@blamejs/blamejs-shop 0.4.33 → 0.4.38

package/lib/vendor/blamejs/lib/log-stream-otlp.js

@@ -58,6 +58,11 @@ var httpClient = require("./http-client");
 var safeAsync = require("./safe-async");
 var safeUrl = require("./safe-url");
 var authHeader = require("./auth-header");
+var lazyRequire = require("./lazy-require");
+// Lazy to break the observability <-> log-stream require cycle (observability's
+// log path can reach a log-stream sink). Used only to scrub attribute values
+// through the telemetry redactor before they cross the OTLP egress boundary.
+var observability = lazyRequire(function () { return require("./observability"); });
 
 var MAX_RESPONSE_BYTES = C.BYTES.mib(1);
 var FRAMEWORK_VERSION = (pkg && pkg.version) || "unknown";
@@ -141,7 +146,10 @@ function _toLogRecord(record) {
   var sev = SEVERITY[record.level] || SEVERITY.info;
   // OTel timeUnixNano is a string (JSON can't safely represent 64-bit ints).
   var nanos = String(BigInt(record.ts) * 1000000n);
-  var attrs = record.meta ? _encodeAttrs(record.meta) : [];
+  // Telemetry is a first-class EGRESS sink: scrub every meta value through the
+  // redactor before it reaches the collector wire (CWE-532), the same contract
+  // the span/metric exporters hold.
+  var attrs = record.meta ? _encodeAttrs(observability().redactAttrs(record.meta)) : [];
   return {
     timeUnixNano:     nanos,
     observedTimeUnixNano: nanos,
@@ -158,7 +166,7 @@ function _serializeBatch(records, cfg, scopeVersion) {
     resourceLogs: [
       {
         resource: {
-          attributes: _encodeAttrs(resourceAttrs),
+          attributes: _encodeAttrs(observability().redactAttrs(resourceAttrs)),
         },
         scopeLogs: [
           {
@@ -291,10 +299,11 @@ function create(config) {
 }
 
 module.exports = {
-  create:       create,
+  create:         create,
   // Exposed for tests + advanced operator wiring.
-  _resolveUrl:  _resolveUrl,
-  _encodeAttrs: _encodeAttrs,
-  _toLogRecord: _toLogRecord,
-  SEVERITY:     SEVERITY,
+  _resolveUrl:    _resolveUrl,
+  _encodeAttrs:   _encodeAttrs,
+  _toLogRecord:   _toLogRecord,
+  _serializeBatch: _serializeBatch,
+  SEVERITY:       SEVERITY,
 };

package/lib/vendor/blamejs/lib/middleware/clear-site-data.js

@@ -87,29 +87,51 @@ var DEFAULT_TYPES = ["cookies", "storage", "cache", "executionContexts"];
  *     },
  *   ]);
  */
-function create(opts) {
-  opts = opts || {};
-  validateOpts(opts, ["types"], "middleware.clearSiteData");
-  var types = opts.types === undefined ? DEFAULT_TYPES : opts.types;
+/**
+ * @primitive b.middleware.clearSiteData.headerValue
+ * @signature b.middleware.clearSiteData.headerValue(types, label?)
+ * @since      0.15.9
+ * @status     stable
+ * @related    b.middleware.clearSiteData, b.session.logout
+ *
+ * Build the RFC 9527 §3 Clear-Site-Data header value from a list of directive
+ * types — a comma-separated list of double-quoted tokens — validating each
+ * against the known set (`cookies`, `storage`, `cache`, `executionContexts`).
+ * The middleware factory and `b.session.logout` both compose it so every
+ * emitter produces the same validated header instead of hand-rolling the
+ * quoting. Throws a `TypeError` on an unknown directive or a non-array input
+ * (config-time / entry-point tier).
+ *
+ * @example
+ *   b.middleware.clearSiteData.headerValue(["cookies", "storage"]);
+ *   // → '"cookies", "storage"'
+ */
+function headerValue(types, label) {
+  label = label || "middleware.clearSiteData";
   if (!Array.isArray(types) || types.length === 0) {
-    throw new TypeError("middleware.clearSiteData: opts.types must be a non-empty array");
+    throw new TypeError(label + ": types must be a non-empty array");
   }
   for (var i = 0; i < types.length; i += 1) {
     var t = types[i];
     if (typeof t !== "string" || !KNOWN_TYPES[t]) {
       throw new TypeError(
-        "middleware.clearSiteData: unknown type '" + t +
+        label + ": unknown type '" + t +
         "' (expected one of: " + Object.keys(KNOWN_TYPES).join(", ") + ")");
     }
   }
-  // Header value is a comma-separated list of double-quoted tokens
-  // per RFC 9527 §3 (Structured Field Value List of Strings). Build
-  // once at construction time — runtime cost is one setHeader call.
-  var headerValue = types.map(function (t) { return '"' + t + '"'; }).join(", ");
+  return types.map(function (t) { return '"' + t + '"'; }).join(", ");
+}
+
+function create(opts) {
+  opts = opts || {};
+  validateOpts(opts, ["types"], "middleware.clearSiteData");
+  var types = opts.types === undefined ? DEFAULT_TYPES : opts.types;
+  // Header value built once at construction; runtime cost is one setHeader.
+  var headerVal = headerValue(types, "middleware.clearSiteData");
 
