@blamejs/blamejs-shop 0.4.53 → 0.4.55

package/lib/vendor/blamejs/lib/network-tls.js

@@ -23,6 +23,29 @@ var networkDns = lazyRequire(function () { return require("./network-dns"); });
 var httpClient = lazyRequire(function () { return require("./http-client"); });
 var asn1 = require("./asn1-der");
 
+// Audit + observability emit for an outbound TLS connection that runs with
+// peer-certificate validation DISABLED (an explicit operator opt-in —
+// rejectUnauthorized:false / allowInsecure — never a framework default).
+// Emitted at the point the disable is HONORED so the degraded posture is
+// observable (compliance evidence + incident response), parallel to the
+// tls.classical_downgrade audit. Drop-silent best-effort (§8 hot-path sink) —
+// an audit-sink failure must never break the TLS connect itself.
+function auditInsecureTls(meta) {
+  meta = meta || {};
+  try {
+    observability().safeEvent("tls.insecure_skip_verify", 1, {
+      host: meta.host || null, port: meta.port || null, source: meta.source || null,
+    });
+  } catch (_e) { /* drop-silent */ }
+  try {
+    audit().safeEmit({
+      action:  "tls.insecure_skip_verify",
+      outcome: "success",
+      metadata: { host: meta.host || null, port: meta.port || null, source: meta.source || null },
+    });
+  } catch (_e) { /* drop-silent — audit best-effort, never break TLS */ }
+}
+
 // STATE.tlsKeyShares is initialized to the default PQC group list at
 // module load — operator setKeyShares() overrides; resetKeyShares()
 // restores the default. Empty array means "fall back to Node's TLS
@@ -144,7 +167,7 @@ function addCa(pemOrPath, opts) {
     added.push(meta);
   }
   _emitAuditAdd(added, opts);
-  _emitObs("network.tls.ca.added", { count: added.length });
+  observability().safeEvent("network.tls.ca.added", 1, { count: added.length });
   return added;
 }
 
@@ -154,7 +177,7 @@ function addCaBundle(p, opts) {
 
 function useSystemTrust(enable) {
   STATE.systemTrust = enable !== false;
-  _emitObs("network.tls.system_trust.set", { enabled: STATE.systemTrust });
+  observability().safeEvent("network.tls.system_trust.set", 1, { enabled: STATE.systemTrust });
 }
 
 function isSystemTrustEnabled() { return !!STATE.systemTrust; }
@@ -216,7 +239,7 @@ function removeCa(fingerprint256, opts) {
   });
   if (removed.length === 0) return 0;
   if (!opts || opts.audit !== false) _emitAuditRemove(removed, "operator-remove");
-  _emitObs("network.tls.ca.removed", { count: removed.length, reason: "operator" });
+  observability().safeEvent("network.tls.ca.removed", 1, { count: removed.length, reason: "operator" });
   return removed.length;
 }
 
@@ -234,7 +257,7 @@ function removeCaByLabel(label, opts) {
   });
   if (removed.length === 0) return 0;
   if (!opts || opts.audit !== false) _emitAuditRemove(removed, "operator-remove-by-label");
-  _emitObs("network.tls.ca.removed", { count: removed.length, reason: "label" });
+  observability().safeEvent("network.tls.ca.removed", 1, { count: removed.length, reason: "label" });
   return removed.length;
 }
 
@@ -243,7 +266,7 @@ function clearAll(opts) {
   var removed = STATE.cas.map(function (e) { return Object.assign({ label: e.label }, e.meta); });
   STATE.cas = [];
   if (!opts || opts.audit !== false) _emitAuditRemove(removed, "operator-clear-all");
-  _emitObs("network.tls.ca.cleared", { count: removed.length });
+  observability().safeEvent("network.tls.ca.cleared", 1, { count: removed.length });
   return removed.length;
 }
 
@@ -260,7 +283,7 @@ function purgeExpired(opts) {
   });
   if (removed.length === 0) return 0;
   if (!opts || opts.audit !== false) _emitAuditRemove(removed, "expired");
-  _emitObs("network.tls.ca.purged_expired", { count: removed.length });
+  observability().safeEvent("network.tls.ca.purged_expired", 1, { count: removed.length });
   return removed.length;
 }
 
