@blamejs/blamejs-shop 0.4.32 → 0.4.37

package/lib/vendor/blamejs/test/layer-0-primitives/codebase-patterns.test.js

@@ -2601,10 +2601,22 @@ async function testNoDuplicateCodeBlocks() {
       var w = new Worker(WORKER_PATH, {
         workerData: Object.assign({ files: shardFiles }, SHINGLE_OPTS_FOR_WORKER),
       });
-      w.once("message", function (msg) { resolve(msg); w.terminate(); });
-      w.once("error", reject);
+      // Reap the worker on EVERY settle path (#123). Previously the error and
+      // exit handlers rejected without terminate(), so an errored worker thread
+      // stayed alive holding its event-loop handles — the parent could not exit
+      // and the smoke run ran to the 25-min watchdog on memory-starved
+      // macOS-arm64 runners. settle() terminates first, idempotently.
+      var settled = false;
+      function settle(fn, arg) {
+        if (settled) return;
+        settled = true;
+        try { w.terminate(); } catch (_e) { /* already terminating */ }
+        fn(arg);
+      }
+      w.once("message", function (msg) { settle(resolve, msg); });
+      w.once("error", function (e) { settle(reject, e); });
       w.once("exit", function (code) {
-        if (code !== 0 && code !== null) reject(new Error("shingle worker exited " + code));
+        if (code !== 0 && code !== null) settle(reject, new Error("shingle worker exited " + code));
       });
     });
   }
@@ -2991,6 +3003,79 @@ async function testNoDuplicateCodeBlocks() {
       ],
       reason: "Config-time validateOpts cascade family — `validateOpts(opts, KEYS, label)` followed by per-field requireNonEmptyString / optionalPositiveInt / optionalFunction checks at a factory or builder entry point. jar.js:build joined in v0.14.22 (the RFC 9101 request-object builder validates clientId / audience / key / expiresInMs before minting). Each member emits its own error class and code namespace over a different opts vocabulary; the shared helper (validateOpts) is the extraction, and consolidating the cascades past the call boundary would surface the wrong error code for operator typos.",
     },
+    {
+      // The b.dsa (EU DSA) + b.pipl (China PIPL) compliance record-builders
+      // are a fresh pair of validateOpts-cascade + Object.freeze-record +
+      // audit.safeEmit functions. Each validates a DIFFERENT opts vocabulary
+      // (notice / statement-of-reasons / transparency-report; cross-border
+      // assessment / security-assessment certificate), builds a DIFFERENT
+      // frozen record, and emits a DIFFERENT audit action — so their 50/60-tok
+      // shingles coincide with the large existing compliance/builder family
+      // (validateOpts cascade + audit-emit), bridging the config-validation
+      // and audit-emit clusters. Shape-only: the shared primitives
+      // (validateOpts, audit.safeEmit, Object.freeze) ARE the extraction;
+      // collapsing the per-builder bodies would surface the wrong error code
+      // and the wrong audit action for each regulation. Union of the clusters
+      // the two new files participate in.
+      mode:  "family-subset",
+      files: [
+        "lib/ai-adverse-decision.js:wrap",
+        "lib/ai-dp.js:budget",
+        "lib/api-key.js:_validateIssueOpts",
+        "lib/audit-daily-review.js:create",
+        "lib/auth/jar.js:build",
+        "lib/auth/oauth.js:buildClientAttestationPop",
+        "lib/auth/oid4vci.js:create",
+        "lib/auth/saml.js:create",
+        "lib/auth/sd-jwt-vc-issuer.js:create",
+        "lib/break-glass.js:_validatePolicySet",
+        "lib/budr.js:declare",
+        "lib/calendar.js:validate",
+        "lib/cloud-events.js:wrap",
+        "lib/compliance-eaa.js:create",
+        "lib/compliance-sanctions-fetcher.js:create",
+        "lib/cose.js:macVerify0",
+        "lib/cose.js:verify",
+        "lib/crypto-field.js:declarePerRowResidency",
+        "lib/daemon.js:_validateStartOpts",
+        "lib/daemon.js:_validateStopOpts",
+        "lib/data-act.js:recordSwitchRequest",
+        "lib/data-act.js:shareWithThirdParty",
+        "lib/db.js:declareRequireDualControl",
+        "lib/ddl-change-control.js:create",
+        "lib/dsa.js:noticeAndAction",
+        "lib/dsa.js:statementOfReasons",
+        "lib/dsr.js:create",
+        "lib/external-db-migrate.js:create",
+        "lib/fda-21cfr11.js:posture",
+        "lib/fdx.js:consentReceipt",
+        "lib/fedcm.js:wellKnown",
+        "lib/file-upload.js:_validateCreateOpts",
+        "lib/http-client-cache.js:create",
+        "lib/http-client.js:_validateDownloadOpts",
+        "lib/mcp-tool-registry.js:verifyCall",
+        "lib/middleware/assetlinks.js:create",
+        "lib/middleware/protected-resource-metadata.js:create",
+        "lib/middleware/span-http-server.js:create",
+        "lib/network-heartbeat.js:start",
+        "lib/network-tls.js:_emitAuditAdd",
+        "lib/network-tls.js:_emitAuditRemove",
+        "lib/observability-tracer.js:create",
+        "lib/outbox.js:create",
+        "lib/pipl-cn.js:sccFilingAssessment",
+        "lib/pipl-cn.js:securityAssessmentCertificate",
+        "lib/privacy.js:vendorReview",
+        "lib/redact.js:installOutboundDlp",
+        "lib/sec-cyber.js:eightKArtifact",
+        "lib/self-update.js:_validatePollOpts",
+        "lib/self-update.js:_validateVerifyOpts",
+        "lib/static.js:_validateCreateOpts",
+        "lib/tcpa-10dlc.js:recordConsent",
+        "lib/vex.js:document",
+        "lib/watcher.js:_validateOpts",
+      ],
+      reason: "v0.15.8 — b.dsa (EU Digital Services Act) + b.pipl (China PIPL) cross-border record-builders join the config-time validateOpts-cascade + Object.freeze-record + audit.safeEmit family. Each validates a distinct opts vocabulary, builds a distinct frozen record, and emits a distinct audit action; the shared primitives (validateOpts / audit.safeEmit / Object.freeze) are the extraction. Shape-only — collapsing the per-builder bodies would emit the wrong error code and audit action per regulation. Union of the 50/60-tok clusters the two new files participate in.",
+    },
     {
       mode:  "family-subset",
       files: [
@@ -6997,6 +7082,74 @@ var KNOWN_ANTIPATTERNS = [
     allowlist: [],
     reason: "CWE-532 — span/metric/resource attributes are a first-class egress sink. #69 fixed lib/otel-export.js _attrsToOtlp but pinned its detector to that one function name, leaving the SPAN exporter's two sibling encoders (lib/observability-otlp-exporter.js _attrToOtlp JSON + _attrsToProto protobuf) shipping attribute values verbatim to the collector (#125). The shared root is 'an attribute-map encoder that serializes without scrubbing'; every such encoder must pass each value through observability.redactAttrs() (default composes b.redact.redact, fail-toward-dropping on a throwing redactor) before the wire payload. The negative lookahead exempts the per-value type-encoders (_valueToOtlp/_anyValueToProto) which run after redaction; the {0,4000} bound is a ReDoS backstop well above the real encoder bodies (<2000 chars).",
