@blamejs/blamejs-shop 0.4.32 → 0.4.37

package/lib/vendor/blamejs/test/layer-0-primitives/pipl-cn.test.js

@@ -0,0 +1,172 @@
+"use strict";
+// b.pipl.sccFilingAssessment + b.pipl.securityAssessmentCertificate —
+// China PIPL Art. 38/40/55 cross-border transfer record-builders (pure;
+// no DB). Drives the real b.pipl.* consumer path, asserts frozen records +
+// audit emission via a captured injected sink, and the config-time throws.
+
+var helpers = require("../helpers");
+var b       = helpers.b;
+var check   = helpers.check;
+
+// A b.audit-shaped capture sink — the builder prefers an injected
+// opts.audit object over the global b.audit (drop-silent without a DB
+// handler), so this is how the test asserts emission.
+function _captureAudit() {
+  var events = [];
+  return { events: events, safeEmit: function (ev) { events.push(ev); } };
+}
+
+function expectCode(label, fn, code) {
+  var threw = null;
+  try { fn(); } catch (e) { threw = e; }
+  check(label, threw && (threw.code || "") === code);
+}
+
+function expectThrows(label, fn) {
+  var threw = null;
+  try { fn(); } catch (e) { threw = e; }
+  check(label, threw instanceof Error);
+}
+
+function run() {
+  check("sccFilingAssessment is a function", typeof b.pipl.sccFilingAssessment === "function");
+  check("securityAssessmentCertificate is a function", typeof b.pipl.securityAssessmentCertificate === "function");
+  check("PiplError exposed on b.frameworkError", typeof b.frameworkError.PiplError === "function");
+  check("b.pipl.PiplError is the same constructor", b.pipl.PiplError === b.frameworkError.PiplError);
+  check("LEGAL_BASES is the Art. 38(1) triad",
+    b.pipl.LEGAL_BASES.length === 3 &&
+    b.pipl.LEGAL_BASES.indexOf("standard-contract") !== -1 &&
+    b.pipl.LEGAL_BASES.indexOf("security-assessment") !== -1 &&
+    b.pipl.LEGAL_BASES.indexOf("certification") !== -1);
+  check("pipl-cn is a cross-border-regulated posture",
+    b.compliance.isCrossBorderRegulated("pipl-cn") === true);
+
+  var recordedAt = 1700000000000;
+
+  // ---- sccFilingAssessment: below-threshold standard contract ----
+  var sink1 = _captureAudit();
+  var scc = b.pipl.sccFilingAssessment({
+    assessmentId: "xfer-1", transferType: "processor", recipientJurisdiction: "US",
+    dataCategories: ["contact", "billing"], legalBasis: "standard-contract",
+    volume: 5000, sensitivePI: false, recordedAt: recordedAt, audit: sink1,
+  });
+  check("scc: honors standard-contract below thresholds", scc.mechanismRequired === "standard-contract");
+  check("scc: securityAssessmentRequired false", scc.securityAssessmentRequired === false);
+  check("scc: record frozen", Object.isFrozen(scc));
+  check("scc: dataCategories frozen", Object.isFrozen(scc.dataCategories));
+  check("scc: nextReviewDueBy = recordedAt + 1 year",
+    scc.nextReviewDueBy === recordedAt + b.constants.TIME.days(365));
+  check("scc: emitted pipl.transfer.assessed",
+    sink1.events.length === 1 && sink1.events[0].action === "pipl.transfer.assessed");
+  check("scc: audit carries mechanismRequired",
+    sink1.events[0].metadata.mechanismRequired === "standard-contract");
+
+  // ---- CIIO forces security assessment over declared basis ----
+  var ciio = b.pipl.sccFilingAssessment({
+    assessmentId: "xfer-2", transferType: "controller-to-controller", recipientJurisdiction: "EU",
+    dataCategories: ["health"], legalBasis: "standard-contract",
+    volume: 100, sensitivePI: true, ciio: true, recordedAt: recordedAt,
+  });
+  check("scc: CIIO forces security-assessment", ciio.mechanismRequired === "security-assessment");