@@ -705,10 +728,6 @@ function _emitAuditAdd(metaList, opts) {
   }
 }
 
-function _emitObs(name, fields) {
-  try { observability().emit(name, fields || {}); } catch (_e) { /* obs best-effort */ }
-}
-
 function _resetForTest() {
   STATE.cas = [];
   STATE.systemTrust = false;
@@ -2725,6 +2744,7 @@ function connectWithEch(opts) {
       }
       if (opts.rejectUnauthorized === false) {
         connectOpts.rejectUnauthorized = false;
+        auditInsecureTls({ host: opts.host, port: port, source: "network.tls.connectWithEch" });
       }
       var echAttached = false;
       if (echConfigBuf && nodeSupportsEch) {
@@ -2735,7 +2755,7 @@ function connectWithEch(opts) {
         // gracefully with a one-shot warn so operators know they're
         // sending an outer-only ClientHello.
         try {
-          observability().emit("network.tls.ech.unsupported", {
+          observability().safeEvent("network.tls.ech.unsupported", 1, {
             host: opts.host, source: sourceLabel,
           });
         } catch (_e) { /* drop-silent */ }
@@ -2772,7 +2792,7 @@ function connectWithEch(opts) {
         settled = true;
         if (to) clearTimeout(to);
         try {
-          observability().emit("network.tls.ech.connected", {
+          observability().safeEvent("network.tls.ech.connected", 1, {
             host: opts.host, echAttached: echAttached, source: sourceLabel,
           });
         } catch (_e) { /* drop-silent */ }
@@ -2832,7 +2852,7 @@ function connectWithEch(opts) {
       // operator still gets a working TLS session. Emit obs so the
       // operator sees the degradation.
       try {
-        observability().emit("network.tls.ech.dns_failed", {
+        observability().safeEvent("network.tls.ech.dns_failed", 1, {
           host: opts.host, error: (e && e.message) || String(e),
         });
       } catch (_e) { /* drop-silent */ }
@@ -3174,6 +3194,7 @@ function wrapSNICallback(operatorCb) {
 }
 
 module.exports = {
+  auditInsecureTls:    auditInsecureTls,
   addCa:               addCa,
   addCaBundle:         addCaBundle,
   removeCa:            removeCa,

package/lib/vendor/blamejs/lib/network.js

@@ -151,7 +151,7 @@ var ntpFacade = {
       throw new NetworkError("ntp/bad-servers", "ntp.setServers: expected non-empty array");
     }
     ntpFacade._defaultServers = list.slice();
-    _emitObs("network.ntp.servers.set", { count: list.length });
+    observability().safeEvent("network.ntp.servers.set", 1, { count: list.length });
   },
   getServers:     function () {
     return (ntpFacade._defaultServers || ntpCheck.DEFAULT_SERVERS).slice();
@@ -262,7 +262,7 @@ function bootFromEnv(opts) {
       } catch (_e) { /* audit best-effort — never break boot */ }
     }
   }
-  _emitObs("network.boot.from_env", { source: "env" });
+  observability().safeEvent("network.boot.from_env", 1, { source: "env" });
   return applied;
 }
 
@@ -301,10 +301,6 @@ function snapshot() {
   };
 }
 
-function _emitObs(name, fields) {
-  try { observability().emit(name, fields || {}); } catch (_e) { /* obs best-effort */ }
-}
-
 function _resetForTest() {
   ntpFacade._defaultServers = null;
   ntpFacade._defaultTimeoutMs = null;

package/lib/vendor/blamejs/lib/notify.js

@@ -408,11 +408,6 @@ function create(opts) {
     channels[n] = registry;
   }
 
-  function _emitObs(name, labels) {
-    try { observability().event(name, 1, labels || {}); }
-    catch (_e) { /* drop-silent — observability sink must not crash send() */ }
-  }
-
   var _emitAudit = validateOpts.makeAuditEmitter(audit);
 
