@blamejs/blamejs-shop 0.4.49 → 0.4.50

package/lib/vendor/blamejs/test/layer-0-primitives/db-schema-transaction.test.js

@@ -0,0 +1,110 @@
+"use strict";
+/**
+ * dbSchema.runInTransaction / runInTransactionAsync — the BEGIN / COMMIT /
+ * ROLLBACK wrappers that seeders, migrations, and vault-rotate route through
+ * instead of hand-rolling the transaction skeleton. A fake handle records the
+ * exact statement sequence so the commit-on-success / rollback-on-failure
+ * contract — and, for the async form, that COMMIT waits for the awaited body —
+ * is asserted directly, without standing up a real SQLite database.
+ */
+
+var helpers = require("../helpers");
+var check = helpers.check;
+var dbSchema = require("../../lib/db-schema");
+
+// A handle exposing exec() — the shape runSqlOnHandle drives. It records every
+// statement; an optional failOn set makes a named statement (e.g. ROLLBACK)
+// throw so the onRollbackFail path is exercisable.
+function _fakeDb(failOn) {
+  var calls = [];
+  return {
+    _calls: calls,
+    exec: function (sql) {
+      calls.push(sql);
+      if (failOn && failOn[sql]) throw new Error("exec failed: " + sql);
+    },
+  };
+}
+
+function testSyncCommitAndRollback() {
+  var okDb = _fakeDb();
+  var ret = dbSchema.runInTransaction(okDb, function () {
+    okDb.exec("WORK");
+    return 42;
+  });
+  check("runInTransaction returns the fn result", ret === 42);
+  check("runInTransaction sequence is BEGIN, WORK, COMMIT",
+    okDb._calls.join(",") === "BEGIN,WORK,COMMIT");
+
+  var failDb = _fakeDb();
+  var threw = null;
+  try {
+    dbSchema.runInTransaction(failDb, function () { throw new Error("boom"); });
+  } catch (e) { threw = e; }
+  check("runInTransaction re-throws the body error", threw && threw.message === "boom");
+  check("runInTransaction rolls back (BEGIN, ROLLBACK — no COMMIT)",
+    failDb._calls.join(",") === "BEGIN,ROLLBACK");
+
+  // lockMode appends to BEGIN.
+  var lockDb = _fakeDb();
+  dbSchema.runInTransaction(lockDb, function () {}, { lockMode: "IMMEDIATE" });
+  check("runInTransaction honours opts.lockMode", lockDb._calls[0] === "BEGIN IMMEDIATE");
+}
+
+async function testAsyncCommitWaitsForBody() {
+  var okDb = _fakeDb();
+  var ret = await dbSchema.runInTransactionAsync(okDb, async function () {
+    // Yield to the event loop, THEN record work — proves COMMIT waits for the
+    // awaited body rather than firing synchronously after fn() returns a promise.
+    await Promise.resolve();
+    okDb.exec("ASYNC-WORK");
+    return "done";
+  });
+  check("runInTransactionAsync returns the awaited result", ret === "done");
+  check("runInTransactionAsync commits AFTER the awaited body (BEGIN, ASYNC-WORK, COMMIT)",
+    okDb._calls.join(",") === "BEGIN,ASYNC-WORK,COMMIT");
+}
+
+async function testAsyncRollbackOnReject() {
+  var failDb = _fakeDb();
+  var threw = null;
+  try {
+    await dbSchema.runInTransactionAsync(failDb, async function () {
+      await Promise.resolve();
+      throw new Error("async-boom");
+    });
+  } catch (e) { threw = e; }
+  check("runInTransactionAsync re-throws the rejected body error",
+    threw && threw.message === "async-boom");
+  check("runInTransactionAsync rolls back on async reject (BEGIN, ROLLBACK)",
+    failDb._calls.join(",") === "BEGIN,ROLLBACK");
+
+  // onRollbackFail fires when ROLLBACK itself throws, and the ORIGINAL error
+  // still surfaces (the rollback failure must not mask the body failure).
+  var rbFailDb = _fakeDb({ ROLLBACK: true });
+  var sawRollbackFail = false;
+  var origErr = null;
+  try {
+    await dbSchema.runInTransactionAsync(rbFailDb, async function () {
+      throw new Error("primary");
+    }, { onRollbackFail: function () { sawRollbackFail = true; } });
+  } catch (e) { origErr = e; }
+  check("onRollbackFail invoked when ROLLBACK throws", sawRollbackFail === true);
+  check("original body error still surfaces despite rollback failure",
+    origErr && origErr.message === "primary");
+}
+
+async function run() {
+  testSyncCommitAndRollback();
+  await testAsyncCommitWaitsForBody();
+  await testAsyncRollbackOnReject();
+}
+
+module.exports = { run: run };
+
+if (require.main === module) {
+  run().then(
+    function () { console.log("OK — " + helpers.getChecks() + " checks passed"); },
+    function (e) { console.error("FAIL:", e.stack || e); process.exit(1); }
+  );
+}

