@blamejs/blamejs-shop 0.4.49 → 0.4.50

package/lib/vendor/blamejs/CHANGELOG.md

@@ -8,6 +8,10 @@ upgrading across more than a few patches at a time.
 
 ## v0.15.x
 
+- v0.15.11 (2026-06-14) — **Replaces a family of quadratic-time regexes that hostile input could use to stall a worker with linear scans, refuses a relocatable sealed-cell downgrade on the read side, fails closed when enabling row-level security behind a non-native driver, and scans the vendored crypto for known CVEs on every build.** Several text-handling primitives stripped trailing whitespace or extracted a mail address with a regex whose backtracking is quadratic in the input length on adversarial strings — a request body, a YAML document, a CSV cell, or a From header crafted as a long run of spaces could pin a worker's CPU. Each is now a linear character scan with identical output. The HTML-content check the MCP tool surface applies gained the vbscript: and data:text/html vectors it was missing. On the data-at-rest side, an AAD-bound (or per-row-key) column now refuses a plain, unbound vault cell on read — a relocatable envelope an attacker with write access could copy in from another row defeats the cross-row binding, so the field is nulled rather than surfaced; operators mid-migration opt back in with registerTable({ allowPlainMigration: true }). declareRowPolicy now treats row-level-security as enabled only on a value that unambiguously means true, so a non-native Postgres driver that returns the string "f" can no longer be read as "already on" and silently skip the ENABLE that protects the table's rows. Finally, because the framework's crypto is vendored rather than installed, npm audit and Dependabot never see it: every build now matches the vendored versions against the OSV vulnerability database, with a complementary Semgrep pass and workflow-file static analysis alongside. **Added:** *b.safeBuffer.indexAfterOpenTag(html, tagName)* — A linear helper that returns the offset just past a `<tag ...>` opening tag (case-insensitive), or -1 when absent or unterminated — the insertion point a response rewriter uses to splice content after <body> or <head> without a regex. It replaces the O(n^2) html.match(/<body[^>]*>/i) shape and is stricter than it: a real tag boundary is required after the name, so <bodyfoo> is not mistaken for <body>. **Security:** *Linear-time replacements across a family of quadratic regexes (ReDoS class)* — Several primitives located or stripped text with a regex whose backtracking is quadratic in V8 on adversarial input (CWE-1333): b.safeBuffer and the safe-env / safe-yaml / guard-csv parsers stripped trailing horizontal whitespace with /[ \t]+$/; b.mail extracted the address from a `Name <addr>` header with /<([^>]+)>/; the bot-disclosure and speculation-rules response middleware found the <body> insertion point with /<body[^>]*>/i; and the BIMI certificate-chain splitter walked PEM blocks with a lazy /BEGIN[\s\S]*?END/ scan. A crafted field — a long run of spaces, an unterminated bracket, a body carrying many <body starts with no closing >, a chain of BEGIN markers — could drive a worker's CPU to seconds of work. Each is now a linear scan: a shared b.safeBuffer.stripTrailingHspace (backward char walk), b.safeBuffer.indexAfterOpenTag (forward indexOf walk for the tag insertion point), a forward indexOf for address extraction, and an indexOf walk for the PEM split. Output is byte-identical (the tag-find is stricter — it no longer mistakes <bodyfoo> for <body>), and 400K-character adversarial inputs that took 8–85 seconds now complete in under 2 ms. · *MCP HTML-content check covers vbscript: and data:text/html* — The dangerous-markup check applied to text/html tool content matched <script>/<iframe>/<object>/<embed> and javascript: URLs but not the vbscript: scheme or data:text/html payloads. Both are now refused; data: URLs carrying non-HTML media (data:image/png and similar) are unaffected. · *AAD-bound columns refuse a plain sealed cell on read* — b.cryptoField.unsealRow now refuses a plain, unbound vault: envelope found on an AAD-bound (or per-row-key) column and nulls the field instead of returning it. A plain envelope carries no per-cell binding, so a writer who could place one — copied from anywhere under the same vault root — would otherwise relocate a value across rows or columns and defeat the copy-protection the AAD binding advertises. Operators migrating pre-AAD rows up to bound ciphertext opt into a bounded acceptance window with registerTable({ allowPlainMigration: true }) and clear it when migration completes. · *Row-level-security enablement fails closed on non-native drivers* — b.db.declareRowPolicy read pg_class.relrowsecurity to skip a redundant ENABLE ROW LEVEL SECURITY, but tested it with a bare truthiness check. A native pg driver returns a JS boolean; a proxy or ORM may return the string "f" for a disabled table — and "f" is truthy, so the check read it as already-enabled and silently skipped the ENABLE, leaving every row in the table unprotected while the migration reported success. RLS now counts as enabled only on a value that unambiguously means true (true, 1, or "t"/"true"/"1"/"on"/"yes"); every other shape re-issues ENABLE, a harmless no-op on an already-enabled table. · *Vendored-crypto CVE scanning, complementary SAST, and workflow static analysis in CI* — The framework ships zero npm runtime dependencies — its crypto (the noble suite, the WebAuthn server, the PKI layer) is vendored under lib/vendor/, where npm audit, Dependabot, and Socket cannot see it. Every build now generates a CycloneDX SBOM of the vendored tree (each library carrying an npm purl) and runs it through OSV-Scanner, matching the exact pinned version against the OSV vulnerability database; a published CVE or GHSA affecting a vendored version fails the build so the copy is refreshed before merge. A Semgrep pass (registry security-audit + javascript packs at ERROR severity) runs alongside CodeQL as complementary SAST, and actionlint statically checks the workflow files. All three install the OSS tool from its upstream release, matching the existing secret-scan gate's posture. **Detectors:** *Quadratic trailing-whitespace and tag-find regex detectors* — Two codebase-pattern detectors refuse reintroduction of the quadratic shapes: the /[ \t]+$/ trailing-whitespace strip (as .replace, .test, or via the named TRAILING_HSPACE_RE export) outside the linear helper that owns it, and the str.match(/<tag[^>]*>/) document-tag find that the response middleware must route through b.safeBuffer.indexAfterOpenTag. Each is proven to fire on the removed shape and stay silent on the linear replacement, so the ReDoS class cannot creep back into a new parser, guard, or response rewriter.
+
+- v0.15.10 (2026-06-13) — **Makes S3 Object-Lock version erasure reachable through the object store, and pins the build toolchain's native binary to a reviewed hash.** The object store gains the versioned-delete surface its S3 Object Lock support always needed for real erasure. An unversioned delete on a versioning-enabled (Object-Lock) bucket only writes a delete-marker — the data version survives — so the framework's own delete could report success while a record protected for compliance, or one a data subject asked to erase, stayed on disk. b.objectStore / b.storage now carry a versionId: put and saveRaw return the version they created, deleteFile(key, { versionId, bypassGovernanceRetention }) targets a specific version (refused — not silently delete-markered — when it is under an active retention), and listVersions enumerates versions and delete-markers so an erasure workflow can find them. Backends with no version surface (the filesystem backend, and the current Azure and GCS adapters) refuse a versioned delete loudly rather than silently dropping the current object. Separately, the build toolchain's native bundler binary is now verified against a reviewed SHA-256 pin so a tampered or drifted binary is caught before it bundles the framework. **Added:** *Versioned object delete + listVersions for S3 Object-Lock erasure* — b.storage.deleteFile and the b.objectStore sigv4 backend now accept opts.versionId to erase a specific object version, and opts.bypassGovernanceRetention to lift a GOVERNANCE-mode retention for callers with the permission (COMPLIANCE stays immutable to everyone). b.storage.saveRaw and the backend put now return the versionId they created on a versioning-enabled bucket, and a new b.storage.listVersions(prefix) / backend listVersions enumerates every version and delete-marker (key, versionId, isLatest, deleteMarker, size, lastModified, etag) so a right-to-erasure or crypto-shred workflow can target prior versions. On a backend with no version surface, listVersions throws VERSIONS_UNSUPPORTED and a versioned delete throws VERSIONID_UNSUPPORTED rather than silently acting on the current object. · *b.localDb.thin reaches SQLite resource-limit parity (limits option)* — b.localDb.thin now opens its node:sqlite handle