@blamejs/blamejs-shop 0.4.56 → 0.4.57

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (397) hide show
  1. package/CHANGELOG.md +2 -0
  2. package/lib/asset-manifest.json +1 -1
  3. package/lib/vendor/MANIFEST.json +426 -366
  4. package/lib/vendor/blamejs/.github/codeql/codeql-config.yml +25 -0
  5. package/lib/vendor/blamejs/.github/workflows/actions-lint.yml +3 -3
  6. package/lib/vendor/blamejs/.github/workflows/cflite_batch.yml +1 -1
  7. package/lib/vendor/blamejs/.github/workflows/cflite_pr.yml +1 -1
  8. package/lib/vendor/blamejs/.github/workflows/ci.yml +13 -13
  9. package/lib/vendor/blamejs/.github/workflows/codeql.yml +8 -7
  10. package/lib/vendor/blamejs/.github/workflows/npm-publish.yml +2 -2
  11. package/lib/vendor/blamejs/.github/workflows/release-container.yml +4 -4
  12. package/lib/vendor/blamejs/.github/workflows/scorecard.yml +1 -1
  13. package/lib/vendor/blamejs/.github/workflows/sha-to-tag-verify.yml +1 -1
  14. package/lib/vendor/blamejs/CHANGELOG.md +2 -0
  15. package/lib/vendor/blamejs/api-snapshot.json +1381 -4
  16. package/lib/vendor/blamejs/eslint.config.mjs +1 -0
  17. package/lib/vendor/blamejs/examples/wiki/lib/source-comment-block-validator.js +4 -1
  18. package/lib/vendor/blamejs/examples/wiki/lib/symbol-index.js +5 -2
  19. package/lib/vendor/blamejs/examples/wiki/routes/pages.js +4 -1
  20. package/lib/vendor/blamejs/fuzz/guard-text.fuzz.js +20 -0
  21. package/lib/vendor/blamejs/index.js +2 -0
  22. package/lib/vendor/blamejs/lib/a2a-tasks.js +7 -23
  23. package/lib/vendor/blamejs/lib/acme.js +6 -5
  24. package/lib/vendor/blamejs/lib/agent-event-bus.js +5 -4
  25. package/lib/vendor/blamejs/lib/agent-idempotency.js +2 -5
  26. package/lib/vendor/blamejs/lib/agent-orchestrator.js +2 -5
  27. package/lib/vendor/blamejs/lib/agent-saga.js +3 -5
  28. package/lib/vendor/blamejs/lib/agent-tenant.js +2 -5
  29. package/lib/vendor/blamejs/lib/ai-adverse-decision.js +2 -15
  30. package/lib/vendor/blamejs/lib/ai-capability.js +1 -6
  31. package/lib/vendor/blamejs/lib/ai-dp.js +1 -5
  32. package/lib/vendor/blamejs/lib/ai-input.js +2 -2
  33. package/lib/vendor/blamejs/lib/ai-pref.js +3 -8
  34. package/lib/vendor/blamejs/lib/ai-quota.js +3 -14
  35. package/lib/vendor/blamejs/lib/api-key.js +37 -28
  36. package/lib/vendor/blamejs/lib/archive-adapters.js +2 -4
  37. package/lib/vendor/blamejs/lib/archive-entry-policy.js +32 -0
  38. package/lib/vendor/blamejs/lib/archive-read.js +5 -17
  39. package/lib/vendor/blamejs/lib/archive-tar-read.js +5 -16
  40. package/lib/vendor/blamejs/lib/archive.js +2 -10
  41. package/lib/vendor/blamejs/lib/arg-parser.js +7 -6
  42. package/lib/vendor/blamejs/lib/asyncapi-traits.js +2 -6
  43. package/lib/vendor/blamejs/lib/atomic-file.js +108 -31
  44. package/lib/vendor/blamejs/lib/audit-chain.js +133 -53
  45. package/lib/vendor/blamejs/lib/audit-daily-review.js +24 -14
  46. package/lib/vendor/blamejs/lib/audit-emit.js +82 -0
  47. package/lib/vendor/blamejs/lib/audit-sign.js +257 -0
  48. package/lib/vendor/blamejs/lib/audit.js +84 -0
  49. package/lib/vendor/blamejs/lib/auth/access-lock.js +5 -27
  50. package/lib/vendor/blamejs/lib/auth/dpop.js +23 -35
  51. package/lib/vendor/blamejs/lib/auth/fido-mds3.js +9 -15
  52. package/lib/vendor/blamejs/lib/auth/jwt-external.js +26 -8
  53. package/lib/vendor/blamejs/lib/auth/jwt.js +13 -15
  54. package/lib/vendor/blamejs/lib/auth/lockout.js +6 -25
  55. package/lib/vendor/blamejs/lib/auth/oauth.js +67 -45
  56. package/lib/vendor/blamejs/lib/auth/oid4vci.js +55 -32
  57. package/lib/vendor/blamejs/lib/auth/oid4vp.js +3 -2
  58. package/lib/vendor/blamejs/lib/auth/openid-federation.js +6 -6
  59. package/lib/vendor/blamejs/lib/auth/passkey.js +3 -3
  60. package/lib/vendor/blamejs/lib/auth/password.js +7 -1
  61. package/lib/vendor/blamejs/lib/auth/saml.js +37 -27
  62. package/lib/vendor/blamejs/lib/auth/sd-jwt-vc-holder.js +2 -14
  63. package/lib/vendor/blamejs/lib/auth/sd-jwt-vc-issuer.js +2 -14
  64. package/lib/vendor/blamejs/lib/auth/sd-jwt-vc.js +1 -1
  65. package/lib/vendor/blamejs/lib/auth/status-list.js +7 -7
  66. package/lib/vendor/blamejs/lib/auth/step-up.js +6 -12
  67. package/lib/vendor/blamejs/lib/auth-bot-challenge.js +6 -37
  68. package/lib/vendor/blamejs/lib/backup/bundle.js +11 -18
  69. package/lib/vendor/blamejs/lib/backup/index.js +14 -47
  70. package/lib/vendor/blamejs/lib/bounded-map.js +112 -1
  71. package/lib/vendor/blamejs/lib/breach-deadline.js +1 -11
  72. package/lib/vendor/blamejs/lib/cache.js +7 -18
  73. package/lib/vendor/blamejs/lib/cbor.js +2 -1
  74. package/lib/vendor/blamejs/lib/cdn-cache-control.js +8 -9
  75. package/lib/vendor/blamejs/lib/cert.js +3 -10
  76. package/lib/vendor/blamejs/lib/chain-writer.js +162 -47
  77. package/lib/vendor/blamejs/lib/cli.js +5 -1
  78. package/lib/vendor/blamejs/lib/client-hints.js +7 -9
  79. package/lib/vendor/blamejs/lib/cloud-events.js +40 -31
  80. package/lib/vendor/blamejs/lib/cluster-storage.js +2 -38
  81. package/lib/vendor/blamejs/lib/cms-codec.js +2 -1
  82. package/lib/vendor/blamejs/lib/codepoint-class.js +67 -1
  83. package/lib/vendor/blamejs/lib/compliance-ai-act-logging.js +1 -6
  84. package/lib/vendor/blamejs/lib/compliance-ai-act-transparency.js +2 -4
  85. package/lib/vendor/blamejs/lib/compliance-eaa.js +1 -11
