@blamejs/blamejs-shop 0.4.56 → 0.4.58

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (402) hide show
  1. package/CHANGELOG.md +4 -0
  2. package/lib/affiliates.js +35 -4
  3. package/lib/api-keys.js +17 -2
  4. package/lib/asset-manifest.json +1 -1
  5. package/lib/backorder.js +21 -4
  6. package/lib/click-and-collect.js +11 -2
  7. package/lib/credit-limits.js +132 -84
  8. package/lib/vendor/MANIFEST.json +426 -366
  9. package/lib/vendor/blamejs/.github/codeql/codeql-config.yml +25 -0
  10. package/lib/vendor/blamejs/.github/workflows/actions-lint.yml +3 -3
  11. package/lib/vendor/blamejs/.github/workflows/cflite_batch.yml +1 -1
  12. package/lib/vendor/blamejs/.github/workflows/cflite_pr.yml +1 -1
  13. package/lib/vendor/blamejs/.github/workflows/ci.yml +13 -13
  14. package/lib/vendor/blamejs/.github/workflows/codeql.yml +8 -7
  15. package/lib/vendor/blamejs/.github/workflows/npm-publish.yml +2 -2
  16. package/lib/vendor/blamejs/.github/workflows/release-container.yml +4 -4
  17. package/lib/vendor/blamejs/.github/workflows/scorecard.yml +1 -1
  18. package/lib/vendor/blamejs/.github/workflows/sha-to-tag-verify.yml +1 -1
  19. package/lib/vendor/blamejs/CHANGELOG.md +2 -0
  20. package/lib/vendor/blamejs/api-snapshot.json +1381 -4
  21. package/lib/vendor/blamejs/eslint.config.mjs +1 -0
  22. package/lib/vendor/blamejs/examples/wiki/lib/source-comment-block-validator.js +4 -1
  23. package/lib/vendor/blamejs/examples/wiki/lib/symbol-index.js +5 -2
  24. package/lib/vendor/blamejs/examples/wiki/routes/pages.js +4 -1
  25. package/lib/vendor/blamejs/fuzz/guard-text.fuzz.js +20 -0
  26. package/lib/vendor/blamejs/index.js +2 -0
  27. package/lib/vendor/blamejs/lib/a2a-tasks.js +7 -23
  28. package/lib/vendor/blamejs/lib/acme.js +6 -5
  29. package/lib/vendor/blamejs/lib/agent-event-bus.js +5 -4
  30. package/lib/vendor/blamejs/lib/agent-idempotency.js +2 -5
  31. package/lib/vendor/blamejs/lib/agent-orchestrator.js +2 -5
  32. package/lib/vendor/blamejs/lib/agent-saga.js +3 -5
  33. package/lib/vendor/blamejs/lib/agent-tenant.js +2 -5
  34. package/lib/vendor/blamejs/lib/ai-adverse-decision.js +2 -15
  35. package/lib/vendor/blamejs/lib/ai-capability.js +1 -6
  36. package/lib/vendor/blamejs/lib/ai-dp.js +1 -5
  37. package/lib/vendor/blamejs/lib/ai-input.js +2 -2
  38. package/lib/vendor/blamejs/lib/ai-pref.js +3 -8
  39. package/lib/vendor/blamejs/lib/ai-quota.js +3 -14
  40. package/lib/vendor/blamejs/lib/api-key.js +37 -28
  41. package/lib/vendor/blamejs/lib/archive-adapters.js +2 -4
  42. package/lib/vendor/blamejs/lib/archive-entry-policy.js +32 -0
  43. package/lib/vendor/blamejs/lib/archive-read.js +5 -17
  44. package/lib/vendor/blamejs/lib/archive-tar-read.js +5 -16
  45. package/lib/vendor/blamejs/lib/archive.js +2 -10
  46. package/lib/vendor/blamejs/lib/arg-parser.js +7 -6
  47. package/lib/vendor/blamejs/lib/asyncapi-traits.js +2 -6
  48. package/lib/vendor/blamejs/lib/atomic-file.js +108 -31
  49. package/lib/vendor/blamejs/lib/audit-chain.js +133 -53
  50. package/lib/vendor/blamejs/lib/audit-daily-review.js +24 -14
  51. package/lib/vendor/blamejs/lib/audit-emit.js +82 -0
  52. package/lib/vendor/blamejs/lib/audit-sign.js +257 -0
  53. package/lib/vendor/blamejs/lib/audit.js +84 -0
  54. package/lib/vendor/blamejs/lib/auth/access-lock.js +5 -27
  55. package/lib/vendor/blamejs/lib/auth/dpop.js +23 -35
  56. package/lib/vendor/blamejs/lib/auth/fido-mds3.js +9 -15
  57. package/lib/vendor/blamejs/lib/auth/jwt-external.js +26 -8
  58. package/lib/vendor/blamejs/lib/auth/jwt.js +13 -15
  59. package/lib/vendor/blamejs/lib/auth/lockout.js +6 -25
  60. package/lib/vendor/blamejs/lib/auth/oauth.js +67 -45
  61. package/lib/vendor/blamejs/lib/auth/oid4vci.js +55 -32
  62. package/lib/vendor/blamejs/lib/auth/oid4vp.js +3 -2
  63. package/lib/vendor/blamejs/lib/auth/openid-federation.js +6 -6
  64. package/lib/vendor/blamejs/lib/auth/passkey.js +3 -3
  65. package/lib/vendor/blamejs/lib/auth/password.js +7 -1
  66. package/lib/vendor/blamejs/lib/auth/saml.js +37 -27
  67. package/lib/vendor/blamejs/lib/auth/sd-jwt-vc-holder.js +2 -14
  68. package/lib/vendor/blamejs/lib/auth/sd-jwt-vc-issuer.js +2 -14
  69. package/lib/vendor/blamejs/lib/auth/sd-jwt-vc.js +1 -1
  70. package/lib/vendor/blamejs/lib/auth/status-list.js +7 -7
  71. package/lib/vendor/blamejs/lib/auth/step-up.js +6 -12
  72. package/lib/vendor/blamejs/lib/auth-bot-challenge.js +6 -37
  73. package/lib/vendor/blamejs/lib/backup/bundle.js +11 -18
  74. package/lib/vendor/blamejs/lib/backup/index.js +14 -47
  75. package/lib/vendor/blamejs/lib/bounded-map.js +112 -1
  76. package/lib/vendor/blamejs/lib/breach-deadline.js +1 -11
  77. package/lib/vendor/blamejs/lib/cache.js +7 -18
  78. package/lib/vendor/blamejs/lib/cbor.js +2 -1
  79. package/lib/vendor/blamejs/lib/cdn-cache-control.js +8 -9
  80. package/lib/vendor/blamejs/lib/cert.js +3 -10
  81. package/lib/vendor/blamejs/lib/chain-writer.js +162 -47
  82. package/lib/vendor/blamejs/lib/cli.js +5 -1
  83. package/lib/vendor/blamejs/lib/client-hints.js +7 -9
  84. package/lib/vendor/blamejs/lib/cloud-events.js +40 -31
  85. package/lib/vendor/blamejs/lib/cluster-storage.js +2 -38
  86. package/lib/vendor/blamejs/lib/cms-codec.js +2 -1
  87. package/lib/vendor/blamejs/lib/codepoint-class.js +67 -1
  88. package/lib/vendor/blamejs/lib/compliance-ai-act-logging.js +1 -6
  89. package/lib/vendor/blamejs/lib/compliance-ai-act-transparency.js +2 -4
  90. package/lib/vendor/blamejs/lib/compliance-eaa.js +1 -11
  91. package/lib/vendor/blamejs/lib/compliance-sanctions-fetcher.js +21 -28
  92. package/lib/vendor/blamejs/lib/compliance-sanctions.js +2 -14
  93. package/lib/vendor/blamejs/lib/compliance.js +2 -9