package/lib/vendor/blamejs/test/layer-0-primitives/declare-row-policy.test.js

@@ -21,8 +21,15 @@ function _fakeXdb(spec) {
       captured.push({ sql: sql, params: (params || []).slice() });
       if (/FROM pg_class/.test(sql)) {
         if (spec.tableExists === false) return { rows: [], rowCount: 0 };
+        // A native pg driver hands back a JS boolean for relrowsecurity.
+        // `relrowsecurityRaw` lets a test inject exactly what a proxy /
+        // ORM / non-native driver returns instead (the string "t"/"f",
+        // "true"/"false", or 1/0) without the !! coercion masking it.
+        var rel = Object.prototype.hasOwnProperty.call(spec, "relrowsecurityRaw")
+          ? spec.relrowsecurityRaw
+          : !!spec.rlsAlreadyOn;
         return {
-          rows: [{ relrowsecurity: !!spec.rlsAlreadyOn }],
+          rows: [{ relrowsecurity: rel }],
           rowCount: 1,
         };
       }
@@ -157,6 +164,41 @@ async function run() {
   check("no withCheck: clause omitted",
     !sqls2.some(function (s) { return /WITH CHECK/.test(s); }));
 
+  // ---- non-native-boolean driver: the string "f" means RLS-DISABLED ----
+  // A proxy / ORM / non-native pg driver returns relrowsecurity as the
+  // string "f" (false) rather than a JS boolean. "f" is TRUTHY, so a bare
+  // `!relrowsecurity` would read it as "already enabled" and SILENTLY SKIP
+  // the ENABLE ROW LEVEL SECURITY — leaving every row in the table
+  // unprotected while the migration reports success. ENABLE must still be
+  // emitted for "f"/"false"/0/"no"; it must be skipped only for a value
+  // that unambiguously means true.
+  async function _runMig(relRaw) {
+    var x = _fakeXdb({ relrowsecurityRaw: relRaw });
+    var m = b.db.declareRowPolicy({
+      schema: "public", table: "sessions", name: "rls_coerce",
+      using: "user_id = current_setting('app.user_id')::uuid", command: "ALL",
+    });
+    await m.up(x, ctx);
+    return x.captured.map(function (c) { return c.sql; });
+  }
+  function _hasEnable(sqls) {
+    return sqls.some(function (s) { return /ENABLE ROW LEVEL SECURITY/.test(s); });
+  }
+  check('non-native driver: ENABLE emitted when relrowsecurity is the string "f"',
+    _hasEnable(await _runMig("f")));
+  check('non-native driver: ENABLE emitted when relrowsecurity is "false"',
+    _hasEnable(await _runMig("false")));
+  check("non-native driver: ENABLE emitted when relrowsecurity is the number 0",
+    _hasEnable(await _runMig(0)));
+  check('non-native driver: ENABLE emitted when relrowsecurity is "no"',
+    _hasEnable(await _runMig("no")));
+  check('enabled-state respected: ENABLE skipped when relrowsecurity is the string "t"',
+    !_hasEnable(await _runMig("t")));
+  check('enabled-state respected: ENABLE skipped when relrowsecurity is "true"',
+    !_hasEnable(await _runMig("true")));
+  check("enabled-state respected: ENABLE skipped when relrowsecurity is the number 1",
+    !_hasEnable(await _runMig(1)));
+
   // ---- table not found → throws ----
   var xdb3 = _fakeXdb({ tableExists: false });
   var threw3 = null;

package/lib/vendor/blamejs/test/layer-0-primitives/local-db-thin.test.js

@@ -71,8 +71,36 @@ async function run() {
     check("localDb.thin: PRAGMA journal_mode=WAL",
       modeRow && String(modeRow.journal_mode).toLowerCase() === "wal");
 
