@blamejs/blamejs-shop 0.4.56 → 0.4.57

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (397) hide show
  1. package/CHANGELOG.md +2 -0
  2. package/lib/asset-manifest.json +1 -1
  3. package/lib/vendor/MANIFEST.json +426 -366
  4. package/lib/vendor/blamejs/.github/codeql/codeql-config.yml +25 -0
  5. package/lib/vendor/blamejs/.github/workflows/actions-lint.yml +3 -3
  6. package/lib/vendor/blamejs/.github/workflows/cflite_batch.yml +1 -1
  7. package/lib/vendor/blamejs/.github/workflows/cflite_pr.yml +1 -1
  8. package/lib/vendor/blamejs/.github/workflows/ci.yml +13 -13
  9. package/lib/vendor/blamejs/.github/workflows/codeql.yml +8 -7
  10. package/lib/vendor/blamejs/.github/workflows/npm-publish.yml +2 -2
  11. package/lib/vendor/blamejs/.github/workflows/release-container.yml +4 -4
  12. package/lib/vendor/blamejs/.github/workflows/scorecard.yml +1 -1
  13. package/lib/vendor/blamejs/.github/workflows/sha-to-tag-verify.yml +1 -1
  14. package/lib/vendor/blamejs/CHANGELOG.md +2 -0
  15. package/lib/vendor/blamejs/api-snapshot.json +1381 -4
  16. package/lib/vendor/blamejs/eslint.config.mjs +1 -0
  17. package/lib/vendor/blamejs/examples/wiki/lib/source-comment-block-validator.js +4 -1
  18. package/lib/vendor/blamejs/examples/wiki/lib/symbol-index.js +5 -2
  19. package/lib/vendor/blamejs/examples/wiki/routes/pages.js +4 -1
  20. package/lib/vendor/blamejs/fuzz/guard-text.fuzz.js +20 -0
  21. package/lib/vendor/blamejs/index.js +2 -0
  22. package/lib/vendor/blamejs/lib/a2a-tasks.js +7 -23
  23. package/lib/vendor/blamejs/lib/acme.js +6 -5
  24. package/lib/vendor/blamejs/lib/agent-event-bus.js +5 -4
  25. package/lib/vendor/blamejs/lib/agent-idempotency.js +2 -5
  26. package/lib/vendor/blamejs/lib/agent-orchestrator.js +2 -5
  27. package/lib/vendor/blamejs/lib/agent-saga.js +3 -5
  28. package/lib/vendor/blamejs/lib/agent-tenant.js +2 -5
  29. package/lib/vendor/blamejs/lib/ai-adverse-decision.js +2 -15
  30. package/lib/vendor/blamejs/lib/ai-capability.js +1 -6
  31. package/lib/vendor/blamejs/lib/ai-dp.js +1 -5
  32. package/lib/vendor/blamejs/lib/ai-input.js +2 -2
  33. package/lib/vendor/blamejs/lib/ai-pref.js +3 -8
  34. package/lib/vendor/blamejs/lib/ai-quota.js +3 -14
  35. package/lib/vendor/blamejs/lib/api-key.js +37 -28
  36. package/lib/vendor/blamejs/lib/archive-adapters.js +2 -4
  37. package/lib/vendor/blamejs/lib/archive-entry-policy.js +32 -0
  38. package/lib/vendor/blamejs/lib/archive-read.js +5 -17
  39. package/lib/vendor/blamejs/lib/archive-tar-read.js +5 -16
  40. package/lib/vendor/blamejs/lib/archive.js +2 -10
  41. package/lib/vendor/blamejs/lib/arg-parser.js +7 -6
  42. package/lib/vendor/blamejs/lib/asyncapi-traits.js +2 -6
  43. package/lib/vendor/blamejs/lib/atomic-file.js +108 -31
  44. package/lib/vendor/blamejs/lib/audit-chain.js +133 -53
  45. package/lib/vendor/blamejs/lib/audit-daily-review.js +24 -14
  46. package/lib/vendor/blamejs/lib/audit-emit.js +82 -0
  47. package/lib/vendor/blamejs/lib/audit-sign.js +257 -0
  48. package/lib/vendor/blamejs/lib/audit.js +84 -0
  49. package/lib/vendor/blamejs/lib/auth/access-lock.js +5 -27
  50. package/lib/vendor/blamejs/lib/auth/dpop.js +23 -35
  51. package/lib/vendor/blamejs/lib/auth/fido-mds3.js +9 -15
  52. package/lib/vendor/blamejs/lib/auth/jwt-external.js +26 -8
  53. package/lib/vendor/blamejs/lib/auth/jwt.js +13 -15
  54. package/lib/vendor/blamejs/lib/auth/lockout.js +6 -25
  55. package/lib/vendor/blamejs/lib/auth/oauth.js +67 -45
  56. package/lib/vendor/blamejs/lib/auth/oid4vci.js +55 -32
  57. package/lib/vendor/blamejs/lib/auth/oid4vp.js +3 -2
  58. package/lib/vendor/blamejs/lib/auth/openid-federation.js +6 -6
  59. package/lib/vendor/blamejs/lib/auth/passkey.js +3 -3
  60. package/lib/vendor/blamejs/lib/auth/password.js +7 -1
  61. package/lib/vendor/blamejs/lib/auth/saml.js +37 -27
  62. package/lib/vendor/blamejs/lib/auth/sd-jwt-vc-holder.js +2 -14
  63. package/lib/vendor/blamejs/lib/auth/sd-jwt-vc-issuer.js +2 -14
  64. package/lib/vendor/blamejs/lib/auth/sd-jwt-vc.js +1 -1
  65. package/lib/vendor/blamejs/lib/auth/status-list.js +7 -7
  66. package/lib/vendor/blamejs/lib/auth/step-up.js +6 -12
  67. package/lib/vendor/blamejs/lib/auth-bot-challenge.js +6 -37
  68. package/lib/vendor/blamejs/lib/backup/bundle.js +11 -18
  69. package/lib/vendor/blamejs/lib/backup/index.js +14 -47
  70. package/lib/vendor/blamejs/lib/bounded-map.js +112 -1
  71. package/lib/vendor/blamejs/lib/breach-deadline.js +1 -11
  72. package/lib/vendor/blamejs/lib/cache.js +7 -18
  73. package/lib/vendor/blamejs/lib/cbor.js +2 -1
  74. package/lib/vendor/blamejs/lib/cdn-cache-control.js +8 -9
  75. package/lib/vendor/blamejs/lib/cert.js +3 -10
  76. package/lib/vendor/blamejs/lib/chain-writer.js +162 -47
  77. package/lib/vendor/blamejs/lib/cli.js +5 -1
  78. package/lib/vendor/blamejs/lib/client-hints.js +7 -9
  79. package/lib/vendor/blamejs/lib/cloud-events.js +40 -31
  80. package/lib/vendor/blamejs/lib/cluster-storage.js +2 -38
  81. package/lib/vendor/blamejs/lib/cms-codec.js +2 -1
  82. package/lib/vendor/blamejs/lib/codepoint-class.js +67 -1
  83. package/lib/vendor/blamejs/lib/compliance-ai-act-logging.js +1 -6
  84. package/lib/vendor/blamejs/lib/compliance-ai-act-transparency.js +2 -4
  85. package/lib/vendor/blamejs/lib/compliance-eaa.js +1 -11
  86. package/lib/vendor/blamejs/lib/compliance-sanctions-fetcher.js +21 -28
  87. package/lib/vendor/blamejs/lib/compliance-sanctions.js +2 -14
  88. package/lib/vendor/blamejs/lib/compliance.js +2 -9
  89. package/lib/vendor/blamejs/lib/config-drift.js +2 -12
  90. package/lib/vendor/blamejs/lib/content-digest.js +10 -8
  91. package/lib/vendor/blamejs/lib/cookies.js +5 -11
  92. package/lib/vendor/blamejs/lib/cose.js +19 -11
  93. package/lib/vendor/blamejs/lib/cra-report.js +1 -11
  94. package/lib/vendor/blamejs/lib/crypto-field.js +5 -10
  95. package/lib/vendor/blamejs/lib/crypto.js +120 -3
  96. package/lib/vendor/blamejs/lib/csp.js +235 -3
  97. package/lib/vendor/blamejs/lib/daemon.js +42 -41
  98. package/lib/vendor/blamejs/lib/data-act.js +19 -9
  99. package/lib/vendor/blamejs/lib/db-query.js +6 -40
  100. package/lib/vendor/blamejs/lib/db.js +34 -12
  101. package/lib/vendor/blamejs/lib/dbsc.js +5 -6
  102. package/lib/vendor/blamejs/lib/ddl-change-control.js +18 -14
  103. package/lib/vendor/blamejs/lib/deprecate.js +4 -5
  104. package/lib/vendor/blamejs/lib/did.js +6 -2
  105. package/lib/vendor/blamejs/lib/dsr.js +8 -12
  106. package/lib/vendor/blamejs/lib/external-db-migrate.js +21 -22
  107. package/lib/vendor/blamejs/lib/external-db.js +14 -26
  108. package/lib/vendor/blamejs/lib/fda-21cfr11.js +12 -8
  109. package/lib/vendor/blamejs/lib/fdx.js +22 -18
