The prior release attributed the container startup crash-loop to the Node minimum, but the container stayed down on Node 24.14.1 with vendored blamejs 0.15.8 — isolating the cause to the vendored framework: blamejs 0.15.7 and 0.15.8 crash-loop the deployed container's live cluster + database-bridge startup (the process exits cleanly during boot instead of staying up and listening, so the health check fails and it restarts in a loop). The in-image build smoke runs the test suite, not the production server boot, so it passes on every version and cannot catch this. This release pins the vendored blamejs back to 0.15.6 — the last version the container booted and served on — restoring account, cart, checkout, and admin. The Node minimum stays 24.14.1; it is not implicated (the container failed on 0.15.8 with 24.14.1 too). Re-adopting blamejs 0.15.7 or later is held until the startup regression is fixed. No migration to apply. **Fixed:** *Production container boots and serves again on vendored blamejs 0.15.6* — The vendored framework is pinned back to 0.15.6, the last version the deployed container completed startup on, so account, cart, checkout, and admin respond again. blamejs 0.15.7 and 0.15.8 left the container exiting during the live cluster + database-bridge boot — a path the in-image build smoke (which runs the test suite, not the production server boot) does not exercise — so they passed every build gate yet failed to stay up once deployed. The vendored tree is pinned through the vendor pipeline with integrity hashes re-stamped.
+
+- v0.4.35 (2026-06-13) — **Restore the production container — revert the Node floor to 24.14.1 (24.16.0 crash-loops the container) and advance vendored blamejs to 0.15.8.** A deploy-recovery release that also moves the vendored framework forward. Raising the Node floor to 24.16.0 (in the prior releases) put the production container into a startup crash-loop: the application process exits cleanly during the live cluster boot instead of staying up and listening, so the platform health check fails and the container restarts in a loop. The in-image build smoke runs on Node 24.16.0 and passes — it does not exercise the live cluster + database-bridge startup the deployed container runs, so the incompatibility only surfaces on deploy. Container-backed routes (account, cart writes, checkout, admin) went down while edge-served pages stayed up. This release reverts the Node minimum to 24.14.1 — the runtime the container booted and served on — restoring those routes, and advances the vendored blamejs to 0.15.8 (whose Node floor is 24.14.1), so the framework still moves to the latest release on a runtime that works. Operators who deployed a 24.16.0-floor build on a container platform should move to this release. The Node 24.16.0 move is held pending a fix for the container-runtime incompatibility. No migration to apply. **Changed:** *Vendored blamejs advanced to 0.15.8* — The vendored framework moves to 0.15.8 (engines floor 24.14.1), refreshed through the vendor pipeline with integrity hashes re-stamped. It carries the 0.15.7/0.15.8 security and correctness work — federated-sign-in authorized-party enforcement, URL/host canonicalizer hardening, OTLP log-sink attribute redaction, and EU DSA / China PIPL compliance record-builders — none of which was implicated in the container startup issue (that was the Node runtime, confirmed by the container failing on 0.15.6 under the 24.16.0 floor too). **Fixed:** *Production container boots and serves again on Node 24.14.1* — The Node minimum is back to 24.14.1 across the container image, CI, and the package engines floor. The previous 24.16.0 floor left the deployed container exiting during the live cluster + database-bridge startup — a path the in-image build smoke (which runs the test suite, not the production server boot) cannot reach — so it passed every build gate yet failed to stay up once deployed. Account, cart, checkout, and admin respond again.
+
+- v0.4.34 (2026-06-13) — **Pin the vendored blamejs back to 0.15.6 to restore the production container; the Node 24.16.0 floor stays.** A deploy-recovery release. The vendored blamejs 0.15.7 adopted in the previous release introduced a regression on the production container's startup path: the application process completed early and exited cleanly instead of staying up and listening, so the platform health check failed and the container was restarted in a loop. Edge-served pages (home, search, product pages) stayed up throughout because they render at the edge, but container-backed routes — account, cart writes, checkout, and the admin console — stopped responding. This release pins the vendored framework back to 0.15.6, the last version the container booted and served on, restoring those routes. The Node 24.16.0 minimum from the previous release is retained — the in-image build smoke runs on Node 24.16.0 and passes, so the runtime bump is not implicated. Re-adopting blamejs 0.15.7 is deferred until its startup-path change is understood and confirmed against a live container. No migration to apply. **Fixed:** *Container-backed routes serve again* — The production container boots and stays up on vendored blamejs 0.15.6, so account, cart, checkout, and admin respond again. The previous release's 0.15.7 left the container exiting during startup — passing the in-image build smoke but failing to stay listening once deployed, which only the live boot path (cluster startup + the D1 bridge) exercises. The vendored tree is pinned back through the vendor pipeline with integrity hashes re-stamped; the Node 24.16.0 floor is unchanged.
+
+- v0.4.33 (2026-06-13) — **Raise the Node floor to 24.16.0 and refresh the vendored blamejs to 0.15.7.** A runtime and framework modernization. The minimum Node version is now 24.16.0 (the current LTS line) — the container base image, CI, and the package's engines floor all move together, so a deploy now runs on a Node that carries the latest LTS security patches. The vendored blamejs advances 0.15.6 → 0.15.7, a security and correctness release whose hardening reaches the shop by composition rather than new code: the OIDC ID-token verifier now enforces the authorized-party (azp) check, so a multi-audience token minted for a different client that also lists this shop in its audience array no longer verifies — closing a confused-deputy hole on Sign in with Google and Apple; the URL and host canonicalizer folds IPv4-mapped IPv6 addresses to their embedded IPv4 and strips trailing dots, so a dotted-IPv4 allowlist and a host comparison can't be slipped by an encoding trick on the outbound webhook and payment dials; and audited correctness fixes land in the background scheduler (a watchdog-abandoned run can no longer clobber the next run's state), the retention compliance floor (it now inherits the active compliance posture), credential rehashing (a digest shorter than the configured length is now flagged for upgrade), and SD-JWT key binding (audience and nonce now compare in constant time). No migration to apply. **Changed:** *Minimum Node is now 24.16.0* — The package engines floor, the container Dockerfile base image, the .nvmrc, and every CI runner move from Node 24.14.1 to 24.16.0 (LTS). Operators self-hosting the container or running the app directly must be on Node >= 24.16.0; it is a patch-level move within the same LTS line, so an existing 24.x install updates in place. The deployed container already builds on the new base. · *Vendored blamejs advanced 0.15.6 → 0.15.7* — The shop carries blamejs as a vendored, zero-runtime-dependency copy, refreshed through the vendor pipeline (not hand-edited) with per-file integrity hashes re-stamped. The shop's surface is unchanged — every primitive it composes kept its contract — so there is nothing to migrate; the security and correctness fixes below ride along because the shop already composes the affected primitives. **Security:** *Federated sign-in enforces the OIDC authorized-party check* — The OIDC verifier behind Sign in with Google and Apple now rejects a multi-audience ID token that omits an authorized-party (azp) claim, and any token whose azp is not this shop's client id — per OIDC Core 3.1.3.7. This closes a confused-deputy gap where a token minted for a different relying party, but whose audience array also listed this shop, would verify clean. Single-audience tokens (the common case) are unaffected. · *Outbound-host allowlist comparison resists encoding tricks* — The URL and host canonicalizer the shop runs on operator-supplied webhook endpoints (and the payment-provider dials) now folds an IPv4-mapped IPv6 address to its embedded IPv4 and strips trailing dots before any allowlist or SSRF comparison, so a dual-stack peer can no longer present one host form to the allowlist and resolve to another, and host. / host.. no longer evade a host check.
+
 - v0.4.32 (2026-06-13) — **Refresh the vendored blamejs framework to 0.15.6 — sign-in token hardening, SSRF-safe host canonicalization, and background-delivery reliability fixes.** A vendored-framework refresh from blamejs 0.14.22 to 0.15.6, picking up a run of security and correctness fixes in the foundation the shop is built on. The most shop-relevant: federated sign-in (Sign in with Google / Apple) is hardened — a SAML response whose subject confirmation omits an expiry is rejected instead of treated as fresh forever, and the OIDC ID-token verifier no longer lets a normal token skip expiry validation; the SSRF guard now canonicalizes obfuscated host and IP forms to one string before any allowlist comparison, so encoding tricks can't slip a request past the media-upload fetch or an outbound payment dial; and background delivery is more durable — a crashed publisher's in-flight outbox job is reclaimed, a server-sent-event connection caps its outbound buffer and evicts a stalled client instead of growing the heap, and a worker-pool task queued behind one that timed out is no longer dropped. The vendored tree is the single source of truth and was refreshed through the vendor pipeline, not hand-edited; per-file integrity hashes are re-stamped. No migration to apply. **Changed:** *Vendored blamejs advanced 0.14.22 → 0.15.6* — The shop carries blamejs as a vendored, zero-runtime-dependency copy; this release refreshes it across the 0.15 line. The shop's own surface is unchanged — every primitive it composes kept its contract — so there is nothing to migrate. The improvements below ride along in the foundation. **Fixed:** *Background delivery survives a crashed publisher and a slow client* — The outbox now reclaims a job left in-flight by a publisher that crashed mid-delivery, restoring at-least-once delivery for the shop's queued mail and outbound webhooks; server-sent-event connections cap their per-connection outbound buffer and evict a stalled client instead of growing memory without bound; and a background worker-pool task queued behind one that timed out is no longer silently dropped. A membership query against a sealed (encrypted) column now hashes each candidate so it returns results instead of failing, and a retention preview no longer rewrites the whole database file. **Security:** *Federated sign-in rejects unbounded and expiry-skipped assertions* — On the OIDC and SAML paths the shop uses for Sign in with Google and Apple, a SAML response whose Bearer or Holder-of-Key subject confirmation has no NotOnOrAfter is now refused rather than accepted as never-expiring, and the OIDC ID-token verifier restricts the expiry-validation bypass to back-channel-logout tokens bounded by an issued-at floor — a normal ID token can no longer be accepted past its expiry. · *SSRF allowlist comparison canonicalizes host and IP forms first* — Outbound fetches — the operator media-upload-from-URL path and the payment-provider dials — go through an SSRF guard that now collapses obfuscated host and IP encodings to a single canonical form before checking them, closing the gap where an encoding trick could present one string to the allowlist and resolve to another.