+    // ---- #320: SQLITE_LIMIT_LENGTH parity (sqlLength cap) ----
+    // The thin path now opens with the same 1 MiB sqlLength cap as b.db / the
+    // CLI: a >1 MiB raw statement is rejected at parse time. The builder/run
+    // path parameterizes values, so this guards prepare()/exec() of raw SQL.
+    var hugeSql = "SELECT '" + "x".repeat(1024 * 1024 + 64) + "'";
+    threw = null;
+    try { handle.prepare(hugeSql); } catch (e) { threw = e; }
+    check("localDb.thin: raw statement over the 1 MiB sqlLength cap is rejected at parse",
+      threw !== null);
+    // A normal statement is unaffected.
+    check("localDb.thin: a small statement still prepares", !!handle.prepare("SELECT 2 AS v"));
+
     handle.close();
 
+    // bad limits shape throws at validation.
+    threw = null;
+    try {
+      b.localDb.thin({ file: path.join(tmpDir, "lim.db"),
+        schemaSql: "CREATE TABLE t(x)", audit: false, limits: "nope" });
+    } catch (e) { threw = e; }
+    check("localDb.thin: non-object limits throws", threw && threw.code === "localdb-thin/bad-limits");
+
+    // opts.limits raises the cap — a statement that the default rejects now
+    // prepares under a 2 MiB sqlLength.
+    var raised = b.localDb.thin({ file: path.join(tmpDir, "raised.db"),
+      schemaSql: "CREATE TABLE t(x)", audit: false, limits: { sqlLength: 2 * 1024 * 1024 } });
+    check("localDb.thin: opts.limits raises sqlLength (over-default statement prepares)",
+      !!raised.prepare(hugeSql));
+    raised.close();
+
     // After close, prepare/run/query must throw.
     threw = null;
     try { handle.run("SELECT 1"); } catch (e) { threw = e; }

package/lib/vendor/blamejs/test/layer-0-primitives/mcp.test.js

@@ -70,6 +70,31 @@ async function run() {
   }, { posture: "sanitize" });
   check("mcp.toolResult.sanitize: sanitize-mode redacts <script>",  s.content[0].text.indexOf("[REDACTED]") !== -1);
 
+  // sanitize mode must redact EVERY dangerous token, not just the leftmost.
+  // On `data:text/html,<script>...` a non-global .replace would strip the
+  // data: scheme and leave the executable <script> — sanitize returning
+  // runnable HTML. The result must carry no <script / <iframe / javascript:
+  // / vbscript: / data:text/html anywhere.
+  var dangerous = [
+    "data:text/html,<script>alert(1)</script>",
+    "javascript:alert(1) then <iframe src=x></iframe>",
+    "<embed src=x> and vbscript:msgbox(1)",
+  ];
+  var leakRe = /<script\b|<iframe\b|<object\b|<embed\b|javascript:|vbscript:|data:\s*text\/html/i;
+  for (var di = 0; di < dangerous.length; di++) {
+    var sanOut = b.mcp.toolResult.sanitize({
+      content: [{ type: "text", text: dangerous[di] }],
+    }, { posture: "sanitize" });
+    check("mcp.toolResult.sanitize: no dangerous token survives — " + dangerous[di].slice(0, 24),
+      !leakRe.test(sanOut.content[0].text));
+  }
+  // A benign non-HTML data: URL is NOT over-redacted.
+  var benign = b.mcp.toolResult.sanitize({
+    content: [{ type: "text", text: "logo data:image/png;base64,AAAA" }],
+  }, { posture: "sanitize" });
+  check("mcp.toolResult.sanitize: benign data:image/png left intact",
+    benign.content[0].text.indexOf("data:image/png") !== -1);
+
   var capScope = b.mcp.capability.create(["fs:read", "fs:write"]);
   check("mcp.capability: scopes captured",                          capScope.scopes.length === 2);
   check("mcp.capability: satisfiedBy succeeds with full grant",     capScope.satisfiedBy(["fs:read", "fs:write", "extra"]));

package/lib/vendor/blamejs/test/layer-0-primitives/numeric-bounds.test.js

@@ -126,8 +126,37 @@ function testConsumersAcceptLegitimate() {
   check("legitimate maxBytes / maxUrlLength inputs pass through every consumer", true);
 }
 
