@blamejs/blamejs-shop 0.4.33 → 0.4.38

package/lib/vendor/blamejs/lib/vault/passphrase-ops.js

@@ -169,7 +169,7 @@ async function seal(opts) {
   }
 
   // Step 3: atomic rename sealed.tmp → sealed
-  nodeFs.renameSync(p.sealedTmp, p.sealed);
+  atomicFile.renameWithRetry(p.sealedTmp, p.sealed);
   atomicFile.fsyncDir(opts.dataDir);
 
   // Step 4: delete plaintext (unless keepPlaintext)
@@ -220,7 +220,7 @@ async function unseal(opts) {
   }
 
   // Step 3: atomic rename plaintext.tmp → plaintext
-  nodeFs.renameSync(p.plaintextTmp, p.plaintext);
+  atomicFile.renameWithRetry(p.plaintextTmp, p.plaintext);
   atomicFile.fsyncDir(opts.dataDir);
 
   // Step 4: delete sealed file
@@ -293,7 +293,7 @@ async function rotate(opts) {
   }
 
   // Step 3: atomic rename — swap in the new sealed file
-  nodeFs.renameSync(p.sealedTmp, p.sealed);
+  atomicFile.renameWithRetry(p.sealedTmp, p.sealed);
   atomicFile.fsyncDir(opts.dataDir);
 
   return { sealedPath: p.sealed };

package/lib/vendor/blamejs/lib/watcher.js

@@ -316,6 +316,14 @@ function create(opts) {
   _validateOpts(opts);
 
   var root        = nodePath.resolve(opts.root);
+  // Canonicalize to the real long path. On Windows a path with an 8.3
+  // short-name component (os.tmpdir() commonly resolves to C:\Users\RUNNER~1\…)
+  // makes the native recursive backend (ReadDirectoryChangesW) deliver
+  // long-name event paths that no longer prefix-match the watched root, which
+  // trips a libuv fs-event assertion and aborts the process on some Node builds.
+  // realpathSync.native expands short names and resolves symlinks; guarded so a
+  // non-existent root still falls through to the watcher's own not-found error.
+  try { root = nodeFs.realpathSync.native(root); } catch (_e) { /* keep resolved path */ }
   var debounceMs  = (opts.debounceMs !== undefined) ? opts.debounceMs : DEFAULT_DEBOUNCE_MS;
   var maxPending  = (opts.maxPending !== undefined) ? opts.maxPending : DEFAULT_MAX_PENDING;
   var requestedMode = opts.mode || "fs";

package/lib/vendor/blamejs/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@blamejs/core",
-  "version": "0.15.7",
+  "version": "0.15.9",
   "description": "The Node framework that owns its stack.",
   "license": "Apache-2.0",
   "author": "blamejs contributors",
@@ -54,7 +54,7 @@
     "owns-its-stack"
   ],
   "engines": {
-    "node": ">=24.14.1"
+    "node": ">=24.16.0"
   },
   "files": [
     "index.js",