 
 - v0.4.31 (2026-06-13) — **A partial refund on a split-tender order no longer re-credits the gift card on top of the cash refund.** A refund-accounting fix. When an order was paid partly by gift card or redeemed loyalty and partly by cash, a partial refund of the cash slice returned the cash through the payment provider AND ALSO re-credited a proportional share to the gift card and loyalty balance — handing back more value than the refund. On a $50 order paid with a $20 gift card and $30 cash, a $30 refund returned $30 in cash plus $12 to the card: $42 for a $30 refund, and the over-credit landed on spendable balance. Refund accounting is now cash-first: a partial refund draws against the cash captured at checkout, and the gift-card and loyalty tenders are re-credited only for the portion of the cumulative refund that exceeds that cash. A full refund still returns every tender in full, exactly once. The gift-card and loyalty share each order was paid with is recorded at checkout so the refund path apportions correctly; orders placed before this release carry no recorded split and are treated as cash-only on partial refunds, with the full-refund path unchanged. No migration to apply. **Fixed:** *Partial refunds are cash-first on split-tender orders* — A partial refund returns value to the tender the customer was actually charged: the cash captured by the payment provider. The gift-card and loyalty balances are re-credited only once a refund exceeds the cash captured — so refunding the cash portion of a split-tender order returns just the cash, and the card is restored only by a refund that reaches into the credit-paid share or by a full refund. Previously a partial refund re-minted a proportional slice of the gift card and loyalty on every refund, returning more than the amount refunded; because that credit landed on spendable balance, the excess was real and re-usable. · *Reconcile gift-card balances touched by earlier split-tender partial refunds* — Operators who issued partial refunds on orders paid partly by gift card or loyalty before this release should review the affected gift-card balances and loyalty ledgers: those refunds may have credited value above the amount refunded. Full refunds were unaffected — they return each tender once. New refunds apportion correctly.

package/README.md

@@ -12,7 +12,7 @@ Homepage: **https://blamejs.shop**
 
 ## Requirements
 
-- Node.js LTS (>= 24.14.1)
+- Node.js LTS (>= 24.16.0)
 - For a deployable shop: a Cloudflare account (Workers, Containers, D1, R2, KV, Durable Objects). Local development works without it via `node:sqlite`.
 
 ## Install

package/lib/asset-manifest.json

@@ -1,5 +1,5 @@
 {
-  "version": "0.4.32",
+  "version": "0.4.37",
   "assets": {
     "css/admin.css": {
       "integrity": "sha384-imfe0otYErcB8rr2h6KLSGTtStirysptpXETSPY4zLv3bZoIT75Lo1dOvkOav+xL",

package/lib/vendor/MANIFEST.json

@@ -3,8 +3,8 @@
   "_about": "blamejs.shop vendors a single framework — blamejs — which itself bundles every server-side crypto/identity dependency. The transitive packages blamejs ships are surfaced in its own MANIFEST.json at lib/vendor/blamejs/lib/vendor/MANIFEST.json — Trivy / Grype rely on that nested data for CVE attribution.",
   "packages": {
     "blamejs": {
-      "version": "0.15.6",
-      "tag": "v0.15.6",
+      "version": "0.15.9",
+      "tag": "v0.15.9",
       "license": "Apache-2.0",
       "author": "blamejs contributors",
       "source": "https://github.com/blamejs/blamejs",
@@ -406,6 +406,7 @@
         "lib/did.js": "lib/vendor/blamejs/lib/did.js",
         "lib/dora.js": "lib/vendor/blamejs/lib/dora.js",
         "lib/dr-runbook.js": "lib/vendor/blamejs/lib/dr-runbook.js",
+        "lib/dsa.js": "lib/vendor/blamejs/lib/dsa.js",
         "lib/dsr.js": "lib/vendor/blamejs/lib/dsr.js",
         "lib/dual-control.js": "lib/vendor/blamejs/lib/dual-control.js",
         "lib/early-hints.js": "lib/vendor/blamejs/lib/early-hints.js",
@@ -682,6 +683,7 @@
         "lib/parsers/safe-yaml.js": "lib/vendor/blamejs/lib/parsers/safe-yaml.js",
         "lib/permissions.js": "lib/vendor/blamejs/lib/permissions.js",
         "lib/pick.js": "lib/vendor/blamejs/lib/pick.js",
+        "lib/pipl-cn.js": "lib/vendor/blamejs/lib/pipl-cn.js",
         "lib/pqc-agent.js": "lib/vendor/blamejs/lib/pqc-agent.js",
         "lib/pqc-gate.js": "lib/vendor/blamejs/lib/pqc-gate.js",
         "lib/pqc-software.js": "lib/vendor/blamejs/lib/pqc-software.js",
@@ -821,6 +823,9 @@
         "release-notes/v0.15.4.json": "lib/vendor/blamejs/release-notes/v0.15.4.json",
         "release-notes/v0.15.5.json": "lib/vendor/blamejs/release-notes/v0.15.5.json",
         "release-notes/v0.15.6.json": "lib/vendor/blamejs/release-notes/v0.15.6.json",
+        "release-notes/v0.15.7.json": "lib/vendor/blamejs/release-notes/v0.15.7.json",
+        "release-notes/v0.15.8.json": "lib/vendor/blamejs/release-notes/v0.15.8.json",
+        "release-notes/v0.15.9.json": "lib/vendor/blamejs/release-notes/v0.15.9.json",
         "release-notes/v0.2.x.json": "lib/vendor/blamejs/release-notes/v0.2.x.json",
         "release-notes/v0.3.x.json": "lib/vendor/blamejs/release-notes/v0.3.x.json",
         "release-notes/v0.4.x.json": "lib/vendor/blamejs/release-notes/v0.4.x.json",
@@ -840,6 +845,7 @@
         "scripts/gen-migrating.js": "lib/vendor/blamejs/scripts/gen-migrating.js",
         "scripts/generate-changelog-entry.js": "lib/vendor/blamejs/scripts/generate-changelog-entry.js",
         "scripts/generate-release-signing-key.js": "lib/vendor/blamejs/scripts/generate-release-signing-key.js",
+        "scripts/generate-ssdf-attestation.js": "lib/vendor/blamejs/scripts/generate-ssdf-attestation.js",
         "scripts/publish-dep-confusion-placeholder.sh": "lib/vendor/blamejs/scripts/publish-dep-confusion-placeholder.sh",
         "scripts/refresh-api-snapshot.js": "lib/vendor/blamejs/scripts/refresh-api-snapshot.js",
         "scripts/refresh-vendor-manifest.js": "lib/vendor/blamejs/scripts/refresh-vendor-manifest.js",
@@ -965,6 +971,7 @@
         "test/layer-0-primitives/asyncapi.test.js": "lib/vendor/blamejs/test/layer-0-primitives/asyncapi.test.js",
         "test/layer-0-primitives/atomic-file-conflict-path.test.js": "lib/vendor/blamejs/test/layer-0-primitives/atomic-file-conflict-path.test.js",
         "test/layer-0-primitives/atomic-file-exclusive-temp.test.js": "lib/vendor/blamejs/test/layer-0-primitives/atomic-file-exclusive-temp.test.js",
+        "test/layer-0-primitives/atomic-file-rename-retry.test.js": "lib/vendor/blamejs/test/layer-0-primitives/atomic-file-rename-retry.test.js",
         "test/layer-0-primitives/attach-user-bearer-scheme.test.js": "lib/vendor/blamejs/test/layer-0-primitives/attach-user-bearer-scheme.test.js",
         "test/layer-0-primitives/audit-checkpoint-false-rollback.test.js": "lib/vendor/blamejs/test/layer-0-primitives/audit-checkpoint-false-rollback.test.js",
         "test/layer-0-primitives/audit-cve-defensive.test.js": "lib/vendor/blamejs/test/layer-0-primitives/audit-cve-defensive.test.js",
@@ -1112,6 +1119,7 @@
         "test/layer-0-primitives/dora.test.js": "lib/vendor/blamejs/test/layer-0-primitives/dora.test.js",
         "test/layer-0-primitives/dpop-middleware-replaystore-required.test.js": "lib/vendor/blamejs/test/layer-0-primitives/dpop-middleware-replaystore-required.test.js",
         "test/layer-0-primitives/dr-runbook.test.js": "lib/vendor/blamejs/test/layer-0-primitives/dr-runbook.test.js",
+        "test/layer-0-primitives/dsa.test.js": "lib/vendor/blamejs/test/layer-0-primitives/dsa.test.js",
         "test/layer-0-primitives/dsr-state-rules.test.js": "lib/vendor/blamejs/test/layer-0-primitives/dsr-state-rules.test.js",
         "test/layer-0-primitives/dsr.test.js": "lib/vendor/blamejs/test/layer-0-primitives/dsr.test.js",