   function _actor(callerOpts) {
@@ -465,7 +460,7 @@ function create(opts) {
     // mechanism — no double-retry inside the breaker or transport).
     async function _oneAttempt(attemptIdx) {
       attemptCount = attemptIdx;
-      _emitObs("notify.send.attempt", { channel: channel, attempt: attemptIdx });
+      observability().safeEvent("notify.send.attempt", 1, { channel: channel, attempt: attemptIdx });
       var sendPromise = entry.transport.send(message, input.sendOpts || null);
       // withTimeout from b.safeAsync — never re-implement timer races.
       var timed = (perCallTimeoutMs > 0)
@@ -478,7 +473,7 @@ function create(opts) {
         // classifies it correctly (operators can still opt OUT by setting
         // err.permanent in their transport).
         if (e && e.code === "async/timeout") {
-          _emitObs("notify.send.timeout", { channel: channel });
+          observability().safeEvent("notify.send.timeout", 1, { channel: channel });
           var te = _err("TIMEOUT",
             "notify.send: '" + channel + "' transport timed out after " + perCallTimeoutMs + "ms");
           // Mark transient via a NETWORK-style code so b.retry.isRetryable
@@ -497,7 +492,7 @@ function create(opts) {
           return await entry.breaker.wrap(function () { return _oneAttempt(attemptIdx); });
         } catch (e) {
           if (e && e.code === "CIRCUIT_OPEN") {
-            _emitObs("notify.send.breaker.open", { channel: channel });
+            observability().safeEvent("notify.send.breaker.open", 1, { channel: channel });
           }
           throw e;
         }
@@ -524,7 +519,7 @@ function create(opts) {
         }, perCallRetry);
 
         var durationMs = clock() - startedAt;
-        _emitObs("notify.send.success", { channel: channel, durationMs: durationMs });
+        observability().safeEvent("notify.send.success", 1, { channel: channel, durationMs: durationMs });
         if (auditSuccess) {
           _emitAudit("notify.send.success", {
             actor:    _actor(input),
@@ -543,7 +538,7 @@ function create(opts) {
           durationMs: durationMs,
         });
       } catch (e) {
-        _emitObs("notify.send.failure", {
+        observability().safeEvent("notify.send.failure", 1, {
           channel: channel,
           reason:  (e && e.code) || "unknown",
         });
@@ -594,7 +589,7 @@ function create(opts) {
       if (results[i] && results[i].isNotifyError) failed++;
       else ok++;
     }
-    _emitObs("notify.batch", { size: inputs.length, ok: ok, failed: failed });
+    observability().safeEvent("notify.batch", 1, { size: inputs.length, ok: ok, failed: failed });
     return results;
   }
 
@@ -626,7 +621,7 @@ function create(opts) {
       } catch (_e) { /* operator may register their own handler */ }
     }
     var jobId = await q.enqueue(queueName, input);
-    _emitObs("notify.queue.enqueued", { channel: input.channel, queueName: queueName });
+    observability().safeEvent("notify.queue.enqueued", 1, { channel: input.channel, queueName: queueName });
     return { jobId: jobId };
   }
 

package/lib/vendor/blamejs/lib/seeders.js

@@ -438,11 +438,6 @@ function create(opts) {
   var audit = opts.audit || null;
   var clock = opts.clock || function () { return Date.now(); };
 
-  function _emitObs(name, labels) {
-    try { observability().event(name, 1, labels || {}); }
-    catch (_e) { /* drop-silent — observability sink must not crash seeders */ }
-  }
-
   var _emitAudit = validateOpts.makeAuditEmitter(audit);
 
   function _actor(callerOpts) {
@@ -512,7 +507,7 @@ function create(opts) {
     }
 
     var startedAt = clock();
-    _emitObs("seeders.run.start", { env: env, count: loaded.ordered.length });
+    observability().safeEvent("seeders.run.start", 1, { env: env, count: loaded.ordered.length });
 
     var holder = _acquireLock(db, lockStaleAfterMs, clock);
     try {
@@ -538,7 +533,7 @@ function create(opts) {
 
         if (!shouldRun) {
           skipped.push(name);
-          _emitObs("seeders.skipped", { env: env, name: name, reason: "already-applied" });
+          observability().safeEvent("seeders.skipped", 1, { env: env, name: name, reason: "already-applied" });
           continue;
         }
 
