@blamejs/blamejs-shop 0.4.56 → 0.4.58

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (402) hide show
  1. package/CHANGELOG.md +4 -0
  2. package/lib/affiliates.js +35 -4
  3. package/lib/api-keys.js +17 -2
  4. package/lib/asset-manifest.json +1 -1
  5. package/lib/backorder.js +21 -4
  6. package/lib/click-and-collect.js +11 -2
  7. package/lib/credit-limits.js +132 -84
  8. package/lib/vendor/MANIFEST.json +426 -366
  9. package/lib/vendor/blamejs/.github/codeql/codeql-config.yml +25 -0
  10. package/lib/vendor/blamejs/.github/workflows/actions-lint.yml +3 -3
  11. package/lib/vendor/blamejs/.github/workflows/cflite_batch.yml +1 -1
  12. package/lib/vendor/blamejs/.github/workflows/cflite_pr.yml +1 -1
  13. package/lib/vendor/blamejs/.github/workflows/ci.yml +13 -13
  14. package/lib/vendor/blamejs/.github/workflows/codeql.yml +8 -7
  15. package/lib/vendor/blamejs/.github/workflows/npm-publish.yml +2 -2
  16. package/lib/vendor/blamejs/.github/workflows/release-container.yml +4 -4
  17. package/lib/vendor/blamejs/.github/workflows/scorecard.yml +1 -1
  18. package/lib/vendor/blamejs/.github/workflows/sha-to-tag-verify.yml +1 -1
  19. package/lib/vendor/blamejs/CHANGELOG.md +2 -0
  20. package/lib/vendor/blamejs/api-snapshot.json +1381 -4
  21. package/lib/vendor/blamejs/eslint.config.mjs +1 -0
  22. package/lib/vendor/blamejs/examples/wiki/lib/source-comment-block-validator.js +4 -1
  23. package/lib/vendor/blamejs/examples/wiki/lib/symbol-index.js +5 -2
  24. package/lib/vendor/blamejs/examples/wiki/routes/pages.js +4 -1
  25. package/lib/vendor/blamejs/fuzz/guard-text.fuzz.js +20 -0
  26. package/lib/vendor/blamejs/index.js +2 -0
  27. package/lib/vendor/blamejs/lib/a2a-tasks.js +7 -23
  28. package/lib/vendor/blamejs/lib/acme.js +6 -5
  29. package/lib/vendor/blamejs/lib/agent-event-bus.js +5 -4
  30. package/lib/vendor/blamejs/lib/agent-idempotency.js +2 -5
  31. package/lib/vendor/blamejs/lib/agent-orchestrator.js +2 -5
  32. package/lib/vendor/blamejs/lib/agent-saga.js +3 -5
  33. package/lib/vendor/blamejs/lib/agent-tenant.js +2 -5
  34. package/lib/vendor/blamejs/lib/ai-adverse-decision.js +2 -15
  35. package/lib/vendor/blamejs/lib/ai-capability.js +1 -6
  36. package/lib/vendor/blamejs/lib/ai-dp.js +1 -5
  37. package/lib/vendor/blamejs/lib/ai-input.js +2 -2
  38. package/lib/vendor/blamejs/lib/ai-pref.js +3 -8
  39. package/lib/vendor/blamejs/lib/ai-quota.js +3 -14
  40. package/lib/vendor/blamejs/lib/api-key.js +37 -28
  41. package/lib/vendor/blamejs/lib/archive-adapters.js +2 -4
  42. package/lib/vendor/blamejs/lib/archive-entry-policy.js +32 -0
  43. package/lib/vendor/blamejs/lib/archive-read.js +5 -17
  44. package/lib/vendor/blamejs/lib/archive-tar-read.js +5 -16
  45. package/lib/vendor/blamejs/lib/archive.js +2 -10
  46. package/lib/vendor/blamejs/lib/arg-parser.js +7 -6
  47. package/lib/vendor/blamejs/lib/asyncapi-traits.js +2 -6
  48. package/lib/vendor/blamejs/lib/atomic-file.js +108 -31
  49. package/lib/vendor/blamejs/lib/audit-chain.js +133 -53
  50. package/lib/vendor/blamejs/lib/audit-daily-review.js +24 -14
  51. package/lib/vendor/blamejs/lib/audit-emit.js +82 -0
  52. package/lib/vendor/blamejs/lib/audit-sign.js +257 -0
  53. package/lib/vendor/blamejs/lib/audit.js +84 -0
  54. package/lib/vendor/blamejs/lib/auth/access-lock.js +5 -27
  55. package/lib/vendor/blamejs/lib/auth/dpop.js +23 -35
  56. package/lib/vendor/blamejs/lib/auth/fido-mds3.js +9 -15
  57. package/lib/vendor/blamejs/lib/auth/jwt-external.js +26 -8
  58. package/lib/vendor/blamejs/lib/auth/jwt.js +13 -15
  59. package/lib/vendor/blamejs/lib/auth/lockout.js +6 -25
  60. package/lib/vendor/blamejs/lib/auth/oauth.js +67 -45
  61. package/lib/vendor/blamejs/lib/auth/oid4vci.js +55 -32
  62. package/lib/vendor/blamejs/lib/auth/oid4vp.js +3 -2
  63. package/lib/vendor/blamejs/lib/auth/openid-federation.js +6 -6
  64. package/lib/vendor/blamejs/lib/auth/passkey.js +3 -3
  65. package/lib/vendor/blamejs/lib/auth/password.js +7 -1
  66. package/lib/vendor/blamejs/lib/auth/saml.js +37 -27
  67. package/lib/vendor/blamejs/lib/auth/sd-jwt-vc-holder.js +2 -14
  68. package/lib/vendor/blamejs/lib/auth/sd-jwt-vc-issuer.js +2 -14
  69. package/lib/vendor/blamejs/lib/auth/sd-jwt-vc.js +1 -1
  70. package/lib/vendor/blamejs/lib/auth/status-list.js +7 -7
  71. package/lib/vendor/blamejs/lib/auth/step-up.js +6 -12
  72. package/lib/vendor/blamejs/lib/auth-bot-challenge.js +6 -37
  73. package/lib/vendor/blamejs/lib/backup/bundle.js +11 -18
  74. package/lib/vendor/blamejs/lib/backup/index.js +14 -47
  75. package/lib/vendor/blamejs/lib/bounded-map.js +112 -1
  76. package/lib/vendor/blamejs/lib/breach-deadline.js +1 -11
  77. package/lib/vendor/blamejs/lib/cache.js +7 -18
  78. package/lib/vendor/blamejs/lib/cbor.js +2 -1
  79. package/lib/vendor/blamejs/lib/cdn-cache-control.js +8 -9
  80. package/lib/vendor/blamejs/lib/cert.js +3 -10
  81. package/lib/vendor/blamejs/lib/chain-writer.js +162 -47
  82. package/lib/vendor/blamejs/lib/cli.js +5 -1
  83. package/lib/vendor/blamejs/lib/client-hints.js +7 -9
  84. package/lib/vendor/blamejs/lib/cloud-events.js +40 -31
  85. package/lib/vendor/blamejs/lib/cluster-storage.js +2 -38
  86. package/lib/vendor/blamejs/lib/cms-codec.js +2 -1
  87. package/lib/vendor/blamejs/lib/codepoint-class.js +67 -1
  88. package/lib/vendor/blamejs/lib/compliance-ai-act-logging.js +1 -6
  89. package/lib/vendor/blamejs/lib/compliance-ai-act-transparency.js +2 -4
  90. package/lib/vendor/blamejs/lib/compliance-eaa.js +1 -11
  91. package/lib/vendor/blamejs/lib/compliance-sanctions-fetcher.js +21 -28
  92. package/lib/vendor/blamejs/lib/compliance-sanctions.js +2 -14
  93. package/lib/vendor/blamejs/lib/compliance.js +2 -9
  94. package/lib/vendor/blamejs/lib/config-drift.js +2 -12
  95. package/lib/vendor/blamejs/lib/content-digest.js +10 -8
  96. package/lib/vendor/blamejs/lib/cookies.js +5 -11
  97. package/lib/vendor/blamejs/lib/cose.js +19 -11
  98. package/lib/vendor/blamejs/lib/cra-report.js +1 -11
  99. package/lib/vendor/blamejs/lib/crypto-field.js +5 -10
  100. package/lib/vendor/blamejs/lib/crypto.js +120 -3
  101. package/lib/vendor/blamejs/lib/csp.js +235 -3
  102. package/lib/vendor/blamejs/lib/daemon.js +42 -41
  103. package/lib/vendor/blamejs/lib/data-act.js +19 -9
  104. package/lib/vendor/blamejs/lib/db-query.js +6 -40
  105. package/lib/vendor/blamejs/lib/db.js +34 -12
  106. package/lib/vendor/blamejs/lib/dbsc.js +5 -6
  107. package/lib/vendor/blamejs/lib/ddl-change-control.js +18 -14
  108. package/lib/vendor/blamejs/lib/deprecate.js +4 -5
  109. package/lib/vendor/blamejs/lib/did.js +6 -2
  110. package/lib/vendor/blamejs/lib/dsr.js +8 -12
  111. package/lib/vendor/blamejs/lib/external-db-migrate.js +21 -22
  112. package/lib/vendor/blamejs/lib/external-db.js +14 -26
  113. package/lib/vendor/blamejs/lib/fda-21cfr11.js +12 -8
  114. package/lib/vendor/blamejs/lib/fdx.js +22 -18
  115. package/lib/vendor/blamejs/lib/file-upload.js +80 -66
  116. package/lib/vendor/blamejs/lib/flag-evaluation-context.js +5 -8
  117. package/lib/vendor/blamejs/lib/framework-error.js +12 -0
  118. package/lib/vendor/blamejs/lib/framework-schema.js +19 -0