+function _ErrK(code, message) { this.code = code; this.message = message; }
+
+function testRequirePositiveFiniteInt() {
+  // The REQUIRED sibling of requirePositiveFiniteIntIfPresent: unlike the
+  // IfPresent form (which skips when undefined), the required form throws on
+  // a missing value — so a required numeric opt can't slip through absent.
+  check("requirePositiveFiniteInt accepts a valid value",
+    nb.requirePositiveFiniteInt(5, "x", _ErrK, "n/bad") === 5);
+  _expect("requirePositiveFiniteInt THROWS on undefined (required, not IfPresent)",
+    function () { nb.requirePositiveFiniteInt(undefined, "x", _ErrK, "n/bad"); }, "n/bad");
+  _expect("requirePositiveFiniteInt rejects Infinity",
+    function () { nb.requirePositiveFiniteInt(Infinity, "x", _ErrK, "n/bad"); }, "n/bad");
+  _expect("requirePositiveFiniteInt rejects 0 (not positive)",
+    function () { nb.requirePositiveFiniteInt(0, "x", _ErrK, "n/bad"); }, "n/bad");
+  // Optional { min, max } range — the bundler/mail-scan/safe-decompress shape.
+  check("requirePositiveFiniteInt accepts in-range",
+    nb.requirePositiveFiniteInt(50, "x", _ErrK, "n/bad", { min: 1, max: 100 }) === 50);
+  _expect("requirePositiveFiniteInt rejects above max",
+    function () { nb.requirePositiveFiniteInt(101, "x", _ErrK, "n/bad", { max: 100 }); }, "n/bad");
+  _expect("requirePositiveFiniteInt rejects below min",
+    function () { nb.requirePositiveFiniteInt(2, "x", _ErrK, "n/bad", { min: 5 }); }, "n/bad");
+  var msg = null;
+  try { nb.requirePositiveFiniteInt(70000, "port", _ErrK, "n/bad", { max: 65535 }); }
+  catch (e) { msg = e.message; }
+  check("range error names the bound + the offending shape",
+    /<= 65535/.test(msg || "") && /number 70000/.test(msg || ""));
+}
+
 async function run() {
   testHelperPredicate();
+  testRequirePositiveFiniteInt();
   testConsumersRejectInfinity();
   testConsumersAcceptLegitimate();
 }

package/lib/vendor/blamejs/test/layer-0-primitives/object-store-versioned-delete.test.js