   },
+  // Same CWE-532 class, the OTHER OTLP egress family the span/metric detector
+  // above could not see: the LOG sinks (lib/log-stream-otlp.js HTTP-JSON +
+  // lib/log-stream-otlp-grpc.js gRPC). Their encoders are named per the OTLP
+  // logs schema (_toLogRecord / _serializeBatch / _encodeLogRecord /
+  // _encodeResourceLogs), not _attr*, so the function-name-anchored detector
+  // never matched them — the #125 span fix left the log record-meta + resource
+  // attributes shipping verbatim. Anchor on the buggy SHAPE instead: a raw
+  // `record.meta` / `resourceAttrs` / `_resourceAttrs(cfg)` handed straight to an
+  // _encode* call. The fix wraps the arg in observability().redactAttrs(...), so
+  // the first token inside the paren becomes `observability` and the match dies.
+  {
+    id: "otlp-log-sink-encodes-attrs-without-redactor",
+    primitive: "the OTLP LOG sinks (log-stream-otlp / log-stream-otlp-grpc) must run record.meta and resource attributes through observability.redactAttrs() before encoding — a log line's meta or a resource attribute holding a bearer token / password / API key ships to the collector verbatim otherwise (CWE-532), the same egress class as the span/metric exporters",
+    scanScope: "lib",
+    regex: /_encode(?:Attrs|Attributes|Resource)\(\s*(?:record\.meta\b|resourceAttrs\b|_resourceAttrs\(cfg\))/,
+    allowlist: [],
+    reason: "CWE-532 secret/PII egress. v0.15.4 (#125) baked observability.redactAttrs() into every SPAN + METRIC attribute encoder but the detector was anchored on the _attr* function names, so it was blind to the LOG sinks whose encoders carry the OTLP-logs schema names. lib/log-stream-otlp.js (_toLogRecord meta + _serializeBatch resource) and lib/log-stream-otlp-grpc.js (_encodeLogRecord meta + _encodeResourceLogs resource) handed record.meta and resourceAttrs straight to _encodeAttrs/_encodeAttributes/_encodeResource — a log record's meta or a resource attribute holding a credential reached the collector unscrubbed. Root: 'every OTLP egress encoder redacts'; the span detector saw spans/metrics, this one sees logs. Fires on the raw `_encode*(record.meta` / `_encode*(resourceAttrs` / `_encodeResource(_resourceAttrs(cfg)` shape; the fix wraps the arg in observability().redactAttrs(...) (the span/metric contract), making the first paren token `observability` so the match goes silent.",
+  },
+  // #146 — every FINAL temp->dest rename must route through
+  // atomicFile.renameWithRetry, the bounded retry on a Windows-transient
+  // destination lock (EPERM/EACCES/EBUSY from AV / the search indexer /
+  // Dropbox / OneDrive briefly holding the target). A bare nodeFs.renameSync
+  // surfaces a transient lock as a hard failure (httpClient.downloadStream
+  // shipped exactly that) and re-hand-rolls a retry the framework already owns
+  // as a primitive. The ONLY legitimate bare renameSync is inside the
+  // primitive itself (atomic-file.js _renameWithRetry).
+  {
+    id: "bare-renamesync-not-via-renamewithretry",
+    primitive: "route every final temp->dest rename through atomicFile.renameWithRetry (the Windows rename-lock retry) instead of a bare nodeFs.renameSync / fs.renameSync — a transient AV / indexer / cloud-sync lock on the destination must be retried, not surfaced as a hard failure",
+    scanScope: "lib",
+    regex: /\b(?:nodeFs|fs)\.renameSync\(/,
+    allowlist: [
+      // atomic-file.js IS the primitive — _renameWithRetry wraps the one real
+      // nodeFs.renameSync with the bounded transient-lock retry loop.
+      "lib/atomic-file.js",
+    ],
+    reason: "#146 (user-surfaced). atomicFile.writeSync retries its final rename on a Windows-transient destination lock; httpClient.downloadStream's final rename was a bare nodeFs.renameSync, so a download into a cloud-synced / AV-scanned directory surfaced the transient lock as a hard failure. The retry was also hand-rolled and un-reusable. The fix exports atomic-file's _renameWithRetry as atomicFile.renameWithRetry and routes EVERY final temp->dest rename through it (downloadStream + vault/passphrase-ops + mtls-ca + log-stream-local + self-update + config-drift + archive-read + archive-tar-read + local-db-thin + restore-rollback). Fires on any bare nodeFs.renameSync/fs.renameSync; the only allowlisted use is atomic-file.js where the primitive's retry loop lives.",
+  },
+  // v0.15.9 — db.init() must construct its DatabaseSync with the SQLITE_LIMIT_*
+  // sqlLength cap: a parse-time DoS floor that rejects a megaquery on the
+  // raw-SQL surface. The ephemeral storage headroom probe (new DatabaseSync(p))
+  // is a different construction and is not anchored. Fires if the main db handle
+  // is built without the limits shape.
+  {
+    id: "db-databasesync-without-sqlite-limits",
+    primitive: "construct the main db.init DatabaseSync(dbPath, ...) with the node:sqlite limits option (sqlLength) — a parse-time DoS floor complementary to streamLimit",
+    scanScope: "lib",
+    regex: /new DatabaseSync\(dbPath\b/,
+    requires: /limits:\s*\{[\s\S]{0,200}?sqlLength/,
+    skipCommentLines: true,
+    allowlist: [],
+    reason: "v0.15.9 Node-24.16 adoption. The framework parameterizes every builder value, so SQLITE_LIMIT_LENGTH (sqlLength) guards the raw-SQL surface (b.db.runSql) against an attacker-influenced megaquery the parser would otherwise chew (SQLite default is 1 GB). Fires when the main db handle `new DatabaseSync(dbPath` is constructed without the `limits: { ... sqlLength` shape; the headroom probe `new DatabaseSync(p)` is intentionally not matched (ephemeral, no attacker input). (SQLITE_LIMIT_ATTACHED is left at the SQLite default — the snapshot/backup path uses ATTACH.)",
+  },
+  // v0.15.9 — the RFC 9527 Clear-Site-Data header value must be built via the
+  // shared middleware/clear-site-data headerValue() helper (which validates
+  // each directive against the known set), not a hand-rolled quoted-token
+  // string. A literal `setHeader("Clear-Site-Data", '"cookies", ...')` skips
+  // the directive validation and re-hand-rolls the RFC 9527 quoting the
+  // primitive owns (the b.session.logout extraction lesson).
+  {
+    id: "clear-site-data-header-hand-rolled",
+    primitive: "build the Clear-Site-Data response header via clearSiteData.headerValue(types) (validated RFC 9527 quoting) — do not hand-roll the quoted-directive string literal in setHeader",
+    scanScope: "lib",
+    regex: /setHeader\(\s*["']Clear-Site-Data["']\s*,\s*["']/,
+    skipCommentLines: true,
+    allowlist: [],