  86. package/lib/vendor/blamejs/lib/compliance-sanctions-fetcher.js +21 -28
  87. package/lib/vendor/blamejs/lib/compliance-sanctions.js +2 -14
  88. package/lib/vendor/blamejs/lib/compliance.js +2 -9
  89. package/lib/vendor/blamejs/lib/config-drift.js +2 -12
  90. package/lib/vendor/blamejs/lib/content-digest.js +10 -8
  91. package/lib/vendor/blamejs/lib/cookies.js +5 -11
  92. package/lib/vendor/blamejs/lib/cose.js +19 -11
  93. package/lib/vendor/blamejs/lib/cra-report.js +1 -11
  94. package/lib/vendor/blamejs/lib/crypto-field.js +5 -10
  95. package/lib/vendor/blamejs/lib/crypto.js +120 -3
  96. package/lib/vendor/blamejs/lib/csp.js +235 -3
  97. package/lib/vendor/blamejs/lib/daemon.js +42 -41
  98. package/lib/vendor/blamejs/lib/data-act.js +19 -9
  99. package/lib/vendor/blamejs/lib/db-query.js +6 -40
  100. package/lib/vendor/blamejs/lib/db.js +34 -12
  101. package/lib/vendor/blamejs/lib/dbsc.js +5 -6
  102. package/lib/vendor/blamejs/lib/ddl-change-control.js +18 -14
  103. package/lib/vendor/blamejs/lib/deprecate.js +4 -5
  104. package/lib/vendor/blamejs/lib/did.js +6 -2
  105. package/lib/vendor/blamejs/lib/dsr.js +8 -12
  106. package/lib/vendor/blamejs/lib/external-db-migrate.js +21 -22
  107. package/lib/vendor/blamejs/lib/external-db.js +14 -26
  108. package/lib/vendor/blamejs/lib/fda-21cfr11.js +12 -8
  109. package/lib/vendor/blamejs/lib/fdx.js +22 -18
  110. package/lib/vendor/blamejs/lib/file-upload.js +80 -66
  111. package/lib/vendor/blamejs/lib/flag-evaluation-context.js +5 -8
  112. package/lib/vendor/blamejs/lib/framework-error.js +12 -0
  113. package/lib/vendor/blamejs/lib/framework-schema.js +19 -0
  114. package/lib/vendor/blamejs/lib/fsm.js +7 -12
  115. package/lib/vendor/blamejs/lib/gate-contract.js +869 -38
  116. package/lib/vendor/blamejs/lib/gdpr-ropa.js +4 -13
  117. package/lib/vendor/blamejs/lib/graphql-federation.js +1 -1
  118. package/lib/vendor/blamejs/lib/guard-agent-registry.js +2 -1
  119. package/lib/vendor/blamejs/lib/guard-all.js +1 -0
  120. package/lib/vendor/blamejs/lib/guard-archive.js +9 -30
  121. package/lib/vendor/blamejs/lib/guard-auth.js +23 -80
  122. package/lib/vendor/blamejs/lib/guard-cidr.js +20 -96
  123. package/lib/vendor/blamejs/lib/guard-csv.js +135 -196
  124. package/lib/vendor/blamejs/lib/guard-domain.js +23 -106
  125. package/lib/vendor/blamejs/lib/guard-dsn.js +16 -13
  126. package/lib/vendor/blamejs/lib/guard-email.js +46 -53
  127. package/lib/vendor/blamejs/lib/guard-envelope.js +1 -1
  128. package/lib/vendor/blamejs/lib/guard-event-bus-topic.js +2 -1
  129. package/lib/vendor/blamejs/lib/guard-filename.js +12 -60
  130. package/lib/vendor/blamejs/lib/guard-graphql.js +28 -75
  131. package/lib/vendor/blamejs/lib/guard-html-wcag.js +15 -2
  132. package/lib/vendor/blamejs/lib/guard-html.js +65 -117
  133. package/lib/vendor/blamejs/lib/guard-idempotency-key.js +2 -1
  134. package/lib/vendor/blamejs/lib/guard-image.js +280 -77
  135. package/lib/vendor/blamejs/lib/guard-imap-command.js +8 -9
  136. package/lib/vendor/blamejs/lib/guard-json.js +87 -103
  137. package/lib/vendor/blamejs/lib/guard-jsonpath.js +20 -88
  138. package/lib/vendor/blamejs/lib/guard-jwt.js +32 -114
  139. package/lib/vendor/blamejs/lib/guard-list-id.js +2 -7
  140. package/lib/vendor/blamejs/lib/guard-list-unsubscribe.js +2 -7
  141. package/lib/vendor/blamejs/lib/guard-mail-compose.js +5 -6
  142. package/lib/vendor/blamejs/lib/guard-mail-move.js +2 -1
  143. package/lib/vendor/blamejs/lib/guard-mail-query.js +5 -3
  144. package/lib/vendor/blamejs/lib/guard-mail-sieve.js +6 -7
  145. package/lib/vendor/blamejs/lib/guard-managesieve-command.js +5 -4
  146. package/lib/vendor/blamejs/lib/guard-markdown.js +76 -110
  147. package/lib/vendor/blamejs/lib/guard-message-id.js +5 -6
  148. package/lib/vendor/blamejs/lib/guard-mime.js +20 -99
  149. package/lib/vendor/blamejs/lib/guard-oauth.js +19 -73
  150. package/lib/vendor/blamejs/lib/guard-pdf.js +65 -72
  151. package/lib/vendor/blamejs/lib/guard-pop3-command.js +12 -13
  152. package/lib/vendor/blamejs/lib/guard-posture-chain.js +2 -1
  153. package/lib/vendor/blamejs/lib/guard-regex.js +24 -99
  154. package/lib/vendor/blamejs/lib/guard-saga-config.js +2 -1
  155. package/lib/vendor/blamejs/lib/guard-shell.js +22 -87
  156. package/lib/vendor/blamejs/lib/guard-smtp-command.js +8 -11
  157. package/lib/vendor/blamejs/lib/guard-sql.js +15 -13
  158. package/lib/vendor/blamejs/lib/guard-stream-args.js +2 -1
  159. package/lib/vendor/blamejs/lib/guard-svg.js +95 -140
  160. package/lib/vendor/blamejs/lib/guard-template.js +23 -80
  161. package/lib/vendor/blamejs/lib/guard-tenant-id.js +2 -1
  162. package/lib/vendor/blamejs/lib/guard-text.js +592 -0
  163. package/lib/vendor/blamejs/lib/guard-time.js +27 -95
  164. package/lib/vendor/blamejs/lib/guard-uuid.js +21 -93
  165. package/lib/vendor/blamejs/lib/guard-xml.js +76 -106
  166. package/lib/vendor/blamejs/lib/guard-yaml.js +24 -60
  167. package/lib/vendor/blamejs/lib/http-client-cache.js +5 -12
  168. package/lib/vendor/blamejs/lib/http-client-cookie-jar.js +2 -4
  169. package/lib/vendor/blamejs/lib/http-client.js +8 -21
  170. package/lib/vendor/blamejs/lib/http-message-signature.js +3 -2
  171. package/lib/vendor/blamejs/lib/i18n-messageformat.js +5 -7
  172. package/lib/vendor/blamejs/lib/i18n.js +83 -26