  119. package/lib/vendor/blamejs/lib/fsm.js +7 -12
  120. package/lib/vendor/blamejs/lib/gate-contract.js +869 -38
  121. package/lib/vendor/blamejs/lib/gdpr-ropa.js +4 -13
  122. package/lib/vendor/blamejs/lib/graphql-federation.js +1 -1
  123. package/lib/vendor/blamejs/lib/guard-agent-registry.js +2 -1
  124. package/lib/vendor/blamejs/lib/guard-all.js +1 -0
  125. package/lib/vendor/blamejs/lib/guard-archive.js +9 -30
  126. package/lib/vendor/blamejs/lib/guard-auth.js +23 -80
  127. package/lib/vendor/blamejs/lib/guard-cidr.js +20 -96
  128. package/lib/vendor/blamejs/lib/guard-csv.js +135 -196
  129. package/lib/vendor/blamejs/lib/guard-domain.js +23 -106
  130. package/lib/vendor/blamejs/lib/guard-dsn.js +16 -13
  131. package/lib/vendor/blamejs/lib/guard-email.js +46 -53
  132. package/lib/vendor/blamejs/lib/guard-envelope.js +1 -1
  133. package/lib/vendor/blamejs/lib/guard-event-bus-topic.js +2 -1
  134. package/lib/vendor/blamejs/lib/guard-filename.js +12 -60
  135. package/lib/vendor/blamejs/lib/guard-graphql.js +28 -75
  136. package/lib/vendor/blamejs/lib/guard-html-wcag.js +15 -2
  137. package/lib/vendor/blamejs/lib/guard-html.js +65 -117
  138. package/lib/vendor/blamejs/lib/guard-idempotency-key.js +2 -1
  139. package/lib/vendor/blamejs/lib/guard-image.js +280 -77
  140. package/lib/vendor/blamejs/lib/guard-imap-command.js +8 -9
  141. package/lib/vendor/blamejs/lib/guard-json.js +87 -103
  142. package/lib/vendor/blamejs/lib/guard-jsonpath.js +20 -88
  143. package/lib/vendor/blamejs/lib/guard-jwt.js +32 -114
  144. package/lib/vendor/blamejs/lib/guard-list-id.js +2 -7
  145. package/lib/vendor/blamejs/lib/guard-list-unsubscribe.js +2 -7
  146. package/lib/vendor/blamejs/lib/guard-mail-compose.js +5 -6
  147. package/lib/vendor/blamejs/lib/guard-mail-move.js +2 -1
  148. package/lib/vendor/blamejs/lib/guard-mail-query.js +5 -3
  149. package/lib/vendor/blamejs/lib/guard-mail-sieve.js +6 -7
  150. package/lib/vendor/blamejs/lib/guard-managesieve-command.js +5 -4
  151. package/lib/vendor/blamejs/lib/guard-markdown.js +76 -110
  152. package/lib/vendor/blamejs/lib/guard-message-id.js +5 -6
  153. package/lib/vendor/blamejs/lib/guard-mime.js +20 -99
  154. package/lib/vendor/blamejs/lib/guard-oauth.js +19 -73
  155. package/lib/vendor/blamejs/lib/guard-pdf.js +65 -72
  156. package/lib/vendor/blamejs/lib/guard-pop3-command.js +12 -13
  157. package/lib/vendor/blamejs/lib/guard-posture-chain.js +2 -1
  158. package/lib/vendor/blamejs/lib/guard-regex.js +24 -99
  159. package/lib/vendor/blamejs/lib/guard-saga-config.js +2 -1
  160. package/lib/vendor/blamejs/lib/guard-shell.js +22 -87
  161. package/lib/vendor/blamejs/lib/guard-smtp-command.js +8 -11
  162. package/lib/vendor/blamejs/lib/guard-sql.js +15 -13
  163. package/lib/vendor/blamejs/lib/guard-stream-args.js +2 -1
  164. package/lib/vendor/blamejs/lib/guard-svg.js +95 -140
  165. package/lib/vendor/blamejs/lib/guard-template.js +23 -80
  166. package/lib/vendor/blamejs/lib/guard-tenant-id.js +2 -1
  167. package/lib/vendor/blamejs/lib/guard-text.js +592 -0
  168. package/lib/vendor/blamejs/lib/guard-time.js +27 -95
  169. package/lib/vendor/blamejs/lib/guard-uuid.js +21 -93
  170. package/lib/vendor/blamejs/lib/guard-xml.js +76 -106
  171. package/lib/vendor/blamejs/lib/guard-yaml.js +24 -60
  172. package/lib/vendor/blamejs/lib/http-client-cache.js +5 -12
  173. package/lib/vendor/blamejs/lib/http-client-cookie-jar.js +2 -4
  174. package/lib/vendor/blamejs/lib/http-client.js +8 -21
  175. package/lib/vendor/blamejs/lib/http-message-signature.js +3 -2
  176. package/lib/vendor/blamejs/lib/i18n-messageformat.js +5 -7
  177. package/lib/vendor/blamejs/lib/i18n.js +83 -26
  178. package/lib/vendor/blamejs/lib/inbox.js +8 -8
  179. package/lib/vendor/blamejs/lib/incident-report.js +3 -21
  180. package/lib/vendor/blamejs/lib/ip-utils.js +49 -6
  181. package/lib/vendor/blamejs/lib/jobs.js +3 -2
  182. package/lib/vendor/blamejs/lib/keychain.js +6 -18
  183. package/lib/vendor/blamejs/lib/legal-hold.js +6 -15
  184. package/lib/vendor/blamejs/lib/log-stream-cloudwatch.js +44 -112
  185. package/lib/vendor/blamejs/lib/log-stream-otlp-grpc.js +17 -14
  186. package/lib/vendor/blamejs/lib/log-stream-otlp.js +16 -80
  187. package/lib/vendor/blamejs/lib/log-stream-webhook.js +20 -92
  188. package/lib/vendor/blamejs/lib/mail-arc-sign.js +8 -3
  189. package/lib/vendor/blamejs/lib/mail-arf.js +3 -2
  190. package/lib/vendor/blamejs/lib/mail-auth.js +40 -66
  191. package/lib/vendor/blamejs/lib/mail-bimi.js +19 -39
  192. package/lib/vendor/blamejs/lib/mail-crypto-pgp.js +3 -2
  193. package/lib/vendor/blamejs/lib/mail-dav.js +8 -35
  194. package/lib/vendor/blamejs/lib/mail-deploy.js +6 -9
  195. package/lib/vendor/blamejs/lib/mail-dkim.js +19 -38
  196. package/lib/vendor/blamejs/lib/mail-greylist.js +15 -26
  197. package/lib/vendor/blamejs/lib/mail-helo.js +2 -3
  198. package/lib/vendor/blamejs/lib/mail-journal.js +2 -1
  199. package/lib/vendor/blamejs/lib/mail-mdn.js +4 -3
  200. package/lib/vendor/blamejs/lib/mail-rbl.js +5 -8
  201. package/lib/vendor/blamejs/lib/mail-scan.js +2 -2
  202. package/lib/vendor/blamejs/lib/mail-send-deliver.js +33 -20
  203. package/lib/vendor/blamejs/lib/mail-server-imap.js +32 -87
  204. package/lib/vendor/blamejs/lib/mail-server-jmap.js +35 -51
  205. package/lib/vendor/blamejs/lib/mail-server-managesieve.js +29 -83
  206. package/lib/vendor/blamejs/lib/mail-server-mx.js +33 -74
  207. package/lib/vendor/blamejs/lib/mail-server-net.js +177 -0
  208. package/lib/vendor/blamejs/lib/mail-server-pop3.js +30 -83
  209. package/lib/vendor/blamejs/lib/mail-server-rate-limit.js +30 -6
  210. package/lib/vendor/blamejs/lib/mail-server-submission.js +34 -73
  211. package/lib/vendor/blamejs/lib/mail-server-tls.js +89 -0
  212. package/lib/vendor/blamejs/lib/mail-spam-score.js +7 -8
  213. package/lib/vendor/blamejs/lib/mail-store.js +3 -2
  214. package/lib/vendor/blamejs/lib/mail.js +6 -11
  215. package/lib/vendor/blamejs/lib/markup-escape.js +31 -0
  216. package/lib/vendor/blamejs/lib/markup-tokenizer.js +54 -0
  217. package/lib/vendor/blamejs/lib/mcp-tool-registry.js +26 -23
  218. package/lib/vendor/blamejs/lib/mcp.js +1 -1
  219. package/lib/vendor/blamejs/lib/mdoc.js +11 -12
  220. package/lib/vendor/blamejs/lib/metrics.js +32 -30
  221. package/lib/vendor/blamejs/lib/middleware/age-gate.js +3 -23
  222. package/lib/vendor/blamejs/lib/middleware/api-encrypt.js +11 -22
  223. package/lib/vendor/blamejs/lib/middleware/assetlinks.js +2 -7
  224. package/lib/vendor/blamejs/lib/middleware/bearer-auth.js +2 -1
  225. package/lib/vendor/blamejs/lib/middleware/body-parser.js +31 -48
  226. package/lib/vendor/blamejs/lib/middleware/bot-disclose.js +7 -10
  227. package/lib/vendor/blamejs/lib/middleware/bot-guard.js +2 -10
  228. package/lib/vendor/blamejs/lib/middleware/csrf-protect.js +13 -2
  229. package/lib/vendor/blamejs/lib/middleware/daily-byte-quota.js +6 -26
  230. package/lib/vendor/blamejs/lib/middleware/deny-response.js +19 -1
  231. package/lib/vendor/blamejs/lib/middleware/fetch-metadata.js +7 -0
  232. package/lib/vendor/blamejs/lib/middleware/idempotency-key.js +4 -20