+    reason: "v0.15.9 (Clear-Site-Data logout wiring). The middleware/clear-site-data headerValue() helper is the single builder of the RFC 9527 §3 quoted-token list and validates every directive against KNOWN_TYPES; both emitters (the middleware's create() and b.session.logout) route through it. A literal `setHeader(\"Clear-Site-Data\", '\"cookies\", ...')` hand-rolls the quoting and skips the validation. Fires when the second setHeader arg is a string literal; the live emitters pass a var/call so they stay silent.",
+  },
   // #131 — the b.middleware.dpop factory must REQUIRE its replayStore at config
   // time. The store is DPoP's jti-replay defense (RFC 9449 §11.1); reading it
   // optionally and gating the check behind `if (replayStore)` silently mounts a
@@ -7034,6 +7187,82 @@ var KNOWN_ANTIPATTERNS = [
     allowlist: [],
     reason: "#137 — verifyIdToken wrapped its exp validation in `if (!vopts.skipExpCheck) { ... }` so any external caller (verifyIdToken is a public API) could pass skipExpCheck: true and verify an EXPIRED id_token clean — token-replay of expired-but-once-valid credentials. skipExpCheck exists only because OIDC Back-Channel Logout 1.0 §2.4 logout tokens carry no exp; the internal verifyBackchannelLogoutToken passes it. The fix flips the branch to `if (vopts.skipExpCheck) { <require the backchannel-logout events claim> + <iat freshness floor> } else { <exp check> }`, so skipExpCheck is refused (auth-oauth/skip-exp-check-not-allowed) on any token lacking the logout event claim and a stale logout token is refused (auth-oauth/logout-token-stale). The detector anchors on the bare negative gate and requires the new refusal code in-file; after the fix the bare gate is gone and the code is present, so it stays silent.",
   },
+  // #130 — scheduler _runFire settle handlers must guard on the run generation.
+  {
+    id: "scheduler-runfire-settle-no-generation-guard",
+    primitive: "scheduler._runFire's promise settle handlers must ignore a stale settle (if task.runGeneration !== gen return) before writing task state / emitting success|failure — the watchdog force-clears running and re-fires, so an abandoned run's late resolve otherwise clobbers the current run's state and double-emits",
+    scanScope: "lib",
+    regex: /Promise\.resolve\(promise\)\.then\(function \([^)]*\)\s*\{\s*task\.running = false/,
+    allowlist: [],
+    reason: "#130 — _runFire attaches success/failure settle handlers that unconditionally wrote task.running=false / runningSince=0 / lastFinish / lastError and emitted system.scheduler.task.success|failure. But the watchdog (maxJobMs) force-clears task.running on a hung run and _fireOnce re-fires, so the original slow promise settles LATE and clobbers the new run's running flag (disabling the watchdog for it / allowing a third concurrent fire) and emits a stale success for a run the watchdog already reported as a watchdog failure. The fix tags each run (task.runGeneration, bumped by _runFire AND the watchdog) and the settle handlers `return` early when the tag is stale. The detector fires while the success handler sets task.running=false with no intervening generation guard and goes silent once the `if (task.runGeneration !== gen) return;` guard precedes it; behavioral guard is scheduler-watchdog-stale-settle.test.js.",
+  },
+  // #121 — retention.complianceFloor must inherit the active posture.
+  {
+    id: "retention-compliancefloor-ignores-active-posture",
+    primitive: "retention.complianceFloor must fall back to STATE.activePosture (set by applyPosture / the b.compliance.set cascade) when no explicit posture is passed — it hard-required a string posture and never read the active value, so the advertised optional-posture inheritance was unimplemented dead state",
+    scanScope: "lib",
+    regex: /function complianceFloor\s*\([^)]*\)\s*\{(?:(?!STATE\.activePosture)[\s\S]){0,300}?must be a string/,
+    allowlist: [],
+    reason: "#121 — applyPosture() records STATE.activePosture + STATE.activeFloorMs and both its docstring and the STATE comment advertise that complianceFloor callers without an explicit posture inherit the active value. But complianceFloor threw `posture must be a string` immediately and never consulted STATE.activePosture, so the inheritance never worked and activeFloorMs was a dead write. The fix inherits STATE.activePosture when posture is omitted (a numeric first arg is taken as candidateTtlMs so complianceFloor(ttl) works), and applyPosture(null) now clears the state (was a silent no-op, so b.compliance.clear couldn't reset it). The tempered span fires while complianceFloor reaches its `must be a string` throw without first reading STATE.activePosture; the behavioral guard is retention-floor.test.js.",
+  },
+  // #111 — credential-hash needsRehash must drive SHAKE256 length-rotation.
+  {
+    id: "credentialhash-needsrehash-ignores-shake256-length",
+    primitive: "credentialHash.needsRehash must compare the stored SHAKE256 digest length against the configured/default length — without it, raising the SHAKE256 output length never triggers a rehash and the advertised length-rotation is a silent no-op",
+    scanScope: "lib",
+    regex: /function needsRehash\s*\([^)]*\)\s*\{(?=[\s\S]*?CRED_HASH_IDS\.ARGON2ID)(?:(?!CRED_HASH_IDS\.SHAKE256)(?!\n\})[\s\S]){0,1200}\n\}/,
+    allowlist: [],
+    reason: "#111 — needsRehash short-circuited the SHAKE256 case to `return false`: it checked the algorithm id and (for Argon2id) deferred to the password module's parameter-lag check, but never compared decoded.payload.length against the configured target length. So once an operator raised the SHAKE256 output length, every existing shorter digest reported needsRehash === false and the length-rotation the primitive advertises never fired (b.apiKey.verify's rehash-on-verify silently kept the old length). The fix adds, for the SHAKE256 branch, a compare of decoded.payload.length to (opts.params.length || SHAKE256_DEFAULT_LENGTH) → rehash when they differ. The tempered span anchors on needsRehash and fires while its body never references SHAKE256_DEFAULT_LENGTH (the length-target constant); the behavioral guard is credential-hash.test.js.",
+  },
+  // #136 — SD-JWT KB-JWT aud / nonce must compare constant-time.
+  {
+    id: "sdjwt-kbjwt-aud-nonce-non-consttime-compare",
+    primitive: "the SD-JWT KB-JWT audience + nonce checks must compare with the constant-time _timingSafeEqStr helper (as the sd_hash check already does), not a bare !== — the nonce is a verifier-issued replay-defense value and a timing channel leaks a guess oracle; constant-time-ness cannot be asserted behaviorally, so this structural detector is the guard",
+    scanScope: "lib",
+    regex: /kbParsed\.payload\.(?:aud|nonce)\s*!==\s*opts\.(?:audience|nonce)/,
+    allowlist: [],