@@ -585,7 +580,7 @@ function create(opts) {
 
           var auditAction = (alreadyApplied && force) ? "seeders.force_applied" : "seeders.applied";
           var auditEvt = { env: env, name: name };
-          _emitObs(auditAction, auditEvt);
+          observability().safeEvent(auditAction, 1, auditEvt);
           if (auditApplied) {
             _emitAudit(auditAction, {
               actor:    _actor(callerOpts),
@@ -598,7 +593,7 @@ function create(opts) {
           failed = name;
           var msg = (e && e.message) || String(e);
           var code = (e && e.code) || "RUN_FAILED";
-          _emitObs("seeders.failed", { env: env, name: name });
+          observability().safeEvent("seeders.failed", 1, { env: env, name: name });
           if (auditFailures) {
             _emitAudit("seeders.failed", {
               actor:    _actor(callerOpts),
@@ -622,7 +617,7 @@ function create(opts) {
         failed:     failed,
         durationMs: clock() - startedAt,
       };
-      _emitObs("seeders.run.completed", {
+      observability().safeEvent("seeders.run.completed", 1, {
         env:        env,
         applied:    applied.length,
         skipped:    skipped.length,

package/lib/vendor/blamejs/lib/structured-fields.js

@@ -204,7 +204,43 @@ function unquoteSfString(s) {
   if (t.length === 0) return "";
   if (t.charAt(0) !== "\"") return t;
   if (t.length < 2 || t.charAt(t.length - 1) !== "\"") return null;
-  return t.slice(1, -1).replace(/\\"/g, "\"").replace(/\\\\/g, "\\");
+  return unescapeSfStringBody(t.slice(1, -1));
+}
+
+/**
+ * @primitive b.structuredFields.unescapeSfStringBody
+ * @signature b.structuredFields.unescapeSfStringBody(body)
+ * @since      0.15.12
+ * @related    b.structuredFields.unquoteSfString
+ *
+ * Undo the RFC 8941 §3.3.3 quoted-string backslash-escapes from the BODY of
+ * an sf-string (the bytes BETWEEN the surrounding double quotes). Only `\\\\`
+ * and `\\"` are legal escapes; every other backslash is literal.
+ *
+ * This is a single left-to-right scan, NOT two chained `.replace()` passes.
+ * The two-pass form (`.replace(/\\\\/g,"\\").replace(/\\"/g,'"')`, in either
+ * order) is not equivalent to a single decode: whichever pass runs first can
+ * rewrite a backslash the other escape sequence legitimately owns, so a lone
+ * escaped backslash (`\\\\`) decodes to two backslashes instead of one. The
+ * single pass consumes each escape exactly once. Non-string input passes
+ * through unchanged.
+ *
+ * @example
+ *   b.structuredFields.unescapeSfStringBody('a\\"b\\\\c');
+ *   // → 'a"b\c'
+ */
+function unescapeSfStringBody(body) {
+  if (typeof body !== "string") return body;
+  var out = "";
+  for (var i = 0; i < body.length; i++) {
+    var c = body.charAt(i);
+    if (c === "\\" && i + 1 < body.length) {
+      var n = body.charAt(i + 1);
+      if (n === "\\" || n === "\"") { out += n; i += 1; continue; }
+    }
+    out += c;
+  }
+  return out;
 }
 
 /**
@@ -674,6 +710,7 @@ module.exports = {
   refuseControlBytes:   refuseControlBytes,
   containsControlBytes: containsControlBytes,
   unquoteSfString:      unquoteSfString,
+  unescapeSfStringBody: unescapeSfStringBody,
   parse:                parse,
   serialize:            serialize,
   Token:                SfToken,

package/lib/vendor/blamejs/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@blamejs/core",
-  "version": "0.15.11",
+  "version": "0.15.12",
   "description": "The Node framework that owns its stack.",
   "license": "Apache-2.0",
   "author": "blamejs contributors",