  233. package/lib/vendor/blamejs/lib/middleware/rate-limit.js +20 -28
  234. package/lib/vendor/blamejs/lib/middleware/scim-server.js +3 -2
  235. package/lib/vendor/blamejs/lib/middleware/security-headers.js +9 -1
  236. package/lib/vendor/blamejs/lib/middleware/security-txt.js +2 -6
  237. package/lib/vendor/blamejs/lib/middleware/tus-upload.js +12 -27
  238. package/lib/vendor/blamejs/lib/middleware/web-app-manifest.js +2 -7
  239. package/lib/vendor/blamejs/lib/migrations.js +4 -13
  240. package/lib/vendor/blamejs/lib/mime-parse.js +34 -17
  241. package/lib/vendor/blamejs/lib/module-loader.js +44 -0
  242. package/lib/vendor/blamejs/lib/money.js +105 -0
  243. package/lib/vendor/blamejs/lib/mtls-ca.js +116 -36
  244. package/lib/vendor/blamejs/lib/network-byte-quota.js +4 -18
  245. package/lib/vendor/blamejs/lib/network-dane.js +8 -6
  246. package/lib/vendor/blamejs/lib/network-dns-resolver.js +97 -6
  247. package/lib/vendor/blamejs/lib/network-dnssec.js +16 -16
  248. package/lib/vendor/blamejs/lib/network-heartbeat.js +3 -2
  249. package/lib/vendor/blamejs/lib/network-smtp-policy.js +29 -41
  250. package/lib/vendor/blamejs/lib/network-tls.js +40 -42
  251. package/lib/vendor/blamejs/lib/nis2-report.js +1 -11
  252. package/lib/vendor/blamejs/lib/nonce-store.js +81 -3
  253. package/lib/vendor/blamejs/lib/numeric-bounds.js +22 -8
  254. package/lib/vendor/blamejs/lib/object-store/azure-blob-bucket-ops.js +2 -6
  255. package/lib/vendor/blamejs/lib/object-store/azure-blob.js +5 -45
  256. package/lib/vendor/blamejs/lib/object-store/gcs.js +8 -71
  257. package/lib/vendor/blamejs/lib/object-store/http-put.js +1 -5
  258. package/lib/vendor/blamejs/lib/object-store/http-request.js +128 -0
  259. package/lib/vendor/blamejs/lib/object-store/sigv4-bucket-ops.js +2 -1
  260. package/lib/vendor/blamejs/lib/object-store/sigv4.js +9 -77
  261. package/lib/vendor/blamejs/lib/observability-otlp-exporter.js +9 -25
  262. package/lib/vendor/blamejs/lib/observability.js +95 -0
  263. package/lib/vendor/blamejs/lib/openapi-paths-builder.js +7 -3
  264. package/lib/vendor/blamejs/lib/otel-export.js +7 -10
  265. package/lib/vendor/blamejs/lib/outbox.js +43 -37
  266. package/lib/vendor/blamejs/lib/pagination.js +11 -15
  267. package/lib/vendor/blamejs/lib/parsers/safe-env.js +5 -4
  268. package/lib/vendor/blamejs/lib/parsers/safe-ini.js +10 -4
  269. package/lib/vendor/blamejs/lib/parsers/safe-toml.js +11 -9
  270. package/lib/vendor/blamejs/lib/parsers/safe-xml.js +2 -2
  271. package/lib/vendor/blamejs/lib/parsers/safe-yaml.js +7 -6
  272. package/lib/vendor/blamejs/lib/pick.js +63 -5
  273. package/lib/vendor/blamejs/lib/pipl-cn.js +69 -59
  274. package/lib/vendor/blamejs/lib/privacy-pass.js +8 -6
  275. package/lib/vendor/blamejs/lib/problem-details.js +2 -5
  276. package/lib/vendor/blamejs/lib/pubsub.js +4 -8
  277. package/lib/vendor/blamejs/lib/redact.js +2 -1
  278. package/lib/vendor/blamejs/lib/render.js +4 -2
  279. package/lib/vendor/blamejs/lib/request-helpers.js +133 -6
  280. package/lib/vendor/blamejs/lib/restore.js +5 -22
  281. package/lib/vendor/blamejs/lib/retention.js +3 -5
  282. package/lib/vendor/blamejs/lib/safe-async.js +457 -0
  283. package/lib/vendor/blamejs/lib/safe-buffer.js +137 -6
  284. package/lib/vendor/blamejs/lib/safe-decompress.js +2 -1
  285. package/lib/vendor/blamejs/lib/safe-dns.js +2 -1
  286. package/lib/vendor/blamejs/lib/safe-ical.js +12 -26
  287. package/lib/vendor/blamejs/lib/safe-json.js +7 -8
  288. package/lib/vendor/blamejs/lib/safe-jsonpath.js +6 -5
  289. package/lib/vendor/blamejs/lib/safe-mime.js +25 -29
  290. package/lib/vendor/blamejs/lib/safe-redirect.js +2 -5
  291. package/lib/vendor/blamejs/lib/safe-schema.js +7 -6
  292. package/lib/vendor/blamejs/lib/safe-sql.js +126 -0
  293. package/lib/vendor/blamejs/lib/safe-vcard.js +12 -26
  294. package/lib/vendor/blamejs/lib/sandbox-worker.js +9 -2
  295. package/lib/vendor/blamejs/lib/sandbox.js +3 -2
  296. package/lib/vendor/blamejs/lib/scheduler.js +5 -12
  297. package/lib/vendor/blamejs/lib/sec-cyber.js +82 -37
  298. package/lib/vendor/blamejs/lib/seeders.js +4 -11
  299. package/lib/vendor/blamejs/lib/self-update.js +92 -69
  300. package/lib/vendor/blamejs/lib/session-device-binding.js +112 -66
  301. package/lib/vendor/blamejs/lib/session.js +194 -6
  302. package/lib/vendor/blamejs/lib/sql.js +225 -78
  303. package/lib/vendor/blamejs/lib/sse.js +6 -10
  304. package/lib/vendor/blamejs/lib/static.js +136 -98
  305. package/lib/vendor/blamejs/lib/storage.js +4 -2
  306. package/lib/vendor/blamejs/lib/structured-fields.js +275 -16
  307. package/lib/vendor/blamejs/lib/tenant-quota.js +2 -20
  308. package/lib/vendor/blamejs/lib/tsa.js +11 -15
  309. package/lib/vendor/blamejs/lib/validate-opts.js +154 -8
  310. package/lib/vendor/blamejs/lib/vault/seal-pem-file.js +30 -48
  311. package/lib/vendor/blamejs/lib/vault-aad.js +3 -2
  312. package/lib/vendor/blamejs/lib/vc.js +2 -7
  313. package/lib/vendor/blamejs/lib/vex.js +35 -13
  314. package/lib/vendor/blamejs/lib/web-push-vapid.js +23 -20
  315. package/lib/vendor/blamejs/lib/webhook-dispatcher.js +706 -0
  316. package/lib/vendor/blamejs/lib/webhook.js +43 -18
  317. package/lib/vendor/blamejs/lib/websocket-channels.js +9 -7
  318. package/lib/vendor/blamejs/lib/websocket.js +7 -3
  319. package/lib/vendor/blamejs/lib/worm.js +2 -3
  320. package/lib/vendor/blamejs/lib/ws-client.js +8 -10
  321. package/lib/vendor/blamejs/package.json +1 -1
  322. package/lib/vendor/blamejs/release-notes/v0.15.13.json +81 -0
  323. package/lib/vendor/blamejs/scripts/check-changelog-extract.js +1 -1
  324. package/lib/vendor/blamejs/test/00-primitives.js +136 -7
  325. package/lib/vendor/blamejs/test/10-state.js +9 -3
  326. package/lib/vendor/blamejs/test/30-chain.js +40 -0
  327. package/lib/vendor/blamejs/test/helpers/check.js +18 -0
  328. package/lib/vendor/blamejs/test/helpers/db.js +4 -0
  329. package/lib/vendor/blamejs/test/helpers/index.js +1 -0
  330. package/lib/vendor/blamejs/test/integration/audit-chain-external-db.test.js +2 -1
  331. package/lib/vendor/blamejs/test/integration/audit-stack-postgres.test.js +2 -1
  332. package/lib/vendor/blamejs/test/integration/data-layer-mysql.test.js +8 -1
  333. package/lib/vendor/blamejs/test/integration/data-layer-pg.test.js +1 -1
  334. package/lib/vendor/blamejs/test/integration/framework-schema-mysql.test.js +2 -1
  335. package/lib/vendor/blamejs/test/integration/webhook-dispatcher-pg.test.js +269 -0
  336. package/lib/vendor/blamejs/test/layer-0-primitives/atomic-file-fd-read.test.js +149 -0
  337. package/lib/vendor/blamejs/test/layer-0-primitives/audit-framework-namespaces.test.js +51 -0
  338. package/lib/vendor/blamejs/test/layer-0-primitives/audit-sign-anchor.test.js +88 -0
  339. package/lib/vendor/blamejs/test/layer-0-primitives/audit-use-store.test.js +55 -1
  340. package/lib/vendor/blamejs/test/layer-0-primitives/backup-object-store-adapter.test.js +2 -2
  341. package/lib/vendor/blamejs/test/layer-0-primitives/bot-guard.test.js +1 -1
  342. package/lib/vendor/blamejs/test/layer-0-primitives/bounded-map.test.js +129 -0
  343. package/lib/vendor/blamejs/test/layer-0-primitives/chain-writer-multichain.test.js +107 -0
