@blamejs/blamejs-shop 0.4.56 → 0.4.58

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (402) hide show
  1. package/CHANGELOG.md +4 -0
  2. package/lib/affiliates.js +35 -4
  3. package/lib/api-keys.js +17 -2
  4. package/lib/asset-manifest.json +1 -1
  5. package/lib/backorder.js +21 -4
  6. package/lib/click-and-collect.js +11 -2
  7. package/lib/credit-limits.js +132 -84
  8. package/lib/vendor/MANIFEST.json +426 -366
  9. package/lib/vendor/blamejs/.github/codeql/codeql-config.yml +25 -0
  10. package/lib/vendor/blamejs/.github/workflows/actions-lint.yml +3 -3
  11. package/lib/vendor/blamejs/.github/workflows/cflite_batch.yml +1 -1
  12. package/lib/vendor/blamejs/.github/workflows/cflite_pr.yml +1 -1
  13. package/lib/vendor/blamejs/.github/workflows/ci.yml +13 -13
  14. package/lib/vendor/blamejs/.github/workflows/codeql.yml +8 -7
  15. package/lib/vendor/blamejs/.github/workflows/npm-publish.yml +2 -2
  16. package/lib/vendor/blamejs/.github/workflows/release-container.yml +4 -4
  17. package/lib/vendor/blamejs/.github/workflows/scorecard.yml +1 -1
  18. package/lib/vendor/blamejs/.github/workflows/sha-to-tag-verify.yml +1 -1
  19. package/lib/vendor/blamejs/CHANGELOG.md +2 -0
  20. package/lib/vendor/blamejs/api-snapshot.json +1381 -4
  21. package/lib/vendor/blamejs/eslint.config.mjs +1 -0
  22. package/lib/vendor/blamejs/examples/wiki/lib/source-comment-block-validator.js +4 -1
  23. package/lib/vendor/blamejs/examples/wiki/lib/symbol-index.js +5 -2
  24. package/lib/vendor/blamejs/examples/wiki/routes/pages.js +4 -1
  25. package/lib/vendor/blamejs/fuzz/guard-text.fuzz.js +20 -0
  26. package/lib/vendor/blamejs/index.js +2 -0
  27. package/lib/vendor/blamejs/lib/a2a-tasks.js +7 -23
  28. package/lib/vendor/blamejs/lib/acme.js +6 -5
  29. package/lib/vendor/blamejs/lib/agent-event-bus.js +5 -4
  30. package/lib/vendor/blamejs/lib/agent-idempotency.js +2 -5
  31. package/lib/vendor/blamejs/lib/agent-orchestrator.js +2 -5
  32. package/lib/vendor/blamejs/lib/agent-saga.js +3 -5
  33. package/lib/vendor/blamejs/lib/agent-tenant.js +2 -5
  34. package/lib/vendor/blamejs/lib/ai-adverse-decision.js +2 -15
  35. package/lib/vendor/blamejs/lib/ai-capability.js +1 -6
  36. package/lib/vendor/blamejs/lib/ai-dp.js +1 -5
  37. package/lib/vendor/blamejs/lib/ai-input.js +2 -2
  38. package/lib/vendor/blamejs/lib/ai-pref.js +3 -8
  39. package/lib/vendor/blamejs/lib/ai-quota.js +3 -14
  40. package/lib/vendor/blamejs/lib/api-key.js +37 -28
  41. package/lib/vendor/blamejs/lib/archive-adapters.js +2 -4
  42. package/lib/vendor/blamejs/lib/archive-entry-policy.js +32 -0
  43. package/lib/vendor/blamejs/lib/archive-read.js +5 -17
  44. package/lib/vendor/blamejs/lib/archive-tar-read.js +5 -16
  45. package/lib/vendor/blamejs/lib/archive.js +2 -10
  46. package/lib/vendor/blamejs/lib/arg-parser.js +7 -6
  47. package/lib/vendor/blamejs/lib/asyncapi-traits.js +2 -6
  48. package/lib/vendor/blamejs/lib/atomic-file.js +108 -31
  49. package/lib/vendor/blamejs/lib/audit-chain.js +133 -53
  50. package/lib/vendor/blamejs/lib/audit-daily-review.js +24 -14
  51. package/lib/vendor/blamejs/lib/audit-emit.js +82 -0
  52. package/lib/vendor/blamejs/lib/audit-sign.js +257 -0
  53. package/lib/vendor/blamejs/lib/audit.js +84 -0
  54. package/lib/vendor/blamejs/lib/auth/access-lock.js +5 -27
  55. package/lib/vendor/blamejs/lib/auth/dpop.js +23 -35
  56. package/lib/vendor/blamejs/lib/auth/fido-mds3.js +9 -15
  57. package/lib/vendor/blamejs/lib/auth/jwt-external.js +26 -8
  58. package/lib/vendor/blamejs/lib/auth/jwt.js +13 -15
  59. package/lib/vendor/blamejs/lib/auth/lockout.js +6 -25
  60. package/lib/vendor/blamejs/lib/auth/oauth.js +67 -45
  61. package/lib/vendor/blamejs/lib/auth/oid4vci.js +55 -32
  62. package/lib/vendor/blamejs/lib/auth/oid4vp.js +3 -2
  63. package/lib/vendor/blamejs/lib/auth/openid-federation.js +6 -6
  64. package/lib/vendor/blamejs/lib/auth/passkey.js +3 -3
  65. package/lib/vendor/blamejs/lib/auth/password.js +7 -1
  66. package/lib/vendor/blamejs/lib/auth/saml.js +37 -27
  67. package/lib/vendor/blamejs/lib/auth/sd-jwt-vc-holder.js +2 -14
  68. package/lib/vendor/blamejs/lib/auth/sd-jwt-vc-issuer.js +2 -14
  69. package/lib/vendor/blamejs/lib/auth/sd-jwt-vc.js +1 -1
  70. package/lib/vendor/blamejs/lib/auth/status-list.js +7 -7
  71. package/lib/vendor/blamejs/lib/auth/step-up.js +6 -12
  72. package/lib/vendor/blamejs/lib/auth-bot-challenge.js +6 -37
  73. package/lib/vendor/blamejs/lib/backup/bundle.js +11 -18
  74. package/lib/vendor/blamejs/lib/backup/index.js +14 -47
  75. package/lib/vendor/blamejs/lib/bounded-map.js +112 -1
  76. package/lib/vendor/blamejs/lib/breach-deadline.js +1 -11
  77. package/lib/vendor/blamejs/lib/cache.js +7 -18
  78. package/lib/vendor/blamejs/lib/cbor.js +2 -1
  79. package/lib/vendor/blamejs/lib/cdn-cache-control.js +8 -9
  80. package/lib/vendor/blamejs/lib/cert.js +3 -10
  81. package/lib/vendor/blamejs/lib/chain-writer.js +162 -47
  82. package/lib/vendor/blamejs/lib/cli.js +5 -1
  83. package/lib/vendor/blamejs/lib/client-hints.js +7 -9
  84. package/lib/vendor/blamejs/lib/cloud-events.js +40 -31
  85. package/lib/vendor/blamejs/lib/cluster-storage.js +2 -38
  86. package/lib/vendor/blamejs/lib/cms-codec.js +2 -1
  87. package/lib/vendor/blamejs/lib/codepoint-class.js +67 -1
  88. package/lib/vendor/blamejs/lib/compliance-ai-act-logging.js +1 -6
  89. package/lib/vendor/blamejs/lib/compliance-ai-act-transparency.js +2 -4
  90. package/lib/vendor/blamejs/lib/compliance-eaa.js +1 -11
  91. package/lib/vendor/blamejs/lib/compliance-sanctions-fetcher.js +21 -28
  92. package/lib/vendor/blamejs/lib/compliance-sanctions.js +2 -14
  93. package/lib/vendor/blamejs/lib/compliance.js +2 -9
  94. package/lib/vendor/blamejs/lib/config-drift.js +2 -12
  95. package/lib/vendor/blamejs/lib/content-digest.js +10 -8
  96. package/lib/vendor/blamejs/lib/cookies.js +5 -11
  97. package/lib/vendor/blamejs/lib/cose.js +19 -11
  98. package/lib/vendor/blamejs/lib/cra-report.js +1 -11
  99. package/lib/vendor/blamejs/lib/crypto-field.js +5 -10
  100. package/lib/vendor/blamejs/lib/crypto.js +120 -3
  101. package/lib/vendor/blamejs/lib/csp.js +235 -3
  102. package/lib/vendor/blamejs/lib/daemon.js +42 -41
  103. package/lib/vendor/blamejs/lib/data-act.js +19 -9
  104. package/lib/vendor/blamejs/lib/db-query.js +6 -40
  105. package/lib/vendor/blamejs/lib/db.js +34 -12
  106. package/lib/vendor/blamejs/lib/dbsc.js +5 -6
  107. package/lib/vendor/blamejs/lib/ddl-change-control.js +18 -14
  108. package/lib/vendor/blamejs/lib/deprecate.js +4 -5
  109. package/lib/vendor/blamejs/lib/did.js +6 -2
  110. package/lib/vendor/blamejs/lib/dsr.js +8 -12
  111. package/lib/vendor/blamejs/lib/external-db-migrate.js +21 -22
  112. package/lib/vendor/blamejs/lib/external-db.js +14 -26
  113. package/lib/vendor/blamejs/lib/fda-21cfr11.js +12 -8
  114. package/lib/vendor/blamejs/lib/fdx.js +22 -18
  115. package/lib/vendor/blamejs/lib/file-upload.js +80 -66
  116. package/lib/vendor/blamejs/lib/flag-evaluation-context.js +5 -8
  117. package/lib/vendor/blamejs/lib/framework-error.js +12 -0
  118. package/lib/vendor/blamejs/lib/framework-schema.js +19 -0
  119. package/lib/vendor/blamejs/lib/fsm.js +7 -12