  110. package/lib/vendor/blamejs/lib/file-upload.js +80 -66
  111. package/lib/vendor/blamejs/lib/flag-evaluation-context.js +5 -8
  112. package/lib/vendor/blamejs/lib/framework-error.js +12 -0
  113. package/lib/vendor/blamejs/lib/framework-schema.js +19 -0
  114. package/lib/vendor/blamejs/lib/fsm.js +7 -12
  115. package/lib/vendor/blamejs/lib/gate-contract.js +869 -38
  116. package/lib/vendor/blamejs/lib/gdpr-ropa.js +4 -13
  117. package/lib/vendor/blamejs/lib/graphql-federation.js +1 -1
  118. package/lib/vendor/blamejs/lib/guard-agent-registry.js +2 -1
  119. package/lib/vendor/blamejs/lib/guard-all.js +1 -0
  120. package/lib/vendor/blamejs/lib/guard-archive.js +9 -30
  121. package/lib/vendor/blamejs/lib/guard-auth.js +23 -80
  122. package/lib/vendor/blamejs/lib/guard-cidr.js +20 -96
  123. package/lib/vendor/blamejs/lib/guard-csv.js +135 -196
  124. package/lib/vendor/blamejs/lib/guard-domain.js +23 -106
  125. package/lib/vendor/blamejs/lib/guard-dsn.js +16 -13
  126. package/lib/vendor/blamejs/lib/guard-email.js +46 -53
  127. package/lib/vendor/blamejs/lib/guard-envelope.js +1 -1
  128. package/lib/vendor/blamejs/lib/guard-event-bus-topic.js +2 -1
  129. package/lib/vendor/blamejs/lib/guard-filename.js +12 -60
  130. package/lib/vendor/blamejs/lib/guard-graphql.js +28 -75
  131. package/lib/vendor/blamejs/lib/guard-html-wcag.js +15 -2
  132. package/lib/vendor/blamejs/lib/guard-html.js +65 -117
  133. package/lib/vendor/blamejs/lib/guard-idempotency-key.js +2 -1
  134. package/lib/vendor/blamejs/lib/guard-image.js +280 -77
  135. package/lib/vendor/blamejs/lib/guard-imap-command.js +8 -9
  136. package/lib/vendor/blamejs/lib/guard-json.js +87 -103
  137. package/lib/vendor/blamejs/lib/guard-jsonpath.js +20 -88
  138. package/lib/vendor/blamejs/lib/guard-jwt.js +32 -114
  139. package/lib/vendor/blamejs/lib/guard-list-id.js +2 -7
  140. package/lib/vendor/blamejs/lib/guard-list-unsubscribe.js +2 -7
  141. package/lib/vendor/blamejs/lib/guard-mail-compose.js +5 -6
  142. package/lib/vendor/blamejs/lib/guard-mail-move.js +2 -1
  143. package/lib/vendor/blamejs/lib/guard-mail-query.js +5 -3
  144. package/lib/vendor/blamejs/lib/guard-mail-sieve.js +6 -7
  145. package/lib/vendor/blamejs/lib/guard-managesieve-command.js +5 -4
  146. package/lib/vendor/blamejs/lib/guard-markdown.js +76 -110
  147. package/lib/vendor/blamejs/lib/guard-message-id.js +5 -6
  148. package/lib/vendor/blamejs/lib/guard-mime.js +20 -99
  149. package/lib/vendor/blamejs/lib/guard-oauth.js +19 -73
  150. package/lib/vendor/blamejs/lib/guard-pdf.js +65 -72
  151. package/lib/vendor/blamejs/lib/guard-pop3-command.js +12 -13
  152. package/lib/vendor/blamejs/lib/guard-posture-chain.js +2 -1
  153. package/lib/vendor/blamejs/lib/guard-regex.js +24 -99
  154. package/lib/vendor/blamejs/lib/guard-saga-config.js +2 -1
  155. package/lib/vendor/blamejs/lib/guard-shell.js +22 -87
  156. package/lib/vendor/blamejs/lib/guard-smtp-command.js +8 -11
  157. package/lib/vendor/blamejs/lib/guard-sql.js +15 -13
  158. package/lib/vendor/blamejs/lib/guard-stream-args.js +2 -1
  159. package/lib/vendor/blamejs/lib/guard-svg.js +95 -140
  160. package/lib/vendor/blamejs/lib/guard-template.js +23 -80
  161. package/lib/vendor/blamejs/lib/guard-tenant-id.js +2 -1
  162. package/lib/vendor/blamejs/lib/guard-text.js +592 -0
  163. package/lib/vendor/blamejs/lib/guard-time.js +27 -95
  164. package/lib/vendor/blamejs/lib/guard-uuid.js +21 -93
  165. package/lib/vendor/blamejs/lib/guard-xml.js +76 -106
  166. package/lib/vendor/blamejs/lib/guard-yaml.js +24 -60
  167. package/lib/vendor/blamejs/lib/http-client-cache.js +5 -12
  168. package/lib/vendor/blamejs/lib/http-client-cookie-jar.js +2 -4
  169. package/lib/vendor/blamejs/lib/http-client.js +8 -21
  170. package/lib/vendor/blamejs/lib/http-message-signature.js +3 -2
  171. package/lib/vendor/blamejs/lib/i18n-messageformat.js +5 -7
  172. package/lib/vendor/blamejs/lib/i18n.js +83 -26
  173. package/lib/vendor/blamejs/lib/inbox.js +8 -8
  174. package/lib/vendor/blamejs/lib/incident-report.js +3 -21
  175. package/lib/vendor/blamejs/lib/ip-utils.js +49 -6
  176. package/lib/vendor/blamejs/lib/jobs.js +3 -2
  177. package/lib/vendor/blamejs/lib/keychain.js +6 -18
  178. package/lib/vendor/blamejs/lib/legal-hold.js +6 -15
  179. package/lib/vendor/blamejs/lib/log-stream-cloudwatch.js +44 -112
  180. package/lib/vendor/blamejs/lib/log-stream-otlp-grpc.js +17 -14
  181. package/lib/vendor/blamejs/lib/log-stream-otlp.js +16 -80
  182. package/lib/vendor/blamejs/lib/log-stream-webhook.js +20 -92
  183. package/lib/vendor/blamejs/lib/mail-arc-sign.js +8 -3
  184. package/lib/vendor/blamejs/lib/mail-arf.js +3 -2
  185. package/lib/vendor/blamejs/lib/mail-auth.js +40 -66
  186. package/lib/vendor/blamejs/lib/mail-bimi.js +19 -39
  187. package/lib/vendor/blamejs/lib/mail-crypto-pgp.js +3 -2
  188. package/lib/vendor/blamejs/lib/mail-dav.js +8 -35
  189. package/lib/vendor/blamejs/lib/mail-deploy.js +6 -9
  190. package/lib/vendor/blamejs/lib/mail-dkim.js +19 -38
  191. package/lib/vendor/blamejs/lib/mail-greylist.js +15 -26
  192. package/lib/vendor/blamejs/lib/mail-helo.js +2 -3
  193. package/lib/vendor/blamejs/lib/mail-journal.js +2 -1
  194. package/lib/vendor/blamejs/lib/mail-mdn.js +4 -3
  195. package/lib/vendor/blamejs/lib/mail-rbl.js +5 -8
  196. package/lib/vendor/blamejs/lib/mail-scan.js +2 -2
  197. package/lib/vendor/blamejs/lib/mail-send-deliver.js +33 -20
  198. package/lib/vendor/blamejs/lib/mail-server-imap.js +32 -87
  199. package/lib/vendor/blamejs/lib/mail-server-jmap.js +35 -51
  200. package/lib/vendor/blamejs/lib/mail-server-managesieve.js +29 -83
  201. package/lib/vendor/blamejs/lib/mail-server-mx.js +33 -74
  202. package/lib/vendor/blamejs/lib/mail-server-net.js +177 -0
  203. package/lib/vendor/blamejs/lib/mail-server-pop3.js +30 -83
  204. package/lib/vendor/blamejs/lib/mail-server-rate-limit.js +30 -6
  205. package/lib/vendor/blamejs/lib/mail-server-submission.js +34 -73
  206. package/lib/vendor/blamejs/lib/mail-server-tls.js +89 -0
  207. package/lib/vendor/blamejs/lib/mail-spam-score.js +7 -8
  208. package/lib/vendor/blamejs/lib/mail-store.js +3 -2
  209. package/lib/vendor/blamejs/lib/mail.js +6 -11
  210. package/lib/vendor/blamejs/lib/markup-escape.js +31 -0
  211. package/lib/vendor/blamejs/lib/markup-tokenizer.js +54 -0
  212. package/lib/vendor/blamejs/lib/mcp-tool-registry.js +26 -23
  213. package/lib/vendor/blamejs/lib/mcp.js +1 -1
  214. package/lib/vendor/blamejs/lib/mdoc.js +11 -12
  215. package/lib/vendor/blamejs/lib/metrics.js +32 -30
  216. package/lib/vendor/blamejs/lib/middleware/age-gate.js +3 -23
