@blamejs/blamejs-shop 0.4.56 → 0.4.57

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (397) hide show
  1. package/CHANGELOG.md +2 -0
  2. package/lib/asset-manifest.json +1 -1
  3. package/lib/vendor/MANIFEST.json +426 -366
  4. package/lib/vendor/blamejs/.github/codeql/codeql-config.yml +25 -0
  5. package/lib/vendor/blamejs/.github/workflows/actions-lint.yml +3 -3
  6. package/lib/vendor/blamejs/.github/workflows/cflite_batch.yml +1 -1
  7. package/lib/vendor/blamejs/.github/workflows/cflite_pr.yml +1 -1
  8. package/lib/vendor/blamejs/.github/workflows/ci.yml +13 -13
  9. package/lib/vendor/blamejs/.github/workflows/codeql.yml +8 -7
  10. package/lib/vendor/blamejs/.github/workflows/npm-publish.yml +2 -2
  11. package/lib/vendor/blamejs/.github/workflows/release-container.yml +4 -4
  12. package/lib/vendor/blamejs/.github/workflows/scorecard.yml +1 -1
  13. package/lib/vendor/blamejs/.github/workflows/sha-to-tag-verify.yml +1 -1
  14. package/lib/vendor/blamejs/CHANGELOG.md +2 -0
  15. package/lib/vendor/blamejs/api-snapshot.json +1381 -4
  16. package/lib/vendor/blamejs/eslint.config.mjs +1 -0
  17. package/lib/vendor/blamejs/examples/wiki/lib/source-comment-block-validator.js +4 -1
  18. package/lib/vendor/blamejs/examples/wiki/lib/symbol-index.js +5 -2
  19. package/lib/vendor/blamejs/examples/wiki/routes/pages.js +4 -1
  20. package/lib/vendor/blamejs/fuzz/guard-text.fuzz.js +20 -0
  21. package/lib/vendor/blamejs/index.js +2 -0
  22. package/lib/vendor/blamejs/lib/a2a-tasks.js +7 -23
  23. package/lib/vendor/blamejs/lib/acme.js +6 -5
  24. package/lib/vendor/blamejs/lib/agent-event-bus.js +5 -4
  25. package/lib/vendor/blamejs/lib/agent-idempotency.js +2 -5
  26. package/lib/vendor/blamejs/lib/agent-orchestrator.js +2 -5
  27. package/lib/vendor/blamejs/lib/agent-saga.js +3 -5
  28. package/lib/vendor/blamejs/lib/agent-tenant.js +2 -5
  29. package/lib/vendor/blamejs/lib/ai-adverse-decision.js +2 -15
  30. package/lib/vendor/blamejs/lib/ai-capability.js +1 -6
  31. package/lib/vendor/blamejs/lib/ai-dp.js +1 -5
  32. package/lib/vendor/blamejs/lib/ai-input.js +2 -2
  33. package/lib/vendor/blamejs/lib/ai-pref.js +3 -8
  34. package/lib/vendor/blamejs/lib/ai-quota.js +3 -14
  35. package/lib/vendor/blamejs/lib/api-key.js +37 -28
  36. package/lib/vendor/blamejs/lib/archive-adapters.js +2 -4
  37. package/lib/vendor/blamejs/lib/archive-entry-policy.js +32 -0
  38. package/lib/vendor/blamejs/lib/archive-read.js +5 -17
  39. package/lib/vendor/blamejs/lib/archive-tar-read.js +5 -16
  40. package/lib/vendor/blamejs/lib/archive.js +2 -10
  41. package/lib/vendor/blamejs/lib/arg-parser.js +7 -6
  42. package/lib/vendor/blamejs/lib/asyncapi-traits.js +2 -6
  43. package/lib/vendor/blamejs/lib/atomic-file.js +108 -31
  44. package/lib/vendor/blamejs/lib/audit-chain.js +133 -53
  45. package/lib/vendor/blamejs/lib/audit-daily-review.js +24 -14
  46. package/lib/vendor/blamejs/lib/audit-emit.js +82 -0
  47. package/lib/vendor/blamejs/lib/audit-sign.js +257 -0
  48. package/lib/vendor/blamejs/lib/audit.js +84 -0
  49. package/lib/vendor/blamejs/lib/auth/access-lock.js +5 -27
  50. package/lib/vendor/blamejs/lib/auth/dpop.js +23 -35
  51. package/lib/vendor/blamejs/lib/auth/fido-mds3.js +9 -15
  52. package/lib/vendor/blamejs/lib/auth/jwt-external.js +26 -8
  53. package/lib/vendor/blamejs/lib/auth/jwt.js +13 -15
  54. package/lib/vendor/blamejs/lib/auth/lockout.js +6 -25
  55. package/lib/vendor/blamejs/lib/auth/oauth.js +67 -45
  56. package/lib/vendor/blamejs/lib/auth/oid4vci.js +55 -32
  57. package/lib/vendor/blamejs/lib/auth/oid4vp.js +3 -2
  58. package/lib/vendor/blamejs/lib/auth/openid-federation.js +6 -6
  59. package/lib/vendor/blamejs/lib/auth/passkey.js +3 -3
  60. package/lib/vendor/blamejs/lib/auth/password.js +7 -1
  61. package/lib/vendor/blamejs/lib/auth/saml.js +37 -27
  62. package/lib/vendor/blamejs/lib/auth/sd-jwt-vc-holder.js +2 -14
  63. package/lib/vendor/blamejs/lib/auth/sd-jwt-vc-issuer.js +2 -14
  64. package/lib/vendor/blamejs/lib/auth/sd-jwt-vc.js +1 -1
  65. package/lib/vendor/blamejs/lib/auth/status-list.js +7 -7
  66. package/lib/vendor/blamejs/lib/auth/step-up.js +6 -12
  67. package/lib/vendor/blamejs/lib/auth-bot-challenge.js +6 -37
  68. package/lib/vendor/blamejs/lib/backup/bundle.js +11 -18
  69. package/lib/vendor/blamejs/lib/backup/index.js +14 -47
  70. package/lib/vendor/blamejs/lib/bounded-map.js +112 -1
  71. package/lib/vendor/blamejs/lib/breach-deadline.js +1 -11
  72. package/lib/vendor/blamejs/lib/cache.js +7 -18
  73. package/lib/vendor/blamejs/lib/cbor.js +2 -1
  74. package/lib/vendor/blamejs/lib/cdn-cache-control.js +8 -9
  75. package/lib/vendor/blamejs/lib/cert.js +3 -10
  76. package/lib/vendor/blamejs/lib/chain-writer.js +162 -47
  77. package/lib/vendor/blamejs/lib/cli.js +5 -1
  78. package/lib/vendor/blamejs/lib/client-hints.js +7 -9
  79. package/lib/vendor/blamejs/lib/cloud-events.js +40 -31
  80. package/lib/vendor/blamejs/lib/cluster-storage.js +2 -38
  81. package/lib/vendor/blamejs/lib/cms-codec.js +2 -1
  82. package/lib/vendor/blamejs/lib/codepoint-class.js +67 -1
  83. package/lib/vendor/blamejs/lib/compliance-ai-act-logging.js +1 -6
  84. package/lib/vendor/blamejs/lib/compliance-ai-act-transparency.js +2 -4
  85. package/lib/vendor/blamejs/lib/compliance-eaa.js +1 -11
  86. package/lib/vendor/blamejs/lib/compliance-sanctions-fetcher.js +21 -28
  87. package/lib/vendor/blamejs/lib/compliance-sanctions.js +2 -14
  88. package/lib/vendor/blamejs/lib/compliance.js +2 -9
  89. package/lib/vendor/blamejs/lib/config-drift.js +2 -12
  90. package/lib/vendor/blamejs/lib/content-digest.js +10 -8
  91. package/lib/vendor/blamejs/lib/cookies.js +5 -11
  92. package/lib/vendor/blamejs/lib/cose.js +19 -11
  93. package/lib/vendor/blamejs/lib/cra-report.js +1 -11
  94. package/lib/vendor/blamejs/lib/crypto-field.js +5 -10
  95. package/lib/vendor/blamejs/lib/crypto.js +120 -3
  96. package/lib/vendor/blamejs/lib/csp.js +235 -3
  97. package/lib/vendor/blamejs/lib/daemon.js +42 -41
  98. package/lib/vendor/blamejs/lib/data-act.js +19 -9
  99. package/lib/vendor/blamejs/lib/db-query.js +6 -40