@@ -0,0 +1,97 @@
+"use strict";
+/**
+ * object-store versioned-delete surface — the cross-backend contract for the
+ * S3 Object-Lock erasure workflow (#88), exercised WITHOUT a live S3. The
+ * full enforcement proof (a COMPLIANCE-retained version's delete is refused)
+ * lives in test/integration/object-store-worm-lock.test.js against MinIO;
+ * this layer-0 test pins the parts that hold on any host:
+ *
+ *   - sigv4 exposes listVersions + a versionId-aware delete;
+ *   - non-S3 backends (local) have NO version surface and REFUSE a versioned
+ *     delete loudly (VERSIONID_UNSUPPORTED) rather than silently dropping the
+ *     current object — a silent drop on an erasure path is the footgun;
+ *   - the facade feature-detects listVersions (null on backends without it).
+ */
+
+var helpers = require("../helpers");
+var check = helpers.check;
+var b = helpers.b;
+var os = require("../../lib/object-store");
+var nodeOs = require("os");
+var nodePath = require("path");
+var nodeFs = require("fs");
+
+function _sigv4() {
+  return os.buildBackend({
+    name: "t", protocol: "sigv4", endpoint: "https://s3.local", region: "us-east-1",
+    bucket: "b", accessKeyId: "AK", secretAccessKey: "SK", allowInternal: true,
+    forcePathStyle: true, classifications: ["operational"], residencyTag: "unrestricted",
+  });
+}
+function _local() {
+  return os.buildBackend({
+    name: "l", protocol: "local",
+    rootDir: nodePath.join(nodeOs.tmpdir(), "bjv-" + process.pid + "-" + Math.floor(Math.random() * 1e6)),
+    classifications: ["operational"], residencyTag: "unrestricted",
+  });
+}
+
+async function run() {
+  var sig = _sigv4();
+  check("sigv4 facade exposes listVersions()", typeof sig.listVersions === "function");
+  check("sigv4 raw deleteKey is versionId-aware (arity 2)", sig.raw.delete.length === 2);
+  check("sigv4 raw exposes listVersions()", typeof sig.raw.listVersions === "function");
+
+  var loc = _local();
+  check("local facade reports no listVersions (feature-detect → null)", loc.listVersions === null);
+
+  // http-put is the fifth backend (a bare PUT/DELETE target, no version
+  // surface) — it must refuse a versioned delete loudly too, not forward a
+  // dropped versionId to a plain DELETE (the gap Codex P2 caught on PR #319).
+  var httpPut = os.buildBackend({
+    name: "h", protocol: "http-put", baseUrl: "https://up.invalid/bucket",
+    classifications: ["operational"], residencyTag: "unrestricted",
+  });
+  check("http-put facade reports no listVersions (feature-detect → null)", httpPut.listVersions === null);
+  var hpThrew = null;
+  try { await httpPut.delete("some-key", { versionId: "v1" }); }
+  catch (e) { hpThrew = e; }
+  check("http-put versioned delete REFUSES loudly (VERSIONID_UNSUPPORTED)",
+    hpThrew && hpThrew.code === "VERSIONID_UNSUPPORTED");
+
+  // A versioned delete on a backend with no version surface must THROW, not
+  // silently unlink the single on-disk file and report a version erased.
+  var threw = null;
+  try { await loc.delete("some-key", { versionId: "v1" }); }
+  catch (e) { threw = e; }
+  check("local versioned delete REFUSES loudly (VERSIONID_UNSUPPORTED)",
+    threw && threw.code === "VERSIONID_UNSUPPORTED");
+
+  // An UNVERSIONED local delete still works normally (returns false for a
+  // missing key) — the guard only fires when versionId is actually passed.
+  var missing = await loc.delete("definitely-absent-" + process.pid);
+  check("local unversioned delete still works (false for a missing key)", missing === false);
+
+  // b.storage.listVersions — the routed public facade. Against a local
+  // backend (no version surface) it refuses loudly with VERSIONS_UNSUPPORTED,
+  // the same contract as the backend level, so an erasure workflow can never
+  // mistake a single-version backend for a fully-enumerated one.
+  var sdir = nodePath.join(nodeOs.tmpdir(), "bjv-storage-" + process.pid + "-" + Math.floor(Math.random() * 1e6));
+  nodeFs.mkdirSync(sdir, { recursive: true });
+  b.storage.init({ backend: "local", uploadDir: sdir });
+  var lvThrew = null;
+  try { await b.storage.listVersions("any/prefix/"); }
+  catch (e) { lvThrew = e; }
+  check("b.storage.listVersions refuses on a no-version backend (VERSIONS_UNSUPPORTED)",
+    lvThrew && lvThrew.code === "VERSIONS_UNSUPPORTED");
+  b.storage._resetForTest();
+}
+
+module.exports = { run: run };
+
+if (require.main === module) {
+  run().then(
+    function () { console.log("OK — " + helpers.getChecks() + " checks passed"); },
+    function (e) { console.error("FAIL:", e.stack || e); process.exit(1); }
+  );
+}

package/lib/vendor/blamejs/test/layer-0-primitives/safe-buffer-linear-scans.test.js