   return function clearSiteData(req, res, next) {
     if (typeof res.setHeader === "function") {
-      res.setHeader("Clear-Site-Data", headerValue);
+      res.setHeader("Clear-Site-Data", headerVal);
     }
     next();
   };
@@ -117,6 +139,9 @@ function create(opts) {
 
 module.exports = {
   create:        create,
+  // The shared RFC 9527 header-value builder — b.session.logout composes it so
+  // the logout path emits the same validated Clear-Site-Data header.
+  headerValue:   headerValue,
   KNOWN_TYPES:   Object.keys(KNOWN_TYPES),
   DEFAULT_TYPES: DEFAULT_TYPES,
 };

package/lib/vendor/blamejs/lib/mtls-ca.js

@@ -336,8 +336,8 @@ function create(opts) {
         _writeExclusive(keyTmp, opts2.caKeyPem, 0o600);
       }
       _writeExclusive(certTmp, opts2.caCertPem, 0o644);
-      nodeFs.renameSync(keyTmp, keyDest);
-      nodeFs.renameSync(certTmp, paths.caCert);
+      atomicFile.renameWithRetry(keyTmp, keyDest);
+      atomicFile.renameWithRetry(certTmp, paths.caCert);
     } catch (e) {
       // Best-effort cleanup of half-written tmp files; the original
       // commit error is what we re-raise. Log cleanup failures at debug

package/lib/vendor/blamejs/lib/observability.js

@@ -199,8 +199,9 @@ function getRedactor() {
  *
  * Run every value of a telemetry attribute map through the active redactor and
  * return a NEW `{ key: redactedValue }` object. The OTLP exporters call this on
- * span, span-event, metric, and resource attributes before serialization so no
- * attribute value crosses the egress boundary unscrubbed (CWE-532: insertion of
+ * span, span-event, metric, log-record, and resource attributes before
+ * serialization so no attribute value crosses the egress boundary unscrubbed
+ * (the HTTP-JSON and gRPC log sinks included) (CWE-532: insertion of
  * sensitive information into an externally-shipped sink). A key whose redactor
  * throws is DROPPED — failing toward dropping, never exporting the raw value;
  * `null` / `undefined` values pass through for the type-encoder to handle.