  100. package/lib/vendor/blamejs/lib/db.js +34 -12
  101. package/lib/vendor/blamejs/lib/dbsc.js +5 -6
  102. package/lib/vendor/blamejs/lib/ddl-change-control.js +18 -14
  103. package/lib/vendor/blamejs/lib/deprecate.js +4 -5
  104. package/lib/vendor/blamejs/lib/did.js +6 -2
  105. package/lib/vendor/blamejs/lib/dsr.js +8 -12
  106. package/lib/vendor/blamejs/lib/external-db-migrate.js +21 -22
  107. package/lib/vendor/blamejs/lib/external-db.js +14 -26
  108. package/lib/vendor/blamejs/lib/fda-21cfr11.js +12 -8
  109. package/lib/vendor/blamejs/lib/fdx.js +22 -18
  110. package/lib/vendor/blamejs/lib/file-upload.js +80 -66
  111. package/lib/vendor/blamejs/lib/flag-evaluation-context.js +5 -8
  112. package/lib/vendor/blamejs/lib/framework-error.js +12 -0
  113. package/lib/vendor/blamejs/lib/framework-schema.js +19 -0
  114. package/lib/vendor/blamejs/lib/fsm.js +7 -12
  115. package/lib/vendor/blamejs/lib/gate-contract.js +869 -38
  116. package/lib/vendor/blamejs/lib/gdpr-ropa.js +4 -13
  117. package/lib/vendor/blamejs/lib/graphql-federation.js +1 -1
  118. package/lib/vendor/blamejs/lib/guard-agent-registry.js +2 -1
  119. package/lib/vendor/blamejs/lib/guard-all.js +1 -0
  120. package/lib/vendor/blamejs/lib/guard-archive.js +9 -30
  121. package/lib/vendor/blamejs/lib/guard-auth.js +23 -80
  122. package/lib/vendor/blamejs/lib/guard-cidr.js +20 -96
  123. package/lib/vendor/blamejs/lib/guard-csv.js +135 -196
  124. package/lib/vendor/blamejs/lib/guard-domain.js +23 -106
  125. package/lib/vendor/blamejs/lib/guard-dsn.js +16 -13
  126. package/lib/vendor/blamejs/lib/guard-email.js +46 -53
  127. package/lib/vendor/blamejs/lib/guard-envelope.js +1 -1
  128. package/lib/vendor/blamejs/lib/guard-event-bus-topic.js +2 -1
  129. package/lib/vendor/blamejs/lib/guard-filename.js +12 -60
  130. package/lib/vendor/blamejs/lib/guard-graphql.js +28 -75
  131. package/lib/vendor/blamejs/lib/guard-html-wcag.js +15 -2
  132. package/lib/vendor/blamejs/lib/guard-html.js +65 -117
  133. package/lib/vendor/blamejs/lib/guard-idempotency-key.js +2 -1
  134. package/lib/vendor/blamejs/lib/guard-image.js +280 -77
  135. package/lib/vendor/blamejs/lib/guard-imap-command.js +8 -9
  136. package/lib/vendor/blamejs/lib/guard-json.js +87 -103
  137. package/lib/vendor/blamejs/lib/guard-jsonpath.js +20 -88
  138. package/lib/vendor/blamejs/lib/guard-jwt.js +32 -114
  139. package/lib/vendor/blamejs/lib/guard-list-id.js +2 -7
  140. package/lib/vendor/blamejs/lib/guard-list-unsubscribe.js +2 -7
  141. package/lib/vendor/blamejs/lib/guard-mail-compose.js +5 -6
  142. package/lib/vendor/blamejs/lib/guard-mail-move.js +2 -1
  143. package/lib/vendor/blamejs/lib/guard-mail-query.js +5 -3
  144. package/lib/vendor/blamejs/lib/guard-mail-sieve.js +6 -7
  145. package/lib/vendor/blamejs/lib/guard-managesieve-command.js +5 -4
  146. package/lib/vendor/blamejs/lib/guard-markdown.js +76 -110
  147. package/lib/vendor/blamejs/lib/guard-message-id.js +5 -6
  148. package/lib/vendor/blamejs/lib/guard-mime.js +20 -99
  149. package/lib/vendor/blamejs/lib/guard-oauth.js +19 -73
  150. package/lib/vendor/blamejs/lib/guard-pdf.js +65 -72
  151. package/lib/vendor/blamejs/lib/guard-pop3-command.js +12 -13
  152. package/lib/vendor/blamejs/lib/guard-posture-chain.js +2 -1
  153. package/lib/vendor/blamejs/lib/guard-regex.js +24 -99
  154. package/lib/vendor/blamejs/lib/guard-saga-config.js +2 -1
  155. package/lib/vendor/blamejs/lib/guard-shell.js +22 -87
  156. package/lib/vendor/blamejs/lib/guard-smtp-command.js +8 -11
  157. package/lib/vendor/blamejs/lib/guard-sql.js +15 -13
  158. package/lib/vendor/blamejs/lib/guard-stream-args.js +2 -1
  159. package/lib/vendor/blamejs/lib/guard-svg.js +95 -140
  160. package/lib/vendor/blamejs/lib/guard-template.js +23 -80
  161. package/lib/vendor/blamejs/lib/guard-tenant-id.js +2 -1
  162. package/lib/vendor/blamejs/lib/guard-text.js +592 -0
  163. package/lib/vendor/blamejs/lib/guard-time.js +27 -95
  164. package/lib/vendor/blamejs/lib/guard-uuid.js +21 -93
  165. package/lib/vendor/blamejs/lib/guard-xml.js +76 -106
  166. package/lib/vendor/blamejs/lib/guard-yaml.js +24 -60
  167. package/lib/vendor/blamejs/lib/http-client-cache.js +5 -12
  168. package/lib/vendor/blamejs/lib/http-client-cookie-jar.js +2 -4
  169. package/lib/vendor/blamejs/lib/http-client.js +8 -21
  170. package/lib/vendor/blamejs/lib/http-message-signature.js +3 -2
  171. package/lib/vendor/blamejs/lib/i18n-messageformat.js +5 -7
  172. package/lib/vendor/blamejs/lib/i18n.js +83 -26
  173. package/lib/vendor/blamejs/lib/inbox.js +8 -8
  174. package/lib/vendor/blamejs/lib/incident-report.js +3 -21
  175. package/lib/vendor/blamejs/lib/ip-utils.js +49 -6
  176. package/lib/vendor/blamejs/lib/jobs.js +3 -2
  177. package/lib/vendor/blamejs/lib/keychain.js +6 -18
  178. package/lib/vendor/blamejs/lib/legal-hold.js +6 -15
  179. package/lib/vendor/blamejs/lib/log-stream-cloudwatch.js +44 -112
  180. package/lib/vendor/blamejs/lib/log-stream-otlp-grpc.js +17 -14
  181. package/lib/vendor/blamejs/lib/log-stream-otlp.js +16 -80
  182. package/lib/vendor/blamejs/lib/log-stream-webhook.js +20 -92
  183. package/lib/vendor/blamejs/lib/mail-arc-sign.js +8 -3
  184. package/lib/vendor/blamejs/lib/mail-arf.js +3 -2
  185. package/lib/vendor/blamejs/lib/mail-auth.js +40 -66
  186. package/lib/vendor/blamejs/lib/mail-bimi.js +19 -39
  187. package/lib/vendor/blamejs/lib/mail-crypto-pgp.js +3 -2
  188. package/lib/vendor/blamejs/lib/mail-dav.js +8 -35
  189. package/lib/vendor/blamejs/lib/mail-deploy.js +6 -9
  190. package/lib/vendor/blamejs/lib/mail-dkim.js +19 -38
  191. package/lib/vendor/blamejs/lib/mail-greylist.js +15 -26
  192. package/lib/vendor/blamejs/lib/mail-helo.js +2 -3
  193. package/lib/vendor/blamejs/lib/mail-journal.js +2 -1
  194. package/lib/vendor/blamejs/lib/mail-mdn.js +4 -3
  195. package/lib/vendor/blamejs/lib/mail-rbl.js +5 -8
  196. package/lib/vendor/blamejs/lib/mail-scan.js +2 -2
  197. package/lib/vendor/blamejs/lib/mail-send-deliver.js +33 -20
  198. package/lib/vendor/blamejs/lib/mail-server-imap.js +32 -87
  199. package/lib/vendor/blamejs/lib/mail-server-jmap.js +35 -51