  120. package/lib/vendor/blamejs/lib/gate-contract.js +869 -38
  121. package/lib/vendor/blamejs/lib/gdpr-ropa.js +4 -13
  122. package/lib/vendor/blamejs/lib/graphql-federation.js +1 -1
  123. package/lib/vendor/blamejs/lib/guard-agent-registry.js +2 -1
  124. package/lib/vendor/blamejs/lib/guard-all.js +1 -0
  125. package/lib/vendor/blamejs/lib/guard-archive.js +9 -30
  126. package/lib/vendor/blamejs/lib/guard-auth.js +23 -80
  127. package/lib/vendor/blamejs/lib/guard-cidr.js +20 -96
  128. package/lib/vendor/blamejs/lib/guard-csv.js +135 -196
  129. package/lib/vendor/blamejs/lib/guard-domain.js +23 -106
  130. package/lib/vendor/blamejs/lib/guard-dsn.js +16 -13
  131. package/lib/vendor/blamejs/lib/guard-email.js +46 -53
  132. package/lib/vendor/blamejs/lib/guard-envelope.js +1 -1
  133. package/lib/vendor/blamejs/lib/guard-event-bus-topic.js +2 -1
  134. package/lib/vendor/blamejs/lib/guard-filename.js +12 -60
  135. package/lib/vendor/blamejs/lib/guard-graphql.js +28 -75
  136. package/lib/vendor/blamejs/lib/guard-html-wcag.js +15 -2
  137. package/lib/vendor/blamejs/lib/guard-html.js +65 -117
  138. package/lib/vendor/blamejs/lib/guard-idempotency-key.js +2 -1
  139. package/lib/vendor/blamejs/lib/guard-image.js +280 -77
  140. package/lib/vendor/blamejs/lib/guard-imap-command.js +8 -9
  141. package/lib/vendor/blamejs/lib/guard-json.js +87 -103
  142. package/lib/vendor/blamejs/lib/guard-jsonpath.js +20 -88
  143. package/lib/vendor/blamejs/lib/guard-jwt.js +32 -114
  144. package/lib/vendor/blamejs/lib/guard-list-id.js +2 -7
  145. package/lib/vendor/blamejs/lib/guard-list-unsubscribe.js +2 -7
  146. package/lib/vendor/blamejs/lib/guard-mail-compose.js +5 -6
  147. package/lib/vendor/blamejs/lib/guard-mail-move.js +2 -1
  148. package/lib/vendor/blamejs/lib/guard-mail-query.js +5 -3
  149. package/lib/vendor/blamejs/lib/guard-mail-sieve.js +6 -7
  150. package/lib/vendor/blamejs/lib/guard-managesieve-command.js +5 -4
  151. package/lib/vendor/blamejs/lib/guard-markdown.js +76 -110
  152. package/lib/vendor/blamejs/lib/guard-message-id.js +5 -6
  153. package/lib/vendor/blamejs/lib/guard-mime.js +20 -99
  154. package/lib/vendor/blamejs/lib/guard-oauth.js +19 -73
  155. package/lib/vendor/blamejs/lib/guard-pdf.js +65 -72
  156. package/lib/vendor/blamejs/lib/guard-pop3-command.js +12 -13
  157. package/lib/vendor/blamejs/lib/guard-posture-chain.js +2 -1
  158. package/lib/vendor/blamejs/lib/guard-regex.js +24 -99
  159. package/lib/vendor/blamejs/lib/guard-saga-config.js +2 -1
  160. package/lib/vendor/blamejs/lib/guard-shell.js +22 -87
  161. package/lib/vendor/blamejs/lib/guard-smtp-command.js +8 -11
  162. package/lib/vendor/blamejs/lib/guard-sql.js +15 -13
  163. package/lib/vendor/blamejs/lib/guard-stream-args.js +2 -1
  164. package/lib/vendor/blamejs/lib/guard-svg.js +95 -140
  165. package/lib/vendor/blamejs/lib/guard-template.js +23 -80
  166. package/lib/vendor/blamejs/lib/guard-tenant-id.js +2 -1
  167. package/lib/vendor/blamejs/lib/guard-text.js +592 -0
  168. package/lib/vendor/blamejs/lib/guard-time.js +27 -95
  169. package/lib/vendor/blamejs/lib/guard-uuid.js +21 -93
  170. package/lib/vendor/blamejs/lib/guard-xml.js +76 -106
  171. package/lib/vendor/blamejs/lib/guard-yaml.js +24 -60
  172. package/lib/vendor/blamejs/lib/http-client-cache.js +5 -12
  173. package/lib/vendor/blamejs/lib/http-client-cookie-jar.js +2 -4
  174. package/lib/vendor/blamejs/lib/http-client.js +8 -21
  175. package/lib/vendor/blamejs/lib/http-message-signature.js +3 -2
  176. package/lib/vendor/blamejs/lib/i18n-messageformat.js +5 -7
  177. package/lib/vendor/blamejs/lib/i18n.js +83 -26
  178. package/lib/vendor/blamejs/lib/inbox.js +8 -8
  179. package/lib/vendor/blamejs/lib/incident-report.js +3 -21
  180. package/lib/vendor/blamejs/lib/ip-utils.js +49 -6
  181. package/lib/vendor/blamejs/lib/jobs.js +3 -2
  182. package/lib/vendor/blamejs/lib/keychain.js +6 -18
  183. package/lib/vendor/blamejs/lib/legal-hold.js +6 -15
  184. package/lib/vendor/blamejs/lib/log-stream-cloudwatch.js +44 -112
  185. package/lib/vendor/blamejs/lib/log-stream-otlp-grpc.js +17 -14
  186. package/lib/vendor/blamejs/lib/log-stream-otlp.js +16 -80
  187. package/lib/vendor/blamejs/lib/log-stream-webhook.js +20 -92
  188. package/lib/vendor/blamejs/lib/mail-arc-sign.js +8 -3
  189. package/lib/vendor/blamejs/lib/mail-arf.js +3 -2
  190. package/lib/vendor/blamejs/lib/mail-auth.js +40 -66
  191. package/lib/vendor/blamejs/lib/mail-bimi.js +19 -39
  192. package/lib/vendor/blamejs/lib/mail-crypto-pgp.js +3 -2
  193. package/lib/vendor/blamejs/lib/mail-dav.js +8 -35
  194. package/lib/vendor/blamejs/lib/mail-deploy.js +6 -9
  195. package/lib/vendor/blamejs/lib/mail-dkim.js +19 -38
  196. package/lib/vendor/blamejs/lib/mail-greylist.js +15 -26
  197. package/lib/vendor/blamejs/lib/mail-helo.js +2 -3
  198. package/lib/vendor/blamejs/lib/mail-journal.js +2 -1
  199. package/lib/vendor/blamejs/lib/mail-mdn.js +4 -3
  200. package/lib/vendor/blamejs/lib/mail-rbl.js +5 -8
  201. package/lib/vendor/blamejs/lib/mail-scan.js +2 -2
  202. package/lib/vendor/blamejs/lib/mail-send-deliver.js +33 -20
  203. package/lib/vendor/blamejs/lib/mail-server-imap.js +32 -87
  204. package/lib/vendor/blamejs/lib/mail-server-jmap.js +35 -51
  205. package/lib/vendor/blamejs/lib/mail-server-managesieve.js +29 -83
  206. package/lib/vendor/blamejs/lib/mail-server-mx.js +33 -74
  207. package/lib/vendor/blamejs/lib/mail-server-net.js +177 -0
  208. package/lib/vendor/blamejs/lib/mail-server-pop3.js +30 -83
  209. package/lib/vendor/blamejs/lib/mail-server-rate-limit.js +30 -6
  210. package/lib/vendor/blamejs/lib/mail-server-submission.js +34 -73
  211. package/lib/vendor/blamejs/lib/mail-server-tls.js +89 -0
  212. package/lib/vendor/blamejs/lib/mail-spam-score.js +7 -8
  213. package/lib/vendor/blamejs/lib/mail-store.js +3 -2
  214. package/lib/vendor/blamejs/lib/mail.js +6 -11
  215. package/lib/vendor/blamejs/lib/markup-escape.js +31 -0
  216. package/lib/vendor/blamejs/lib/markup-tokenizer.js +54 -0
  217. package/lib/vendor/blamejs/lib/mcp-tool-registry.js +26 -23
  218. package/lib/vendor/blamejs/lib/mcp.js +1 -1
  219. package/lib/vendor/blamejs/lib/mdoc.js +11 -12
  220. package/lib/vendor/blamejs/lib/metrics.js +32 -30
  221. package/lib/vendor/blamejs/lib/middleware/age-gate.js +3 -23
  222. package/lib/vendor/blamejs/lib/middleware/api-encrypt.js +11 -22
  223. package/lib/vendor/blamejs/lib/middleware/assetlinks.js +2 -7
  224. package/lib/vendor/blamejs/lib/middleware/bearer-auth.js +2 -1
  225. package/lib/vendor/blamejs/lib/middleware/body-parser.js +31 -48
  226. package/lib/vendor/blamejs/lib/middleware/bot-disclose.js +7 -10
  227. package/lib/vendor/blamejs/lib/middleware/bot-guard.js +2 -10
  228. package/lib/vendor/blamejs/lib/middleware/csrf-protect.js +13 -2
  229. package/lib/vendor/blamejs/lib/middleware/daily-byte-quota.js +6 -26
  230. package/lib/vendor/blamejs/lib/middleware/deny-response.js +19 -1
  231. package/lib/vendor/blamejs/lib/middleware/fetch-metadata.js +7 -0
  232. package/lib/vendor/blamejs/lib/middleware/idempotency-key.js +4 -20
  233. package/lib/vendor/blamejs/lib/middleware/rate-limit.js +20 -28