         "test/layer-0-primitives/dual-control.test.js": "lib/vendor/blamejs/test/layer-0-primitives/dual-control.test.js",
@@ -1282,6 +1290,7 @@
         "test/layer-0-primitives/passkey-real-vectors.test.js": "lib/vendor/blamejs/test/layer-0-primitives/passkey-real-vectors.test.js",
         "test/layer-0-primitives/passkey.test.js": "lib/vendor/blamejs/test/layer-0-primitives/passkey.test.js",
         "test/layer-0-primitives/permissions.test.js": "lib/vendor/blamejs/test/layer-0-primitives/permissions.test.js",
+        "test/layer-0-primitives/pipl-cn.test.js": "lib/vendor/blamejs/test/layer-0-primitives/pipl-cn.test.js",
         "test/layer-0-primitives/pqc-agent-curve.test.js": "lib/vendor/blamejs/test/layer-0-primitives/pqc-agent-curve.test.js",
         "test/layer-0-primitives/pqc-software.test.js": "lib/vendor/blamejs/test/layer-0-primitives/pqc-software.test.js",
         "test/layer-0-primitives/privacy-pass.test.js": "lib/vendor/blamejs/test/layer-0-primitives/privacy-pass.test.js",
@@ -1337,6 +1346,7 @@
         "test/layer-0-primitives/saml-subjectconfirmation-notonorafter.test.js": "lib/vendor/blamejs/test/layer-0-primitives/saml-subjectconfirmation-notonorafter.test.js",
         "test/layer-0-primitives/sandbox.test.js": "lib/vendor/blamejs/test/layer-0-primitives/sandbox.test.js",
         "test/layer-0-primitives/scheduler-exactly-once.test.js": "lib/vendor/blamejs/test/layer-0-primitives/scheduler-exactly-once.test.js",
+        "test/layer-0-primitives/scheduler-watchdog-stale-settle.test.js": "lib/vendor/blamejs/test/layer-0-primitives/scheduler-watchdog-stale-settle.test.js",
         "test/layer-0-primitives/scim-server.test.js": "lib/vendor/blamejs/test/layer-0-primitives/scim-server.test.js",
         "test/layer-0-primitives/scitt.test.js": "lib/vendor/blamejs/test/layer-0-primitives/scitt.test.js",
         "test/layer-0-primitives/sd-jwt-vc-ecdsa-p1363.test.js": "lib/vendor/blamejs/test/layer-0-primitives/sd-jwt-vc-ecdsa-p1363.test.js",
@@ -1429,10 +1439,10 @@
         ".github/workflows/actions-lint.yml": "sha256:d108da8e5eb9041ea245d9e5d6b8386f7d18b89e866663adb7fe78e0801ab68b",
         ".github/workflows/cflite_batch.yml": "sha256:802702ebad6b041b3f2f960aa4c645017e51f6455de40eb7ee92e8f83374d485",
         ".github/workflows/cflite_pr.yml": "sha256:618131bb2e66b07a74e9a70ac652aec15611ba271ca676832b7592048cd95ce7",
-        ".github/workflows/ci.yml": "sha256:d163b789948ca41f47029cd8dd0a233a96039aaa11fa71ca7243023a15201434",
+        ".github/workflows/ci.yml": "sha256:c7c0c8e22307348ff51993dc9d5cafe1f6f270bb8fa2a5aacaaaf2e223c14a9b",
         ".github/workflows/codeql.yml": "sha256:d314708c984aca73e52f888c7372d7eb1d41866ee93354302d22e6b3553fcef4",
-        ".github/workflows/npm-publish.yml": "sha256:00ef436956059ab355d312b941618dcae49037715fd24e8a3501c25e6740ceec",
-        ".github/workflows/release-container.yml": "sha256:a70fdc7a548fab4da5df8643c3082d29f9ca450470e9946b3cede3cc5ba4f734",
+        ".github/workflows/npm-publish.yml": "sha256:d7ca54674d8ba343a0b5e2e6d3a7d3c11242b54ffea1f4cc6e4b036ff51415aa",
+        ".github/workflows/release-container.yml": "sha256:12f101dd4c08590e5b109259849a2f527f767d520990663cd67a7ba51d00b605",
         ".github/workflows/scorecard.yml": "sha256:aa71fc1bb925b2e69aec2bd8dabe2f8831f0bac660ed6b0905131155af550b3d",
         ".github/workflows/sha-to-tag-verify.yml": "sha256:48166f90ab60835d9cb1dc3852389d7e39821a54353dea85b6d43fccf12779c1",
         ".github/zizmor.yml": "sha256:fe08e66c5763dfb4edf1ea33e715f04e514b1baceb3a242241d8a60793db51d2",
@@ -1442,17 +1452,17 @@
         ".npmrc": "sha256:66f104e7d07c496d2d0409988225e8c0e4ceb8d247dbcac3be75b2128d20ce66",
         ".pinact.yaml": "sha256:0213ffda55961dc49b64c0a5dfa3c0567419633b1499d57eaf7c8d842d7da6c7",
         "ARCHITECTURE.md": "sha256:9b1c8d2b1b7a41838eb348b0a008e4b4369718fd72bfe2974b37155f7536d35b",
-        "CHANGELOG.md": "sha256:5996fad1d3ec3c5ee3e9ddbbd827ae161daf913e9cf9e97729b9597370e1eade",
+        "CHANGELOG.md": "sha256:1fbff6fbb09ea0afa8f4d36223613903e7de64115e81678a6dad6731b9389aef",
         "CODE_OF_CONDUCT.md": "sha256:148a281960fff7c2fe6554dab66da572c72245ddeb00b0d14811558397bff386",
         "CONTRIBUTING.md": "sha256:bb4dbdbc8598da31dbce653a8ed322e08ff46560173f2eb67a4d684653948332",
         "GOVERNANCE.md": "sha256:906df6afb1f552b27b9acb50f7f96c47b917a2f1021cd4e987dbf4ee0e0a821b",
         "LICENSE": "sha256:d1b40781c0774cb3b2936beb466709994d164b0f7466000be5279b5ed522af65",
         "LTS-CALENDAR.md": "sha256:8ed8c0051c3d4e14637a24555751b07758fbac2678688d9e1aca2ce312bcf585",
-        "MIGRATING.md": "sha256:1d35327ec3cc92df2d967b66a9591209fca3c39db9a64163624cac5456d072b3",
+        "MIGRATING.md": "sha256:3dcc952a3d4a77d53ff60fb67cb5eb5c3a3db2449d7c71f9c4dc7f868097153c",
         "NOTICE": "sha256:f487fa47a11aca0f89e2615cdd3c713e9842abf7a30d8d328eeeae1c864aa774",
-        "README.md": "sha256:60752c2d89287fa6843132b7ab293a7ca71b7e9acb59a1b3f974366b193893c3",
-        "SECURITY.md": "sha256:be834921a43958cb7514854718c86d5d73f9d873be8fd0891822f1508c465cd5",
-        "api-snapshot.json": "sha256:a6727498f1c93ba296b9ef410b888c46436bf5fd005bc0915ede42b0d0410e04",
+        "README.md": "sha256:150eb46744302c8bc7fbb49140e7e9cf4ca9591527b25ca4d81d7ba62ce0b587",
+        "SECURITY.md": "sha256:169b7977a8d5927208df6e93f753a15324b2d14a2de17ba571bf459f5e4fa8c8",
+        "api-snapshot.json": "sha256:44c0e14ab3374aa4e06ff6d427f58de8dd2fbd052e759399154c2cbe84dd0a18",
         "assets/BlameJS_Logo.png": "sha256:3c65699753c771b48ef9ac7f45bb40815ec19a23afcdd0cd30ef4601bbbe293e",
         "assets/BlameJS_Logo.svg": "sha256:dda44f3fb1343d5de9db6b1fcdb75fc649c57e7a99a8e8239fcf852e3841e1a8",
         "bench/README.md": "sha256:74202f2507fd840bfc1ac6c681975d9273cf36cca6e0f72655f138337304033c",
@@ -1506,7 +1516,7 @@
         "examples/wiki/lib/opts-resolver.js": "sha256:d5a7f1153e265a267b899515a42726afad6ecd8921f22fe5f3d17e9b81783c05",
         "examples/wiki/lib/page-generator.js": "sha256:056cf57ad85ff89f3708e5eec54ceda40ff7fccd7ee074d9553ed74788f4eceb",
         "examples/wiki/lib/section.js": "sha256:373d86c66fbd20ad086c3929fffca5da1fd1fb4ca43bc969c43bc5f826f67eb9",
-        "examples/wiki/lib/source-comment-block-validator.js": "sha256:78713d26dcf2e3d3472989998e2526370c7df8daba7664dc35457f369f0d7f16",
+        "examples/wiki/lib/source-comment-block-validator.js": "sha256:68159925581eda94f292c8063e494835e371f33c7cda16883bab86a8495e037f",
         "examples/wiki/lib/source-doc-parser.js": "sha256:ef3dd07420e8b8e6ac8f3eedc0764b06953acb67ebb8c53bba967fceb450abd0",
         "examples/wiki/lib/symbol-index.js": "sha256:4f2bcffecf2106409c8d6e09db244fc5469402c0abf5d7c65a68bb63b7bec60b",
         "examples/wiki/migrations/0001-pages-schema.js": "sha256:2760bf17df257d9e8c96ef5740ec258782c0bf316e6ae6f9409d63c3efe0d28b",
@@ -1647,7 +1657,7 @@
         "fuzz/safe-url_seed_corpus/05-ipv6.txt": "sha256:b210575d6e9f91b70d1616c89a38bf81e66e4356dcf204a3d40f1932961d01cc",
         "fuzz/safe-url_seed_corpus/06-idn.txt": "sha256:9f163641afe7046491b09f95684e30aac38b3cbf243afb115c556ae4fc0339f0",
         "fuzz/safe-vcard.fuzz.js": "sha256:20ef167055ea75b6138bc6dc9d8cbdcf108d92be2792571a0162b849671354bd",
-        "index.js": "sha256:a9db24cac5ee729560a707a97758a2f5034fc0c6656fd477bf05f7f95e61974d",
+        "index.js": "sha256:c6eb60de189308bf427f4028d532b6bb61ac36c2df9771faad04cb3fd07fa6a9",
         "keys/release-pqc-pub.json": "sha256:38fb7f580ccc06c5682c5c3f12b43441d4fdd3e79cf57afb8b3dab3a73af290d",
         "lib/_test/crypto-fixtures.js": "sha256:91470fc813e41eeed06dee1e8fbb92d179af77eb01109c1256f7330cb2fc0980",
         "lib/a2a-tasks.js": "sha256:8308a8a00790035090ae2912030c288e0cf4eaa29134f4c73bb38ddef02a4e59",
@@ -1683,8 +1693,8 @@
         "lib/app.js": "sha256:a3633c332d36dc6ffa6bd9aa4ff25361aaf9a78a2b1e70ca7dd8f379787191e6",