@@ -0,0 +1,94 @@
+"use strict";
+/**
+ * b.safeBuffer linear-scan helpers that replace O(n^2) regexes (ReDoS class).
+ *
+ * stripTrailingHspace and indexAfterOpenTag each replace a regex whose
+ * backtracking is quadratic in V8 on adversarial input:
+ *   - stripTrailingHspace: /[ \t]+$/        (greedy-then-$)
+ *   - indexAfterOpenTag:   /<tag[^>]*>/     (greedy-bracket-then->)
+ *
+ * Each test asserts (1) byte-for-byte output parity with the regex it
+ * replaces on every edge case, and (2) that a 400K-char adversarial input
+ * — which drives the regex to multiple seconds — completes near-instantly.
+ * The perf bound is deliberately loose (500ms) so it discriminates the
+ * O(n) fix from the O(n^2) regression (~8s) without flaking on a contended
+ * runner.
+ */
+
+var helpers = require("../helpers");
+var b     = helpers.b;
+var check = helpers.check;
+
+var TRAILING_HSPACE_RE = /[ \t]+$/;
+
+function _elapsedMs(fn) {
+  var s = process.hrtime.bigint();
+  fn();
+  return Number(process.hrtime.bigint() - s) / 1e6;
+}
+
+function run() {
+  var sb = b.safeBuffer;
+
+  // ---- stripTrailingHspace: byte-identical to /[ \t]+$/ replace ----
+  var cases = [
+    "hello   ", "a b\t\t", "hello \n", "hello \n   ", "", "   ", "\t\t\t",
+    "no-trailing", "trailing tab\t", "mixed \t \t ", " leading kept",
+    "internal  spaces  kept x", "unicode café  ", "line1\nline2  ",
+  ];
+  var allParity = true;
+  for (var i = 0; i < cases.length; i++) {
+    var got = sb.stripTrailingHspace(cases[i]);
+    var want = cases[i].replace(TRAILING_HSPACE_RE, "");
+    if (got !== want) { allParity = false; break; }
+  }
+  check("stripTrailingHspace: byte-identical to /[ \\t]+$/ on every edge case", allParity);
+  check("stripTrailingHspace: trailing \\n preserved (JS $ without /m)",
+    sb.stripTrailingHspace("hello \n") === "hello \n");
+  check("stripTrailingHspace: non-string passthrough", sb.stripTrailingHspace(42) === 42);
+
+  var bigWs = "content" + " ".repeat(400000);
+  var msStrip = _elapsedMs(function () { sb.stripTrailingHspace(bigWs); });
+  check("stripTrailingHspace: linear on 400K trailing spaces (< 500ms; regex was ~85s)", msStrip < 500);
+  check("stripTrailingHspace: 400K-space result correct", sb.stripTrailingHspace(bigWs) === "content");
+
+  // ---- indexAfterOpenTag: parity with /<body[^>]*>/i for real HTML ----
+  // Direct fully-qualified call (also satisfies the public-primitive
+  // coverage gate, which scans for the b.safeBuffer.* token form).
+  check("b.safeBuffer.indexAfterOpenTag: bare <body> → past the '>'",
+    b.safeBuffer.indexAfterOpenTag("<body>x", "body") === 6);
+
+  function oldIdx(html, tag) {
+    var m = html.match(new RegExp("<" + tag + "[^>]*>", "i"));
+    return m ? m.index + m[0].length : -1;
+  }
+  var htmls = [
+    "<!doctype html><html><head></head><body data-x=\"1\">CONTENT</body>",
+    "<body>bare", "<BODY id=a>x", "<html><body class=x>hi", "no body here",
+    "<body\nmultiline\nattrs>z",
+  ];
+  var idxParity = true;
+  for (var j = 0; j < htmls.length; j++) {
+    // For inputs without a degenerate <bodyfoo>, the helper agrees with the regex.
+    if (sb.indexAfterOpenTag(htmls[j], "body") !== oldIdx(htmls[j], "body")) { idxParity = false; break; }
+  }
+  check("indexAfterOpenTag: agrees with /<body[^>]*>/i on real HTML", idxParity);
+  check("indexAfterOpenTag: stricter than regex — <bodyfoo> is NOT a <body>",
+    sb.indexAfterOpenTag("<bodyfoo>hi", "body") === -1);
+  check("indexAfterOpenTag: absent tag → -1", sb.indexAfterOpenTag("<p>x</p>", "body") === -1);
+  check("indexAfterOpenTag: unterminated <body → -1", sb.indexAfterOpenTag("<body no close", "body") === -1);
+  check("indexAfterOpenTag: non-string → -1", sb.indexAfterOpenTag(42, "body") === -1);
+
+  var bigBody = "<body".repeat(80000); // 400K chars, 80K starts, no closing >
+  var msIdx = _elapsedMs(function () { sb.indexAfterOpenTag(bigBody, "body"); });
+  check("indexAfterOpenTag: linear on 80K <body starts (< 500ms; regex was ~8.6s)", msIdx < 500);
+  check("indexAfterOpenTag: degenerate input → -1 (no terminated tag)",
+    sb.indexAfterOpenTag(bigBody, "body") === -1);
+}
+
+module.exports = { run: run };
+
+if (require.main === module) {
+  try { run(); console.log("OK — " + helpers.getChecks() + " checks passed"); }
+  catch (e) { console.error("FAIL:", e.stack || e); process.exit(1); }
+}

package/lib/vendor/blamejs/test/layer-5-integration/bundler-output.test.js

@@ -143,6 +143,57 @@ function _esbuildBinaryMatchesPlatform() {
   catch (_e) { return false; }
 }
 