package/lib/vendor/blamejs/lib/pipl-cn.js

@@ -0,0 +1,377 @@
+"use strict";
+/**
+ * @module b.pipl
+ * @nav    Compliance
+ * @title  PIPL (China)
+ *
+ * @intro
+ *   China PIPL (Personal Information Protection Law) cross-border
+ *   transfer record-builders. PIPL Art. 38 sets three lawful bases for
+ *   transferring personal information outside the PRC: a CAC security
+ *   assessment (Art. 40), the CAC standard contract (SCC), or
+ *   certification by a CAC-accredited body. The CAC security assessment
+ *   is MANDATORY — the operator may not self-select the standard
+ *   contract — when the exporter is a critical-information-infrastructure
+ *   operator (CIIO), handles "important data", or crosses the volume /
+ *   sensitive-PI thresholds in the Measures for Security Assessment of
+ *   Outbound Data Transfers.
+ *
+ *   These primitives follow the operator-feeds-metadata pattern: the
+ *   operator supplies the transfer's facts and the builder returns a
+ *   frozen, dated record (plus a best-effort audit event) that composes
+ *   into the operator's own retention / export sink. They perform NO
+ *   network I/O and do NOT file anything with the CAC — they document
+ *   the legal basis the operator must be able to produce on inspection.
+ *
+ * @card
+ *   China PIPL cross-border transfer records — Art. 38/40/55 SCC + CAC security-assessment basis (sccFilingAssessment, securityAssessmentCertificate).
+ */
+
+var lazyRequire = require("./lazy-require");
+var validateOpts = require("./validate-opts");
+var C = require("./constants");
+var { PiplError } = require("./framework-error");
+
+var audit = lazyRequire(function () { return require("./audit"); });
+
+// PIPL Art. 38(1) lawful cross-border mechanisms. A standard contract or
+// certification is a self-selectable basis; a security assessment is the
+// mechanism the CAC Measures impose when a mandatory trigger is present.
+var LEGAL_BASES = Object.freeze(["standard-contract", "security-assessment", "certification"]);
+
+// Mandatory-security-assessment thresholds from the CAC 2024 Provisions on
+// Promoting and Regulating Cross-Border Data Flows (Art. 7/8), which relaxed
+// the original 2022 Measures. Crossing ANY of these forces the
+// security-assessment mechanism — the operator cannot fall back to the
+// standard contract or certification.
+//   - CIIO exporter, or "important data" in scope: always mandatory.
+//   - cumulative outbound NON-sensitive PI of MORE THAN 1,000,000 individuals
+//     since 1 January of the current year (the 100,000–1,000,000 band is the
+//     standard-contract / certification tier, NOT a security-assessment
+//     trigger).
+//   - cumulative outbound SENSITIVE PI of MORE THAN 10,000 individuals in that
+//     window.
+// The thresholds are CUMULATIVE since 1 January and THIS transfer counts toward
+// them — the transfer's own `volume` is sorted into the sensitive or
+// non-sensitive bucket by `sensitivePI` and added to the running cumulative
+// before the comparison.
+var SECURITY_ASSESSMENT_NONSENSITIVE_PI_THRESHOLD = 1000000;
+var SECURITY_ASSESSMENT_SENSITIVE_PI_THRESHOLD = 10000;
+
+// Re-assessment / re-filing cadence. The CAC security assessment result
+// is valid for 3 years (Measures Art. 14); the standard-contract +
+// certification bases carry a PIPIA (Art. 55) that should be refreshed
+// at least annually or on any material change. We stamp the longer 3-year
+// clock for a mandated security assessment and a 1-year clock otherwise.
+var SECURITY_ASSESSMENT_VALIDITY_DAYS = 365 * 3;
+var STANDARD_REVIEW_DAYS = 365;
+
+var SCC_ASSESSMENT_ALLOWED_KEYS = [
+  "assessmentId", "transferType", "recipientJurisdiction", "dataCategories",
+  "legalBasis", "volume", "sensitivePI", "ciio", "importantData",
+  "cumulativePI", "cumulativeSensitivePI", "recordedAt", "audit",
+];
+
+var RISK_RATINGS = Object.freeze(["low", "medium", "high"]);
+
+var SECURITY_CERT_ALLOWED_KEYS = [
+  "certId", "assessmentScope", "dataExporter", "overseasRecipient",
+  "riskRating", "safeguards", "filingRef", "recordedAt", "audit",
+];
+
+// Resolve the audit sink: an operator-supplied b.audit-shaped object wins
+// (so the call is captured even without a DB-backed global handler);
+// otherwise fall back to the framework's global audit. Validated for shape
+// at the call site so a malformed sink throws rather than silently no-ops.
+function _resolveAudit(optsAudit, label) {
+  if (optsAudit === undefined || optsAudit === null) return audit();
+  return validateOpts.auditShape(optsAudit, label, PiplError, "pipl/bad-audit");
+}
+
+function _requireRecordedAt(value, label) {
+  if (typeof value !== "number" || !isFinite(value) || value <= 0) {
+    throw new PiplError("pipl/bad-recorded-at",
+      label + " must be a positive epoch-ms number");
+  }
+  return value;
+}
+
+/**
+ * @primitive  b.pipl.sccFilingAssessment
+ * @signature  b.pipl.sccFilingAssessment(opts)
+ * @since      0.15.8
+ * @status     stable
+ * @compliance pipl-cn
+ * @related    b.pipl.securityAssessmentCertificate, b.compliance.isCrossBorderRegulated, b.privacy.vendorReview
+ *
+ * Build a dated PIPL Art. 38 / Art. 55 cross-border transfer assessment