with the same parse-time statement-size cap as b.db and the CLI — a SQL statement over 1 MiB is rejected at parse time, the SQLITE_LIMIT_LENGTH floor that guards prepare()/exec() of raw SQL against an attacker-influenced megaquery (SQLite's default is 1 GB). The cap is on by default; a new limits option (e.g. { sqlLength: 2 * 1024 * 1024 } or other SQLITE_LIMIT_* keys) lets an operator raise or extend it. Previously the thin opener had no limits plumbing, so a consumer on that path could not reach parity with the rest of the framework's SQLite surface. **Fixed:** *S3 Object-Lock version erasure is reachable through the framework delete path* — On a versioning-enabled (Object-Lock) bucket, an unversioned DELETE only writes a delete-marker — the protected data version survives untouched — yet the framework's delete had no versionId surface, so it issued the unversioned form and reported success while the bytes the lock protects remained. A retention or legal hold could therefore look enforced to the framework caller while the operation WORM actually blocks was unreachable. The delete path now targets the exact version: deleting a version under a COMPLIANCE retention is refused (it throws, even with bypassGovernanceRetention), a no-retention version erases cleanly, and the enforcement is proven end-to-end against MinIO through the framework's own API. · *b.configDrift.verifyVendorIntegrity is now working-directory-independent* — The vendored-dependency integrity check resolved each manifest file path against process.cwd(), so it only worked when run from the application root. Run from anywhere else it read-failed every entry (reporting ok:false), and under a crafted working directory that happened to contain a clean vendor tree it could hash a different tree than the one actually loaded. It now resolves each file under the framework's own vendor directory by default — the tree loaded at runtime — and honors an explicit libVendorDir for verifying a deployed tree elsewhere, so the result no longer depends on where the process was started. **Security:** *Build toolchain native binary pinned to a reviewed hash* — The native bundler binary the build toolchain runs (esbuild's per-platform compiler, a development dependency that never ships in the runtime) is now verified against a SHA-256 pin captured by diffing the published package tarballs and hashing the binary. The build gate fails if the on-disk binary does not match the reviewed hash for its (version, platform); for a version that has not been reviewed it notes the gap and skips rather than trusting an unverified binary. A cross-artifact check keeps the version in agreement across package.json, the CI install step, and the hash map, so the gate can never quietly test a version that was never diffed — closing a real drift where CI had been installing an older patch than package.json declared. The reviewed diff is benign: version strings plus an installer size-bound and error-message hardening, no new install hooks, files, or network paths, and no runtime-dependency impact. **Detectors:** *Object-store erasure guard, esbuild-pin agreement, + structural re-anchoring of the lint detectors* — A new guard locks the object-store delete path to the versioned-erasure contract: b.storage.deleteFile must thread versionId to the backend, so it can never silently revert to the WORM-blind unversioned delete. A second guard enforces that the esbuild build-tool version agrees across package.json, the CI install step, and the binary-hash map, so a future bump can't update one and leave the gate testing an unreviewed version. Separately, the framework's internal codebase-pattern lint detectors were re-anchored from fixed character spans to structural code boundaries, so they keep matching the code they guard as those functions grow rather than aging out of range; reviving them surfaced a few internal validation and transaction sites that now route through shared helpers (a required positive-integer-with-range validator and an async transaction wrapper) instead of hand-rolling the check. No public API change.
+
 - v0.15.9 (2026-06-13) — **Raises the Node floor to 24.16, adds SQLite parse-time resource caps, retries Windows rename locks on every atomic write and download, and ships a one-call secure logout that wipes client-side state.** This release moves the engines floor to the current Node 24 LTS patch level and adds three hardening primitives. node:sqlite handles now construct with SQLITE_LIMIT_* caps: a statement over 1 MiB is rejected at parse time (a DoS floor on the raw-SQL surface, complementary to the existing row-count gate) and ATTACH DATABASE is denied. Every final temp-to-destination rename — the file written by an atomic write, a downloaded file, a sealed vault key, a rotated log, an extracted archive entry — now routes through a single retry that rides out a transient Windows lock (antivirus, the search indexer, or a file-sync client briefly holding the destination), instead of surfacing the lock as a hard failure; the retry, previously hand-rolled and unreachable, is now the reusable b.atomicFile.renameWithRetry. And b.session.logout destroys a session and tells the browser to wipe its client-side state in one call: it emits an RFC 9527 Clear-Site-Data header and expires the session cookie before destroying the row, the secure-default logout that previously had to be assembled by hand. **Added:** *b.session.logout — one-call secure logout* — `b.session.logout(res, token, opts?)` destroys the server-side session AND tells the browser to wipe its client-side state in one call: it emits an RFC 9527 Clear-Site-Data response header (cookies + storage + cache + execution contexts by default) and expires the session cookie, then destroys the session row. `b.session.destroy` alone is a store operation with no response object, so it could not wipe the browser's cached pages, storage, or a stale tab still holding the now-revoked cookie — that wiring previously had to be mounted by hand. Pass `cookieName` to match a non-default cookie and `types` to choose the Clear-Site-Data directives. **Changed:** *Node engines floor raised to >=24.16.0* — The minimum supported Node is now 24.16.0 (the current Node 24 LTS patch level), up from 24.14.1. This is an LTS-currency bump — there are no Node CVE fixes between 24.14.1 and 24.16.0 (24.14.1 already carried the CVE-2026-21713 HMAC fix); it keeps the framework on the latest patched LTS and makes the node:sqlite resource-cap hardening below available everywhere. Pre-1.0, operators upgrade across the floor; Node 26 continues to satisfy it. **Fixed:** *b.watcher canonicalizes its root on Windows* — `b.watcher.create` now resolves its `root` to the real long path before watching. On Windows a root with an 8.3 short-name component (the system temp directory commonly resolves to one) made the native recursive backend deliver long-name event paths that no longer prefix-matched the watched root, which could abort the process under a strict libuv fs-event assertion. The watcher now canonicalizes the root (expanding short names and resolving symlinks), so events match the watched directory on Windows. **Security:** *SQLite parse-time statement-size cap* — Every node:sqlite database the framework opens — the main db handle and the CLI's handle — now constructs with a SQLITE_LIMIT_LENGTH cap: a SQL statement over 1 MiB is rejected at parse time. Because the query builder parameterizes every value, the size cap guards the raw-SQL surface (`b.db.runSql`) against an attacker-influenced megaquery the parser would otherwise process (SQLite's default is 1 GB); it is a parse-time DoS floor complementary to the existing row-count gate. Legitimate framework and operator statements are far under the cap. · *Windows rename-lock retry on every atomic rename and download* — On Windows a freshly-written file's destination is briefly held by antivirus, the search indexer, or a file-sync client (Dropbox, OneDrive), surfacing as a transient EPERM / EACCES / EBUSY on rename even though the temp file is fine. `b.atomicFile.writeSync` already retried this, but `b.httpClient.downloadStream` did not — a download into a cloud-synced or AV-scanned directory could fail hard on the lock. The retry is now the reusable `b.atomicFile.renameWithRetry`, and every final temp-to-destination rename in the framework routes through it: downloads, sealed vault keys, CA key/cert writes, log rotation, archive extraction, config-drift sidecars, the self-update binary swap, and restore/rollback moves. A non-transient error still throws immediately; POSIX renames are unaffected. **Detectors:** *Rename-retry, SQLite-limits, and Clear-Site-Data guards* — Three recurrence detectors ship with the fixes: a bare `nodeFs.renameSync` final rename that doesn't route through `atomicFile.renameWithRetry`; a main `DatabaseSync` handle constructed without the SQLITE_LIMIT_LENGTH `limits`; and a hand-rolled Clear-Site-Data header value that skips the shared RFC 9527 builder.
 