  173. package/lib/vendor/blamejs/lib/inbox.js +8 -8
  174. package/lib/vendor/blamejs/lib/incident-report.js +3 -21
  175. package/lib/vendor/blamejs/lib/ip-utils.js +49 -6
  176. package/lib/vendor/blamejs/lib/jobs.js +3 -2
  177. package/lib/vendor/blamejs/lib/keychain.js +6 -18
  178. package/lib/vendor/blamejs/lib/legal-hold.js +6 -15
  179. package/lib/vendor/blamejs/lib/log-stream-cloudwatch.js +44 -112
  180. package/lib/vendor/blamejs/lib/log-stream-otlp-grpc.js +17 -14
  181. package/lib/vendor/blamejs/lib/log-stream-otlp.js +16 -80
  182. package/lib/vendor/blamejs/lib/log-stream-webhook.js +20 -92
  183. package/lib/vendor/blamejs/lib/mail-arc-sign.js +8 -3
  184. package/lib/vendor/blamejs/lib/mail-arf.js +3 -2
  185. package/lib/vendor/blamejs/lib/mail-auth.js +40 -66
  186. package/lib/vendor/blamejs/lib/mail-bimi.js +19 -39
  187. package/lib/vendor/blamejs/lib/mail-crypto-pgp.js +3 -2
  188. package/lib/vendor/blamejs/lib/mail-dav.js +8 -35
  189. package/lib/vendor/blamejs/lib/mail-deploy.js +6 -9
  190. package/lib/vendor/blamejs/lib/mail-dkim.js +19 -38
  191. package/lib/vendor/blamejs/lib/mail-greylist.js +15 -26
  192. package/lib/vendor/blamejs/lib/mail-helo.js +2 -3
  193. package/lib/vendor/blamejs/lib/mail-journal.js +2 -1
  194. package/lib/vendor/blamejs/lib/mail-mdn.js +4 -3
  195. package/lib/vendor/blamejs/lib/mail-rbl.js +5 -8
  196. package/lib/vendor/blamejs/lib/mail-scan.js +2 -2
  197. package/lib/vendor/blamejs/lib/mail-send-deliver.js +33 -20
  198. package/lib/vendor/blamejs/lib/mail-server-imap.js +32 -87
  199. package/lib/vendor/blamejs/lib/mail-server-jmap.js +35 -51
  200. package/lib/vendor/blamejs/lib/mail-server-managesieve.js +29 -83
  201. package/lib/vendor/blamejs/lib/mail-server-mx.js +33 -74
  202. package/lib/vendor/blamejs/lib/mail-server-net.js +177 -0
  203. package/lib/vendor/blamejs/lib/mail-server-pop3.js +30 -83
  204. package/lib/vendor/blamejs/lib/mail-server-rate-limit.js +30 -6
  205. package/lib/vendor/blamejs/lib/mail-server-submission.js +34 -73
  206. package/lib/vendor/blamejs/lib/mail-server-tls.js +89 -0
  207. package/lib/vendor/blamejs/lib/mail-spam-score.js +7 -8
  208. package/lib/vendor/blamejs/lib/mail-store.js +3 -2
  209. package/lib/vendor/blamejs/lib/mail.js +6 -11
  210. package/lib/vendor/blamejs/lib/markup-escape.js +31 -0
  211. package/lib/vendor/blamejs/lib/markup-tokenizer.js +54 -0
  212. package/lib/vendor/blamejs/lib/mcp-tool-registry.js +26 -23
  213. package/lib/vendor/blamejs/lib/mcp.js +1 -1
  214. package/lib/vendor/blamejs/lib/mdoc.js +11 -12
  215. package/lib/vendor/blamejs/lib/metrics.js +32 -30
  216. package/lib/vendor/blamejs/lib/middleware/age-gate.js +3 -23
  217. package/lib/vendor/blamejs/lib/middleware/api-encrypt.js +11 -22
  218. package/lib/vendor/blamejs/lib/middleware/assetlinks.js +2 -7
  219. package/lib/vendor/blamejs/lib/middleware/bearer-auth.js +2 -1
  220. package/lib/vendor/blamejs/lib/middleware/body-parser.js +31 -48
  221. package/lib/vendor/blamejs/lib/middleware/bot-disclose.js +7 -10
  222. package/lib/vendor/blamejs/lib/middleware/bot-guard.js +2 -10
  223. package/lib/vendor/blamejs/lib/middleware/csrf-protect.js +13 -2
  224. package/lib/vendor/blamejs/lib/middleware/daily-byte-quota.js +6 -26
  225. package/lib/vendor/blamejs/lib/middleware/deny-response.js +19 -1
  226. package/lib/vendor/blamejs/lib/middleware/fetch-metadata.js +7 -0
  227. package/lib/vendor/blamejs/lib/middleware/idempotency-key.js +4 -20
  228. package/lib/vendor/blamejs/lib/middleware/rate-limit.js +20 -28
  229. package/lib/vendor/blamejs/lib/middleware/scim-server.js +3 -2
  230. package/lib/vendor/blamejs/lib/middleware/security-headers.js +9 -1
  231. package/lib/vendor/blamejs/lib/middleware/security-txt.js +2 -6
  232. package/lib/vendor/blamejs/lib/middleware/tus-upload.js +12 -27
  233. package/lib/vendor/blamejs/lib/middleware/web-app-manifest.js +2 -7
  234. package/lib/vendor/blamejs/lib/migrations.js +4 -13
  235. package/lib/vendor/blamejs/lib/mime-parse.js +34 -17
  236. package/lib/vendor/blamejs/lib/module-loader.js +44 -0
  237. package/lib/vendor/blamejs/lib/money.js +105 -0
  238. package/lib/vendor/blamejs/lib/mtls-ca.js +116 -36
  239. package/lib/vendor/blamejs/lib/network-byte-quota.js +4 -18
  240. package/lib/vendor/blamejs/lib/network-dane.js +8 -6
  241. package/lib/vendor/blamejs/lib/network-dns-resolver.js +97 -6
  242. package/lib/vendor/blamejs/lib/network-dnssec.js +16 -16
  243. package/lib/vendor/blamejs/lib/network-heartbeat.js +3 -2
  244. package/lib/vendor/blamejs/lib/network-smtp-policy.js +29 -41
  245. package/lib/vendor/blamejs/lib/network-tls.js +40 -42
  246. package/lib/vendor/blamejs/lib/nis2-report.js +1 -11
  247. package/lib/vendor/blamejs/lib/nonce-store.js +81 -3
  248. package/lib/vendor/blamejs/lib/numeric-bounds.js +22 -8
  249. package/lib/vendor/blamejs/lib/object-store/azure-blob-bucket-ops.js +2 -6
  250. package/lib/vendor/blamejs/lib/object-store/azure-blob.js +5 -45
  251. package/lib/vendor/blamejs/lib/object-store/gcs.js +8 -71
  252. package/lib/vendor/blamejs/lib/object-store/http-put.js +1 -5
  253. package/lib/vendor/blamejs/lib/object-store/http-request.js +128 -0
  254. package/lib/vendor/blamejs/lib/object-store/sigv4-bucket-ops.js +2 -1
  255. package/lib/vendor/blamejs/lib/object-store/sigv4.js +9 -77