package/lib/vendor/blamejs/release-notes/v0.15.8.json

@@ -0,0 +1,48 @@
+{
+  "$schema": "../scripts/release-notes-schema.json",
+  "version": "0.15.8",
+  "date": "2026-06-13",
+  "headline": "Redacts OTLP log-sink attributes to close a secret/PII egress the span fix missed, adds EU DSA and China PIPL cross-border compliance record-builders, ships an SSDF producer self-attestation with every release, and makes the published tarball reproducible",
+  "summary": "This release closes a telemetry egress hole, adds two compliance record-builder namespaces, and hardens the release supply chain. The OTLP log sinks (HTTP-JSON and gRPC) shipped a log record's meta attributes and the resource attributes to the collector unredacted — a log line carrying a bearer token, password, or API key reached the wire verbatim (CWE-532). The 0.15.4 fix wired the telemetry redactor into the span and metric exporters but the log sinks were missed; both now run record and resource attributes through the same redactor before serialization. New b.dsa builds the EU Digital Services Act (Reg 2022/2065) records an intermediary or platform must keep — Art. 16 notice-and-action, Art. 17 statement of reasons, and the Art. 15 / 24(3) transparency report. New b.pipl builds the China PIPL cross-border transfer records — an Art. 38/40 assessment that determines whether a CAC security assessment is mandatory (CIIO, important data, or the volume / sensitive-PI thresholds), and an Art. 40 security-assessment certificate. On the supply-chain side, every release now ships ssdf-attestation.json, a machine-readable NIST SP 800-218 / OMB M-22-18 producer self-attestation mapping each secure-development practice to its implementing control, and the published tarball is now packed with SOURCE_DATE_EPOCH so an operator can rebuild it byte-for-byte from the release commit.",
+  "sections": [
+    {
+      "heading": "Added",
+      "items": [
+        {
+          "title": "b.dsa — EU Digital Services Act compliance record-builders",
+          "body": "`b.dsa` builds the dated, frozen records the EU Digital Services Act (Regulation (EU) 2022/2065) requires an online intermediary or platform to keep: `b.dsa.noticeAndAction` (Art. 16) records a notice against a piece of content and computes the action-due window; `b.dsa.statementOfReasons` (Art. 17) records a moderation decision with its legal or contractual ground (exactly one is required), the facts, whether it was automated, and the redress routes offered; `b.dsa.transparencyReport` (Art. 15 / 24(3)) aggregates the period counts into a report with the next-due date. The builders perform no network I/O and emit a best-effort audit event; they map to the `dsa` compliance posture."
+        },
+        {
+          "title": "b.pipl — China PIPL cross-border transfer record-builders",
+          "body": "`b.pipl.sccFilingAssessment` builds a PIPL Art. 38/40/55 cross-border transfer assessment and determines the lawful mechanism: it forces a CAC security assessment (over a self-selected standard contract or certification) when the exporter is a critical-information-infrastructure operator, exports important data, handles personal information of more than 1,000,000 individuals, or crosses the cumulative volume / sensitive-PI thresholds. `b.pipl.securityAssessmentCertificate` records an Art. 40 security-assessment self-declaration with a 3-year validity clock. Both return frozen dated records and map to the `pipl-cn` posture."
+        },
+        {
+          "title": "SSDF producer self-attestation shipped with every release",
+          "body": "Every release now attaches `ssdf-attestation.json` — a machine-readable NIST SP 800-218 (SSDF v1.1) / OMB M-22-18 producer self-attestation. It maps each secure-software-development practice to its implementing control in the tree (SLSA L3 provenance, SSH-signed tags, vendored zero-runtime-dep supply chain, OSV-Scanner gating, coordinated disclosure) and is deterministic from the release commit. Its sha256 is a subject of the SLSA L3 provenance, so verifying the provenance verifies the attestation has not been tampered with. Downstream consumers who require SSDF supplier-compliance evidence can download it from the release page."
+        }
+      ]
+    },
+    {
+      "heading": "Security",
+      "items": [
+        {
+          "title": "OTLP log sinks redact record and resource attributes before export",
+          "body": "`b.logStream`'s OTLP log sinks (HTTP-JSON and gRPC) shipped a log record's `meta` attributes and the sink's resource attributes to the collector UNREDACTED, so a log line whose meta carried a bearer token, password, or API key — or a credential placed in a resource attribute — reached the OTLP wire verbatim (CWE-532). The 0.15.4 change baked the telemetry redactor into the span and metric exporters but its detector was anchored on the span/metric encoder function names, leaving the log sinks uncovered. Both log sinks now run record and resource attributes through `b.observability.redactAttrs` before serialization, the same egress contract the span and metric exporters already hold."
+        },
+        {
+          "title": "Reproducible published tarball (SOURCE_DATE_EPOCH)",
+          "body": "The release workflow now exports `SOURCE_DATE_EPOCH` (derived from the tagged commit's author date) before `npm pack`, so the mtime stamped into every tar header is deterministic. An operator can re-pack the package from the same commit and match the published tarball's sha256 byte-for-byte, strengthening the source-to-artifact verification path alongside the existing SLSA L3 provenance and PQC signatures."
+        }
+      ]
+    },
+    {
+      "heading": "Detectors",
+      "items": [
+        {
+          "title": "otlp-log-sink-encodes-attrs-without-redactor",
+          "body": "Fires when an OTLP log-sink encoder hands a raw `record.meta` or resource-attribute map to serialization without routing it through `observability.redactAttrs` — the class the span/metric detector could not see because the log sinks carry the OTLP-logs schema function names."
+        }
+      ]
+    }
+  ]
+}