package/lib/vendor/blamejs/release-notes/v0.15.12.json

@@ -0,0 +1,47 @@
+{
+  "$schema": "../scripts/release-notes-schema.json",
+  "version": "0.15.12",
+  "date": "2026-06-14",
+  "headline": "Hardens a set of defense-in-depth seams: a single-pass structured-field unescape, a constant-time content-digest member match, complete reserved-character stripping, a Trojan-Source escape on the boot logger, generic body-parse error responses, and an audit trail whenever outbound TLS certificate validation is disabled",
+  "summary": "A sweep of low-severity but real hardening items. RFC 8941 structured-field string values (HTTP Message Signatures, Client Hints, Cache-Control) were un-escaped with two chained replaces that mis-decoded an escaped backslash adjacent to another escape; they now use one left-to-right pass that decodes each escape exactly once. The HTTP Message Signature content-digest check dropped a dead identity-replace and now matches the sha3-512 member by an exact, top-level, constant-time comparison instead of an unanchored substring scan. b.guardFilename's reserved-character strip used a non-global regex that left every separator after the first; it now strips all of them. The boot logger's TTY branch wrote raw text, bypassing the Trojan-Source / control-character escape the main logger applies — it now escapes the bidi and C0/newline control classes on every sink. The body parser no longer echoes a caught exception's detail (an fs errno + temp path, or a parse hook's thrown message) to the HTTP client — the client gets a generic status phrase while the full detail stays on the audit chain. And any outbound TLS connection that runs with peer-certificate validation disabled (an explicit operator opt-in, never a default) now emits a tls.insecure_skip_verify audit + observability event so the degraded posture is visible for compliance and incident response.",
+  "sections": [
+    {
+      "heading": "Added",
+      "items": [
+        {
+          "title": "b.structuredFields.unescapeSfStringBody(body)",
+          "body": "A single-pass decode of the RFC 8941 §3.3.3 quoted-string backslash escapes (the bytes between the surrounding quotes). It replaces the chained two-`.replace()` form, which is not equivalent to one decode — whichever pass runs first can rewrite a backslash the other escape sequence owns, so a lone escaped backslash decoded to two. The HTTP Message Signature, Client Hints, and Cache-Control sf-string readers now route through it."
+        },
+        {
+          "title": "tls.insecure_skip_verify audit event",
+          "body": "b.network.tls.auditInsecureTls(meta) emits an audit + observability event at the point an outbound TLS connection honors rejectUnauthorized:false / allowInsecure. The connectWithEch, OTLP-gRPC log stream, syslog-TLS log stream, and SMTP transports all emit it when an operator disables certificate validation — parallel to the existing tls.classical_downgrade audit. No default changes; the framework never disables validation itself."
+        }
+      ]
+    },
+    {
+      "heading": "Security",
+      "items": [
+        {
+          "title": "Single-pass structured-field string unescape",
+          "body": "The RFC 8941 sf-string readers in HTTP Message Signatures (Signature-Input covered-component names), Client Hints, and Cache-Control directive values un-escaped with `.replace(/\\\\\\\\/g,\"\\\\\").replace(/\\\\\"/g,'\"')` — two sequential passes that mis-decode adjacent escapes (a lone escaped backslash became two). All four sites now use the single-pass b.structuredFields.unescapeSfStringBody. It is fail-closed (a mis-decoded covered-component name just fails the signature check, never bypasses it); the fix restores RFC-conformant interop with peers that legitimately escape these values."
+        },
+        {
+          "title": "Constant-time, member-anchored content-digest verification",
+          "body": "b.crypto.httpSig.verify's covered content-digest check dropped a dead no-op replace and now parses the Content-Digest header into its top-level members and matches the sha3-512 member EXACTLY, in constant time (b.crypto.timingSafeEqual), rather than scanning for the digest text as a substring anywhere in the header. The Content-Digest header is already bound by the signature, so the substring form was not reachably exploitable; the change removes the latent ambiguity and the timing channel."
+        },
+        {
+          "title": "Reserved-character filename strip removes every occurrence",
+          "body": "b.guardFilename's reservedCharPolicy:\"strip\" (the permissive profile) used a non-global regex, so only the FIRST reserved character — including path separators — was replaced and the rest leaked through. The strip is now global: every reserved character is removed. Not a traversal bypass (the unconditional security floor still throws on `..`, null bytes, NTFS ADS, UNC, overlong UTF-8), but the strip is now complete and consistent."
+        },
+        {
+          "title": "Boot logger escapes control + bidi characters on every sink",
+          "body": "The boot-time logger's TTY branch wrote the raw message, bypassing the Trojan-Source (bidi) and control-character escapes the main logger applies — a hostile message could forge extra log lines on a terminal (CWE-117) or re-order the visible line (CVE-2021-42574). Both boot branches now escape the bidi and C0/newline control classes, matching the create() path and the logger's advertised guarantee."
+        },
+        {
+          "title": "Body-parser error responses never echo internal detail",
+          "body": "The body-parser's terminal error path surfaced a caught exception's message verbatim to the HTTP client — a multipart filesystem error leaked the errno + temp path, and a parse hook's thrown error (which can carry secrets) was echoed back. The client now gets a curated message only for a framework-classified 4xx error and a generic status phrase otherwise; the parse-hook wrapper carries a fixed message, and full diagnostics stay on the audit chain server-side (CWE-209). The cluster leader-discovery endpoint's error body is generalized the same way."
+        }
+      ]
+    }
+  ]
+}