+    reason: "#136 — verify()'s KB-JWT binding checks compared `kbParsed.payload.aud !== opts.audience` and `kbParsed.payload.nonce !== opts.nonce` with a short-circuiting !==, while the adjacent sd_hash check already used the constant-time _timingSafeEqStr. The nonce is a per-presentation replay-defense value the verifier issued; a non-constant-time compare leaks a matching-prefix timing oracle. The fix routes both through _timingSafeEqStr (the framework's hash/token-compare discipline). A behavioral test can prove the accept/reject correctness but NOT the timing property, so this detector is the primary guard per the test-with-fix rule's structural-drift exception; it fires on the bare !== shape and goes silent once both use _timingSafeEqStr.",
+  },
+  // canonicalizeHost must fold an IPv4-mapped IPv6 address to its IPv4 form.
+  {
+    id: "ssrf-canonicalizehost-v4mapped-not-folded",
+    primitive: "ssrfGuard.canonicalizeHost must fold an IPv4-mapped IPv6 address (::ffff:0:0/96) to its dotted IPv4 form — leaving it as IPv6 means a dual-stack peer on ::ffff:1.2.3.4 never unifies with an operator's 1.2.3.4 allowlist entry (an SSRF allowlist bypass the canonicalizer exists to defend)",
+    scanScope: "lib",
+    regex: /if \(family === 6\)\s*\{(?:(?!IPV6_V4_MAPPED_PREFIX)[\s\S]){0,400}?_ipv6BytesToString/,
+    allowlist: [],
+    reason: "canonicalizeHost's IPv6 branch emitted the RFC 5952 hex string for every IPv6 input, including IPv4-mapped (::ffff:a.b.c.d). But an IPv4-mapped address IS the IPv4 address a.b.c.d for routing/access — classify() already re-classifies it by the embedded v4, and a dual-stack listener reaching ::ffff:1.2.3.4 is the same host as 1.2.3.4. Without folding, canonicalize(::ffff:1.2.3.4) !== canonicalize(1.2.3.4), so an allowlist/dedup/SSRF comparison built on the canonical form is bypassed by presenting the dual-stack spelling. The fix folds the ::ffff:0:0/96 block to dotted IPv4 (only that block — 6to4/NAT64 are translation mechanisms, and a v4 suffix in any other prefix is a distinct address). The tempered span fires while the family-6 branch reaches _ipv6BytesToString with no IPV6_V4_MAPPED_PREFIX check first; the behavioral guard is safe-url-canonicalize.test.js.",
+  },
+  // compliance.clear must cascade the posture-clear to the primitives.
+  {
+    id: "compliance-clear-no-cascade",
+    primitive: "compliance.clear() must cascade the posture reset to the primitives (_applyPostureCascade(null)) just as set() cascades the posture — otherwise a primitive that inherits the active posture (retention.complianceFloor) keeps applying the stale floor after b.compliance.clear()",
+    scanScope: "lib",
+    regex: /_emitAudit\("compliance\.posture\.cleared"/,
+    requires: /_applyPostureCascade\(null\)/,
+    skipCommentLines: true,
+    allowlist: [],
+    reason: "Codex P2 — b.compliance.set(posture) calls _applyPostureCascade(posture), which walks retention/audit/db/cryptoField calling applyPosture(posture); retention records it so complianceFloor() inherits it. b.compliance.clear() nulled only compliance's own STATE.posture and never cascaded, so after set(\"hipaa\") then clear(), compliance.current() is null but retention still inherits the stale HIPAA floor. clear() must call _applyPostureCascade(null) so each primitive's applyPosture(null) resets it (retention.applyPosture(null) clears its active posture). The detector fires while clear() exists with no _applyPostureCascade(null) call anywhere in the file (set() passes the posture, not null) and goes silent once clear() cascades the reset; the behavioral guard is retention-floor.test.js.",
+  },
+  // canonicalizeHost must NOT fold NAT64/6to4 (would flip an SSRF classify verdict).
+  {
+    id: "ssrf-canonicalizehost-folds-nat64",
+    primitive: "ssrfGuard.canonicalizeHost must fold ONLY the IPv4-mapped block (::ffff:0:0/96) to IPv4 — NOT NAT64 (64:ff9b::/96). classify() treats a NAT64 literal as `classify(v4) || \"reserved\"`, so folding a public NAT64 address to its embedded IPv4 turns a blocked verdict into an allowed one (canonicalize-then-classify must agree with classify alone)",
+    scanScope: "lib",
+    regex: /_ipv6PrefixMatch\(\s*IPV6_NAT64_PREFIX\s*,\s*C\.BYTES\.bytes\(96\)\s*,\s*v6bytes\s*\)/,
+    allowlist: [],
+    reason: "canonicalizeHost folds an IPv4-mapped IPv6 host to its embedded IPv4 because classify(::ffff:x) === classify(x) (that branch has no reserved fallback), so the fold can't change an SSRF verdict. NAT64 is different: classify('64:ff9b::8.8.8.8') is `classify('8.8.8.8') || 'reserved'` = 'reserved' (blocked) while classify('8.8.8.8') is null (allowed) — so folding a public NAT64 literal to 8.8.8.8 before an allowlist/classify check flips a blocked address to an allowed public IPv4 (Codex P2). canonicalizeHost must leave NAT64 / 6to4 as IPv6; classify still reaches the embedded v4 for the deny side. The detector anchors on canonicalizeHost's NAT64 prefix-match (it uses the local `v6bytes`, so classify()'s own legitimate NAT64 extraction — which uses `bytes` — is not matched) and goes silent once canonicalizeHost no longer folds NAT64. The behavioral guard is the classify-agreement invariant in safe-url-canonicalize.test.js.",
+  },
+  // #134 — verifyIdToken must check azp on multi-audience ID tokens.
+  {
+    id: "oauth-verifyidtoken-no-azp-check",
+    primitive: "verifyIdToken must verify the azp (authorized party) claim — OIDC Core §3.1.3.7: a multi-audience ID token requires an azp, and a present azp MUST equal the RP's client_id. Checking only that aud contains clientId lets a token minted for a DIFFERENT authorized party (that merely lists this RP in a multi-aud array) verify clean (confused deputy)",
+    scanScope: "lib",
+    regex: /throw new OAuthError\("auth-oauth\/aud-mismatch"/,
+    requires: /auth-oauth\/azp-mismatch/,
+    skipCommentLines: true,
+    allowlist: [],
+    reason: "#134 — verifyIdToken validated only `aud.indexOf(clientId) !== -1` (throwing auth-oauth/aud-mismatch) and ignored azp. OIDC Core §3.1.3.7 requires: if the ID token carries multiple audiences the Client must verify an azp is present, and if azp is present its value must be the Client's client_id. Without it, an IdP-issued token whose authorized party is a DIFFERENT client but whose aud array also lists this RP verifies clean — a confused-deputy / token-substitution hole. The fix adds, right after the aud check: reject when aud.length > 1 and no azp (auth-oauth/azp-required), and reject when azp is present and !== clientId (auth-oauth/azp-mismatch). The detector anchors on verifyIdToken's unique aud-mismatch throw and requires the azp-mismatch code in-file; the single-aud no-azp token (the common case) is unaffected.",
+  },
   // #116 — crypto-field upgrade-on-read rewrite must honor the handle's dialect.
   {
     id: "cryptofield-upgrade-on-read-hardcodes-sqlite-dialect",
@@ -9298,6 +9527,24 @@ var KNOWN_ANTIPATTERNS = [
   // detector encoded. These 5 are the highest-priority subset (P1 +
   // P2 by audit ranking). The remaining 8 are scoped for follow-up.
 