package/lib/vendor/blamejs/release-notes/v0.15.9.json

@@ -0,0 +1,58 @@
+{
+  "$schema": "../scripts/release-notes-schema.json",
+  "version": "0.15.9",
+  "date": "2026-06-13",
+  "headline": "Raises the Node floor to 24.16, adds SQLite parse-time resource caps, retries Windows rename locks on every atomic write and download, and ships a one-call secure logout that wipes client-side state",
+  "summary": "This release moves the engines floor to the current Node 24 LTS patch level and adds three hardening primitives. node:sqlite handles now construct with SQLITE_LIMIT_* caps: a statement over 1 MiB is rejected at parse time (a DoS floor on the raw-SQL surface, complementary to the existing row-count gate) and ATTACH DATABASE is denied. Every final temp-to-destination rename — the file written by an atomic write, a downloaded file, a sealed vault key, a rotated log, an extracted archive entry — now routes through a single retry that rides out a transient Windows lock (antivirus, the search indexer, or a file-sync client briefly holding the destination), instead of surfacing the lock as a hard failure; the retry, previously hand-rolled and unreachable, is now the reusable b.atomicFile.renameWithRetry. And b.session.logout destroys a session and tells the browser to wipe its client-side state in one call: it emits an RFC 9527 Clear-Site-Data header and expires the session cookie before destroying the row, the secure-default logout that previously had to be assembled by hand.",
+  "sections": [
+    {
+      "heading": "Changed",
+      "items": [
+        {
+          "title": "Node engines floor raised to >=24.16.0",
+          "body": "The minimum supported Node is now 24.16.0 (the current Node 24 LTS patch level), up from 24.14.1. This is an LTS-currency bump — there are no Node CVE fixes between 24.14.1 and 24.16.0 (24.14.1 already carried the CVE-2026-21713 HMAC fix); it keeps the framework on the latest patched LTS and makes the node:sqlite resource-cap hardening below available everywhere. Pre-1.0, operators upgrade across the floor; Node 26 continues to satisfy it."
+        }
+      ]
+    },
+    {
+      "heading": "Security",
+      "items": [
+        {
+          "title": "SQLite parse-time statement-size cap",
+          "body": "Every node:sqlite database the framework opens — the main db handle and the CLI's handle — now constructs with a SQLITE_LIMIT_LENGTH cap: a SQL statement over 1 MiB is rejected at parse time. Because the query builder parameterizes every value, the size cap guards the raw-SQL surface (`b.db.runSql`) against an attacker-influenced megaquery the parser would otherwise process (SQLite's default is 1 GB); it is a parse-time DoS floor complementary to the existing row-count gate. Legitimate framework and operator statements are far under the cap."
+        },
+        {
+          "title": "Windows rename-lock retry on every atomic rename and download",
+          "body": "On Windows a freshly-written file's destination is briefly held by antivirus, the search indexer, or a file-sync client (Dropbox, OneDrive), surfacing as a transient EPERM / EACCES / EBUSY on rename even though the temp file is fine. `b.atomicFile.writeSync` already retried this, but `b.httpClient.downloadStream` did not — a download into a cloud-synced or AV-scanned directory could fail hard on the lock. The retry is now the reusable `b.atomicFile.renameWithRetry`, and every final temp-to-destination rename in the framework routes through it: downloads, sealed vault keys, CA key/cert writes, log rotation, archive extraction, config-drift sidecars, the self-update binary swap, and restore/rollback moves. A non-transient error still throws immediately; POSIX renames are unaffected."
+        }
+      ]
+    },
+    {
+      "heading": "Added",
+      "items": [
+        {
+          "title": "b.session.logout — one-call secure logout",
+          "body": "`b.session.logout(res, token, opts?)` destroys the server-side session AND tells the browser to wipe its client-side state in one call: it emits an RFC 9527 Clear-Site-Data response header (cookies + storage + cache + execution contexts by default) and expires the session cookie, then destroys the session row. `b.session.destroy` alone is a store operation with no response object, so it could not wipe the browser's cached pages, storage, or a stale tab still holding the now-revoked cookie — that wiring previously had to be mounted by hand. Pass `cookieName` to match a non-default cookie and `types` to choose the Clear-Site-Data directives."
+        }
+      ]
+    },
+    {
+      "heading": "Fixed",
+      "items": [
+        {
+          "title": "b.watcher canonicalizes its root on Windows",
+          "body": "`b.watcher.create` now resolves its `root` to the real long path before watching. On Windows a root with an 8.3 short-name component (the system temp directory commonly resolves to one) made the native recursive backend deliver long-name event paths that no longer prefix-matched the watched root, which could abort the process under a strict libuv fs-event assertion. The watcher now canonicalizes the root (expanding short names and resolving symlinks), so events match the watched directory on Windows."
+        }
+      ]
+    },
+    {
+      "heading": "Detectors",
+      "items": [
+        {
+          "title": "Rename-retry, SQLite-limits, and Clear-Site-Data guards",
+          "body": "Three recurrence detectors ship with the fixes: a bare `nodeFs.renameSync` final rename that doesn't route through `atomicFile.renameWithRetry`; a main `DatabaseSync` handle constructed without the SQLITE_LIMIT_LENGTH `limits`; and a hand-rolled Clear-Site-Data header value that skips the shared RFC 9527 builder."
+        }
+      ]
+    }
+  ]
+}