+ * and determine the lawful mechanism the transfer requires. PIPL Art. 38(1)
+ * permits three bases for moving personal information out of the PRC — the
+ * CAC standard contract (SCC), a CAC security assessment (Art. 40), or
+ * certification by a CAC-accredited body — but the Measures for Security
+ * Assessment of Outbound Data Transfers make the security assessment
+ * MANDATORY (the operator may NOT self-select the standard contract or
+ * certification) when the exporter is a critical-information-infrastructure
+ * operator (CIIO), exports "important data", handles personal information
+ * of more than 1,000,000 individuals, or has cumulatively exported PI of
+ * more than 100,000 individuals or sensitive PI of more than 10,000
+ * individuals since 1 January of the preceding year.
+ *
+ * The builder validates the operator-supplied facts, computes
+ * `securityAssessmentRequired` against those thresholds, resolves the
+ * `mechanismRequired` (forcing `security-assessment` when any trigger is
+ * present, otherwise honoring the operator's declared `legalBasis`), and
+ * stamps `recordedAt` plus a `nextReviewDueBy` re-assessment clock (3 years
+ * for a mandated security assessment per Measures Art. 14, otherwise the
+ * annual PIPIA refresh under Art. 55). The returned record is frozen and
+ * is NOT framework-persisted — compose it into your retention / audit /
+ * export sink. A best-effort `pipl.transfer.assessed` audit event fires.
+ *
+ * @opts
+ *   assessmentId:          string,    // required — operator's identifier for this assessment
+ *   transferType:          string,    // required — e.g. "intra-group", "processor", "controller-to-controller"
+ *   recipientJurisdiction: string,    // required — destination jurisdiction (e.g. "US", "EU", "SG")
+ *   dataCategories:        string[],  // required — non-empty list of PI categories transferred
+ *   legalBasis:            string,    // required — "standard-contract" | "security-assessment" | "certification"
+ *   volume:                number,    // required — count of data subjects in this transfer (>= 0)
+ *   sensitivePI:           boolean,   // required — whether the transfer includes sensitive PI (Art. 28)
+ *   ciio:                  boolean,   // optional — exporter is a CIIO (forces security assessment); default false
+ *   importantData:         boolean,   // optional — transfer includes "important data" (forces it); default false
+ *   cumulativePI:          number,    // optional — cumulative PI subjects exported since 1 Jan prior year; default 0
+ *   cumulativeSensitivePI: number,    // optional — cumulative sensitive-PI subjects exported in that window; default 0
+ *   recordedAt:            number,    // required — epoch ms of this assessment
+ *   audit:                 object,    // optional — b.audit-shaped sink; default global b.audit
+ *
+ * @example
+ *   var rec = b.pipl.sccFilingAssessment({
+ *     assessmentId:          "xfer-2026-001",
+ *     transferType:          "processor",
+ *     recipientJurisdiction: "US",
+ *     dataCategories:        ["contact", "billing"],
+ *     legalBasis:            "standard-contract",
+ *     volume:                5000,
+ *     sensitivePI:           false,
+ *     recordedAt:            Date.now(),
+ *   });
+ *   // → { assessmentId, mechanismRequired: "standard-contract",
+ *   //     securityAssessmentRequired: false, recordedAt, nextReviewDueBy, ... }
+ */
+function sccFilingAssessment(opts) {
+  validateOpts.requireObject(opts, "b.pipl.sccFilingAssessment: opts", PiplError, "pipl/bad-opts");
+  validateOpts(opts, SCC_ASSESSMENT_ALLOWED_KEYS, "b.pipl.sccFilingAssessment");
+  validateOpts.requireNonEmptyString(opts.assessmentId,
+    "b.pipl.sccFilingAssessment: opts.assessmentId", PiplError, "pipl/bad-assessment-id");
+  validateOpts.requireNonEmptyString(opts.transferType,
+    "b.pipl.sccFilingAssessment: opts.transferType", PiplError, "pipl/bad-transfer-type");
+  validateOpts.requireNonEmptyString(opts.recipientJurisdiction,
+    "b.pipl.sccFilingAssessment: opts.recipientJurisdiction", PiplError, "pipl/bad-recipient");
+
+  if (!Array.isArray(opts.dataCategories) || opts.dataCategories.length === 0) {
+    throw new PiplError("pipl/bad-data-categories",
+      "b.pipl.sccFilingAssessment: opts.dataCategories must be a non-empty array of strings");
+  }
+  validateOpts.optionalNonEmptyStringArray(opts.dataCategories,
+    "b.pipl.sccFilingAssessment: opts.dataCategories", PiplError, "pipl/bad-data-categories");
+
+  if (LEGAL_BASES.indexOf(opts.legalBasis) === -1) {
+    throw new PiplError("pipl/bad-legal-basis",
+      "b.pipl.sccFilingAssessment: opts.legalBasis must be one of " +
+      LEGAL_BASES.join(" | ") + " (PIPL Art. 38(1)) — got " + JSON.stringify(opts.legalBasis));
+  }
+
+  if (typeof opts.volume !== "number" || !isFinite(opts.volume) || opts.volume < 0) {
+    throw new PiplError("pipl/bad-volume",
+      "b.pipl.sccFilingAssessment: opts.volume must be a non-negative finite number (data-subject count)");
+  }
+  if (typeof opts.sensitivePI !== "boolean") {
+    throw new PiplError("pipl/bad-sensitive-pi",
