@blamejs/blamejs-shop 0.4.33 → 0.4.38

package/lib/vendor/blamejs/test/layer-0-primitives/codebase-patterns.test.js

@@ -2601,10 +2601,22 @@ async function testNoDuplicateCodeBlocks() {
       var w = new Worker(WORKER_PATH, {
         workerData: Object.assign({ files: shardFiles }, SHINGLE_OPTS_FOR_WORKER),
       });
-      w.once("message", function (msg) { resolve(msg); w.terminate(); });
-      w.once("error", reject);
+      // Reap the worker on EVERY settle path (#123). Previously the error and
+      // exit handlers rejected without terminate(), so an errored worker thread
+      // stayed alive holding its event-loop handles — the parent could not exit
+      // and the smoke run ran to the 25-min watchdog on memory-starved
+      // macOS-arm64 runners. settle() terminates first, idempotently.
+      var settled = false;
+      function settle(fn, arg) {
+        if (settled) return;
+        settled = true;
+        try { w.terminate(); } catch (_e) { /* already terminating */ }
+        fn(arg);
+      }
+      w.once("message", function (msg) { settle(resolve, msg); });
+      w.once("error", function (e) { settle(reject, e); });
       w.once("exit", function (code) {
-        if (code !== 0 && code !== null) reject(new Error("shingle worker exited " + code));
+        if (code !== 0 && code !== null) settle(reject, new Error("shingle worker exited " + code));
       });
     });
   }
@@ -2991,6 +3003,79 @@ async function testNoDuplicateCodeBlocks() {
       ],
       reason: "Config-time validateOpts cascade family — `validateOpts(opts, KEYS, label)` followed by per-field requireNonEmptyString / optionalPositiveInt / optionalFunction checks at a factory or builder entry point. jar.js:build joined in v0.14.22 (the RFC 9101 request-object builder validates clientId / audience / key / expiresInMs before minting). Each member emits its own error class and code namespace over a different opts vocabulary; the shared helper (validateOpts) is the extraction, and consolidating the cascades past the call boundary would surface the wrong error code for operator typos.",
     },
+    {
+      // The b.dsa (EU DSA) + b.pipl (China PIPL) compliance record-builders
+      // are a fresh pair of validateOpts-cascade + Object.freeze-record +
+      // audit.safeEmit functions. Each validates a DIFFERENT opts vocabulary
+      // (notice / statement-of-reasons / transparency-report; cross-border
+      // assessment / security-assessment certificate), builds a DIFFERENT
+      // frozen record, and emits a DIFFERENT audit action — so their 50/60-tok
+      // shingles coincide with the large existing compliance/builder family
+      // (validateOpts cascade + audit-emit), bridging the config-validation
+      // and audit-emit clusters. Shape-only: the shared primitives
+      // (validateOpts, audit.safeEmit, Object.freeze) ARE the extraction;
+      // collapsing the per-builder bodies would surface the wrong error code
+      // and the wrong audit action for each regulation. Union of the clusters
+      // the two new files participate in.
+      mode:  "family-subset",
+      files: [
+        "lib/ai-adverse-decision.js:wrap",
+        "lib/ai-dp.js:budget",
+        "lib/api-key.js:_validateIssueOpts",
+        "lib/audit-daily-review.js:create",
+        "lib/auth/jar.js:build",
+        "lib/auth/oauth.js:buildClientAttestationPop",
+        "lib/auth/oid4vci.js:create",
+        "lib/auth/saml.js:create",
+        "lib/auth/sd-jwt-vc-issuer.js:create",
+        "lib/break-glass.js:_validatePolicySet",
+        "lib/budr.js:declare",
+        "lib/calendar.js:validate",
+        "lib/cloud-events.js:wrap",
+        "lib/compliance-eaa.js:create",
+        "lib/compliance-sanctions-fetcher.js:create",
+        "lib/cose.js:macVerify0",
+        "lib/cose.js:verify",
+        "lib/crypto-field.js:declarePerRowResidency",
+        "lib/daemon.js:_validateStartOpts",