+  check("scc: CIIO sets securityAssessmentRequired", ciio.securityAssessmentRequired === true);
+  check("scc: CIIO trigger named", ciio.securityAssessmentTriggers.indexOf("ciio") !== -1);
+  check("scc: mandated assessment carries 3-year clock",
+    ciio.nextReviewDueBy === recordedAt + b.constants.TIME.days(365 * 3));
+
+  // ---- >1M non-sensitive PI forces it ----
+  var bigVol = b.pipl.sccFilingAssessment({
+    assessmentId: "xfer-3", transferType: "processor", recipientJurisdiction: "SG",
+    dataCategories: ["contact"], legalBasis: "certification",
+    volume: 1000001, sensitivePI: false, recordedAt: recordedAt,
+  });
+  check("scc: >1M non-sensitive volume forces security-assessment",
+    bigVol.mechanismRequired === "security-assessment" &&
+    bigVol.securityAssessmentTriggers.indexOf("non-sensitive-pi-volume") !== -1);
+
+  // ---- 100k-1M non-sensitive band is SCC, NOT security-assessment (the
+  //      100k cumulative threshold is the standard-contract tier per the CAC
+  //      2024 Provisions; a 200k non-sensitive transfer must not over-classify) ----
+  var midBand = b.pipl.sccFilingAssessment({
+    assessmentId: "xfer-3b", transferType: "processor", recipientJurisdiction: "US",
+    dataCategories: ["contact"], legalBasis: "standard-contract",
+    volume: 200000, sensitivePI: false, recordedAt: recordedAt,
+  });
+  check("scc: 200k non-sensitive stays standard-contract (no over-classify)",
+    midBand.mechanismRequired === "standard-contract" &&
+    midBand.securityAssessmentRequired === false);
+
+  // ---- THIS transfer's volume counts toward the cumulative sensitive
+  //      threshold: a first transfer of 10,001 sensitive subjects forces it
+  //      even with cumulativeSensitivePI omitted (defaults 0) ----
+  var firstSens = b.pipl.sccFilingAssessment({
+    assessmentId: "xfer-3c", transferType: "processor", recipientJurisdiction: "US",
+    dataCategories: ["biometric"], legalBasis: "standard-contract",
+    volume: 10001, sensitivePI: true, recordedAt: recordedAt,
+  });
+  check("scc: first 10,001 sensitive-PI transfer forces it (own volume counts)",
+    firstSens.securityAssessmentRequired === true &&
+    firstSens.securityAssessmentTriggers.indexOf("sensitive-pi-volume") !== -1);
+
+  // ---- cumulative sensitive-PI threshold (this transfer + prior cumulative) ----
+  var cumSens = b.pipl.sccFilingAssessment({
+    assessmentId: "xfer-4", transferType: "processor", recipientJurisdiction: "US",
+    dataCategories: ["biometric"], legalBasis: "standard-contract",
+    volume: 200, sensitivePI: true, cumulativeSensitivePI: 10001, recordedAt: recordedAt,
+  });
+  check("scc: >10k cumulative sensitive-PI forces it",
+    cumSens.securityAssessmentRequired === true &&
+    cumSens.securityAssessmentTriggers.indexOf("sensitive-pi-volume") !== -1);
+
+  // ---- securityAssessmentCertificate: happy path ----
+  var sink3 = _captureAudit();
+  var cert = b.pipl.securityAssessmentCertificate({
+    certId: "sa-1", assessmentScope: "CRM outbound replication",
+    dataExporter: "Acme (Shanghai) Co., Ltd.", overseasRecipient: "Acme Inc.",
+    riskRating: "medium", safeguards: ["XChaCha20 at rest", "standard contractual clauses"],
+    filingRef: "CAC-2026-0042", recordedAt: recordedAt, audit: sink3,
+  });
+  check("cert: record frozen", Object.isFrozen(cert));
+  check("cert: safeguards frozen", Object.isFrozen(cert.safeguards));
+  check("cert: validUntil = recordedAt + 3 years",
+    cert.validUntil === recordedAt + b.constants.TIME.days(365 * 3));