  200. package/lib/vendor/blamejs/lib/mail-server-managesieve.js +29 -83
  201. package/lib/vendor/blamejs/lib/mail-server-mx.js +33 -74
  202. package/lib/vendor/blamejs/lib/mail-server-net.js +177 -0
  203. package/lib/vendor/blamejs/lib/mail-server-pop3.js +30 -83
  204. package/lib/vendor/blamejs/lib/mail-server-rate-limit.js +30 -6
  205. package/lib/vendor/blamejs/lib/mail-server-submission.js +34 -73
  206. package/lib/vendor/blamejs/lib/mail-server-tls.js +89 -0
  207. package/lib/vendor/blamejs/lib/mail-spam-score.js +7 -8
  208. package/lib/vendor/blamejs/lib/mail-store.js +3 -2
  209. package/lib/vendor/blamejs/lib/mail.js +6 -11
  210. package/lib/vendor/blamejs/lib/markup-escape.js +31 -0
  211. package/lib/vendor/blamejs/lib/markup-tokenizer.js +54 -0
  212. package/lib/vendor/blamejs/lib/mcp-tool-registry.js +26 -23
  213. package/lib/vendor/blamejs/lib/mcp.js +1 -1
  214. package/lib/vendor/blamejs/lib/mdoc.js +11 -12
  215. package/lib/vendor/blamejs/lib/metrics.js +32 -30
  216. package/lib/vendor/blamejs/lib/middleware/age-gate.js +3 -23
  217. package/lib/vendor/blamejs/lib/middleware/api-encrypt.js +11 -22
  218. package/lib/vendor/blamejs/lib/middleware/assetlinks.js +2 -7
  219. package/lib/vendor/blamejs/lib/middleware/bearer-auth.js +2 -1
  220. package/lib/vendor/blamejs/lib/middleware/body-parser.js +31 -48
  221. package/lib/vendor/blamejs/lib/middleware/bot-disclose.js +7 -10
  222. package/lib/vendor/blamejs/lib/middleware/bot-guard.js +2 -10
  223. package/lib/vendor/blamejs/lib/middleware/csrf-protect.js +13 -2
  224. package/lib/vendor/blamejs/lib/middleware/daily-byte-quota.js +6 -26
  225. package/lib/vendor/blamejs/lib/middleware/deny-response.js +19 -1
  226. package/lib/vendor/blamejs/lib/middleware/fetch-metadata.js +7 -0
  227. package/lib/vendor/blamejs/lib/middleware/idempotency-key.js +4 -20
  228. package/lib/vendor/blamejs/lib/middleware/rate-limit.js +20 -28
  229. package/lib/vendor/blamejs/lib/middleware/scim-server.js +3 -2
  230. package/lib/vendor/blamejs/lib/middleware/security-headers.js +9 -1
  231. package/lib/vendor/blamejs/lib/middleware/security-txt.js +2 -6
  232. package/lib/vendor/blamejs/lib/middleware/tus-upload.js +12 -27
  233. package/lib/vendor/blamejs/lib/middleware/web-app-manifest.js +2 -7
  234. package/lib/vendor/blamejs/lib/migrations.js +4 -13
  235. package/lib/vendor/blamejs/lib/mime-parse.js +34 -17
  236. package/lib/vendor/blamejs/lib/module-loader.js +44 -0
  237. package/lib/vendor/blamejs/lib/money.js +105 -0
  238. package/lib/vendor/blamejs/lib/mtls-ca.js +116 -36
  239. package/lib/vendor/blamejs/lib/network-byte-quota.js +4 -18
  240. package/lib/vendor/blamejs/lib/network-dane.js +8 -6
  241. package/lib/vendor/blamejs/lib/network-dns-resolver.js +97 -6
  242. package/lib/vendor/blamejs/lib/network-dnssec.js +16 -16
  243. package/lib/vendor/blamejs/lib/network-heartbeat.js +3 -2
  244. package/lib/vendor/blamejs/lib/network-smtp-policy.js +29 -41
  245. package/lib/vendor/blamejs/lib/network-tls.js +40 -42
  246. package/lib/vendor/blamejs/lib/nis2-report.js +1 -11
  247. package/lib/vendor/blamejs/lib/nonce-store.js +81 -3
  248. package/lib/vendor/blamejs/lib/numeric-bounds.js +22 -8
  249. package/lib/vendor/blamejs/lib/object-store/azure-blob-bucket-ops.js +2 -6
  250. package/lib/vendor/blamejs/lib/object-store/azure-blob.js +5 -45
  251. package/lib/vendor/blamejs/lib/object-store/gcs.js +8 -71
  252. package/lib/vendor/blamejs/lib/object-store/http-put.js +1 -5
  253. package/lib/vendor/blamejs/lib/object-store/http-request.js +128 -0
  254. package/lib/vendor/blamejs/lib/object-store/sigv4-bucket-ops.js +2 -1
  255. package/lib/vendor/blamejs/lib/object-store/sigv4.js +9 -77
  256. package/lib/vendor/blamejs/lib/observability-otlp-exporter.js +9 -25
  257. package/lib/vendor/blamejs/lib/observability.js +95 -0
  258. package/lib/vendor/blamejs/lib/openapi-paths-builder.js +7 -3
  259. package/lib/vendor/blamejs/lib/otel-export.js +7 -10
  260. package/lib/vendor/blamejs/lib/outbox.js +43 -37
  261. package/lib/vendor/blamejs/lib/pagination.js +11 -15
  262. package/lib/vendor/blamejs/lib/parsers/safe-env.js +5 -4
  263. package/lib/vendor/blamejs/lib/parsers/safe-ini.js +10 -4
  264. package/lib/vendor/blamejs/lib/parsers/safe-toml.js +11 -9
  265. package/lib/vendor/blamejs/lib/parsers/safe-xml.js +2 -2
  266. package/lib/vendor/blamejs/lib/parsers/safe-yaml.js +7 -6
  267. package/lib/vendor/blamejs/lib/pick.js +63 -5
  268. package/lib/vendor/blamejs/lib/pipl-cn.js +69 -59
  269. package/lib/vendor/blamejs/lib/privacy-pass.js +8 -6
  270. package/lib/vendor/blamejs/lib/problem-details.js +2 -5
  271. package/lib/vendor/blamejs/lib/pubsub.js +4 -8
  272. package/lib/vendor/blamejs/lib/redact.js +2 -1
  273. package/lib/vendor/blamejs/lib/render.js +4 -2
  274. package/lib/vendor/blamejs/lib/request-helpers.js +133 -6
  275. package/lib/vendor/blamejs/lib/restore.js +5 -22
  276. package/lib/vendor/blamejs/lib/retention.js +3 -5
  277. package/lib/vendor/blamejs/lib/safe-async.js +457 -0
  278. package/lib/vendor/blamejs/lib/safe-buffer.js +137 -6
  279. package/lib/vendor/blamejs/lib/safe-decompress.js +2 -1
  280. package/lib/vendor/blamejs/lib/safe-dns.js +2 -1
  281. package/lib/vendor/blamejs/lib/safe-ical.js +12 -26
  282. package/lib/vendor/blamejs/lib/safe-json.js +7 -8
  283. package/lib/vendor/blamejs/lib/safe-jsonpath.js +6 -5
  284. package/lib/vendor/blamejs/lib/safe-mime.js +25 -29
  285. package/lib/vendor/blamejs/lib/safe-redirect.js +2 -5
  286. package/lib/vendor/blamejs/lib/safe-schema.js +7 -6
  287. package/lib/vendor/blamejs/lib/safe-sql.js +126 -0
  288. package/lib/vendor/blamejs/lib/safe-vcard.js +12 -26
  289. package/lib/vendor/blamejs/lib/sandbox-worker.js +9 -2
  290. package/lib/vendor/blamejs/lib/sandbox.js +3 -2
  291. package/lib/vendor/blamejs/lib/scheduler.js +5 -12
  292. package/lib/vendor/blamejs/lib/sec-cyber.js +82 -37
  293. package/lib/vendor/blamejs/lib/seeders.js +4 -11
  294. package/lib/vendor/blamejs/lib/self-update.js +92 -69
  295. package/lib/vendor/blamejs/lib/session-device-binding.js +112 -66
  296. package/lib/vendor/blamejs/lib/session.js +194 -6