 - v0.15.8 (2026-06-13) — **Redacts OTLP log-sink attributes to close a secret/PII egress the span fix missed, adds EU DSA and China PIPL cross-border compliance record-builders, ships an SSDF producer self-attestation with every release, and makes the published tarball reproducible.** This release closes a telemetry egress hole, adds two compliance record-builder namespaces, and hardens the release supply chain. The OTLP log sinks (HTTP-JSON and gRPC) shipped a log record's meta attributes and the resource attributes to the collector unredacted — a log line carrying a bearer token, password, or API key reached the wire verbatim (CWE-532). The 0.15.4 fix wired the telemetry redactor into the span and metric exporters but the log sinks were missed; both now run record and resource attributes through the same redactor before serialization. New b.dsa builds the EU Digital Services Act (Reg 2022/2065) records an intermediary or platform must keep — Art. 16 notice-and-action, Art. 17 statement of reasons, and the Art. 15 / 24(3) transparency report. New b.pipl builds the China PIPL cross-border transfer records — an Art. 38/40 assessment that determines whether a CAC security assessment is mandatory (CIIO, important data, or the volume / sensitive-PI thresholds), and an Art. 40 security-assessment certificate. On the supply-chain side, every release now ships ssdf-attestation.json, a machine-readable NIST SP 800-218 / OMB M-22-18 producer self-attestation mapping each secure-development practice to its implementing control, and the published tarball is now packed with SOURCE_DATE_EPOCH so an operator can rebuild it byte-for-byte from the release commit. **Added:** *b.dsa — EU Digital Services Act compliance record-builders* — `b.dsa` builds the dated, frozen records the EU Digital Services Act (Regulation (EU) 2022/2065) requires an online intermediary or platform to keep: `b.dsa.noticeAndAction` (Art. 16) records a notice against a piece of content and computes the action-due window; `b.dsa.statementOfReasons` (Art. 17) records a moderation decision with its legal or contractual ground (exactly one is required), the facts, whether it was automated, and the redress routes offered; `b.dsa.transparencyReport` (Art. 15 / 24(3)) aggregates the period counts into a report with the next-due date. The builders perform no network I/O and emit a best-effort audit event; they map to the `dsa` compliance posture. · *b.pipl — China PIPL cross-border transfer record-builders* — `b.pipl.sccFilingAssessment` builds a PIPL Art. 38/40/55 cross-border transfer assessment and determines the lawful mechanism: it forces a CAC security assessment (over a self-selected standard contract or certification) when the exporter is a critical-information-infrastructure operator, exports important data, handles personal information of more than 1,000,000 individuals, or crosses the cumulative volume / sensitive-PI thresholds. `b.pipl.securityAssessmentCertificate` records an Art. 40 security-assessment self-declaration with a 3-year validity clock. Both return frozen dated records and map to the `pipl-cn` posture. · *SSDF producer self-attestation shipped with every release* — Every release now attaches `ssdf-attestation.json` — a machine-readable NIST SP 800-218 (SSDF v1.1) / OMB M-22-18 producer self-attestation. It maps each secure-software-development practice to its implementing control in the tree (SLSA L3 provenance, SSH-signed tags, vendored zero-runtime-dep supply chain, OSV-Scanner gating, coordinated disclosure) and is deterministic from the release commit. Its sha256 is a subject of the SLSA L3 provenance, so verifying the provenance verifies the attestation has not been tampered with. Downstream consumers who require SSDF supplier-compliance evidence can download it from the release page. **Security:** *OTLP log sinks redact record and resource attributes before export* — `b.logStream`'s OTLP log sinks (HTTP-JSON and gRPC) shipped a log record's `meta` attributes and the sink's resource attributes to the collector UNREDACTED, so a log line whose meta carried a bearer token, password, or API key — or a credential placed in a resource attribute — reached the OTLP wire verbatim (CWE-532). The 0.15.4 change baked the telemetry redactor into the span and metric exporters but its detector was anchored on the span/metric encoder function names, leaving the log sinks uncovered. Both log sinks now run record and resource attributes through `b.observability.redactAttrs` before serialization, the same egress contract the span and metric exporters already hold. · *Reproducible published tarball (SOURCE_DATE_EPOCH)* — The release workflow now exports `SOURCE_DATE_EPOCH` (derived from the tagged commit's author date) before `npm pack`, so the mtime stamped into every tar header is deterministic. An operator can re-pack the package from the same commit and match the published tarball's sha256 byte-for-byte, strengthening the source-to-artifact verification path alongside the existing SLSA L3 provenance and PQC signatures. **Detectors:** *otlp-log-sink-encodes-attrs-without-redactor* — Fires when an OTLP log-sink encoder hands a raw `record.meta` or resource-attribute map to serialization without routing it through `observability.redactAttrs` — the class the span/metric detector could not see because the log sinks carry the OTLP-logs schema function names.

package/lib/vendor/blamejs/README.md

@@ -65,7 +65,7 @@ The framework bundles the surface a typical Node app reaches for. Every primitiv
 - **Mongo-style document-store facade** — `b.db.collection(name, opts?)` with `$set` / `$inc` / `$unset` / `$eq` / `$ne` / `$gt` / `$gte` / `$lt` / `$lte` / `$in` / `$like`; schemaless-document opts via `overflow: "<col>"` (folds unknown fields into a JSON-text column; rewrites `WHERE` on virtual fields to `JSON_EXTRACT`), `jsonColumns: [...]` (auto-stringify on write + parse via `b.safeJson` on read), `sealedFields: { email: "emailHash" }` (co-locates a `b.cryptoField` sealed-column / derived-hash declaration so plaintext lookups auto-rewrite to hash-column lookups)
 - **DB lifecycle** — in-memory encrypted snapshot via `b.db.snapshot()`; standalone encrypted-DB-file lifecycle (`b.db.fileLifecycle({ dataDir, vault })` — decrypt-to-tmpfs, periodic re-encrypt flush, graceful shutdown — same envelope as `b.db`, no schema/audit-chain coupling); `db.init` opt-outs `frameworkTables: false` / `auditSigning: false` and path overrides `encryptedDbPath` / `encryptedDbName` / `dbKeyPath`
 - **External RDBMS** — bring-your-own Postgres / MySQL with pool tuning + role-aware connect + read-replica routing (`b.externalDb`); declarative role-narrowed views and Postgres row-level-security migrations (`b.db.declareView`, `b.db.declareRowPolicy`); an opt-in `requireTls` transport posture refuses a non-TLS backend at boot, and query / transaction / read traces carry OpenTelemetry `db.*` attributes. The framework's own data layer — the signed audit chain, cluster leadership and lease fencing, sessions, break-glass, and the local queue / cache / scheduler — is composed through the dialect-aware `b.sql` builder (every identifier quoted by construction, every value bound as a placeholder, dialect-correct SQLite / Postgres / MySQL output), so the framework's tables run on a Postgres or MySQL backend, not only local SQLite; `b.guardSql` validates result rows against NUL bytes, quote-jump sequences, and per-column / total-size boundaries
-- **Object store** — S3 / R2 / B2 / GCS / Azure with multipart upload + SSE + bucket-ops (create / delete / list / lifecycle / CORS); S3 Object Lock + per-object retention + legal hold for write-once-read-many compliance workloads (`b.storage`, `b.objectStore`)
+- **Object store** — S3 / R2 / B2 / GCS / Azure with multipart upload + SSE + bucket-ops (create / delete / list / lifecycle / CORS); S3 Object Lock + per-object retention + legal hold for write-once-read-many compliance workloads, with versioned delete + `listVersions` for right-to-erasure / crypto-shred against an Object-Lock bucket (`b.storage`, `b.objectStore`)
 - **Queues + cache** — durable queue with priority + cron + flows on local SQLite, shared Redis, OR AWS SQS via SigV4 + AWSJsonProtocol_1.0 (`b.queue`, `b.jobs`) — the local backend can target an operator-supplied database / table / schema; cluster-shared cache (`b.cache`)
 ### Identity & access
 