+  check("cert: filingRef carried", cert.filingRef === "CAC-2026-0042");
+  check("cert: emitted pipl.security_assessment.recorded",
+    sink3.events.length === 1 && sink3.events[0].action === "pipl.security_assessment.recorded");
+  check("cert: filingRef omitted defaults null",
+    b.pipl.securityAssessmentCertificate({
+      certId: "sa-2", assessmentScope: "s", dataExporter: "e", overseasRecipient: "r",
+      riskRating: "low", safeguards: ["x"], recordedAt: recordedAt,
+    }).filingRef === null);
+
+  // ---- Config-time throws ----
+  expectCode("scc: non-object opts throws",
+    function () { b.pipl.sccFilingAssessment("nope"); }, "pipl/bad-opts");
+  expectThrows("scc: unknown opt key throws",
+    function () { b.pipl.sccFilingAssessment({ assessmentId: "x", bogusKey: 1 }); });
+  expectCode("scc: missing assessmentId throws",
+    function () { b.pipl.sccFilingAssessment({ transferType: "p", recipientJurisdiction: "US", dataCategories: ["c"], legalBasis: "standard-contract", volume: 1, sensitivePI: false, recordedAt: recordedAt }); }, "pipl/bad-assessment-id");
+  expectCode("scc: empty dataCategories throws",
+    function () { b.pipl.sccFilingAssessment({ assessmentId: "x", transferType: "p", recipientJurisdiction: "US", dataCategories: [], legalBasis: "standard-contract", volume: 1, sensitivePI: false, recordedAt: recordedAt }); }, "pipl/bad-data-categories");
+  expectCode("scc: bad legalBasis throws",
+    function () { b.pipl.sccFilingAssessment({ assessmentId: "x", transferType: "p", recipientJurisdiction: "US", dataCategories: ["c"], legalBasis: "bogus", volume: 1, sensitivePI: false, recordedAt: recordedAt }); }, "pipl/bad-legal-basis");
+  expectCode("scc: non-boolean sensitivePI throws",
+    function () { b.pipl.sccFilingAssessment({ assessmentId: "x", transferType: "p", recipientJurisdiction: "US", dataCategories: ["c"], legalBasis: "standard-contract", volume: 1, sensitivePI: "yes", recordedAt: recordedAt }); }, "pipl/bad-sensitive-pi");
+  expectCode("scc: missing recordedAt throws",
+    function () { b.pipl.sccFilingAssessment({ assessmentId: "x", transferType: "p", recipientJurisdiction: "US", dataCategories: ["c"], legalBasis: "standard-contract", volume: 1, sensitivePI: false }); }, "pipl/bad-recorded-at");
+
+  expectCode("cert: missing certId throws",
+    function () { b.pipl.securityAssessmentCertificate({ assessmentScope: "s", dataExporter: "e", overseasRecipient: "r", riskRating: "low", safeguards: ["x"], recordedAt: recordedAt }); }, "pipl/bad-cert-id");
+  expectCode("cert: bad riskRating throws",
+    function () { b.pipl.securityAssessmentCertificate({ certId: "c", assessmentScope: "s", dataExporter: "e", overseasRecipient: "r", riskRating: "critical", safeguards: ["x"], recordedAt: recordedAt }); }, "pipl/bad-risk-rating");
+  expectCode("cert: empty safeguards throws",
+    function () { b.pipl.securityAssessmentCertificate({ certId: "c", assessmentScope: "s", dataExporter: "e", overseasRecipient: "r", riskRating: "low", safeguards: [], recordedAt: recordedAt }); }, "pipl/bad-safeguards");
+  expectCode("cert: bad audit sink shape throws",
+    function () { b.pipl.securityAssessmentCertificate({ certId: "c", assessmentScope: "s", dataExporter: "e", overseasRecipient: "r", riskRating: "low", safeguards: ["x"], recordedAt: recordedAt, audit: { nope: 1 } }); }, "pipl/bad-audit");
+}
+
+module.exports = { run: run };
+
+if (require.main === module) {
+  try { run(); console.log("[pipl-cn] OK"); }
+  catch (e) { console.error("FAIL:", e && e.stack || e); process.exit(1); }
+}