         "lib/archive-adapters.js": "sha256:36bc6f985740ae6880a61b196956c909f47cb880c12bc0c601ba393e88ff9ff3",
         "lib/archive-gz.js": "sha256:18af2eab4098555abe82ad76851541ebb601f34d75ee9368a57dbd8933676a64",
-        "lib/archive-read.js": "sha256:9d9bfd0a572177b3fe542f07ed922413c76f4b8e7d7db2ff927aef2de3e99fab",
-        "lib/archive-tar-read.js": "sha256:2a4705067f42d0989ed1b5ef878a1334ef63c50c43894d780f57fb3b82180a59",
+        "lib/archive-read.js": "sha256:985869aa1bb195a5e9e421aa2a1060e15f7c8a2f235cbf9bdc953faf0b181175",
+        "lib/archive-tar-read.js": "sha256:7397b7d51e442f17ba08eee126687a99de8812379e2cf1631405c0e20938f7ad",
         "lib/archive-tar.js": "sha256:2723c58ca3dd715a15082cba958e2a4fb335356de3f3405faf23f72026f79c4d",
         "lib/archive-wrap.js": "sha256:57e075cdf386b0eea63bdbfeb856ca82931d3b6d410dfde2c6dfc595c2dbb56a",
         "lib/archive.js": "sha256:7f95e586bd50db04dc899480fbd26c771ceb7d8416de5e86d1a9e72d7d49e17f",
@@ -1694,12 +1704,12 @@
         "lib/asyncapi-bindings.js": "sha256:2f6f3d7ea836d0483e40f08b8202d78bae54bdc3d76b5faf57d918e699ebeac8",
         "lib/asyncapi-traits.js": "sha256:e6e4dc44462d14cb8f56ca87e5b2fa6df3ef78ff54d45b0730196acb85c9b00b",
         "lib/asyncapi.js": "sha256:c26da54ab6760da0043178abb85960e857b6e8f77f31dc3ced8db95760e25a00",
-        "lib/atomic-file.js": "sha256:5286a0c34812872eb9382fe3a0b6630115ba53153a6b2082d54fca74c95978b5",
+        "lib/atomic-file.js": "sha256:bf17551e8cf7bb7a5cf1950cb96552eea1d80c294db79571266cb4bd21991522",
         "lib/audit-chain.js": "sha256:4b668e4e17c858661cbe59d3234c38f25854ae4e4d960e9c870d91d9bb29fdf0",
         "lib/audit-daily-review.js": "sha256:e7214791f9682079e70ff4d9ad942ac867128782d78db1d0b53883d57bbe31b5",
         "lib/audit-sign.js": "sha256:b84ca212181a2a6181d7e26b6315638e95d7459ecdb0142705d0daab9d26714c",
         "lib/audit-tools.js": "sha256:b870b4f988b6dfb604ec1e81d51a6cc8713ca6ff0204a894106641a0c2cb01f6",
-        "lib/audit.js": "sha256:448c7b96b4f9c7e8fd58d1521684bddd4e3c130f18e12d85535ce418eaa18a02",
+        "lib/audit.js": "sha256:e64185cc31c6728f1278306db0cb723674ba6533e395012450f58996ebef172d",
         "lib/auth-bot-challenge.js": "sha256:9c9a0e0b07d4da63afc02fc88a0a8c9dd22364836718a8e8152d2e83dd04d022",
         "lib/auth-header.js": "sha256:5cc83773b69e1641d6b50929f1d6183b9532dbbff3ba53e479ac1e1056b5d01d",
         "lib/auth/aal.js": "sha256:085846a97f30310f3687837dc64368c231497bfbc9ed6e9a2cb7fdcc06ccc302",
@@ -1710,14 +1720,14 @@
         "lib/auth/bot-challenge.js": "sha256:544cc9060a68170e97ae2039d1220982f525e94eb6606837123f78143e545114",
         "lib/auth/ciba.js": "sha256:cc031a5de93632d830791c406330261fb6d5d9a8ac92adaa5f97a4844a1170bb",
         "lib/auth/dpop.js": "sha256:8d61e8bf0c54abfd0c509daf662f9cccd98e2fe5fcb3713cd5b50600842cb32c",
-        "lib/auth/elevation-grant.js": "sha256:c152c403050b08106f687e46ee85b5d80f160f6e346b5c2d278381f039eca143",
+        "lib/auth/elevation-grant.js": "sha256:cf1c498359073a29d0192f390fe767731025d7cd65c5272298ae06ee10e307e7",
         "lib/auth/fal.js": "sha256:aabf6d8095dd41dcda8a2efdb48e00e95bffe70c78991c93fbef827816918692",
         "lib/auth/fido-mds3.js": "sha256:5ddd58557a0331bb39e7606c15cb0f29fbc38fd85f51c99c93d16621db99261e",
         "lib/auth/jar.js": "sha256:f333f25a87b8c60f5f19c51d68aefba8ae8ed304e0f54a957560475359e11f7f",
         "lib/auth/jwt-external.js": "sha256:4fcf0443decf374aed4d0a328ce769df2d321981afe5a9496c57e1ef90938db7",
         "lib/auth/jwt.js": "sha256:032dec9c7a117ef728ded26ac681b846ff4b98112074aa890c499c97902cbec4",
         "lib/auth/lockout.js": "sha256:44afb265e064401fc2bedfb46673f822fb24c1ffae05cdb116949ce0f841a813",
-        "lib/auth/oauth.js": "sha256:ee0065e47039f7d3aec6d06dbc3cea04de705b6e14d44fc97ff3cca79122dc40",
+        "lib/auth/oauth.js": "sha256:9329431279faeca8021670b9c9ae9ec05071871dd389fe719e1c6b1932353495",
         "lib/auth/oid4vci.js": "sha256:f8595472abd01beb635ce03fc79e305e288ae7802587ec8f75229d2efa2c8294",
         "lib/auth/oid4vp.js": "sha256:ec2098480638e70d8b7b450242b5d158d52ac3d0f2aea59d6dfc345e8451a29f",
         "lib/auth/openid-federation.js": "sha256:04e44d1ec9c8a813bdcfb815fdc06eb09cb319ebc4bd712c9e8a8d527fa63cd3",
@@ -1727,7 +1737,7 @@
         "lib/auth/sd-jwt-vc-disclosure.js": "sha256:bc1eff5def71d2eedb6f17c8bede650050af9d790145e8697871c75ddc8431ae",
         "lib/auth/sd-jwt-vc-holder.js": "sha256:c24c447bd2ea84976ff31d66526ac90227309da20a1f8ee73e4d4425fb48f2e2",
         "lib/auth/sd-jwt-vc-issuer.js": "sha256:11a2d76bfd5fd6c24fcf9a84178b6af1efdc82bca40e12a874057fc05ed5e27f",
-        "lib/auth/sd-jwt-vc.js": "sha256:6dc4193c8ab15bae58ed23811426ed6077f15d994309b48d4441b5f2f8b9b093",
+        "lib/auth/sd-jwt-vc.js": "sha256:30c9b88e43c784e5a8e7375354311d43417947f66b052010a5448286c35fec46",
         "lib/auth/status-list.js": "sha256:354c612e45819359dd15112405d2299220772e7994cfa9f014d61688676b406f",
         "lib/auth/step-up-policy.js": "sha256:dca5810bd13d1e4d279b9d34b3e777cf2455c938502b25b41c773e513d90b379",
         "lib/auth/step-up.js": "sha256:a78833d06c3ee66ba980cb446784273ed505300dc4a84ae2b1b43558987105d0",
@@ -1753,7 +1763,7 @@
         "lib/chain-writer.js": "sha256:15ba5a9235d8692e72b3da008e330907e34d62f19c60ccc2063df83e48e3f56d",
         "lib/circuit-breaker.js": "sha256:54244401ef17e588341176cece113b39f42c55ac3cfefe8f46b5172835b26f8c",
         "lib/cli-helpers.js": "sha256:ab292718a0076b66c32fc4a19a8150c25030cb7cff4bef9363612c29cb66f119",
-        "lib/cli.js": "sha256:f7690955a08c5f1cf79eba07e38a0162c29d5d922a60f1fea05b2000498d6563",
+        "lib/cli.js": "sha256:b1adbb76040121723b26d80a34a18bc5ccf1790e9ccccdaa9c6634d70c33b992",
         "lib/client-hints.js": "sha256:946a874a97eec85beec55281cb577becc5cbac3a732ae7ac2ba9e948f61ed880",
         "lib/cloud-events.js": "sha256:001043964b61e36f62dc7f97874df3e12bbf81f75b491514b8ef18b696800ccb",
         "lib/cluster-provider-db.js": "sha256:d480a0afe22b5a083b4bfbdcf337d08a3a4a79307f35fb819c4e9a75f03bd02e",
@@ -1771,8 +1781,8 @@
         "lib/compliance-sanctions-fetcher.js": "sha256:a059b095c1e3c287339678ab55d7dbcd0f6f3ce813d106746379cd4a07b9293e",
         "lib/compliance-sanctions-fuzzy.js": "sha256:ec6f76fc40a245ff40a36f59a4d81ac8f20c16c2dbf9462e5c78bb58cbe36ba4",
         "lib/compliance-sanctions.js": "sha256:9c924bce4d6fbdd884f6aac385537b5798006569f6370184530f3ef39a64f712",
-        "lib/compliance.js": "sha256:1c2d779d1a208c20f2847915f96aa7374b2c21d81fbbfb4af2638cd398f2eeee",
-        "lib/config-drift.js": "sha256:94609b873a75c82d21671ebb4c22b2bf4135bdae7b5a355600f68c4caddd02f3",
+        "lib/compliance.js": "sha256:c6fe0a6398a511f7d8f607345f603e91c2c1708e841527ba9e4b5747a7eff5bc",
+        "lib/config-drift.js": "sha256:24496ad850c4ca473ceb1478e642613480a813a16704d93ada3d19901087a606",
         "lib/config.js": "sha256:07e20539293e9e365690addc902bc623e213c5ece972dc5b72199b375a17e66d",
         "lib/consent.js": "sha256:7a101c997ad040a2845648670b866425935c3cda96a48dc678723ca2cd20f76d",
         "lib/constants.js": "sha256:b64ae02d0ad14def9b572d446aab267f67c458de7e9073c6701786159a6e7960",
@@ -1782,7 +1792,7 @@
         "lib/cose.js": "sha256:8fccd8381b9a4135aeae54b1b951e9639a8df5f9764440122c93c42b748e6e23",
         "lib/cra-report.js": "sha256:cbfba4d6646f4d32e798594dbc8994cb8b49df65c965691122a93ddf7129539a",
         "lib/crdt.js": "sha256:66389cd4aa692b0b6c23404ab3ad1e33de97aebbb4c2c94beb66c09420244fea",
-        "lib/credential-hash.js": "sha256:963e2cac21590d42bbe2b56e3d21311396600428589df93e66831f3cc3ce3d2f",
+        "lib/credential-hash.js": "sha256:9f4bf10f3ee86f03fba90e32778d99e0f9eb5966b826cbd1dc83e6c55000400e",
         "lib/crypto-field.js": "sha256:a321452dd8f36da31eca75676c646e00b3d8134963e09478e2060c185f2ae024",