+      "b.pipl.sccFilingAssessment: opts.sensitivePI must be a boolean");
+  }
+
+  var ciio = opts.ciio === undefined ? false
+    : validateOpts.optionalBoolean(opts.ciio, "b.pipl.sccFilingAssessment: opts.ciio", PiplError, "pipl/bad-ciio");
+  var importantData = opts.importantData === undefined ? false
+    : validateOpts.optionalBoolean(opts.importantData, "b.pipl.sccFilingAssessment: opts.importantData", PiplError, "pipl/bad-important-data");
+  var cumulativePI = opts.cumulativePI === undefined ? 0
+    : validateOpts.optionalFiniteNonNegative(opts.cumulativePI, "b.pipl.sccFilingAssessment: opts.cumulativePI", PiplError, "pipl/bad-cumulative-pi");
+  var cumulativeSensitivePI = opts.cumulativeSensitivePI === undefined ? 0
+    : validateOpts.optionalFiniteNonNegative(opts.cumulativeSensitivePI, "b.pipl.sccFilingAssessment: opts.cumulativeSensitivePI", PiplError, "pipl/bad-cumulative-sensitive-pi");
+
+  var recordedAt = _requireRecordedAt(opts.recordedAt, "b.pipl.sccFilingAssessment: opts.recordedAt");
+  // Resolve + shape-validate the audit sink at the entry-point tier (THROWS
+  // on a malformed sink) — NOT inside the drop-silent emission try/catch
+  // below, which would swallow the config error.
+  var auditSink = _resolveAudit(opts.audit, "b.pipl.sccFilingAssessment: opts.audit");
+
+  // Mandatory-security-assessment determination (CAC 2024 Provisions, Art. 7/8).
+  // Crossing ANY trigger forces the security-assessment mechanism regardless of
+  // the operator's declared legalBasis — the operator cannot self-downgrade to
+  // the standard contract or certification once a trigger is present. The
+  // thresholds are cumulative since 1 January and THIS transfer counts: sort its
+  // own volume into the sensitive or non-sensitive bucket and add it to the
+  // running cumulative before comparing, so a first/planned transfer that alone
+  // crosses a threshold is classified correctly without the caller having to
+  // pre-add it to the cumulative field.
+  var effectiveSensitivePI    = cumulativeSensitivePI + (opts.sensitivePI ? opts.volume : 0);
+  var effectiveNonSensitivePI = cumulativePI          + (opts.sensitivePI ? 0 : opts.volume);
+  var triggers = [];
+  if (ciio) triggers.push("ciio");
+  if (importantData) triggers.push("important-data");
+  if (effectiveNonSensitivePI > SECURITY_ASSESSMENT_NONSENSITIVE_PI_THRESHOLD) triggers.push("non-sensitive-pi-volume");
+  if (effectiveSensitivePI > SECURITY_ASSESSMENT_SENSITIVE_PI_THRESHOLD) triggers.push("sensitive-pi-volume");
+
+  var securityAssessmentRequired = triggers.length > 0;
+  var mechanismRequired = securityAssessmentRequired ? "security-assessment" : opts.legalBasis;
+  var nextReviewDays = securityAssessmentRequired ? SECURITY_ASSESSMENT_VALIDITY_DAYS : STANDARD_REVIEW_DAYS;
+
+  var record = Object.freeze({
+    assessmentId:               opts.assessmentId,
+    transferType:               opts.transferType,
+    recipientJurisdiction:      opts.recipientJurisdiction,
+    dataCategories:             Object.freeze(opts.dataCategories.slice()),
+    legalBasis:                 opts.legalBasis,
+    volume:                     opts.volume,
+    sensitivePI:                opts.sensitivePI,
+    mechanismRequired:          mechanismRequired,
+    securityAssessmentRequired: securityAssessmentRequired,
+    securityAssessmentTriggers: Object.freeze(triggers),
+    legalReference:             "PIPL Art. 38 / Art. 40 / Art. 55",
+    recordedAt:                 recordedAt,
+    nextReviewDueBy:            recordedAt + C.TIME.days(nextReviewDays),
+  });
+
+  try {
+    auditSink.safeEmit({
+      action:   "pipl.transfer.assessed",
+      outcome:  "success",
+      resource: { kind: "pipl-cross-border-transfer", id: opts.assessmentId },
+      metadata: {
+        transferType:               opts.transferType,
+        recipientJurisdiction:      opts.recipientJurisdiction,
+        mechanismRequired:          mechanismRequired,
+        securityAssessmentRequired: securityAssessmentRequired,
+        triggers:                   triggers,
+        recordedAt:                 recordedAt,
+      },
+    });
+  } catch (_e) { /* drop-silent — audit is best-effort, never block the builder */ }
+
+  return record;
+}
+
+/**
+ * @primitive  b.pipl.securityAssessmentCertificate
+ * @signature  b.pipl.securityAssessmentCertificate(opts)
+ * @since      0.15.8
+ * @status     stable
+ * @compliance pipl-cn
+ * @related    b.pipl.sccFilingAssessment, b.compliance.isCrossBorderRegulated
+ *
+ * Record a dated PIPL Art. 40 / CAC security-assessment self-declaration
+ * for an outbound data transfer. PIPL Art. 40 and the Measures for
+ * Security Assessment of Outbound Data Transfers require an operator who
+ * must pass (or has passed) the CAC security assessment to document the
+ * assessment scope, the data exporter, the overseas recipient, a risk
+ * rating, and the safeguards relied on — the evidence the operator must be
+ * able to produce on CAC inspection. This builder validates the supplied
+ * facts and returns a frozen, dated certificate record stamped with a
+ * 3-year `validUntil` clock (the CAC security-assessment result validity