package/lib/vendor/blamejs/test/00-primitives.js

@@ -16647,6 +16647,21 @@ function testLogger() {
 
     check("log.boot: .prefix exposes the namespace", log.prefix === "[blamejs:testmod] ");
 
+    // v0.15.12 (#182) — the TTY branch must escape BOTH the bidi (re-ordering)
+    // and C0/newline (line-forging) control classes the create() path
+    // neutralizes (Trojan-Source CVE-2021-42574 / log-injection CWE-117). The
+    // old boot() TTY branch wrote the raw message.
+    captured.log.length = 0;
+    var RLO = String.fromCharCode(0x202e);
+    log.info("admin" + RLO + "gnp");
+    check("log.boot TTY escapes bidi controls (no raw RLO)",
+          captured.log[captured.log.length - 1].indexOf(RLO) === -1);
+    check("log.boot TTY escapes bidi to \\u202e",
+          captured.log[captured.log.length - 1].indexOf("\\u202e") !== -1);
+    log.info("line1\nFAKE level=error injected");
+    check("log.boot TTY does not forge lines via a raw newline",
+          captured.log[captured.log.length - 1].indexOf("\n") === -1);
+
     var threw = false;
     try { b.log.boot(""); } catch (_e) { threw = true; }
     check("log.boot: rejects empty name", threw);
@@ -16667,6 +16682,15 @@ function testLogger() {
     check("log.boot JSON marks boot:true",    parsed.boot === true);
     check("log.boot JSON carries level",      parsed.level === "info");
 
+    // v0.15.12 (#182) — JSON.stringify escapes C0/newlines but leaves bidi
+    // controls raw; the boot JSON branch must apply the same bidi escape the
+    // create() path does so a piped aggregator can't be re-ordered.
+    captured.log.length = 0;
+    var RLO2 = String.fromCharCode(0x202e);
+    jsonLog("owner" + RLO2 + "x");
+    check("log.boot JSON escapes bidi controls (no raw RLO)", captured.log[0].indexOf(RLO2) === -1);
+    check("log.boot JSON line still parses", (function () { try { JSON.parse(captured.log[0]); return true; } catch (_e) { return false; } })());
+
     jsonLog.warn("ouch");
     var parsedWarn = JSON.parse(captured.error[0]);
     check("log.boot non-TTY warn → stderr JSON", parsedWarn.level === "warn" && parsedWarn.message === "ouch");

package/lib/vendor/blamejs/test/layer-0-primitives/body-parser-error-redaction.test.js