  217. package/lib/vendor/blamejs/lib/middleware/api-encrypt.js +11 -22
  218. package/lib/vendor/blamejs/lib/middleware/assetlinks.js +2 -7
  219. package/lib/vendor/blamejs/lib/middleware/bearer-auth.js +2 -1
  220. package/lib/vendor/blamejs/lib/middleware/body-parser.js +31 -48
  221. package/lib/vendor/blamejs/lib/middleware/bot-disclose.js +7 -10
  222. package/lib/vendor/blamejs/lib/middleware/bot-guard.js +2 -10
  223. package/lib/vendor/blamejs/lib/middleware/csrf-protect.js +13 -2
  224. package/lib/vendor/blamejs/lib/middleware/daily-byte-quota.js +6 -26
  225. package/lib/vendor/blamejs/lib/middleware/deny-response.js +19 -1
  226. package/lib/vendor/blamejs/lib/middleware/fetch-metadata.js +7 -0
  227. package/lib/vendor/blamejs/lib/middleware/idempotency-key.js +4 -20
  228. package/lib/vendor/blamejs/lib/middleware/rate-limit.js +20 -28
  229. package/lib/vendor/blamejs/lib/middleware/scim-server.js +3 -2
  230. package/lib/vendor/blamejs/lib/middleware/security-headers.js +9 -1
  231. package/lib/vendor/blamejs/lib/middleware/security-txt.js +2 -6
  232. package/lib/vendor/blamejs/lib/middleware/tus-upload.js +12 -27
  233. package/lib/vendor/blamejs/lib/middleware/web-app-manifest.js +2 -7
  234. package/lib/vendor/blamejs/lib/migrations.js +4 -13
  235. package/lib/vendor/blamejs/lib/mime-parse.js +34 -17
  236. package/lib/vendor/blamejs/lib/module-loader.js +44 -0
  237. package/lib/vendor/blamejs/lib/money.js +105 -0
  238. package/lib/vendor/blamejs/lib/mtls-ca.js +116 -36
  239. package/lib/vendor/blamejs/lib/network-byte-quota.js +4 -18
  240. package/lib/vendor/blamejs/lib/network-dane.js +8 -6
  241. package/lib/vendor/blamejs/lib/network-dns-resolver.js +97 -6
  242. package/lib/vendor/blamejs/lib/network-dnssec.js +16 -16
  243. package/lib/vendor/blamejs/lib/network-heartbeat.js +3 -2
  244. package/lib/vendor/blamejs/lib/network-smtp-policy.js +29 -41
  245. package/lib/vendor/blamejs/lib/network-tls.js +40 -42
  246. package/lib/vendor/blamejs/lib/nis2-report.js +1 -11
  247. package/lib/vendor/blamejs/lib/nonce-store.js +81 -3
  248. package/lib/vendor/blamejs/lib/numeric-bounds.js +22 -8
  249. package/lib/vendor/blamejs/lib/object-store/azure-blob-bucket-ops.js +2 -6
  250. package/lib/vendor/blamejs/lib/object-store/azure-blob.js +5 -45
  251. package/lib/vendor/blamejs/lib/object-store/gcs.js +8 -71
  252. package/lib/vendor/blamejs/lib/object-store/http-put.js +1 -5
  253. package/lib/vendor/blamejs/lib/object-store/http-request.js +128 -0
  254. package/lib/vendor/blamejs/lib/object-store/sigv4-bucket-ops.js +2 -1
  255. package/lib/vendor/blamejs/lib/object-store/sigv4.js +9 -77
  256. package/lib/vendor/blamejs/lib/observability-otlp-exporter.js +9 -25
  257. package/lib/vendor/blamejs/lib/observability.js +95 -0
  258. package/lib/vendor/blamejs/lib/openapi-paths-builder.js +7 -3
  259. package/lib/vendor/blamejs/lib/otel-export.js +7 -10
  260. package/lib/vendor/blamejs/lib/outbox.js +43 -37
  261. package/lib/vendor/blamejs/lib/pagination.js +11 -15
  262. package/lib/vendor/blamejs/lib/parsers/safe-env.js +5 -4
  263. package/lib/vendor/blamejs/lib/parsers/safe-ini.js +10 -4
  264. package/lib/vendor/blamejs/lib/parsers/safe-toml.js +11 -9
  265. package/lib/vendor/blamejs/lib/parsers/safe-xml.js +2 -2
  266. package/lib/vendor/blamejs/lib/parsers/safe-yaml.js +7 -6
  267. package/lib/vendor/blamejs/lib/pick.js +63 -5
  268. package/lib/vendor/blamejs/lib/pipl-cn.js +69 -59
  269. package/lib/vendor/blamejs/lib/privacy-pass.js +8 -6
  270. package/lib/vendor/blamejs/lib/problem-details.js +2 -5
  271. package/lib/vendor/blamejs/lib/pubsub.js +4 -8
  272. package/lib/vendor/blamejs/lib/redact.js +2 -1
  273. package/lib/vendor/blamejs/lib/render.js +4 -2
  274. package/lib/vendor/blamejs/lib/request-helpers.js +133 -6
  275. package/lib/vendor/blamejs/lib/restore.js +5 -22
  276. package/lib/vendor/blamejs/lib/retention.js +3 -5
  277. package/lib/vendor/blamejs/lib/safe-async.js +457 -0
  278. package/lib/vendor/blamejs/lib/safe-buffer.js +137 -6
  279. package/lib/vendor/blamejs/lib/safe-decompress.js +2 -1
  280. package/lib/vendor/blamejs/lib/safe-dns.js +2 -1
  281. package/lib/vendor/blamejs/lib/safe-ical.js +12 -26
  282. package/lib/vendor/blamejs/lib/safe-json.js +7 -8
  283. package/lib/vendor/blamejs/lib/safe-jsonpath.js +6 -5
  284. package/lib/vendor/blamejs/lib/safe-mime.js +25 -29
  285. package/lib/vendor/blamejs/lib/safe-redirect.js +2 -5
  286. package/lib/vendor/blamejs/lib/safe-schema.js +7 -6
  287. package/lib/vendor/blamejs/lib/safe-sql.js +126 -0
  288. package/lib/vendor/blamejs/lib/safe-vcard.js +12 -26
  289. package/lib/vendor/blamejs/lib/sandbox-worker.js +9 -2
  290. package/lib/vendor/blamejs/lib/sandbox.js +3 -2
  291. package/lib/vendor/blamejs/lib/scheduler.js +5 -12
  292. package/lib/vendor/blamejs/lib/sec-cyber.js +82 -37
  293. package/lib/vendor/blamejs/lib/seeders.js +4 -11
  294. package/lib/vendor/blamejs/lib/self-update.js +92 -69
  295. package/lib/vendor/blamejs/lib/session-device-binding.js +112 -66
  296. package/lib/vendor/blamejs/lib/session.js +194 -6
  297. package/lib/vendor/blamejs/lib/sql.js +225 -78
  298. package/lib/vendor/blamejs/lib/sse.js +6 -10
  299. package/lib/vendor/blamejs/lib/static.js +136 -98
  300. package/lib/vendor/blamejs/lib/storage.js +4 -2
  301. package/lib/vendor/blamejs/lib/structured-fields.js +275 -16
  302. package/lib/vendor/blamejs/lib/tenant-quota.js +2 -20
  303. package/lib/vendor/blamejs/lib/tsa.js +11 -15
  304. package/lib/vendor/blamejs/lib/validate-opts.js +154 -8
  305. package/lib/vendor/blamejs/lib/vault/seal-pem-file.js +30 -48
  306. package/lib/vendor/blamejs/lib/vault-aad.js +3 -2
  307. package/lib/vendor/blamejs/lib/vc.js +2 -7
  308. package/lib/vendor/blamejs/lib/vex.js +35 -13
  309. package/lib/vendor/blamejs/lib/web-push-vapid.js +23 -20
  310. package/lib/vendor/blamejs/lib/webhook-dispatcher.js +706 -0
  311. package/lib/vendor/blamejs/lib/webhook.js +43 -18
  312. package/lib/vendor/blamejs/lib/websocket-channels.js +9 -7
  313. package/lib/vendor/blamejs/lib/websocket.js +7 -3
  314. package/lib/vendor/blamejs/lib/worm.js +2 -3
  315. package/lib/vendor/blamejs/lib/ws-client.js +8 -10
  316. package/lib/vendor/blamejs/package.json +1 -1
  317. package/lib/vendor/blamejs/release-notes/v0.15.13.json +81 -0
  318. package/lib/vendor/blamejs/scripts/check-changelog-extract.js +1 -1
  319. package/lib/vendor/blamejs/test/00-primitives.js +136 -7
  320. package/lib/vendor/blamejs/test/10-state.js +9 -3
  321. package/lib/vendor/blamejs/test/30-chain.js +40 -0
  322. package/lib/vendor/blamejs/test/helpers/check.js +18 -0
  323. package/lib/vendor/blamejs/test/helpers/db.js +4 -0