+ * period, Measures Art. 14). It performs NO network I/O and files nothing
+ * with the CAC — it documents the assessment the operator conducted. A
+ * best-effort `pipl.security_assessment.recorded` audit event fires.
+ *
+ * @opts
+ *   certId:            string,    // required — operator's identifier for this certificate
+ *   assessmentScope:   string,    // required — scope of the security assessment (systems / data flows covered)
+ *   dataExporter:      string,    // required — the PRC data exporter (controller / processor)
+ *   overseasRecipient: string,    // required — the overseas recipient receiving the PI
+ *   riskRating:        string,    // required — "low" | "medium" | "high"
+ *   safeguards:        string[],  // required — non-empty list of safeguards relied on (encryption, DPA, etc.)
+ *   filingRef:         string,    // optional — CAC filing / acceptance reference number
+ *   recordedAt:        number,    // required — epoch ms of this declaration
+ *   audit:             object,    // optional — b.audit-shaped sink; default global b.audit
+ *
+ * @example
+ *   var cert = b.pipl.securityAssessmentCertificate({
+ *     certId:            "sa-2026-014",
+ *     assessmentScope:   "CRM outbound replication to US region",
+ *     dataExporter:      "Acme (Shanghai) Co., Ltd.",
+ *     overseasRecipient: "Acme Inc. (Delaware)",
+ *     riskRating:        "medium",
+ *     safeguards:        ["XChaCha20 at rest", "standard contractual clauses", "data minimization"],
+ *     recordedAt:        Date.now(),
+ *   });
+ *   // → { certId, assessmentScope, riskRating, recordedAt, validUntil }
+ */
+function securityAssessmentCertificate(opts) {
+  validateOpts.requireObject(opts, "b.pipl.securityAssessmentCertificate: opts", PiplError, "pipl/bad-opts");
+  validateOpts(opts, SECURITY_CERT_ALLOWED_KEYS, "b.pipl.securityAssessmentCertificate");
+  validateOpts.requireNonEmptyString(opts.certId,
+    "b.pipl.securityAssessmentCertificate: opts.certId", PiplError, "pipl/bad-cert-id");
+  validateOpts.requireNonEmptyString(opts.assessmentScope,
+    "b.pipl.securityAssessmentCertificate: opts.assessmentScope", PiplError, "pipl/bad-scope");
+  validateOpts.requireNonEmptyString(opts.dataExporter,
+    "b.pipl.securityAssessmentCertificate: opts.dataExporter", PiplError, "pipl/bad-exporter");
+  validateOpts.requireNonEmptyString(opts.overseasRecipient,
+    "b.pipl.securityAssessmentCertificate: opts.overseasRecipient", PiplError, "pipl/bad-recipient");
+
+  if (RISK_RATINGS.indexOf(opts.riskRating) === -1) {
+    throw new PiplError("pipl/bad-risk-rating",
+      "b.pipl.securityAssessmentCertificate: opts.riskRating must be one of " +
+      RISK_RATINGS.join(" | ") + " — got " + JSON.stringify(opts.riskRating));
+  }
+
+  if (!Array.isArray(opts.safeguards) || opts.safeguards.length === 0) {
+    throw new PiplError("pipl/bad-safeguards",
+      "b.pipl.securityAssessmentCertificate: opts.safeguards must be a non-empty array of strings");
+  }
+  validateOpts.optionalNonEmptyStringArray(opts.safeguards,
+    "b.pipl.securityAssessmentCertificate: opts.safeguards", PiplError, "pipl/bad-safeguards");
+
+  var filingRef = validateOpts.optionalNonEmptyString(opts.filingRef,
+    "b.pipl.securityAssessmentCertificate: opts.filingRef", PiplError, "pipl/bad-filing-ref");
+
+  var recordedAt = _requireRecordedAt(opts.recordedAt, "b.pipl.securityAssessmentCertificate: opts.recordedAt");
+  // Entry-point shape-validate the audit sink (THROWS) before the drop-silent
+  // emission try/catch below.
+  var auditSink = _resolveAudit(opts.audit, "b.pipl.securityAssessmentCertificate: opts.audit");
+
+  var record = Object.freeze({
+    certId:            opts.certId,
+    assessmentScope:   opts.assessmentScope,
+    dataExporter:      opts.dataExporter,
+    overseasRecipient: opts.overseasRecipient,
+    riskRating:        opts.riskRating,
+    safeguards:        Object.freeze(opts.safeguards.slice()),
+    filingRef:         filingRef || null,
+    legalReference:    "PIPL Art. 40 / CAC Measures for Security Assessment of Outbound Data Transfers",
+    recordedAt:        recordedAt,
+    validUntil:        recordedAt + C.TIME.days(SECURITY_ASSESSMENT_VALIDITY_DAYS),
+  });
+
+  try {
+    auditSink.safeEmit({
+      action:   "pipl.security_assessment.recorded",
+      outcome:  "success",
+      resource: { kind: "pipl-security-assessment", id: opts.certId },
+      metadata: {
+        assessmentScope:   opts.assessmentScope,
+        dataExporter:      opts.dataExporter,
+        overseasRecipient: opts.overseasRecipient,
+        riskRating:        opts.riskRating,
+        filingRef:         filingRef || null,
+        recordedAt:        recordedAt,
+      },
+    });
+  } catch (_e) { /* drop-silent — audit is best-effort, never block the builder */ }
+
+  return record;
+}
+
+module.exports = {
+  sccFilingAssessment:           sccFilingAssessment,
+  securityAssessmentCertificate: securityAssessmentCertificate,
+  LEGAL_BASES:                   LEGAL_BASES,
+  RISK_RATINGS:                  RISK_RATINGS,
+  PiplError:                     PiplError,
+};