package/lib/vendor/blamejs/test/layer-0-primitives/retention-floor.test.js

@@ -51,12 +51,71 @@ function testUnknownPostureThrows() {
         threw && /unknown-posture/.test(threw.code || threw.message || ""));
 }
 
+function testOptionalPostureInheritance() {
+  // #121 — applyPosture(posture) records an active posture that
+  // complianceFloor() callers without an explicit posture inherit (the
+  // advertised cascade behavior). complianceFloor hard-required a string and
+  // never read STATE.activePosture, so the inheritance was unimplemented dead
+  // state; applyPosture(null) now also clears it (was a no-op).
+  var r = b.retention;
+  var prior = r.activePosture();
+  try {
+    r.applyPosture(null);
+    check("#121 applyPosture(null) clears the active posture",
+          r.activePosture() === null);
+    var threwNoActive = null;
+    try { r.complianceFloor(b.constants.TIME.days(30)); } catch (e) { threwNoActive = e; }
+    check("#121 no active posture + omitted posture → throws clearly",
+          threwNoActive !== null);
+
+    r.applyPosture("hipaa");
+    check("#121 activePosture reflects the set value", r.activePosture() === "hipaa");
+    check("#121 complianceFloor(ttl) inherits the active posture (single numeric arg)",
+          r.complianceFloor(b.constants.TIME.days(30)) === b.constants.TIME.days(365 * 6));
+    check("#121 complianceFloor(undefined, ttl) inherits the active posture",
+          r.complianceFloor(undefined, b.constants.TIME.days(30)) === b.constants.TIME.days(365 * 6));
+    check("#121 a candidate longer than the inherited floor still wins",
+          r.complianceFloor(b.constants.TIME.days(365 * 10)) === b.constants.TIME.days(365 * 10));
+    check("#121 an explicit posture still overrides the active one",
+          r.complianceFloor("pci-dss", 0) === b.constants.TIME.days(365));
+  } finally {
+    if (typeof prior === "string") r.applyPosture(prior); else r.applyPosture(null);
+  }
+}
+
+function testComplianceClearCascadesToRetention() {
+  // b.compliance.set cascades the posture into retention (via applyPosture), so
+  // b.compliance.clear must cascade the clear too — otherwise complianceFloor
+  // keeps inheriting the stale posture after the global posture was cleared.
+  if (!b.compliance || typeof b.compliance.set !== "function") return;
+  var r = b.retention;
+  try {
+    if (b.compliance.current()) b.compliance.clear();
+    r.applyPosture(null);
+    b.compliance.set("hipaa");
+    check("compliance.set cascades the posture into retention",
+          r.activePosture() === "hipaa");
+    b.compliance.clear();
+    check("compliance.clear cascades the clear into retention (no stale inheritance)",
+          r.activePosture() === null);
+    var threw = null;
+    try { r.complianceFloor(b.constants.TIME.days(30)); } catch (e) { threw = e; }
+    check("after clear, complianceFloor with no explicit posture throws (not the stale floor)",
+          threw !== null);
+  } finally {
+    try { if (b.compliance.current()) b.compliance.clear(); } catch (_e) { /* best-effort restore */ }
+    try { r.applyPosture(null); } catch (_e) { /* best-effort restore */ }
+  }
+}
+
 async function run() {
   testSurface();
   testKnownPostures();
   testCandidateGreaterThanFloor();
   testCandidateShorterThanFloor();
   testUnknownPostureThrows();
+  testOptionalPostureInheritance();
+  testComplianceClearCascadesToRetention();
 }
 