  94. package/lib/vendor/blamejs/lib/config-drift.js +2 -12
  95. package/lib/vendor/blamejs/lib/content-digest.js +10 -8
  96. package/lib/vendor/blamejs/lib/cookies.js +5 -11
  97. package/lib/vendor/blamejs/lib/cose.js +19 -11
  98. package/lib/vendor/blamejs/lib/cra-report.js +1 -11
  99. package/lib/vendor/blamejs/lib/crypto-field.js +5 -10
  100. package/lib/vendor/blamejs/lib/crypto.js +120 -3
  101. package/lib/vendor/blamejs/lib/csp.js +235 -3
  102. package/lib/vendor/blamejs/lib/daemon.js +42 -41
  103. package/lib/vendor/blamejs/lib/data-act.js +19 -9
  104. package/lib/vendor/blamejs/lib/db-query.js +6 -40
  105. package/lib/vendor/blamejs/lib/db.js +34 -12
  106. package/lib/vendor/blamejs/lib/dbsc.js +5 -6
  107. package/lib/vendor/blamejs/lib/ddl-change-control.js +18 -14
  108. package/lib/vendor/blamejs/lib/deprecate.js +4 -5
  109. package/lib/vendor/blamejs/lib/did.js +6 -2
  110. package/lib/vendor/blamejs/lib/dsr.js +8 -12
  111. package/lib/vendor/blamejs/lib/external-db-migrate.js +21 -22
  112. package/lib/vendor/blamejs/lib/external-db.js +14 -26
  113. package/lib/vendor/blamejs/lib/fda-21cfr11.js +12 -8
  114. package/lib/vendor/blamejs/lib/fdx.js +22 -18
  115. package/lib/vendor/blamejs/lib/file-upload.js +80 -66
  116. package/lib/vendor/blamejs/lib/flag-evaluation-context.js +5 -8
  117. package/lib/vendor/blamejs/lib/framework-error.js +12 -0
  118. package/lib/vendor/blamejs/lib/framework-schema.js +19 -0
  119. package/lib/vendor/blamejs/lib/fsm.js +7 -12
  120. package/lib/vendor/blamejs/lib/gate-contract.js +869 -38
  121. package/lib/vendor/blamejs/lib/gdpr-ropa.js +4 -13
  122. package/lib/vendor/blamejs/lib/graphql-federation.js +1 -1
  123. package/lib/vendor/blamejs/lib/guard-agent-registry.js +2 -1
  124. package/lib/vendor/blamejs/lib/guard-all.js +1 -0
  125. package/lib/vendor/blamejs/lib/guard-archive.js +9 -30
  126. package/lib/vendor/blamejs/lib/guard-auth.js +23 -80
  127. package/lib/vendor/blamejs/lib/guard-cidr.js +20 -96
  128. package/lib/vendor/blamejs/lib/guard-csv.js +135 -196
  129. package/lib/vendor/blamejs/lib/guard-domain.js +23 -106
  130. package/lib/vendor/blamejs/lib/guard-dsn.js +16 -13
  131. package/lib/vendor/blamejs/lib/guard-email.js +46 -53
  132. package/lib/vendor/blamejs/lib/guard-envelope.js +1 -1
  133. package/lib/vendor/blamejs/lib/guard-event-bus-topic.js +2 -1
  134. package/lib/vendor/blamejs/lib/guard-filename.js +12 -60
  135. package/lib/vendor/blamejs/lib/guard-graphql.js +28 -75
  136. package/lib/vendor/blamejs/lib/guard-html-wcag.js +15 -2
  137. package/lib/vendor/blamejs/lib/guard-html.js +65 -117
  138. package/lib/vendor/blamejs/lib/guard-idempotency-key.js +2 -1
  139. package/lib/vendor/blamejs/lib/guard-image.js +280 -77
  140. package/lib/vendor/blamejs/lib/guard-imap-command.js +8 -9
  141. package/lib/vendor/blamejs/lib/guard-json.js +87 -103
  142. package/lib/vendor/blamejs/lib/guard-jsonpath.js +20 -88
  143. package/lib/vendor/blamejs/lib/guard-jwt.js +32 -114
  144. package/lib/vendor/blamejs/lib/guard-list-id.js +2 -7
  145. package/lib/vendor/blamejs/lib/guard-list-unsubscribe.js +2 -7
  146. package/lib/vendor/blamejs/lib/guard-mail-compose.js +5 -6
  147. package/lib/vendor/blamejs/lib/guard-mail-move.js +2 -1
  148. package/lib/vendor/blamejs/lib/guard-mail-query.js +5 -3
  149. package/lib/vendor/blamejs/lib/guard-mail-sieve.js +6 -7
  150. package/lib/vendor/blamejs/lib/guard-managesieve-command.js +5 -4
  151. package/lib/vendor/blamejs/lib/guard-markdown.js +76 -110
  152. package/lib/vendor/blamejs/lib/guard-message-id.js +5 -6
  153. package/lib/vendor/blamejs/lib/guard-mime.js +20 -99
  154. package/lib/vendor/blamejs/lib/guard-oauth.js +19 -73
  155. package/lib/vendor/blamejs/lib/guard-pdf.js +65 -72
  156. package/lib/vendor/blamejs/lib/guard-pop3-command.js +12 -13
  157. package/lib/vendor/blamejs/lib/guard-posture-chain.js +2 -1
  158. package/lib/vendor/blamejs/lib/guard-regex.js +24 -99
  159. package/lib/vendor/blamejs/lib/guard-saga-config.js +2 -1
  160. package/lib/vendor/blamejs/lib/guard-shell.js +22 -87
  161. package/lib/vendor/blamejs/lib/guard-smtp-command.js +8 -11
  162. package/lib/vendor/blamejs/lib/guard-sql.js +15 -13
  163. package/lib/vendor/blamejs/lib/guard-stream-args.js +2 -1
  164. package/lib/vendor/blamejs/lib/guard-svg.js +95 -140
  165. package/lib/vendor/blamejs/lib/guard-template.js +23 -80
  166. package/lib/vendor/blamejs/lib/guard-tenant-id.js +2 -1
  167. package/lib/vendor/blamejs/lib/guard-text.js +592 -0
  168. package/lib/vendor/blamejs/lib/guard-time.js +27 -95
  169. package/lib/vendor/blamejs/lib/guard-uuid.js +21 -93
  170. package/lib/vendor/blamejs/lib/guard-xml.js +76 -106
  171. package/lib/vendor/blamejs/lib/guard-yaml.js +24 -60
  172. package/lib/vendor/blamejs/lib/http-client-cache.js +5 -12
  173. package/lib/vendor/blamejs/lib/http-client-cookie-jar.js +2 -4
  174. package/lib/vendor/blamejs/lib/http-client.js +8 -21
  175. package/lib/vendor/blamejs/lib/http-message-signature.js +3 -2
  176. package/lib/vendor/blamejs/lib/i18n-messageformat.js +5 -7
  177. package/lib/vendor/blamejs/lib/i18n.js +83 -26
  178. package/lib/vendor/blamejs/lib/inbox.js +8 -8
  179. package/lib/vendor/blamejs/lib/incident-report.js +3 -21
  180. package/lib/vendor/blamejs/lib/ip-utils.js +49 -6
  181. package/lib/vendor/blamejs/lib/jobs.js +3 -2
  182. package/lib/vendor/blamejs/lib/keychain.js +6 -18
  183. package/lib/vendor/blamejs/lib/legal-hold.js +6 -15
  184. package/lib/vendor/blamejs/lib/log-stream-cloudwatch.js +44 -112
  185. package/lib/vendor/blamejs/lib/log-stream-otlp-grpc.js +17 -14
  186. package/lib/vendor/blamejs/lib/log-stream-otlp.js +16 -80