package/lib/vendor/blamejs/lib/restore-rollback.js

@@ -119,7 +119,7 @@ function swap(opts) {
   // Step 1: rename current dataDir → rollback nodePath. Skipped on first
   // restore (no existing dataDir).
   if (hadDataDir) {
-    try { nodeFs.renameSync(opts.dataDir, rollbackPath); }
+    try { atomicFile.renameWithRetry(opts.dataDir, rollbackPath); }
     catch (e) {
       throw new RestoreRollbackError("restore-rollback/rename-existing-failed",
         "swap: could not move existing dataDir to rollback: " + ((e && e.message) || String(e)));
@@ -127,11 +127,11 @@ function swap(opts) {
   }
 
   // Step 2: rename staging → dataDir
-  try { nodeFs.renameSync(opts.stagingDir, opts.dataDir); }
+  try { atomicFile.renameWithRetry(opts.stagingDir, opts.dataDir); }
   catch (e) {
     // Step 2 failed — try to undo step 1 so the operator's dataDir is back
     if (hadDataDir) {
-      try { nodeFs.renameSync(rollbackPath, opts.dataDir); }
+      try { atomicFile.renameWithRetry(rollbackPath, opts.dataDir); }
       catch (_e) { /* dataDir is now in rollbackPath; operator must recover manually */ }
     }
     throw new RestoreRollbackError("restore-rollback/rename-staging-failed",
@@ -220,7 +220,7 @@ async function rollback(opts) {
     atomicFile.ensureDir(rollbackRoot);
     discardedAt = atomicFile.pathTimestamp();
     var discardedPath = nodePath.join(rollbackRoot, "discarded-" + discardedAt);
-    try { nodeFs.renameSync(opts.dataDir, discardedPath); }
+    try { atomicFile.renameWithRetry(opts.dataDir, discardedPath); }
     catch (e) {
       throw new RestoreRollbackError("restore-rollback/rename-existing-failed",
         "rollback: could not move current dataDir aside: " + ((e && e.message) || String(e)));
@@ -229,7 +229,7 @@ async function rollback(opts) {
   }
 