 module.exports = { run: run };

package/lib/vendor/blamejs/test/layer-0-primitives/safe-url-canonicalize.test.js

@@ -51,23 +51,75 @@ function testIpv4LoopbackEquivalenceClass() {
 }
 
 function testIpv6MappedEquivalenceClass() {
-  // IPv4-mapped IPv6 in dotted, hex, and fully-expanded spellings — all the
-  // same 16 bytes, all collapse to one bracketed RFC 5952 form.
-  var forms = [
+  // An IPv4-mapped IPv6 address (::ffff:a.b.c.d, the ::ffff:0:0/96 block) IS
+  // the IPv4 address a.b.c.d for routing / access-control: a dual-stack peer
+  // arriving on ::ffff:1.2.3.4 reaches the same host as 1.2.3.4, and the SSRF
+  // classifier already re-classifies it by the embedded v4. So the canonical
+  // form must FOLD it to the IPv4 dotted form — otherwise a dual-stack peer
+  // never unifies with an operator's IPv4 allowlist entry (the exact bypass).
+  var mappedForms = [
     "http://[::ffff:127.0.0.1]/",
     "http://[::ffff:7f00:1]/",
     "http://[0:0:0:0:0:ffff:7f00:1]/",
     "http://[0:0:0:0:0:FFFF:7F00:1]/",   // mixed-case hex
   ];
-  var first = b.safeUrl.canonicalize(forms[0]);
-  check("ipv4-mapped IPv6 canonical is bracketed RFC 5952",
-        first === "http://[::ffff:7f00:1]/");
-  for (var i = 1; i < forms.length; i += 1) {
-    check("ipv4-mapped form '" + forms[i] + "' === first canonical",
-          b.safeUrl.canonicalize(forms[i]) === first);
-    check("raw '" + forms[i] + "' !== raw '" + forms[0] + "' (old-world unequal)",
-          forms[i] !== forms[0]);
+  var bareV4 = b.safeUrl.canonicalize("http://127.0.0.1/");
+  check("plain IPv4 canonical is the dotted form", bareV4 === "http://127.0.0.1/");
+  for (var i = 0; i < mappedForms.length; i += 1) {
+    check("ipv4-mapped '" + mappedForms[i] + "' folds to the bare IPv4 form",
+          b.safeUrl.canonicalize(mappedForms[i]) === bareV4);
+    check("raw '" + mappedForms[i] + "' !== 'http://127.0.0.1/' (old-world unequal)",
+          mappedForms[i] !== "http://127.0.0.1/");
   }
+  // canonicalizeHost folds the host-only form too (used for host allowlists).
+  check("canonicalizeHost folds ::ffff:1.2.3.4 to 1.2.3.4",
+        b.ssrfGuard.canonicalizeHost("::ffff:1.2.3.4") === "1.2.3.4");
+  check("canonicalizeHost folds the all-hex mapped spelling too",
+        b.ssrfGuard.canonicalizeHost("::ffff:102:304") === "1.2.3.4");
+  // A non-mapped IPv6 (no ::ffff:0:0/96 prefix) stays IPv6 — only the
+  // v4-mapped block is an IPv4 alias; an embedded-v4 in a documentation
+  // prefix is a distinct address.