+// ---- esbuild binary supply-chain pin ----
+//
+// esbuild ships its native compiler as a per-platform binary fetched at
+// install time (@esbuild/<platform>-<arch>). The bundle test below runs that
+// binary; this pin verifies the binary on disk is the EXACT one we reviewed,
+// so a tampered / drifted binary is caught before it gets to bundle the
+// framework. The hashes were captured by diffing the published 0.28.0 -> 0.28.1
+// tarballs and sha256-ing the binaries (the dependency-review discipline: diff
+// + verify the binary, never rubber-stamp a version bump).
+//
+// The map is keyed by (version -> platform-arch). The repo intentionally ships
+// no committed lockfile (zero runtime deps), so a CI dep cache can hold an
+// esbuild patch other than the one in package.json; we only have hashes for the
+// versions we have actually reviewed. So: verify the binary hash when the
+// installed (version, platform) pair has a reviewed hash, and note loudly +
+// skip otherwise — never fail on a version we never diffed, and never claim a
+// match we can't make. On every esbuild bump, re-review the diff and add the
+// new version's hashes here.
+var ESBUILD_BINARY_SHA256 = {
+  "0.28.1": {
+    "linux-x64": "0c6588b092a2c291a72bab90659f3c9e0e25e0fe59c9ac12b4dae4d945e5548c",  // CI floor (ubuntu), authoritative
+    "win32-x64": "ec02ee9b14ab332416fedd10614dfb80eed5304d94f67745067c011934a8c3c3",  // maintainer host (win32)
+  },
+};
+
+function testEsbuildBinaryHashPinned() {
+  var ver = require("esbuild/package.json").version;
+  var platKey = process.platform + "-" + process.arch;
+  var verMap = ESBUILD_BINARY_SHA256[ver];
+  var pinned = verMap && verMap[platKey];
+  if (!pinned) {
+    // Either an esbuild patch we have not reviewed (no hash for this version),
+    // or a platform we did not capture (e.g. darwin-arm64). Note the gap loudly
+    // so it is visible, but do not fail — we can only verify what we reviewed.
+    check("esbuild binary pin: no reviewed hash for " + ver + " / " + platKey +
+          " — verification skipped (re-review + re-pin on bump)", true);
+    return;
+  }
+  if (!_esbuildBinaryMatchesPlatform()) {
+    check("esbuild binary pin: skipped — node_modules binary mismatched for " +
+          platKey + " (host vs container deps)", true);
+    return;
+  }
+  var binPkg = path.dirname(require.resolve("@esbuild/" + platKey + "/package.json"));
+  var binName = process.platform === "win32" ? "esbuild.exe" : path.join("bin", "esbuild");
+  var binPath = path.join(binPkg, binName);
+  var actual = nodeCrypto.createHash("sha256").update(fs.readFileSync(binPath)).digest("hex");
+  check("esbuild " + ver + " native binary on disk matches the reviewed SHA-256 pin (" + platKey + ")",
+    actual === pinned);
+}
+
 function testEsbuildBundlePreservesVendorData() {
   if (!_esbuildBinaryMatchesPlatform()) {
     check("esbuild bundle: skipped — node_modules esbuild binary mismatched for " +
@@ -427,6 +478,7 @@ function testSeaBundlePreservesVendorData() {
 
 async function run() {
   try {
+    testEsbuildBinaryHashPinned();
     testEsbuildBundlePreservesVendorData();
     testEsbuildMinifiedBundlePreservesVendorData();
     testBundleHasNoMissingModuleRuntimePath();

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@blamejs/blamejs-shop",
-  "version": "0.4.49",
+  "version": "0.4.50",
   "description": "Open-source framework built on blamejs. Vendored stack, zero npm runtime deps, PQC-first crypto, security-on by default.",
   "main": "lib/index.js",
   "scripts": {