  297. package/lib/vendor/blamejs/lib/sql.js +225 -78
  298. package/lib/vendor/blamejs/lib/sse.js +6 -10
  299. package/lib/vendor/blamejs/lib/static.js +136 -98
  300. package/lib/vendor/blamejs/lib/storage.js +4 -2
  301. package/lib/vendor/blamejs/lib/structured-fields.js +275 -16
  302. package/lib/vendor/blamejs/lib/tenant-quota.js +2 -20
  303. package/lib/vendor/blamejs/lib/tsa.js +11 -15
  304. package/lib/vendor/blamejs/lib/validate-opts.js +154 -8
  305. package/lib/vendor/blamejs/lib/vault/seal-pem-file.js +30 -48
  306. package/lib/vendor/blamejs/lib/vault-aad.js +3 -2
  307. package/lib/vendor/blamejs/lib/vc.js +2 -7
  308. package/lib/vendor/blamejs/lib/vex.js +35 -13
  309. package/lib/vendor/blamejs/lib/web-push-vapid.js +23 -20
  310. package/lib/vendor/blamejs/lib/webhook-dispatcher.js +706 -0
  311. package/lib/vendor/blamejs/lib/webhook.js +43 -18
  312. package/lib/vendor/blamejs/lib/websocket-channels.js +9 -7
  313. package/lib/vendor/blamejs/lib/websocket.js +7 -3
  314. package/lib/vendor/blamejs/lib/worm.js +2 -3
  315. package/lib/vendor/blamejs/lib/ws-client.js +8 -10
  316. package/lib/vendor/blamejs/package.json +1 -1
  317. package/lib/vendor/blamejs/release-notes/v0.15.13.json +81 -0
  318. package/lib/vendor/blamejs/scripts/check-changelog-extract.js +1 -1
  319. package/lib/vendor/blamejs/test/00-primitives.js +136 -7
  320. package/lib/vendor/blamejs/test/10-state.js +9 -3
  321. package/lib/vendor/blamejs/test/30-chain.js +40 -0
  322. package/lib/vendor/blamejs/test/helpers/check.js +18 -0
  323. package/lib/vendor/blamejs/test/helpers/db.js +4 -0
  324. package/lib/vendor/blamejs/test/helpers/index.js +1 -0
  325. package/lib/vendor/blamejs/test/integration/audit-chain-external-db.test.js +2 -1
  326. package/lib/vendor/blamejs/test/integration/audit-stack-postgres.test.js +2 -1
  327. package/lib/vendor/blamejs/test/integration/data-layer-mysql.test.js +8 -1
  328. package/lib/vendor/blamejs/test/integration/data-layer-pg.test.js +1 -1
  329. package/lib/vendor/blamejs/test/integration/framework-schema-mysql.test.js +2 -1
  330. package/lib/vendor/blamejs/test/integration/webhook-dispatcher-pg.test.js +269 -0
  331. package/lib/vendor/blamejs/test/layer-0-primitives/atomic-file-fd-read.test.js +149 -0
  332. package/lib/vendor/blamejs/test/layer-0-primitives/audit-framework-namespaces.test.js +51 -0
  333. package/lib/vendor/blamejs/test/layer-0-primitives/audit-sign-anchor.test.js +88 -0
  334. package/lib/vendor/blamejs/test/layer-0-primitives/audit-use-store.test.js +55 -1
  335. package/lib/vendor/blamejs/test/layer-0-primitives/backup-object-store-adapter.test.js +2 -2
  336. package/lib/vendor/blamejs/test/layer-0-primitives/bot-guard.test.js +1 -1
  337. package/lib/vendor/blamejs/test/layer-0-primitives/bounded-map.test.js +129 -0
  338. package/lib/vendor/blamejs/test/layer-0-primitives/chain-writer-multichain.test.js +107 -0
  339. package/lib/vendor/blamejs/test/layer-0-primitives/cli-api-key.test.js +12 -0
  340. package/lib/vendor/blamejs/test/layer-0-primitives/codebase-patterns.test.js +2788 -3214
  341. package/lib/vendor/blamejs/test/layer-0-primitives/codepoint-class.test.js +78 -0
  342. package/lib/vendor/blamejs/test/layer-0-primitives/crypto-base64url.test.js +63 -0
  343. package/lib/vendor/blamejs/test/layer-0-primitives/crypto-hash-stream.test.js +2 -1
  344. package/lib/vendor/blamejs/test/layer-0-primitives/csp-builder.test.js +50 -0
  345. package/lib/vendor/blamejs/test/layer-0-primitives/csp-nonce.test.js +1 -1
  346. package/lib/vendor/blamejs/test/layer-0-primitives/daemon.test.js +2 -1
  347. package/lib/vendor/blamejs/test/layer-0-primitives/defineguard-resolve-opts.test.js +76 -0
  348. package/lib/vendor/blamejs/test/layer-0-primitives/flag.test.js +9 -0
  349. package/lib/vendor/blamejs/test/layer-0-primitives/gate-contract-content-gate.test.js +290 -0
  350. package/lib/vendor/blamejs/test/layer-0-primitives/guard-csv.test.js +84 -0
  351. package/lib/vendor/blamejs/test/layer-0-primitives/guard-email.test.js +78 -0
  352. package/lib/vendor/blamejs/test/layer-0-primitives/guard-filename.test.js +23 -0
  353. package/lib/vendor/blamejs/test/layer-0-primitives/guard-gate-disposition-coverage.test.js +93 -0
  354. package/lib/vendor/blamejs/test/layer-0-primitives/guard-html.test.js +60 -0
  355. package/lib/vendor/blamejs/test/layer-0-primitives/guard-image.test.js +184 -0
  356. package/lib/vendor/blamejs/test/layer-0-primitives/guard-imap-command.test.js +0 -0
  357. package/lib/vendor/blamejs/test/layer-0-primitives/guard-json.test.js +54 -0
  358. package/lib/vendor/blamejs/test/layer-0-primitives/guard-managesieve-command.test.js +10 -0
  359. package/lib/vendor/blamejs/test/layer-0-primitives/guard-markdown.test.js +45 -0
  360. package/lib/vendor/blamejs/test/layer-0-primitives/guard-pdf.test.js +101 -0
  361. package/lib/vendor/blamejs/test/layer-0-primitives/guard-pop3-command.test.js +18 -0
  362. package/lib/vendor/blamejs/test/layer-0-primitives/guard-svg.test.js +76 -0
  363. package/lib/vendor/blamejs/test/layer-0-primitives/guard-text.test.js +365 -0
  364. package/lib/vendor/blamejs/test/layer-0-primitives/guard-xml.test.js +35 -0
  365. package/lib/vendor/blamejs/test/layer-0-primitives/guard-yaml.test.js +36 -0
  366. package/lib/vendor/blamejs/test/layer-0-primitives/i18n.test.js +20 -0
  367. package/lib/vendor/blamejs/test/layer-0-primitives/inbox.test.js +15 -0
  368. package/lib/vendor/blamejs/test/layer-0-primitives/ip-utils.test.js +83 -0
  369. package/lib/vendor/blamejs/test/layer-0-primitives/mail-arf.test.js +10 -0
  370. package/lib/vendor/blamejs/test/layer-0-primitives/mail-auth.test.js +39 -0
  371. package/lib/vendor/blamejs/test/layer-0-primitives/mail-dkim.test.js +36 -0
  372. package/lib/vendor/blamejs/test/layer-0-primitives/mail-greylist.test.js +17 -0
  373. package/lib/vendor/blamejs/test/layer-0-primitives/mail-server-tls.test.js +39 -0
  374. package/lib/vendor/blamejs/test/layer-0-primitives/mail-store.test.js +17 -0
  375. package/lib/vendor/blamejs/test/layer-0-primitives/mime-parse.test.js +106 -0
  376. package/lib/vendor/blamejs/test/layer-0-primitives/money.test.js +17 -0