+        "lib/daemon.js:_validateStopOpts",
+        "lib/data-act.js:recordSwitchRequest",
+        "lib/data-act.js:shareWithThirdParty",
+        "lib/db.js:declareRequireDualControl",
+        "lib/ddl-change-control.js:create",
+        "lib/dsa.js:noticeAndAction",
+        "lib/dsa.js:statementOfReasons",
+        "lib/dsr.js:create",
+        "lib/external-db-migrate.js:create",
+        "lib/fda-21cfr11.js:posture",
+        "lib/fdx.js:consentReceipt",
+        "lib/fedcm.js:wellKnown",
+        "lib/file-upload.js:_validateCreateOpts",
+        "lib/http-client-cache.js:create",
+        "lib/http-client.js:_validateDownloadOpts",
+        "lib/mcp-tool-registry.js:verifyCall",
+        "lib/middleware/assetlinks.js:create",
+        "lib/middleware/protected-resource-metadata.js:create",
+        "lib/middleware/span-http-server.js:create",
+        "lib/network-heartbeat.js:start",
+        "lib/network-tls.js:_emitAuditAdd",
+        "lib/network-tls.js:_emitAuditRemove",
+        "lib/observability-tracer.js:create",
+        "lib/outbox.js:create",
+        "lib/pipl-cn.js:sccFilingAssessment",
+        "lib/pipl-cn.js:securityAssessmentCertificate",
+        "lib/privacy.js:vendorReview",
+        "lib/redact.js:installOutboundDlp",
+        "lib/sec-cyber.js:eightKArtifact",
+        "lib/self-update.js:_validatePollOpts",
+        "lib/self-update.js:_validateVerifyOpts",
+        "lib/static.js:_validateCreateOpts",
+        "lib/tcpa-10dlc.js:recordConsent",
+        "lib/vex.js:document",
+        "lib/watcher.js:_validateOpts",
+      ],
+      reason: "v0.15.8 — b.dsa (EU Digital Services Act) + b.pipl (China PIPL) cross-border record-builders join the config-time validateOpts-cascade + Object.freeze-record + audit.safeEmit family. Each validates a distinct opts vocabulary, builds a distinct frozen record, and emits a distinct audit action; the shared primitives (validateOpts / audit.safeEmit / Object.freeze) are the extraction. Shape-only — collapsing the per-builder bodies would emit the wrong error code and audit action per regulation. Union of the 50/60-tok clusters the two new files participate in.",
+    },
     {
       mode:  "family-subset",
       files: [
@@ -6997,6 +7082,74 @@ var KNOWN_ANTIPATTERNS = [
     allowlist: [],
     reason: "CWE-532 — span/metric/resource attributes are a first-class egress sink. #69 fixed lib/otel-export.js _attrsToOtlp but pinned its detector to that one function name, leaving the SPAN exporter's two sibling encoders (lib/observability-otlp-exporter.js _attrToOtlp JSON + _attrsToProto protobuf) shipping attribute values verbatim to the collector (#125). The shared root is 'an attribute-map encoder that serializes without scrubbing'; every such encoder must pass each value through observability.redactAttrs() (default composes b.redact.redact, fail-toward-dropping on a throwing redactor) before the wire payload. The negative lookahead exempts the per-value type-encoders (_valueToOtlp/_anyValueToProto) which run after redaction; the {0,4000} bound is a ReDoS backstop well above the real encoder bodies (<2000 chars).",
   },
+  // Same CWE-532 class, the OTHER OTLP egress family the span/metric detector
+  // above could not see: the LOG sinks (lib/log-stream-otlp.js HTTP-JSON +
+  // lib/log-stream-otlp-grpc.js gRPC). Their encoders are named per the OTLP
+  // logs schema (_toLogRecord / _serializeBatch / _encodeLogRecord /
+  // _encodeResourceLogs), not _attr*, so the function-name-anchored detector
+  // never matched them — the #125 span fix left the log record-meta + resource
+  // attributes shipping verbatim. Anchor on the buggy SHAPE instead: a raw
+  // `record.meta` / `resourceAttrs` / `_resourceAttrs(cfg)` handed straight to an
+  // _encode* call. The fix wraps the arg in observability().redactAttrs(...), so
+  // the first token inside the paren becomes `observability` and the match dies.