package/lib/vendor/blamejs/scripts/generate-ssdf-attestation.js

@@ -0,0 +1,338 @@
+"use strict";
+// Emit a NIST SP 800-218 (SSDF) / OMB M-22-18 producer self-attestation
+// as a machine-readable JSON artifact, attached to each GitHub release.
+//
+// Run via:
+//   node scripts/generate-ssdf-attestation.js \
+//     --version 0.15.7 --commit <sha> --date 2026-06-13T00:00:00Z \
+//     > ssdf-attestation.json
+//
+//   # or with --out:
+//   node scripts/generate-ssdf-attestation.js --out ssdf-attestation.json
+//
+// Wired into .github/workflows/npm-publish.yml alongside the SBOM +
+// cosign + SLSA steps. Downstream consumers who require SSDF supplier-
+// compliance evidence (OMB M-22-18 / M-23-16 self-attestation) download
+// this from the release page.
+//
+// WHAT THIS IS — AND IS NOT.
+//   This is a PRODUCER SELF-ATTESTATION, the machine-readable companion
+//   to the CISA / OMB "Secure Software Development Attestation Form". It
+//   is the producer's own assertion that the SSDF practices below are in
+//   force, mapped to the framework's REAL implementing controls. It is
+//   NOT a third-party audit, NOT a FedRAMP authorization, and NOT a CMVP
+//   validation. Its trust derives entirely from the release boundary that
+//   carries it: the SSH-signed tag, the SLSA L3 npm provenance, the
+//   Sigstore-keyless SBOM signatures, and the ML-DSA-65 release-signing
+//   sidecar — the same four trust roots documented in SECURITY.md sign
+//   this file by signing the release that contains it. A consumer who
+//   verifies those roots is verifying that THIS attestation came from the
+//   producer of record; the claims inside are the producer's assertions,
+//   verifiable against the cited controls in the source tree at the
+//   release commit.
+//
+// Each statement carries its NIST SSDF practice IDs (PO/PS/PW/RV.*) and
+// names the specific implementing control so the assertion is auditable,
+// not aspirational. Output is deterministic: the timestamp comes from
+// --date / SOURCE_DATE_EPOCH (never an unseeded clock), and the same
+// inputs produce byte-identical output.
+
+var fs   = require("node:fs");
+var path = require("node:path");
+
+var ROOT     = path.resolve(__dirname, "..");
+var PKG_PATH = path.join(ROOT, "package.json");
+
+// ---------------------------------------------------------------------
+// Argument + environment resolution. Config-time inputs THROW on bad
+// shape (operator catches a typo at invocation), per the three-tier
+// validation discipline — this is an entry-point script, not a hot path.
+// ---------------------------------------------------------------------
+
+function _parseArgs(argv) {
+  var out = {};
+  for (var i = 0; i < argv.length; i++) {
+    var a = argv[i];
+    if (a === "--out")          { out.out     = argv[++i]; continue; }
+    if (a === "--version")      { out.version = argv[++i]; continue; }
+    if (a === "--commit")       { out.commit  = argv[++i]; continue; }
+    if (a === "--date")         { out.date    = argv[++i]; continue; }
+    if (a === "--repository")   { out.repository = argv[++i]; continue; }
+    if (a === "-h" || a === "--help") { out.help = true; continue; }
+    throw new Error("generate-ssdf-attestation: unrecognized argument: " + a);
+  }
+  return out;
+}
+
+// Deterministic timestamp resolution: --date (RFC 3339) wins; else
+// SOURCE_DATE_EPOCH (seconds since the Unix epoch, the reproducible-build
+// convention) is parsed; else fail closed. We NEVER call an unseeded
+// clock — a reproducible artifact must produce identical bytes from
+// identical inputs.
+function _resolveTimestamp(args, env) {
+  if (typeof args.date === "string" && args.date.length > 0) {
+    var t = new Date(args.date);
+    if (isNaN(t.getTime())) {
+      throw new TypeError("generate-ssdf-attestation: --date is not a valid date: " + args.date);
+    }
+    return t.toISOString();
+  }
+  var epoch = env.SOURCE_DATE_EPOCH;
+  if (typeof epoch === "string" && epoch.length > 0) {
+    if (!/^[0-9]+$/.test(epoch)) {
+      throw new TypeError("generate-ssdf-attestation: SOURCE_DATE_EPOCH must be integer seconds, got: " + epoch);
+    }
+    var secs = parseInt(epoch, 10);
+    if (!isFinite(secs) || secs < 0) {
+      throw new TypeError("generate-ssdf-attestation: SOURCE_DATE_EPOCH out of range: " + epoch);
+    }
+    return new Date(secs * 1000).toISOString();
+  }
+  throw new Error(
+    "generate-ssdf-attestation: no deterministic timestamp source. " +