  187. package/lib/vendor/blamejs/lib/log-stream-webhook.js +20 -92
  188. package/lib/vendor/blamejs/lib/mail-arc-sign.js +8 -3
  189. package/lib/vendor/blamejs/lib/mail-arf.js +3 -2
  190. package/lib/vendor/blamejs/lib/mail-auth.js +40 -66
  191. package/lib/vendor/blamejs/lib/mail-bimi.js +19 -39
  192. package/lib/vendor/blamejs/lib/mail-crypto-pgp.js +3 -2
  193. package/lib/vendor/blamejs/lib/mail-dav.js +8 -35
  194. package/lib/vendor/blamejs/lib/mail-deploy.js +6 -9
  195. package/lib/vendor/blamejs/lib/mail-dkim.js +19 -38
  196. package/lib/vendor/blamejs/lib/mail-greylist.js +15 -26
  197. package/lib/vendor/blamejs/lib/mail-helo.js +2 -3
  198. package/lib/vendor/blamejs/lib/mail-journal.js +2 -1
  199. package/lib/vendor/blamejs/lib/mail-mdn.js +4 -3
  200. package/lib/vendor/blamejs/lib/mail-rbl.js +5 -8
  201. package/lib/vendor/blamejs/lib/mail-scan.js +2 -2
  202. package/lib/vendor/blamejs/lib/mail-send-deliver.js +33 -20
  203. package/lib/vendor/blamejs/lib/mail-server-imap.js +32 -87
  204. package/lib/vendor/blamejs/lib/mail-server-jmap.js +35 -51
  205. package/lib/vendor/blamejs/lib/mail-server-managesieve.js +29 -83
  206. package/lib/vendor/blamejs/lib/mail-server-mx.js +33 -74
  207. package/lib/vendor/blamejs/lib/mail-server-net.js +177 -0
  208. package/lib/vendor/blamejs/lib/mail-server-pop3.js +30 -83
  209. package/lib/vendor/blamejs/lib/mail-server-rate-limit.js +30 -6
  210. package/lib/vendor/blamejs/lib/mail-server-submission.js +34 -73
  211. package/lib/vendor/blamejs/lib/mail-server-tls.js +89 -0
  212. package/lib/vendor/blamejs/lib/mail-spam-score.js +7 -8
  213. package/lib/vendor/blamejs/lib/mail-store.js +3 -2
  214. package/lib/vendor/blamejs/lib/mail.js +6 -11
  215. package/lib/vendor/blamejs/lib/markup-escape.js +31 -0
  216. package/lib/vendor/blamejs/lib/markup-tokenizer.js +54 -0
  217. package/lib/vendor/blamejs/lib/mcp-tool-registry.js +26 -23
  218. package/lib/vendor/blamejs/lib/mcp.js +1 -1
  219. package/lib/vendor/blamejs/lib/mdoc.js +11 -12
  220. package/lib/vendor/blamejs/lib/metrics.js +32 -30
  221. package/lib/vendor/blamejs/lib/middleware/age-gate.js +3 -23
  222. package/lib/vendor/blamejs/lib/middleware/api-encrypt.js +11 -22
  223. package/lib/vendor/blamejs/lib/middleware/assetlinks.js +2 -7
  224. package/lib/vendor/blamejs/lib/middleware/bearer-auth.js +2 -1
  225. package/lib/vendor/blamejs/lib/middleware/body-parser.js +31 -48
  226. package/lib/vendor/blamejs/lib/middleware/bot-disclose.js +7 -10
  227. package/lib/vendor/blamejs/lib/middleware/bot-guard.js +2 -10
  228. package/lib/vendor/blamejs/lib/middleware/csrf-protect.js +13 -2
  229. package/lib/vendor/blamejs/lib/middleware/daily-byte-quota.js +6 -26
  230. package/lib/vendor/blamejs/lib/middleware/deny-response.js +19 -1
  231. package/lib/vendor/blamejs/lib/middleware/fetch-metadata.js +7 -0
  232. package/lib/vendor/blamejs/lib/middleware/idempotency-key.js +4 -20
  233. package/lib/vendor/blamejs/lib/middleware/rate-limit.js +20 -28
  234. package/lib/vendor/blamejs/lib/middleware/scim-server.js +3 -2
  235. package/lib/vendor/blamejs/lib/middleware/security-headers.js +9 -1
  236. package/lib/vendor/blamejs/lib/middleware/security-txt.js +2 -6
  237. package/lib/vendor/blamejs/lib/middleware/tus-upload.js +12 -27
  238. package/lib/vendor/blamejs/lib/middleware/web-app-manifest.js +2 -7
  239. package/lib/vendor/blamejs/lib/migrations.js +4 -13
  240. package/lib/vendor/blamejs/lib/mime-parse.js +34 -17
  241. package/lib/vendor/blamejs/lib/module-loader.js +44 -0
  242. package/lib/vendor/blamejs/lib/money.js +105 -0
  243. package/lib/vendor/blamejs/lib/mtls-ca.js +116 -36
  244. package/lib/vendor/blamejs/lib/network-byte-quota.js +4 -18
  245. package/lib/vendor/blamejs/lib/network-dane.js +8 -6
  246. package/lib/vendor/blamejs/lib/network-dns-resolver.js +97 -6
  247. package/lib/vendor/blamejs/lib/network-dnssec.js +16 -16
  248. package/lib/vendor/blamejs/lib/network-heartbeat.js +3 -2
  249. package/lib/vendor/blamejs/lib/network-smtp-policy.js +29 -41
  250. package/lib/vendor/blamejs/lib/network-tls.js +40 -42
  251. package/lib/vendor/blamejs/lib/nis2-report.js +1 -11
  252. package/lib/vendor/blamejs/lib/nonce-store.js +81 -3
  253. package/lib/vendor/blamejs/lib/numeric-bounds.js +22 -8
  254. package/lib/vendor/blamejs/lib/object-store/azure-blob-bucket-ops.js +2 -6
  255. package/lib/vendor/blamejs/lib/object-store/azure-blob.js +5 -45
  256. package/lib/vendor/blamejs/lib/object-store/gcs.js +8 -71
  257. package/lib/vendor/blamejs/lib/object-store/http-put.js +1 -5
  258. package/lib/vendor/blamejs/lib/object-store/http-request.js +128 -0
  259. package/lib/vendor/blamejs/lib/object-store/sigv4-bucket-ops.js +2 -1
  260. package/lib/vendor/blamejs/lib/object-store/sigv4.js +9 -77
  261. package/lib/vendor/blamejs/lib/observability-otlp-exporter.js +9 -25
  262. package/lib/vendor/blamejs/lib/observability.js +95 -0
  263. package/lib/vendor/blamejs/lib/openapi-paths-builder.js +7 -3
  264. package/lib/vendor/blamejs/lib/otel-export.js +7 -10
  265. package/lib/vendor/blamejs/lib/outbox.js +43 -37
  266. package/lib/vendor/blamejs/lib/pagination.js +11 -15
  267. package/lib/vendor/blamejs/lib/parsers/safe-env.js +5 -4
  268. package/lib/vendor/blamejs/lib/parsers/safe-ini.js +10 -4
  269. package/lib/vendor/blamejs/lib/parsers/safe-toml.js +11 -9
  270. package/lib/vendor/blamejs/lib/parsers/safe-xml.js +2 -2
  271. package/lib/vendor/blamejs/lib/parsers/safe-yaml.js +7 -6
  272. package/lib/vendor/blamejs/lib/pick.js +63 -5
  273. package/lib/vendor/blamejs/lib/pipl-cn.js +69 -59
  274. package/lib/vendor/blamejs/lib/privacy-pass.js +8 -6
  275. package/lib/vendor/blamejs/lib/problem-details.js +2 -5