package/lib/vendor/blamejs/SECURITY.md

@@ -204,10 +204,11 @@ What blamejs defends against, by design:
 - **Inline-script injection** — strict CSP default (`script-src 'self' 'nonce-...'`) blocks anything an XSS payload could ship.
 - **Algorithm-substitution attacks** — every encrypted blob carries a 4-byte algorithm-ID header; `b.crypto.decrypt` dispatches on the header bytes, not on a guess at the active default. An attacker swapping a weaker algorithm into the envelope fails the AEAD tag check.
 - **Supply-chain compromise via npm transitive deps** — zero npm runtime dependencies. Every external library is vendored under `lib/vendor/` with a manifest pinning version + license + provenance. Build reproducibility is verified via the GHCR image's SLSA provenance attestation (see DEPLOY.md → "Release verification").
+- **A published CVE in a vendored library going unnoticed** — because the crypto is vendored rather than installed, `npm audit` / Dependabot / Socket never see it. Every PR builds a CycloneDX SBOM of `lib/vendor/` (each library carries an npm purl) and runs it through OSV-Scanner, matching the exact pinned version against the OSV vulnerability database (CVE + GHSA). A match fails the build — the vendored copy is refreshed before merge. This runs alongside CodeQL (semantic SAST), a complementary Semgrep pass (registry security-audit + javascript packs at ERROR severity), gitleaks (secret scan over full history), and actionlint (workflow static analysis).
 - **Replay of API requests** — `apiEncrypt` middleware nonce-stores + replay-windows the `_ek` field; old session keys can't be reused.
 - **Error-detail leakage on an encrypted channel** — when `apiEncrypt` is active, terminal error responses (the error page, schema-validation refusals, RFC 9457 problem+json, deny-middleware bodies) are sealed in the same `{ _ct }` envelope as successes via `req.apiEncryptEncode`, so error detail (paths, field names, refusal reasons) doesn't ship in plaintext while the surrounding traffic is encrypted. Errors raised before a session exists (Bearer 401, handshake reject, replay refusal) stay plaintext so the caller can read them; the client opts into reading a non-2xx with `b.httpClient.encrypted({ responseMode: "passthrough" })` instead of throwing on the shape.
 - **Server-Side Request Forgery on outbound calls** — `b.ssrfGuard` resolves the hostname of every `b.httpClient.request({ url })` and refuses any IP in private / loopback / link-local / cloud-metadata / reserved ranges (incl. AWS / GCP / Azure metadata at 169.254.169.254). Wired default-on; operators on internal-mesh deployments override the loopback / private / link-local / reserved classes per call via `allowInternal: true | CIDR[]`. Cloud-metadata IPs are an unconditional hard-deny — no `allowInternal` value bypasses them, because metadata services leak instance credentials and a blanket override would let any compromised request exfiltrate them. Webhook delivery, OAuth, mail HTTP transports, object-store, and notify all inherit the gate.
-- **Cross-row sealed-data smuggling** — `b.vault.aad.seal(plaintext, { table, rowId, column, schemaVersion })` binds the AEAD authentication tag to the column's identity tuple. A copy-paste of a sealed value between rows, a schema-version replay, or a table-mismatch substitution surfaces as a refused decrypt rather than silent disclosure. `reseal(value, fromAad, toAad)` re-binds during schema migrations after authenticating the source.
+- **Cross-row sealed-data smuggling** — `b.vault.aad.seal(plaintext, { table, rowId, column, schemaVersion })` binds the AEAD authentication tag to the column's identity tuple. A copy-paste of a sealed value between rows, a schema-version replay, or a table-mismatch substitution surfaces as a refused decrypt rather than silent disclosure. `reseal(value, fromAad, toAad)` re-binds during schema migrations after authenticating the source. On the read side, `b.cryptoField.unsealRow` refuses a PLAIN (unbound) `vault:` cell found on an AAD-bound (or per-row-key) column — a relocatable envelope an attacker could copy in from anywhere under the same vault root would otherwise defeat the binding — and nulls the field rather than surfacing it. Operators migrating pre-AAD rows opt into a bounded acceptance window with `registerTable({ allowPlainMigration: true })`, cleared once migration completes.
 - **Tampered vendored library between releases** — `b.configDrift.verifyVendorIntegrity({ manifestPath })` runs at boot and compares every artifact under `lib/vendor/*` against its SHA-256 in `MANIFEST.json`. Mismatches abort start with an audit row under the `vendor` namespace (`vendor.integrity.tampered`); successful verification audits as `vendor.integrity.verified`. Operators wire this into the boot sequence ahead of opening any listener.
 - **Adversarial input crashing a parser / validator** — every `lib/safe-*.js` and `lib/guard-*.js` primitive (including nested `lib/parsers/safe-*.js`) is fuzzed with coverage-guided libFuzzer harnesses via jazzer.js. ClusterFuzzLite runs every PR (300s budget per target) + a daily batch (1800s + 600s coverage); OSS-Fuzz runs the same harnesses continuously on Google's infrastructure once the upstream submission lands (project config under `oss-fuzz/projects/blamejs/`). Findings ship with minimized reproducers + persist in the regression corpus across runs. The coverage gate in `test/layer-0-primitives/codebase-patterns.test.js` refuses any future parser primitive that lands without a matching `fuzz/<name>.fuzz.js` harness (or an audited `FUZZ_NOT_REQUIRED` allowlist entry with reason).
 - **Honeytoken trip detection** — `b.honeytoken` issues canary credentials (fake API key shapes, fake admin URLs, fake row IDs) registered with the framework but never handed to a real client. Any positive lookup against the registry — in a request, log search, or DB query — emits a `honeytoken.tripped` audit row regardless of where the request landed. Operators wire alerting against the audit-chain stream; the framework refuses the request silently in production and never confirms the token was a honeypot.
@@ -369,6 +370,7 @@ This is the minimum-viable security posture for a production deployment. The fra
 - [ ] For endpoints returning aggregate statistics over personal data (counts / sums / means / histograms): add calibrated noise with `b.ai.dp` and gate spend with `b.ai.dp.budget({ scope, epsilon, delta })` — use `type: "laplace"` (snapping mechanism) or `type: "gaussian"` (discrete Gaussian), NEVER a hand-rolled `Math.random`-based noise generator: a naive double-precision Laplace sampler lets an attacker distinguish neighbouring datasets from a single output (Mironov 2012), silently breaking the guarantee. Track the per-scope ε/δ budget so repeated queries can't be averaged to cancel the noise
 - [ ] For data with a TTL (GDPR Art. 17, PCI 3.1, retention windows): declare retention rules via `b.retention.create({ db, audit }).declare({ name, table, ageField, ttlMs, action: "erase" })` and run on a `b.scheduler` cadence; honour legal-hold via `legalHoldField`
 - [ ] For write-once-read-many object archives (SEC 17a-4, FINRA, HIPAA-shaped retention): create the bucket with `b.objectStore.bucketOps.create(name, { objectLockEnabled: true })` (Object Lock can ONLY be flipped at create time), apply a default retention via `setObjectLockConfiguration(name, { mode: "COMPLIANCE", years })`, and pin individual objects with `setObjectRetention(name, key, { mode, retainUntil })` or `setObjectLegalHold(name, key, "ON")` — `COMPLIANCE` cannot be shortened or bypassed by anyone (including root); pick deliberately
+- [ ] To erase a record on an Object-Lock (versioning-enabled) bucket — right-to-erasure or crypto-shred — target the VERSION: a plain `b.storage.deleteFile(key)` only writes a delete-marker and the protected data version survives. Capture the `versionId` from the write (`saveRaw`/`put` return it) or enumerate it with `b.storage.listVersions(prefix)`, then `b.storage.deleteFile(key, { versionId })`; a version under an active retention is refused (the call throws), and `bypassGovernanceRetention: true` lifts a GOVERNANCE-mode hold for an authorized caller but never a `COMPLIANCE` one
 - [ ] At boot, before any outbound socket opens: call `b.network.bootFromEnv({ env: process.env, audit: b.audit })` so operator-supplied NTP / DNS / proxy / DPI-trust / TCP socket settings (`BLAMEJS_NTP_*`, `BLAMEJS_DNS_*`, `HTTP_PROXY` / `HTTPS_PROXY` / `NO_PROXY`, `BLAMEJS_EXTRA_CA_CERTS`, `BLAMEJS_SOCKET_*`) apply uniformly
 - [ ] If you ship spans/metrics to an OTLP collector through a custom exporter (rather than the framework's `b.otelExport` / `b.logStream`, which already do this): run every span / metric / resource attribute **value** through `b.observability.redactAttrs(attrs)` before serialization. Telemetry is a first-class egress sink — an attribute value holding a bearer token, password, or PII is otherwise shipped to the collector verbatim (CWE-532). `redactAttrs` composes `b.redact.redact`, drops any attribute whose redactor throws (fail toward dropping), and honours an operator override installed via `b.observability.setRedactor`
 - [ ] If the deployment sits behind a deep-packet-inspection proxy with its own re-signing CA: install the CA via `b.network.tls.addCa("/path/to/corp-ca.pem", { label: "corp-mitm" })` and pass `allowDpiTrust: true` to `b.security.assertProduction` — every CA addition audits with subject + fingerprint so a forensic review can reconstruct the trust path