  344. package/lib/vendor/blamejs/test/layer-0-primitives/cli-api-key.test.js +12 -0
  345. package/lib/vendor/blamejs/test/layer-0-primitives/codebase-patterns.test.js +2788 -3214
  346. package/lib/vendor/blamejs/test/layer-0-primitives/codepoint-class.test.js +78 -0
  347. package/lib/vendor/blamejs/test/layer-0-primitives/crypto-base64url.test.js +63 -0
  348. package/lib/vendor/blamejs/test/layer-0-primitives/crypto-hash-stream.test.js +2 -1
  349. package/lib/vendor/blamejs/test/layer-0-primitives/csp-builder.test.js +50 -0
  350. package/lib/vendor/blamejs/test/layer-0-primitives/csp-nonce.test.js +1 -1
  351. package/lib/vendor/blamejs/test/layer-0-primitives/daemon.test.js +2 -1
  352. package/lib/vendor/blamejs/test/layer-0-primitives/defineguard-resolve-opts.test.js +76 -0
  353. package/lib/vendor/blamejs/test/layer-0-primitives/flag.test.js +9 -0
  354. package/lib/vendor/blamejs/test/layer-0-primitives/gate-contract-content-gate.test.js +290 -0
  355. package/lib/vendor/blamejs/test/layer-0-primitives/guard-csv.test.js +84 -0
  356. package/lib/vendor/blamejs/test/layer-0-primitives/guard-email.test.js +78 -0
  357. package/lib/vendor/blamejs/test/layer-0-primitives/guard-filename.test.js +23 -0
  358. package/lib/vendor/blamejs/test/layer-0-primitives/guard-gate-disposition-coverage.test.js +93 -0
  359. package/lib/vendor/blamejs/test/layer-0-primitives/guard-html.test.js +60 -0
  360. package/lib/vendor/blamejs/test/layer-0-primitives/guard-image.test.js +184 -0
  361. package/lib/vendor/blamejs/test/layer-0-primitives/guard-imap-command.test.js +0 -0
  362. package/lib/vendor/blamejs/test/layer-0-primitives/guard-json.test.js +54 -0
  363. package/lib/vendor/blamejs/test/layer-0-primitives/guard-managesieve-command.test.js +10 -0
  364. package/lib/vendor/blamejs/test/layer-0-primitives/guard-markdown.test.js +45 -0
  365. package/lib/vendor/blamejs/test/layer-0-primitives/guard-pdf.test.js +101 -0
  366. package/lib/vendor/blamejs/test/layer-0-primitives/guard-pop3-command.test.js +18 -0
  367. package/lib/vendor/blamejs/test/layer-0-primitives/guard-svg.test.js +76 -0
  368. package/lib/vendor/blamejs/test/layer-0-primitives/guard-text.test.js +365 -0
  369. package/lib/vendor/blamejs/test/layer-0-primitives/guard-xml.test.js +35 -0
  370. package/lib/vendor/blamejs/test/layer-0-primitives/guard-yaml.test.js +36 -0
  371. package/lib/vendor/blamejs/test/layer-0-primitives/i18n.test.js +20 -0
  372. package/lib/vendor/blamejs/test/layer-0-primitives/inbox.test.js +15 -0
  373. package/lib/vendor/blamejs/test/layer-0-primitives/ip-utils.test.js +83 -0
  374. package/lib/vendor/blamejs/test/layer-0-primitives/mail-arf.test.js +10 -0
  375. package/lib/vendor/blamejs/test/layer-0-primitives/mail-auth.test.js +39 -0
  376. package/lib/vendor/blamejs/test/layer-0-primitives/mail-dkim.test.js +36 -0
  377. package/lib/vendor/blamejs/test/layer-0-primitives/mail-greylist.test.js +17 -0
  378. package/lib/vendor/blamejs/test/layer-0-primitives/mail-server-tls.test.js +39 -0
  379. package/lib/vendor/blamejs/test/layer-0-primitives/mail-store.test.js +17 -0
  380. package/lib/vendor/blamejs/test/layer-0-primitives/mime-parse.test.js +106 -0
  381. package/lib/vendor/blamejs/test/layer-0-primitives/money.test.js +17 -0
  382. package/lib/vendor/blamejs/test/layer-0-primitives/mtls-ca-revocation.test.js +98 -0
  383. package/lib/vendor/blamejs/test/layer-0-primitives/nonce-store-release.test.js +77 -0
  384. package/lib/vendor/blamejs/test/layer-0-primitives/observability.test.js +48 -0
  385. package/lib/vendor/blamejs/test/layer-0-primitives/rate-limit-memory-getorinsert.test.js +100 -0
  386. package/lib/vendor/blamejs/test/layer-0-primitives/request-helpers.test.js +88 -0
  387. package/lib/vendor/blamejs/test/layer-0-primitives/safe-async-loops.test.js +278 -0
  388. package/lib/vendor/blamejs/test/layer-0-primitives/safe-buffer-linear-scans.test.js +37 -0
  389. package/lib/vendor/blamejs/test/layer-0-primitives/safe-jsonpath.test.js +14 -0
  390. package/lib/vendor/blamejs/test/layer-0-primitives/sandbox.test.js +19 -0
  391. package/lib/vendor/blamejs/test/layer-0-primitives/security-headers.test.js +1 -1
  392. package/lib/vendor/blamejs/test/layer-0-primitives/self-update.test.js +2 -1
  393. package/lib/vendor/blamejs/test/layer-0-primitives/session-device-binding.test.js +18 -0
  394. package/lib/vendor/blamejs/test/layer-0-primitives/session-extensions.test.js +1 -1
  395. package/lib/vendor/blamejs/test/layer-0-primitives/session-valid-from.test.js +73 -0
  396. package/lib/vendor/blamejs/test/layer-0-primitives/sql.test.js +100 -0
  397. package/lib/vendor/blamejs/test/layer-0-primitives/structured-fields.test.js +80 -0
  398. package/lib/vendor/blamejs/test/layer-0-primitives/validate-opts-shape.test.js +235 -0
  399. package/lib/vendor/blamejs/test/layer-0-primitives/webhook-dispatcher.test.js +374 -0
  400. package/lib/vendor/blamejs/test/layer-0-primitives/webhook.test.js +75 -8
  401. package/lib/vendor/blamejs/test/layer-5-integration/guard-host-integration.test.js +3 -3
  402. package/package.json +1 -1
@@ -489,84 +489,147 @@ function _httpDate(date) {
489
489
  }
490
490
 
491
491
  function _validateCreateOpts(opts) {
492
- validateOpts.requireObject(opts, "staticServe.create", StaticServeError);
493
- validateOpts.requireNonEmptyString(opts.root, "staticServe.create: root", StaticServeError, "BAD_OPT");
492
+ // Declarative per-field validation. shape() runs requireObject(opts)
493
+ // itself (same "opts must be an object" / BAD_OPT contract the inline
494
+ // requireObject produced), then dispatches each field. A field whose
495
+ // check is one of the rule tokens maps to the token directly; a field
496
+ // with a bespoke message (mountPath / hashedPathPattern), a
497
+ // duck-typed-handle shape (permissions / cache / fileType / retention /
498
+ // revokeStore — each carrying its own operator-facing description), a
499
+ // numeric bound, or an audit/observability shape uses the
500
+ // validator-function hatch so the exact thrown code + message + label
501
+ // are preserved. Cross-field business logic (root existence,
502
+ // allowedFileTypes↔fileType wiring, the contentSafety map, the
503
+ // mountType enum, the quota↔cache requirement) stays below shape.
504
+ validateOpts.shape(opts, {
505
+ root: "required-string",
506
+ mountPath: function (value, _label, errorClass, code) {
507
+ // empty string is operator-permissible: "no mount, root is request URL"
508
+ if (typeof value === "string" && value.length === 0) return;
509
+ if (value !== undefined && value !== null && typeof value !== "string") {
510
+ throw errorClass.factory(code, "staticServe.create: mountPath must be a string");
511
+ }
512
+ },
513
+ hashedPathPattern: function (value, _label, errorClass, code) {
514
+ if (value !== undefined && value !== null && !(value instanceof RegExp)) {
515
+ throw errorClass.factory(code, "staticServe.create: hashedPathPattern must be a RegExp");
516
+ }
517
+ },
518
+ // indexFile === null is the operator's "disable" sentinel; the helper
519
+ // returns null/undefined unchanged so we keep that semantic.