+  {
+    id: "otlp-log-sink-encodes-attrs-without-redactor",
+    primitive: "the OTLP LOG sinks (log-stream-otlp / log-stream-otlp-grpc) must run record.meta and resource attributes through observability.redactAttrs() before encoding — a log line's meta or a resource attribute holding a bearer token / password / API key ships to the collector verbatim otherwise (CWE-532), the same egress class as the span/metric exporters",
+    scanScope: "lib",
+    regex: /_encode(?:Attrs|Attributes|Resource)\(\s*(?:record\.meta\b|resourceAttrs\b|_resourceAttrs\(cfg\))/,
+    allowlist: [],
+    reason: "CWE-532 secret/PII egress. v0.15.4 (#125) baked observability.redactAttrs() into every SPAN + METRIC attribute encoder but the detector was anchored on the _attr* function names, so it was blind to the LOG sinks whose encoders carry the OTLP-logs schema names. lib/log-stream-otlp.js (_toLogRecord meta + _serializeBatch resource) and lib/log-stream-otlp-grpc.js (_encodeLogRecord meta + _encodeResourceLogs resource) handed record.meta and resourceAttrs straight to _encodeAttrs/_encodeAttributes/_encodeResource — a log record's meta or a resource attribute holding a credential reached the collector unscrubbed. Root: 'every OTLP egress encoder redacts'; the span detector saw spans/metrics, this one sees logs. Fires on the raw `_encode*(record.meta` / `_encode*(resourceAttrs` / `_encodeResource(_resourceAttrs(cfg)` shape; the fix wraps the arg in observability().redactAttrs(...) (the span/metric contract), making the first paren token `observability` so the match goes silent.",
+  },
+  // #146 — every FINAL temp->dest rename must route through
+  // atomicFile.renameWithRetry, the bounded retry on a Windows-transient
+  // destination lock (EPERM/EACCES/EBUSY from AV / the search indexer /
+  // Dropbox / OneDrive briefly holding the target). A bare nodeFs.renameSync
+  // surfaces a transient lock as a hard failure (httpClient.downloadStream
+  // shipped exactly that) and re-hand-rolls a retry the framework already owns
+  // as a primitive. The ONLY legitimate bare renameSync is inside the
+  // primitive itself (atomic-file.js _renameWithRetry).
+  {
+    id: "bare-renamesync-not-via-renamewithretry",
+    primitive: "route every final temp->dest rename through atomicFile.renameWithRetry (the Windows rename-lock retry) instead of a bare nodeFs.renameSync / fs.renameSync — a transient AV / indexer / cloud-sync lock on the destination must be retried, not surfaced as a hard failure",
+    scanScope: "lib",
+    regex: /\b(?:nodeFs|fs)\.renameSync\(/,
+    allowlist: [
+      // atomic-file.js IS the primitive — _renameWithRetry wraps the one real
+      // nodeFs.renameSync with the bounded transient-lock retry loop.
+      "lib/atomic-file.js",
+    ],
+    reason: "#146 (user-surfaced). atomicFile.writeSync retries its final rename on a Windows-transient destination lock; httpClient.downloadStream's final rename was a bare nodeFs.renameSync, so a download into a cloud-synced / AV-scanned directory surfaced the transient lock as a hard failure. The retry was also hand-rolled and un-reusable. The fix exports atomic-file's _renameWithRetry as atomicFile.renameWithRetry and routes EVERY final temp->dest rename through it (downloadStream + vault/passphrase-ops + mtls-ca + log-stream-local + self-update + config-drift + archive-read + archive-tar-read + local-db-thin + restore-rollback). Fires on any bare nodeFs.renameSync/fs.renameSync; the only allowlisted use is atomic-file.js where the primitive's retry loop lives.",
+  },
+  // v0.15.9 — db.init() must construct its DatabaseSync with the SQLITE_LIMIT_*
+  // sqlLength cap: a parse-time DoS floor that rejects a megaquery on the
+  // raw-SQL surface. The ephemeral storage headroom probe (new DatabaseSync(p))
+  // is a different construction and is not anchored. Fires if the main db handle
+  // is built without the limits shape.