+  check("a non-mapped IPv6 stays IPv6 (::1)",
+        b.ssrfGuard.canonicalizeHost("::1") === "::1");
+  check("2001:db8::1.2.3.4 (v4 suffix, NOT v4-mapped) stays IPv6",
+        b.ssrfGuard.canonicalizeHost("2001:db8::1.2.3.4").indexOf(".") === -1);
+}
+
+function testEmbeddedV4AndTrailingDotUnification() {
+  // The canonical form must never flip an SSRF classify() verdict from blocked
+  // to allowed. Only the IPv4-mapped block (::ffff:0:0/96) folds, because
+  // classify(::ffff:x) === classify(x) — its branch returns classify(mappedV4)
+  // with NO reserved fallback. NAT64 (64:ff9b::/96) and 6to4 (2002::/16) are
+  // NOT folded: classify treats a NAT64 literal as `classify(v4) || "reserved"`,
+  // so classify("64:ff9b::8.8.8.8") is "reserved" while classify("8.8.8.8") is
+  // null — folding would turn a blocked NAT64 address into an allowed public
+  // IPv4 verdict. The invariant below pins that: canonicalizing then classifying
+  // must agree with classifying the original.
+  var classify = b.ssrfGuard.classify;
+  function classifyAgrees(host) {
+    return classify(b.ssrfGuard.canonicalizeHost(host)) === classify(host);
+  }
+  check("NAT64 stays IPv6 (a public NAT64 literal must not become an allowed IPv4)",
+        b.ssrfGuard.canonicalizeHost("64:ff9b::8.8.8.8").indexOf(".") === -1);
+  check("canonicalize agrees with classify on a public NAT64 literal",
+        classifyAgrees("64:ff9b::8.8.8.8"));
+  check("canonicalize agrees with classify on a NAT64 loopback literal",
+        classifyAgrees("64:ff9b::127.0.0.1"));
+  check("canonicalize agrees with classify on a public IPv4-mapped literal",
+        classifyAgrees("::ffff:8.8.8.8"));
+  // 6to4 (2002::/16) is a /48 PREFIX, not a 1:1 alias — it must stay IPv6
+  // (folding it would collapse a whole subnet onto one IPv4).
+  check("6to4 2002:7f00:1:: stays IPv6 (not a 1:1 v4 alias)",
+        b.ssrfGuard.canonicalizeHost("2002:7f00:1::").indexOf(".") === -1);
+
+  // Trailing dots are not significant for host identity — every count must
+  // collapse to the bare name so host / host. / host.. all unify.
+  check("single trailing dot strips to the bare name",
+        b.ssrfGuard.canonicalizeHost("example.com.") === "example.com");
+  check("multiple trailing dots all strip to the bare name",
+        b.ssrfGuard.canonicalizeHost("example.com..") === "example.com");
+  check("canonicalize unifies a trailing-dot URL host with the bare host",
+        b.safeUrl.canonicalize("http://example.com./p") === b.safeUrl.canonicalize("http://example.com/p"));
 }
 