  256. package/lib/vendor/blamejs/lib/observability-otlp-exporter.js +9 -25
  257. package/lib/vendor/blamejs/lib/observability.js +95 -0
  258. package/lib/vendor/blamejs/lib/openapi-paths-builder.js +7 -3
  259. package/lib/vendor/blamejs/lib/otel-export.js +7 -10
  260. package/lib/vendor/blamejs/lib/outbox.js +43 -37
  261. package/lib/vendor/blamejs/lib/pagination.js +11 -15
  262. package/lib/vendor/blamejs/lib/parsers/safe-env.js +5 -4
  263. package/lib/vendor/blamejs/lib/parsers/safe-ini.js +10 -4
  264. package/lib/vendor/blamejs/lib/parsers/safe-toml.js +11 -9
  265. package/lib/vendor/blamejs/lib/parsers/safe-xml.js +2 -2
  266. package/lib/vendor/blamejs/lib/parsers/safe-yaml.js +7 -6
  267. package/lib/vendor/blamejs/lib/pick.js +63 -5
  268. package/lib/vendor/blamejs/lib/pipl-cn.js +69 -59
  269. package/lib/vendor/blamejs/lib/privacy-pass.js +8 -6
  270. package/lib/vendor/blamejs/lib/problem-details.js +2 -5
  271. package/lib/vendor/blamejs/lib/pubsub.js +4 -8
  272. package/lib/vendor/blamejs/lib/redact.js +2 -1
  273. package/lib/vendor/blamejs/lib/render.js +4 -2
  274. package/lib/vendor/blamejs/lib/request-helpers.js +133 -6
  275. package/lib/vendor/blamejs/lib/restore.js +5 -22
  276. package/lib/vendor/blamejs/lib/retention.js +3 -5
  277. package/lib/vendor/blamejs/lib/safe-async.js +457 -0
  278. package/lib/vendor/blamejs/lib/safe-buffer.js +137 -6
  279. package/lib/vendor/blamejs/lib/safe-decompress.js +2 -1
  280. package/lib/vendor/blamejs/lib/safe-dns.js +2 -1
  281. package/lib/vendor/blamejs/lib/safe-ical.js +12 -26
  282. package/lib/vendor/blamejs/lib/safe-json.js +7 -8
  283. package/lib/vendor/blamejs/lib/safe-jsonpath.js +6 -5
  284. package/lib/vendor/blamejs/lib/safe-mime.js +25 -29
  285. package/lib/vendor/blamejs/lib/safe-redirect.js +2 -5
  286. package/lib/vendor/blamejs/lib/safe-schema.js +7 -6
  287. package/lib/vendor/blamejs/lib/safe-sql.js +126 -0
  288. package/lib/vendor/blamejs/lib/safe-vcard.js +12 -26
  289. package/lib/vendor/blamejs/lib/sandbox-worker.js +9 -2
  290. package/lib/vendor/blamejs/lib/sandbox.js +3 -2
  291. package/lib/vendor/blamejs/lib/scheduler.js +5 -12
  292. package/lib/vendor/blamejs/lib/sec-cyber.js +82 -37
  293. package/lib/vendor/blamejs/lib/seeders.js +4 -11
  294. package/lib/vendor/blamejs/lib/self-update.js +92 -69
  295. package/lib/vendor/blamejs/lib/session-device-binding.js +112 -66
  296. package/lib/vendor/blamejs/lib/session.js +194 -6
  297. package/lib/vendor/blamejs/lib/sql.js +225 -78
  298. package/lib/vendor/blamejs/lib/sse.js +6 -10
  299. package/lib/vendor/blamejs/lib/static.js +136 -98
  300. package/lib/vendor/blamejs/lib/storage.js +4 -2
  301. package/lib/vendor/blamejs/lib/structured-fields.js +275 -16
  302. package/lib/vendor/blamejs/lib/tenant-quota.js +2 -20
  303. package/lib/vendor/blamejs/lib/tsa.js +11 -15
  304. package/lib/vendor/blamejs/lib/validate-opts.js +154 -8
  305. package/lib/vendor/blamejs/lib/vault/seal-pem-file.js +30 -48
  306. package/lib/vendor/blamejs/lib/vault-aad.js +3 -2
  307. package/lib/vendor/blamejs/lib/vc.js +2 -7
  308. package/lib/vendor/blamejs/lib/vex.js +35 -13
  309. package/lib/vendor/blamejs/lib/web-push-vapid.js +23 -20
  310. package/lib/vendor/blamejs/lib/webhook-dispatcher.js +706 -0
  311. package/lib/vendor/blamejs/lib/webhook.js +43 -18
  312. package/lib/vendor/blamejs/lib/websocket-channels.js +9 -7
  313. package/lib/vendor/blamejs/lib/websocket.js +7 -3
  314. package/lib/vendor/blamejs/lib/worm.js +2 -3
  315. package/lib/vendor/blamejs/lib/ws-client.js +8 -10
  316. package/lib/vendor/blamejs/package.json +1 -1
  317. package/lib/vendor/blamejs/release-notes/v0.15.13.json +81 -0
  318. package/lib/vendor/blamejs/scripts/check-changelog-extract.js +1 -1
  319. package/lib/vendor/blamejs/test/00-primitives.js +136 -7
  320. package/lib/vendor/blamejs/test/10-state.js +9 -3
  321. package/lib/vendor/blamejs/test/30-chain.js +40 -0
  322. package/lib/vendor/blamejs/test/helpers/check.js +18 -0
  323. package/lib/vendor/blamejs/test/helpers/db.js +4 -0
  324. package/lib/vendor/blamejs/test/helpers/index.js +1 -0
  325. package/lib/vendor/blamejs/test/integration/audit-chain-external-db.test.js +2 -1
  326. package/lib/vendor/blamejs/test/integration/audit-stack-postgres.test.js +2 -1
  327. package/lib/vendor/blamejs/test/integration/data-layer-mysql.test.js +8 -1
  328. package/lib/vendor/blamejs/test/integration/data-layer-pg.test.js +1 -1
  329. package/lib/vendor/blamejs/test/integration/framework-schema-mysql.test.js +2 -1
  330. package/lib/vendor/blamejs/test/integration/webhook-dispatcher-pg.test.js +269 -0
  331. package/lib/vendor/blamejs/test/layer-0-primitives/atomic-file-fd-read.test.js +149 -0
  332. package/lib/vendor/blamejs/test/layer-0-primitives/audit-framework-namespaces.test.js +51 -0
  333. package/lib/vendor/blamejs/test/layer-0-primitives/audit-sign-anchor.test.js +88 -0
  334. package/lib/vendor/blamejs/test/layer-0-primitives/audit-use-store.test.js +55 -1
  335. package/lib/vendor/blamejs/test/layer-0-primitives/backup-object-store-adapter.test.js +2 -2
  336. package/lib/vendor/blamejs/test/layer-0-primitives/bot-guard.test.js +1 -1
  337. package/lib/vendor/blamejs/test/layer-0-primitives/bounded-map.test.js +129 -0
  338. package/lib/vendor/blamejs/test/layer-0-primitives/chain-writer-multichain.test.js +107 -0