@@ -0,0 +1,74 @@
+"use strict";
+/**
+ * body-parser error-response redaction (v0.15.12, #84 / CWE-209).
+ *
+ * A caught exception's detail must never be echoed to the HTTP client. The
+ * terminal catch surfaces a curated message only for a framework-classified
+ * 4xx BodyParserError; any other thrown error — and every 5xx — gets a generic
+ * status phrase, with full detail kept on the audit chain server-side. The
+ * parse-hook wrapper carries a fixed message so an operator hook's thrown
+ * secret can't ride the 4xx path to the client.
+ */
+
+var EventEmitter = require("events").EventEmitter;
+var helpers      = require("../helpers");
+var b            = helpers.b;
+var check        = helpers.check;
+var _bodyRes     = helpers._bodyRes;
+
+function _bodyReqStream(body, headers) {
+  var req = new EventEmitter();
+  req.method  = "POST";
+  req.url     = "/";
+  req.headers = Object.assign({ "content-length": String(Buffer.byteLength(body)) }, headers || {});
+  req.socket  = { remoteAddress: "127.0.0.1" };
+  req.destroy = function () { req._destroyed = true; };
+  // Deliver the body on next tick so the parser's data/end listeners are wired.
+  process.nextTick(function () {
+    req.emit("data", Buffer.from(body, "utf8"));
+    req.emit("end");
+  });
+  return req;
+}
+
+async function _run(opts, body, headers) {
+  var bp  = b.middleware.bodyParser(opts);
+  var req = _bodyReqStream(body, headers);
+  var res = _bodyRes();
+  var settled = false;
+  function fin() { settled = true; }
+  res.on("finish", fin);
+  bp(req, res, fin);
+  // Poll for the response to settle — never a fixed sleep (§6b).
+  await helpers.waitUntil(function () { return settled || res._endedStatus !== null; }, {
+    timeoutMs: 5000,
+    label: "body-parser error response settles",
+  });
+  return res;
+}
+
+async function run() {
+  // (1) parse-hook throws a detail-bearing error — not echoed to the client.
+  // Use a non-credential sentinel so the test itself carries no secret shape.
+  var SENTINEL = "do-not-echo-sentinel-9f8e7d6c";
+  var r1 = await _run(
+    { json: { parseHook: function () { throw new Error("internal detail " + SENTINEL + " host:5432"); } } },
+    "{}",
+    { "content-type": "application/json" }
+  );
+  var b1 = String(r1._captured || "");
+  check("#84 parse-hook internal detail is NOT echoed to the client",
+        b1.indexOf(SENTINEL) === -1 && b1.indexOf("host:5432") === -1);
+  check("#84 parse-hook client message is the curated fixed reason",
+        b1.length === 0 || b1.indexOf("parse hook") !== -1);
+
+  // (2) a genuinely malformed JSON body still returns a useful 400 grammar
+  // error (the fix must not over-redact client-input errors).
+  var r2 = await _run({ json: {} }, "{not json", { "content-type": "application/json" });
+  check("#84 malformed JSON still returns 400", r2._endedStatus === 400 || r2._endedStatus === null);
+  var b2 = String(r2._captured || "");
+  check("#84 malformed-JSON error is still surfaced (not blanket-redacted)",
+        b2.length === 0 || b2.indexOf("JSON") !== -1 || b2.indexOf("parse") !== -1 || b2.indexOf("Bad Request") !== -1);
+}
+
+module.exports = { run: run };

package/lib/vendor/blamejs/test/layer-0-primitives/codebase-patterns.test.js

@@ -5741,18 +5741,14 @@ async function testNoDuplicateCodeBlocks() {
       ],
       reason: "Same nested-shape cluster as above with notify removed. Same justification.",
     },
-    {
-      files: [
-        "lib/network-proxy.js:_emitObs",
-        "lib/network-tls.js:_emitObs",
-        "lib/network.js:_emitObs",
-      ],
-      reason: "Network listener teardown shape — `function reset() { state.X = null; state.Y = null; state.Z = []; ...}`. Each network primitive has a different reset surface; consolidating would force unrelated state into a base contract.",
-    },
     {
       files: ["lib/notify.js:<unknown>", "lib/seeders.js:<unknown>", "lib/webhook.js:<unknown>"],
       reason: "Same nested-shape cluster as middleware/db-role-for+notify+seeders+webhook (see above) with db-role-for removed.",
     },
+    {
+      files: ["lib/api-key.js:create", "lib/file-upload.js:create", "lib/seeders.js:create"],
+      reason: "Conventional create() entry prelude — a run of per-primitive `var X = cfg.X;` opts-to-cfg field unpacking followed by the standard `var audit = opts.audit || null; var clock = opts.clock || function () { return Date.now(); }; var _emitAudit = validateOpts.makeAuditEmitter(audit);` trio. The reusable part (the audit emitter) is already centralized in validateOpts.makeAuditEmitter; the remaining shared run is per-primitive opts unpacking (api-key: prefix/idBytes/secretBytes; file-upload: maxChunkBytes/maxStagingBytes/...; seeders: auditFailures/lockStaleAfterMs) that cannot become one primitive without forcing unrelated config surfaces into a single base contract.",
+    },
     {
       files: [
         "lib/object-store/azure-blob.js:_buildSasToken",
@@ -9140,6 +9136,20 @@ var KNOWN_ANTIPATTERNS = [
     allowlist: [],
     reason: "Extracted to observability.safeEvent — drop-silent semantics for hot-path event emission. Any module wrapping observability.event in try/catch should call observability.safeEvent instead.",
   },
+  {
+    id: "observability-emit-nonexistent-method",
+    scanScope: "lib",
+    primitive: "observability.safeEvent(name, value, labels) / observability.event(...) — there is no observability.emit",
+    // The observability module exposes event / safeEvent / tap / setTap — it
+    // has NO `emit`. A call to observability().emit(...) throws TypeError and,
+    // because every call site wraps the emit in a drop-silent try/catch, the
+    // metric silently never fires. The whole network-* family carried 11 such
+    // dead calls. Any reintroduction is a dead telemetry emit, never a working
+    // one — route through safeEvent(name, value, labels) instead.
+    regex: /observability\s*\(\s*\)\s*\.\s*emit\s*\(/,
+    allowlist: [],
+    reason: "observability has no emit() method; observability().emit(...) is a dead drop-silent call. Use observability.safeEvent(name, value, labels).",
+  },
   {
     id: "inline-hex-string-validator",
     primitive: "safeBuffer.isHex(s, expectedLength?) — returns boolean",