  324. package/lib/vendor/blamejs/test/helpers/index.js +1 -0
  325. package/lib/vendor/blamejs/test/integration/audit-chain-external-db.test.js +2 -1
  326. package/lib/vendor/blamejs/test/integration/audit-stack-postgres.test.js +2 -1
  327. package/lib/vendor/blamejs/test/integration/data-layer-mysql.test.js +8 -1
  328. package/lib/vendor/blamejs/test/integration/data-layer-pg.test.js +1 -1
  329. package/lib/vendor/blamejs/test/integration/framework-schema-mysql.test.js +2 -1
  330. package/lib/vendor/blamejs/test/integration/webhook-dispatcher-pg.test.js +269 -0
  331. package/lib/vendor/blamejs/test/layer-0-primitives/atomic-file-fd-read.test.js +149 -0
  332. package/lib/vendor/blamejs/test/layer-0-primitives/audit-framework-namespaces.test.js +51 -0
  333. package/lib/vendor/blamejs/test/layer-0-primitives/audit-sign-anchor.test.js +88 -0
  334. package/lib/vendor/blamejs/test/layer-0-primitives/audit-use-store.test.js +55 -1
  335. package/lib/vendor/blamejs/test/layer-0-primitives/backup-object-store-adapter.test.js +2 -2
  336. package/lib/vendor/blamejs/test/layer-0-primitives/bot-guard.test.js +1 -1
  337. package/lib/vendor/blamejs/test/layer-0-primitives/bounded-map.test.js +129 -0
  338. package/lib/vendor/blamejs/test/layer-0-primitives/chain-writer-multichain.test.js +107 -0
  339. package/lib/vendor/blamejs/test/layer-0-primitives/cli-api-key.test.js +12 -0
  340. package/lib/vendor/blamejs/test/layer-0-primitives/codebase-patterns.test.js +2788 -3214
  341. package/lib/vendor/blamejs/test/layer-0-primitives/codepoint-class.test.js +78 -0
  342. package/lib/vendor/blamejs/test/layer-0-primitives/crypto-base64url.test.js +63 -0
  343. package/lib/vendor/blamejs/test/layer-0-primitives/crypto-hash-stream.test.js +2 -1
  344. package/lib/vendor/blamejs/test/layer-0-primitives/csp-builder.test.js +50 -0
  345. package/lib/vendor/blamejs/test/layer-0-primitives/csp-nonce.test.js +1 -1
  346. package/lib/vendor/blamejs/test/layer-0-primitives/daemon.test.js +2 -1
  347. package/lib/vendor/blamejs/test/layer-0-primitives/defineguard-resolve-opts.test.js +76 -0
  348. package/lib/vendor/blamejs/test/layer-0-primitives/flag.test.js +9 -0
  349. package/lib/vendor/blamejs/test/layer-0-primitives/gate-contract-content-gate.test.js +290 -0
  350. package/lib/vendor/blamejs/test/layer-0-primitives/guard-csv.test.js +84 -0
  351. package/lib/vendor/blamejs/test/layer-0-primitives/guard-email.test.js +78 -0
  352. package/lib/vendor/blamejs/test/layer-0-primitives/guard-filename.test.js +23 -0
  353. package/lib/vendor/blamejs/test/layer-0-primitives/guard-gate-disposition-coverage.test.js +93 -0
  354. package/lib/vendor/blamejs/test/layer-0-primitives/guard-html.test.js +60 -0
  355. package/lib/vendor/blamejs/test/layer-0-primitives/guard-image.test.js +184 -0
  356. package/lib/vendor/blamejs/test/layer-0-primitives/guard-imap-command.test.js +0 -0
  357. package/lib/vendor/blamejs/test/layer-0-primitives/guard-json.test.js +54 -0
  358. package/lib/vendor/blamejs/test/layer-0-primitives/guard-managesieve-command.test.js +10 -0
  359. package/lib/vendor/blamejs/test/layer-0-primitives/guard-markdown.test.js +45 -0
  360. package/lib/vendor/blamejs/test/layer-0-primitives/guard-pdf.test.js +101 -0
  361. package/lib/vendor/blamejs/test/layer-0-primitives/guard-pop3-command.test.js +18 -0
  362. package/lib/vendor/blamejs/test/layer-0-primitives/guard-svg.test.js +76 -0
  363. package/lib/vendor/blamejs/test/layer-0-primitives/guard-text.test.js +365 -0
  364. package/lib/vendor/blamejs/test/layer-0-primitives/guard-xml.test.js +35 -0
  365. package/lib/vendor/blamejs/test/layer-0-primitives/guard-yaml.test.js +36 -0
  366. package/lib/vendor/blamejs/test/layer-0-primitives/i18n.test.js +20 -0
  367. package/lib/vendor/blamejs/test/layer-0-primitives/inbox.test.js +15 -0
  368. package/lib/vendor/blamejs/test/layer-0-primitives/ip-utils.test.js +83 -0
  369. package/lib/vendor/blamejs/test/layer-0-primitives/mail-arf.test.js +10 -0
  370. package/lib/vendor/blamejs/test/layer-0-primitives/mail-auth.test.js +39 -0
  371. package/lib/vendor/blamejs/test/layer-0-primitives/mail-dkim.test.js +36 -0
  372. package/lib/vendor/blamejs/test/layer-0-primitives/mail-greylist.test.js +17 -0
  373. package/lib/vendor/blamejs/test/layer-0-primitives/mail-server-tls.test.js +39 -0
  374. package/lib/vendor/blamejs/test/layer-0-primitives/mail-store.test.js +17 -0
  375. package/lib/vendor/blamejs/test/layer-0-primitives/mime-parse.test.js +106 -0
  376. package/lib/vendor/blamejs/test/layer-0-primitives/money.test.js +17 -0
  377. package/lib/vendor/blamejs/test/layer-0-primitives/mtls-ca-revocation.test.js +98 -0
  378. package/lib/vendor/blamejs/test/layer-0-primitives/nonce-store-release.test.js +77 -0
  379. package/lib/vendor/blamejs/test/layer-0-primitives/observability.test.js +48 -0
  380. package/lib/vendor/blamejs/test/layer-0-primitives/rate-limit-memory-getorinsert.test.js +100 -0
  381. package/lib/vendor/blamejs/test/layer-0-primitives/request-helpers.test.js +88 -0
  382. package/lib/vendor/blamejs/test/layer-0-primitives/safe-async-loops.test.js +278 -0
  383. package/lib/vendor/blamejs/test/layer-0-primitives/safe-buffer-linear-scans.test.js +37 -0
  384. package/lib/vendor/blamejs/test/layer-0-primitives/safe-jsonpath.test.js +14 -0
  385. package/lib/vendor/blamejs/test/layer-0-primitives/sandbox.test.js +19 -0
  386. package/lib/vendor/blamejs/test/layer-0-primitives/security-headers.test.js +1 -1
  387. package/lib/vendor/blamejs/test/layer-0-primitives/self-update.test.js +2 -1
  388. package/lib/vendor/blamejs/test/layer-0-primitives/session-device-binding.test.js +18 -0
  389. package/lib/vendor/blamejs/test/layer-0-primitives/session-extensions.test.js +1 -1
  390. package/lib/vendor/blamejs/test/layer-0-primitives/session-valid-from.test.js +73 -0
  391. package/lib/vendor/blamejs/test/layer-0-primitives/sql.test.js +100 -0
  392. package/lib/vendor/blamejs/test/layer-0-primitives/structured-fields.test.js +80 -0
  393. package/lib/vendor/blamejs/test/layer-0-primitives/validate-opts-shape.test.js +235 -0
  394. package/lib/vendor/blamejs/test/layer-0-primitives/webhook-dispatcher.test.js +374 -0
  395. package/lib/vendor/blamejs/test/layer-0-primitives/webhook.test.js +75 -8
  396. package/lib/vendor/blamejs/test/layer-5-integration/guard-host-integration.test.js +3 -3
  397. package/package.json +1 -1
@@ -37,6 +37,7 @@
37
37
  var defineClass = require("./framework-error").defineClass;
38
38
  var lazyRequire = require("./lazy-require");
39
39
  var validateOpts = require("./validate-opts");
40
+ var boundedMap = require("./bounded-map");
40
41
 