520
+ indexFile: "optional-string",
521
+ defaultMaxAge: function (value, label, errorClass, code) {
522
+ numericBounds.requireNonNegativeFiniteIntIfPresent(value, label, errorClass, code);
523
+ },
524
+ contentTypes: "optional-plain-object",
525
+ // contentSafety — extension-keyed gate map. undefined → the framework
526
+ // wires b.guardAll.byExtension({ profile: "strict" }) so every shipped
527
+ // guard is ON by default; null is the explicit opt-out (audited at
528
+ // create() time); a plain { ext: gate } object validates each value is a
529
+ // gate (a .check fn). The label / code / message match the prior inline
530
+ // check exactly so a test asserting them still holds.
531
+ contentSafety: function (value, _label, errorClass, code) {
532
+ if (value === undefined || value === null) return;
533
+ validateOpts.optionalPlainObject(value,
534
+ "staticServe.create: contentSafety", errorClass, code,
535
+ "must be a plain { ext: gate } object, null to opt out, or " +
536
+ "undefined for the default-on b.guardAll wiring");
537
+ var safetyKeys = Object.keys(value);
538
+ for (var sk = 0; sk < safetyKeys.length; sk++) {
539
+ var ext = safetyKeys[sk];
540
+ var g = value[ext];
541
+ if (!g || typeof g.check !== "function") {
542
+ throw errorClass.factory(code,
543
+ "staticServe.create: contentSafety[" + JSON.stringify(ext) +
544
+ "] must be a gate (b.guardCsv.gate / b.guardHtml.gate / etc.)");
545
+ }
546
+ }
547
+ },
548
+ permissions: function (value, label, errorClass, code) {
549
+ validateOpts.optionalObjectWithMethod(value, "check", label, errorClass, code,
550
+ "must be a b.permissions instance (check fn)");
551
+ },
552
+ cache: function (value, label, errorClass, code) {
553
+ validateOpts.optionalObjectWithMethod(value, "get", label, errorClass, code,
554
+ "must be a b.cache instance (used for cluster-shared bandwidth + concurrency tracking)");
555
+ },
556
+ fileType: function (value, label, errorClass, code) {
557
+ validateOpts.optionalObjectWithMethod(value, "detect", label, errorClass, code,
558
+ "must be a b.fileType instance (magic-byte MIME detection)");
559
+ },
560
+ retention: function (value, label, errorClass, code) {
561
+ validateOpts.optionalObjectWithMethod(value, "isServable", label, errorClass, code,
562
+ "must expose isServable(absPath, ctx) → boolean (compliance retention check)");
563
+ },
564
+ revokeStore: function (value, label, errorClass, code) {
565
+ validateOpts.optionalObjectWithMethod(value, "isRevoked", label, errorClass, code,
566
+ "must expose isRevoked(key) and revoke(key) for force-revoke support");
567
+ },
568
+ allowedFileTypes: "optional-string-array",
569
+ audit: function (value, _label, errorClass, _code) {
570
+ validateOpts.auditShape(value, "staticServe.create", errorClass);
571
+ },
572
+ observability: function (value, _label, errorClass, _code) {
573
+ validateOpts.observabilityShape(value, "staticServe.create", errorClass);
574
+ },
575
+ onServe: "optional-function",
576
+ onError: "optional-function",
577
+ acceptRanges: "optional-boolean",
578
+ auditSuccess: "optional-boolean",
579
+ auditFailures: "optional-boolean",
580
+ safeAttachmentForRiskyMimes: "optional-boolean",
581
+ forceAttachmentForNonText: "optional-boolean",
582
+ safeRenderSvg: "optional-boolean",
583
+ safeRenderPdf: "optional-boolean",
584
+ maxBytesPerActorPerWindowMs: function (value, label, errorClass, code) {
585
+ numericBounds.requireNonNegativeFiniteIntIfPresent(value, label, errorClass, code);
586
+ },
587
+ maxBytesAllActorsPerWindowMs: function (value, label, errorClass, code) {
588
+ numericBounds.requireNonNegativeFiniteIntIfPresent(value, label, errorClass, code);
589
+ },
590
+ bandwidthWindowMs: function (value, label, errorClass, code) {
591
+ numericBounds.requirePositiveFiniteIntIfPresent(value, label, errorClass, code);
592
+ },
593
+ maxConcurrentDownloadsPerActor: function (value, label, errorClass, code) {
594
+ numericBounds.requireNonNegativeFiniteIntIfPresent(value, label, errorClass, code);
595
+ },
596
+ maxIdleMs: function (value, label, errorClass, code) {
597
+ numericBounds.requirePositiveFiniteIntIfPresent(value, label, errorClass, code);
598
+ },
599
+ // maxRangeBytes — per-range byte cap (slowloris-range defense). A
600
+ // positive finite integer caps Range requests; Infinity is the
601
+ // documented opt-out, so the numericBounds finite-int helpers (which
602
+ // reject Infinity) can't be used directly here.
603
+ maxRangeBytes: function (value, label, errorClass, code) {
604
+ if (value === undefined || value === null || value === Infinity) return;
605
+ numericBounds.requirePositiveFiniteInt(value, label, errorClass, code);
606
+ },
607
+ }, "staticServe.create", StaticServeError, "BAD_OPT", {
608
+ // contentSafetyDisabledReason (audit-row string) and mountType (curated
609
+ // | user-content enum) carry dedicated cross-field validation below
610
+ // shape — the audit reason read and the enum throw whose exact message a
611
+ // test asserts. Listing them here keeps that bespoke logic the single
612
+ // validator rather than re-checking the same key inside shape.
613
+ allow: ["contentSafetyDisabledReason", "mountType"],
614
+ });
615
+
494
616
  if (!nodeFs.existsSync(opts.root)) {
495
617
  throw _err("BAD_OPT", "staticServe.create: root does not exist: " + opts.root);
496
618
  }
497
- if (typeof opts.mountPath === "string" && opts.mountPath.length === 0) {
498
- // empty string is operator-permissible: "no mount, root is request URL"
499
- } else if (opts.mountPath !== undefined && opts.mountPath !== null &&
500
- typeof opts.mountPath !== "string") {
501
- throw _err("BAD_OPT", "staticServe.create: mountPath must be a string");
502
- }
503
- if (opts.hashedPathPattern !== undefined && opts.hashedPathPattern !== null &&
504
- !(opts.hashedPathPattern instanceof RegExp)) {
505
- throw _err("BAD_OPT", "staticServe.create: hashedPathPattern must be a RegExp");
506
- }
507
- // indexFile === null is the operator's "disable" sentinel; the helper
508
- // returns null/undefined unchanged so we keep that semantic.
509
- validateOpts.optionalNonEmptyString(opts.indexFile,
510
- "staticServe.create: indexFile", StaticServeError, "BAD_OPT");
511
- numericBounds.requireNonNegativeFiniteIntIfPresent(opts.defaultMaxAge,
512
- "staticServe.create: defaultMaxAge", StaticServeError, "BAD_OPT");
513
- validateOpts.optionalPlainObject(opts.contentTypes,
514
- "staticServe.create: contentTypes", StaticServeError, "BAD_OPT");
515
- validateOpts.optionalObjectWithMethod(opts.permissions, "check",
516
- "staticServe.create: permissions", StaticServeError, "BAD_OPT",
517
- "must be a b.permissions instance (check fn)");
518
- validateOpts.optionalObjectWithMethod(opts.cache, "get",
519
- "staticServe.create: cache", StaticServeError, "BAD_OPT",
520
- "must be a b.cache instance (used for cluster-shared bandwidth + concurrency tracking)");
521
- validateOpts.optionalObjectWithMethod(opts.fileType, "detect",
522
- "staticServe.create: fileType", StaticServeError, "BAD_OPT",
523
- "must be a b.fileType instance (magic-byte MIME detection)");
524
- validateOpts.optionalObjectWithMethod(opts.retention, "isServable",
525
- "staticServe.create: retention", StaticServeError, "BAD_OPT",
526
- "must expose isServable(absPath, ctx) → boolean (compliance retention check)");
527
- validateOpts.optionalObjectWithMethod(opts.revokeStore, "isRevoked",
528
- "staticServe.create: revokeStore", StaticServeError, "BAD_OPT",
529
- "must expose isRevoked(key) and revoke(key) for force-revoke support");
530
- validateOpts.optionalNonEmptyStringArray(opts.allowedFileTypes,
531
- "staticServe.create: allowedFileTypes", StaticServeError, "BAD_OPT");
532
619
  if (Array.isArray(opts.allowedFileTypes) && opts.allowedFileTypes.length > 0 &&
533
620
  (!opts.fileType || typeof opts.fileType.detect !== "function")) {
534
621
  throw _err("BAD_OPT",
535
622
  "staticServe.create: allowedFileTypes is set but fileType primitive is not wired " +
536
623
  "(pass fileType: b.fileType so the framework can sniff magic bytes before serving)");
537
624
  }
538
- validateOpts.auditShape(opts.audit, "staticServe.create", StaticServeError);
539
- validateOpts.observabilityShape(opts.observability, "staticServe.create", StaticServeError);
540
- validateOpts.optionalFunction(opts.onServe, "staticServe.create: onServe", StaticServeError);
541
- validateOpts.optionalFunction(opts.onError, "staticServe.create: onError", StaticServeError);
542
- // contentSafety extension-keyed gate map. Default behaviour: when
543
- // undefined, the framework wires b.guardAll.byExtension({ profile:
544
- // "strict" }) automatically so every shipped guard is ON by default.