+  {
+    // #123 — a worker_threads Worker whose error/exit handler rejects WITHOUT
+    // terminating leaves the thread alive holding its event-loop handles, so the
+    // parent process can't exit and the smoke run hangs under the watchdog on
+    // memory-starved CI runners (macOS-arm64). Every Promise-settle path
+    // (message / error / exit) must reap the worker via w.terminate() first; the
+    // fix funnels all three through a settle() guard that terminates before
+    // resolve/reject. Structural resource-hygiene drift a behavioral test can't
+    // assert — the harness closure isn't exported and the hang is a slow-runner
+    // race — so the detector is the guard.
+    id: "test-worker-reject-without-terminate",
+    primitive: "a worker_threads Worker error/exit handler must terminate() the worker before rejecting (route message/error/exit through a settle() helper) — a bare reject leaks the thread's handles and hangs process exit on slow CI runners",
+    scanScope: "test",
+    regex: /\bw\.once\("error",\s*reject\)/,
+    skipCommentLines: true,
+    allowlist: [],
+    reason: "#123 macOS codebase-patterns watchdog hang. _scanShardInWorker rejected on worker error/exit without w.terminate(), so an errored worker thread stayed alive holding open handles; the parent then could not exit and the smoke run ran to the 25-min watchdog on memory-starved macOS-arm64 runners (it hung this very release's CI). Every settle path must reap the worker via w.terminate() first; the fix funnels message/error/exit through a settle() guard that terminates before resolve/reject. Fires on the bare `w.once(\"error\", reject)` shape; silent once error/exit route through settle().",
+  },
   {
     // `Promise + setTimeout` direct sleep in tests is forbidden;
     // tests waiting on an asynchronous condition MUST use