+    "Pass --date <RFC3339> or set SOURCE_DATE_EPOCH (no unseeded clock is used)."
+  );
+}
+
+// Software version: --version wins; else package.json. Cross-check when
+// both are present so a tag/package drift fails the cut here too.
+function _resolveVersion(args, pkg) {
+  if (typeof args.version === "string" && args.version.length > 0) {
+    if (pkg.version && args.version !== pkg.version) {
+      throw new Error(
+        "generate-ssdf-attestation: --version (" + args.version +
+        ") does not match package.json version (" + pkg.version + ")"
+      );
+    }
+    return args.version;
+  }
+  if (typeof pkg.version === "string" && pkg.version.length > 0) return pkg.version;
+  throw new Error("generate-ssdf-attestation: no version (pass --version or set package.json version)");
+}
+
+// Source-control commit: --commit wins; else GITHUB_SHA; else null
+// (a locally-generated attestation that omits the commit is honest about
+// not knowing it rather than fabricating one).
+function _resolveCommit(args, env) {
+  if (typeof args.commit === "string" && args.commit.length > 0) return args.commit;
+  var sha = env.GITHUB_SHA;
+  if (typeof sha === "string" && sha.length > 0) return sha;
+  return null;
+}
+
+// Normalize the package.json repository field to a bare https URL.
+function _resolveRepository(args, pkg) {
+  if (typeof args.repository === "string" && args.repository.length > 0) return args.repository;
+  var r = pkg.repository;
+  var url = (r && typeof r === "object" && typeof r.url === "string") ? r.url
+          : (typeof r === "string" ? r : "");
+  url = url.replace(/^git\+/, "").replace(/\.git$/, "");
+  if (url.length === 0) return null;
+  return url;
+}
+
+// ---------------------------------------------------------------------
+// The attestation document.
+//
+// Structure follows the OMB M-22-18 / CISA "Secure Software Development
+// Attestation Form": producer identity, software identity, then the four
+// attestation-statement groups the Form covers. Each statement is mapped
+// to its NIST SP 800-218 v1.1 practice ID(s) and the framework control
+// that implements it, so the assertion is checkable against the source
+// tree at `commit`.
+//
+// SSDF practice families:
+//   PO  Prepare the Organization
+//   PS  Protect the Software
+//   PW  Produce Well-Secured Software
+//   RV  Respond to Vulnerabilities
+// ---------------------------------------------------------------------
+
+// The four M-22-18 Form attestation groups (the questions a producer
+// answers "yes" to on the Form), each backed by SSDF-practice-mapped
+// statements naming the framework's real implementing control.
+function _attestationStatements() {
+  return [
+    {
+      "id": "secure-build-environment",
+      "form_section": "1. Secure software development environment",
+      "summary": "Software is developed and built in secure environments with separated, least-privilege, ephemeral CI.",
+      "statements": [
+        {
+          "ssdf": ["PO.5.1", "PO.5.2"],
+          "claim": "Builds run only in GitHub-hosted ephemeral runners; every release job declares the minimum permissions it needs and elevates per-job (workflow-level contents:read; id-token:write only where OIDC signing requires it).",
+          "control": ".github/workflows/npm-publish.yml job-level permissions blocks; no self-hosted runners.",
+        },
+        {
+          "ssdf": ["PO.3.1", "PO.3.2", "PS.1.1"],
+          "claim": "The build environment's integrity is established by SLSA Build L3 provenance: a non-falsifiable attestation binds the published artifact to the exact workflow run, commit, and tag that produced it.",
+          "control": "slsa-framework/slsa-github-generator generator_generic_slsa3.yml@v2.1.0 emits blamejs-<version>.intoto.jsonl; npm publish --provenance attaches the SLSA v1 provenance to the registry tarball.",
+        },
+        {
+          "ssdf": ["PO.5.1"],
+          "claim": "Third-party GitHub Actions are SHA-pinned (the one tag-pinned exception, the SLSA reusable workflow, is required by its builder-fetch and is documented + detector-allowlisted); a currency gate fails the release if any pin falls behind upstream.",
+          "control": ".github/workflows/*.yml SHA pins; scripts/check-actions-currency.js runs on every PR and in the release flow.",
+        },
+      ],
+    },
+    {
+      "id": "provenance-and-component-trust",
+      "form_section": "2. Provenance and trust of software components",