  276. package/lib/vendor/blamejs/lib/pubsub.js +4 -8
  277. package/lib/vendor/blamejs/lib/redact.js +2 -1
  278. package/lib/vendor/blamejs/lib/render.js +4 -2
  279. package/lib/vendor/blamejs/lib/request-helpers.js +133 -6
  280. package/lib/vendor/blamejs/lib/restore.js +5 -22
  281. package/lib/vendor/blamejs/lib/retention.js +3 -5
  282. package/lib/vendor/blamejs/lib/safe-async.js +457 -0
  283. package/lib/vendor/blamejs/lib/safe-buffer.js +137 -6
  284. package/lib/vendor/blamejs/lib/safe-decompress.js +2 -1
  285. package/lib/vendor/blamejs/lib/safe-dns.js +2 -1
  286. package/lib/vendor/blamejs/lib/safe-ical.js +12 -26
  287. package/lib/vendor/blamejs/lib/safe-json.js +7 -8
  288. package/lib/vendor/blamejs/lib/safe-jsonpath.js +6 -5
  289. package/lib/vendor/blamejs/lib/safe-mime.js +25 -29
  290. package/lib/vendor/blamejs/lib/safe-redirect.js +2 -5
  291. package/lib/vendor/blamejs/lib/safe-schema.js +7 -6
  292. package/lib/vendor/blamejs/lib/safe-sql.js +126 -0
  293. package/lib/vendor/blamejs/lib/safe-vcard.js +12 -26
  294. package/lib/vendor/blamejs/lib/sandbox-worker.js +9 -2
  295. package/lib/vendor/blamejs/lib/sandbox.js +3 -2
  296. package/lib/vendor/blamejs/lib/scheduler.js +5 -12
  297. package/lib/vendor/blamejs/lib/sec-cyber.js +82 -37
  298. package/lib/vendor/blamejs/lib/seeders.js +4 -11
  299. package/lib/vendor/blamejs/lib/self-update.js +92 -69
  300. package/lib/vendor/blamejs/lib/session-device-binding.js +112 -66
  301. package/lib/vendor/blamejs/lib/session.js +194 -6
  302. package/lib/vendor/blamejs/lib/sql.js +225 -78
  303. package/lib/vendor/blamejs/lib/sse.js +6 -10
  304. package/lib/vendor/blamejs/lib/static.js +136 -98
  305. package/lib/vendor/blamejs/lib/storage.js +4 -2
  306. package/lib/vendor/blamejs/lib/structured-fields.js +275 -16
  307. package/lib/vendor/blamejs/lib/tenant-quota.js +2 -20
  308. package/lib/vendor/blamejs/lib/tsa.js +11 -15
  309. package/lib/vendor/blamejs/lib/validate-opts.js +154 -8
  310. package/lib/vendor/blamejs/lib/vault/seal-pem-file.js +30 -48
  311. package/lib/vendor/blamejs/lib/vault-aad.js +3 -2
  312. package/lib/vendor/blamejs/lib/vc.js +2 -7
  313. package/lib/vendor/blamejs/lib/vex.js +35 -13
  314. package/lib/vendor/blamejs/lib/web-push-vapid.js +23 -20
  315. package/lib/vendor/blamejs/lib/webhook-dispatcher.js +706 -0
  316. package/lib/vendor/blamejs/lib/webhook.js +43 -18
  317. package/lib/vendor/blamejs/lib/websocket-channels.js +9 -7
  318. package/lib/vendor/blamejs/lib/websocket.js +7 -3
  319. package/lib/vendor/blamejs/lib/worm.js +2 -3
  320. package/lib/vendor/blamejs/lib/ws-client.js +8 -10
  321. package/lib/vendor/blamejs/package.json +1 -1
  322. package/lib/vendor/blamejs/release-notes/v0.15.13.json +81 -0
  323. package/lib/vendor/blamejs/scripts/check-changelog-extract.js +1 -1
  324. package/lib/vendor/blamejs/test/00-primitives.js +136 -7
  325. package/lib/vendor/blamejs/test/10-state.js +9 -3
  326. package/lib/vendor/blamejs/test/30-chain.js +40 -0
  327. package/lib/vendor/blamejs/test/helpers/check.js +18 -0
  328. package/lib/vendor/blamejs/test/helpers/db.js +4 -0
  329. package/lib/vendor/blamejs/test/helpers/index.js +1 -0
  330. package/lib/vendor/blamejs/test/integration/audit-chain-external-db.test.js +2 -1
  331. package/lib/vendor/blamejs/test/integration/audit-stack-postgres.test.js +2 -1
  332. package/lib/vendor/blamejs/test/integration/data-layer-mysql.test.js +8 -1
  333. package/lib/vendor/blamejs/test/integration/data-layer-pg.test.js +1 -1
  334. package/lib/vendor/blamejs/test/integration/framework-schema-mysql.test.js +2 -1
  335. package/lib/vendor/blamejs/test/integration/webhook-dispatcher-pg.test.js +269 -0
  336. package/lib/vendor/blamejs/test/layer-0-primitives/atomic-file-fd-read.test.js +149 -0
  337. package/lib/vendor/blamejs/test/layer-0-primitives/audit-framework-namespaces.test.js +51 -0
  338. package/lib/vendor/blamejs/test/layer-0-primitives/audit-sign-anchor.test.js +88 -0
  339. package/lib/vendor/blamejs/test/layer-0-primitives/audit-use-store.test.js +55 -1
  340. package/lib/vendor/blamejs/test/layer-0-primitives/backup-object-store-adapter.test.js +2 -2
  341. package/lib/vendor/blamejs/test/layer-0-primitives/bot-guard.test.js +1 -1
  342. package/lib/vendor/blamejs/test/layer-0-primitives/bounded-map.test.js +129 -0
  343. package/lib/vendor/blamejs/test/layer-0-primitives/chain-writer-multichain.test.js +107 -0
  344. package/lib/vendor/blamejs/test/layer-0-primitives/cli-api-key.test.js +12 -0
  345. package/lib/vendor/blamejs/test/layer-0-primitives/codebase-patterns.test.js +2788 -3214
  346. package/lib/vendor/blamejs/test/layer-0-primitives/codepoint-class.test.js +78 -0
  347. package/lib/vendor/blamejs/test/layer-0-primitives/crypto-base64url.test.js +63 -0
  348. package/lib/vendor/blamejs/test/layer-0-primitives/crypto-hash-stream.test.js +2 -1
  349. package/lib/vendor/blamejs/test/layer-0-primitives/csp-builder.test.js +50 -0
  350. package/lib/vendor/blamejs/test/layer-0-primitives/csp-nonce.test.js +1 -1
  351. package/lib/vendor/blamejs/test/layer-0-primitives/daemon.test.js +2 -1
  352. package/lib/vendor/blamejs/test/layer-0-primitives/defineguard-resolve-opts.test.js +76 -0
  353. package/lib/vendor/blamejs/test/layer-0-primitives/flag.test.js +9 -0
  354. package/lib/vendor/blamejs/test/layer-0-primitives/gate-contract-content-gate.test.js +290 -0
  355. package/lib/vendor/blamejs/test/layer-0-primitives/guard-csv.test.js +84 -0
  356. package/lib/vendor/blamejs/test/layer-0-primitives/guard-email.test.js +78 -0
  357. package/lib/vendor/blamejs/test/layer-0-primitives/guard-filename.test.js +23 -0