  339. package/lib/vendor/blamejs/test/layer-0-primitives/cli-api-key.test.js +12 -0
  340. package/lib/vendor/blamejs/test/layer-0-primitives/codebase-patterns.test.js +2788 -3214
  341. package/lib/vendor/blamejs/test/layer-0-primitives/codepoint-class.test.js +78 -0
  342. package/lib/vendor/blamejs/test/layer-0-primitives/crypto-base64url.test.js +63 -0
  343. package/lib/vendor/blamejs/test/layer-0-primitives/crypto-hash-stream.test.js +2 -1
  344. package/lib/vendor/blamejs/test/layer-0-primitives/csp-builder.test.js +50 -0
  345. package/lib/vendor/blamejs/test/layer-0-primitives/csp-nonce.test.js +1 -1
  346. package/lib/vendor/blamejs/test/layer-0-primitives/daemon.test.js +2 -1
  347. package/lib/vendor/blamejs/test/layer-0-primitives/defineguard-resolve-opts.test.js +76 -0
  348. package/lib/vendor/blamejs/test/layer-0-primitives/flag.test.js +9 -0
  349. package/lib/vendor/blamejs/test/layer-0-primitives/gate-contract-content-gate.test.js +290 -0
  350. package/lib/vendor/blamejs/test/layer-0-primitives/guard-csv.test.js +84 -0
  351. package/lib/vendor/blamejs/test/layer-0-primitives/guard-email.test.js +78 -0
  352. package/lib/vendor/blamejs/test/layer-0-primitives/guard-filename.test.js +23 -0
  353. package/lib/vendor/blamejs/test/layer-0-primitives/guard-gate-disposition-coverage.test.js +93 -0
  354. package/lib/vendor/blamejs/test/layer-0-primitives/guard-html.test.js +60 -0
  355. package/lib/vendor/blamejs/test/layer-0-primitives/guard-image.test.js +184 -0
  356. package/lib/vendor/blamejs/test/layer-0-primitives/guard-imap-command.test.js +0 -0
  357. package/lib/vendor/blamejs/test/layer-0-primitives/guard-json.test.js +54 -0
  358. package/lib/vendor/blamejs/test/layer-0-primitives/guard-managesieve-command.test.js +10 -0
  359. package/lib/vendor/blamejs/test/layer-0-primitives/guard-markdown.test.js +45 -0
  360. package/lib/vendor/blamejs/test/layer-0-primitives/guard-pdf.test.js +101 -0
  361. package/lib/vendor/blamejs/test/layer-0-primitives/guard-pop3-command.test.js +18 -0
  362. package/lib/vendor/blamejs/test/layer-0-primitives/guard-svg.test.js +76 -0
  363. package/lib/vendor/blamejs/test/layer-0-primitives/guard-text.test.js +365 -0
  364. package/lib/vendor/blamejs/test/layer-0-primitives/guard-xml.test.js +35 -0
  365. package/lib/vendor/blamejs/test/layer-0-primitives/guard-yaml.test.js +36 -0
  366. package/lib/vendor/blamejs/test/layer-0-primitives/i18n.test.js +20 -0
  367. package/lib/vendor/blamejs/test/layer-0-primitives/inbox.test.js +15 -0
  368. package/lib/vendor/blamejs/test/layer-0-primitives/ip-utils.test.js +83 -0
  369. package/lib/vendor/blamejs/test/layer-0-primitives/mail-arf.test.js +10 -0
  370. package/lib/vendor/blamejs/test/layer-0-primitives/mail-auth.test.js +39 -0
  371. package/lib/vendor/blamejs/test/layer-0-primitives/mail-dkim.test.js +36 -0
  372. package/lib/vendor/blamejs/test/layer-0-primitives/mail-greylist.test.js +17 -0
  373. package/lib/vendor/blamejs/test/layer-0-primitives/mail-server-tls.test.js +39 -0
  374. package/lib/vendor/blamejs/test/layer-0-primitives/mail-store.test.js +17 -0
  375. package/lib/vendor/blamejs/test/layer-0-primitives/mime-parse.test.js +106 -0
  376. package/lib/vendor/blamejs/test/layer-0-primitives/money.test.js +17 -0
  377. package/lib/vendor/blamejs/test/layer-0-primitives/mtls-ca-revocation.test.js +98 -0
  378. package/lib/vendor/blamejs/test/layer-0-primitives/nonce-store-release.test.js +77 -0
  379. package/lib/vendor/blamejs/test/layer-0-primitives/observability.test.js +48 -0
  380. package/lib/vendor/blamejs/test/layer-0-primitives/rate-limit-memory-getorinsert.test.js +100 -0
  381. package/lib/vendor/blamejs/test/layer-0-primitives/request-helpers.test.js +88 -0
  382. package/lib/vendor/blamejs/test/layer-0-primitives/safe-async-loops.test.js +278 -0
  383. package/lib/vendor/blamejs/test/layer-0-primitives/safe-buffer-linear-scans.test.js +37 -0
  384. package/lib/vendor/blamejs/test/layer-0-primitives/safe-jsonpath.test.js +14 -0
  385. package/lib/vendor/blamejs/test/layer-0-primitives/sandbox.test.js +19 -0
  386. package/lib/vendor/blamejs/test/layer-0-primitives/security-headers.test.js +1 -1
  387. package/lib/vendor/blamejs/test/layer-0-primitives/self-update.test.js +2 -1
  388. package/lib/vendor/blamejs/test/layer-0-primitives/session-device-binding.test.js +18 -0
  389. package/lib/vendor/blamejs/test/layer-0-primitives/session-extensions.test.js +1 -1
  390. package/lib/vendor/blamejs/test/layer-0-primitives/session-valid-from.test.js +73 -0
  391. package/lib/vendor/blamejs/test/layer-0-primitives/sql.test.js +100 -0
  392. package/lib/vendor/blamejs/test/layer-0-primitives/structured-fields.test.js +80 -0
  393. package/lib/vendor/blamejs/test/layer-0-primitives/validate-opts-shape.test.js +235 -0
  394. package/lib/vendor/blamejs/test/layer-0-primitives/webhook-dispatcher.test.js +374 -0
  395. package/lib/vendor/blamejs/test/layer-0-primitives/webhook.test.js +75 -8
  396. package/lib/vendor/blamejs/test/layer-5-integration/guard-host-integration.test.js +3 -3
  397. package/package.json +1 -1
@@ -72,13 +72,12 @@
72
72
  * JWT identifier-safety guard — validates user-supplied JWT compact-serialization strings against the canonical CVE-class refuse list BEFORE hand-off to a signature verifier.
73
73
  */
74
74
 