package/lib/vendor/blamejs/test/layer-0-primitives/credential-hash.test.js

@@ -52,6 +52,24 @@ async function testShake256ConfigurableLength() {
   check("verify 64-byte envelope",             (await ch.verify("hi", env64)) === true);
   check("verify 192-byte envelope",            (await ch.verify("hi", env192)) === true);
   check("64 envelope can't verify against 192", env64 !== env192);
+
+  // #111 — needsRehash must drive the advertised SHAKE256 length-rotation: a
+  // digest stored at the old length must be flagged for rehash when the
+  // configured/default length is larger. needsRehash ignored payload length,
+  // so raising the output length was a silent no-op.
+  check("#111 a 64-byte digest needs rehash under the 128-byte default",
+        ch.needsRehash(env64) === true);
+  check("#111 a 64-byte digest needs rehash when the target length is raised to 192",
+        ch.needsRehash(env64, { params: { length: 192 } }) === true);
+  check("#111 a 64-byte digest does NOT need rehash when the target stays 64",
+        ch.needsRehash(env64, { params: { length: 64 } }) === false);
+  check("#111 a default-length (128) digest does not need rehash at the default",
+        ch.needsRehash(await ch.hash("hi")) === false);
+  // Upgrade-only, matching the Argon2 needsRehash convention (rehash when the
+  // stored strength is BELOW target, never to actively shorten): a 192-byte
+  // digest must NOT be rehashed down to a 128-byte target.
+  check("#111 a longer (192) digest is NOT rehashed down to a smaller target (128)",
+        ch.needsRehash(env192, { params: { length: 128 } }) === false);
 }
 
 async function testShake256BufferSecret() {

package/lib/vendor/blamejs/test/layer-0-primitives/db-init-extensions.test.js

@@ -146,6 +146,37 @@ async function testSnapshotPlainMode() {
   await b.db.close();
 }
 
+async function testSqliteResourceLimits() {
+  // The node:sqlite `limits` option caps SQLITE_LIMIT_* at construction: a
+  // parse-time DoS floor. A statement over 1 MiB is rejected before SQLite's
+  // parser processes it, and ATTACH DATABASE is denied (the framework never
+  // uses it). RED on a tree without the limits option: the megaquery parses.
+  var tmpDir = fs.mkdtempSync(path.join(os.tmpdir(), "sqlim-"));
+  await _resetState();
+  await b.vault.init({ dataDir: tmpDir, mode: "plaintext" });
+  await b.db.init({
+    dataDir: tmpDir,
+    atRest:  "plain",
+    schema:  [{ name: "t", columns: { _id: "TEXT PRIMARY KEY" } }],
+  });
+
+  // A raw statement whose SQL TEXT exceeds 1 MiB is rejected at parse
+  // (sqlLength caps statement text, not bound-parameter values — the builder
+  // path always parameterizes, so this cap guards the raw-SQL surface).
+  var hugeSql = "SELECT '" + "x".repeat(1100000) + "' AS big";
+  var threw = null;
+  try { b.db.runSql(hugeSql); }
+  catch (e) { threw = e; }
+  check("sqlite limits: a >1 MiB raw statement is rejected at parse", threw !== null);
+
+  // A normal statement under the cap is unaffected.
+  b.db.from("t").insertOne({ _id: "normal" });
+  check("sqlite limits: a normal statement is unaffected",
+    b.db.from("t").where({ _id: "normal" }).first()._id === "normal");
+
+  await b.db.close();
+}
+
 async function run() {
   await testFrameworkTablesOff();
   await testAuditSigningOff();
@@ -153,6 +184,7 @@ async function run() {
   await testDbKeyPathOverride();
   await testSnapshot();
   await testSnapshotPlainMode();
+  await testSqliteResourceLimits();
 }
 
 module.exports = { run: run };