+  {
+    id: "db-databasesync-without-sqlite-limits",
+    primitive: "construct the main db.init DatabaseSync(dbPath, ...) with the node:sqlite limits option (sqlLength) — a parse-time DoS floor complementary to streamLimit",
+    scanScope: "lib",
+    regex: /new DatabaseSync\(dbPath\b/,
+    requires: /limits:\s*\{[\s\S]{0,200}?sqlLength/,
+    skipCommentLines: true,
+    allowlist: [],
+    reason: "v0.15.9 Node-24.16 adoption. The framework parameterizes every builder value, so SQLITE_LIMIT_LENGTH (sqlLength) guards the raw-SQL surface (b.db.runSql) against an attacker-influenced megaquery the parser would otherwise chew (SQLite default is 1 GB). Fires when the main db handle `new DatabaseSync(dbPath` is constructed without the `limits: { ... sqlLength` shape; the headroom probe `new DatabaseSync(p)` is intentionally not matched (ephemeral, no attacker input). (SQLITE_LIMIT_ATTACHED is left at the SQLite default — the snapshot/backup path uses ATTACH.)",
+  },
+  // v0.15.9 — the RFC 9527 Clear-Site-Data header value must be built via the
+  // shared middleware/clear-site-data headerValue() helper (which validates
+  // each directive against the known set), not a hand-rolled quoted-token
+  // string. A literal `setHeader("Clear-Site-Data", '"cookies", ...')` skips
+  // the directive validation and re-hand-rolls the RFC 9527 quoting the
+  // primitive owns (the b.session.logout extraction lesson).
+  {
+    id: "clear-site-data-header-hand-rolled",
+    primitive: "build the Clear-Site-Data response header via clearSiteData.headerValue(types) (validated RFC 9527 quoting) — do not hand-roll the quoted-directive string literal in setHeader",
+    scanScope: "lib",
+    regex: /setHeader\(\s*["']Clear-Site-Data["']\s*,\s*["']/,
+    skipCommentLines: true,
+    allowlist: [],
+    reason: "v0.15.9 (Clear-Site-Data logout wiring). The middleware/clear-site-data headerValue() helper is the single builder of the RFC 9527 §3 quoted-token list and validates every directive against KNOWN_TYPES; both emitters (the middleware's create() and b.session.logout) route through it. A literal `setHeader(\"Clear-Site-Data\", '\"cookies\", ...')` hand-rolls the quoting and skips the validation. Fires when the second setHeader arg is a string literal; the live emitters pass a var/call so they stay silent.",
+  },
   // #131 — the b.middleware.dpop factory must REQUIRE its replayStore at config
   // time. The store is DPoP's jti-replay defense (RFC 9449 §11.1); reading it
   // optionally and gating the check behind `if (replayStore)` silently mounts a
@@ -9374,6 +9527,24 @@ var KNOWN_ANTIPATTERNS = [
   // detector encoded. These 5 are the highest-priority subset (P1 +
   // P2 by audit ranking). The remaining 8 are scoped for follow-up.
 
+  {
+    // #123 — a worker_threads Worker whose error/exit handler rejects WITHOUT
+    // terminating leaves the thread alive holding its event-loop handles, so the
+    // parent process can't exit and the smoke run hangs under the watchdog on
+    // memory-starved CI runners (macOS-arm64). Every Promise-settle path
+    // (message / error / exit) must reap the worker via w.terminate() first; the
+    // fix funnels all three through a settle() guard that terminates before
+    // resolve/reject. Structural resource-hygiene drift a behavioral test can't
+    // assert — the harness closure isn't exported and the hang is a slow-runner
+    // race — so the detector is the guard.
+    id: "test-worker-reject-without-terminate",
+    primitive: "a worker_threads Worker error/exit handler must terminate() the worker before rejecting (route message/error/exit through a settle() helper) — a bare reject leaks the thread's handles and hangs process exit on slow CI runners",
+    scanScope: "test",
+    regex: /\bw\.once\("error",\s*reject\)/,
+    skipCommentLines: true,
+    allowlist: [],
+    reason: "#123 macOS codebase-patterns watchdog hang. _scanShardInWorker rejected on worker error/exit without w.terminate(), so an errored worker thread stayed alive holding open handles; the parent then could not exit and the smoke run ran to the 25-min watchdog on memory-starved macOS-arm64 runners (it hung this very release's CI). Every settle path must reap the worker via w.terminate() first; the fix funnels message/error/exit through a settle() guard that terminates before resolve/reject. Fires on the bare `w.once(\"error\", reject)` shape; silent once error/exit route through settle().",
+  },
   {
     // `Promise + setTimeout` direct sleep in tests is forbidden;
     // tests waiting on an asynchronous condition MUST use

package/lib/vendor/blamejs/test/layer-0-primitives/db-init-extensions.test.js

@@ -146,6 +146,37 @@ async function testSnapshotPlainMode() {
   await b.db.close();
 }
 
+async function testSqliteResourceLimits() {
+  // The node:sqlite `limits` option caps SQLITE_LIMIT_* at construction: a
+  // parse-time DoS floor. A statement over 1 MiB is rejected before SQLite's
+  // parser processes it, and ATTACH DATABASE is denied (the framework never
+  // uses it). RED on a tree without the limits option: the megaquery parses.