  234. package/lib/vendor/blamejs/lib/middleware/scim-server.js +3 -2
  235. package/lib/vendor/blamejs/lib/middleware/security-headers.js +9 -1
  236. package/lib/vendor/blamejs/lib/middleware/security-txt.js +2 -6
  237. package/lib/vendor/blamejs/lib/middleware/tus-upload.js +12 -27
  238. package/lib/vendor/blamejs/lib/middleware/web-app-manifest.js +2 -7
  239. package/lib/vendor/blamejs/lib/migrations.js +4 -13
  240. package/lib/vendor/blamejs/lib/mime-parse.js +34 -17
  241. package/lib/vendor/blamejs/lib/module-loader.js +44 -0
  242. package/lib/vendor/blamejs/lib/money.js +105 -0
  243. package/lib/vendor/blamejs/lib/mtls-ca.js +116 -36
  244. package/lib/vendor/blamejs/lib/network-byte-quota.js +4 -18
  245. package/lib/vendor/blamejs/lib/network-dane.js +8 -6
  246. package/lib/vendor/blamejs/lib/network-dns-resolver.js +97 -6
  247. package/lib/vendor/blamejs/lib/network-dnssec.js +16 -16
  248. package/lib/vendor/blamejs/lib/network-heartbeat.js +3 -2
  249. package/lib/vendor/blamejs/lib/network-smtp-policy.js +29 -41
  250. package/lib/vendor/blamejs/lib/network-tls.js +40 -42
  251. package/lib/vendor/blamejs/lib/nis2-report.js +1 -11
  252. package/lib/vendor/blamejs/lib/nonce-store.js +81 -3
  253. package/lib/vendor/blamejs/lib/numeric-bounds.js +22 -8
  254. package/lib/vendor/blamejs/lib/object-store/azure-blob-bucket-ops.js +2 -6
  255. package/lib/vendor/blamejs/lib/object-store/azure-blob.js +5 -45
  256. package/lib/vendor/blamejs/lib/object-store/gcs.js +8 -71
  257. package/lib/vendor/blamejs/lib/object-store/http-put.js +1 -5
  258. package/lib/vendor/blamejs/lib/object-store/http-request.js +128 -0
  259. package/lib/vendor/blamejs/lib/object-store/sigv4-bucket-ops.js +2 -1
  260. package/lib/vendor/blamejs/lib/object-store/sigv4.js +9 -77
  261. package/lib/vendor/blamejs/lib/observability-otlp-exporter.js +9 -25
  262. package/lib/vendor/blamejs/lib/observability.js +95 -0
  263. package/lib/vendor/blamejs/lib/openapi-paths-builder.js +7 -3
  264. package/lib/vendor/blamejs/lib/otel-export.js +7 -10
  265. package/lib/vendor/blamejs/lib/outbox.js +43 -37
  266. package/lib/vendor/blamejs/lib/pagination.js +11 -15
  267. package/lib/vendor/blamejs/lib/parsers/safe-env.js +5 -4
  268. package/lib/vendor/blamejs/lib/parsers/safe-ini.js +10 -4
  269. package/lib/vendor/blamejs/lib/parsers/safe-toml.js +11 -9
  270. package/lib/vendor/blamejs/lib/parsers/safe-xml.js +2 -2
  271. package/lib/vendor/blamejs/lib/parsers/safe-yaml.js +7 -6
  272. package/lib/vendor/blamejs/lib/pick.js +63 -5
  273. package/lib/vendor/blamejs/lib/pipl-cn.js +69 -59
  274. package/lib/vendor/blamejs/lib/privacy-pass.js +8 -6
  275. package/lib/vendor/blamejs/lib/problem-details.js +2 -5
  276. package/lib/vendor/blamejs/lib/pubsub.js +4 -8
  277. package/lib/vendor/blamejs/lib/redact.js +2 -1
  278. package/lib/vendor/blamejs/lib/render.js +4 -2
  279. package/lib/vendor/blamejs/lib/request-helpers.js +133 -6
  280. package/lib/vendor/blamejs/lib/restore.js +5 -22
  281. package/lib/vendor/blamejs/lib/retention.js +3 -5
  282. package/lib/vendor/blamejs/lib/safe-async.js +457 -0
  283. package/lib/vendor/blamejs/lib/safe-buffer.js +137 -6
  284. package/lib/vendor/blamejs/lib/safe-decompress.js +2 -1
  285. package/lib/vendor/blamejs/lib/safe-dns.js +2 -1
  286. package/lib/vendor/blamejs/lib/safe-ical.js +12 -26
  287. package/lib/vendor/blamejs/lib/safe-json.js +7 -8
  288. package/lib/vendor/blamejs/lib/safe-jsonpath.js +6 -5
  289. package/lib/vendor/blamejs/lib/safe-mime.js +25 -29
  290. package/lib/vendor/blamejs/lib/safe-redirect.js +2 -5
  291. package/lib/vendor/blamejs/lib/safe-schema.js +7 -6
  292. package/lib/vendor/blamejs/lib/safe-sql.js +126 -0
  293. package/lib/vendor/blamejs/lib/safe-vcard.js +12 -26
  294. package/lib/vendor/blamejs/lib/sandbox-worker.js +9 -2
  295. package/lib/vendor/blamejs/lib/sandbox.js +3 -2
  296. package/lib/vendor/blamejs/lib/scheduler.js +5 -12
  297. package/lib/vendor/blamejs/lib/sec-cyber.js +82 -37
  298. package/lib/vendor/blamejs/lib/seeders.js +4 -11
  299. package/lib/vendor/blamejs/lib/self-update.js +92 -69
  300. package/lib/vendor/blamejs/lib/session-device-binding.js +112 -66
  301. package/lib/vendor/blamejs/lib/session.js +194 -6
  302. package/lib/vendor/blamejs/lib/sql.js +225 -78
  303. package/lib/vendor/blamejs/lib/sse.js +6 -10
  304. package/lib/vendor/blamejs/lib/static.js +136 -98
  305. package/lib/vendor/blamejs/lib/storage.js +4 -2
  306. package/lib/vendor/blamejs/lib/structured-fields.js +275 -16
  307. package/lib/vendor/blamejs/lib/tenant-quota.js +2 -20
  308. package/lib/vendor/blamejs/lib/tsa.js +11 -15
  309. package/lib/vendor/blamejs/lib/validate-opts.js +154 -8
  310. package/lib/vendor/blamejs/lib/vault/seal-pem-file.js +30 -48
  311. package/lib/vendor/blamejs/lib/vault-aad.js +3 -2
  312. package/lib/vendor/blamejs/lib/vc.js +2 -7
  313. package/lib/vendor/blamejs/lib/vex.js +35 -13
  314. package/lib/vendor/blamejs/lib/web-push-vapid.js +23 -20
  315. package/lib/vendor/blamejs/lib/webhook-dispatcher.js +706 -0
  316. package/lib/vendor/blamejs/lib/webhook.js +43 -18
  317. package/lib/vendor/blamejs/lib/websocket-channels.js +9 -7
  318. package/lib/vendor/blamejs/lib/websocket.js +7 -3
  319. package/lib/vendor/blamejs/lib/worm.js +2 -3
  320. package/lib/vendor/blamejs/lib/ws-client.js +8 -10
  321. package/lib/vendor/blamejs/package.json +1 -1
  322. package/lib/vendor/blamejs/release-notes/v0.15.13.json +81 -0
  323. package/lib/vendor/blamejs/scripts/check-changelog-extract.js +1 -1
  324. package/lib/vendor/blamejs/test/00-primitives.js +136 -7
  325. package/lib/vendor/blamejs/test/10-state.js +9 -3
  326. package/lib/vendor/blamejs/test/30-chain.js +40 -0
  327. package/lib/vendor/blamejs/test/helpers/check.js +18 -0
  328. package/lib/vendor/blamejs/test/helpers/db.js +4 -0
  329. package/lib/vendor/blamejs/test/helpers/index.js +1 -0
  330. package/lib/vendor/blamejs/test/integration/audit-chain-external-db.test.js +2 -1
  331. package/lib/vendor/blamejs/test/integration/audit-stack-postgres.test.js +2 -1
  332. package/lib/vendor/blamejs/test/integration/data-layer-mysql.test.js +8 -1
  333. package/lib/vendor/blamejs/test/integration/data-layer-pg.test.js +1 -1
  334. package/lib/vendor/blamejs/test/integration/framework-schema-mysql.test.js +2 -1
  335. package/lib/vendor/blamejs/test/integration/webhook-dispatcher-pg.test.js +269 -0
  336. package/lib/vendor/blamejs/test/layer-0-primitives/atomic-file-fd-read.test.js +149 -0
  337. package/lib/vendor/blamejs/test/layer-0-primitives/audit-framework-namespaces.test.js +51 -0
  338. package/lib/vendor/blamejs/test/layer-0-primitives/audit-sign-anchor.test.js +88 -0
  339. package/lib/vendor/blamejs/test/layer-0-primitives/audit-use-store.test.js +55 -1
  340. package/lib/vendor/blamejs/test/layer-0-primitives/backup-object-store-adapter.test.js +2 -2
  341. package/lib/vendor/blamejs/test/layer-0-primitives/bot-guard.test.js +1 -1
  342. package/lib/vendor/blamejs/test/layer-0-primitives/bounded-map.test.js +129 -0
  343. package/lib/vendor/blamejs/test/layer-0-primitives/chain-writer-multichain.test.js +107 -0