41
42
  var audit = lazyRequire(function () { return require("./audit"); });
42
43
 
@@ -68,21 +69,11 @@ function create(opts) {
68
69
  var controller = opts.controller;
69
70
  var dpo = opts.dpo || null;
70
71
  var supervisoryAuthority = opts.supervisoryAuthority || null;
71
- var auditOn = opts.audit !== false;
72
72
  var now = typeof opts.now === "function" ? opts.now : function () { return Date.now(); };
73
73
 
74
74
  var activities = new Map();
75
75
 
76
- function _emitAudit(action, outcome, metadata) {
77
- if (!auditOn) return;
78
- try {
79
- audit().safeEmit({
80
- action: "gdpr.ropa." + action,
81
- outcome: outcome,
82
- metadata: metadata || {},
83
- });
84
- } catch (_e) { /* drop-silent */ }
85
- }
76
+ var _emitAudit = audit().namespaced("gdpr.ropa", opts.audit);
86
77
 
87
78
  function _validateActivity(activity, op) {
88
79
  if (!activity || typeof activity !== "object") {
@@ -108,10 +99,10 @@ function create(opts) {
108
99
 
109
100
  function register(activity) {
110
101
  _validateActivity(activity, "register");
111
- if (activities.has(activity.id)) {
102
+ boundedMap.requireAbsent(activities, activity.id, function () {
112
103
  throw new GdprRopaError("gdpr-ropa/duplicate-id",
113
104
  "gdpr.ropa.register: activity '" + activity.id + "' already registered");
114
- }
105
+ });
115
106
  var rec = Object.assign({}, activity, {
116
107
  registeredAt: now(),
117
108
  lastUpdatedAt: now(),
@@ -66,7 +66,7 @@ function queryProbesSdl(query) {
66
66
  function _readBearer(req) {
67
67
  var h = req.headers && req.headers.authorization;
68
68
  if (typeof h !== "string") return null;
69
- if (h.length > C.BYTES.kib(8)) return null;
69
+ if (safeBuffer.byteLengthOf(h) > C.BYTES.kib(8)) return null;
70
70
  var m = /^Bearer\s+([A-Za-z0-9._~+/=-]+)$/.exec(h.trim());
71
71
  return m ? m[1] : null;
72
72
  }
@@ -24,6 +24,7 @@
24
24
 