  358. package/lib/vendor/blamejs/test/layer-0-primitives/guard-gate-disposition-coverage.test.js +93 -0
  359. package/lib/vendor/blamejs/test/layer-0-primitives/guard-html.test.js +60 -0
  360. package/lib/vendor/blamejs/test/layer-0-primitives/guard-image.test.js +184 -0
  361. package/lib/vendor/blamejs/test/layer-0-primitives/guard-imap-command.test.js +0 -0
  362. package/lib/vendor/blamejs/test/layer-0-primitives/guard-json.test.js +54 -0
  363. package/lib/vendor/blamejs/test/layer-0-primitives/guard-managesieve-command.test.js +10 -0
  364. package/lib/vendor/blamejs/test/layer-0-primitives/guard-markdown.test.js +45 -0
  365. package/lib/vendor/blamejs/test/layer-0-primitives/guard-pdf.test.js +101 -0
  366. package/lib/vendor/blamejs/test/layer-0-primitives/guard-pop3-command.test.js +18 -0
  367. package/lib/vendor/blamejs/test/layer-0-primitives/guard-svg.test.js +76 -0
  368. package/lib/vendor/blamejs/test/layer-0-primitives/guard-text.test.js +365 -0
  369. package/lib/vendor/blamejs/test/layer-0-primitives/guard-xml.test.js +35 -0
  370. package/lib/vendor/blamejs/test/layer-0-primitives/guard-yaml.test.js +36 -0
  371. package/lib/vendor/blamejs/test/layer-0-primitives/i18n.test.js +20 -0
  372. package/lib/vendor/blamejs/test/layer-0-primitives/inbox.test.js +15 -0
  373. package/lib/vendor/blamejs/test/layer-0-primitives/ip-utils.test.js +83 -0
  374. package/lib/vendor/blamejs/test/layer-0-primitives/mail-arf.test.js +10 -0
  375. package/lib/vendor/blamejs/test/layer-0-primitives/mail-auth.test.js +39 -0
  376. package/lib/vendor/blamejs/test/layer-0-primitives/mail-dkim.test.js +36 -0
  377. package/lib/vendor/blamejs/test/layer-0-primitives/mail-greylist.test.js +17 -0
  378. package/lib/vendor/blamejs/test/layer-0-primitives/mail-server-tls.test.js +39 -0
  379. package/lib/vendor/blamejs/test/layer-0-primitives/mail-store.test.js +17 -0
  380. package/lib/vendor/blamejs/test/layer-0-primitives/mime-parse.test.js +106 -0
  381. package/lib/vendor/blamejs/test/layer-0-primitives/money.test.js +17 -0
  382. package/lib/vendor/blamejs/test/layer-0-primitives/mtls-ca-revocation.test.js +98 -0
  383. package/lib/vendor/blamejs/test/layer-0-primitives/nonce-store-release.test.js +77 -0
  384. package/lib/vendor/blamejs/test/layer-0-primitives/observability.test.js +48 -0
  385. package/lib/vendor/blamejs/test/layer-0-primitives/rate-limit-memory-getorinsert.test.js +100 -0
  386. package/lib/vendor/blamejs/test/layer-0-primitives/request-helpers.test.js +88 -0
  387. package/lib/vendor/blamejs/test/layer-0-primitives/safe-async-loops.test.js +278 -0
  388. package/lib/vendor/blamejs/test/layer-0-primitives/safe-buffer-linear-scans.test.js +37 -0
  389. package/lib/vendor/blamejs/test/layer-0-primitives/safe-jsonpath.test.js +14 -0
  390. package/lib/vendor/blamejs/test/layer-0-primitives/sandbox.test.js +19 -0
  391. package/lib/vendor/blamejs/test/layer-0-primitives/security-headers.test.js +1 -1
  392. package/lib/vendor/blamejs/test/layer-0-primitives/self-update.test.js +2 -1
  393. package/lib/vendor/blamejs/test/layer-0-primitives/session-device-binding.test.js +18 -0
  394. package/lib/vendor/blamejs/test/layer-0-primitives/session-extensions.test.js +1 -1
  395. package/lib/vendor/blamejs/test/layer-0-primitives/session-valid-from.test.js +73 -0
  396. package/lib/vendor/blamejs/test/layer-0-primitives/sql.test.js +100 -0
  397. package/lib/vendor/blamejs/test/layer-0-primitives/structured-fields.test.js +80 -0
  398. package/lib/vendor/blamejs/test/layer-0-primitives/validate-opts-shape.test.js +235 -0
  399. package/lib/vendor/blamejs/test/layer-0-primitives/webhook-dispatcher.test.js +374 -0
  400. package/lib/vendor/blamejs/test/layer-0-primitives/webhook.test.js +75 -8
  401. package/lib/vendor/blamejs/test/layer-5-integration/guard-host-integration.test.js +3 -3
  402. package/package.json +1 -1
@@ -53,6 +53,7 @@
53
53
 
54
54
  var nodeCrypto = require("node:crypto");
55
55
  var bCrypto = require("./crypto");
56
+ var safeBuffer = require("./safe-buffer");
56
57
  var asn1 = require("./asn1-der");
57
58
  var cms = require("./cms-codec");
58
59
  var validateOpts = require("./validate-opts");
@@ -104,12 +105,12 @@ var DIGEST_OID_TO_NODE = {
104
105
  "2.16.840.1.101.3.4.2.10": "sha3-512",
105
106
  };
106
107
 
107
- function _bytes(x, what) {
108
- if (Buffer.isBuffer(x)) return x;
109
- if (x instanceof Uint8Array) return Buffer.from(x);
110
- if (typeof x === "string") return Buffer.from(x, "utf8");
111
- throw new TsaError("tsa/bad-bytes", "tsa: " + what + " must be Buffer / Uint8Array / string");
112
- }
108
+ var _bytes = safeBuffer.makeByteCoercer({
109
+ errorClass: TsaError,
110
+ typeCode: "tsa/bad-bytes",
111
+ messagePrefix: "tsa: ",
112
+ messageSuffix: " must be Buffer / Uint8Array / string",
113
+ });
113
114
 
114
115
  function _normHex(h) {
115
116
  return String(h).replace(/[^0-9a-fA-F]/g, "").replace(/^0+(?=.)/, "").toUpperCase();
@@ -658,15 +659,10 @@ function verifyToken(token, opts) {
658
659
  throw new TsaError("tsa/bad-trust-anchors",
659
660
  "tsa.verifyToken: trustAnchorsPem must be a non-empty PEM string or array of PEM strings");
660
661
  }
661
- // A supplied opts.at must be a valid Date — an Invalid Date would
662
- // make every validity-window comparison NaN (silently disabling it).
663
- var at = tst.genTime;
664
- if (opts.at !== undefined && opts.at !== null) {
665
- if (!(opts.at instanceof Date) || !isFinite(opts.at.getTime())) {
666
- throw new TsaError("tsa/bad-at", "tsa.verifyToken: opts.at must be a valid Date");
667
- }
668
- at = opts.at;
669
- }
662
+ // A supplied opts.at must be a valid Date — an Invalid Date would make
663
+ // every validity-window comparison NaN (silently disabling it).