  344. package/lib/vendor/blamejs/test/layer-0-primitives/cli-api-key.test.js +12 -0
  345. package/lib/vendor/blamejs/test/layer-0-primitives/codebase-patterns.test.js +2788 -3214
  346. package/lib/vendor/blamejs/test/layer-0-primitives/codepoint-class.test.js +78 -0
  347. package/lib/vendor/blamejs/test/layer-0-primitives/crypto-base64url.test.js +63 -0
  348. package/lib/vendor/blamejs/test/layer-0-primitives/crypto-hash-stream.test.js +2 -1
  349. package/lib/vendor/blamejs/test/layer-0-primitives/csp-builder.test.js +50 -0
  350. package/lib/vendor/blamejs/test/layer-0-primitives/csp-nonce.test.js +1 -1
  351. package/lib/vendor/blamejs/test/layer-0-primitives/daemon.test.js +2 -1
  352. package/lib/vendor/blamejs/test/layer-0-primitives/defineguard-resolve-opts.test.js +76 -0
  353. package/lib/vendor/blamejs/test/layer-0-primitives/flag.test.js +9 -0
  354. package/lib/vendor/blamejs/test/layer-0-primitives/gate-contract-content-gate.test.js +290 -0
  355. package/lib/vendor/blamejs/test/layer-0-primitives/guard-csv.test.js +84 -0
  356. package/lib/vendor/blamejs/test/layer-0-primitives/guard-email.test.js +78 -0
  357. package/lib/vendor/blamejs/test/layer-0-primitives/guard-filename.test.js +23 -0
  358. package/lib/vendor/blamejs/test/layer-0-primitives/guard-gate-disposition-coverage.test.js +93 -0
  359. package/lib/vendor/blamejs/test/layer-0-primitives/guard-html.test.js +60 -0
  360. package/lib/vendor/blamejs/test/layer-0-primitives/guard-image.test.js +184 -0
  361. package/lib/vendor/blamejs/test/layer-0-primitives/guard-imap-command.test.js +0 -0
  362. package/lib/vendor/blamejs/test/layer-0-primitives/guard-json.test.js +54 -0
  363. package/lib/vendor/blamejs/test/layer-0-primitives/guard-managesieve-command.test.js +10 -0
  364. package/lib/vendor/blamejs/test/layer-0-primitives/guard-markdown.test.js +45 -0
  365. package/lib/vendor/blamejs/test/layer-0-primitives/guard-pdf.test.js +101 -0
  366. package/lib/vendor/blamejs/test/layer-0-primitives/guard-pop3-command.test.js +18 -0
  367. package/lib/vendor/blamejs/test/layer-0-primitives/guard-svg.test.js +76 -0
  368. package/lib/vendor/blamejs/test/layer-0-primitives/guard-text.test.js +365 -0
  369. package/lib/vendor/blamejs/test/layer-0-primitives/guard-xml.test.js +35 -0
  370. package/lib/vendor/blamejs/test/layer-0-primitives/guard-yaml.test.js +36 -0
  371. package/lib/vendor/blamejs/test/layer-0-primitives/i18n.test.js +20 -0
  372. package/lib/vendor/blamejs/test/layer-0-primitives/inbox.test.js +15 -0
  373. package/lib/vendor/blamejs/test/layer-0-primitives/ip-utils.test.js +83 -0
  374. package/lib/vendor/blamejs/test/layer-0-primitives/mail-arf.test.js +10 -0
  375. package/lib/vendor/blamejs/test/layer-0-primitives/mail-auth.test.js +39 -0
  376. package/lib/vendor/blamejs/test/layer-0-primitives/mail-dkim.test.js +36 -0
  377. package/lib/vendor/blamejs/test/layer-0-primitives/mail-greylist.test.js +17 -0
  378. package/lib/vendor/blamejs/test/layer-0-primitives/mail-server-tls.test.js +39 -0
  379. package/lib/vendor/blamejs/test/layer-0-primitives/mail-store.test.js +17 -0
  380. package/lib/vendor/blamejs/test/layer-0-primitives/mime-parse.test.js +106 -0
  381. package/lib/vendor/blamejs/test/layer-0-primitives/money.test.js +17 -0
  382. package/lib/vendor/blamejs/test/layer-0-primitives/mtls-ca-revocation.test.js +98 -0
  383. package/lib/vendor/blamejs/test/layer-0-primitives/nonce-store-release.test.js +77 -0
  384. package/lib/vendor/blamejs/test/layer-0-primitives/observability.test.js +48 -0
  385. package/lib/vendor/blamejs/test/layer-0-primitives/rate-limit-memory-getorinsert.test.js +100 -0
  386. package/lib/vendor/blamejs/test/layer-0-primitives/request-helpers.test.js +88 -0
  387. package/lib/vendor/blamejs/test/layer-0-primitives/safe-async-loops.test.js +278 -0
  388. package/lib/vendor/blamejs/test/layer-0-primitives/safe-buffer-linear-scans.test.js +37 -0
  389. package/lib/vendor/blamejs/test/layer-0-primitives/safe-jsonpath.test.js +14 -0
  390. package/lib/vendor/blamejs/test/layer-0-primitives/sandbox.test.js +19 -0
  391. package/lib/vendor/blamejs/test/layer-0-primitives/security-headers.test.js +1 -1
  392. package/lib/vendor/blamejs/test/layer-0-primitives/self-update.test.js +2 -1
  393. package/lib/vendor/blamejs/test/layer-0-primitives/session-device-binding.test.js +18 -0
  394. package/lib/vendor/blamejs/test/layer-0-primitives/session-extensions.test.js +1 -1
  395. package/lib/vendor/blamejs/test/layer-0-primitives/session-valid-from.test.js +73 -0
  396. package/lib/vendor/blamejs/test/layer-0-primitives/sql.test.js +100 -0
  397. package/lib/vendor/blamejs/test/layer-0-primitives/structured-fields.test.js +80 -0
  398. package/lib/vendor/blamejs/test/layer-0-primitives/validate-opts-shape.test.js +235 -0
  399. package/lib/vendor/blamejs/test/layer-0-primitives/webhook-dispatcher.test.js +374 -0
  400. package/lib/vendor/blamejs/test/layer-0-primitives/webhook.test.js +75 -8
  401. package/lib/vendor/blamejs/test/layer-5-integration/guard-host-integration.test.js +3 -3
  402. package/package.json +1 -1
@@ -207,20 +207,24 @@ function _memoryStore() {
207
207
  */
208
208
  function create(opts) {
209
209
  opts = opts || {};
210
- validateOpts(opts, [
211
- "audit", "approvers", "windowSpec", "posture", "signWith",
212
- "verifyWith", "store", "now", "selfApproval",
213
- ], "ddlChangeControl.create");
214
- validateOpts.auditShape(opts.audit, "ddlChangeControl",
215
- DdlChangeControlError, "ddl-change-control/bad-audit");
216
- validateOpts.optionalFunction(opts.signWith,
217
- "ddlChangeControl: signWith", DdlChangeControlError, "ddl-change-control/bad-signer");
218
- validateOpts.optionalFunction(opts.verifyWith,
219
- "ddlChangeControl: verifyWith", DdlChangeControlError, "ddl-change-control/bad-verifier");
220
- validateOpts.optionalFunction(opts.now,
221
- "ddlChangeControl: now", DdlChangeControlError, "ddl-change-control/bad-now");
222
- validateOpts.optionalNonEmptyString(opts.posture,
223
- "ddlChangeControl: posture", DdlChangeControlError, "ddl-change-control/bad-posture");
210
+ validateOpts.shape(opts, {
211
+ audit: function (value) {
212
+ validateOpts.auditShape(value, "ddlChangeControl",
213
+ DdlChangeControlError, "ddl-change-control/bad-audit");
214
+ },
215
+ signWith: { rule: "optional-function", code: "ddl-change-control/bad-signer" },
216
+ verifyWith: { rule: "optional-function", code: "ddl-change-control/bad-verifier" },
217
+ now: { rule: "optional-function", code: "ddl-change-control/bad-now" },
218
+ posture: { rule: "optional-string", code: "ddl-change-control/bad-posture" },
219
+ // approvers / windowSpec / store keep their own bespoke validation in
220
+ // the factory body (distinct error codes, floor semantics, the window
221
+ // grammar parser, the silent in-memory fallback) — declared here so the
222
+ // exhaustive contract accepts them while the body remains authoritative.
223
+ approvers: function () {},
224
+ windowSpec: function () {},
225
+ store: function () {},
226
+ selfApproval: { rule: "optional-boolean", code: "ddl-change-control/bad-self-approval" },
227
+ }, "ddlChangeControl", DdlChangeControlError, "ddl-change-control/bad-posture");
224
228
 