         "lib/crypto-hpke-pq.js": "sha256:f086e23f4f80de9d0713826890bf8bafc0a8ddfa53fe7e87f5a0fed8ffa35caf",
         "lib/crypto-hpke.js": "sha256:e9fb595fc16206237edeb738bfe4b037eeee91de9558e09ffe41e0f1e37558a7",
@@ -1802,7 +1812,7 @@
         "lib/db-query.js": "sha256:ff10f1ff5be12be39b6fe6f000562fa03165b4e58b0b2e862c575659be8fd75d",
         "lib/db-role-context.js": "sha256:fa97dd17a8de1278a76a01d7979c3c847295c5efe1f14ab90701ca0e98f9bd3b",
         "lib/db-schema.js": "sha256:b504b64f47b07c4756f81a4c585c009401be06bffe9bd993af3afd1c0c92e28d",
-        "lib/db.js": "sha256:95bc3a11af666e28b2c93fbc0ee7e75baee53e6451f9f5be7c59b94b34b264b7",
+        "lib/db.js": "sha256:62b43de136f62548867a048a27f9f5b9cda0329fd07bcc98bc3b9c4674e2eb49",
         "lib/dbsc.js": "sha256:37942972918443cf6ce192524dff61c2ac360b95f27d5e514ce7d665a288ea93",
         "lib/ddl-change-control.js": "sha256:efda2a1618e0bf0b5221d59a8eaebec1958cea5394c3b101daf7e209724e3e5c",
         "lib/deprecate.js": "sha256:95d227e20cd0b7f1ba5314e0c09432c23ebd405de0d5057f2527e2602cdcf21c",
@@ -1810,6 +1820,7 @@
         "lib/did.js": "sha256:1836e2c7ddbe84cf02576bab00972e142e33b502f54e97132c2e003e522b3c2d",
         "lib/dora.js": "sha256:21f1cfc8f4fc0a3c95023459e406ff5624cbfd4dba79025fa81a211a01cbf9d1",
         "lib/dr-runbook.js": "sha256:b11c0f229f1a410ca4268456eefb14a1c0eca16a5d972bd883f97840896dedf0",
+        "lib/dsa.js": "sha256:f056992797b0bc9ab1b83423a440773e68dcc874173f349d8b3ea72826354f40",
         "lib/dsr.js": "sha256:ef74ea980fb327350e7bfcf3d3570b6c3e17a6670f751bded5412a7c02b38b76",
         "lib/dual-control.js": "sha256:7b0bc61722be7df45d2ae161ed2a2ec7e33ac5f118175f29b4c58fec364b54e3",
         "lib/early-hints.js": "sha256:c50ffcf15192bc37a51d0a76d451da01583f288aefbbf9cb57423f05944031da",
@@ -1830,7 +1841,7 @@
         "lib/flag-targeting.js": "sha256:c2b5096e04dcaa98435c66cfa6b1aae02d0da708ca7e96f810627ef38e669309",
         "lib/flag.js": "sha256:3eab2c7e2f86fdf0a099d4ba287ec69486ee985c5496077ce79167979f6fccaf",
         "lib/forms.js": "sha256:ffe0cbff94588efc021038164f44eef87909a6588e84df6cddbfa994975b33d5",
-        "lib/framework-error.js": "sha256:805ca4e37afa442a77f4f4d746c54f72971ecce6a5b8188fa52609306d56cc50",
+        "lib/framework-error.js": "sha256:930000ec6163ebcbf8ecf8c6e9d088f934a59991f53d221b049e044c038c8295",
         "lib/framework-files.js": "sha256:689fb8e65ef70633c8ab40f874346fd5f818bdc182690f362545667bf9b5e607",
         "lib/framework-schema.js": "sha256:9fa41be8dce62f7516c46d1d62f98ead1b663658b81030ba034ab904ca234d52",
         "lib/framework-sha1-hibp.js": "sha256:07f0e4032c988e3543872ab03a0898e3d1c0791b02a2089686da9d0032b5ffeb",
@@ -1901,7 +1912,7 @@
         "lib/html-balance.js": "sha256:325db4349ac4c968704e295f2c8cbec330c2d64908c89e9192ab443572c14910",
         "lib/http-client-cache.js": "sha256:5bc95d801cffbde654d5216963dec888ff12ff150c2e82129f0f6d1dbb88b6cf",
         "lib/http-client-cookie-jar.js": "sha256:d0e859a9b548a3dc97e3418a1698b27336021f8f7d6c5327b2004dd710fa06dc",
-        "lib/http-client.js": "sha256:729bb0b99f37f0bc2240baa1f4fadbb8c4663e33498560fd54e89dcab343d771",
+        "lib/http-client.js": "sha256:812c9261a86a2133d158ce80883263f755656619998aedb140beb02df03e5101",
         "lib/http-message-signature.js": "sha256:9aae3f9231c607d4fdc7693aa8b473744af807bff07b7c50c3cf1bd0b07a3283",
         "lib/http2-teardown.js": "sha256:61d291c34e321e18b64d60a4c0253e638550fff7dc32568b980d3aa13bb178e2",
         "lib/i18n-messageformat.js": "sha256:9f7cc5761f9343e87a210b58706eed01fbfb66c563ad479e75a492b1365a25a1",
@@ -1926,11 +1937,11 @@
         "lib/lazy-require.js": "sha256:1ac3c23e6d59e7c2d5c58e9245703506d4a88244f214b37b972c30b2d947b60c",
         "lib/legal-hold.js": "sha256:acb087dfdd857157e012de19e576c6b73e2ca0cc9f9d5235dda394da815bab24",
         "lib/link-header.js": "sha256:145387aeccc1eb6cfa63d42a7690c166673df5b0fc2dd77b69654d293f36a153",
-        "lib/local-db-thin.js": "sha256:a159fa3020233c9c81fba00668a2cee91238b42c2a6c26543399550d2751c235",
+        "lib/local-db-thin.js": "sha256:8f563e6c7fe1c52458405fd23d3f43ade5289c982101b76f9abf87c1eb7db484",
         "lib/log-stream-cloudwatch.js": "sha256:0482086871bfb0de4a0039a8d90556a2730fa61c59da9749e09380f754967b73",
-        "lib/log-stream-local.js": "sha256:4ce394dd251504c5a280e0d7c2e5e570110a7a648789ccb7b3069733604f6611",
-        "lib/log-stream-otlp-grpc.js": "sha256:9881f4634a32a34621b230085cc388714d2e22194e7a01a59961131b16880b97",
-        "lib/log-stream-otlp.js": "sha256:1d1f15b95dd2eaf3600962e3a381f9f4f4a03818ad29d21ac5ddabd60bfb3626",
+        "lib/log-stream-local.js": "sha256:1b0926149cf08fb61f2dd55914c5442b1659d322fe6235e473f941e19483d37e",
+        "lib/log-stream-otlp-grpc.js": "sha256:cc1dea9411030d0c468e86331143fad25a0f79757b25dd0866646be55abae298",
+        "lib/log-stream-otlp.js": "sha256:715c666c29e822fe48881edde0520009dc4c0506f6ae39a75560d99e8e74e319",
         "lib/log-stream-syslog.js": "sha256:21ded5786bb01d1791e5687d77c2dd710f8a0330750d32a740afb9c4700ffb77",
         "lib/log-stream-webhook.js": "sha256:390d771da48b3b084d1438f05a348ca34390084d5972074f75742110718e4622",
         "lib/log-stream.js": "sha256:9ffda79044835670fba447876b617b1d5cef0592abf08b52167e2ae7b6bcdba7",
@@ -1986,7 +1997,7 @@
         "lib/middleware/body-parser.js": "sha256:2016447bd64afe411ca6b4fc322408de032663da646577fba635c70d362c7bdb",
         "lib/middleware/bot-disclose.js": "sha256:823431fadefe867ab4e60f25fd53cce8c9e67563bf56e003fa35e8a29881ae0f",
         "lib/middleware/bot-guard.js": "sha256:804c5925d87583ccb7660dfe597d37234f1ae823e6751f4121de5626629f6102",
-        "lib/middleware/clear-site-data.js": "sha256:3a5e232119d39c0fa8148fd5483c52464a1cf6b12147d72f0078d420a4f18d7e",
+        "lib/middleware/clear-site-data.js": "sha256:6bd806673e0a12ac284bad04ab3dbce7ece25ab523e81ed057665acb593b5023",
         "lib/middleware/compose-pipeline.js": "sha256:160719627523db40f35bfada8c9df670c93ffec042890698936497c2c0f20bdb",
         "lib/middleware/compression.js": "sha256:0c51bab49458af588e8e74725e3d40b281940c4bd942a8ee47c756f999b9c7a6",
         "lib/middleware/cookies.js": "sha256:a286f947b343313c21f620c4a36eed66fe44dea4c8bc32b230559d877aaf9b4c",
@@ -2036,7 +2047,7 @@
         "lib/migrations.js": "sha256:eba38bb3b30ce7915576087af0ef8baaf37b1db9c27f3b0fb32b262592a34933",
         "lib/mime-parse.js": "sha256:9f6e685e1c18883fbd219823a11b4e06e602d5453add8cc845d2d78df93f1781",
         "lib/money.js": "sha256:423e7f03bb490fc5ede6dab0c624b39629cf8cce2d9871e62f8e0d7d4d3abca8",
-        "lib/mtls-ca.js": "sha256:da4b527a88a4ab2c1299f814ac2d3b32597c094865e29e5751a3c6c500fef1bd",
+        "lib/mtls-ca.js": "sha256:30b620b58e30f322dc32542b65a5db8ae770b9e9d05127664a38e18b9eb68bd4",
         "lib/mtls-engine-default.js": "sha256:bb2e47de5b8a6fa03f433c4c8ecc02fc7e7841f9eff97a36e7a4379880c81cd7",
         "lib/network-byte-quota.js": "sha256:f07b3eb80e7091101b8eeae069f41aaaba91f93ebe703513e1195e9f41464a2a",
         "lib/network-dane.js": "sha256:1ef443337d0b954735932271e3f60452fb60d83fd1e8d24b5d363d9b93458bf4",
@@ -2069,7 +2080,7 @@
         "lib/object-store/sigv4.js": "sha256:a0342e3107d208ae46fbe9db77a8e5bdc911ed8aba72efb2c4a905b6df2be3b5",
         "lib/observability-otlp-exporter.js": "sha256:8a78ce733f87f8b83414b050a85ce243b13e2a268c501504f5e2f153dfcf04f6",
         "lib/observability-tracer.js": "sha256:ab005ecba1ac73c776f038a3957637497fe71fe871cb6a8ec3dbd79339ec9e96",
-        "lib/observability.js": "sha256:59348e1956aad86bc5a9de90304293c720cf54642a013066ab759aab934ed9da",
+        "lib/observability.js": "sha256:fd581572fb0116f1be8a74b25a7b96d9ccb5722af2a51832d1f88819f30ed7bf",
         "lib/openapi-paths-builder.js": "sha256:dee2b700562b6f7c8815f00bae7fc0928dd391ce5379ab970ba2c2b5f8134175",
         "lib/openapi-schema-walk.js": "sha256:8a46b681dce7887902f59a86adf3fc6226eeb903e5205228a7397f7fec036efe",