package/lib/vendor/blamejs/api-snapshot.json

@@ -1,7 +1,7 @@
 {
   "version": 1,
-  "frameworkVersion": "0.15.9",
-  "createdAt": "2026-06-13T22:58:01.805Z",
+  "frameworkVersion": "0.15.11",
+  "createdAt": "2026-06-14T05:18:13.280Z",
   "exports": {
     "a2a": {
       "type": "object",
@@ -48328,6 +48328,10 @@
           "type": "function",
           "arity": 1
         },
+        "indexAfterOpenTag": {
+          "type": "function",
+          "arity": 2
+        },
         "isHex": {
           "type": "function",
           "arity": 2
@@ -51211,6 +51215,10 @@
           "type": "function",
           "arity": 0
         },
+        "listVersions": {
+          "type": "function",
+          "arity": 2
+        },
         "presignedDownloadUrl": {
           "type": "function",
           "arity": 2

package/lib/vendor/blamejs/lib/bundler.js

@@ -266,13 +266,8 @@ function create(opts) {
   var hashOn   = opts.hash !== false;
   var hashLen  = DEFAULT_HASH_LEN;
   if (opts.hashLen !== undefined) {
-    if (!numericBounds.isPositiveFiniteInt(opts.hashLen) ||
-        opts.hashLen < MIN_HASH_LEN || opts.hashLen > MAX_HASH_LEN) {
-      throw new BundlerError("bundler/bad-hash-len",
-        "bundler.create: opts.hashLen must be a positive finite integer " +
-        "between " + MIN_HASH_LEN + " and " + MAX_HASH_LEN +
-        "; got " + numericBounds.shape(opts.hashLen));
-    }
+    numericBounds.requirePositiveFiniteInt(opts.hashLen, "bundler.create: opts.hashLen",
+      BundlerError, "bundler/bad-hash-len", { min: MIN_HASH_LEN, max: MAX_HASH_LEN });
     hashLen = opts.hashLen;
   }
   var log      = opts.log || null;

package/lib/vendor/blamejs/lib/config-drift.js

@@ -350,7 +350,7 @@ function create(opts) {
  * instead of a silent zero-files-checked pass.
  *
  * @opts
- *   libVendorDir: string,  // absolute path to lib/vendor (defaults to cwd-relative)
+ *   libVendorDir: string,  // absolute path to the lib/vendor tree to verify; default: the framework's own (cwd-independent). Per-file manifest paths resolve under this directory.
  *   manifestPath: string,  // absolute path to MANIFEST.json (defaults under libVendorDir)
  *
  * @example
@@ -367,7 +367,14 @@ function create(opts) {
  */
 function verifyVendorIntegrity(opts) {
   opts = opts || {};
-  var libVendorDir  = opts.libVendorDir  || nodePath.join(process.cwd(), "lib", "vendor");
+  // Default to the framework's OWN vendor directory (this module lives in
+  // lib/, so __dirname/vendor is lib/vendor) — the tree actually loaded at
+  // runtime. The previous cwd-relative default made the check cwd-dependent:
+  // run from another directory it read-failed every entry, and under a crafted
+  // cwd that happened to hold a clean vendor tree it could hash a DIFFERENT
+  // tree than the one loaded. Operators verifying a deployed tree elsewhere
+  // pass libVendorDir explicitly; per-file resolution honors it below.
+  var libVendorDir  = opts.libVendorDir  || nodePath.join(__dirname, "vendor");
   var manifestPath  = opts.manifestPath  || nodePath.join(libVendorDir, "MANIFEST.json");
   var raw;
   try { raw = nodeFs.readFileSync(manifestPath, "utf8"); }
@@ -390,7 +397,14 @@ function verifyVendorIntegrity(opts) {
       var rel = files[kind];
       var expected = hashes[kind];
       if (typeof rel !== "string" || typeof expected !== "string") return;
-      var abs = nodePath.isAbsolute(rel) ? rel : nodePath.join(process.cwd(), rel);
+      // Manifest paths are stored repo-root-relative (e.g. "lib/vendor/x.cjs").
+      // Resolve each one UNDER libVendorDir (the tree being verified), not
+      // process.cwd(), so the check hashes the actual loaded files regardless
+      // of the working directory. Strip the leading lib/vendor/ so the join
+      // doesn't double it; a manifest that already stored a vendor-relative
+      // path resolves the same way.
+      var relInVendor = rel.replace(/^lib[\\/]+vendor[\\/]+/, "");
+      var abs = nodePath.isAbsolute(rel) ? rel : nodePath.join(libVendorDir, relInVendor);
       var actual;
       try {
         var bytes = nodeFs.readFileSync(abs);