 function testIpv6ZeroCompressionEquivalenceClass() {
@@ -284,6 +336,7 @@ function testUserinfoDroppedFromCanonicalForm() {
 
 async function run() {
   testUserinfoDroppedFromCanonicalForm();
+  testEmbeddedV4AndTrailingDotUnification();
   testIpv4LoopbackEquivalenceClass();
   testIpv6MappedEquivalenceClass();
   testIpv6ZeroCompressionEquivalenceClass();

package/lib/vendor/blamejs/test/layer-0-primitives/scheduler-watchdog-stale-settle.test.js

@@ -0,0 +1,71 @@
+"use strict";
+// #130: the scheduler watchdog force-clears task.running after maxJobMs and
+// lets the next tick re-fire. The ORIGINAL (slow) run's promise then settles
+// late and, before the fix, unconditionally wrote back task.running/lastFinish/
+// lastError AND emitted system.scheduler.task.success|failure — clobbering the
+// state the watchdog (and the new run) had moved on from, and double-counting.
+// The fix tags each run with a generation the watchdog + each fire bump; a
+// settle whose tag is stale is ignored.
+//
+// Driven through the public scheduler with a run() whose promise the test
+// controls. RED on the buggy tree: resolving the watchdog-abandoned run emits
+// a stale success. GREEN: it emits nothing; only the current run settles.
+
+var helpers   = require("../helpers");
+var b         = helpers.b;
+var check     = helpers.check;
+var auditMod  = require("../../lib/audit");
+
+var TASK = "wd-stale-settle-test";
+
+async function run() {
+  var realEmit = auditMod.safeEmit;
+  var successes = 0;
+  auditMod.safeEmit = function (ev) {
+    if (ev && ev.action === "system.scheduler.task.success" &&
+        ev.metadata && ev.metadata.name === TASK) {
+      successes += 1;
+    }
+    return realEmit.call(auditMod, ev);
+  };
+
+  var resolvers = [];   // one resolve fn per fire — the test settles them by hand
+  var sched = b.scheduler.create({ maxJobMs: 1, audit: true });   // 1ms watchdog → any stuck run is reaped next tick
+  try {
+    sched.schedule({
+      name:  TASK,
+      every: 1000,       // builder floor is 1000ms; fire 1 ≈ 1s, watchdog re-fire ≈ 2s
+      run:   function () { return new Promise(function (resolve) { resolvers.push(resolve); }); },
+    });
+    sched.start();
+
+    // Wait until the watchdog has reaped fire 1 (still pending) and re-fired,
+    // so two runs exist: resolvers[0] (abandoned) + resolvers[1] (current).
+    await helpers.waitUntil(function () { return resolvers.length >= 2; },
+      { timeoutMs: 9000, label: "#130: watchdog re-fired the task after a stuck run" });
+
+    var before = successes;
+    // Settle the FIRST run — the one the watchdog abandoned. Its late resolve
+    // must NOT emit a success (its generation is stale).
+    resolvers[0]();
+    await helpers.passiveObserve(400, "#130: stale-settle window for the abandoned run");
+    check("#130 a watchdog-abandoned run's late resolve emits NO stale success",
+          successes === before);
+
+    // The current run still settles normally → exactly one success.
+    resolvers[1]();
+    await helpers.waitUntil(function () { return successes === before + 1; },
+      { timeoutMs: 5000, label: "#130: the current run records its success" });
+    check("#130 the current (post-watchdog) run still records its success",
+          successes === before + 1);
+  } finally {
+    sched.stop();
+    auditMod.safeEmit = realEmit;
+  }
+}
+
+module.exports = { run: run };
+if (require.main === module) {
+  run().then(function () { process.exit(0); })
+       .catch(function (err) { process.stderr.write(String(err && err.stack || err) + "\n"); process.exit(1); });
+}