225
229
  var approvers = 2;
226
230
  if (opts.approvers !== undefined) {
@@ -48,6 +48,7 @@
48
48
 
49
49
  var safeEnv = require("./parsers/safe-env");
50
50
  var validateOpts = require("./validate-opts");
51
+ var boundedMap = require("./bounded-map");
51
52
  var { FrameworkError } = require("./framework-error");
52
53
 
53
54
  class DeprecateError extends FrameworkError {
@@ -131,9 +132,8 @@ function warn(name, opts) {
131
132
  _validateOpts(opts, "warn");
132
133
 
133
134
  var key = name + ":" + opts.since;
134
- var entry = _seen.get(key);
135
- if (!entry) {
136
- entry = {
135
+ var entry = boundedMap.getOrInsert(_seen, key, function () {
136
+ return {
137
137
  name: name,
138
138
  since: opts.since,
139
139
  removeIn: opts.removeIn,
@@ -142,8 +142,7 @@ function warn(name, opts) {
142
142
  callCount: 0,
143
143
  firstSeen: new Date().toISOString(),
144
144
  };
145
- _seen.set(key, entry);
146
- }
145
+ });
147
146
  entry.callCount++;
148
147
 
149
148
  var mode = _modeFromEnv();
@@ -46,6 +46,7 @@
46
46
  */
47
47
 
48
48
  var nodeCrypto = require("node:crypto");
49
+ var bCrypto = require("./crypto");
49
50
  var safeJson = require("./safe-json");
50
51
  var validateOpts = require("./validate-opts");
51
52
  var { defineClass } = require("./framework-error");
@@ -380,8 +381,11 @@ function _jwkToKey(jwk) {
380
381
  throw new DidError("did/unsupported-key",
381
382
  "did: verificationMethod publicKeyJwk has unsupported kty/crv (" + jwk.kty + "/" + jwk.crv + ")");
382
383
  }
383
- try { return nodeCrypto.createPublicKey({ key: jwk, format: "jwk" }); }
384
- catch (e) { throw new DidError("did/bad-key", "did: verificationMethod publicKeyJwk is invalid: " + ((e && e.message) || e)); }
384
+ return bCrypto.importPublicJwk(jwk, {
385
+ errorClass: DidError,
386
+ code: "did/bad-key",
387
+ messagePrefix: "did: verificationMethod publicKeyJwk is invalid: ",
388
+ });
385
389
  }
386
390
 
387
391
  // Extract verification methods from a DID document → KeyObjects.
@@ -114,6 +114,7 @@ var bCrypto = require("./crypto");
114
114
  var lazyRequire = require("./lazy-require");
115
115
  var validateOpts = require("./validate-opts");
116
116
  var safeSql = require("./safe-sql");
117
+ var boundedMap = require("./bounded-map");
117
118
  var { defineClass } = require("./framework-error");
118
119
 
119
120
  var DsrError = defineClass("DsrError", { alwaysPermanent: true });
@@ -372,10 +373,7 @@ function create(opts) {
372
373
  } catch (_e) { /* drop-silent — audit sink */ }
373
374
  }
374
375
 
375
- function _emitMetric(verb, n, labels) {
376
- try { observability().safeEvent("dsr." + verb, n || 1, labels || {}); }
377
- catch (_e) { /* drop-silent */ }
378
- }
376
+ var _emitMetric = observability().namespaced("dsr");
379
377
 
380
378
  function _newTicketId() {
381
379
  var ts = String(Date.now()).slice(-7); // last 7 chars of unix-ms timestamp; collision-resistant when paired with the random suffix
@@ -894,10 +892,10 @@ function memoryTicketStore() {
894
892
  var byId = new Map();
895
893
  return {
896
894
  insert: async function (ticket) {
897
- if (byId.has(ticket.id)) {
895
+ boundedMap.requireAbsent(byId, ticket.id, function () {
898
896
  throw new DsrError("dsr/duplicate-ticket-id",
899
897
  "memoryTicketStore: duplicate ticket id " + ticket.id);
900
- }
898
+ });
901
899
  byId.set(ticket.id, Object.assign({}, ticket));
902
900
  },
903
901
  get: async function (id) {
@@ -919,10 +917,10 @@ function memoryTicketStore() {
919
917
  return out;
920
918
  },
921
919
  update: async function (id, ticket) {
922
- if (!byId.has(id)) {
920
+ boundedMap.requirePresent(byId, id, function () {
923
921
  throw new DsrError("dsr/ticket-not-found",
924
922
  "memoryTicketStore: ticket " + id + " not found for update");
925
- }
923
+ });
926
924
  byId.set(id, Object.assign({}, ticket));
927
925
  },
928
926
  delete: async function (id) {
@@ -1023,10 +1021,8 @@ function _ensureDsrSealTable() {
1023
1021
  function dbTicketStore(opts) {
1024
1022
  opts = opts || {};
1025
1023
  var db = opts.db;
1026
- if (!db || typeof db.runSql !== "function" || typeof db.prepare !== "function") {
1027
- throw new DsrError("dsr/bad-db",
1028
- "dbTicketStore: opts.db must be a b.db-shaped handle (with runSql + prepare)");
1029
- }
1024
+ validateOpts.requireMethods(db, ["runSql", "prepare"],
1025
+ "dbTicketStore: opts.db (b.db-shaped handle)", DsrError, "dsr/bad-db");
1030
1026
  var tableRaw = opts.table || "dsr_tickets";
1031
1027
  var qTable, qEmailIdx, qStatusIdx;
1032
1028
  try {
@@ -49,6 +49,7 @@
49
49
  * - externaldb.migrate.lock.released { holder }
50
50
  */
51
51
  var nodePath = require("node:path");
52
+ var moduleLoader = require("./module-loader");
52
53
  var atomicFile = require("./atomic-file");
53
54
  var canonicalJson = require("./canonical-json");
54
55
  var { sha3Hash } = require("./crypto");
@@ -379,19 +380,10 @@ function _list(dir) {
379
380
  }
380
381
 
381
382
  function _loadMigration(file, dir) {
382
- var fullPath = nodePath.join(dir, file);
383
- // Drop the require cache so a test/dev that edits a file picks up the
384
- // new content. Matches lib/migrations.js semantics.
385
- try { delete require.cache[require.resolve(fullPath)]; } catch (_e) { /* not yet cached */ }
386
- var mod;
387
- // Operator-supplied migration file — dynamic by design, won't survive
388
- // SEA / pkg bundling. External DB migration tooling is host-CLI scope,
389
- // not framework-internal scope.
390
- try { mod = require(fullPath); } // allow:dynamic-require — operator-supplied migration
391
- catch (e) {
392
- throw _err("externaldb-migrate/load-failed",
383
+ var mod = moduleLoader.requireFresh(nodePath.join(dir, file), function (e) {
384
+ return _err("externaldb-migrate/load-failed",
393
385
  "migration '" + file + "' failed to load: " + ((e && e.message) || String(e)));
394
- }
386
+ });
395
387
  if (!mod || typeof mod.up !== "function") {
396
388
  throw _err("externaldb-migrate/missing-up",
397
389
  "migration '" + file + "' must export an `up(xdb, ctx)` function");
@@ -437,16 +429,23 @@ function _resolveBackendName(opts) {
437
429
 