75
- var codepointClass = require("./codepoint-class");
76
75
  var lazyRequire = require("./lazy-require");
77
76
  var gateContract = require("./gate-contract");
78
77
  var C = require("./constants");
79
- var numericBounds = require("./numeric-bounds");
80
78
  var safeJson = require("./safe-json");
81
79
  var { GuardJwtError } = require("./framework-error");
80
+ var codepointClass = require("./codepoint-class");
82
81
 
83
82
  var observability = lazyRequire(function () { return require("./observability"); });
84
83
  void observability;
@@ -118,10 +117,7 @@ function _b64urlDecodeJson(seg) {
118
117
 
119
118
  var PROFILES = Object.freeze({
120
119
  "strict": {
121
- bidiPolicy: "reject",
122
- controlPolicy: "reject",
123
- nullBytePolicy: "reject",
124
- zeroWidthPolicy: "reject",
120
+ ...gateContract.CHAR_THREATS_REJECT_ALL,
125
121
  algNonePolicy: "reject",
126
122
  algAllowlistPolicy: "reject",
127
123
  kidTraversalPolicy: "reject",
@@ -142,10 +138,7 @@ var PROFILES = Object.freeze({
142
138
  maxRuntimeMs: C.TIME.seconds(2),
143
139
  },
144
140
  "balanced": {
145
- bidiPolicy: "reject",
146
- controlPolicy: "reject",
147
- nullBytePolicy: "reject",
148
- zeroWidthPolicy: "reject",
141
+ ...gateContract.CHAR_THREATS_REJECT_ALL,
149
142
  algNonePolicy: "reject", // alg=none refused at every profile
150
143
  algAllowlistPolicy: "audit",
151
144
  kidTraversalPolicy: "reject", // kid traversal refused at every profile
@@ -166,10 +159,7 @@ var PROFILES = Object.freeze({
166
159
  maxRuntimeMs: C.TIME.seconds(2),
167
160
  },
168
161
  "permissive": {
169
- bidiPolicy: "reject", // BIDI refused at every profile
170
- controlPolicy: "reject", // controls refused at every profile
171
- nullBytePolicy: "reject", // null refused at every profile
172
- zeroWidthPolicy: "reject", // zero-width refused at every profile
162
+ ...gateContract.CHAR_THREATS_REJECT_ALL,
173
163
  algNonePolicy: "reject", // alg=none refused at every profile
174
164
  algAllowlistPolicy: "allow",
175
165
  kidTraversalPolicy: "reject", // kid traversal refused at every profile
@@ -191,55 +181,10 @@ var PROFILES = Object.freeze({
191
181
  },
192
182
  });
193
183
 
194
- var DEFAULTS = Object.freeze(Object.assign({}, PROFILES["strict"], {
195
- mode: "enforce",
196
- }));
197
-
198
- var COMPLIANCE_POSTURES = Object.freeze({
199
- "hipaa": Object.assign({}, PROFILES["strict"], {
200
- forensicSnippetBytes: C.BYTES.bytes(256),
201
- }),
202
- "pci-dss": Object.assign({}, PROFILES["strict"], {
203
- forensicSnippetBytes: C.BYTES.bytes(256),
204
- }),
205
- "gdpr": Object.assign({}, PROFILES["balanced"], {
206
- forensicSnippetBytes: C.BYTES.bytes(128),
207
- }),
208
- "soc2": Object.assign({}, PROFILES["strict"], {
209
- forensicSnippetBytes: C.BYTES.bytes(512),
210
- }),
211
- });
212
-
213
- function _resolveOpts(opts) {
214
- return gateContract.resolveProfileAndPosture(opts, {
215
- profiles: PROFILES,
216
- compliancePostures: COMPLIANCE_POSTURES,
217
- defaults: DEFAULTS,
218
- errorClass: GuardJwtError,
219
- errCodePrefix: "jwt",
220
- });
221
- }
222
-
223
184
  function _detectIssues(input, opts) {
224
- var issues = [];
225
- if (typeof input !== "string") {
226
- return [{ kind: "bad-input", severity: "high",
227
- ruleId: "jwt.bad-input",
228
- snippet: "jwt is not a string" }];
229
- }
230
- if (input.length === 0) {
231
- return [{ kind: "empty", severity: "high",
232
- ruleId: "jwt.empty",
233
- snippet: "jwt is empty" }];
234
- }
235
- if (Buffer.byteLength(input, "utf8") > opts.maxBytes) {
236
- return [{ kind: "jwt-cap", severity: "high",
237
- ruleId: "jwt.jwt-cap",
238
- snippet: "jwt input exceeds maxBytes " + opts.maxBytes }];
239
- }
240
-
241
- var charThreats = codepointClass.detectCharThreats(input, opts, "jwt");
242
- for (var ci = 0; ci < charThreats.length; ci += 1) issues.push(charThreats[ci]);
185
+ var pre = gateContract.detectStringInput(input, opts, { name: "jwt", cap: { bytes: opts.maxBytes } });
186
+ if (pre.done) return pre.issues;
187
+ var issues = pre.issues;
243
188
 
244
189
  if (!JWT_SHAPE_RE.test(input)) { // allow:regex-no-length-cap — input bounded by maxBytes
245
190
  issues.push({
@@ -490,22 +435,11 @@ function _detectIssues(input, opts) {
490
435
  * var ok = b.guardJwt.validate(benign, { profile: "strict" });
491
436
  * ok.ok; // → true
492
437
  */
493
- function validate(input, opts) {
494
- opts = _resolveOpts(opts);
495
- numericBounds.requireAllPositiveFiniteIntIfPresent(opts,
496
- ["maxBytes", "maxHeaderBytes", "maxPayloadBytes", "maxSignatureBytes",
497
- "nbfFutureSlackMs", "iatFutureSlackMs"],
498
- "guardJwt.validate", GuardJwtError, "jwt.bad-opt");
499
- if (typeof input !== "string") {
500
- return {
501
- ok: false,
502
- issues: [{ kind: "bad-input", severity: "high",
503
- ruleId: "jwt.bad-input",
504
- snippet: "jwt is not a string" }],
505
- };
506
- }
507
- return gateContract.aggregateIssues(_detectIssues(input, opts));
508
- }
438
+ // validate is assembled by gateContract.defineGuard from `detect`
439
+ // (_detectIssues) below — `validate(input, opts) = aggregateIssues(detect(
440
+ // input, resolveOpts(opts)))`, with the segment/total byte caps and slack
441
+ // windows declared via `intOpts`. The @primitive block above documents the
442
+ // resulting public ABI.
509
443
 
510
444
  /**
511
445
  * @primitive b.guardJwt.sanitize
@@ -537,15 +471,11 @@ function validate(input, opts) {
537
471
  * e.code; // → "jwt.alg-none"
538
472
  * }
539
473
  */
540
- function sanitize(input, opts) {
541
- opts = _resolveOpts(opts);
542
- if (typeof input !== "string") {
543
- throw _err("jwt.bad-input", "sanitize requires string input");
544
- }
545
- // JWT shape can't be repaired — sanitize either passes through
546
- // valid input or throws.
547
- var issues = _detectIssues(input, opts);
548
- gateContract.throwOnRefusalSeverity(issues, { errorClass: GuardJwtError, codePrefix: "jwt" });
474
+ // _sanitizeTransform the guard-specific normalize applied by defineGuard's
475
+ // generated sanitize AFTER resolve → detect → throw-on-refusal. JWT compact
476
+ // serialization can't be repaired (every byte feeds the signature), so the
477
+ // transform is identity: a validated token passes through unchanged.
478
+ function _sanitizeTransform(input) {
549
479
  return input;
550
480
  }
551
481
 