+      "summary": "The provenance of code and components is established and maintained; a complete SBOM accompanies every release.",
+      "statements": [
+        {
+          "ssdf": ["PW.4.1", "PW.4.4"],
+          "claim": "Zero npm runtime dependencies. Every third-party library is vendored under lib/vendor/ and pinned by SHA-256 in MANIFEST.json; the release refuses to publish if any runtime dependency component appears in the SBOM.",
+          "control": "lib/vendor/MANIFEST.json (per-artifact SHA-256 + version + license + source); npm-publish.yml runtime-deps gate; b.configDrift.verifyVendorIntegrity re-checks each artifact's SHA-256 at boot.",
+        },
+        {
+          "ssdf": ["PS.3.1", "PS.3.2"],
+          "claim": "Each release ships a complete CycloneDX 1.6 SBOM (npm-tree view + vendored-bundle view with per-file SHA-256 and purl) so consumers can inventory exactly what ships inside the tarball.",
+          "control": "sbom.cdx.json (npm tree) + sbom.vendored.cdx.json (scripts/build-vendored-sbom.js); both attached to the GitHub release.",
+        },
+        {
+          "ssdf": ["PS.2.1"],
+          "claim": "Release integrity is verifiable through four independent trust roots, each detecting tampering with the others: SLSA L3 npm provenance, Sigstore-keyless SBOM signatures, SSH-signed annotated tags, and an ML-DSA-65 (FIPS 204) release-signing sidecar over the tarball.",
+          "control": "cosign sign-blob (sbom.*.sigstore); SSH-signed tags enforced server-side by the release-tags ruleset; <tarball>.mldsa.sig via the framework's vendored ML-DSA-65 primitive. Verification recipes in SECURITY.md.",
+        },
+      ],
+    },
+    {
+      "id": "trusted-source-and-vuln-checking",
+      "form_section": "3. Trusted source-code supply chains and automated vulnerability checking",
+      "summary": "Good-faith effort to maintain trusted source-code supply chains and to perform automated vulnerability scanning on every release.",
+      "statements": [
+        {
+          "ssdf": ["RV.1.1", "RV.1.2", "PW.7.2"],
+          "claim": "Every release is scanned for known vulnerabilities before publish: OSV-Scanner runs against both SBOMs and the vendored tree, and the release fails on any finding. A vendored-dependency currency gate refuses a stale, potentially-vulnerable pin.",
+          "control": "OSV-Scanner step in npm-publish.yml (--sbom both + -r lib/vendor/); scripts/check-vendor-currency.js.",
+        },
+        {
+          "ssdf": ["PW.8.2", "PW.7.1"],
+          "claim": "Adversarial-input parsers are continuously fuzzed (coverage-guided libFuzzer via jazzer.js) and the pattern-catalog gate refuses any new parser primitive that lands without a matching fuzz harness.",
+          "control": "fuzz/*.fuzz.js harnesses; ClusterFuzzLite per-PR + daily batch; coverage gate in test/layer-0-primitives/codebase-patterns.test.js.",
+        },
+        {
+          "ssdf": ["PS.1.1", "PO.5.2"],
+          "claim": "Source-side supply-chain integrity is enforced at the repository boundary: protected default branch (no force-push, no non-linear merge, required status checks, required signed commits) and protected release tags (no deletion, no re-pointing) so a published tag cannot be silently rewritten.",
+          "control": "main-protection + release-tags GitHub rulesets; the sha-to-tag-verify workflow refuses a tag whose commit is not on main's first-parent PR-merged history.",
+        },
+      ],
+    },
+    {
+      "id": "vulnerability-disclosure-and-response",
+      "form_section": "4. Vulnerability disclosure and response",
+      "summary": "A vulnerability disclosure program and a process to respond to and remediate reported vulnerabilities are maintained.",
+      "statements": [
+        {
+          "ssdf": ["RV.1.3", "RV.2.1"],
+          "claim": "A coordinated vulnerability-disclosure process is published: a private reporting channel, an encryption option for sensitive reports, and committed first-response / triage / fix-release windows by severity.",
+          "control": "SECURITY.md (security@blamejs.com, maintainer PGP key, response-time table); GitHub private security advisories.",
+        },
+        {
+          "ssdf": ["RV.2.2", "RV.3.3"],
+          "claim": "Fixes are delivered through a stable, signed release path with a public LTS / deprecation policy; remediations are described in operator-facing release notes and the CHANGELOG drawn from a single structured source.",