545
- // Explicit opt-out: contentSafety: null (audited at create() time so
546
- // a security review can reconstruct which deploys disabled the
547
- // default-on protection).
625
+ // contentSafety — extension-keyed gate map; validated in the shape above
626
+ // (plain { ext: gate } object / null opt-out / undefined default-on).
627
+ // When undefined, the framework wires b.guardAll.byExtension({ profile:
628
+ // "strict" }) automatically so every shipped guard is ON by default;
629
+ // contentSafety: null is the explicit opt-out, audited at create() time so
630
+ // a security review can reconstruct which deploys disabled the default-on
631
+ // protection.
548
632
  // Example: contentSafety: { ".csv": b.guardCsv.gate({ profile: "strict" }) }
549
- if (opts.contentSafety !== undefined && opts.contentSafety !== null) {
550
- validateOpts.optionalPlainObject(opts.contentSafety,
551
- "staticServe.create: contentSafety", StaticServeError, "BAD_OPT",
552
- "must be a plain { ext: gate } object, null to opt out, or " +
553
- "undefined for the default-on b.guardAll wiring");
554
- var safetyKeys = Object.keys(opts.contentSafety);
555
- for (var sk = 0; sk < safetyKeys.length; sk++) {
556
- var ext = safetyKeys[sk];
557
- var g = opts.contentSafety[ext];
558
- if (!g || typeof g.check !== "function") {
559
- throw _err("BAD_OPT",
560
- "staticServe.create: contentSafety[" + JSON.stringify(ext) +
561
- "] must be a gate (b.guardCsv.gate / b.guardHtml.gate / etc.)");
562
- }
563
- }
564
- }
565
- validateOpts.optionalBoolean(opts.acceptRanges, "staticServe.create: acceptRanges", StaticServeError);
566
- validateOpts.optionalBoolean(opts.auditSuccess, "staticServe.create: auditSuccess", StaticServeError);
567
- validateOpts.optionalBoolean(opts.auditFailures, "staticServe.create: auditFailures", StaticServeError);
568
- validateOpts.optionalBoolean(opts.safeAttachmentForRiskyMimes,
569
- "staticServe.create: safeAttachmentForRiskyMimes", StaticServeError);
570
633
  // mountType — config-time enum. A typo ("usercontent", "uploads")
571
634
  // would silently fall back to the curated default and serve untrusted
572
635
  // HTML inline, so THROW at boot rather than mis-type the mount.
@@ -576,22 +639,6 @@ function _validateCreateOpts(opts) {
576
639
  "staticServe.create: mountType must be 'curated' (default) or " +
577
640
  "'user-content'; got " + JSON.stringify(opts.mountType));
578
641
  }
579
- validateOpts.optionalBoolean(opts.forceAttachmentForNonText,
580
- "staticServe.create: forceAttachmentForNonText", StaticServeError);
581
- validateOpts.optionalBoolean(opts.safeRenderSvg,
582
- "staticServe.create: safeRenderSvg", StaticServeError);
583
- validateOpts.optionalBoolean(opts.safeRenderPdf,
584
- "staticServe.create: safeRenderPdf", StaticServeError);
585
- numericBounds.requireNonNegativeFiniteIntIfPresent(opts.maxBytesPerActorPerWindowMs,
586
- "staticServe.create: maxBytesPerActorPerWindowMs", StaticServeError, "BAD_OPT");
587
- numericBounds.requireNonNegativeFiniteIntIfPresent(opts.maxBytesAllActorsPerWindowMs,
588
- "staticServe.create: maxBytesAllActorsPerWindowMs", StaticServeError, "BAD_OPT");
589
- numericBounds.requirePositiveFiniteIntIfPresent(opts.bandwidthWindowMs,
590
- "staticServe.create: bandwidthWindowMs", StaticServeError, "BAD_OPT");
591
- numericBounds.requireNonNegativeFiniteIntIfPresent(opts.maxConcurrentDownloadsPerActor,
592
- "staticServe.create: maxConcurrentDownloadsPerActor", StaticServeError, "BAD_OPT");
593
- numericBounds.requirePositiveFiniteIntIfPresent(opts.maxIdleMs,
594
- "staticServe.create: maxIdleMs", StaticServeError, "BAD_OPT");
595
642
  // Quotas require a cache for cluster-shared coordination.
596
643
  if ((opts.maxBytesPerActorPerWindowMs > 0 ||
597
644
  opts.maxBytesAllActorsPerWindowMs > 0 ||
@@ -701,20 +748,11 @@ async function integrity(absPath) {
701
748
 
702
749
  function create(opts) {
703
750
  opts = opts || {};
704
- // The v0.6.x test surface called `validateOpts(opts, [...allowed], label)`
705
- // for the unknown-key check. Preserve that gate in addition to the
706
- // throw-at-config-time validation so tests catch typos.
707
- validateOpts(opts, [
708
- "root", "mountPath", "hashedPathPattern",
709
- "indexFile", "defaultMaxAge", "contentTypes",
710
- "permissions", "cache", "fileType", "retention", "revokeStore",
711
- "allowedFileTypes", "audit", "observability", "onServe", "onError",
712
- "acceptRanges", "auditSuccess", "auditFailures",
713
- "maxBytesPerActorPerWindowMs", "maxBytesAllActorsPerWindowMs",
714
- "bandwidthWindowMs", "maxConcurrentDownloadsPerActor", "maxIdleMs",
715
- "contentSafety", "contentSafetyDisabledReason",
716
- "mountType", "forceAttachmentForNonText", "safeRenderSvg", "safeRenderPdf",
717
- ], "staticServe.create");
751
+ // The exhaustive shape() in _validateCreateOpts is the authoritative
752
+ // unknown-key gate: any opt not declared in its schema (nor listed in
753
+ // its options.allow pass-through) is rejected as an unknown opt, so the
754
+ // typo-catching the v0.6.x `validateOpts(opts, [...allowed])` call gave
755
+ // is now subsumed by the per-field validation below.
718
756
  _validateCreateOpts(opts);
719
757
  var cfg = validateOpts.applyDefaults(opts, DEFAULTS);
720
758
  var root = nodePath.resolve(opts.root);
@@ -38,10 +38,12 @@
38
38
  * Filesystem-and-cloud-backed object storage with sealed per-file encryption keys, classification routing, and residency enforcement.
39
39
  */
40
40
  var C = require("./constants");
41
+ var safeBuffer = require("./safe-buffer");
41
42
  var { generateBytes, encryptPacked, decryptPacked } = require("./crypto");
42
43
  var objectStore = require("./object-store");
43
44
  var lazyRequire = require("./lazy-require");
44
45
  var numericBounds = require("./numeric-bounds");
46
+ var codepointClass = require("./codepoint-class");
45
47
  var canonicalJson = require("./canonical-json");
46
48
  var { StorageError } = require("./framework-error");
47
49
 
@@ -950,7 +952,7 @@ function _validateAssemblyId(id) {
950
952
  for (var i = 0; i < id.length; i += 1) {
951
953
  var c = id.charCodeAt(i);
952
954
  // Refuse: C0 (0x00-0x1F), DEL (0x7F), slash, backslash, dot-prefix
953
- if (c < 0x20 || c === 0x2F || c === 0x5C || c === 0x7F) {
955
+ if (codepointClass.isForbiddenControlChar(c, { forbidTab: true }) || c === 0x2F || c === 0x5C) {
954
956
  throw _err("INVALID_ARGUMENT",
955
957
  "chunkScratch: assemblyId carries forbidden character at byte " + i, true);
956
958
  }
@@ -1083,7 +1085,7 @@ function chunkScratch(opts) {
1083
1085
  if (!Buffer.isBuffer(args.data)) {
1084
1086
  throw _err("INVALID_ARGUMENT", "chunkScratch.saveChunk: data must be a Buffer", true);
1085
1087
  }
1086
- if (args.data.length > maxChunkBytes) {
1088
+ if (safeBuffer.byteLengthOf(args.data) > maxChunkBytes) {
1087
1089
  throw _err("INVALID_ARGUMENT",
1088
1090
  "chunkScratch.saveChunk: chunk exceeds maxChunkBytes (" + args.data.length + " > " + maxChunkBytes + ")", true);
1089
1091
  }
@@ -70,6 +70,7 @@
70
70
  // node:util is a builtin (no lib require cycle) — used for strict UTF-8
71
71
  // validation of RFC 9651 Display Strings.