@@ -590,36 +520,23 @@ function kidSafe(kid) {
590
520
  throw _err("jwt.kid-traversal",
591
521
  "kid `" + kid + "` contains path-traversal indicators");
592
522
  }
593
- for (var i = 0; i < kid.length; i += 1) {
594
- var cc = kid.charCodeAt(i);
595
- if (cc < 0x20 || cc === 0x7F) { // control-byte boundary check
596
- throw _err("jwt.kid-control",
597
- "kid contains control byte at index " + i);
598
- }
523
+ var _kidCtl = codepointClass.firstControlCharOffset(kid, { forbidTab: true }); // control-byte boundary check
524
+ if (_kidCtl !== -1) {
525
+ throw _err("jwt.kid-control",
526
+ "kid contains control byte at index " + _kidCtl);
599
527
  }
600
528
  return kid;
601
529
  }
602
530
 
603
531
  // ---- guard-* family registry exports ----
604
- var INTEGRATION_FIXTURES = Object.freeze({
605
- kind: "identifier",
606
- // Benign: minimal v4 token with alg=ES256, valid JSON header / payload.
607
- benignBytes: Buffer.from(
608
- "eyJhbGciOiJFUzI1NiIsInR5cCI6IkpXVCJ9." +
609
- "eyJpc3MiOiJleGFtcGxlIiwiZXhwIjo5OTk5OTk5OTk5LCJpYXQiOjE3MDAwMDAwMDB9." +
610
- "sig", "utf8"),
611
- benignIdentifier:
612
- "eyJhbGciOiJFUzI1NiIsInR5cCI6IkpXVCJ9." +
532
+ // Benign: minimal v4 token with alg=ES256, valid JSON header / payload.
533
+ // Hostile: alg=none — universal refuse class.
534
+ var INTEGRATION_FIXTURES = gateContract.identifierFixtures(
535
+ "eyJhbGciOiJFUzI1NiIsInR5cCI6IkpXVCJ9." +
613
536
  "eyJpc3MiOiJleGFtcGxlIiwiZXhwIjo5OTk5OTk5OTk5LCJpYXQiOjE3MDAwMDAwMDB9." +
614
537
  "sig",
615
- // Hostile: alg=none — universal refuse class.
616
- hostileBytes: Buffer.from(
617
- "eyJhbGciOiJub25lIiwidHlwIjoiSldUIn0." +
618
- "eyJzdWIiOiJhdHRhY2tlciIsImV4cCI6OTk5OTk5OTk5OX0.", "utf8"),
619
- hostileIdentifier:
620
- "eyJhbGciOiJub25lIiwidHlwIjoiSldUIn0." +
621
- "eyJzdWIiOiJhdHRhY2tlciIsImV4cCI6OTk5OTk5OTk5OX0.",
622
- });
538
+ "eyJhbGciOiJub25lIiwidHlwIjoiSldUIn0." +
539
+ "eyJzdWIiOiJhdHRhY2tlciIsImV4cCI6OTk5OTk5OTk5OX0.");
623
540
 
624
541
  // Assembled from the gate-contract guard factory. KIND "identifier"; the
625
542
  // gate is the standard serve -> audit-only -> refuse chain over
@@ -632,11 +549,12 @@ module.exports = gateContract.defineGuard({
632
549
  kind: "identifier",
633
550
  errorClass: GuardJwtError,
634
551
  profiles: PROFILES,
635
- defaults: DEFAULTS,
636
- postures: COMPLIANCE_POSTURES,
552
+ base: 256,
637
553
  integrationFixtures: INTEGRATION_FIXTURES,
638
- validate: validate,
639
- sanitize: sanitize,
554
+ detect: _detectIssues,
555
+ sanitizeTransform: _sanitizeTransform,
556
+ intOpts: ["maxBytes", "maxHeaderBytes", "maxPayloadBytes",
557
+ "maxSignatureBytes", "nbfFutureSlackMs", "iatFutureSlackMs"],
640
558
  extra: {
641
559
  kidSafe: kidSafe,
642
560
  },
@@ -74,6 +74,7 @@
74
74
  var C = require("./constants");
75
75
  var { defineClass } = require("./framework-error");
76
76
  var gateContract = require("./gate-contract");
77
+ var codepointClass = require("./codepoint-class");
77
78
 
78
79
  var GuardListIdError = defineClass("GuardListIdError", { alwaysPermanent: true });
79
80
 
@@ -272,13 +273,7 @@ function validate(headerValue, opts) {
272
273
  // generator.
273
274
 
274
275
  function _hasControlChar(s) {
275
- for (var i = 0; i < s.length; i += 1) {
276
- var c = s.charCodeAt(i);
277
- if (c === 0x00 || c === 0x7f || (c < 0x20 && c !== 0x09)) { // RFC 5322 control + TAB allow
278
- return true;
279
- }
280
- }
281
- return false;
276
+ return codepointClass.firstControlCharOffset(s) !== -1;
282
277
  }
283
278
 
284
279
  function _refuse(reason) {
@@ -80,6 +80,7 @@ var C = require("./constants");
80
80
  var { defineClass } = require("./framework-error");
81
81
  var safeUrl = require("./safe-url");
82
82
  var gateContract = require("./gate-contract");
83
+ var codepointClass = require("./codepoint-class");
83
84
 
84
85
  var GuardListUnsubscribeError = defineClass("GuardListUnsubscribeError", { alwaysPermanent: true });
85
86
 
@@ -354,13 +355,7 @@ function _extractUris(raw, maxUris) {
354
355
  }
355
356
 
356
357
  function _hasControlChar(s) {
357
- for (var i = 0; i < s.length; i += 1) {
358
- var c = s.charCodeAt(i);
359
- if (c === 0x00 || c === 0x7f || (c < 0x20 && c !== 0x09)) { // RFC 5322 control + TAB allow
360
- return true;
361
- }
362
- }
363
- return false;
358
+ return codepointClass.firstControlCharOffset(s) !== -1;
364
359
  }
365
360
 
366
361
  function _trunc(s) {
@@ -37,6 +37,7 @@
37
37
 
38
38
  var { defineClass } = require("./framework-error");
39
39
  var gateContract = require("./gate-contract");
40
+ var codepointClass = require("./codepoint-class");
40
41
 
41
42
  var GuardMailComposeError = defineClass("GuardMailComposeError", { alwaysPermanent: true });
42
43
 
@@ -229,12 +230,10 @@ function _checkBody(body, profile, allowAlt) {
229
230
  }
230
231
 
231
232
  function _checkHeaderValue(v, label) {
232
- for (var i = 0; i < v.length; i += 1) {
233
- var c = v.charCodeAt(i);
234
- if ((c < 0x20 && c !== 0x09) || c === 0x7F) { // C0 + DEL refusal in header
235
- throw new GuardMailComposeError("mail-compose/control-char-in-header",
236
- "guardMailCompose.validate: control char 0x" + c.toString(16) + " in " + label);
237
- }
233
+ var ctrlAt = codepointClass.firstControlCharOffset(v); // C0 (except TAB) + DEL refusal in header
234
+ if (ctrlAt !== -1) {
235
+ throw new GuardMailComposeError("mail-compose/control-char-in-header",
236
+ "guardMailCompose.validate: control char 0x" + v.charCodeAt(ctrlAt).toString(16) + " in " + label);
238
237
  }
239
238
  }
240
239
 