25
25
  var { defineClass } = require("./framework-error");
26
26
  var gateContract = require("./gate-contract");
27
+ var codepointClass = require("./codepoint-class");
27
28
 
28
29
  var GuardAgentRegistryError = defineClass("GuardAgentRegistryError", { alwaysPermanent: true });
29
30
 
@@ -120,7 +121,7 @@ function _checkName(name, profile) {
120
121
  throw new GuardAgentRegistryError("agent-registry/non-ascii",
121
122
  "guardAgentRegistry.validate: name contains non-ASCII codepoint at offset " + i);
122
123
  }
123
- if (c < 0x20 || c === 0x7F || c === 0x2F || c === 0x5C) { // C0 / DEL / slash / backslash
124
+ if (codepointClass.isForbiddenControlChar(c, { forbidTab: true }) || c === 0x2F || c === 0x5C) { // C0 / DEL / slash / backslash
124
125
  throw new GuardAgentRegistryError("agent-registry/bad-name-char",
125
126
  "guardAgentRegistry.validate: name contains forbidden char 0x" + c.toString(16));
126
127
  }
@@ -59,6 +59,7 @@ var GUARDS = [
59
59
  require("./guard-xml"),
60
60
  require("./guard-markdown"),
61
61
  require("./guard-email"),
62
+ require("./guard-text"),
62
63
  ];
63
64
 
64
65
  // STANDALONE_GUARDS — guard-* primitives that don't fit content-type
@@ -112,10 +112,7 @@ var MAGIC_SIGNATURES = Object.freeze([
112
112
 
113
113
  var PROFILES = Object.freeze({
114
114
  "strict": {
115
- bidiPolicy: "reject",
116
- controlPolicy: "reject",
117
- nullBytePolicy: "reject",
118
- zeroWidthPolicy: "reject",
115
+ ...gateContract.CHAR_THREATS_REJECT_ALL,
119
116
  traversalPolicy: "reject",
120
117
  absolutePathPolicy: "reject",
121
118
  symlinkPolicy: "reject",
@@ -179,26 +176,12 @@ var PROFILES = Object.freeze({
179
176
  },
180
177
  });
181
178
 
182
- var DEFAULTS = Object.freeze(Object.assign({}, PROFILES["strict"], {
183
- mode: "enforce",
184
- maxRuntimeMs: C.TIME.seconds(10),
185
- }));
186
-
187
- var COMPLIANCE_POSTURES = Object.freeze({
188
- "hipaa": Object.assign({}, PROFILES["strict"], {
189
- forensicSnippetBytes: C.BYTES.bytes(256),
190
- }),
191
- "pci-dss": Object.assign({}, PROFILES["strict"], {
192
- forensicSnippetBytes: C.BYTES.bytes(256),
193
- }),
194
- "gdpr": Object.assign({}, PROFILES["balanced"], {
195
- forensicSnippetBytes: C.BYTES.bytes(128),
196
- }),
197
- "soc2": Object.assign({}, PROFILES["strict"], {
198
- forensicSnippetBytes: C.BYTES.bytes(512),
199
- }),
179
+ var DEFAULTS = gateContract.strictDefaults(PROFILES, {
180
+ maxRuntimeMs: C.TIME.seconds(10),
200
181
  });
201
182
 
183
+ var COMPLIANCE_POSTURES = gateContract.compliancePostures(PROFILES, { base: 256 });
184
+
202
185
  // ---- Helpers ----
203
186
 
204
187
  function _resolveOpts(opts) {
@@ -698,7 +681,8 @@ function validateEntries(entries, opts) {
698
681
  snippet: "entries must be an array" }],
699
682
  };
700
683
  }
701
- return gateContract.aggregateIssues(_detectIssues(entries, opts));
684
+ // "raw" contract — entries is an array the detector type-checks itself.
685
+ return gateContract.runIssueValidator(entries, opts, _detectIssues, "raw");
702
686
  }
703
687
 
704
688
  /**
@@ -777,13 +761,8 @@ function gate(opts) {
777
761
  return { ok: true, action: "serve" };
778
762
  }
779
763
  var rv = validateEntries(entries, opts);
780
- if (rv.issues.length === 0) return { ok: true, action: "serve" };
781
- var hasCritical = rv.issues.some(function (i) {
782
- return i.severity === "critical" || i.severity === "high";
783
- });
784
- if (!hasCritical) return { ok: true, action: "audit-only", issues: rv.issues };
785
- // Archive content has no safe sanitization — refuse.
786
- return { ok: false, action: "refuse", issues: rv.issues };
764
+ // Archive content has no safe sanitization serve / audit-only / refuse.
765
+ return gateContract.severityDisposition(rv.issues);
787
766
  });
788
767
  }
789
768
 
@@ -44,7 +44,6 @@
44
44
  var lazyRequire = require("./lazy-require");
45
45
  var gateContract = require("./gate-contract");
46
46
  var C = require("./constants");
47
- var numericBounds = require("./numeric-bounds");
48
47
  var guardJwt = require("./guard-jwt");
49
48
  var guardOauth = require("./guard-oauth");
50
49
  var cookies = require("./cookies");
@@ -59,30 +58,21 @@ var _err = GuardAuthError.factory;
59
58
 
60
59
  var PROFILES = Object.freeze({
61
60
  "strict": {
62
- bidiPolicy: "reject",
63
- controlPolicy: "reject",
64
- nullBytePolicy: "reject",
65
- zeroWidthPolicy: "reject",
61
+ ...gateContract.CHAR_THREATS_REJECT_ALL,
66
62
  childProfile: "strict",
67
63
  requireAtLeastOne: true,
68
64
  maxBytes: C.BYTES.kib(64),
69
65
  maxRuntimeMs: C.TIME.seconds(2),
70
66
  },
71
67
  "balanced": {
72
- bidiPolicy: "reject",
73
- controlPolicy: "reject",
74
- nullBytePolicy: "reject",
75
- zeroWidthPolicy: "reject",
68
+ ...gateContract.CHAR_THREATS_REJECT_ALL,
76
69
  childProfile: "balanced",
77
70
  requireAtLeastOne: false,
78
71
  maxBytes: C.BYTES.kib(128),
79
72
  maxRuntimeMs: C.TIME.seconds(2),
80
73
  },
81
74
  "permissive": {
82
- bidiPolicy: "reject", // BIDI refused at every profile
83
- controlPolicy: "reject", // controls refused at every profile
84
- nullBytePolicy: "reject", // null refused at every profile
85
- zeroWidthPolicy: "reject", // zero-width refused at every profile
75
+ ...gateContract.CHAR_THREATS_REJECT_ALL,
86
76
  childProfile: "permissive",
87
77
  requireAtLeastOne: false,
88
78
  maxBytes: C.BYTES.kib(512),
@@ -90,35 +80,6 @@ var PROFILES = Object.freeze({
90
80
  },
91
81
  });
92
82
 