package/lib/vendor/blamejs/test/layer-0-primitives/dsa.test.js

@@ -0,0 +1,169 @@
+"use strict";
+// b.dsa — EU Digital Services Act (Reg 2022/2065) record-builders:
+// Art. 16 noticeAndAction, Art. 17 statementOfReasons, Art. 15/24(3)
+// transparencyReport. Pure builders (no DB); audit emission is captured
+// by swapping b.audit.safeEmit for the duration of each assertion.
+
+var helpers = require("../helpers");
+var b       = helpers.b;
+var check   = helpers.check;
+
+// Capture the audit events a builder emits. b.dsa resolves its audit
+// sink via require("./audit"), the same module object as b.audit, so
+// swapping b.audit.safeEmit intercepts the emission. Always restore in a
+// finally so a thrown assertion can't leak the stub.
+function captureAudit(fn) {
+  var events = [];
+  var orig = b.audit.safeEmit;
+  b.audit.safeEmit = function (ev) { events.push(ev); };
+  try { fn(events); }
+  finally { b.audit.safeEmit = orig; }
+  return events;
+}
+
+function expectCode(label, fn, code) {
+  var threw = null;
+  try { fn(); } catch (e) { threw = e; }
+  check(label, threw && (threw.code || "") === code);
+}
+
+function expectThrows(label, fn) {
+  var threw = null;
+  try { fn(); } catch (e) { threw = e; }
+  check(label, threw instanceof Error);
+}
+
+function run() {
+  // ---- surface ----
+  check("noticeAndAction is a function",         typeof b.dsa.noticeAndAction === "function");
+  check("statementOfReasons is a function",      typeof b.dsa.statementOfReasons === "function");
+  check("transparencyReport is a function",      typeof b.dsa.transparencyReport === "function");
+  check("listTransparencyMetrics is a function", typeof b.dsa.listTransparencyMetrics === "function");
+  check("DsaError exposed on b.frameworkError",  typeof b.frameworkError.DsaError === "function");
+  check("b.dsa.DsaError is the same constructor", b.dsa.DsaError === b.frameworkError.DsaError);
+
+  // ===== Art. 16 — noticeAndAction =====
+  var submittedAt = 1700000000000;
+  var nEvents = captureAudit(function () {
+    var n = b.dsa.noticeAndAction({
+      contentId:     "post-9931",
+      noticeType:    "illegal-content",
+      reason:        "Depicts a sale prohibited under national law.",
+      submittedAt:   submittedAt,
+      submitterType: "trusted-flagger",
+    });
+    check("notice: record frozen",                Object.isFrozen(n));
+    check("notice: status recorded",              n.status === "recorded");
+    check("notice: default noticeId derived",     n.noticeId === "dsa-notice-" + submittedAt);
+    check("notice: actionDueBy = submittedAt+24h", n.actionDueBy === submittedAt + b.constants.TIME.hours(24));
+    check("notice: illegal-content requires SoR",  n.statementOfReasonsRequired === true);
+  });
+  check("notice: emitted one audit event",        nEvents.length === 1);
+  check("notice: audit action dsa.notice.recorded", nEvents[0] && nEvents[0].action === "dsa.notice.recorded");
+  check("notice: audit metadata carries contentId", nEvents[0] && nEvents[0].metadata.contentId === "post-9931");
+
+  var nTerms = b.dsa.noticeAndAction({
+    contentId: "post-1", noticeType: "terms-violation", reason: "Breaches guidelines.",
+    submittedAt: submittedAt, submitterType: "individual",
+    noticeId: "op-77", actionWindowMs: b.constants.TIME.hours(48),
+  });
+  check("notice: terms-violation no SoR",       nTerms.statementOfReasonsRequired === false);
+  check("notice: explicit noticeId honored",    nTerms.noticeId === "op-77");
+  check("notice: explicit actionWindow honored", nTerms.actionDueBy === submittedAt + b.constants.TIME.hours(48));
+
+  expectCode("notice: non-object opts throws",
+    function () { b.dsa.noticeAndAction("nope"); }, "dsa/bad-opts");
+  expectThrows("notice: unknown opt key throws",
+    function () { b.dsa.noticeAndAction({ contentId: "c", noticeType: "other", reason: "r", submittedAt: submittedAt, submitterType: "individual", bogus: 1 }); });
+  expectCode("notice: missing contentId throws",
+    function () { b.dsa.noticeAndAction({ noticeType: "other", reason: "r", submittedAt: submittedAt, submitterType: "individual" }); }, "dsa/bad-content-id");
+  expectCode("notice: unknown noticeType throws",
+    function () { b.dsa.noticeAndAction({ contentId: "c", noticeType: "wat", reason: "r", submittedAt: submittedAt, submitterType: "individual" }); }, "dsa/unknown-notice-type");
+  expectCode("notice: missing submittedAt throws",
+    function () { b.dsa.noticeAndAction({ contentId: "c", noticeType: "other", reason: "r", submitterType: "individual" }); }, "dsa/bad-submitted-at");
+  expectCode("notice: unknown submitterType throws",
+    function () { b.dsa.noticeAndAction({ contentId: "c", noticeType: "other", reason: "r", submittedAt: submittedAt, submitterType: "robot" }); }, "dsa/unknown-submitter-type");
+
+  // ===== Art. 17 — statementOfReasons =====
+  var sEvents = captureAudit(function () {
+    var s = b.dsa.statementOfReasons({
+      contentId: "post-9931", decision: "content-removed",
+      legalGround: "National law prohibiting the depicted sale.",
+      facts: "Listing offered a prohibited item for sale.", automated: false,
+      redressOptions: ["internal-complaint", "judicial-redress"], noticeId: "dsa-notice-" + submittedAt,
+    });
+    check("sor: record frozen",            Object.isFrozen(s));
+    check("sor: default sorId derived",    /^dsa-sor-\d+$/.test(s.sorId));
+    check("sor: groundType legal",         s.groundType === "legal");
+    check("sor: contractualGround null",   s.contractualGround === null);
+    check("sor: redressOptions frozen",    Object.isFrozen(s.redressOptions) && s.redressOptions.length === 2);
+    check("sor: noticeId linked",          s.noticeId === "dsa-notice-" + submittedAt);
+  });
+  check("sor: emitted one audit event",    sEvents.length === 1);
+  check("sor: audit action dsa.sor.recorded", sEvents[0] && sEvents[0].action === "dsa.sor.recorded");
+
+  var sC = b.dsa.statementOfReasons({
+    contentId: "post-2", decision: "account-suspended",
+    contractualGround: "Terms section 4.2 — repeated spam.", facts: "Five spam posts in 24h.",
+    automated: true, redressOptions: ["internal-complaint"],
+  });
+  check("sor: groundType contractual", sC.groundType === "contractual");
+  check("sor: legalGround null",       sC.legalGround === null);
+  check("sor: automated true",         sC.automated === true);
+
+  expectCode("sor: unknown decision throws",
+    function () { b.dsa.statementOfReasons({ contentId: "c", decision: "nuke", legalGround: "x", facts: "f", automated: false, redressOptions: ["internal-complaint"] }); }, "dsa/unknown-decision");
+  expectCode("sor: non-boolean automated throws",
+    function () { b.dsa.statementOfReasons({ contentId: "c", decision: "no-action", legalGround: "x", facts: "f", automated: "no", redressOptions: ["internal-complaint"] }); }, "dsa/bad-automated");
+  expectCode("sor: neither ground throws",
+    function () { b.dsa.statementOfReasons({ contentId: "c", decision: "no-action", facts: "f", automated: false, redressOptions: ["internal-complaint"] }); }, "dsa/ground-required");
+  expectCode("sor: both grounds throws",
+    function () { b.dsa.statementOfReasons({ contentId: "c", decision: "no-action", legalGround: "x", contractualGround: "y", facts: "f", automated: false, redressOptions: ["internal-complaint"] }); }, "dsa/ground-required");
+  expectCode("sor: empty redressOptions throws",
+    function () { b.dsa.statementOfReasons({ contentId: "c", decision: "content-removed", legalGround: "x", facts: "f", automated: false, redressOptions: [] }); }, "dsa/redress-required");
+  expectCode("sor: unknown redress option throws",
+    function () { b.dsa.statementOfReasons({ contentId: "c", decision: "content-removed", legalGround: "x", facts: "f", automated: false, redressOptions: ["call-the-mayor"] }); }, "dsa/unknown-redress-option");
+
+  // ===== Art. 15 / 24(3) — transparencyReport =====
+  var metricNames = b.dsa.listTransparencyMetrics();
+  check("metrics: frozen list", Array.isArray(metricNames) && Object.isFrozen(metricNames));
+  check("metrics: includes noticesReceived", metricNames.indexOf("noticesReceived") !== -1);
+
+  var period = { from: Date.UTC(2025, 0, 1), to: Date.UTC(2025, 11, 31) };
+  var rEvents = captureAudit(function () {
+    var r = b.dsa.transparencyReport({
+      period: period,
+      metrics: { noticesReceived: 1200, actionsTaken: 940, automatedDecisions: 610, appeals: 75 },
+      service: "example-platform",
+    });
+    check("report: record frozen",            Object.isFrozen(r));
+    check("report: metrics frozen",           Object.isFrozen(r.metrics));
+    check("report: period frozen",            Object.isFrozen(r.period));
+    check("report: supplied metric carried",  r.metrics.noticesReceived === 1200);
+    check("report: omitted metric defaults 0", r.metrics.statementsOfReasons === 0);
+    check("report: all metric fields present", metricNames.every(function (m) { return typeof r.metrics[m] === "number"; }));
+    check("report: default reportId derived", r.reportId === "dsa-transparency-" + period.to);
+    check("report: nextReportDueBy = to+365d", r.nextReportDueBy === period.to + b.constants.TIME.days(365));
+  });
+  check("report: emitted one audit event",        rEvents.length === 1);
+  check("report: audit action transparency event", rEvents[0] && rEvents[0].action === "dsa.transparency_report.generated");
+  check("report: audit metadata actionsTaken",    rEvents[0] && rEvents[0].metadata.actionsTaken === 940);
+
+  expectCode("report: missing period throws",
+    function () { b.dsa.transparencyReport({ metrics: {} }); }, "dsa/bad-period");
+  expectCode("report: from >= to throws",
+    function () { b.dsa.transparencyReport({ period: { from: period.to, to: period.from } }); }, "dsa/bad-period-order");
+  expectCode("report: unknown metric key throws",
+    function () { b.dsa.transparencyReport({ period: period, metrics: { bogusMetric: 1 } }); }, "dsa/unknown-metric");
+  expectCode("report: negative metric throws",
+    function () { b.dsa.transparencyReport({ period: period, metrics: { appeals: -3 } }); }, "dsa/bad-metric-value");
+  expectCode("report: non-integer metric throws",
+    function () { b.dsa.transparencyReport({ period: period, metrics: { appeals: 2.5 } }); }, "dsa/bad-metric-value");
+}
+
+module.exports = { run: run };
+
+if (require.main === module) {
+  try { run(); console.log("[dsa] OK"); }
+  catch (e) { console.error("FAIL:", e && e.stack || e); process.exit(1); }
+}