package/lib/vendor/blamejs/lib/crypto-field.js

@@ -331,6 +331,15 @@ function isRowSealed(value) {
  *                                          // threaded into AAD. Default "1". Bump
  *                                          // when the column layout changes to
  *                                          // invalidate all prior ciphertext.
+ *   allowPlainMigration: boolean,          // default false. On an aad / per-row-key
+ *                                          // table the read path refuses a PLAIN
+ *                                          // (unbound) vault: cell — a relocatable
+ *                                          // envelope an attacker could copy in from
+ *                                          // another row defeats the AAD copy-
+ *                                          // protection, so it is nulled, not surfaced.
+ *                                          // Set true ONLY for the bounded window while
+ *                                          // migrating pre-AAD rows up to AAD-bound
+ *                                          // ciphertext; clear it once migration ends.
  *
  * @example
  *   b.cryptoField.registerTable("patients", {
@@ -403,6 +412,13 @@ function registerTable(name, opts) {
     rowIdField:      rowIdField,
     schemaVersion:   schemaVersion,
     derivedHashMode: derivedHashMode,
+    // allowPlainMigration — read-side downgrade window. On an aad / per-row-key
+    // table the read path refuses a plain `vault:` cell (no AAD = relocatable,
+    // which would defeat the cross-row/cross-column copy-protection the AAD
+    // binding advertises). Operators with genuine pre-AAD rows opt into a
+    // bounded lazy-migration window with { allowPlainMigration: true }; a
+    // re-seal (sealRow) then re-emits the cell AAD-bound. Default closed.
+    allowPlainMigration: opts.allowPlainMigration === true,
   };
 }
 
@@ -1240,6 +1256,20 @@ function unsealRow(table, row, actor, dbHandle) {
           unsealed = _decodeTyped(vaultAad.unseal(out[field],
             _aadParts(s, table, field, out)));
         } else if (typeof out[field] === "string" && out[field].startsWith(VAULT_PREFIX)) {
+          // A plain `vault:` cell (no AAD) on an AAD-bound / per-row-key table
+          // is a downgrade: plain vault.seal carries no AAD, so a DB-write
+          // attacker could relocate such a cell from another row/column into
+          // this one and the read would silently accept it — defeating the
+          // cross-row/cross-column copy-protection the AAD binding advertises.
+          // Refuse (throw -> catch nulls the field + audits) unless the table
+          // opted into the documented pre-AAD lazy-migration window.
+          if ((s.aad || perRowKeyTables[table]) && !s.allowPlainMigration) {
+            throw new CryptoFieldError("crypto-field/aad-downgrade-refused",
+              "unsealRow: '" + table + "'.'" + field + "' is AAD-bound but the stored " +
+              "cell is a plain (unbound) vault envelope — refusing a relocatable-seal " +
+              "downgrade (set registerTable({ allowPlainMigration: true }) for a " +
+              "documented pre-AAD migration window)");
+          }
           unsealed = _decodeTyped(vault.unseal(out[field]));
         } else {
           // Not a sealed value — pass through.

package/lib/vendor/blamejs/lib/db-declare-row-policy.js

@@ -73,6 +73,18 @@ function _err(code, message) {
   return new DeclareRowPolicyError(code, message);
 }
 
+// _isRlsEnabled — fail-closed coercion of pg_class.relrowsecurity. Native pg
+// drivers return a JS boolean; a proxy / ORM / non-native driver may return
+// "t"/"f", "true"/"false", or 1/0. RLS counts as enabled ONLY on a value that
+// unambiguously means true; every other shape (including the truthy string
+// "f") reads as not-enabled, so ENABLE is (re-)issued rather than silently
+// skipped — a skipped ENABLE would leave the table's rows unprotected.
+function _isRlsEnabled(v) {
+  if (v === true || v === 1) return true;
+  if (typeof v === "string") return /^(t|true|1|on|yes)$/i.test(v.trim());
+  return false;
+}
+
 function _validateIdent(where, value) {
   try {
     safeSql.validateIdentifier(value, { allowReserved: true });
@@ -227,7 +239,14 @@ function declareRowPolicy(opts) {
         "source table '" + spec.schema + "." + spec.table +
         "' not found (does it exist? does the migration role have visibility?)");
     }
-    if (!rows[0].relrowsecurity) {
+    // relrowsecurity is a Postgres boolean. Native pg drivers return true/false,
+    // but a proxy / ORM / non-native driver may hand back "t"/"f", "true"/"false",
+    // or 1/0. The string "f" is TRUTHY, so a bare `!rows[0].relrowsecurity` would
+    // read "f" as "already enabled" and silently SKIP ENABLE — leaving the table's
+    // rows unprotected while the migration reports success. Treat RLS as enabled
+    // ONLY on a value that unambiguously means true; anything else fails closed and
+    // (re-)issues ENABLE, which is a harmless no-op on an already-enabled table.
+    if (!_isRlsEnabled(rows[0].relrowsecurity)) {
       var enableStmt = sql.enableRowLevelSecurity(tableRef, { dialect: "postgres" });
       await xdb.query(enableStmt.sql, enableStmt.params);
     }

package/lib/vendor/blamejs/lib/db-schema.js

@@ -98,6 +98,34 @@ function runInTransaction(db, fn, opts) {
   }
 }
 
+// runInTransactionAsync — the async sibling of runInTransaction. SQLite
+// transactions are synchronous at the wire, but the body between BEGIN and
+// COMMIT may await (a seeder's run(), a per-row re-seal that reads off the
+// handle): await fn() before COMMIT so the transaction wraps the whole
+// awaited body, and ROLLBACK on rejection. Same opts.lockMode /
+// opts.onRollbackFail contract as the sync form.
+async function runInTransactionAsync(db, fn, opts) {
+  if (typeof fn !== "function") {
+    throw new TypeError("dbSchema.runInTransactionAsync: fn must be a function");
+  }
+  opts = opts || {};
+  var beginSql = opts.lockMode ? "BEGIN " + opts.lockMode : "BEGIN";
+  runSqlOnHandle(db, beginSql);
+  try {
+    var result = await fn();
+    runSqlOnHandle(db, "COMMIT");
+    return result;
+  } catch (e) {
+    try { runSqlOnHandle(db, "ROLLBACK"); }
+    catch (rollbackErr) {
+      if (typeof opts.onRollbackFail === "function") {
+        try { opts.onRollbackFail(rollbackErr); } catch (_e) { /* nested handler must not bubble */ }
+      }
+    }
+    throw e;
+  }
+}
+
 // ---- Internal migrations table ----
 
 // Logical name; the physical name + configured prefix resolve through
@@ -611,6 +639,7 @@ module.exports = {
   runSql:           runSql,
   runSqlOnHandle:   runSqlOnHandle,
   runInTransaction: runInTransaction,
+  runInTransactionAsync: runInTransactionAsync,
   // Shared data-layer dialect resolution — composed by migrations.js +
   // seeders.js so the handle-dialect / b.sql-opts / key-text-type logic
   // lives in exactly one place.