72
72
  var TextDecoder = require("node:util").TextDecoder;
73
+ var codepointClass = require("./codepoint-class");
73
74
 
74
75
  function splitTopLevel(s, sep) {
75
76
  if (typeof s !== "string") return [];
@@ -103,6 +104,261 @@ function splitTopLevel(s, sep) {
103
104
  return out;
104
105
  }
105
106
 
107
+ /**
108
+ * @primitive b.structuredFields.splitUnquoted
109
+ * @signature b.structuredFields.splitUnquoted(s, sep)
110
+ * @since 0.15.13
111
+ * @status stable
112
+ * @related b.structuredFields.splitTopLevel
113
+ *
114
+ * Split `s` on every `sep` that falls OUTSIDE a `"..."` quoted run — the
115
+ * iCalendar / vCard variant of the quote-aware splitter. A `"` toggles the
116
+ * quoted state and there is NO backslash escaping of the quote (RFC 5545
117
+ * 3.1.1 / RFC 6350 3.3 QSAFE-CHAR excludes DQUOTE, so a `"` always opens or
118
+ * closes a run). This is deliberately simpler than `splitTopLevel`, which
119
+ * honours HTTP structured-field backslash-quote escapes; the two are NOT
120
+ * interchangeable. Accepts any single-character separator.
121
+ *
122
+ * @example
123
+ * b.structuredFields.splitUnquoted('a;b="x;y";c', ";");
124
+ * // returns ['a', 'b="x;y"', 'c']
125
+ */
126
+ function splitUnquoted(s, sep) {
127
+ var out = [];
128
+ var inQ = false;
129
+ var start = 0;
130
+ for (var i = 0; i < s.length; i++) {
131
+ var c = s.charAt(i);
132
+ if (c === '"') { inQ = !inQ; continue; }
133
+ if (c === sep && !inQ) {
134
+ out.push(s.slice(start, i));
135
+ start = i + 1;
136
+ }
137
+ }
138
+ out.push(s.slice(start));
139
+ return out;
140
+ }
141
+
142
+ /**
143
+ * @primitive b.structuredFields.stripDoubleQuotes
144
+ * @signature b.structuredFields.stripDoubleQuotes(s)
145
+ * @since 0.15.13
146
+ * @status stable
147
+ * @related b.structuredFields.splitUnquoted, b.structuredFields.unquoteSfString
148
+ *
149
+ * Strip ONE layer of surrounding `"` from `s` when both ends are a double
150
+ * quote (length ≥ 2), otherwise return `s` unchanged. The plain DQUOTE
151
+ * unwrap used by the iCal / vCard parsers for a quoted parameter value —
152
+ * no backslash-escape processing (RFC 5545 3.1 / RFC 6350 5: a quoted
153
+ * param value is QSAFE-CHAR, which excludes DQUOTE, so there is nothing to
154
+ * unescape). Distinct from `unquoteSfString`, which decodes HTTP
155
+ * structured-field `\"` / `\\` escapes.
156
+ *
157
+ * @example
158
+ * b.structuredFields.stripDoubleQuotes('"a;b"');
159
+ * // returns 'a;b'
160
+ *
161
+ * b.structuredFields.stripDoubleQuotes('plain');
162
+ * // returns 'plain'
163
+ */
164
+ function stripDoubleQuotes(s) {
165
+ if (s.length >= 2 && s.charAt(0) === '"' && s.charAt(s.length - 1) === '"') {
166
+ return s.slice(1, -1);
167
+ }
168
+ return s;
169
+ }
170
+
171
+ /**
172
+ * @primitive b.structuredFields.unfoldHeaderContinuations
173
+ * @signature b.structuredFields.unfoldHeaderContinuations(value)
174
+ * @since 0.15.13
175
+ * @status stable
176
+ * @related b.structuredFields.parseTagList
177
+ *
178
+ * Collapse RFC 5322 folding whitespace — a CRLF (or bare LF) followed by one
179
+ * or more spaces/tabs — back to a single space, reversing the line folding a
180
+ * header value may carry in transit. Used before parsing DKIM / ARC /
181
+ * Authentication-Results tag lists, where a folded `b=` / `bh=` value must be
182
+ * rejoined before its base64 is read.
183
+ *
184
+ * @example
185
+ * b.structuredFields.unfoldHeaderContinuations("v=DKIM1;\r\n k=rsa");
186
+ * // returns "v=DKIM1; k=rsa"
187
+ */
188
+ function unfoldHeaderContinuations(value) {
189
+ return String(value).replace(/\r?\n[ \t]+/g, " ");
190
+ }
191
+
192
+ /**
193
+ * @primitive b.structuredFields.parseKeyValuePiece
194
+ * @signature b.structuredFields.parseKeyValuePiece(piece, kvSep?, lowerKey?)
195
+ * @since 0.15.13
196
+ * @status stable
197
+ * @related b.structuredFields.parseTagList, b.structuredFields.splitTopLevel
198
+ *
199
+ * Parse ONE already-split list piece into a `{ key, value }` pair: `key` is the
200
+ * text before the first `kvSep` (default "="), trimmed and — unless `lowerKey`
201
+ * is `false` — lower-cased; `value` is the raw remainder (the caller trims /
202
+ * unquotes / sf-string-parses it per its own grammar). A piece with NO `kvSep`
203
+ * is a "bare" item — `value` is null — which the caller handles per its grammar
204
+ * (skip it, or treat as a flag-style directive).
205
+ *
206
+ * The shared per-pair step behind every `key=value` list parser: the naive
207
+ * `parseTagList` loop AND the quote-aware parsers that first `splitTopLevel`
208
+ * then parse each piece (Cache-Control directives, Client-Hints brand params,
209
+ * Content-Type parameters). `lowerKey:false` serves the rare grammar whose key
210
+ * is case-sensitive (a verbatim tag-list passthrough).
211
+ *
212
+ * @example
213
+ * b.structuredFields.parseKeyValuePiece("Max-Age=60"); // → { key: "max-age", value: "60" }
214
+ * b.structuredFields.parseKeyValuePiece("no-store"); // → { key: "no-store", value: null }
215
+ * b.structuredFields.parseKeyValuePiece("Key=a=b", "=", false); // → { key: "Key", value: "a=b" }
216
+ */
217
+ function parseKeyValuePiece(piece, kvSep, lowerKey) {
218
+ var sep = kvSep || "=";
219
+ var at = piece.indexOf(sep);
220
+ var rawKey = (at === -1 ? piece : piece.slice(0, at)).trim();
221
+ var key = lowerKey === false ? rawKey : rawKey.toLowerCase();
222
+ return { key: key, value: at === -1 ? null : piece.slice(at + sep.length) };
223
+ }
224
+
225
+ /**
226
+ * @primitive b.structuredFields.parseTagList
227
+ * @signature b.structuredFields.parseTagList(input, opts?)
228
+ * @since 0.15.13
229
+ * @status stable
230
+ * @related b.structuredFields.splitTopLevel
231
+ *
232
+ * Parse a NAIVE delimited `key<kvSep>value` tag list into an ordered
233
+ * array of `[key, value]` pairs. This is the non-quote-aware sibling
234
+ * of `splitTopLevel`: it is for grammars whose RFC forbids the DQUOTE
235
+ * structured-string form, so a bare `split` is correct and a
236
+ * quote-aware walk would be wrong — DKIM (RFC 6376 §3.2), DMARC
237
+ * (RFC 7489 §6.4), ARC (RFC 8617 §4), BIMI (RFC 9091 §4), and the
238
+ * MTA-STS policy grammar (RFC 8461, line/colon delimited).
239
+ *
240
+ * Pairs are returned (not a map) so a caller whose grammar permits a
241
+ * repeated key — MTA-STS `mx:` lines list one host each — keeps every
242
+ * occurrence; a caller wanting last-wins map semantics folds the
243
+ * pairs into a plain object itself. Order is preserved, so a caller
244
+ * that throws on a malformed value throws at the same point it would
245
+ * have mid-loop.
246
+ *
247
+ * Entries that are empty after trimming, or carry no `kvSep`, are
248
+ * skipped (matching every shipped parser's prior behavior).
249
+ *
250
+ * @opts
251
+ * sep: string|RegExp, // entry separator. default: ";" (MTA-STS uses /\r?\n/)
252
+ * kvSep: string, // key/value separator. default: "=" (MTA-STS uses ":")
253
+ * unfold: boolean, // collapse CRLF+WSP folds to a space first (DKIM FWS). default: false
254
+ * stripValueWs: boolean, // strip all whitespace inside each value (DKIM/ARC FWS). default: false
255
+ * lowerKey: boolean, // lower-case each key. default: true (set false to preserve case)
256
+ *
257
+ * @example
258
+ * b.structuredFields.parseTagList("v=DKIM1; k=rsa; p=MIGf");
259
+ * // → [ ["v", "DKIM1"], ["k", "rsa"], ["p", "MIGf"] ]
260
+ *
261
+ * b.structuredFields.parseTagList("version:STSv1\nmx:a.example\nmx:b.example",
262
+ * { sep: /\r?\n/, kvSep: ":" });
263
+ * // → [ ["version","STSv1"], ["mx","a.example"], ["mx","b.example"] ]
264
+ */
265
+ function parseTagList(input, opts) {
266
+ opts = opts || {};
267
+ var sep = opts.sep === undefined ? ";" : opts.sep;
268
+ var kvSep = opts.kvSep === undefined ? "=" : opts.kvSep;
269
+ var s = String(input);
270
+ if (opts.unfold) s = unfoldHeaderContinuations(s);
271
+ var kvps = parseKeyValuePieces(s.split(sep), 0, kvSep, opts.lowerKey);
272
+ var out = [];
273
+ forEachKeyValue(kvps, function (key, val) {
274
+ if (opts.stripValueWs) val = val.replace(/\s+/g, "");
275
+ out.push([key, val]);
276
+ });
277
+ return out;
278
+ }
279
+
280
+ /**
281
+ * @primitive b.structuredFields.parseKeyValuePieces
282
+ * @signature b.structuredFields.parseKeyValuePieces(pieces, startIndex?, kvSep?, lowerKey?)