   // Rename the rollback dir back into dataDir's place
-  try { nodeFs.renameSync(opts.rollbackPath, opts.dataDir); }
+  try { atomicFile.renameWithRetry(opts.rollbackPath, opts.dataDir); }
   catch (e) {
     throw new RestoreRollbackError("restore-rollback/rollback-rename-failed",
       "rollback: could not move rollback into dataDir: " + ((e && e.message) || String(e)) +

package/lib/vendor/blamejs/lib/self-update.js

@@ -676,7 +676,7 @@ async function swap(opts) {
   // don't silently lose both binaries (the prior best-effort comment
   // swallowed the rollback exception — SSDF RV.1 violation).
   try {
-    nodeFs.renameSync(from, to);
+    atomicFile.renameWithRetry(from, to);
   } catch (e) {
     if (e && e.code === "EXDEV") {
       // Cross-device — copy + unlink. Use atomicFile.copy for the safety

package/lib/vendor/blamejs/lib/session.js

@@ -65,6 +65,9 @@ var { SessionError } = require("./framework-error");
 // the cookie-side sid so the wire token is ciphertext rather than
 // plaintext (sealed-cookie default since v0.8.61).
 var vault = lazyRequire(function () { return require("./vault"); });
+// Lazy — b.session.logout composes the Clear-Site-Data header builder; keep it
+// out of the boot require graph (no cycle, but session is a low-level primitive).
+var clearSiteData = lazyRequire(function () { return require("./middleware/clear-site-data"); });
 
 // Pluggable session-storage backend. Default uses cluster-storage (which
 // in turn dispatches to the framework's main DB or external DB). An
@@ -705,6 +708,66 @@ async function destroy(token) {
   return await _deleteBySidHash(_hashSid(sid));
 }
 
+/**
+ * @primitive b.session.logout
+ * @signature b.session.logout(res, token, opts?)
+ * @since     0.15.9
+ * @status    stable
+ * @related   b.session.destroy, b.middleware.clearSiteData
+ *
+ * Secure logout in one call: destroy the server-side session AND tell the
+ * browser to wipe its client-side state. It emits an RFC 9527 Clear-Site-Data
+ * response header (cookies + storage + cache + executionContexts by default)
+ * and expires the session cookie, then destroys the session row. `destroy()`
+ * alone is a store operation with no `res`, so it cannot wipe the browser's
+ * cached pages / storage / any stale tab still holding the now-revoked cookie;
+ * this composes the secure-default logout the middleware otherwise had to be
+ * mounted by hand. Returns whether a session was destroyed. Leader-only.
+ *
+ * @opts
+ *   cookieName: string,    // default: "sid" — the session cookie to expire
+ *   types:      string[],  // default: the RFC 9527 Clear-Site-Data directive set
+ *
+ * @example
+ *   app.post("/logout", async function (req, res) {
+ *     await b.session.logout(res, req.cookies.sid);
+ *     res.end("logged out");
+ *   });
+ *   // → emits Clear-Site-Data + expires the sid cookie + destroys the session
+ */
+async function logout(res, token, opts) {
+  if (!res || typeof res.setHeader !== "function") {
+    throw new SessionError("session/bad-res",
+      "b.session.logout: res must be an HTTP response with setHeader()");
+  }
+  opts = opts || {};
+  var cookieName = opts.cookieName === undefined ? "sid" : opts.cookieName;
+  if (typeof cookieName !== "string" || cookieName.length === 0) {
+    throw new SessionError("session/bad-cookie-name",
+      "b.session.logout: opts.cookieName must be a non-empty string");
+  }
+  var csd = clearSiteData();
+  var types = opts.types === undefined ? csd.DEFAULT_TYPES : opts.types;
+  // Build (and validate) the RFC 9527 header BEFORE any side effect — an
+  // unknown directive throws here, queuing nothing.
+  var clearSiteDataValue = csd.headerValue(types, "b.session.logout");
+
+  // Revoke the server-side session FIRST. If destroy() throws (a follower
+  // failing cluster.requireLeader(), or a store/DB error), no client-wipe
+  // headers have been queued — an error response can't then expire the
+  // browser cookie + Clear-Site-Data while the session row is still live,
+  // which would leave a copied token usable server-side.
+  var destroyed = await destroy(token);
+
+  // Now wipe the client-side state: RFC 9527 Clear-Site-Data (cookies /
+  // storage / cache) + expire the session cookie (belt-and-suspenders with the
+  // "cookies" directive, and effective even if the client ignores the header).
+  res.setHeader("Clear-Site-Data", clearSiteDataValue);
+  res.setHeader("Set-Cookie",
+    cookieName + "=; Path=/; HttpOnly; Secure; SameSite=Strict; Max-Age=0");
+  return destroyed;
+}
+
 async function _deleteBySidHash(sidHash) {
   var built = sql.delete(_sessionSqlTable(), _sessionSqlOpts())
     .where("sidHash", sidHash)
@@ -1245,6 +1308,7 @@ module.exports = {
   create:               create,
   verify:               verify,
   destroy:              destroy,
+  logout:               logout,
   destroyAllForUser:    destroyAllForUser,
   touch:                touch,
   rotate:               rotate,