664
+ validateOpts.optionalDate(opts.at, "tsa.verifyToken: opts.at", TsaError, "tsa/bad-at");
665
+ var at = (opts.at !== undefined && opts.at !== null) ? opts.at : tst.genTime;
670
666
  _verifyChain(signerCertDer, sd.certificates, anchors, at);
671
667
  }
672
668
 
@@ -28,6 +28,7 @@
28
28
  */
29
29
 
30
30
  var numericBounds = require("./numeric-bounds");
31
+ var pick = require("./pick");
31
32
 
32
33
  function _format(primitive, unknownKey, allowedKeys) {
33
34
  return primitive + ": unknown option '" + unknownKey + "'. " +
@@ -78,13 +79,18 @@ function auditShape(audit, callerLabel, errorClass, code) {
78
79
  // _throw — shared error-emission for the optional* validators. Routes
79
80
  // through the caller's framework-error class when supplied, falls back
80
81
  // to plain Error so this helper itself stays decoupled from any one
81
- // error hierarchy.
82
- function _throw(errorClass, code, msg, defaultCode) {
82
+ // error hierarchy. `permanent` (optional) is forwarded as the framework
83
+ // error's third constructor argument so callers whose config-time failure
84
+ // is non-retryable (a misconfigured dependency never becomes valid on
85
+ // retry) keep that flag when they route through these validators instead
86
+ // of hand-throwing; omitted → undefined → the class default (false), so
87
+ // existing callers are unaffected.
88
+ function _throw(errorClass, code, msg, defaultCode, permanent) {
83
89
  if (errorClass && errorClass.factory) {
84
- throw errorClass.factory(code || "BAD_OPT", msg);
90
+ throw errorClass.factory(code || "BAD_OPT", msg, permanent);
85
91
  }
86
92
  if (typeof errorClass === "function") {
87
- throw new errorClass(code || defaultCode, msg);
93
+ throw new errorClass(code || defaultCode, msg, permanent);
88
94
  }
89
95
  throw new Error(msg);
90
96
  }
@@ -132,6 +138,15 @@ function optionalFiniteNonNegative(value, label, errorClass, code) {
132
138
  return value;
133
139
  }
134
140
 
141
+ function optionalDate(value, label, errorClass, code) {
142
+ if (value === undefined || value === null) return value;
143
+ if (!(value instanceof Date) || !isFinite(value.getTime())) {
144
+ _throw(errorClass, code, (label || "opt") + " must be a valid Date",
145
+ "validate-opts/bad-date");
146
+ }
147
+ return value;
148
+ }
149
+
135
150
  function optionalPositiveFinite(value, label, errorClass, code) {
136
151
  if (value === undefined || value === null) return value;
137
152
  if (typeof value !== "number" || !isFinite(value) || value <= 0) {
@@ -218,18 +233,25 @@ function requireObject(opts, callerLabel, errorClass, code) {
218
233
  // (b.agent.*.reseal stores, b.dsr / b.outbox create() backends, etc.)
219
234
  // into one definition. Throws on null / non-object / any missing-or-
220
235
  // non-function method; returns obj on success.
221
- function requireMethods(obj, methods, callerLabel, errorClass, code) {
236
+ //
237
+ // `permanent` (optional) forwards to the framework error's permanent flag
238
+ // — pass true for a config-time dependency check whose failure is not
239
+ // retryable (a backend/store/vault missing its contract never becomes
240
+ // valid on retry). Omitted → the error class default (false), matching
241
+ // the historical bare `new Err(code, msg)` shape, so existing callers are
242
+ // unchanged.
243
+ function requireMethods(obj, methods, callerLabel, errorClass, code, permanent) {
222
244
  var label = callerLabel || "dependency";
223
245
  if (!obj || typeof obj !== "object") {
224
246
  _throw(errorClass, code, label + " must be an object exposing { " +
225
247
  methods.join(", ") + " }, got " + (obj === null ? "null" : typeof obj),
226
- "validate-opts/bad-methods-object");
248
+ "validate-opts/bad-methods-object", permanent);
227
249
  }
228
250
  for (var i = 0; i < methods.length; i += 1) {
229
251
  if (typeof obj[methods[i]] !== "function") {
230
252
  _throw(errorClass, code, label + " must expose a " + methods[i] +
231
253
  "() method (requires { " + methods.join(", ") + " })",
232
- "validate-opts/missing-method");
254
+ "validate-opts/missing-method", permanent);
233
255
  }
234
256
  }
235
257
  return obj;
@@ -331,6 +353,128 @@ function optionalPlainObject(value, label, errorClass, code, description) {
331
353
  return value;
332
354
  }
333
355
 
356
+ // _SHAPE_RULES — rule-token → validator dispatch table for `shape`. Each
357
+ // validator has the uniform (value, label, errorClass, code) signature, so the
358
+ // table drives them all from a declarative schema.
359
+ var _SHAPE_RULES = {
360
+ "required-string": requireNonEmptyString,
361
+ "optional-string": optionalNonEmptyString,
362
+ "optional-string-array": optionalNonEmptyStringArray,
363
+ "optional-boolean": optionalBoolean,
364
+ "optional-positive-int": optionalPositiveInt,
365
+ "optional-positive-finite": optionalPositiveFinite,
366
+ "optional-non-negative": optionalFiniteNonNegative,
367
+ "optional-date": optionalDate,
368
+ "optional-function": optionalFunction,
369
+ "optional-plain-object": optionalPlainObject,
370
+ "optional-port": optionalPort,
371
+ // numeric-bounds finite-int family (rejects Infinity/NaN, unlike the
372
+ // optional-positive-int sugar) — so byte/count caps declare in the shape
373
+ // rather than a separate numericBounds call outside it.
374
+ "optional-positive-finite-int": numericBounds.requirePositiveFiniteIntIfPresent,
375
+ "optional-non-negative-finite-int": numericBounds.requireNonNegativeFiniteIntIfPresent,
376
+ "required-positive-finite-int": numericBounds.requirePositiveFiniteInt,
377
+ };
378
+
379
+ // shape — declarative opts validator. Collapses the `requireObject(opts) +
380
+ // requireNonEmptyString(opts.a) + optionalPositiveFinite(opts.b) + ...` preamble
381
+ // that every create()/build() factory re-rolls into one schema-driven call.
382
+ // The schema is expressive enough that a factory never has to contort its
383
+ // validation to fit a fixed vocabulary — each opt's rule is ANY of:
384
+ //
385
+ // - a rule TOKEN (see _SHAPE_RULES) — sugar for the common per-field checks,
386
+ // using the call-wide `code`;
387
+ // - a per-field DESCRIPTOR `{ rule: "<token>", code?, label? }` — keeps a
388
+ // DISTINCT per-field code (BAD_THIRD_PARTY vs BAD_CONSUMER_REF) or a custom
389
+ // label, so behavior a per-field test asserts is preserved;
390
+ // - an injected-DEPENDENCY `{ methods: [...], optional?, code?, label? }` —
391
+ // validated via requireMethods;
392
+ // - a NESTED `{ shape: {...}, optional?, code?, label? }` — recurses into a
393
+ // sub-object field (e.g. opts.authServer.{issuer,jwksUri});
394
+ // - an arbitrary VALIDATOR FUNCTION `(value, label, errorClass, code, opts)
395
+ // => void` that throws on invalid — the universal hatch for a bespoke check.