438
430
  function create(opts) {
439
431
  opts = opts || {};
440
- validateOpts(opts, [
441
- "dir", "backend", "audit", "staleAfterMs",
442
- "schemaIntrospect", "ranBy", "signHistory",
443
- ], "b.externalDb.migrate");
444
- validateOpts.requireNonEmptyString(opts.dir, "externalDb.migrate.create: opts.dir (path to migrations directory)", ExternalDbMigrateError, "externaldb-migrate/no-dir");
445
- validateOpts.optionalFiniteNonNegative(opts.staleAfterMs, "externalDb.migrate: staleAfterMs", ExternalDbMigrateError, "externaldb-migrate/bad-stale");
446
- validateOpts.auditShape(opts.audit, "externalDb.migrate", ExternalDbMigrateError, "externaldb-migrate/bad-audit");
447
- validateOpts.optionalFunction(opts.schemaIntrospect,
448
- "externalDb.migrate: schemaIntrospect", ExternalDbMigrateError,
449
- "externaldb-migrate/bad-introspect");
432
+ validateOpts.shape(opts, {
433
+ dir: { rule: "required-string", code: "externaldb-migrate/no-dir",
434
+ label: "externalDb.migrate.create: opts.dir (path to migrations directory)" },
435
+ staleAfterMs: { rule: "optional-non-negative", code: "externaldb-migrate/bad-stale",
436
+ label: "externalDb.migrate: staleAfterMs" },
437
+ audit: function (value) {
438
+ validateOpts.auditShape(value, "externalDb.migrate", ExternalDbMigrateError, "externaldb-migrate/bad-audit");
439
+ },
440
+ schemaIntrospect: { rule: "optional-function", code: "externaldb-migrate/bad-introspect",
441
+ label: "externalDb.migrate: schemaIntrospect" },
442
+ backend: { rule: "optional-string", code: "externaldb-migrate/bad-backend",
443
+ label: "externalDb.migrate: backend (externalDb backend name)" },
444
+ ranBy: { rule: "optional-string", code: "externaldb-migrate/bad-ran-by",
445
+ label: "externalDb.migrate: ranBy (schema-history actor)" },
446
+ signHistory: { rule: "optional-boolean", code: "externaldb-migrate/bad-sign-history",
447
+ label: "externalDb.migrate: signHistory" },
448
+ }, "externalDb.migrate", ExternalDbMigrateError, "externaldb-migrate/bad-opt");
450
449
  var dir = opts.dir;
451
450
  var audit = opts.audit || null;
452
451
  var schemaIntrospect = typeof opts.schemaIntrospect === "function"
@@ -36,7 +36,9 @@
36
36
  * External-database integration for app data — Postgres / MySQL / SQLite / MongoDB connection pooling, retry, circuit breaker, classification routing, residency enforcement, and audit hooks.
37
37
  */
38
38
  var retryHelper = require("./retry");
39
+ var safeBuffer = require("./safe-buffer");
39
40
  var bCrypto = require("./crypto");
41
+ var numericBounds = require("./numeric-bounds");
40
42
  var C = require("./constants");
41
43
  var dbRoleContext = require("./db-role-context");
42
44
  var externalDbMigrate = require("./external-db-migrate");
@@ -45,6 +47,7 @@ var { boot } = require("./log");
45
47
  var safeAsync = require("./safe-async");
46
48
  var safeSql = require("./safe-sql");
47
49
  var validateOpts = require("./validate-opts");
50
+ var codepointClass = require("./codepoint-class");
48
51
  var { ExternalDbError } = require("./framework-error");
49
52
 
50
53
  var log = boot("external-db");
@@ -417,11 +420,7 @@ function _otelDbAttributes(b, sql, includeStatement) {
417
420
  // legitimately-quoted relation name still surfaces in the audit row.
418
421
  var _RELATION_RE = /\b(?:FROM|INTO|UPDATE|JOIN|TABLE|COPY)\s+((?:"[^"]+"|`[^`]+`|[A-Za-z_][\w$]*)(?:\.(?:"[^"]+"|`[^`]+`|[A-Za-z_][\w$]*))?)/ig;
419
422
  function _hasControlChar(s) {
420
- for (var i = 0; i < s.length; i += 1) {
421
- var c = s.charCodeAt(i);
422
- if (c < 0x20 || c === 0x7f) return true;
423
- }
424
- return false;
423
+ return codepointClass.firstControlCharOffset(s, { forbidTab: true }) !== -1;
425
424
  }
426
425
  function _extractTargetRelation(sql) {
427
426
  if (typeof sql !== "string" || sql.length === 0) return null;
@@ -747,7 +746,7 @@ function init(opts) {
747
746
  throw _err("INVALID_CONFIG",
748
747
  "backend '" + name + "': applicationName must not contain CR, LF, or NUL characters", true);
749
748
  }
750
- if (applicationName.length > C.BYTES.bytes(63)) {
749
+ if (safeBuffer.byteLengthOf(applicationName) > C.BYTES.bytes(63)) {
751
750
  throw _err("INVALID_CONFIG",
752
751
  "backend '" + name + "': applicationName exceeds Postgres 63-byte limit (got " +
753
752
  applicationName.length + ")", true);
@@ -1440,7 +1439,7 @@ function _buildSessionGucsStatements(sessionGucs) {
1440
1439
  // that bloats query logs and consumes max_stack_depth. The cap
1441
1440
  // is generous for legitimate tenant identifiers but rejects
1442
1441
  // amplification.
1443
- if (value.length > C.BYTES.kib(4)) {
1442
+ if (safeBuffer.byteLengthOf(value) > C.BYTES.kib(4)) {
1444
1443
  throw _err("INVALID_SESSION_GUCS",
1445
1444
  "sessionGucs['" + name + "']: value exceeds 4 KiB cap (got " +
1446
1445
  value.length + " chars)", true);
@@ -1725,11 +1724,9 @@ function _buildReplicas(backendName, cfg) {
1725
1724
  "backend '" + backendName + "': replicas[" + i + "].query must be a function", true);
1726
1725
  }
1727
1726
  var weight = r.weight !== undefined ? r.weight : 1;
1728
- if (typeof weight !== "number" || !isFinite(weight) || weight <= 0 ||
1729
- Math.floor(weight) !== weight) {
1730
- throw _err("INVALID_CONFIG",
1731
- "backend '" + backendName + "': replicas[" + i + "].weight must be a positive integer", true);
1732
- }
1727
+ numericBounds.requirePositiveFiniteInt(weight,
1728
+ "backend '" + backendName + "': replicas[" + i + "].weight", ExternalDbError,
1729
+ "INVALID_CONFIG", null, { permanent: true });
1733
1730
  var replicaTag = r.residencyTag || "unrestricted";
1734
1731
  var allowCrossBorder = r.allowCrossBorder === true;
1735
1732
  if (!_residencyCompatible(primaryTag, replicaTag) && !allowCrossBorder) {
@@ -2066,15 +2063,9 @@ function configurePool(backendName, opts) {
2066
2063
  "configurePool: unknown option '" + k + "'. Allowed: " + allowed.join(", "), true);
2067
2064
  }
2068
2065
  }
2069
- function _requirePosInt(name, value) {
2070
- if (typeof value !== "number" || !isFinite(value) || value <= 0 || Math.floor(value) !== value) {
2071
- throw _err("INVALID_CONFIG",
2072
- "configurePool: " + name + " must be a positive integer, got " + JSON.stringify(value), true);
2073
- }
2074
- }
2075
- if (opts.min !== undefined) _requirePosInt("min", opts.min);
2076
- if (opts.max !== undefined) _requirePosInt("max", opts.max);
2077
- if (opts.idleTimeoutMs !== undefined) _requirePosInt("idleTimeoutMs", opts.idleTimeoutMs);
2066
+ numericBounds.requireAllPositiveFiniteIntIfPresent(opts,
2067
+ ["min", "max", "idleTimeoutMs"], "configurePool", ExternalDbError,
2068
+ "INVALID_CONFIG", { permanent: true });
2078
2069
  if (opts.min !== undefined && opts.max !== undefined && opts.min > opts.max) {
2079
2070
  throw _err("INVALID_CONFIG", "configurePool: min must be <= max", true);
2080
2071
  }
@@ -2146,11 +2137,8 @@ function _connectAs(rawConnect, query, opts) {
2146
2137
  throw _err("INVALID_CONFIG", "connectAs: applicationName must be a string", true);
2147
2138
  }
2148
2139
  if (opts.statementTimeoutMs !== undefined) {
2149
- if (typeof opts.statementTimeoutMs !== "number" || !isFinite(opts.statementTimeoutMs) ||
2150
- opts.statementTimeoutMs <= 0 || Math.floor(opts.statementTimeoutMs) !== opts.statementTimeoutMs) {
2151
- throw _err("INVALID_CONFIG",
2152
- "connectAs: statementTimeoutMs must be a positive integer", true);
2153
- }
2140
+ numericBounds.requirePositiveFiniteIntIfPresent(opts.statementTimeoutMs,
2141
+ "connectAs: statementTimeoutMs", ExternalDbError, "INVALID_CONFIG", { permanent: true });
2154
2142
  }
2155
2143
  if (opts.gucs !== undefined && (typeof opts.gucs !== "object" || opts.gucs === null)) {
2156
2144
  throw _err("INVALID_CONFIG", "connectAs: gucs must be an object", true);
@@ -181,14 +181,18 @@ function posture(opts) {
181
181
  "audit", "signWith", "verifyWith", "meanings", "gxpNamespaces",
182
182
  "interceptAudit", "now",
183
183
  ], "fda21cfr11.posture");
184
- validateOpts.auditShape(opts.audit, "fda21cfr11.posture",
185
- Fda21Cfr11Error, "fda21cfr11/bad-audit");
186
- validateOpts.optionalFunction(opts.signWith,
187
- "fda21cfr11.posture: signWith", Fda21Cfr11Error, "fda21cfr11/bad-signer");
188
- validateOpts.optionalFunction(opts.verifyWith,
189
- "fda21cfr11.posture: verifyWith", Fda21Cfr11Error, "fda21cfr11/bad-verifier");
190
- validateOpts.optionalFunction(opts.now,
191
- "fda21cfr11.posture: now", Fda21Cfr11Error, "fda21cfr11/bad-now");
184
+ validateOpts.shape(opts, {
185
+ audit: function (value) {
186
+ validateOpts.auditShape(value, "fda21cfr11.posture",
187
+ Fda21Cfr11Error, "fda21cfr11/bad-audit");
188
+ },
189
+ signWith: { rule: "optional-function", code: "fda21cfr11/bad-signer" },
190
+ verifyWith: { rule: "optional-function", code: "fda21cfr11/bad-verifier" },
191
+ now: { rule: "optional-function", code: "fda21cfr11/bad-now" },
192
+ meanings: { rule: "optional-string-array", code: "fda21cfr11/bad-meanings" },
193
+ gxpNamespaces: { rule: "optional-string-array", code: "fda21cfr11/bad-gxp-namespaces" },
194
+ interceptAudit: { rule: "optional-boolean", code: "fda21cfr11/bad-intercept-audit" },
195
+ }, "fda21cfr11.posture", Fda21Cfr11Error, "fda21cfr11/bad-opts");
192
196
 