+  var tmpDir = fs.mkdtempSync(path.join(os.tmpdir(), "sqlim-"));
+  await _resetState();
+  await b.vault.init({ dataDir: tmpDir, mode: "plaintext" });
+  await b.db.init({
+    dataDir: tmpDir,
+    atRest:  "plain",
+    schema:  [{ name: "t", columns: { _id: "TEXT PRIMARY KEY" } }],
+  });
+
+  // A raw statement whose SQL TEXT exceeds 1 MiB is rejected at parse
+  // (sqlLength caps statement text, not bound-parameter values — the builder
+  // path always parameterizes, so this cap guards the raw-SQL surface).
+  var hugeSql = "SELECT '" + "x".repeat(1100000) + "' AS big";
+  var threw = null;
+  try { b.db.runSql(hugeSql); }
+  catch (e) { threw = e; }
+  check("sqlite limits: a >1 MiB raw statement is rejected at parse", threw !== null);
+
+  // A normal statement under the cap is unaffected.
+  b.db.from("t").insertOne({ _id: "normal" });
+  check("sqlite limits: a normal statement is unaffected",
+    b.db.from("t").where({ _id: "normal" }).first()._id === "normal");
+
+  await b.db.close();
+}
+
 async function run() {
   await testFrameworkTablesOff();
   await testAuditSigningOff();
@@ -153,6 +184,7 @@ async function run() {
   await testDbKeyPathOverride();
   await testSnapshot();
   await testSnapshotPlainMode();
+  await testSqliteResourceLimits();
 }
 
 module.exports = { run: run };

package/lib/vendor/blamejs/test/layer-0-primitives/dsa.test.js

@@ -0,0 +1,169 @@
+"use strict";
+// b.dsa — EU Digital Services Act (Reg 2022/2065) record-builders:
+// Art. 16 noticeAndAction, Art. 17 statementOfReasons, Art. 15/24(3)
+// transparencyReport. Pure builders (no DB); audit emission is captured
+// by swapping b.audit.safeEmit for the duration of each assertion.
+
+var helpers = require("../helpers");
+var b       = helpers.b;
+var check   = helpers.check;
+
+// Capture the audit events a builder emits. b.dsa resolves its audit
+// sink via require("./audit"), the same module object as b.audit, so
+// swapping b.audit.safeEmit intercepts the emission. Always restore in a
+// finally so a thrown assertion can't leak the stub.
+function captureAudit(fn) {
+  var events = [];
+  var orig = b.audit.safeEmit;
+  b.audit.safeEmit = function (ev) { events.push(ev); };
+  try { fn(events); }
+  finally { b.audit.safeEmit = orig; }
+  return events;
+}
+
+function expectCode(label, fn, code) {
+  var threw = null;
+  try { fn(); } catch (e) { threw = e; }
+  check(label, threw && (threw.code || "") === code);
+}
+
+function expectThrows(label, fn) {
+  var threw = null;
+  try { fn(); } catch (e) { threw = e; }
+  check(label, threw instanceof Error);
+}
+
+function run() {
+  // ---- surface ----
+  check("noticeAndAction is a function",         typeof b.dsa.noticeAndAction === "function");
+  check("statementOfReasons is a function",      typeof b.dsa.statementOfReasons === "function");
+  check("transparencyReport is a function",      typeof b.dsa.transparencyReport === "function");
+  check("listTransparencyMetrics is a function", typeof b.dsa.listTransparencyMetrics === "function");
+  check("DsaError exposed on b.frameworkError",  typeof b.frameworkError.DsaError === "function");
+  check("b.dsa.DsaError is the same constructor", b.dsa.DsaError === b.frameworkError.DsaError);
+
+  // ===== Art. 16 — noticeAndAction =====
+  var submittedAt = 1700000000000;
+  var nEvents = captureAudit(function () {
+    var n = b.dsa.noticeAndAction({
+      contentId:     "post-9931",
+      noticeType:    "illegal-content",
+      reason:        "Depicts a sale prohibited under national law.",
+      submittedAt:   submittedAt,
+      submitterType: "trusted-flagger",
+    });
+    check("notice: record frozen",                Object.isFrozen(n));
+    check("notice: status recorded",              n.status === "recorded");