396
+ // It receives the whole `opts` as the 5th arg, so CROSS-FIELD logic ("field
397
+ // B required when opts.a === X", a custom message, a numeric-bounds call)
398
+ // lives IN the shape rather than as a hand-rolled check outside it.
399
+ //
400
+ // Validates `opts` is an object, then dispatches each declared field; returns
401
+ // opts. An unknown rule token throws at call time — a schema typo is the
402
+ // author's bug, surfaced loudly rather than silently skipping a field.
403
+ //
404
+ // The schema is ALWAYS the authoritative, exhaustive opts contract — there is
405
+ // no opt-in: any key present on `opts` that the schema does not declare (nor
406
+ // list in `options.allow`) is rejected. This is mandatory by design, so the
407
+ // "future code adds an opt but forgets to validate it" gap cannot reopen — an
408
+ // undeclared opt can't be silently consumed, because it is refused here;
409
+ // adding it forces declaring its rule in the schema, where it is validated.
410
+ // (A field declared in the schema is always validated; exhaustiveness adds the
411
+ // converse — nothing reaches the body unvalidated.) `options.allow` is the only
412
+ // escape: an explicit list of keys a factory forwards to a sub-component rather
413
+ // than validating locally — there is no "skip the contract" mode.
414
+ function shape(opts, schema, callerLabel, errorClass, code, options) {
415
+ requireObject(opts, callerLabel, errorClass, code);
416
+ var fields = Object.keys(schema);
417
+ for (var i = 0; i < fields.length; i += 1) {
418
+ var field = fields[i];
419
+ var rule = schema[field];
420
+ var fieldCode = code;
421
+ var label = (callerLabel || "opts") + ": " + field;
422
+ var value = opts[field];
423
+ // Arbitrary validator function — the universal hatch. Receives the whole
424
+ // `opts` as a 5th arg so a rule can do CROSS-FIELD validation (e.g. "field B
425
+ // is required when opts.a === 'material'") without dropping back to inline
426
+ // checks outside the shape.
427
+ if (typeof rule === "function") { rule(value, label, errorClass, fieldCode, opts); continue; }
428
+ if (rule && typeof rule === "object") {
429
+ if (Array.isArray(rule.methods)) {
430
+ if (rule.optional && (value === undefined || value === null)) continue;
431
+ requireMethods(value, rule.methods, rule.label || label, errorClass, rule.code || code, rule.permanent);
432
+ continue;
433
+ }
434
+ // Nested sub-object: validate it is an object, then recurse.
435
+ if (rule.shape && typeof rule.shape === "object") {
436
+ if (rule.optional && (value === undefined || value === null)) continue;
437
+ requireObject(value, rule.label || label, errorClass, rule.code || code);
438
+ shape(value, rule.shape, rule.label || label, errorClass, rule.code || code);
439
+ continue;
440
+ }
441
+ // Per-field descriptor: { rule, code?, label? }.
442
+ if (typeof rule.rule === "string") {
443
+ if (typeof rule.code === "string") fieldCode = rule.code;
444
+ if (typeof rule.label === "string") label = rule.label;
445
+ rule = rule.rule;
446
+ } else {
447
+ _throw(errorClass, code, (callerLabel || "opts") +
448
+ ": unsupported shape rule object for field " + field,
449
+ "validate-opts/bad-shape-rule");
450
+ }
451
+ }
452
+ if (rule === "required-object") { requireObject(value, label, errorClass, fieldCode); continue; }
453
+ var fn = _SHAPE_RULES[rule];
454
+ if (typeof fn !== "function") {
455
+ _throw(errorClass, code, (callerLabel || "opts") +
456
+ ": unknown shape rule " + JSON.stringify(rule) + " for field " + field,
457
+ "validate-opts/bad-shape-rule");
458
+ }
459
+ fn(value, label, errorClass, fieldCode);
460
+ }
461
+ // Exhaustive contract enforcement — always on (the schema is complete).
462
+ var declared = Object.create(null);
463
+ for (var d = 0; d < fields.length; d += 1) declared[fields[d]] = true;
464
+ var allowList = (options && options.allow) || [];
465
+ for (var a = 0; a < allowList.length; a += 1) declared[allowList[a]] = true;
466
+ var present = Object.keys(opts);
467
+ for (var p = 0; p < present.length; p += 1) {
468
+ if (!declared[present[p]]) {
469
+ _throw(errorClass, code, (callerLabel || "opts") +
470
+ ": unknown opt " + JSON.stringify(present[p]) +
471
+ " (not in the validated shape; add it to the schema or pass options.allow)",
472
+ "validate-opts/unknown-opt");
473
+ }
474
+ }
475
+ return opts;
476
+ }
477
+
334
478
  // makeAuditEmitter — closure factory parallel to safeAsync.makeDropCallback.
335
479
  // Replaces the per-file `function _emit(action, info) { if (!audit) return;
336
480
  // try { audit.safeEmit(Object.assign({ action: action }, info || {})); }
@@ -412,7 +556,7 @@ function assignOwnEnumerable(target, source, reservedKeys) {
412
556
  var entries = [];
413
557
  for (var i = 0; i < keys.length; i += 1) {
414
558
  var k = keys[i];
415
- if (k === "__proto__" || k === "constructor" || k === "prototype") continue;
559
+ if (pick.isPoisonedKey(k)) continue;
416
560
  if (reserved[k]) continue;
417
561
  entries.push([k, source[k]]);
418
562
  }
@@ -445,6 +589,7 @@ module.exports.auditShape = auditShape;
445
589
  module.exports.optionalBoolean = optionalBoolean;
446
590
  module.exports.optionalPositiveInt = optionalPositiveInt;
447
591
  module.exports.optionalFiniteNonNegative = optionalFiniteNonNegative;
592
+ module.exports.optionalDate = optionalDate;
448
593
  module.exports.optionalPositiveFinite = optionalPositiveFinite;
449
594
  module.exports.optionalPort = optionalPort;
450
595
  module.exports.optionalFunction = optionalFunction;
@@ -456,6 +601,7 @@ module.exports.requireNonEmptyString = requireNonEmptyString;
456
601
  module.exports.observabilityShape = observabilityShape;
457
602
  module.exports.requireObject = requireObject;
458
603
  module.exports.requireMethods = requireMethods;
604
+ module.exports.shape = shape;
459
605
  module.exports.applyDefaults = applyDefaults;
460
606
  module.exports.makeAuditEmitter = makeAuditEmitter;
461
607
  module.exports.makeNamespacedEmitters = makeNamespacedEmitters;
@@ -185,7 +185,6 @@ function sealPemFile(opts) {
185
185
  // optionalPositiveFinite above already threw on a bad-shaped opts.pollInterval;
186
186
  // here only undefined / null / valid-positive-finite remain.
187
187
  var pollInterval = opts.pollInterval || DEFAULT_POLL_MS;
188
- var auditOn = opts.audit !== false;
189
188
  var onResealed = typeof opts.onResealed === "function" ? opts.onResealed : null;
190
189
  var onError = typeof opts.onError === "function" ? opts.onError : null;
191
190
  validateOpts.optionalPositiveFinite(opts.maxSourceBytes,
@@ -200,16 +199,7 @@ function sealPemFile(opts) {
200
199
  var resealing = false;
201
200
  var pendingMtime = null;
202
201
 
203
- function _emitAudit(action, outcome, metadata) {
204
- if (!auditOn) return;
205
- try {
206
- audit().safeEmit({
207
- action: "vault.seal_pem_file." + action,
208
- outcome: outcome,
209
- metadata: metadata || {},
210
- });
211
- } catch (_e) { /* drop-silent */ }
212
- }
202
+ var _emitAudit = audit().namespaced("vault.seal_pem_file", opts.audit);
213
203
 
214
204
  function _writeSealed(plaintextBytes) {
215
205
  // atomicFile.writeSync already does the .tmp + fsync + rename +
@@ -274,43 +264,35 @@ function sealPemFile(opts) {
274
264
  // source isn't a symlink we don't expect, then read via fd so
275
265
  // a swap-after-stat doesn't change which bytes we read.