         "lib/openapi-security.js": "sha256:091ca0f5ee89bda7474850eecb90be9501054f28390e9825139e1cad2bf997d7",
@@ -2086,6 +2097,7 @@
         "lib/parsers/safe-yaml.js": "sha256:0b0edde55ccdd7b76da6e215baa3dd43519371157841db16246247ff818ffdfc",
         "lib/permissions.js": "sha256:86ecd3bbf80c65dacdf4a98101d421fa9d97a8632d11c34e578c9b23334b4e9d",
         "lib/pick.js": "sha256:928f912af380154ff2aa380419e5a5fbd979f85d90b49bb0b538d75cfb016852",
+        "lib/pipl-cn.js": "sha256:3cc63a68fda3db7210c5c7fa35a5f4c38d389ce8e20acec7d314c811b25699ea",
         "lib/pqc-agent.js": "sha256:47319cf87a43d93ded8e8b4e3e52d156c8d57b0053fe6ca53ed2b8b8d8259c40",
         "lib/pqc-gate.js": "sha256:18a8c7bc9f01a5ce2a87f22474e4601ae0ad99d4264f0f7c5c85e5ca0c2c68c2",
         "lib/pqc-software.js": "sha256:0945fa073cbf3683b6e524a868155eb966285d7409432cef6de85f7b1a9290e7",
@@ -2110,9 +2122,9 @@
         "lib/request-helpers.js": "sha256:d42afee7dbcc34d654d6d73cf3328cce8dfdff5c87930f87c61837591f7c7441",
         "lib/resource-access-lock.js": "sha256:87d2efdf2e1a3b8ee58f693c40718590d725d2fbd4b08a93be01aaa8917833f7",
         "lib/restore-bundle.js": "sha256:ad3b5cf880a38724bb5aa1b1bb5bdf6995a856ff1e8bbb34097c2082d1ce18d5",
-        "lib/restore-rollback.js": "sha256:d318a1af8224d0528a76016369b185e06e70967c696c775170af07dbfaa83ab6",
+        "lib/restore-rollback.js": "sha256:5de724d418a48f1c9c3332a2c6d20ab734f2c0cf76382f11a8e939a66f89d9f5",
         "lib/restore.js": "sha256:bb2607ac36c2ab4d94115fba14f6ed71bf071bdddf74bd8e6c1be939982d3de4",
-        "lib/retention.js": "sha256:c52b7b274a7c38569a6fada92ff5be2a7e950d218c06cc7dcee574aa688beaee",
+        "lib/retention.js": "sha256:c63a61c6145f694a9acdbda68466a80d21e59835f66e8cdfa842941c11d64ea0",
         "lib/retry.js": "sha256:785a4e7bad551354b8b84d5c01092fcfde88b49bf8ff646557b28fbb3d25302e",
         "lib/rfc3339.js": "sha256:b318c45be3834ccbcddfa5d4773d88c6a558cd184e21c15a4021d1b5693c55f6",
         "lib/router.js": "sha256:88c2f3883e2f174a3a0970b2c36a0a01fe6be352a5087ee02924705da054dc6e",
@@ -2137,22 +2149,22 @@
         "lib/safe-vcard.js": "sha256:7dc386eda93567c5ce5bea020268067507a5de0a4655212a5809eeb0ece71c74",
         "lib/sandbox-worker.js": "sha256:d3c1ddc96f1ebee2a31ec9d788dff064bc5a969478f0a434594498013ab50cb0",
         "lib/sandbox.js": "sha256:4a29b5ddb067c0ebbd9680ef0e55b562e1da9472b942c7fbe4915d7936e7c0a5",
-        "lib/scheduler.js": "sha256:aa98b96e5ad557834e2d45d6614a60f5010d32797f6c46776aaaa0f9b3678320",
+        "lib/scheduler.js": "sha256:f71e251e085475ee8bedac8379ee05c66d5eb12b7496f58ece9db2c5f18a0041",
         "lib/scitt.js": "sha256:c094cef31630aed5dc7adbf494701ab0a825c79a4e406277cbc757ce54bfec9f",
         "lib/sd-notify.js": "sha256:2ef7395bbdab2ac4eb96083c57d401921c94278545f14427fc88cdd970bdb9eb",
         "lib/sec-cyber.js": "sha256:1af157cc5024f5c0b408e8f921d7b671df56315f9e438415eafc7fb031c4a76c",
         "lib/security-assert.js": "sha256:4a98cec339c0b421534fc650c9500fe8a1b39f89181d651a58a13e2ff9a8ae0f",
         "lib/seeders.js": "sha256:3a1582bef19a24aab5c6253c6e273210901f3cad5ae66d713a147214f7694c52",
         "lib/self-update-standalone-verifier.js": "sha256:66a946cf9a1567a0ad6f288a4a919085e46e388c634fd6de341033df6ac56b94",
-        "lib/self-update.js": "sha256:060ccb505345f724d5e85669523406646474534cd37a0055c9b2042117e355e1",
+        "lib/self-update.js": "sha256:1b44a062249705a7c4b8cc7fb5b5de81da6d08d0833aadc690d16e48d67d982b",
         "lib/server-timing.js": "sha256:74f2556480363c860a7c80a3f2bc1adb68fee53aa4335059069fae66a1eb627c",
         "lib/session-device-binding.js": "sha256:9bdae416fef6f0ece95a49f047531af7119c3e5384a7dced8af89c0c45e7874e",
         "lib/session-stores.js": "sha256:b79de919061a2bfeb090185bcc511919fb01d3e7a495fe0a7c711cf6cf65137b",
-        "lib/session.js": "sha256:37e2e1ac9af5a9404e40abaeb059600e1fbaacac23c6d87671ba07e775c58a49",
+        "lib/session.js": "sha256:08631c5e2a2f8c80d61f7a800637ab4f92ecc4b3b7bc305eb90a8eb591c6e3d2",
         "lib/slug.js": "sha256:bcebb078559528e6bb50a6244633d425ffdd861bb7a708c2b201eae3b3c44b35",
         "lib/sql.js": "sha256:1a2ce0a5ab1b0aef28b667572c3ea655b287f58aa61983ed6fb6e2375c820f59",
         "lib/sse.js": "sha256:bdadec1c0ed962908275716dd635c3f30517d1a9bef19782564cb6ad2ad02b16",
-        "lib/ssrf-guard.js": "sha256:6b9043e6b2889e6deb901d627a8b46a7bfe456def4b59c4d5c78a11128192341",
+        "lib/ssrf-guard.js": "sha256:65d3d1bf6841064cdf9b9e7ffb5a0a3ac9358e462943f5de09087640353dfac4",
         "lib/standard-webhooks.js": "sha256:e604534d48202a41f2c9f6954a990731db80d0693794d3a80f371f843490ff57",
         "lib/static.js": "sha256:e9a3d3b3b6d1f67eac9d76b37dfcd14c996f1199453164994e9767dadb066867",
         "lib/storage.js": "sha256:cbafff8732f6220001ab65eb8d6faae932a2515648e2f7cbd6f3ff372b4d2e20",
@@ -2174,7 +2186,7 @@
         "lib/validate-opts.js": "sha256:cefcb9256f8676f6ce6fa3c796467643ae44692078bb00c4c5b49ec20652aba9",
         "lib/vault-aad.js": "sha256:c728cfdc38cdd0e6a38b2c3353431a22aca7724b7bb0b8eebaf8f00c0087aa7b",
         "lib/vault/index.js": "sha256:47dc94fac353d6457f0456ce3ef1dfb225f10fcd2d1b479337b42f46a8bdbaa6",
-        "lib/vault/passphrase-ops.js": "sha256:b789bb3e1430ade152fb60df4aa81c2cdce58b399c752a55c5ff93202f070868",
+        "lib/vault/passphrase-ops.js": "sha256:094883b5c33a436b467d5e27a4ff6f6349256d9e1fe58d3d22ba02dd743c8925",
         "lib/vault/passphrase-source.js": "sha256:33d869d7d3aa55dd96dda7b82be50253b844c2f5b2a546a3f67e5e2c483d9306",
         "lib/vault/rotate.js": "sha256:b6828edeae90f6448d0e382d599ae7b22ac7552772a76b7f48035bb8d4fd0723",
         "lib/vault/seal-pem-file.js": "sha256:b3df47212003e23d8283a2d9d18389893af10018dc7c3f9c8afb02aa9ba31ee8",
@@ -2196,7 +2208,7 @@
         "lib/vendor/simplewebauthn-server.cjs": "sha256:f359a782ac57e3ff56ac71083d17f5c082f88ab49d645fc2bede398b47adebdb",
         "lib/vendor/vendor-data-pubkey.js": "sha256:a12afa34cd7472e2eaebad2fcd44714102d3edd0601e45769404124a513926d0",
         "lib/vex.js": "sha256:9eed3a322ce4679fe1930f83d406f0fcabb05d6f2cde18beafa2371774f894bf",
-        "lib/watcher.js": "sha256:e2b0809107673ffcffaa03e6c8eb26d1d4b4c5badff5b106b3ca17c7120a032a",
+        "lib/watcher.js": "sha256:8618da919affabbe4c4d33915647b3ee4b27e6ea091638f032d4bfead797baf8",
         "lib/web-push-vapid.js": "sha256:55b2e1243f9d846b30a75746f0a98b2b6f75cacba3ea82d6422ea5bf084abefb",
         "lib/webhook.js": "sha256:36d86e9ee329256a0d6bfe6598a4758dc2cb873a0fa535d3a4dcc96e748d9bd3",
         "lib/websocket-channels.js": "sha256:3f89d92906d9a4fcc13786e996ddc140d2792d6d689ed550391fe28a247442c8",
@@ -2210,7 +2222,7 @@
         "oss-fuzz/projects/blamejs/README.md": "sha256:ae13b7bb79ed8d69b1b3276e5562807a0349fb6e6b7d11cf1f683aad1eafdb4b",
         "oss-fuzz/projects/blamejs/build.sh": "sha256:0ced1cf21782c97be7f8d74faf5e27a308b60b2f858836fb5ca3b8c4e939a8f7",
         "oss-fuzz/projects/blamejs/project.yaml": "sha256:59f2cb83aa622325a175b77416fe155be15b70a9c798bd1a78bba05763b1b03d",
-        "package.json": "sha256:b2f31aa548f6a3843f1eb6bae5a6793b5588d200ace97d8220883853c2d94150",
+        "package.json": "sha256:694b07eb18afa4c73f5bcb288b4b6d98365da7473857950af3d3d35a14e19292",
         "release-notes/v0.0.x.json": "sha256:7a49819f30068ee119000cad7010194882bb8bfaa12acbdab4dfc066efb7982f",
         "release-notes/v0.1.x.json": "sha256:6742a8c17f947c5cb76f69dead7eea86b942d80621d914b774ba5488e09937e5",
         "release-notes/v0.10.x.json": "sha256:fe498045daf88337bd3d987e5964aa42c99a50e1685b6f09e51f698b8687726f",
@@ -2225,6 +2237,9 @@
         "release-notes/v0.15.4.json": "sha256:6ac7fa0ef1728c27e71b2050d1b07a810f9b4b1440ccddbf28ad56e2f54d8585",
         "release-notes/v0.15.5.json": "sha256:cca1d0edd5d6fc41b512d19d98be224b990dcab41478622c11962f0fcb1bb09a",