+    check("notice: default noticeId derived",     n.noticeId === "dsa-notice-" + submittedAt);
+    check("notice: actionDueBy = submittedAt+24h", n.actionDueBy === submittedAt + b.constants.TIME.hours(24));
+    check("notice: illegal-content requires SoR",  n.statementOfReasonsRequired === true);
+  });
+  check("notice: emitted one audit event",        nEvents.length === 1);
+  check("notice: audit action dsa.notice.recorded", nEvents[0] && nEvents[0].action === "dsa.notice.recorded");
+  check("notice: audit metadata carries contentId", nEvents[0] && nEvents[0].metadata.contentId === "post-9931");
+
+  var nTerms = b.dsa.noticeAndAction({
+    contentId: "post-1", noticeType: "terms-violation", reason: "Breaches guidelines.",
+    submittedAt: submittedAt, submitterType: "individual",
+    noticeId: "op-77", actionWindowMs: b.constants.TIME.hours(48),
+  });
+  check("notice: terms-violation no SoR",       nTerms.statementOfReasonsRequired === false);
+  check("notice: explicit noticeId honored",    nTerms.noticeId === "op-77");
+  check("notice: explicit actionWindow honored", nTerms.actionDueBy === submittedAt + b.constants.TIME.hours(48));
+
+  expectCode("notice: non-object opts throws",
+    function () { b.dsa.noticeAndAction("nope"); }, "dsa/bad-opts");
+  expectThrows("notice: unknown opt key throws",
+    function () { b.dsa.noticeAndAction({ contentId: "c", noticeType: "other", reason: "r", submittedAt: submittedAt, submitterType: "individual", bogus: 1 }); });
+  expectCode("notice: missing contentId throws",
+    function () { b.dsa.noticeAndAction({ noticeType: "other", reason: "r", submittedAt: submittedAt, submitterType: "individual" }); }, "dsa/bad-content-id");
+  expectCode("notice: unknown noticeType throws",
+    function () { b.dsa.noticeAndAction({ contentId: "c", noticeType: "wat", reason: "r", submittedAt: submittedAt, submitterType: "individual" }); }, "dsa/unknown-notice-type");
+  expectCode("notice: missing submittedAt throws",
+    function () { b.dsa.noticeAndAction({ contentId: "c", noticeType: "other", reason: "r", submitterType: "individual" }); }, "dsa/bad-submitted-at");
+  expectCode("notice: unknown submitterType throws",
+    function () { b.dsa.noticeAndAction({ contentId: "c", noticeType: "other", reason: "r", submittedAt: submittedAt, submitterType: "robot" }); }, "dsa/unknown-submitter-type");
+
+  // ===== Art. 17 — statementOfReasons =====
+  var sEvents = captureAudit(function () {
+    var s = b.dsa.statementOfReasons({
+      contentId: "post-9931", decision: "content-removed",
+      legalGround: "National law prohibiting the depicted sale.",
+      facts: "Listing offered a prohibited item for sale.", automated: false,
+      redressOptions: ["internal-complaint", "judicial-redress"], noticeId: "dsa-notice-" + submittedAt,
+    });
+    check("sor: record frozen",            Object.isFrozen(s));
+    check("sor: default sorId derived",    /^dsa-sor-\d+$/.test(s.sorId));
+    check("sor: groundType legal",         s.groundType === "legal");
+    check("sor: contractualGround null",   s.contractualGround === null);
+    check("sor: redressOptions frozen",    Object.isFrozen(s.redressOptions) && s.redressOptions.length === 2);
+    check("sor: noticeId linked",          s.noticeId === "dsa-notice-" + submittedAt);
+  });
+  check("sor: emitted one audit event",    sEvents.length === 1);
+  check("sor: audit action dsa.sor.recorded", sEvents[0] && sEvents[0].action === "dsa.sor.recorded");
+
+  var sC = b.dsa.statementOfReasons({
+    contentId: "post-2", decision: "account-suspended",
+    contractualGround: "Terms section 4.2 — repeated spam.", facts: "Five spam posts in 24h.",
+    automated: true, redressOptions: ["internal-complaint"],
+  });
+  check("sor: groundType contractual", sC.groundType === "contractual");