+          "control": "scripts/release.js orchestrated flow; CHANGELOG.md + release-notes/<version>.json single source; LTS-CALENDAR.md.",
+        },
+        {
+          "ssdf": ["RV.3.1", "RV.3.4"],
+          "claim": "Root-cause analysis is institutional: a confirmed defect class is swept framework-wide and encoded as a recurrence detector so the same class cannot silently reappear in a later release.",
+          "control": "codebase-patterns class-level detectors (test/layer-0-primitives/codebase-patterns.test.js); behavioral regression tests ship with each fix.",
+        },
+      ],
+    },
+  ];
+}
+
+function buildAttestation(opts) {
+  var pkg = opts.pkg;
+  return {
+    "$schema_note": "NIST SP 800-218 (SSDF v1.1) / OMB M-22-18 producer self-attestation, machine-readable form.",
+    "attestation_type": "producer-self-attestation",
+    "attestation_format": "blamejs/ssdf-attestation",
+    "attestation_format_version": "1.0",
+    "framework": {
+      "name": "NIST SP 800-218",
+      "title": "Secure Software Development Framework (SSDF) Version 1.1",
+      "reference_form": "OMB M-22-18 / CISA Secure Software Development Attestation Form",
+    },
+    "generated": opts.timestamp,
+    "producer": {
+      // The producer of record. This is a self-attestation: the producer
+      // asserts the statements below, signed implicitly by the release
+      // boundary (SSH-signed tag + SLSA provenance + PQC sidecar).
+      "name": "blamejs",
+      "url": "https://blamejs.com/",
+      "security_contact": "security@blamejs.com",
+      "vulnerability_disclosure": "https://github.com/blamejs/blamejs/security",
+    },
+    "software": {
+      "name": pkg.name || "@blamejs/core",
+      "version": opts.version,
+      "repository": opts.repository,
+      "commit": opts.commit,
+      "license": pkg.license || null,
+    },
+    "attestation_statement":
+      "blamejs attests, as the producer of " + (pkg.name || "@blamejs/core") +
+      " version " + opts.version + ", that the secure software development " +
+      "practices enumerated below are followed for this release, mapped to " +
+      "NIST SP 800-218 (SSDF v1.1) practices. This is a self-attestation; " +
+      "its authenticity is bound to the signed release artifacts described " +
+      "in SECURITY.md (SSH-signed tag, SLSA L3 provenance, Sigstore SBOM " +
+      "signatures, ML-DSA-65 release-signing sidecar).",
+    "sections": _attestationStatements(),
+    "verification": {
+      "note": "This attestation is not independently signed; it is covered by the four release trust roots that sign the release containing it.",
+      "trust_roots": [
+        "SLSA L3 npm provenance (npm publish --provenance + blamejs-<version>.intoto.jsonl)",
+        "Sigstore-keyless SBOM signatures (sbom.cdx.json.sigstore, sbom.vendored.cdx.json.sigstore)",
+        "SSH-signed annotated git tag (release-tags ruleset, enforced server-side)",
+        "ML-DSA-65 release-signing sidecar (<tarball>.mldsa.sig, FIPS 204)",
+      ],
+      "recipes": "SECURITY.md -> 'Verifying release authenticity'",
+    },
+  };
+}
+
+function main() {
+  var args = _parseArgs(process.argv.slice(2));
+
+  if (args.help) {
+    process.stderr.write(
+      "Usage: node scripts/generate-ssdf-attestation.js " +
+      "[--version <v>] [--commit <sha>] [--date <RFC3339>] " +
+      "[--repository <url>] [--out <path>]\n" +
+      "Timestamp source (required, deterministic): --date or SOURCE_DATE_EPOCH.\n"
+    );
+    return;
+  }
+
+  var pkg;
+  try {
+    pkg = JSON.parse(fs.readFileSync(PKG_PATH, "utf8"));
+  } catch (e) {
+    process.stderr.write("[generate-ssdf-attestation] failed to read package.json: " + e.message + "\n");
+    process.exit(1);
+    return;
+  }
+
+  var doc = buildAttestation({
+    pkg:        pkg,
+    version:    _resolveVersion(args, pkg),
+    commit:     _resolveCommit(args, process.env),     // allow:raw-process-env — env-driven release script
+    repository: _resolveRepository(args, pkg),
+    timestamp:  _resolveTimestamp(args, process.env),  // allow:raw-process-env — env-driven release script
+  });
+
+  var json = JSON.stringify(doc, null, 2) + "\n";
+
+  if (typeof args.out === "string" && args.out.length > 0) {
+    fs.writeFileSync(args.out, json);
+    process.stderr.write("[generate-ssdf-attestation] wrote " + args.out + "\n");
+  } else {
+    process.stdout.write(json);
+  }
+}
+
+main();