package/lib/vendor/blamejs/test/layer-0-primitives/guard-filename.test.js

@@ -239,6 +239,17 @@ function testGuardFilenameSanitize() {
   check("sanitize strips leading/trailing whitespace + trailing dot",
         clean === "weird name.txt");
 
+  // v0.15.12 (#78) — reservedCharPolicy:"strip" (set by the permissive profile)
+  // must strip EVERY reserved char, not just the first. The old non-global
+  // RESERVED_CHARS_RE left the 2nd/3rd path separators in place.
+  var multiSep = b.guardFilename.sanitize("a/b/c/d", { profile: "permissive" });
+  check("sanitize permissive strips ALL path separators (#78)",
+        multiSep.indexOf("/") === -1 && multiSep === "a_b_c_d");
+  var multiBack = b.guardFilename.sanitize("x\\y\\z", { profile: "permissive" });
+  check("sanitize permissive strips ALL backslashes (#78)", multiBack.indexOf("\\") === -1);
+  check("sanitize permissive leaves a clean name unchanged (#78)",
+        b.guardFilename.sanitize("clean.txt", { profile: "permissive" }) === "clean.txt");
+
   var threwTraversal = null;
   try { b.guardFilename.sanitize("../etc/passwd", { profile: "balanced" }); }
   catch (e) { threwTraversal = e; }

package/lib/vendor/blamejs/test/layer-0-primitives/http-message-signature.test.js

@@ -119,6 +119,38 @@ function testContentDigestTamper() {
         verified.reason === "content-digest-mismatch");
 }
 
+// v0.15.12 (#178) — the content-digest check was rewritten from an unanchored
+// substring `indexOf` (+ dead identity-replace) to a top-level-member parse
+// with a constant-time compare. The signature already binds the Content-Digest
+// header (covered component), so the substring case is not reachable via the
+// consumer path — this guards that the refactor still ACCEPTS a valid sha3-512
+// member (no over-tightening) while testContentDigestTamper guards the reject.
+function testContentDigestMemberAnchored() {
+  var keys = _genEd25519();
+  var msg = {
+    method:  "POST",
+    url:     "https://api.example.com/x",
+    headers: { host: "api.example.com" },
+    body:    "member-anchored-body",
+  };
+  var signed = b.crypto.httpSig.sign(msg, {
+    keyid:      "k1",
+    alg:        "ed25519",
+    privateKey: keys.privateKey,
+    covered:    ["@method", "content-digest"],
+  });
+  check("#178 a valid sha3-512 content-digest member parses + matches",
+        /^sha3-512=:/.test(signed.headers["Content-Digest"]));
+  var verifyMsg = Object.assign({}, msg, {
+    headers: Object.assign({}, msg.headers, signed.headers),
+  });
+  var verified = b.crypto.httpSig.verify(verifyMsg, {
+    keyResolver: function () { return keys.publicKey; },
+  });
+  check("#178 member-anchored content-digest verify still accepts the valid member",
+        verified.valid === true);
+}
+
 function testExpired() {
   var keys = _genEd25519();
   var msg = {
@@ -211,6 +243,7 @@ async function run() {
   testRoundTripEd25519();
   testRoundTripMlDsa65();
   testContentDigestTamper();
+  testContentDigestMemberAnchored();
   testExpired();
   testUnknownKeyid();
   testValidation();