+  check("sor: legalGround null",       sC.legalGround === null);
+  check("sor: automated true",         sC.automated === true);
+
+  expectCode("sor: unknown decision throws",
+    function () { b.dsa.statementOfReasons({ contentId: "c", decision: "nuke", legalGround: "x", facts: "f", automated: false, redressOptions: ["internal-complaint"] }); }, "dsa/unknown-decision");
+  expectCode("sor: non-boolean automated throws",
+    function () { b.dsa.statementOfReasons({ contentId: "c", decision: "no-action", legalGround: "x", facts: "f", automated: "no", redressOptions: ["internal-complaint"] }); }, "dsa/bad-automated");
+  expectCode("sor: neither ground throws",
+    function () { b.dsa.statementOfReasons({ contentId: "c", decision: "no-action", facts: "f", automated: false, redressOptions: ["internal-complaint"] }); }, "dsa/ground-required");
+  expectCode("sor: both grounds throws",
+    function () { b.dsa.statementOfReasons({ contentId: "c", decision: "no-action", legalGround: "x", contractualGround: "y", facts: "f", automated: false, redressOptions: ["internal-complaint"] }); }, "dsa/ground-required");
+  expectCode("sor: empty redressOptions throws",
+    function () { b.dsa.statementOfReasons({ contentId: "c", decision: "content-removed", legalGround: "x", facts: "f", automated: false, redressOptions: [] }); }, "dsa/redress-required");
+  expectCode("sor: unknown redress option throws",
+    function () { b.dsa.statementOfReasons({ contentId: "c", decision: "content-removed", legalGround: "x", facts: "f", automated: false, redressOptions: ["call-the-mayor"] }); }, "dsa/unknown-redress-option");
+
+  // ===== Art. 15 / 24(3) — transparencyReport =====
+  var metricNames = b.dsa.listTransparencyMetrics();
+  check("metrics: frozen list", Array.isArray(metricNames) && Object.isFrozen(metricNames));
+  check("metrics: includes noticesReceived", metricNames.indexOf("noticesReceived") !== -1);
+
+  var period = { from: Date.UTC(2025, 0, 1), to: Date.UTC(2025, 11, 31) };
+  var rEvents = captureAudit(function () {
+    var r = b.dsa.transparencyReport({
+      period: period,
+      metrics: { noticesReceived: 1200, actionsTaken: 940, automatedDecisions: 610, appeals: 75 },
+      service: "example-platform",
+    });
+    check("report: record frozen",            Object.isFrozen(r));
+    check("report: metrics frozen",           Object.isFrozen(r.metrics));
+    check("report: period frozen",            Object.isFrozen(r.period));
+    check("report: supplied metric carried",  r.metrics.noticesReceived === 1200);
+    check("report: omitted metric defaults 0", r.metrics.statementsOfReasons === 0);
+    check("report: all metric fields present", metricNames.every(function (m) { return typeof r.metrics[m] === "number"; }));
+    check("report: default reportId derived", r.reportId === "dsa-transparency-" + period.to);
+    check("report: nextReportDueBy = to+365d", r.nextReportDueBy === period.to + b.constants.TIME.days(365));
+  });
+  check("report: emitted one audit event",        rEvents.length === 1);
+  check("report: audit action transparency event", rEvents[0] && rEvents[0].action === "dsa.transparency_report.generated");
+  check("report: audit metadata actionsTaken",    rEvents[0] && rEvents[0].metadata.actionsTaken === 940);
+
+  expectCode("report: missing period throws",
+    function () { b.dsa.transparencyReport({ metrics: {} }); }, "dsa/bad-period");
+  expectCode("report: from >= to throws",
+    function () { b.dsa.transparencyReport({ period: { from: period.to, to: period.from } }); }, "dsa/bad-period-order");
+  expectCode("report: unknown metric key throws",
+    function () { b.dsa.transparencyReport({ period: period, metrics: { bogusMetric: 1 } }); }, "dsa/unknown-metric");
+  expectCode("report: negative metric throws",