  377. package/lib/vendor/blamejs/test/layer-0-primitives/mtls-ca-revocation.test.js +98 -0
  378. package/lib/vendor/blamejs/test/layer-0-primitives/nonce-store-release.test.js +77 -0
  379. package/lib/vendor/blamejs/test/layer-0-primitives/observability.test.js +48 -0
  380. package/lib/vendor/blamejs/test/layer-0-primitives/rate-limit-memory-getorinsert.test.js +100 -0
  381. package/lib/vendor/blamejs/test/layer-0-primitives/request-helpers.test.js +88 -0
  382. package/lib/vendor/blamejs/test/layer-0-primitives/safe-async-loops.test.js +278 -0
  383. package/lib/vendor/blamejs/test/layer-0-primitives/safe-buffer-linear-scans.test.js +37 -0
  384. package/lib/vendor/blamejs/test/layer-0-primitives/safe-jsonpath.test.js +14 -0
  385. package/lib/vendor/blamejs/test/layer-0-primitives/sandbox.test.js +19 -0
  386. package/lib/vendor/blamejs/test/layer-0-primitives/security-headers.test.js +1 -1
  387. package/lib/vendor/blamejs/test/layer-0-primitives/self-update.test.js +2 -1
  388. package/lib/vendor/blamejs/test/layer-0-primitives/session-device-binding.test.js +18 -0
  389. package/lib/vendor/blamejs/test/layer-0-primitives/session-extensions.test.js +1 -1
  390. package/lib/vendor/blamejs/test/layer-0-primitives/session-valid-from.test.js +73 -0
  391. package/lib/vendor/blamejs/test/layer-0-primitives/sql.test.js +100 -0
  392. package/lib/vendor/blamejs/test/layer-0-primitives/structured-fields.test.js +80 -0
  393. package/lib/vendor/blamejs/test/layer-0-primitives/validate-opts-shape.test.js +235 -0
  394. package/lib/vendor/blamejs/test/layer-0-primitives/webhook-dispatcher.test.js +374 -0
  395. package/lib/vendor/blamejs/test/layer-0-primitives/webhook.test.js +75 -8
  396. package/lib/vendor/blamejs/test/layer-5-integration/guard-host-integration.test.js +3 -3
  397. package/package.json +1 -1
@@ -33,11 +33,15 @@
33
33
  * (e.g. JPEG marker followed by an embedded ZIP central directory) —
34
34
  * refused at every profile.
35
35
  *
36
- * EXIF / XMP metadata strip: handled by the operator's decoder
37
- * (sharp's `withMetadata: false`, libvips `metadata-strip`). The
38
- * guard does not parse byte streams; it enforces the policy boundary
39
- * and refuses the upload when the decoder's reported metadata
40
- * violates a cap.
36
+ * EXIF / XMP / IPTC metadata strip: `sanitize` removes the metadata
37
+ * segments in-framework by walking the container framing (JPEG APPn/COM
38
+ * markers, PNG ancillary text chunks, GIF comment/application extensions,
39
+ * WebP EXIF/XMP RIFF chunks) the privacy-leak and metadata-stego surface,
40
+ * stripped without a vendored decoder. Pixel transcoding / dimension
41
+ * downscale still belong to the operator's decoder (sharp's
42
+ * `withMetadata: false`, libvips `metadata-strip`); formats whose metadata
43
+ * lives in an offset-based structure (TIFF / HEIC / AVIF) are refused rather
44
+ * than passed through.
41
45
  *
42
46
  * SVG routing: bytes that match the SVG magic are refused under every
43
47
  * profile — operators must route SVG explicitly to `b.guardSvg`
@@ -60,9 +64,9 @@
60
64
  */
61
65
 
62
66
  var lazyRequire = require("./lazy-require");
67
+ var safeBuffer = require("./safe-buffer");
63
68
  var gateContract = require("./gate-contract");
64
69
  var C = require("./constants");
65
- var numericBounds = require("./numeric-bounds");
66
70
  var { GuardImageError } = require("./framework-error");
67
71
 
68
72
  var observability = lazyRequire(function () { return require("./observability"); });
@@ -143,34 +147,9 @@ var PROFILES = Object.freeze({
143
147
  },
144
148
  });
145
149
 
146
- var DEFAULTS = Object.freeze(Object.assign({}, PROFILES["strict"], {
147
- mode: "enforce",
148
- }));
149
-
150
- var COMPLIANCE_POSTURES = Object.freeze({
151
- "hipaa": Object.assign({}, PROFILES["strict"], {
152
- forensicSnippetBytes: C.BYTES.bytes(256),
153
- }),
154
- "pci-dss": Object.assign({}, PROFILES["strict"], {
155
- forensicSnippetBytes: C.BYTES.bytes(256),
156
- }),
157
- "gdpr": Object.assign({}, PROFILES["balanced"], {
158
- forensicSnippetBytes: C.BYTES.bytes(128),
159
- }),
160
- "soc2": Object.assign({}, PROFILES["strict"], {
161
- forensicSnippetBytes: C.BYTES.bytes(512),
162
- }),
163
- });
150
+ var DEFAULTS = gateContract.strictDefaults(PROFILES);
164
151
 
165
- function _resolveOpts(opts) {
166
- return gateContract.resolveProfileAndPosture(opts, {
167
- profiles: PROFILES,
168
- compliancePostures: COMPLIANCE_POSTURES,
169
- defaults: DEFAULTS,
170
- errorClass: GuardImageError,
171
- errCodePrefix: "image",
172
- });
173
- }
152
+ var COMPLIANCE_POSTURES = gateContract.compliancePostures(PROFILES, { base: 256 });
174
153
 
175
154
  function _bytesAt(buf, offset, sig) {
176
155
  if (buf.length < offset + sig.length) return false;
@@ -202,7 +181,7 @@ function _detectIssues(metadata, opts) {
202
181
  }
203
182
 
204
183
  var bytes = metadata.bytes;
205
- if (bytes && typeof bytes.length === "number" && bytes.length > opts.maxBytes) {
184
+ if (bytes && typeof bytes.length === "number" && safeBuffer.byteLengthOf(bytes) > opts.maxBytes) {
206
185
  return [{ kind: "image-cap", severity: "high",
207
186
  ruleId: "image.image-cap",
208
187
  snippet: "image bytes exceed maxBytes " + opts.maxBytes }];
@@ -351,13 +330,11 @@ function _detectIssues(metadata, opts) {
351
330
  * big.issues.some(function (i) { return i.kind === "width-cap"; });
352
331
  * // → true
353
332
  */
354
- function validate(input, opts) {
355
- opts = _resolveOpts(opts);
356
- numericBounds.requireAllPositiveFiniteIntIfPresent(opts,
357
- ["maxBytes", "maxWidth", "maxHeight", "maxFrames"],
358
- "guardImage.validate", GuardImageError, "image.bad-opt");
359
- return gateContract.aggregateIssues(_detectIssues(input, opts));
360
- }
333
+ // validate is assembled by gateContract.defineGuard from `detect`
334
+ // (_detectIssues) below — `validate(input, opts) = aggregateIssues(detect(
335
+ // input, resolveOpts(opts)))`, with the maxBytes / maxWidth / maxHeight /
336
+ // maxFrames caps declared via `intOpts`. The @primitive block above
337
+ // documents the resulting public ABI.