package/lib/vendor/blamejs/test/layer-0-primitives/otlp-attr-redaction.test.js

@@ -15,7 +15,9 @@ var helpers = require("../helpers");
 var b     = helpers.b;
 var check = helpers.check;
 
-var otlp = require("../../lib/observability-otlp-exporter");
+var otlp        = require("../../lib/observability-otlp-exporter");
+var otlpLog     = require("../../lib/log-stream-otlp");
+var otlpLogGrpc = require("../../lib/log-stream-otlp-grpc");
 
 var SECRET_TOKEN = "Bearer eyJSECRETtokenABCdef.ghi.jkl";
 var SECRET_PW    = "hunter2-PLAINTEXT-PASSWORD";
@@ -89,6 +91,43 @@ async function run() {
   check("protobuf: api key redacted on the OTLP wire",      protoWire.indexOf(SECRET_API) === -1);
   check("protobuf: non-sensitive control attribute survives", protoWire.indexOf(CONTROL_VAL) !== -1);
 
+  // ---- OTLP LOG sinks are EGRESS too: record-meta + resource attrs must redact ----
+  // The span/metric exporters redact; the log sinks (HTTP-JSON + gRPC) shipped
+  // the same attribute maps to the collector UNREDACTED — a log line carrying a
+  // bearer token / password in its meta or a credential in a resource attribute
+  // reached the wire verbatim (CWE-532). Drive the serialization seam of both.
+  var logRec = otlpLog._toLogRecord({
+    ts: 1700000000000, level: "error", message: "boom",
+    meta: { "http.method": CONTROL_VAL, authorization: SECRET_TOKEN, password: SECRET_PW },
+  });
+  var logRecWire = JSON.stringify(logRec);
+  check("otlp-log json: record-meta bearer token redacted", logRecWire.indexOf(SECRET_TOKEN) === -1);
+  check("otlp-log json: record-meta password redacted",     logRecWire.indexOf(SECRET_PW) === -1);
+  check("otlp-log json: non-sensitive record-meta survives", logRecWire.indexOf(CONTROL_VAL) !== -1);
+
+  var logBatchWire = otlpLog._serializeBatch(
+    [{ ts: 1700000000000, level: "info", message: "m", meta: { api_key: SECRET_API } }],
+    { serviceName: "svc", resourceAttributes: { authorization: SECRET_TOKEN, region: CONTROL_VAL } },
+    "1.0.0"
+  ).toString("utf8");
+  check("otlp-log json: resource-attr bearer token redacted", logBatchWire.indexOf(SECRET_TOKEN) === -1);
+  check("otlp-log json: record-meta api key redacted",        logBatchWire.indexOf(SECRET_API) === -1);
+  check("otlp-log json: non-sensitive resource attr survives", logBatchWire.indexOf(CONTROL_VAL) !== -1);
+
+  var grpcRec = otlpLogGrpc._encodeLogRecord({
+    ts: 1700000000000, level: "error", message: "boom",
+    meta: { authorization: SECRET_TOKEN, password: SECRET_PW },
+  }).toString("latin1");
+  check("otlp-log grpc: record-meta bearer token redacted", grpcRec.indexOf(SECRET_TOKEN) === -1);
+  check("otlp-log grpc: record-meta password redacted",     grpcRec.indexOf(SECRET_PW) === -1);
+
+  var grpcReq = otlpLogGrpc._encodeExportRequest(
+    [{ ts: 1700000000000, level: "info", message: "m", meta: { api_key: SECRET_API } }],
+    { serviceName: "svc", resourceAttributes: { authorization: SECRET_TOKEN } }
+  ).toString("latin1");
+  check("otlp-log grpc: resource-attr bearer token redacted", grpcReq.indexOf(SECRET_TOKEN) === -1);
+  check("otlp-log grpc: record-meta api key redacted",        grpcReq.indexOf(SECRET_API) === -1);
+
   b.observability.setRedactor(null);   // restore default for other tests
   process.stdout.write("OK — otlp attribute redaction tests\n");
 }