283
+ * @since 0.15.13
284
+ * @status stable
285
+ * @related b.structuredFields.parseKeyValuePiece, b.structuredFields.parseTagList
286
+ *
287
+ * Iterate an already-split list of structured-field pieces, trimming each,
288
+ * dropping empties, and parsing the survivors into `{ key, value }` records
289
+ * via `parseKeyValuePiece`. `startIndex` skips a leading non-pair token (the
290
+ * media type in a `Content-Type`, the brand in a `Sec-CH-UA` member); `kvSep`
291
+ * overrides the default `"="`; `lowerKey:false` preserves key case for a
292
+ * case-sensitive grammar.
293
+ *
294
+ * The split is left to the caller because the boundary discipline differs by
295
+ * grammar — `splitTopLevel` honours quotes/parens for RFC 8941 lists, while a
296
+ * plain `String(value).split(";")` is right where inner separators cannot be
297
+ * quoted. Per-piece dispatch (unquote, numeric coercion, poisoned-key drops)
298
+ * stays with the caller; this owns only the uniform iterate-trim-skip-parse
299
+ * spine the parsers shared verbatim.
300
+ *
301
+ * @opts
302
+ * startIndex: number, // default: 0 — first piece treated as a key/value pair
303
+ * kvSep: string, // default: "=" — key/value separator within a piece
304
+ * lowerKey: boolean, // default: true — lower-case each parsed key
305
+ *
306
+ * @example
307
+ * var kvps = b.structuredFields.parseKeyValuePieces(
308
+ * b.structuredFields.splitTopLevel("max-age=600, immutable", ","));
309
+ * // → [ { key: "max-age", value: "600" }, { key: "immutable", value: null } ]
310
+ */
311
+ function parseKeyValuePieces(pieces, startIndex, kvSep, lowerKey) {
312
+ var out = [];
313
+ for (var i = startIndex || 0; i < pieces.length; i += 1) {
314
+ var p = pieces[i].trim();
315
+ if (p.length === 0) continue;
316
+ out.push(parseKeyValuePiece(p, kvSep, lowerKey));
317
+ }
318
+ return out;
319
+ }
320
+
321
+ /**
322
+ * @primitive b.structuredFields.forEachKeyValue
323
+ * @signature b.structuredFields.forEachKeyValue(kvps, handler)
324
+ * @since 0.15.13
325
+ * @status stable
326
+ * @related b.structuredFields.parseKeyValuePieces, b.structuredFields.parseTagList
327
+ *
328
+ * Consume the `{ key, value }` records from `parseKeyValuePieces`: skip
329
+ * the bare entries (those with a `null` value — a key that carried no
330
+ * separator), trim each surviving value, and invoke
331
+ * `handler(key, trimmedValue, index)`. The mirror of
332
+ * `parseKeyValuePieces` on the consuming side — that primitive owns the
333
+ * parse spine, this owns the iterate-skip-bare-trim spine every header
334
+ * parser repeated verbatim before dispatching.
335
+ *
336
+ * Per-key dispatch (sf-string unquoting, numeric coercion, poisoned-key
337
+ * drops, building a typed result) stays in the handler — a handler that
338
+ * `return`s skips the current entry, exactly like a `continue`. Parsers
339
+ * that instead treat a bare key as meaningful (a value-less directive)
340
+ * iterate the records directly rather than calling this.
341
+ *
342
+ * @example
343
+ * var b = require("blamejs");
344
+ *
345
+ * var out = {};
346
+ * var kvps = b.structuredFields.parseKeyValuePieces("a=1; b=2".split(";"));
347
+ * b.structuredFields.forEachKeyValue(kvps, function (key, value) {
348
+ * out[key] = value;
349
+ * });
350
+ * // out → { a: "1", b: "2" }
351
+ */
352
+ function forEachKeyValue(kvps, handler) {
353
+ if (typeof handler !== "function") {
354
+ throw new TypeError("structuredFields.forEachKeyValue: handler must be a function");
355
+ }
356
+ for (var i = 0; i < kvps.length; i += 1) {
357
+ if (kvps[i].value === null) continue;
358
+ handler(kvps[i].key, kvps[i].value.trim(), i);
359
+ }
360
+ }
361
+
106
362
  /**
107
363
  * @primitive b.structuredFields.refuseControlBytes
108
364
  * @signature b.structuredFields.refuseControlBytes(value, opts)
@@ -155,22 +411,18 @@ function refuseControlBytes(value, opts) {
155
411
  if (!opts.label || typeof opts.label !== "string") {
156
412
  throw new TypeError("refuseControlBytes: opts.label (non-empty string) is required");
157
413
  }
158
- var allowHt = opts.allowHt !== false;
159
- for (var i = 0; i < value.length; i += 1) {
160
- var cc = value.charCodeAt(i);
161
- if (allowHt && cc === 9) continue; // ASCII HT (folding whitespace)
162
- if (cc < 32 || cc === 127) { // C0 + DEL codepoint range
163
- var msg = opts.label + ": value contains control characters (C0 / DEL)";
164
- // opts.useNativeError === true → call the ErrorClass with a
165
- // single-arg `message` (matches native Error / TypeError /
166
- // RangeError signatures used by defensive request-shape
167
- // readers). Default false → call with (code, message) which
168
- // matches every framework-error class generated by `defineClass`.
169
- if (opts.useNativeError === true) {
170
- throw new opts.ErrorClass(msg);
171
- }
172
- throw new opts.ErrorClass(opts.code, msg);
414
+ var allowHt = opts.allowHt !== false; // ASCII HT (folding whitespace) permitted unless allowHt === false
415
+ if (codepointClass.firstControlCharOffset(value, { forbidTab: !allowHt }) !== -1) { // C0 + DEL codepoint range
416
+ var msg = opts.label + ": value contains control characters (C0 / DEL)";
417
+ // opts.useNativeError === true call the ErrorClass with a
418
+ // single-arg `message` (matches native Error / TypeError /
419
+ // RangeError signatures used by defensive request-shape
420
+ // readers). Default false → call with (code, message) which
421
+ // matches every framework-error class generated by `defineClass`.
422
+ if (opts.useNativeError === true) {
423
+ throw new opts.ErrorClass(msg);
173
424
  }
425
+ throw new opts.ErrorClass(opts.code, msg);
174
426
  }
175
427
  }
176
428
 
@@ -271,7 +523,7 @@ function containsControlBytes(value, opts) {
271
523
  for (var i = 0; i < value.length; i += 1) {
272
524
  var cc = value.charCodeAt(i);
273
525
  if (allowHt && cc === 9) continue; // ASCII HT (folding whitespace)
274
- if (cc < 32 || cc === 127) return true; // C0 + DEL codepoint range
526
+ if (codepointClass.isForbiddenControlChar(cc, { forbidTab: true })) return true; // C0 + DEL codepoint range
275
527
  }
276
528
  return false;
277
529
  }
@@ -707,6 +959,13 @@ function serialize(value, type, opts) {
707
959
 
708
960
  module.exports = {
709
961
  splitTopLevel: splitTopLevel,
962
+ splitUnquoted: splitUnquoted,
963
+ stripDoubleQuotes: stripDoubleQuotes,
964
+ parseTagList: parseTagList,
965
+ unfoldHeaderContinuations: unfoldHeaderContinuations,
966
+ parseKeyValuePiece: parseKeyValuePiece,
967
+ parseKeyValuePieces: parseKeyValuePieces,
968
+ forEachKeyValue: forEachKeyValue,
710
969
  refuseControlBytes: refuseControlBytes,
711
970
  containsControlBytes: containsControlBytes,
712
971
  unquoteSfString: unquoteSfString,
@@ -183,16 +183,7 @@ function create(opts) {
183
183
  return defaultBytesCap;
184
184
  }
185
185
 
186
- function _emitAudit(action, outcome, metadata) {
187
- if (!auditOn) return;
188
- try {
189
- audit().safeEmit({
190
- action: action,
191
- outcome: outcome,
192
- metadata: metadata || {},
193
- });
194
- } catch (_e) { /* audit best-effort */ }
195
- }
186
+ var _emitAudit = audit().namespaced(null, { audit: auditOn });
196
187
 
197
188
  function _emitMetric(name, n) {
198
189
  try { observability().safeEvent(name, n || 1, {}); }
@@ -375,16 +366,7 @@ function budget(opts) {
375
366
  return c;
376
367
  }
377
368
 
378
- function _emitAudit(action, outcome, metadata) {
379
- if (!auditOn) return;
380
- try {
381
- audit().safeEmit({
382
- action: action,
383
- outcome: outcome,
384
- metadata: metadata || {},
385
- });
386
- } catch (_e) { /* audit best-effort */ }
387
- }
369
+ var _emitAudit = audit().namespaced(null, { audit: auditOn });
388
370
 
389
371
  function _emitMetric(name, n) {
390
372
  try { observability().safeEvent(name, n || 1, {}); }