         "release-notes/v0.15.6.json": "sha256:0e3b9e5e43b70b61dd258c3003d1b8729cd3c26c62a34dedcca81bbec5d31077",
+        "release-notes/v0.15.7.json": "sha256:b7d153b3528bae9415739cae57202eea18085d0b6214e10dfe69c1486acae783",
+        "release-notes/v0.15.8.json": "sha256:1026125b050f9a155f3b4c595556de0fe3bc2675261aab5db1eef01590208364",
+        "release-notes/v0.15.9.json": "sha256:df705aab619e6105db447da5f53995a0db0916495257c704a2ffe3890f135529",
         "release-notes/v0.2.x.json": "sha256:985e27ff5de04cfc7869a3986dd0b9f0fcdfcddfb67d3fae3f4ae70856722d7e",
         "release-notes/v0.3.x.json": "sha256:e2db5eae66977b272bb185cad668386afb8fd33998a17c22eb6e411c0f8ca588",
         "release-notes/v0.4.x.json": "sha256:c3d19cb9c50a976432fc0bb612c87741d8728ae37562b501e6f1eccd01dd574d",
@@ -2241,9 +2256,10 @@
         "scripts/check-services.js": "sha256:8c07b049fc899827c2d1ef2c136a3d0c3c43143b1546f28e44739ecec187f777",
         "scripts/check-vendor-currency.js": "sha256:652482b3b228fe933946082646a6cac203a2bae7ba0c45fead11627bbd179c31",
         "scripts/consolidate-release-notes.js": "sha256:620de442c834fa99a7b668b93cf8788384a0aa802ce419953459c88451d8ec73",
-        "scripts/gen-migrating.js": "sha256:1e652c28f348dd8b08e19794541824450ff3fe5ce92b8740ae3c97a6f3e92c08",
+        "scripts/gen-migrating.js": "sha256:2177f6b9bf60d6e9c161a0419caa248d2bef9eb7beb5223a10e8cab3ecc555b1",
         "scripts/generate-changelog-entry.js": "sha256:2c0a1a395d2d1b30c1679883c694e27dc6f8e73d950c4deeb118ef5a4f01fd12",
         "scripts/generate-release-signing-key.js": "sha256:3d4cc30a446a8a358b6180a5be7e4e88f2e1722fb1567f4379a335ffc03a50d9",
+        "scripts/generate-ssdf-attestation.js": "sha256:7e57ed8e47375ff48f1e505812bd2a8d7d3dbc555d3d5fa935a6ca8ac9b2810e",
         "scripts/publish-dep-confusion-placeholder.sh": "sha256:f6ea193c7f79fe08ba86df8533fad093381b4786fcac71aecdfff47fb115c9b6",
         "scripts/refresh-api-snapshot.js": "sha256:1f6830a5d23aeeb3c93cb2eea00a016a2ed0de201d350e891b21374010613a6b",
         "scripts/refresh-vendor-manifest.js": "sha256:48fc297ff66ed907a979bc07ffc747ccd7c2aa63c3bb3001d729239ee1e967d5",
@@ -2256,7 +2272,7 @@
         "scripts/vendor-data-gen.js": "sha256:76b627bc6e19b4a122edfca6f514bcb8ca11af02902f0957e641f503337a8a0f",
         "scripts/vendor-data-keygen.js": "sha256:94eaa4d8f832b4aac9ccbcb2a07e6b99cd35cf7b044e1412079cebdefc1f4c0e",
         "scripts/vendor-update.sh": "sha256:c1c879ee620f064a06d776c1d330749b5128a35581352ef385fa8baf4a35f79a",
-        "test/00-primitives.js": "sha256:582f2dceeee49a6cbaed860689caa5851c6c6c41ad2d3d50b1a24df992102750",
+        "test/00-primitives.js": "sha256:0a6c6b44c22c692372b072fc109cb734ac9e7812df1d122bbd94a12116c36d35",
         "test/10-state.js": "sha256:0f0cb26460e61b17c747a6a6cb65bd20325e0a4f1af854713e599b2cc9277367",
         "test/20-db.js": "sha256:241ef6b7ef305d077aeafb22ee3bcc75b6b549a8fa9b1a6b5d6d5fba43b48d7d",
         "test/30-chain.js": "sha256:6025201505a4c86ab385180147342d60edc1c5dd5728e2b78fb32b8b04ce7242",
@@ -2369,6 +2385,7 @@
         "test/layer-0-primitives/asyncapi.test.js": "sha256:835f999d8cb96d7d94b35d950d71bd1995af088ec6296e82256959972fb4d7fb",
         "test/layer-0-primitives/atomic-file-conflict-path.test.js": "sha256:b1e95ff12e5f6871762cc23ed6b862b4cf18097b743e5d4f90abaa4e53601794",
         "test/layer-0-primitives/atomic-file-exclusive-temp.test.js": "sha256:9a0a6193b8051caf1a5e34a7f0be6b12ec92abcadb26468384b0484c55984144",
+        "test/layer-0-primitives/atomic-file-rename-retry.test.js": "sha256:4669ec79347c38427d4d2229a884d705c1deddb3a88e2b55376a3420ae0c7f4c",
         "test/layer-0-primitives/attach-user-bearer-scheme.test.js": "sha256:ceaae361e8678ce81ca7cd3bdfb4b9ae2ae075f69d8e99685372f4a025dc4f92",
         "test/layer-0-primitives/audit-checkpoint-false-rollback.test.js": "sha256:1b1d3136fe37f7bb1cd6de6350d312d9549d5a6b0e2a7ce9f0873dfe5361ad22",
         "test/layer-0-primitives/audit-cve-defensive.test.js": "sha256:641406414b62a0927cd2500b95426b4ad6b72fb4f9baccd2c5d650a6e1e65782",
@@ -2443,7 +2460,7 @@
         "test/layer-0-primitives/cluster-storage.test.js": "sha256:5627e621dff001e236b668e04336eb39c9fe08a4a7d45a640e6e7fccce37a022",
         "test/layer-0-primitives/cluster-vault-rotation.test.js": "sha256:3514e9e71d6c39e805248f58ad2f41528d091e196c0f3766a032675677161b2d",
         "test/layer-0-primitives/cms-codec.test.js": "sha256:7e46078ed82be5b69d22c48f22dba37ea5015371c2a8cf5f94fb1a792fb7bb78",
-        "test/layer-0-primitives/codebase-patterns.test.js": "sha256:cffb4907580ceceac16af5533321e8b0f001696327a65f8836d5a0620a3c43bb",
+        "test/layer-0-primitives/codebase-patterns.test.js": "sha256:1a2cc84dd43a4bf53379ac219e5cc5a36d3371e429b6a89efcf7ed83b0c8daed",
         "test/layer-0-primitives/compliance-ai-act.test.js": "sha256:5ee4ad05d12233cb3c5457ef10a727833710bbc1ce1318838f9f9ef5d2cb8d4b",
         "test/layer-0-primitives/compliance-cascade.test.js": "sha256:ee02cf14541a837a9d7977c6ea6bf7f9210bed293925d93c976e31f270aebec4",
         "test/layer-0-primitives/compliance-eaa.test.js": "sha256:8afb3fa66f3f9452592995e77f5e0644d8c82de2321c551c6f5be6002b2c27a4",
@@ -2459,7 +2476,7 @@
         "test/layer-0-primitives/cose.test.js": "sha256:70940306703c96d6a9c7f77f35625257b3f578c98a0650af6761cd21916dff97",
         "test/layer-0-primitives/cra-report.test.js": "sha256:204a32da15ed26acb0f6b43b2bf33128cea954885acf29828445f30dfa4fadbe",
         "test/layer-0-primitives/crdt.test.js": "sha256:b9259d8ba12e5e8feb2f982c8357ec7b0254f0f5276754af7e807c427bbe49b0",
-        "test/layer-0-primitives/credential-hash.test.js": "sha256:550c645c05cc18a691f276ca7f4dfdd9e9e81c989dfd1623d8fabf90570130b1",
+        "test/layer-0-primitives/credential-hash.test.js": "sha256:cab340489726da55b986f7d92f1e0784da45917387179524e6ce914b125669f8",
         "test/layer-0-primitives/crypto-base64url.test.js": "sha256:7bb8b221b2cbb421c855f0fb3f220a641430cbd6f08ae8e039f0f997d5287cc0",
         "test/layer-0-primitives/crypto-envelope.test.js": "sha256:e9ea0ed1b3d8e9bf0a026901d64ce999541fa53215d405a501b267b841c588fe",
         "test/layer-0-primitives/crypto-field-derived-hash.test.js": "sha256:3d8e29b5fa44fe20f27c1b3678253dac0a16b3af7ec5c1c97a88b38c7a5c7839",
@@ -2492,7 +2509,7 @@
         "test/layer-0-primitives/db-collection-extensions.test.js": "sha256:324e0c243c054f8bcdb2e0a160fdce2abe90430b253e95dc7b8739e0a18ef886",
         "test/layer-0-primitives/db-collection.test.js": "sha256:cadc965ed6b3388cd2c871ba45319f30627218fdf75a7708e55571f4a4e778fe",
         "test/layer-0-primitives/db-column-gate.test.js": "sha256:b57c1465907f8db7c23a0dfdca77c7f81ec4cdc4afbd33b2ea4b7ad7c8f6ac93",
-        "test/layer-0-primitives/db-init-extensions.test.js": "sha256:bd6e313c4aee7c39e74cc308d79e540aaaa7487f0b2ff613b395cf9161d3188b",
+        "test/layer-0-primitives/db-init-extensions.test.js": "sha256:77963608dac33cdc8d22688d3ca2227f7fe1ddc1419ff6524f806f1b94dbdbcf",
         "test/layer-0-primitives/db-key-aad.test.js": "sha256:4facf830efd0b5b8af394b9fbc1a5c0f0b26788287013248ade7542cea6aa331",
         "test/layer-0-primitives/db-query-cross-schema.test.js": "sha256:9a21cab75881299f160032f388e9494232d4d4cade53c9550c734124dde5a785",
         "test/layer-0-primitives/db-query-extensions.test.js": "sha256:312e5bf181274bea8017861d9c02b848c8058dde402c9e28cd3b043fb6e5ac78",
@@ -2516,6 +2533,7 @@
         "test/layer-0-primitives/dora.test.js": "sha256:868bec1df000111db68b6bbbc036fb1d690ad54d431120624cd212fe6c26a405",
         "test/layer-0-primitives/dpop-middleware-replaystore-required.test.js": "sha256:d9545ff47438cc57e0d9d65fdb411d8f064a19d0d23e203e59d2ba41f4a5c829",
         "test/layer-0-primitives/dr-runbook.test.js": "sha256:9665caaa90f356d0237e0e6c6889c56a3467b20c7eaf78d2e2afa51c4b3af2cb",
+        "test/layer-0-primitives/dsa.test.js": "sha256:2cdbdd29b9c58d738920bb4f82f73492eab56e7d7f8111f1cdb14838de3a3ab3",