@@ -35,6 +35,7 @@
35
35
 
36
36
  var { defineClass } = require("./framework-error");
37
37
  var gateContract = require("./gate-contract");
38
+ var codepointClass = require("./codepoint-class");
38
39
 
39
40
  var GuardMailMoveError = defineClass("GuardMailMoveError", { alwaysPermanent: true });
40
41
 
@@ -159,7 +160,7 @@ function _checkFolderName(name, label, profile) {
159
160
  }
160
161
  for (var i = 0; i < name.length; i += 1) {
161
162
  var c = name.charCodeAt(i);
162
- if (c < 0x20 || c === 0x7F) { // C0 + DEL refusal
163
+ if (codepointClass.isForbiddenControlChar(c, { forbidTab: true })) { // C0 + DEL refusal
163
164
  throw new GuardMailMoveError("mail-move/control-char-in-name",
164
165
  "guardMailMove.validate: " + label + " contains control char 0x" + c.toString(16));
165
166
  }
@@ -28,6 +28,8 @@
28
28
 
29
29
  var { defineClass } = require("./framework-error");
30
30
  var gateContract = require("./gate-contract");
31
+ var pick = require("./pick");
32
+ var boundedMap = require("./bounded-map");
31
33
 
32
34
  var GuardMailQueryError = defineClass("GuardMailQueryError", { alwaysPermanent: true });
33
35
 
@@ -211,10 +213,10 @@ function _walk(node, depth, profile, visited) {
211
213
  throw new GuardMailQueryError("mail-query/buffer-not-allowed",
212
214
  "guardMailQuery.validate: Buffer refused inside filter");
213
215
  }
214
- if (visited.has(node)) {
216
+ boundedMap.requireAbsentMember(visited, node, function () {
215
217
  throw new GuardMailQueryError("mail-query/cycle",
216
218
  "guardMailQuery.validate: cyclic filter refused");
217
- }
219
+ });
218
220
  visited.add(node);
219
221
 
220
222
  if (Array.isArray(node)) {
@@ -235,7 +237,7 @@ function _walk(node, depth, profile, visited) {
235
237
  }
236
238
  for (var ki = 0; ki < keys.length; ki += 1) {
237
239
  var k = keys[ki];
238
- if (k === "__proto__" || k === "constructor" || k === "prototype") {
240
+ if (pick.isPoisonedKey(k)) {
239
241
  throw new GuardMailQueryError("mail-query/proto-key",
240
242
  "guardMailQuery.validate: forbidden key '" + k + "'");
241
243
  }
@@ -34,6 +34,7 @@
34
34
 
35
35
  var { defineClass } = require("./framework-error");
36
36
  var gateContract = require("./gate-contract");
37
+ var codepointClass = require("./codepoint-class");
37
38
 
38
39
  var GuardMailSieveError = defineClass("GuardMailSieveError", { alwaysPermanent: true });
39
40
 
@@ -125,12 +126,10 @@ function validate(op, opts) {
125
126
  // Control-char refusal in script (NUL is always refused; other
126
127
  // C0 except CR/LF/TAB are refused too — Sieve scripts are
127
128
  // text-only per RFC 5228 §1.4).
128
- for (var j = 0; j < op.script.length; j += 1) {
129
- var c = op.script.charCodeAt(j);
130
- if (c === 0x00 || (c < 0x20 && c !== 0x09 && c !== 0x0A && c !== 0x0D) || c === 0x7F) { // NUL / C0 except TAB/LF/CR / DEL refusal
131
- throw new GuardMailSieveError("mail-sieve/control-char-in-script",
132
- "guardMailSieve.validate: control char 0x" + c.toString(16) + " at offset " + j);
133
- }
129
+ var ctrlAt = codepointClass.firstControlCharOffset(op.script, { allowLf: true, allowCr: true }); // NUL / C0 except TAB/LF/CR / DEL refusal
130
+ if (ctrlAt !== -1) {
131
+ throw new GuardMailSieveError("mail-sieve/control-char-in-script",
132
+ "guardMailSieve.validate: control char 0x" + op.script.charCodeAt(ctrlAt).toString(16) + " at offset " + ctrlAt);
134
133
  }
135
134
  }
136
135
 
@@ -169,7 +168,7 @@ function _checkName(name, profile) {
169
168
  }
170
169
  for (var i = 0; i < name.length; i += 1) {
171
170
  var c = name.charCodeAt(i);
172
- if (c < 0x20 || c === 0x7F || c === 0x2F || c === 0x5C) { // C0 / DEL / slash / backslash refusal
171
+ if (codepointClass.isForbiddenControlChar(c, { forbidTab: true }) || c === 0x2F || c === 0x5C) { // C0 / DEL / slash / backslash refusal
173
172
  throw new GuardMailSieveError("mail-sieve/bad-name-char",
174
173
  "guardMailSieve.validate: op.name contains forbidden char 0x" + c.toString(16));
175
174
  }
@@ -102,6 +102,8 @@
102
102
 
103
103
  var { defineClass } = require("./framework-error");
104
104
  var gateContract = require("./gate-contract");
105
+ var codepointClass = require("./codepoint-class");
106
+ var safeBuffer = require("./safe-buffer");
105
107
 
106
108
  var GuardManageSieveCommandError = defineClass("GuardManageSieveCommandError",
107
109
  { alwaysPermanent: true });
@@ -214,9 +216,9 @@ function validate(line, opts) {
214
216
  throw new GuardManageSieveCommandError("guard-managesieve-command/empty-line",
215
217
  "guardManageSieveCommand.validate: empty command line");
216
218
  }
217
- if (line.length > caps.maxLineBytes) {
219
+ if (safeBuffer.byteLengthOf(line) > caps.maxLineBytes) {
218
220
  throw new GuardManageSieveCommandError("guard-managesieve-command/line-too-long",
219
- "guardManageSieveCommand.validate: line " + line.length +
221
+ "guardManageSieveCommand.validate: line " + safeBuffer.byteLengthOf(line) +
220
222
  " bytes exceeds cap " + caps.maxLineBytes);
221
223
  }
222
224
 
@@ -232,8 +234,7 @@ function validate(line, opts) {
232
234
  continue;
233
235
  }
234
236
  if (inQuote) continue;
235
- if (c === 0x00 || c === 0x7F || (c < 0x20 && c !== 0x09)) { // control-byte refusal
236
- if (c === 0x0A && caps.allowBareLf) continue;
237
+ if (codepointClass.isForbiddenControlChar(c, { allowLf: caps.allowBareLf })) { // control-byte refusal (bare LF only when caps allow)
237
238
  throw new GuardManageSieveCommandError("guard-managesieve-command/bad-byte",
238
239
  "guardManageSieveCommand.validate: control byte 0x" +
239
240
  c.toString(16) + " at offset " + i); // base-16 toString radix