93
- var DEFAULTS = Object.freeze(Object.assign({}, PROFILES["strict"], {
94
- mode: "enforce",
95
- }));
96
-
97
- var COMPLIANCE_POSTURES = Object.freeze({
98
- "hipaa": Object.assign({}, PROFILES["strict"], {
99
- forensicSnippetBytes: C.BYTES.bytes(512),
100
- }),
101
- "pci-dss": Object.assign({}, PROFILES["strict"], {
102
- forensicSnippetBytes: C.BYTES.bytes(512),
103
- }),
104
- "gdpr": Object.assign({}, PROFILES["balanced"], {
105
- forensicSnippetBytes: C.BYTES.bytes(256),
106
- }),
107
- "soc2": Object.assign({}, PROFILES["strict"], {
108
- forensicSnippetBytes: C.BYTES.bytes(1024),
109
- }),
110
- });
111
-
112
- function _resolveOpts(opts) {
113
- return gateContract.resolveProfileAndPosture(opts, {
114
- profiles: PROFILES,
115
- compliancePostures: COMPLIANCE_POSTURES,
116
- defaults: DEFAULTS,
117
- errorClass: GuardAuthError,
118
- errCodePrefix: "auth",
119
- });
120
- }
121
-
122
83
  function _detectIssues(bundle, opts) {
123
84
  var issues = [];
124
85
  if (!bundle || typeof bundle !== "object") {
@@ -232,13 +193,9 @@ function _detectIssues(bundle, opts) {
232
193
  * rv.ok; // → false
233
194
  * rv.issues.some(function (i) { return i.source === "jwt"; }); // → true
234
195
  */
235
- function validate(input, opts) {
236
- opts = _resolveOpts(opts);
237
- numericBounds.requireAllPositiveFiniteIntIfPresent(opts,
238
- ["maxBytes"],
239
- "guardAuth.validate", GuardAuthError, "auth.bad-opt");
240
- return gateContract.aggregateIssues(_detectIssues(input, opts));
241
- }
196
+ // validate is assembled by gateContract.defineGuard from `detect`
197
+ // (_detectIssues), with the maxBytes cap declared via `intOpts`.
198
+ // The @primitive block above documents the resulting ABI.
242
199
 
243
200
  /**
244
201
  * @primitive b.guardAuth.sanitize
@@ -266,19 +223,15 @@ function validate(input, opts) {
266
223
  * }, { profile: "balanced" });
267
224
  * clean.cookieHeader; // → "sid=abc123"
268
225
  */
269
- function sanitize(input, opts) {
270
- opts = _resolveOpts(opts);
271
- if (!input || typeof input !== "object") {
272
- throw _err("auth.bad-input", "sanitize requires bundle object");
273
- }
274
- var issues = _detectIssues(input, opts);
275
- for (var i = 0; i < issues.length; i += 1) {
276
- if (issues[i].severity === "critical" || issues[i].severity === "high") {
277
- throw _err(issues[i].ruleId || "auth.refused",
278
- "guardAuth.sanitize [" + issues[i].source + "]: " +
279
- issues[i].snippet);
280
- }
281
- }
226
+ // _sanitizeTransform the normalize tail applied by defineGuard's generated
227
+ // sanitize AFTER resolve -> detect -> throwOnRefusalSeverity (default severities
228
+ // ['critical','high']). The auth-bundle is composed of values the framework
229
+ // cannot safely mutate (forging a JWT alg / rewriting an OAuth state parameter /
230
+ // dropping cookies would silently disarm an actual attack token), so the
231
+ // transform is identity — the bundle is returned unchanged when no high/critical
232
+ // issue refused upstream. A non-object input refuses upstream via the high-
233
+ // severity auth.bad-input issue _detectIssues raises.
234
+ function _sanitizeTransform(input) {
282
235
  return input;
283
236
  }
284
237
 
@@ -313,25 +266,15 @@ function sanitize(input, opts) {
313
266
  * verdict.action; // → "refuse"
314
267
  */
315
268
  function gate(opts) {
316
- opts = _resolveOpts(opts);
269
+ opts = _guard.resolveOpts(opts);
317
270
  return gateContract.buildGuardGate(
318
271
  opts.name || "guardAuth:" + (opts.profile || "default"),
319
272
  opts,
320
273
  async function (ctx) {
321
274
  var bundle = ctx && (ctx.authBundle || ctx.auth);
322
275
  if (!bundle) return { ok: true, action: "serve" };
323
- var rv = validate(bundle, opts);
324
- if (rv.issues.length === 0) return { ok: true, action: "serve" };
325
- var hasCritical = rv.issues.some(function (i) {
326
- return i.severity === "critical";
327
- });
328
- var hasHigh = rv.issues.some(function (i) {
329
- return i.severity === "high";
330
- });
331
- if (!hasCritical && !hasHigh) {
332
- return { ok: true, action: "audit-only", issues: rv.issues };
333
- }
334
- return { ok: false, action: "refuse", issues: rv.issues };
276
+ var rv = module.exports.validate(bundle, opts);
277
+ return gateContract.severityDisposition(rv.issues);
335
278
  });
336
279
  }
337
280
 
@@ -367,15 +310,15 @@ var INTEGRATION_FIXTURES = Object.freeze({
367
310
  // surface (validate / sanitize / bespoke gate) passed through verbatim.
368
311
  // The custom KIND ("auth-bundle") is accepted because the bespoke gate
369
312
  // reads its own ctx fields (ctx.authBundle / ctx.auth).
370
- module.exports = gateContract.defineGuard({
313
+ var _guard = module.exports = gateContract.defineGuard({
371
314
  name: "auth",
372
315
  kind: "auth-bundle",
373
316
  errorClass: GuardAuthError,
374
317
  profiles: PROFILES,
375
- defaults: DEFAULTS,
376
- postures: COMPLIANCE_POSTURES,
318
+ base: 512,
377
319
  integrationFixtures: INTEGRATION_FIXTURES,
378
- validate: validate,
379
- sanitize: sanitize,
320
+ detect: _detectIssues,
321
+ sanitizeTransform: _sanitizeTransform,
322
+ intOpts: ["maxBytes"],
380
323
  gate: gate,
381
324
  });
@@ -43,11 +43,9 @@
43
43
  * CIDR identifier-safety primitive (KIND="identifier").
44
44
  */
45
45
 
46
- var codepointClass = require("./codepoint-class");
47
46
  var lazyRequire = require("./lazy-require");
48
47
  var gateContract = require("./gate-contract");
49
48
  var C = require("./constants");
50
- var numericBounds = require("./numeric-bounds");
51
49
  var safeBuffer = require("./safe-buffer");
52
50
  var { GuardCidrError } = require("./framework-error");
53
51
 
@@ -102,10 +100,7 @@ var IPV6_RESERVED = Object.freeze([
102
100
 
103
101
  var PROFILES = Object.freeze({
104
102
  "strict": {
105
- bidiPolicy: "reject",
106
- controlPolicy: "reject",
107
- nullBytePolicy: "reject",
108
- zeroWidthPolicy: "reject",
103
+ ...gateContract.CHAR_THREATS_REJECT_ALL,
109
104
  networkAlignmentPolicy: "reject",
110
105
  reservedRangesPolicy: "reject",
111
106
  ipv4MappedIpv6Policy: "reject",
@@ -115,10 +110,7 @@ var PROFILES = Object.freeze({
115
110
  maxRuntimeMs: C.TIME.seconds(2),
116
111
  },
117
112
  "balanced": {
118
- bidiPolicy: "reject",
119
- controlPolicy: "reject",
120
- nullBytePolicy: "reject",
121
- zeroWidthPolicy: "reject",
113
+ ...gateContract.CHAR_THREATS_REJECT_ALL,
122
114
  networkAlignmentPolicy: "audit",
123
115
  reservedRangesPolicy: "audit",
124
116
  ipv4MappedIpv6Policy: "audit",
@@ -128,10 +120,7 @@ var PROFILES = Object.freeze({
128
120
  maxRuntimeMs: C.TIME.seconds(2),
129
121
  },
130
122
  "permissive": {
131
- bidiPolicy: "reject", // BIDI refused at every profile
132
- controlPolicy: "reject", // controls refused at every profile
133
- nullBytePolicy: "reject", // null refused at every profile
134
- zeroWidthPolicy: "reject", // zero-width refused at every profile
123
+ ...gateContract.CHAR_THREATS_REJECT_ALL,
135
124
  networkAlignmentPolicy: "audit",
136
125
  reservedRangesPolicy: "allow",
137
126
  ipv4MappedIpv6Policy: "allow",
@@ -142,35 +131,6 @@ var PROFILES = Object.freeze({
142
131
  },
143
132
  });
144
133
 