361
338
 
362
339
  /**
363
340
  * @primitive b.guardImage.sanitize
@@ -366,19 +343,35 @@ function validate(input, opts) {
366
343
  * @status stable
367
344
  * @related b.guardImage.validate, b.guardImage.gate
368
345
  *
369
- * Best-effort metadata pass-through. Image-byte sanitization
370
- * (transcoding, EXIF strip, dimension downscale) is the operator
371
- * decoder's responsibility — the guard cannot rewrite raster bytes
372
- * without a vendored decoder. `sanitize` validates the metadata
373
- * against the active profile and re-throws `GuardImageError` when
374
- * any issue is `critical` or `high`. Returns the input unchanged
375
- * when every issue is `warn` or below.
346
+ * Strip the container's metadata segments from `input.bytes` EXIF/GPS,
347
+ * XMP/IPTC, and comment payloads (the privacy-leak and metadata-stego
348
+ * surface)and return the bag with the cleaned bytes. Stripping walks the
349
+ * linear container framing (JPEG APPn/COM markers, PNG ancillary text chunks,
350
+ * GIF comment/application extensions, WebP EXIF/XMP RIFF chunks); pixel
351
+ * transcoding and dimension downscale still need a vendored decoder and stay
352
+ * the operator's job.
353
+ *
354
+ * `sanitize` first runs the validate chain and re-throws `GuardImageError`
355
+ * when any issue is `critical` or `high` (a polyglot or MIME-mismatch is
356
+ * refused, never stripped). A format whose metadata lives in an offset-based
357
+ * structure that cannot be rewritten without a decoder (TIFF / HEIC / AVIF) is
358
+ * refused with `image.sanitize-unsupported-format`; a structurally malformed
359
+ * container is refused with `image.sanitize-malformed` rather than returned
360
+ * half-stripped. BMP / ICO carry no metadata container and pass through.
376
361
  *
377
362
  * @opts
378
363
  * profile: "strict"|"balanced"|"permissive",
379
364
  * compliancePosture: "hipaa"|"pci-dss"|"gdpr"|"soc2",
380
365
  *
381
366
  * @example
367
+ * // EXIF-laden JPEG → the APP1 (EXIF/XMP) segment is removed.
368
+ * var clean = b.guardImage.sanitize({
369
+ * bytes: jpegWithExif,
370
+ * declaredMime: "image/jpeg",
371
+ * }, { profile: "strict" });
372
+ * clean.bytes.length < jpegWithExif.length; // → true
373
+ *
374
+ * // A MIME-mismatch is refused, not stripped.
382
375
  * try {
383
376
  * b.guardImage.sanitize({
384
377
  * bytes: Buffer.from([0xFF, 0xD8, 0xFF]),
@@ -388,14 +381,221 @@ function validate(input, opts) {
388
381
  * e.code; // → "image.mime-mismatch"
389
382
  * }
390
383
  */
391
- function sanitize(input, opts) {
392
- opts = _resolveOpts(opts);
393
- if (!input || typeof input !== "object") {
394
- throw _err("image.bad-input", "sanitize requires metadata object");
384
+ // ---- Container-framing metadata strip (sanitize) ----
385
+ //
386
+ // Linear TLV byte-surgery over the well-defined container framing — the same
387
+ // signature-walk shape as inspectMagic, NOT a pixel decoder (Hard rule: no
388
+ // vendored raster library). Removes the metadata segments that carry EXIF/GPS,
389
+ // XMP/IPTC PII, and metadata-embedded stego/polyglot payloads operators need
390
+ // stripped before serving an otherwise-clean image. Pixel transcoding and
391
+ // dimension downscale still need a decoder and stay the operator's job.
392
+ //
393
+ // A structurally malformed container is REFUSED (throw), never returned
394
+ // half-stripped — sanitize must not hand back bytes it could not fully clean.
395
+
396
+ function _stripMalformed(detail) {
397
+ return _err("image.sanitize-malformed",
398
+ "cannot strip image metadata — malformed container framing: " + detail);
399
+ }
400
+
401
+ // JPEG: FFD8 SOI, then marker segments until SOS (FFDA) begins entropy data.
402
+ // Drop EXIF/XMP (APP1=E1), IPTC/Photoshop (APP13=ED), comments (COM=FE), and
403
+ // the vendor APPn range (E3..EC, EF). Keep JFIF (APP0=E0), ICC color
404
+ // (APP2=E2), Adobe (APP14=EE), and every coding segment (SOFn/DHT/DQT/DRI/SOS).
405
+ function _stripJpegMetadata(buf) {
406
+ if (buf.length < 2 || buf[0] !== 0xFF || buf[1] !== 0xD8) {
407
+ throw _stripMalformed("missing SOI");
395
408
  }
396
- var issues = _detectIssues(input, opts);
397
- gateContract.throwOnRefusalSeverity(issues, { errorClass: GuardImageError, codePrefix: "image" });
398
- return input;
409
+ var parts = [buf.slice(0, 2)];
410
+ var i = 2;
411
+ while (i < buf.length) {
412
+ if (buf[i] !== 0xFF) throw _stripMalformed("expected marker at " + i);
413
+ // Collapse any 0xFF fill bytes preceding the marker code.
414
+ var mi = i + 1;
415
+ while (mi < buf.length && buf[mi] === 0xFF) mi += 1;
416
+ if (mi >= buf.length) throw _stripMalformed("truncated marker");
417
+ var marker = buf[mi];
418
+ // Standalone markers (no length payload): TEM(01), RSTn(D0..D7).
419
+ if (marker === 0x01 || (marker >= 0xD0 && marker <= 0xD7)) {
420
+ parts.push(buf.slice(i, mi + 1)); i = mi + 1; continue;
421
+ }
422
+ if (marker === 0xD9) { parts.push(buf.slice(i, mi + 1)); i = mi + 1; break; } // EOI
423
+ if (marker === 0xDA) { parts.push(buf.slice(i)); i = buf.length; break; } // SOS + entropy → verbatim
424
+ if (mi + 3 > buf.length) throw _stripMalformed("truncated segment length");
425
+ var segLen = (buf[mi + 1] << 8) | buf[mi + 2];
426
+ if (segLen < 2) throw _stripMalformed("bad segment length");
427
+ var segEnd = mi + 1 + segLen;
428
+ if (segEnd > buf.length) throw _stripMalformed("segment overruns buffer");
429
+ var drop = marker === 0xE1 || marker === 0xED || marker === 0xFE ||
430
+ (marker >= 0xE3 && marker <= 0xEC) || marker === 0xEF;
431
+ if (!drop) parts.push(buf.slice(i, segEnd));
432
+ i = segEnd;
433
+ }
434
+ return Buffer.concat(parts);
435
+ }
436
+
437
+ // PNG: 8-byte signature, then length(4 BE)+type(4)+data+crc(4) chunks. Drop the
438
+ // text/metadata/time ancillary chunks; keep critical chunks (IHDR/PLTE/IDAT/
439
+ // IEND) and rendering ancillary (gAMA/cHRM/sRGB/iCCP/pHYs/tRNS/bKGD/sBIT/...).
440
+ // Dropping a chunk never disturbs another's per-chunk CRC.