package/lib/vendor/blamejs/lib/db.js

@@ -1402,6 +1402,13 @@ async function init(opts) {
       aad:             t.aad,
       rowIdField:      t.rowIdField,
       schemaVersion:   t.schemaVersion,
+      // The read-side pre-AAD migration opt-in must pass through too —
+      // otherwise a schema declaring { aad: true, allowPlainMigration: true }
+      // registers with the default (false) via this declarative db.init path,
+      // and legacy plain vault: cells are nulled on read despite the operator
+      // opting into the migration window. registerTable defaults this to false,
+      // so non-migrating tables are unaffected.
+      allowPlainMigration: t.allowPlainMigration,
     });
     tableMetadata[t.name] = {
       primaryKey:             _normalizePk(t),

package/lib/vendor/blamejs/lib/guard-csv.js

@@ -56,6 +56,7 @@
 
 var codepointClass = require("./codepoint-class");
 var csv = require("./csv");
+var safeBuffer = require("./safe-buffer");
 var C = require("./constants");
 var lazyRequire = require("./lazy-require");
 var numericBounds = require("./numeric-bounds");
@@ -432,7 +433,9 @@ function _stripIssues(text, opts) {
   out = out.replace(ZW_RE_G, "");
   if (opts.trailingWhitespacePolicy === "trim") {
     out = out.split("\n").map(function (line) {
-      return line.replace(/[ \t]+$/g, "");
+      // Linear per-line trailing-whitespace trim — .replace(/[ \t]+$/) is
+      // O(n^2) in V8 on adversarial input (untrusted CSV here).
+      return safeBuffer.stripTrailingHspace(line);
     }).join("\n");
   }
   return out;
@@ -521,9 +524,15 @@ function escapeCell(value, opts) {
   if (opts.bidiCharPolicy === "strip") str = str.replace(BIDI_RE_G, "");
 
   if (opts.trailingWhitespacePolicy === "trim") {
-    str = str.replace(/[ \t]+$/g, "");
-  } else if (opts.trailingWhitespacePolicy === "reject" && /[ \t]+$/.test(str)) {
-    throw _err("csv.trailing-whitespace", "cell has trailing whitespace");
+    // Linear strip — .replace(/[ \t]+$/) is O(n^2) on adversarial untrusted CSV.
+    str = safeBuffer.stripTrailingHspace(str);
+  } else if (opts.trailingWhitespacePolicy === "reject") {
+    // Linear "ends in space/tab?" check — /[ \t]+$/.test is ALSO O(n^2) (the
+    // engine scans from every offset when there is no trailing run).
+    var lastCode = str.length > 0 ? str.charCodeAt(str.length - 1) : 0;
+    if (lastCode === 0x20 || lastCode === 0x09) {
+      throw _err("csv.trailing-whitespace", "cell has trailing whitespace");
+    }
   }
 
   if (typeof value === "number" &&

package/lib/vendor/blamejs/lib/local-db-thin.js

@@ -44,6 +44,7 @@
  *     schemaSql:  string,                // required CREATE TABLE / INDEX script
  *     recovery:   "refuse" | "rename-and-recreate",  // default: "refuse"
  *     pragmas:    object,                // optional extra PRAGMA overrides
+ *     limits:     object,                // node:sqlite SQLITE_LIMIT_* caps; default { sqlLength: 1 MiB } (parity with b.db / CLI)
  *     audit:      boolean,               // default: true
  *   }) -> { db, prepare, run, query, close, file }
  *
@@ -55,12 +56,20 @@
 
 var nodeFs   = require("node:fs");
 var nodePath = require("node:path");
+var C = require("./constants");
 var lazyRequire = require("./lazy-require");
 var validateOpts = require("./validate-opts");
 var safeSql = require("./safe-sql");
 var { LocalDbThinError } = require("./framework-error");
 var atomicFile = require("./atomic-file");
 
+// Default parse-time statement-size cap, matching b.db and the CLI opener
+// (the v0.15.9 node:sqlite SQLITE_LIMIT_LENGTH floor). prepare()/exec() on the
+// thin path parse operator/application SQL, so the same cap guards it against
+// an attacker-influenced megaquery the parser would otherwise chew (SQLite's
+// default is 1 GB). Operators raise/relax it via opts.limits.
+var _DEFAULT_SQL_LENGTH = C.BYTES.mib(1);
+
 var audit = lazyRequire(function () { return require("./audit"); });
 
 // LRU prepared-statement cache cap — same magnitude as lib/db.js's full
@@ -99,6 +108,19 @@ function _validateOpts(opts) {
     throw new LocalDbThinError("localdb-thin/bad-pragmas",
       "localDb.thin: pragmas must be an object mapping pragma name -> value");
   }
+  if (opts.limits !== undefined &&
+      (typeof opts.limits !== "object" || opts.limits === null || Array.isArray(opts.limits))) {
+    throw new LocalDbThinError("localdb-thin/bad-limits",
+      "localDb.thin: limits must be an object of node:sqlite SQLITE_LIMIT_* caps " +
+      "(e.g. { sqlLength: 1048576 })");
+  }
+}
+
+// Merge operator-supplied limits over the framework default (sqlLength cap),
+// so the thin path reaches parity with b.db / the CLI opener while letting an
+// operator raise the cap or add SQLITE_LIMIT_* keys (e.g. attach: 0).
+function _resolveLimits(opts) {
+  return Object.assign({ sqlLength: _DEFAULT_SQL_LENGTH }, opts.limits || {});
 }
 
 function _runPragmas(database, extra) {
@@ -175,7 +197,7 @@ function thin(opts) {
   var renamedTo = null;
 
   function _attemptOpen() {
-    var db = new DatabaseSync(file);
+    var db = new DatabaseSync(file, { limits: _resolveLimits(opts) });
     _runPragmas(db, opts.pragmas);
     if (!_integrityOk(db)) {
       try { db.close(); } catch (_e) { /* best-effort */ }

package/lib/vendor/blamejs/lib/mail-bimi.js

@@ -799,10 +799,23 @@ async function fetchAndVerifyMark(opts) {
 
 function _splitPemChain(pemText) {
   if (typeof pemText !== "string") return [];
+  // Linear indexOf walk over non-overlapping BEGIN..END blocks — NOT
+  // /-----BEGIN CERTIFICATE-----[\s\S]*?-----END CERTIFICATE-----/g. The
+  // lazy-quantifier scan re-walks from every BEGIN marker that has no
+  // matching END, which is superlinear on a chain of BEGIN-only markers;
+  // the indexOf walk advances monotonically and never re-scans.
+  var BEGIN = "-----BEGIN CERTIFICATE-----";
+  var END = "-----END CERTIFICATE-----";
   var out = [];
-  var re = /-----BEGIN CERTIFICATE-----[\s\S]*?-----END CERTIFICATE-----/g;
-  var m;
-  while ((m = re.exec(pemText)) !== null) out.push(m[0]);
+  var from = 0;
+  for (;;) {
+    var b = pemText.indexOf(BEGIN, from);
+    if (b === -1) break;
+    var e = pemText.indexOf(END, b + BEGIN.length);
+    if (e === -1) break;   // unterminated final block — no further certs
+    out.push(pemText.slice(b, e + END.length));
+    from = e + END.length;
+  }
   return out;
 }
 

package/lib/vendor/blamejs/lib/mail-scan.js

@@ -161,11 +161,8 @@ function create(opts) {
 
   validateOpts.requireNonEmptyString(opts.host, "mail.scan.create.host",
     MailScanError, "mail-scan/bad-host");
-  if (!numericBounds.isPositiveFiniteInt(opts.port) || opts.port > 65535) {                        // TCP port-number range cap
-    throw new MailScanError("mail-scan/bad-port",
-      "mail.scan.create.port must be a positive integer in [1,65535]; got " +
-      numericBounds.shape(opts.port));
-  }
+  numericBounds.requirePositiveFiniteInt(opts.port, "mail.scan.create.port",
+    MailScanError, "mail-scan/bad-port", { max: 65535 });   // TCP port-number range cap
   var protocol = opts.protocol || DEFAULT_PROTOCOL;
   if (!ALLOWED_PROTOCOLS[protocol]) {
     throw new MailScanError("mail-scan/bad-protocol",