193
197
  var auditMod = opts.audit && typeof opts.audit.safeEmit === "function" ? opts.audit : null;
194
198
  var signWith = typeof opts.signWith === "function" ? opts.signWith : null;
@@ -168,10 +168,13 @@ function bind(opts) {
168
168
  throw FdxError.factory("fdx/bad-auth-server",
169
169
  "fdx.bind: authServer object required");
170
170
  }
171
- validateOpts.requireNonEmptyString(opts.authServer.issuer,
172
- "fdx.bind: authServer.issuer", FdxError, "BAD_ISSUER");
173
- validateOpts.requireNonEmptyString(opts.authServer.jwksUri,
174
- "fdx.bind: authServer.jwksUri", FdxError, "BAD_JWKS_URI");
171
+ validateOpts.shape(opts.authServer, {
172
+ issuer: { rule: "required-string", code: "BAD_ISSUER", label: "fdx.bind: authServer.issuer" },
173
+ jwksUri: { rule: "required-string", code: "BAD_JWKS_URI", label: "fdx.bind: authServer.jwksUri" },
174
+ }, "fdx.bind: authServer", FdxError, "fdx/bad-auth-server",
175
+ // fapi2 is forwarded verbatim to fapi2.assertOAuthConfig, which owns
176
+ // its shape ({ pkce, dpop?, mtls?, par }) — validated there, not here.
177
+ { allow: ["fapi2"] });
175
178
 
176
179
  if (!Array.isArray(opts.resources) || opts.resources.length === 0) {
177
180
  throw FdxError.factory("fdx/bad-resources",
@@ -315,20 +318,21 @@ function consentReceipt(opts) {
315
318
  if (!opts || typeof opts !== "object") {
316
319
  throw FdxError.factory("fdx/bad-opts", "fdx.consentReceipt: opts required");
317
320
  }
318
- validateOpts.requireNonEmptyString(opts.dataProvider,
319
- "fdx.consentReceipt: dataProvider", FdxError, "BAD_DATA_PROVIDER");
320
- validateOpts.requireNonEmptyString(opts.consumerRef,
321
- "fdx.consentReceipt: consumerRef", FdxError, "BAD_CONSUMER_REF");
322
- validateOpts.requireNonEmptyString(opts.thirdParty,
323
- "fdx.consentReceipt: thirdParty", FdxError, "BAD_THIRD_PARTY");
324
- validateOpts.requireNonEmptyString(opts.revocationUrl,
325
- "fdx.consentReceipt: revocationUrl", FdxError, "BAD_REVOCATION_URL");
326
- if (!Array.isArray(opts.scopes) || opts.scopes.length === 0) {
327
- throw FdxError.factory("fdx/bad-scopes",
328
- "fdx.consentReceipt: scopes must be a non-empty array");
329
- }
330
- numericBounds.requirePositiveFiniteIntIfPresent(opts.durationMs,
331
- "fdx.consentReceipt: durationMs", FdxError, "BAD_DURATION");
321
+ validateOpts.shape(opts, {
322
+ dataProvider: { rule: "required-string", code: "BAD_DATA_PROVIDER" },
323
+ consumerRef: { rule: "required-string", code: "BAD_CONSUMER_REF" },
324
+ thirdParty: { rule: "required-string", code: "BAD_THIRD_PARTY" },
325
+ revocationUrl: { rule: "required-string", code: "BAD_REVOCATION_URL" },
326
+ scopes: function (value) {
327
+ if (!Array.isArray(value) || value.length === 0) {
328
+ throw FdxError.factory("fdx/bad-scopes",
329
+ "fdx.consentReceipt: scopes must be a non-empty array");
330
+ }
331
+ },
332
+ durationMs: function (value, label) {
333
+ numericBounds.requirePositiveFiniteIntIfPresent(value, label, FdxError, "BAD_DURATION");
334
+ },
335
+ }, "fdx.consentReceipt", FdxError, "fdx/bad-opts");
332
336
 
333
337
  var issuedAt = Date.now();
334
338
  var expiresAt = issuedAt + (opts.durationMs || C.TIME.weeks(52));
@@ -259,73 +259,87 @@ function _validateUploadId(id) {
259
259
  }
260
260
 