441
+ var _PNG_DROP = Object.freeze({ tEXt: 1, zTXt: 1, iTXt: 1, eXIf: 1, tIME: 1, dSIG: 1 });
442
+ function _stripPngMetadata(buf) {
443
+ if (buf.length < 8) throw _stripMalformed("truncated signature");
444
+ var parts = [buf.slice(0, 8)];
445
+ var i = 8;
446
+ while (i + 8 <= buf.length) {
447
+ var len = buf.readUInt32BE(i);
448
+ if (len > 0x7FFFFFFF) throw _stripMalformed("chunk length exceeds PNG max");
449
+ var type = buf.toString("latin1", i + 4, i + 8);
450
+ var end = i + 12 + len; // 4 len + 4 type + len + 4 crc
451
+ if (end > buf.length) throw _stripMalformed("chunk overruns buffer");
452
+ if (!_PNG_DROP[type]) parts.push(buf.slice(i, end));
453
+ i = end;
454
+ if (type === "IEND") break;
455
+ }
456
+ return Buffer.concat(parts);
457
+ }
458
+
459
+ // GIF: header(6)+logical-screen-descriptor(7)+optional global color table, then
460
+ // blocks. Drop comment (0x21 0xFE) + plain-text (0x21 0x01) + non-loop
461
+ // application (0x21 0xFF, e.g. XMP) extensions; keep graphic-control extensions
462
+ // (0x21 0xF9), the NETSCAPE/ANIMEXTS loop extension (animation control), image
463
+ // descriptors (0x2C), and the trailer (0x3B).
464
+ function _gifSkipSubBlocks(buf, i) {
465
+ while (i < buf.length) {
466
+ var size = buf[i];
467
+ i += 1;
468
+ if (size === 0) return i; // block terminator
469
+ i += size;
470
+ }
471
+ throw _stripMalformed("unterminated sub-block stream");
472
+ }
473
+ function _stripGifMetadata(buf) {
474
+ if (buf.length < 13) throw _stripMalformed("truncated header");
475
+ var i = 13;
476
+ var packed = buf[10];
477
+ if (packed & 0x80) i += 3 * (1 << ((packed & 0x07) + 1)); // global color table
478
+ if (i > buf.length) throw _stripMalformed("global color table overruns buffer");
479
+ var parts = [buf.slice(0, i)];
480
+ while (i < buf.length) {
481
+ var b = buf[i];
482
+ if (b === 0x3B) { parts.push(buf.slice(i, i + 1)); i += 1; break; } // trailer
483
+ if (b === 0x2C) { // image descriptor
484
+ var start = i;
485
+ if (i + 10 > buf.length) throw _stripMalformed("truncated image descriptor");
486
+ var lc = buf[i + 9];
487
+ i += 10;
488
+ if (lc & 0x80) i += 3 * (1 << ((lc & 0x07) + 1)); // local color table
489
+ if (i + 1 > buf.length) throw _stripMalformed("truncated LZW code size");
490
+ i += 1; // LZW minimum code size
491
+ i = _gifSkipSubBlocks(buf, i);
492
+ parts.push(buf.slice(start, i));
493
+ continue;
494
+ }
495
+ if (b === 0x21) { // extension introducer
496
+ if (i + 2 > buf.length) throw _stripMalformed("truncated extension");
497
+ var label = buf[i + 1];
498
+ var start2 = i;
499
+ var j = i + 2;
500
+ if (label === 0xF9) { // graphic control — keep
501
+ var k = _gifSkipSubBlocks(buf, j);
502
+ parts.push(buf.slice(start2, k));
503
+ i = k;
504
+ continue;
505
+ }
506
+ if (label === 0xFF) { // application extension
507
+ if (j >= buf.length) throw _stripMalformed("truncated app extension");
508
+ var blockSize = buf[j];
509
+ var idEnd = j + 1 + blockSize;
510
+ if (idEnd > buf.length) throw _stripMalformed("app-id overruns buffer");
511
+ var appId = buf.toString("latin1", j + 1, idEnd);
512
+ var k2 = _gifSkipSubBlocks(buf, idEnd);
513
+ if (appId.indexOf("NETSCAPE2.0") === 0 || appId.indexOf("ANIMEXTS1.0") === 0) {
514
+ parts.push(buf.slice(start2, k2)); // keep loop control
515
+ }
516
+ i = k2;
517
+ continue;
518
+ }
519
+ // comment (0xFE) / plain-text (0x01) / other → drop.
520
+ var k3 = j;
521
+ if (label === 0x01) { // plain text has a 12-byte header block
522
+ if (k3 >= buf.length) throw _stripMalformed("truncated plain-text header");
523
+ k3 += 1 + buf[k3];
524
+ if (k3 > buf.length) throw _stripMalformed("plain-text header overruns buffer");
525
+ }
526
+ k3 = _gifSkipSubBlocks(buf, k3);
527
+ i = k3;
528
+ continue;
529
+ }
530
+ throw _stripMalformed("unknown block 0x" + b.toString(16) + " at " + i);
531
+ }
532
+ return Buffer.concat(parts);
533
+ }
534
+
535
+ // WebP: RIFF container — "RIFF"+size(4 LE)+"WEBP"+chunks (FourCC+size(4 LE)+
536
+ // data, padded to even). Drop EXIF + XMP chunks, clear the VP8X EXIF/XMP flag
537
+ // bits so a strict decoder does not expect the dropped chunks, and rewrite the
538
+ // RIFF size. Keep VP8/VP8L/VP8X/ANIM/ANMF/ALPH/ICCP.
539
+ function _stripWebpMetadata(buf) {
540
+ if (buf.length < 12 ||
541
+ buf.toString("latin1", 0, 4) !== "RIFF" ||
542
+ buf.toString("latin1", 8, 12) !== "WEBP") {
543
+ throw _stripMalformed("not a RIFF/WEBP container");
544
+ }
545
+ var body = [];
546
+ var i = 12;
547
+ while (i + 8 <= buf.length) {
548
+ var fourcc = buf.toString("latin1", i, i + 4);
549
+ var size = buf.readUInt32LE(i + 4);
550
+ var dataEnd = i + 8 + size;
551
+ if (dataEnd > buf.length) throw _stripMalformed("chunk overruns buffer");
552
+ var padded = dataEnd + (size & 1); // even-pad
553
+ if (padded > buf.length) padded = buf.length; // tolerate a missing final pad byte
554
+ if (fourcc === "EXIF" || fourcc === "XMP ") { i = padded; continue; } // drop metadata chunk
555
+ var chunk = buf.slice(i, padded);
556
+ if (fourcc === "VP8X" && size >= 1) {
557
+ chunk = Buffer.from(chunk); // own copy before mutating flags
558
+ chunk[8] = chunk[8] & ~0x08 & ~0x04; // clear EXIF + XMP presence bits
559
+ }
560
+ body.push(chunk);
561
+ i = padded;
562
+ }
563
+ var bodyBuf = Buffer.concat(body);
564
+ var out = Buffer.concat([buf.slice(0, 12), bodyBuf]);
565
+ out.writeUInt32LE(4 + bodyBuf.length, 4); // RIFF size = "WEBP" + chunks
566
+ return out;
567
+ }
568
+
569
+ function _stripImageMetadata(bytes) {
570
+ var mimes = _detectMagicMimes(bytes);
571
+ if (mimes.indexOf("image/jpeg") !== -1) return _stripJpegMetadata(bytes);
572
+ if (mimes.indexOf("image/png") !== -1) return _stripPngMetadata(bytes);
573
+ if (mimes.indexOf("image/gif") !== -1) return _stripGifMetadata(bytes);
574
+ if (mimes.indexOf("image/webp") !== -1) return _stripWebpMetadata(bytes);
575
+ // BMP / ICO carry no text/EXIF metadata container — nothing to strip.
576
+ if (mimes.indexOf("image/bmp") !== -1 || mimes.indexOf("image/x-icon") !== -1) return bytes;
577
+ // TIFF / HEIC / AVIF keep metadata in IFD / ISO-BMFF box structures that need
578
+ // offset-aware rewriting (a format parser — forbidden). Refuse rather than
579
+ // hand back un-stripped bytes claiming they were sanitized.
580
+ throw _err("image.sanitize-unsupported-format",
581
+ "in-framework metadata strip covers jpeg/png/gif/webp (linear container " +
582
+ "framing); this format needs a vendored decoder — refuse and run an " +
583
+ "external sanitizer");
584
+ }
585
+
586
+ // _sanitizeTransform — defineGuard's generated sanitize runs resolve → detect →
587
+ // throw-on-refusal first, so a polyglot / mime-mismatch (critical/high) is
588
+ // refused before this point. For an otherwise-clean image the metadata bag's
589
+ // bytes are stripped of their EXIF/XMP/IPTC/comment segments; pixel transcoding
590
+ // still needs a decoder and stays the operator's job. Non-Buffer bytes pass
591
+ // through (validate already refused bad input upstream).