+    function () { b.dsa.transparencyReport({ period: period, metrics: { appeals: -3 } }); }, "dsa/bad-metric-value");
+  expectCode("report: non-integer metric throws",
+    function () { b.dsa.transparencyReport({ period: period, metrics: { appeals: 2.5 } }); }, "dsa/bad-metric-value");
+}
+
+module.exports = { run: run };
+
+if (require.main === module) {
+  try { run(); console.log("[dsa] OK"); }
+  catch (e) { console.error("FAIL:", e && e.stack || e); process.exit(1); }
+}

package/lib/vendor/blamejs/test/layer-0-primitives/otlp-attr-redaction.test.js

@@ -15,7 +15,9 @@ var helpers = require("../helpers");
 var b     = helpers.b;
 var check = helpers.check;
 
-var otlp = require("../../lib/observability-otlp-exporter");
+var otlp        = require("../../lib/observability-otlp-exporter");
+var otlpLog     = require("../../lib/log-stream-otlp");
+var otlpLogGrpc = require("../../lib/log-stream-otlp-grpc");
 
 var SECRET_TOKEN = "Bearer eyJSECRETtokenABCdef.ghi.jkl";
 var SECRET_PW    = "hunter2-PLAINTEXT-PASSWORD";
@@ -89,6 +91,43 @@ async function run() {
   check("protobuf: api key redacted on the OTLP wire",      protoWire.indexOf(SECRET_API) === -1);
   check("protobuf: non-sensitive control attribute survives", protoWire.indexOf(CONTROL_VAL) !== -1);
 
+  // ---- OTLP LOG sinks are EGRESS too: record-meta + resource attrs must redact ----
+  // The span/metric exporters redact; the log sinks (HTTP-JSON + gRPC) shipped
+  // the same attribute maps to the collector UNREDACTED — a log line carrying a
+  // bearer token / password in its meta or a credential in a resource attribute
+  // reached the wire verbatim (CWE-532). Drive the serialization seam of both.
+  var logRec = otlpLog._toLogRecord({
+    ts: 1700000000000, level: "error", message: "boom",
+    meta: { "http.method": CONTROL_VAL, authorization: SECRET_TOKEN, password: SECRET_PW },
+  });
+  var logRecWire = JSON.stringify(logRec);
+  check("otlp-log json: record-meta bearer token redacted", logRecWire.indexOf(SECRET_TOKEN) === -1);
+  check("otlp-log json: record-meta password redacted",     logRecWire.indexOf(SECRET_PW) === -1);
+  check("otlp-log json: non-sensitive record-meta survives", logRecWire.indexOf(CONTROL_VAL) !== -1);
+
+  var logBatchWire = otlpLog._serializeBatch(
+    [{ ts: 1700000000000, level: "info", message: "m", meta: { api_key: SECRET_API } }],
+    { serviceName: "svc", resourceAttributes: { authorization: SECRET_TOKEN, region: CONTROL_VAL } },
+    "1.0.0"
+  ).toString("utf8");
+  check("otlp-log json: resource-attr bearer token redacted", logBatchWire.indexOf(SECRET_TOKEN) === -1);
+  check("otlp-log json: record-meta api key redacted",        logBatchWire.indexOf(SECRET_API) === -1);
+  check("otlp-log json: non-sensitive resource attr survives", logBatchWire.indexOf(CONTROL_VAL) !== -1);
+
+  var grpcRec = otlpLogGrpc._encodeLogRecord({
+    ts: 1700000000000, level: "error", message: "boom",
+    meta: { authorization: SECRET_TOKEN, password: SECRET_PW },
+  }).toString("latin1");
+  check("otlp-log grpc: record-meta bearer token redacted", grpcRec.indexOf(SECRET_TOKEN) === -1);
+  check("otlp-log grpc: record-meta password redacted",     grpcRec.indexOf(SECRET_PW) === -1);
+
+  var grpcReq = otlpLogGrpc._encodeExportRequest(
+    [{ ts: 1700000000000, level: "info", message: "m", meta: { api_key: SECRET_API } }],
+    { serviceName: "svc", resourceAttributes: { authorization: SECRET_TOKEN } }
+  ).toString("latin1");
+  check("otlp-log grpc: resource-attr bearer token redacted", grpcReq.indexOf(SECRET_TOKEN) === -1);
+  check("otlp-log grpc: record-meta api key redacted",        grpcReq.indexOf(SECRET_API) === -1);
+
   b.observability.setRedactor(null);   // restore default for other tests
   process.stdout.write("OK — otlp attribute redaction tests\n");
 }