         "test/layer-0-primitives/dsr-state-rules.test.js": "sha256:0ddc7fd6d5d3f8817d8f4aad7bb66c6bf6e64eafe61fdedaafa8f60957d20bd0",
         "test/layer-0-primitives/dsr.test.js": "sha256:4e2e099658cc77d6ba5ebdaa48d1362adaee5b4aec109ddcb7bc1cf6bf4f112f",
         "test/layer-0-primitives/dual-control.test.js": "sha256:2d9255f96bddbb45d75182ef826a355536e40caeb5864483c56eaf5ba3c7e0ac",
@@ -2679,13 +2697,14 @@
         "test/layer-0-primitives/observability.test.js": "sha256:969600b4e53437d0efdb326cd7e4df06f807afd5c5d4f21100091f1c1e764258",
         "test/layer-0-primitives/openapi.test.js": "sha256:2e552cbb27b70ac28688632364defc9d063b3b26ff45788012e656bce8ba31e3",
         "test/layer-0-primitives/otel-export.test.js": "sha256:78c0103b69f04270b35f1d4f14471c4aa085bdad0b55667e2f182f94c2a3f7b6",
-        "test/layer-0-primitives/otlp-attr-redaction.test.js": "sha256:a9cfc7474d30216dab17226323ae48aad61e34981795d4d3a58a8dec19b2d3a1",
+        "test/layer-0-primitives/otlp-attr-redaction.test.js": "sha256:1285109e41bd7d225b1ee78f7f5df8f4604c2d35dc1c0410e7c9795cff7db3d7",
         "test/layer-0-primitives/outbox-inflight-reaper.test.js": "sha256:b4d65c14c7d8aa7712424f2a685fd7bc44b306650c14e3ff5047b2f021ac81f4",
         "test/layer-0-primitives/pagination.test.js": "sha256:432bbead37b57079f91429c2f3998aed28eb947086f8b0b8ebbd111fa3abdb07",
         "test/layer-0-primitives/parsers-standalone.test.js": "sha256:165683dd46724386493f5acb11f102123517ed7d07754f02065e8e0a9f9e57b5",
         "test/layer-0-primitives/passkey-real-vectors.test.js": "sha256:c8d986440e9c6d7ca78f8b03054d077f7b11af8326b6319aaaa569fb9cebf0bd",
         "test/layer-0-primitives/passkey.test.js": "sha256:ae7b213deb42dc8412d496eab91071b4f65518ca0d37e24f17ecb31c095dc7fe",
         "test/layer-0-primitives/permissions.test.js": "sha256:b8cc87f2e5b2bc39c784d3cf372620eaa37037e33c43c16addc4ad000c802ba2",
+        "test/layer-0-primitives/pipl-cn.test.js": "sha256:8d01dec33a47e9e3d7e403f33db3165d7bdc69eb78cef9a949edd6c69902305f",
         "test/layer-0-primitives/pqc-agent-curve.test.js": "sha256:c0eac9ba5e8eb254661cd8b42b49fa006de626db2d18574550b79b9542b02998",
         "test/layer-0-primitives/pqc-software.test.js": "sha256:d744e9640e9ae1acafb7218be446a58c5739707b86b8c64a8c4c1304cca8ff5b",
         "test/layer-0-primitives/privacy-pass.test.js": "sha256:54f6002ac9c22df44710c9d1db130cfec292bea98185cc9f819dd3c7d2aeacfa",
@@ -2713,7 +2732,7 @@
         "test/layer-0-primitives/require-mtls.test.js": "sha256:ba041e00d098090b4ffa578bb8b3f01927043842a5057069502dc69ade2dc23d",
         "test/layer-0-primitives/resource-access-lock.test.js": "sha256:f436bcd187b317229266b4f27d89e7f87cb28c7dc400643594b22d05232dbac4",
         "test/layer-0-primitives/retention-dryrun-no-vacuum.test.js": "sha256:b454fb508b22418097839a20f7b1ff5240a57f8ee37e575768780e7b8cc772b6",
-        "test/layer-0-primitives/retention-floor.test.js": "sha256:392f17c8372d14cb265d526771fa4c3d2b1497bd0c64520ea97d73dffeaca08b",
+        "test/layer-0-primitives/retention-floor.test.js": "sha256:c841932447a1ed9be5c1aec5d0819f112e9730305af410aa44d346487e6a3490",
         "test/layer-0-primitives/retry.test.js": "sha256:4e14bf1acfc73d3018e8a7b914c5fc0a9a768f41e81b76ee427fd520b3bbc935",
         "test/layer-0-primitives/router-cross-origin-redirect.test.js": "sha256:716d665c29eed2c5acdfd32a9cac717cb2c70ba6af6e9ab16477b527ee46594d",
         "test/layer-0-primitives/router-tls0rtt.test.js": "sha256:dd44b9358847e6bab34e02f65a4361cddb907ab3acafd7722f2c240c27a46fb7",
@@ -2733,7 +2752,7 @@
         "test/layer-0-primitives/safe-redirect.test.js": "sha256:3435b29c5fed535442e71f9801c24805a5f35aef0f3b4972ed253a9163dd4802",
         "test/layer-0-primitives/safe-sieve.test.js": "sha256:55351060c1cefc55adbba060d5cad75c75a07e5735ce70f94458d7f6deabf49c",
         "test/layer-0-primitives/safe-smtp.test.js": "sha256:c0969bc61e66744e672df89740f9c09ab0d955d946f12648cb936d1bf2a31d70",
-        "test/layer-0-primitives/safe-url-canonicalize.test.js": "sha256:399a1856d0ee71536560ffc1b31a94bb4fedec74402dc6a1f33549ca4534e1cc",
+        "test/layer-0-primitives/safe-url-canonicalize.test.js": "sha256:5a85baeec34770f9efef04fe8036fc75f80278188ed6f09adcb97f72d39a0dc8",
         "test/layer-0-primitives/safe-url-idn-homograph.test.js": "sha256:a68b8307a0711270ce865d80937793c3bd48445f0ac6adb5814bd9b948e06193",
         "test/layer-0-primitives/safe-vcard.test.js": "sha256:10a0695050afee64599411352b34382e15b8f9bd9045ed3951cc6bc561918c89",
         "test/layer-0-primitives/safe-xml.test.js": "sha256:dc94bdc968449a87843a2403e4f9d402cd22fb7479cae30ae42e297ffec5a449",
@@ -2741,6 +2760,7 @@
         "test/layer-0-primitives/saml-subjectconfirmation-notonorafter.test.js": "sha256:fbf0c44b64b102805e6ac76fa39b297cddd44ba6089faf2c99e77930f1bf0628",
         "test/layer-0-primitives/sandbox.test.js": "sha256:498a6f1e79950bfb625d58f009be5f429506c07000b9fdcf86e8400e32fc5ee3",
         "test/layer-0-primitives/scheduler-exactly-once.test.js": "sha256:f269740eba98d12f05f6fa50c7aa4f6ac49a5a69e1dff23898257405a51089fa",
+        "test/layer-0-primitives/scheduler-watchdog-stale-settle.test.js": "sha256:7ee8fc92151f36fcfefb7506e5c274599b6f6df8b83639bbe73738b1f263bb43",
         "test/layer-0-primitives/scim-server.test.js": "sha256:2df544430e780f677491b71e08ac77f88fabaecf0c23d838fb3081d3deb84315",
         "test/layer-0-primitives/scitt.test.js": "sha256:a3030351ec0092516c5eaea4824dae8f466f239133d6a189875d38faf236a232",
         "test/layer-0-primitives/sd-jwt-vc-ecdsa-p1363.test.js": "sha256:d26d4a066458fe37634abf58bf41a66ef913172e5cb601f64751a2c2a03fd8fb",
@@ -2755,7 +2775,7 @@
         "test/layer-0-primitives/self-update.test.js": "sha256:fa9d1ccab264806f61973bc2292950d0b12ed56c8e220960dc1f1f2c163d35ae",
         "test/layer-0-primitives/server-timing.test.js": "sha256:03fbad2878a8d629c0abf59c175d6de7b113e49b3eaffbdcd950b03920e54693",
         "test/layer-0-primitives/session-device-binding.test.js": "sha256:1d9c4dcbe972f1036293cdafe3313a16883afbacdb25af58bbdbd6211d85d27a",
-        "test/layer-0-primitives/session-extensions.test.js": "sha256:b3f00f0048772f92c9a85b10e73fa54f154daf415f53dcf2a06e63cb01016d74",
+        "test/layer-0-primitives/session-extensions.test.js": "sha256:b1144768ad7556fcb86cdfdc00768b61324a2cba5784a0533ef20efa2b839a3d",
         "test/layer-0-primitives/shape-match.test.js": "sha256:ce63e3be16ff7055fe0a24ffd314e6878a8d2145043a2e2bbc3821f3d9d48b7d",
         "test/layer-0-primitives/sigv4-bucket-ops.test.js": "sha256:72891b4f6d053dbbc40d58c6fa413191d71e7d37dea068f46ec0d96299cf7696",
         "test/layer-0-primitives/sigv4-multipart-sse.test.js": "sha256:8572b0293afd4ce0dab01af66184b033527556f4907db8f1d87f09fed956cc24",
@@ -2799,7 +2819,7 @@
         "test/layer-0-primitives/vendor-data.test.js": "sha256:e216ae83b187c66f1002c419e4af2701573e5743666007b564a0257332bc0c9b",
         "test/layer-0-primitives/vendor-manifest.test.js": "sha256:55685bd11686bf76495ec29769470de05a6aaf4648d2b5722d96f213d9e32587",
         "test/layer-0-primitives/vex.test.js": "sha256:4a06e3e9a6ea8ffe3ab2c0af69cbe2835c1d50768c184308bb2e40638c8998cc",
-        "test/layer-0-primitives/watcher.test.js": "sha256:60f0d256d570654fc4bf9d0a7ba4b8435dfb100373bcc3661d31b9f10fc4744d",
+        "test/layer-0-primitives/watcher.test.js": "sha256:346ef70ff89e9d4b6ba27f6a1859be0cd782b8224930c7c3d2ead5d495c08dd7",
         "test/layer-0-primitives/web-push-vapid.test.js": "sha256:4634dcf1c3fdae300b291d20473285a9d9fe2f49f9c54e4e3a2e149768d3fe32",
         "test/layer-0-primitives/webhook.test.js": "sha256:1cccad47005af4806e4253379434d9518e1965ec05bf6f7ddc957442b9fac737",
         "test/layer-0-primitives/websocket-channels.test.js": "sha256:8e1249fd11c4ae1253c8b76cc8638c9cdce2081046d6b80a9a6db0cd71d2716c",