592
+ function _sanitizeTransform(metadata) {
593
+ if (!metadata || typeof metadata !== "object" || !Buffer.isBuffer(metadata.bytes)) {
594
+ return metadata;
595
+ }
596
+ var cleaned = _stripImageMetadata(metadata.bytes);
597
+ if (cleaned === metadata.bytes) return metadata;
598
+ return Object.assign({}, metadata, { bytes: cleaned });
399
599
  }
400
600
 
401
601
  /**
@@ -410,9 +610,10 @@ function sanitize(input, opts) {
410
610
  * { "image/png": gate, "image/jpeg": gate } })` or `b.staticServe`.
411
611
  * Operators pass `ctx.metadata` (the decoder's reported shape) plus
412
612
  * the original `bytes`. Action chain: `serve` (no issues) →
413
- * `audit-only` (warn-only) → `refuse` (any critical / high). No
414
- * `sanitize` action image bytes can't be transcoded without a
415
- * vendored decoder.
613
+ * `audit-only` (warn-only) → `refuse` (any critical / high). The gate
614
+ * does not auto-strip; an operator who wants metadata removed before
615
+ * serving calls `b.guardImage.sanitize(bag)` explicitly (it walks the
616
+ * container framing — EXIF/XMP/IPTC out of JPEG/PNG/GIF/WebP).
416
617
  *
417
618
  * @opts
418
619
  * profile: "strict"|"balanced"|"permissive",
@@ -434,25 +635,21 @@ function sanitize(input, opts) {
434
635
  * verdict.issues[0].kind; // → "mime-mismatch"
435
636
  */
436
637
  function gate(opts) {
437
- opts = _resolveOpts(opts);
638
+ opts = gateContract.resolveProfileAndPosture(opts, {
639
+ profiles: PROFILES,
640
+ compliancePostures: COMPLIANCE_POSTURES,
641
+ defaults: DEFAULTS,
642
+ errorClass: GuardImageError,
643
+ errCodePrefix: "image",
644
+ });
438
645
  return gateContract.buildGuardGate(
439
646
  opts.name || "guardImage:" + (opts.profile || "default"),
440
647
  opts,
441
648
  async function (ctx) {
442
649
  var meta = ctx && (ctx.metadata || ctx.imageMetadata);
443
650
  if (!meta) return { ok: true, action: "serve" };
444
- var rv = validate(meta, opts);
445
- if (rv.issues.length === 0) return { ok: true, action: "serve" };
446
- var hasCritical = rv.issues.some(function (i) {
447
- return i.severity === "critical";
448
- });
449
- var hasHigh = rv.issues.some(function (i) {
450
- return i.severity === "high";
451
- });
452
- if (!hasCritical && !hasHigh) {
453
- return { ok: true, action: "audit-only", issues: rv.issues };
454
- }
455
- return { ok: false, action: "refuse", issues: rv.issues };
651
+ var rv = module.exports.validate(meta, opts);
652
+ return gateContract.severityDisposition(rv.issues);
456
653
  });
457
654
  }
458
655
 
@@ -506,10 +703,12 @@ var INTEGRATION_FIXTURES = Object.freeze({
506
703
  // Assembled from the gate-contract guard factory: error class, registry
507
704
  // exports (NAME / KIND / INTEGRATION_FIXTURES), buildProfile /
508
705
  // compliancePosture / loadRulePack wiring, plus the per-guard inspection
509
- // surface (validate / sanitize / gate) and the image extra (inspectMagic)
510
- // passed through verbatim. KIND="metadata" is a custom kind, so the bespoke
511
- // `gate` (operator-feeds-metadata ctx.metadata reader) is REQUIRED and
512
- // carries the magic-byte / polyglot / dimension chain unchanged.
706
+ // surface. validate + sanitize are generated from `detect` (_detectIssues)
707
+ // and `sanitizeTransform` (_sanitizeTransform) with the positive-finite-int
708
+ // caps declared via `intOpts`. The image extra (inspectMagic) passes through
709
+ // verbatim. KIND="metadata" is a custom kind, so the bespoke `gate`
710
+ // (operator-feeds-metadata ctx.metadata reader) is REQUIRED and carries the
711
+ // magic-byte / polyglot / dimension chain unchanged.
513
712
  module.exports = gateContract.defineGuard({
514
713
  name: "image",
515
714
  kind: "metadata",
@@ -518,8 +717,12 @@ module.exports = gateContract.defineGuard({
518
717
  defaults: DEFAULTS,
519
718
  postures: COMPLIANCE_POSTURES,
520
719
  integrationFixtures: INTEGRATION_FIXTURES,
521
- validate: validate,
522
- sanitize: sanitize,
720
+ // detect/sanitizeTransform read a structured `{ bytes, declaredMime, ... }`
721
+ // metadata report, not text. The generated validate's default "raw" input
722
+ // contract hands the bag straight to detect (which owns its own bad-input).
723
+ detect: _detectIssues,
724
+ sanitizeTransform: _sanitizeTransform,
725
+ intOpts: ["maxBytes", "maxWidth", "maxHeight", "maxFrames"],
523
726
  gate: gate,
524
727
  extra: {
525
728
  inspectMagic: inspectMagic,
@@ -83,6 +83,8 @@
83
83
 
84
84
  var { defineClass } = require("./framework-error");
85
85
  var gateContract = require("./gate-contract");
86
+ var codepointClass = require("./codepoint-class");
87
+ var safeBuffer = require("./safe-buffer");
86
88
 
87
89
  var GuardImapCommandError = defineClass("GuardImapCommandError", { alwaysPermanent: true });
88
90
 
@@ -210,21 +212,18 @@ function validate(line, opts) {
210
212
  throw new GuardImapCommandError("guard-imap-command/empty-line",
211
213
  "guardImapCommand.validate: empty command line");
212
214
  }
213
- if (line.length > caps.maxLineBytes) {
215
+ if (safeBuffer.byteLengthOf(line) > caps.maxLineBytes) {
214
216
  throw new GuardImapCommandError("guard-imap-command/line-too-long",
215
- "guardImapCommand.validate: line " + line.length + " bytes exceeds cap " + caps.maxLineBytes);
217
+ "guardImapCommand.validate: line " + safeBuffer.byteLengthOf(line) + " bytes exceeds cap " + caps.maxLineBytes);
216
218
  }
217
219
  // Byte-safety: refuse bare CR / bare LF / NUL / C0 / DEL. The
218
220
  // wire-protocol reader has already stripped the terminating CRLF
219
221
  // before calling validate(); any remaining CR or LF is a smuggling
220
222
  // shape.
221
- for (var i = 0; i < line.length; i += 1) {
222
- var c = line.charCodeAt(i);
223
- if (c === 0x00 || c === 0x7F || (c < 0x20 && c !== 0x09)) { // control-byte refusal
224
- if (c === 0x0A && caps.allowBareLf) continue;
225
- throw new GuardImapCommandError("guard-imap-command/bad-byte",
226
- "guardImapCommand.validate: control byte 0x" + c.toString(16) + " at offset " + i); // hex format literal in error message
227
- }
223
+ var ctrlAt = codepointClass.firstControlCharOffset(line, { allowLf: caps.allowBareLf }); // bare LF permitted only when caps allow
224
+ if (ctrlAt !== -1) {
225
+ throw new GuardImapCommandError("guard-imap-command/bad-byte",
226
+ "guardImapCommand.validate: control byte 0x" + line.charCodeAt(ctrlAt).toString(16) + " at offset " + ctrlAt); // hex format literal in error message
228
227
  }
229
228
 
230
229
  // RFC 9051 §2.2.1 — `tag SP command [SP args] CRLF`