145
- var DEFAULTS = Object.freeze(Object.assign({}, PROFILES["strict"], {
146
- mode: "enforce",
147
- }));
148
-
149
- var COMPLIANCE_POSTURES = Object.freeze({
150
- "hipaa": Object.assign({}, PROFILES["strict"], {
151
- forensicSnippetBytes: C.BYTES.bytes(128),
152
- }),
153
- "pci-dss": Object.assign({}, PROFILES["strict"], {
154
- forensicSnippetBytes: C.BYTES.bytes(128),
155
- }),
156
- "gdpr": Object.assign({}, PROFILES["balanced"], {
157
- forensicSnippetBytes: C.BYTES.bytes(64),
158
- }),
159
- "soc2": Object.assign({}, PROFILES["strict"], {
160
- forensicSnippetBytes: C.BYTES.bytes(256),
161
- }),
162
- });
163
-
164
- function _resolveOpts(opts) {
165
- return gateContract.resolveProfileAndPosture(opts, {
166
- profiles: PROFILES,
167
- compliancePostures: COMPLIANCE_POSTURES,
168
- defaults: DEFAULTS,
169
- errorClass: GuardCidrError,
170
- errCodePrefix: "cidr",
171
- });
172
- }
173
-
174
134
  // ---- Parsers ----
175
135
 
176
136
  function _parseIpv4(s) {
@@ -284,25 +244,9 @@ function _ipv6InReservedRange(groups, prefix) {
284
244
  // ---- Detection ----
285
245
 
286
246
  function _detectIssues(input, opts) {
287
- var issues = [];
288
- if (typeof input !== "string") {
289
- return [{ kind: "bad-input", severity: "high",
290
- ruleId: "cidr.bad-input",
291
- snippet: "cidr is not a string" }];
292
- }
293
- if (input.length === 0) {
294
- return [{ kind: "empty", severity: "high",
295
- ruleId: "cidr.empty",
296
- snippet: "cidr is empty" }];
297
- }
298
- if (Buffer.byteLength(input, "utf8") > opts.maxBytes) {
299
- return [{ kind: "cidr-cap", severity: "high",
300
- ruleId: "cidr.cidr-cap",
301
- snippet: "cidr input exceeds maxBytes " + opts.maxBytes }];
302
- }
303
-
304
- var charThreats = codepointClass.detectCharThreats(input, opts, "cidr");
305
- for (var ci = 0; ci < charThreats.length; ci += 1) issues.push(charThreats[ci]);
247
+ var pre = gateContract.detectStringInput(input, opts, { name: "cidr", cap: { bytes: opts.maxBytes } });
248
+ if (pre.done) return pre.issues;
249
+ var issues = pre.issues;
306
250
 
307
251
  // Split address from mask.
308
252
  var slashAt = input.indexOf("/");
@@ -464,21 +408,10 @@ function _detectIssues(input, opts) {
464
408
  * var clean = b.guardCidr.validate("8.8.8.0/24", { profile: "strict" });
465
409
  * clean.ok; // → true
466
410
  */
467
- function validate(input, opts) {
468
- opts = _resolveOpts(opts);
469
- numericBounds.requireAllPositiveFiniteIntIfPresent(opts,
470
- ["maxBytes"],
471
- "guardCidr.validate", GuardCidrError, "cidr.bad-opt");
472
- if (typeof input !== "string") {
473
- return {
474
- ok: false,
475
- issues: [{ kind: "bad-input", severity: "high",
476
- ruleId: "cidr.bad-input",
477
- snippet: "cidr is not a string" }],
478
- };
479
- }
480
- return gateContract.aggregateIssues(_detectIssues(input, opts));
481
- }
411
+ // validate is assembled by gateContract.defineGuard from `detect`
412
+ // (_detectIssues) below — `validate(input, opts) = aggregateIssues(detect(
413
+ // input, resolveOpts(opts)))`, with the maxBytes cap declared via `intOpts`.
414
+ // The @primitive block above documents the resulting public ABI.
482
415
 
483
416
  /**
484
417
  * @primitive b.guardCidr.sanitize
@@ -505,13 +438,10 @@ function validate(input, opts) {
505
438
  * var v4 = b.guardCidr.sanitize("8.8.8.0/24", { profile: "strict" });
506
439
  * v4; // → "8.8.8.0/24"
507
440
  */
508
- function sanitize(input, opts) {
509
- opts = _resolveOpts(opts);
510
- if (typeof input !== "string") {
511
- throw _err("cidr.bad-input", "sanitize requires string input");
512
- }
513
- var issues = _detectIssues(input, opts);
514
- gateContract.throwOnRefusalSeverity(issues, { errorClass: GuardCidrError, codePrefix: "cidr" });
441
+ // _sanitizeTransform the guard-specific normalize applied by defineGuard's
442
+ // generated sanitize AFTER resolve → detect → throw-on-refusal. Input is an
443
+ // already-validated string at this point (a non-string refuses upstream).
444
+ function _sanitizeTransform(input) {
515
445
  // Normalize: lowercase IPv6 groups + canonical mask form.
516
446
  var slashAt = input.indexOf("/");
517
447
  var addr = slashAt === -1 ? input : input.slice(0, slashAt);
@@ -525,14 +455,8 @@ function sanitize(input, opts) {
525
455
  // single-sourced @abiTemplate (defineGuard) blocks in gate-contract.js,
526
456
  // instantiated per guard by the page generator.
527
457
 
528
- var INTEGRATION_FIXTURES = Object.freeze({
529
- kind: "identifier",
530
- benignBytes: Buffer.from("8.8.8.0/24", "utf8"),
531
- hostileBytes: Buffer.from("10.0.0.0/8", "utf8"),
532
- benignIdentifier: "8.8.8.0/24",
533
- // Hostile: RFC 1918 private range — refused at strict.
534
- hostileIdentifier: "10.0.0.0/8",
535
- });
458
+ // Hostile: RFC 1918 private range — refused at strict.
459
+ var INTEGRATION_FIXTURES = gateContract.identifierFixtures("8.8.8.0/24", "10.0.0.0/8");
536
460
 
537
461
  // Assembled from the gate-contract guard factory: error class, registry
538
462
  // exports (NAME / KIND / INTEGRATION_FIXTURES), buildProfile /
@@ -546,10 +470,10 @@ module.exports = gateContract.defineGuard({
546
470
  kind: "identifier",
547
471
  errorClass: GuardCidrError,
548
472
  profiles: PROFILES,
549
- defaults: DEFAULTS,
550
- postures: COMPLIANCE_POSTURES,
473
+ base: 128,
551
474
  integrationFixtures: INTEGRATION_FIXTURES,
552
- validate: validate,
553
- sanitize: sanitize,
475
+ detect: _detectIssues,
476
+ sanitizeTransform: _sanitizeTransform,
477
+ intOpts: ["maxBytes"],
554
478
  ctxFields: ["identifier", "cidr"],
555
479
  });