261
261
  function _validateCreateOpts(opts) {
262
- validateOpts.requireObject(opts, "fileUpload.create", FileUploadError);
263
- validateOpts.requireNonEmptyString(opts.stagingDir, "fileUpload.create: stagingDir", FileUploadError);
264
- if (!nodePath.isAbsolute(opts.stagingDir)) {
265
- throw _err("BAD_OPT", "fileUpload.create: stagingDir must be an absolute path, got " +
266
- JSON.stringify(opts.stagingDir));
267
- }
268
- validateOpts.optionalFunction(opts.onFinalize, "fileUpload.create: onFinalize", FileUploadError);
269
- validateOpts.optionalFunction(opts.onChunk, "fileUpload.create: onChunk", FileUploadError);
270
- numericBounds.requireAllPositiveFiniteIntIfPresent(opts,
271
- ["maxFileBytes", "maxChunkBytes", "maxStreamReassemblyBytes",
272
- "maxStagingBytes", "maxActiveUploadsPerActor"],
273
- "fileUpload.create", FileUploadError, "BAD_OPT");
274
- numericBounds.requireNonNegativeFiniteIntIfPresent(opts.incompleteTtlMs,
275
- "fileUpload.create: incompleteTtlMs", FileUploadError, "BAD_OPT");
276
- numericBounds.requireNonNegativeFiniteIntIfPresent(opts.maxIdleMs,
277
- "fileUpload.create: maxIdleMs", FileUploadError, "BAD_OPT");
278
- numericBounds.requirePositiveFiniteIntIfPresent(opts.maxChunks,
279
- "fileUpload.create: maxChunks", FileUploadError, "BAD_OPT");
280
- validateOpts.auditShape(opts.audit, "fileUpload.create", FileUploadError);
281
- validateOpts.observabilityShape(opts.observability, "fileUpload.create", FileUploadError);
282
- validateOpts.optionalFunction(opts.clock, "fileUpload.create: clock", FileUploadError);
283
- // allowedFileTypes — operator's MIME allowlist. Empty / undefined
284
- // disables the gate. Setting it without wiring a fileType primitive
285
- // is a misconfig — the gate would have nothing to enforce against.
286
- validateOpts.optionalNonEmptyStringArray(opts.allowedFileTypes,
287
- "fileUpload.create: allowedFileTypes", FileUploadError, "BAD_OPT");
288
- if (Array.isArray(opts.allowedFileTypes) && opts.allowedFileTypes.length > 0 &&
289
- (!opts.fileType || typeof opts.fileType.detect !== "function")) {
290
- throw _err("BAD_OPT",
291
- "fileUpload.create: allowedFileTypes is set but fileType primitive is not wired " +
292
- "(pass fileType: b.fileType so the framework can sniff magic bytes at finalize)");
293
- }
294
- // permissions — when set, must expose check(actor, scope) → boolean.
295
- validateOpts.optionalObjectWithMethod(opts.permissions, "check",
296
- "fileUpload.create: permissions", FileUploadError, "BAD_OPT",
297
- "must be a b.permissions instance (check fn)");
298
- // contentSafety — extension-keyed gate map for per-extension content
299
- // validation. Default behaviour: when undefined, the framework wires
300
- // b.guardAll.byExtension({ profile: "strict" }) automatically so every
301
- // shipped guard is ON by default. Explicit opt-out: contentSafety:
302
- // null (audited at create() time so a security review can reconstruct
303
- // which deploys disabled the default-on protection).
304
- // Example: contentSafety: { ".csv": b.guardCsv.gate({ profile: "strict" }) }
305
- if (opts.contentSafety !== undefined && opts.contentSafety !== null) {
306
- validateOpts.optionalPlainObject(opts.contentSafety,
307
- "fileUpload.create: contentSafety", FileUploadError, "BAD_OPT",
308
- "must be a plain { ext: gate } object, null to opt out, or " +
309
- "undefined for the default-on b.guardAll wiring");
310
- var safetyKeys = Object.keys(opts.contentSafety);
311
- for (var sk = 0; sk < safetyKeys.length; sk++) {
312
- var ext = safetyKeys[sk];
313
- var g = opts.contentSafety[ext];
314
- if (!g || typeof g.check !== "function") {
262
+ validateOpts.shape(opts, {
263
+ stagingDir: function (v, label) {
264
+ validateOpts.requireNonEmptyString(v, label, FileUploadError);
265
+ if (!nodePath.isAbsolute(v)) {
266
+ throw _err("BAD_OPT", "fileUpload.create: stagingDir must be an absolute path, got " +
267
+ JSON.stringify(v));
268
+ }
269
+ },
270
+ onFinalize: "optional-function",
271
+ onChunk: "optional-function",
272
+ // Byte / count caps — finite positive ints; TTL/idle windows allow 0.
273
+ maxFileBytes: "optional-positive-finite-int",
274
+ maxChunkBytes: "optional-positive-finite-int",
275
+ maxStreamReassemblyBytes: "optional-positive-finite-int",
276
+ maxStagingBytes: "optional-positive-finite-int",
277
+ maxActiveUploadsPerActor: "optional-positive-finite-int",
278
+ maxChunks: "optional-positive-finite-int",
279
+ incompleteTtlMs: "optional-non-negative-finite-int",
280
+ maxIdleMs: "optional-non-negative-finite-int",
281
+ audit: function (v) { validateOpts.auditShape(v, "fileUpload.create", FileUploadError); },
282
+ observability: function (v) { validateOpts.observabilityShape(v, "fileUpload.create", FileUploadError); },
283
+ clock: "optional-function",
284
+ // allowedFileTypes operator's MIME allowlist. Empty / undefined
285
+ // disables the gate. Setting it without wiring a fileType primitive
286
+ // is a misconfig — the gate would have nothing to enforce against.
287
+ allowedFileTypes: function (v, label) {
288
+ validateOpts.optionalNonEmptyStringArray(v, label, FileUploadError, "BAD_OPT");
289
+ if (Array.isArray(v) && v.length > 0 &&
290
+ (!opts.fileType || typeof opts.fileType.detect !== "function")) {
315
291
  throw _err("BAD_OPT",
316
- "fileUpload.create: contentSafety[" + JSON.stringify(ext) +
317
- "] must be a gate (b.guardCsv.gate / b.guardHtml.gate / etc.)");
292
+ "fileUpload.create: allowedFileTypes is set but fileType primitive is not wired " +
293
+ "(pass fileType: b.fileType so the framework can sniff magic bytes at finalize)");
318
294
  }
319
- }
320
- }
321
- // filenameSafety single gate for filename validation. Default: on.
322
- // Operator opts out with filenameSafety: null (audited).
323
- if (opts.filenameSafety !== undefined && opts.filenameSafety !== null) {
324
- validateOpts.optionalObjectWithMethod(opts.filenameSafety, "check",
325
- "fileUpload.create: filenameSafety", FileUploadError, "BAD_OPT",
326
- "must be a gate (b.guardFilename.gate(...)), null to opt out, or " +
327
- "undefined for the default-on wiring");
328
- }
295
+ },
296
+ // permissions — when set, must expose check(actor, scope) → boolean.
297
+ permissions: function (v, label) {
298
+ validateOpts.optionalObjectWithMethod(v, "check", label, FileUploadError, "BAD_OPT",
299
+ "must be a b.permissions instance (check fn)");
300
+ },
301
+ // contentSafety extension-keyed gate map for per-extension content
302
+ // validation. Default behaviour: when undefined, the framework wires
303
+ // b.guardAll.byExtension({ profile: "strict" }) automatically so every
304
+ // shipped guard is ON by default. Explicit opt-out: contentSafety:
305
+ // null (audited at create() time so a security review can reconstruct
306
+ // which deploys disabled the default-on protection).
307
+ // Example: contentSafety: { ".csv": b.guardCsv.gate({ profile: "strict" }) }
308
+ contentSafety: function (v, label) {
309
+ if (v === undefined || v === null) return;
310
+ validateOpts.optionalPlainObject(v, label, FileUploadError, "BAD_OPT",
311
+ "must be a plain { ext: gate } object, null to opt out, or " +
312
+ "undefined for the default-on b.guardAll wiring");
313
+ var safetyKeys = Object.keys(v);
314
+ for (var sk = 0; sk < safetyKeys.length; sk++) {
315
+ var ext = safetyKeys[sk];
316
+ var g = v[ext];
317
+ if (!g || typeof g.check !== "function") {
318
+ throw _err("BAD_OPT",
319
+ "fileUpload.create: contentSafety[" + JSON.stringify(ext) +
320
+ "] must be a gate (b.guardCsv.gate / b.guardHtml.gate / etc.)");
321
+ }
322
+ }
323
+ },
324
+ // filenameSafety — single gate for filename validation. Default: on.
325
+ // Operator opts out with filenameSafety: null (audited).
326
+ filenameSafety: function (v, label) {
327
+ if (v === undefined || v === null) return;
328
+ validateOpts.optionalObjectWithMethod(v, "check", label, FileUploadError, "BAD_OPT",
329
+ "must be a gate (b.guardFilename.gate(...)), null to opt out, or " +
330
+ "undefined for the default-on wiring");
331
+ },
332
+ // fileType — magic-byte sniffer (b.fileType) consumed at finalize when
333
+ // allowedFileTypes is set; validated here so it can't be passed un-typed.
334
+ fileType: function (v, label) {
335
+ if (v === undefined || v === null) return;
336
+ validateOpts.optionalObjectWithMethod(v, "detect", label, FileUploadError, "BAD_OPT",
337
+ "must be a b.fileType instance (detect fn)");
338
+ },
339
+ // Reason strings recorded when a default-on safety is explicitly disabled.
340
+ contentSafetyDisabledReason: "optional-string",
341
+ filenameSafetyDisabledReason: "optional-string",
342
+ }, "fileUpload.create", FileUploadError, "BAD_OPT", { exhaustive: true });
329
343
  }
330
344
 
331
345
  /**
@@ -698,7 +712,7 @@ function create(opts) {
698
712
  throw _err("EMPTY_CHUNK",
699
713
  "fileUpload.acceptChunk: body is empty (0 bytes)");
700
714
  }
701
- if (body.length > maxChunkBytes) {
715
+ if (safeBuffer.byteLengthOf(body) > maxChunkBytes) {
702
716
  _emitObs("fileUpload.chunk_too_large", 1);
703
717
  throw _err("CHUNK_TOO_LARGE",
704
718
  "fileUpload.acceptChunk: chunk body is " + body.length +
@@ -17,6 +17,7 @@
17
17
  */
18
18
 
19
19
  var nodeCrypto = require("node:crypto");
20
+ var pick = require("./pick");
20
21
  var validateOpts = require("./validate-opts");
21
22
  var lazyRequire = require("./lazy-require");
22
23
  var { defineClass } = require("./framework-error");
@@ -33,7 +34,7 @@ function _normalize(input, label) {
33
34
  var out = {};
34
35
  for (var key in input) {
35
36
  if (!Object.prototype.hasOwnProperty.call(input, key)) continue;
36
- if (key === "__proto__" || key === "constructor" || key === "prototype") {
37
+ if (pick.isPoisonedKey(key)) {
37
38
  continue; // poisoned-keys defense
38
39
  }
39
40
  out[key] = input[key];
@@ -55,12 +56,8 @@ function merge(base, overlay) {
55
56
  var b = _normalize(base, "merge.base");
56
57
  var o = _normalize(overlay, "merge.overlay");
57
58
  var out = {};
58
- for (var k1 in b) {
59
- if (Object.prototype.hasOwnProperty.call(b, k1)) out[k1] = b[k1];
60
- }
61
- for (var k2 in o) {
62
- if (Object.prototype.hasOwnProperty.call(o, k2)) out[k2] = o[k2];
63
- }
59
+ validateOpts.assignOwnEnumerable(out, b);
60
+ validateOpts.assignOwnEnumerable(out, o);
64
61
  return Object.freeze(out);
65
62
  }
66
63
 
@@ -110,7 +107,7 @@ function fromRequest(req, opts) {
110
107
  if (opts.extra && typeof opts.extra === "object") {
111
108
  for (var k in opts.extra) {
112
109
  if (Object.prototype.hasOwnProperty.call(opts.extra, k)) {
113
- if (k === "__proto__" || k === "constructor" || k === "prototype") continue;
110
+ if (pick.isPoisonedKey(k)) continue;
114
111
  ctx[k] = opts.extra[k];
115
112
  }
116
113
  }