package/lib/vendor/blamejs/test/layer-0-primitives/session-extensions.test.js

@@ -317,7 +317,64 @@ async function testRotateRekeysFingerprint() {
   }
 }
 
+async function testLogoutEmitsClearSiteData() {
+  var tmpDir = fs.mkdtempSync(path.join(os.tmpdir(), "ses-logout-"));
+  try {
+    await setupTestDb(tmpDir);
+    var s = await b.session.create({ userId: "u-logout" });
+    check("session created", typeof s.token === "string");
+
+    var headers = {};
+    var res = {
+      setHeader: function (k, v) { headers[k] = v; },
+    };
+    var destroyed = await b.session.logout(res, s.token);
+
+    check("logout returns true (session destroyed)", destroyed === true);
+    check("logout emits Clear-Site-Data header",
+      typeof headers["Clear-Site-Data"] === "string" &&
+      headers["Clear-Site-Data"].indexOf('"cookies"') !== -1 &&
+      headers["Clear-Site-Data"].indexOf('"storage"') !== -1);
+    check("logout expires the session cookie",
+      typeof headers["Set-Cookie"] === "string" &&
+      /(^|;)\s*Max-Age=0/.test(headers["Set-Cookie"]) &&
+      headers["Set-Cookie"].indexOf("sid=;") === 0);
+    check("logout cookie is Secure + HttpOnly",
+      /HttpOnly/.test(headers["Set-Cookie"]) && /Secure/.test(headers["Set-Cookie"]));
+
+    // The session is gone cluster-wide.
+    var after = await b.session.verify(s.token);
+    check("logout destroyed the session (verify returns null)", after === null);
+
+    // Custom cookie name + an unknown Clear-Site-Data directive throws.
+    var s2 = await b.session.create({ userId: "u-logout-2" });
+    var h2 = {}; var res2 = { setHeader: function (k, v) { h2[k] = v; } };
+    await b.session.logout(res2, s2.token, { cookieName: "__Host-sid" });
+    check("logout honors custom cookieName", h2["Set-Cookie"].indexOf("__Host-sid=;") === 0);
+
+    // An unknown directive throws BEFORE any side effect — the session is NOT
+    // destroyed and no client-wipe headers are queued (validate-before-revoke).
+    var s3 = await b.session.create({ userId: "u-logout-3" });
+    var h3 = {}; var res3 = { setHeader: function (k, v) { h3[k] = v; } };
+    var threw = null;
+    try { await b.session.logout(res3, s3.token, { types: ["bogus"] }); }
+    catch (e) { threw = e; }
+    check("logout rejects an unknown Clear-Site-Data directive", threw !== null);
+    check("logout did NOT queue headers on the bad-directive throw",
+      h3["Clear-Site-Data"] === undefined && h3["Set-Cookie"] === undefined);
+    check("logout did NOT destroy the session on the bad-directive throw",
+      (await b.session.verify(s3.token)) !== null);
+
+    var badRes = null;
+    try { await b.session.logout({}, "x"); } catch (e) { badRes = e; }
+    check("logout rejects a res without setHeader", badRes && badRes.code === "session/bad-res");
+  } finally {
+    await teardownTestDb(tmpDir);
+  }
+}
+
 async function run() {
+  await testLogoutEmitsClearSiteData();
   await testSealedCookieDefault();
   await testSealedCookieRotateAndDestroy();
   await testClientIpPrefixV4();

package/lib/vendor/blamejs/test/layer-0-primitives/watcher.test.js

@@ -81,8 +81,11 @@ async function run() {
       audit: false,
     });
 
-    check("watcher.create: returns stop + root",
-      typeof w.stop === "function" && w.root === path.resolve(tmpDir));
+    // .root is canonicalized (realpathSync.native) so a Windows 8.3 short-name
+    // or a macOS /var -> /private/var symlink resolves — fs.watch event paths
+    // then prefix-match the watched root.
+    check("watcher.create: returns stop + canonical root",
+      typeof w.stop === "function" && w.root === fs.realpathSync.native(path.resolve(tmpDir)));
 
     // Drop the legacy "prime the watcher with a 200ms sleep" step —
     // helpers.waitForWatcher (15s default budget) absorbs fs.watch's
@@ -151,7 +154,8 @@ async function run() {
     var shape = changes.find(function (e) { return e.relativePath === "shape.txt"; });
     check("watcher.create: onChange has type/relativePath/fullPath/size/mtime",
       shape && shape.type === "file" && shape.size === 4 &&
-      shape.fullPath === path.join(tmpDir, "shape.txt") &&
+      // fullPath is rooted at the canonical (realpath'd) watcher root.
+      shape.fullPath === path.join(w.root, "shape.txt") &&
       shape.mtime instanceof Date);
 
     // Symlinks must be skipped on the post-event lstat path. Skip on

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@blamejs/blamejs-shop",
-  "version": "0.4.32",
+  "version": "0.4.37",
   "description": "Open-source framework built on blamejs. Vendored stack, zero npm runtime deps, PQC-first crypto, security-on by default.",
   "main": "lib/index.js",
   "scripts": {
@@ -12,7 +12,7 @@
     "release": "node scripts/release.js"
   },
   "engines": {
-    "node": ">=24.14.1"
+    "node": ">=24.16.0"
   },
   "files": [
     "lib/",