package/lib/vendor/blamejs/test/layer-0-primitives/atomic-file-rename-retry.test.js

@@ -0,0 +1,70 @@
+"use strict";
+// b.atomicFile.renameWithRetry — the bounded retry on a Windows-transient
+// destination lock (EPERM/EACCES/EBUSY from AV / search indexer / Dropbox /
+// OneDrive briefly holding the target). #146: httpClient.downloadStream and
+// every other final temp->dest rename route through this instead of a bare
+// nodeFs.renameSync, so a transient lock is retried, not surfaced as a hard
+// failure. A non-transient error (ENOENT, etc.) still throws immediately.
+
+var nodeFs = require("node:fs");
+var os     = require("node:os");
+var path   = require("node:path");
+var helpers = require("../helpers");
+var check   = helpers.check;
+var atomicFile = require("../../lib/atomic-file");
+
+function run() {
+  check("renameWithRetry is exported", typeof atomicFile.renameWithRetry === "function");
+
+  var dir = nodeFs.mkdtempSync(path.join(os.tmpdir(), "renameretry-"));
+  var realRename = nodeFs.renameSync;
+
+  // ---- transient EPERM is retried, then the rename succeeds ----
+  var src1 = path.join(dir, "a.tmp");
+  var dst1 = path.join(dir, "a.dst");
+  nodeFs.writeFileSync(src1, "payload");
+  var calls = 0;
+  nodeFs.renameSync = function (from, to) {
+    calls += 1;
+    if (calls < 3) { var e = new Error("transient lock"); e.code = "EPERM"; throw e; }
+    return realRename(from, to);
+  };
+  try { atomicFile.renameWithRetry(src1, dst1); }
+  finally { nodeFs.renameSync = realRename; }
+  check("renameWithRetry retries past a transient EPERM (3 attempts)", calls === 3);
+  check("renameWithRetry: the rename ultimately succeeds",
+    nodeFs.existsSync(dst1) && !nodeFs.existsSync(src1));
+
+  // ---- a non-transient error throws immediately, with NO retry ----
+  var attempts = 0;
+  nodeFs.renameSync = function () {
+    attempts += 1;
+    var e = new Error("no such file"); e.code = "ENOENT"; throw e;
+  };
+  var threw = null;
+  try { atomicFile.renameWithRetry(path.join(dir, "missing"), path.join(dir, "x")); }
+  catch (e) { threw = e; }
+  finally { nodeFs.renameSync = realRename; }
+  check("renameWithRetry rethrows a non-transient error", threw !== null && threw.code === "ENOENT");
+  check("renameWithRetry does NOT retry a non-transient error", attempts === 1);
+
+  // ---- a persistently-transient lock eventually gives up (does not hang) ----
+  var stuck = 0;
+  nodeFs.renameSync = function () {
+    stuck += 1;
+    var e = new Error("still locked"); e.code = "EBUSY"; throw e;
+  };
+  var stuckThrew = null;
+  try { atomicFile.renameWithRetry(path.join(dir, "s"), path.join(dir, "d")); }
+  catch (e) { stuckThrew = e; }
+  finally { nodeFs.renameSync = realRename; }
+  check("renameWithRetry gives up after the bounded attempts (no infinite loop)",
+    stuckThrew !== null && stuckThrew.code === "EBUSY" && stuck === 5);
+}
+
+module.exports = { run: run };
+
+if (require.main === module) {
+  try { run(); console.log("[atomic-file-rename-retry] OK"); }
+  catch (e) { console.error("FAIL:", e && e.stack || e); process.exit(1); }
+}