package/lib/vendor/blamejs/lib/mail.js

@@ -313,10 +313,9 @@ function _normalizeRecipientList(value, label) {
         label + "[" + i + "] contains forbidden control characters", true);
     }
     // Accept "Name <email@addr>" form too — extract the angle-bracket
-    // address for validation; preserve the full string in the message.
-    var bracket = arr[i].match(/<([^>]+)>/);
-    var addr = bracket ? bracket[1] : arr[i];
-    if (!_isValidEmail(addr.trim())) {
+    // address for validation (linear, via _extractAddr); preserve the full
+    // string in the message.
+    if (!_isValidEmail(_extractAddr(arr[i]))) {
       throw new MailError("mail/invalid-recipient",
         label + " '" + arr[i] + "' is not a valid email address", true);
     }
@@ -423,9 +422,7 @@ function _validateMessage(message) {
     throw new MailError("mail/invalid-from",
       "message.from contains forbidden control characters", true);
   }
-  var fromBracket = message.from.match(/<([^>]+)>/);
-  var fromAddr = fromBracket ? fromBracket[1] : message.from;
-  if (!_isValidEmail(fromAddr.trim())) {
+  if (!_isValidEmail(_extractAddr(message.from))) {
     throw new MailError("mail/invalid-from",
       "message.from '" + message.from + "' is not a valid email address", true);
   }
@@ -557,8 +554,18 @@ function _mergeMessage(defaults, message) {
 
 function _extractAddr(s) {
   if (s === undefined || s === null) return s;
-  var m = String(s).match(/<([^>]+)>/);
-  return m ? m[1].trim() : String(s).trim();
+  s = String(s);
+  // Linear angle-bracket extraction — NOT s.match(/<([^>]+)>/), which is O(n^2)
+  // in V8 on a long run of '<' with no '>' (the engine retries the greedy
+  // [^>]+ from every '<' offset; 200K '<' ~ 11s). Recipient/from addresses on
+  // b.mail.send can be caller/request-supplied, so this is a reachable DoS.
+  // Mirrors the regex: the chars between the first '<' and the next '>'.
+  var lt = s.indexOf("<");
+  if (lt !== -1) {
+    var gt = s.indexOf(">", lt + 1);
+    if (gt > lt + 1) return s.slice(lt + 1, gt).trim();
+  }
+  return s.trim();
 }
 
 function _toArray(v) {

package/lib/vendor/blamejs/lib/mcp.js

@@ -435,7 +435,28 @@ var PROMPT_INJECTION_MARKERS = [
   "</?(?:assistant|system|user|tool)>",
 ];
 var INJECTION_RE = new RegExp(PROMPT_INJECTION_MARKERS.join("|"), "i");                          // allow:dynamic-regex — composed from the const PROMPT_INJECTION_MARKERS list above; not operator-supplied input
-var DANGEROUS_HTML_RE = /<script\b|<iframe\b|<object\b|<embed\b|javascript:/i;
+// vbscript: and data:text/html are dangerous URL schemes the guard claims to
+// neutralize but the original alternation omitted (CodeQL js/incomplete-url-
+// scheme-check). data: is scoped to text/html so a benign data:image/png isn't
+// over-redacted. The alternation stays linear (no nested quantifier).
+var DANGEROUS_HTML_RE = /<script\b|<iframe\b|<object\b|<embed\b|javascript:|vbscript:|data:\s*text\/html/i;
+
+// Global variants for sanitize-mode redaction. A non-global .replace removes
+// only the LEFTMOST match, so on `data:text/html,<script>alert(1)</script>`
+// the leftmost `data:text/html` would be stripped and the executable
+// `<script>` left behind — sanitize mode returning runnable HTML. _redactAll
+// replaces EVERY dangerous token, repeating to a fixpoint in case removing one
+// abuts two halves into a new one. Input byte-length is bounded by the caller,
+// and [REDACTED] introduces no dangerous token, so the loop terminates quickly.
+var INJECTION_RE_G = new RegExp(PROMPT_INJECTION_MARKERS.join("|"), "gi");                        // allow:dynamic-regex — same const-composed source as INJECTION_RE
+var DANGEROUS_HTML_RE_G = /<script\b|<iframe\b|<object\b|<embed\b|javascript:|vbscript:|data:\s*text\/html/gi;
+
+function _redactAll(text, globalRe) {
+  var out = text;
+  var prev;
+  do { prev = out; out = out.replace(globalRe, "[REDACTED]"); } while (out !== prev);
+  return out;
+}
 
 function _toolResultSanitize(result, opts) {
   opts = opts || {};
@@ -475,14 +496,15 @@ function _toolResultSanitize(result, opts) {
       if (INJECTION_RE.test(regexInput)) {                                                       // allow:regex-no-length-cap regexInput byteLength bounded above
         issues.push({ kind: "prompt-injection", index: i });
         if (posture === "sanitize") {
-          // Strip the injection marker line — operators wanting
-          // structural redaction wire their own classifier.
-          t = t.replace(INJECTION_RE, "[REDACTED]");
+          // Strip EVERY injection marker — operators wanting structural
+          // redaction wire their own classifier. Global fixpoint redact so a
+          // second marker after the first isn't left behind.
+          t = _redactAll(t, INJECTION_RE_G);
         }
       }
       if (DANGEROUS_HTML_RE.test(regexInput)) {                                                  // allow:regex-no-length-cap regexInput byteLength bounded above
         issues.push({ kind: "dangerous-html", index: i });
-        if (posture === "sanitize") t = t.replace(DANGEROUS_HTML_RE, "[REDACTED]");
+        if (posture === "sanitize") t = _redactAll(t, DANGEROUS_HTML_RE_G);
       }
       cleaned.push({ type: "text", text: t });
     } else if (block.type === "image" || block.type === "resource_link" || block.type === "audio") {
@@ -922,7 +944,7 @@ function _elicitationGuard(opts) {
       }
       if (posture === "sanitize") {
         return Object.assign({}, elicitRequest, {
-          message: message.replace(INJECTION_RE, "[REDACTED]"),
+          message: _redactAll(message, INJECTION_RE_G),
         });
       }
     }

package/lib/vendor/blamejs/lib/middleware/bot-disclose.js

@@ -29,6 +29,7 @@
 var defineClass = require("../framework-error").defineClass;
 var lazyRequire = require("../lazy-require");
 var validateOpts = require("../validate-opts");
+var safeBuffer = require("../safe-buffer");
 
 var audit = lazyRequire(function () { return require("../audit"); });
 
@@ -140,11 +141,12 @@ function create(opts) {
       if (typeof ct !== "string" || ct.indexOf("text/html") === -1) return chunk;
       var body = Buffer.isBuffer(chunk) ? chunk.toString("utf8") :
         (typeof chunk === "string" ? chunk : "");
-      // Inject after <body> opening tag if present, else after <html>
-      // opening tag, else prepend.
-      var bodyMatch = body.match(/<body[^>]*>/i);
-      if (bodyMatch) {
-        var idx = bodyMatch.index + bodyMatch[0].length;
+      // Inject after the <body> opening tag if present, else prepend.
+      // Linear tag-find — NOT body.match(/<body[^>]*>/i), which is O(n^2)
+      // in V8 on a body carrying many `<body` starts with no closing `>`
+      // (rendered user content can produce exactly that).
+      var idx = safeBuffer.indexAfterOpenTag(body, "body");
+      if (idx !== -1) {
         body = body.slice(0, idx) + "\n" + bannerHtml + "\n" + body.slice(idx);
       } else {
         body = bannerHtml + "\n" + body;