276
266
  try {
277
- var lstat = nodeFs.lstatSync(source);
278
- if (lstat.isSymbolicLink()) {
279
- throw new SealPemFileError("seal-pem-file/symlink-refused",
280
- "source is a symlink (refused; follow + re-stat opens TOCTOU)");
281
- }
282
- if (lstat.size > maxSourceBytes) {
283
- throw new SealPemFileError("seal-pem-file/source-too-large",
284
- "source size " + lstat.size + " exceeds maxSourceBytes " + maxSourceBytes);
285
- }
286
- // CodeQL js/file-system-race: the open-fd + fstat + inode-equality
287
- // check (this block and the next) IS the TOCTOU defense. lstat ran
288
- // above, then we open(O_NOFOLLOW-equivalent via the symlink refusal
289
- // above) and rebind every subsequent measurement to the fd's inode.
290
- // Any swap between lstat and open is detected by the fstat.ino !==
291
- // lstat.ino branch below and refused as toctou-detected.
292
- var fd = nodeFs.openSync(source, "r");
293
- try {
294
- var fstat = nodeFs.fstatSync(fd);
295
- // H6 #3 confirm the fd points at the same inode lstat saw.
296
- if (fstat.ino !== lstat.ino || fstat.size > maxSourceBytes) {
297
- throw new SealPemFileError("seal-pem-file/toctou-detected",
298
- "source mutated between lstat and open (TOCTOU defense)");
299
- }
300
- plaintext = Buffer.alloc(fstat.size);
301
- var read = 0;
302
- while (read < fstat.size) {
303
- var n = nodeFs.readSync(fd, plaintext, read, fstat.size - read, null);
304
- if (n === 0) break;
305
- read += n;
306
- }
307
- if (read !== fstat.size) {
308
- throw new SealPemFileError("seal-pem-file/short-read",
309
- "short read: " + read + " of " + fstat.size + " bytes");
310
- }
311
- } finally {
312
- try { nodeFs.closeSync(fd); } catch (_e) { /* close best-effort */ }
313
- }
267
+ // TOCTOU-safe read via atomic-file with the strongest guards:
268
+ // symlink refusal + inode-equality + a byte cap. The bespoke
269
+ // SealPemFileError codes/messages are preserved via errorFor; this
270
+ // call sits inside the outer try/catch that wraps any failure into
271
+ // seal-pem-file/source-read-failed + audit + the onError callback.
272
+ plaintext = atomicFile.fdSafeReadSync(source, {
273
+ refuseSymlink: true,
274
+ inodeCheck: true,
275
+ maxBytes: maxSourceBytes,
276
+ errorFor: function (kind, detail) {
277
+ if (kind === "symlink") {
278
+ return new SealPemFileError("seal-pem-file/symlink-refused",
279
+ "source is a symlink (refused; follow + re-stat opens TOCTOU)");
280
+ }
281
+ if (kind === "too-large") {
282
+ return new SealPemFileError("seal-pem-file/source-too-large",
283
+ "source size " + detail.size + " exceeds maxSourceBytes " + maxSourceBytes);
284
+ }
285
+ if (kind === "toctou") {
286
+ return new SealPemFileError("seal-pem-file/toctou-detected",
287
+ "source mutated between lstat and open (TOCTOU defense)");
288
+ }
289
+ if (kind === "short-read") {
290
+ return new SealPemFileError("seal-pem-file/short-read",
291
+ "short read: " + detail.read + " of " + detail.size + " bytes");
292
+ }
293
+ return undefined;
294
+ },
295
+ });
314
296
  }
315
297
  catch (e) {
316
298
  var err = new SealPemFileError("seal-pem-file/source-read-failed",
@@ -48,6 +48,7 @@
48
48
 
49
49
  var lazyRequire = require("./lazy-require");
50
50
  var validateOpts = require("./validate-opts");
51
+ var pick = require("./pick");
51
52
  var C = require("./constants");
52
53
  var { defineClass } = require("./framework-error");
53
54
  var VaultAadError = defineClass("VaultAadError", { alwaysPermanent: true });
@@ -80,7 +81,7 @@ function _canonicalize(parts) {
80
81
  chunks.push(Buffer.from([AAD_VERSION]));
81
82
  for (var i = 0; i < keys.length; i += 1) {
82
83
  var key = keys[i];
83
- if (key === "__proto__" || key === "constructor" || key === "prototype") {
84
+ if (pick.isPoisonedKey(key)) {
84
85
  throw new VaultAadError("vault-aad/bad-aad",
85
86
  "AAD field name " + JSON.stringify(key) + " is forbidden (poisoned key)");
86
87
  }
@@ -130,7 +131,7 @@ function buildContextAad(parts) {
130
131
  var out = {};
131
132
  for (var k in parts) {
132
133
  if (!Object.prototype.hasOwnProperty.call(parts, k)) continue;
133
- if (k === "__proto__" || k === "constructor" || k === "prototype") continue;
134
+ if (pick.isPoisonedKey(k)) continue;
134
135
  if (parts[k] == null) continue;
135
136
  out[k] = parts[k];
136
137
  }
@@ -316,13 +316,8 @@ async function verify(secured, opts) {
316
316
  if (!opts.publicKey && typeof opts.keyResolver !== "function") {
317
317
  throw new VcError("vc/no-key", "vc.verify: pass publicKey or keyResolver");
318
318
  }
319
- var at = new Date();
320
- if (opts.at !== undefined && opts.at !== null) {
321
- if (!(opts.at instanceof Date) || !isFinite(opts.at.getTime())) {
322
- throw new VcError("vc/bad-at", "vc.verify: opts.at must be a valid Date");
323
- }
324
- at = opts.at;
325
- }
319
+ validateOpts.optionalDate(opts.at, "vc.verify: opts.at", VcError, "vc/bad-at");
320
+ var at = (opts.at !== undefined && opts.at !== null) ? opts.at : new Date();
326
321
 
327
322
  var result = await _verifySecured(secured, opts, JOSE_TYP, COSE_TYP);
328
323
 
@@ -475,18 +475,39 @@ function document(opts) {
475
475
  throw new VexError("vex/bad-opts",
476
476
  "document: opts must be a non-null object");
477
477
  }
478
- validateOpts.requireNonEmptyString(opts.documentId, "documentId", VexError, "vex/missing-documentId");
479
- validateOpts.requireNonEmptyString(opts.title, "title", VexError, "vex/missing-title");
480
- validateOpts.requireNonEmptyString(opts.trackingId, "trackingId", VexError, "vex/missing-trackingId");
481
- validateOpts.requireNonEmptyString(opts.trackingVersion, "trackingVersion", VexError, "vex/missing-trackingVersion");
482
- validateOpts.requireNonEmptyString(opts.currentReleaseDate, "currentReleaseDate", VexError, "vex/missing-currentReleaseDate");
483
- validateOpts.requireNonEmptyString(opts.initialReleaseDate, "initialReleaseDate", VexError, "vex/missing-initialReleaseDate");
484
- if (!opts.publisher || typeof opts.publisher !== "object") {
485
- throw new VexError("vex/missing-publisher",
486
- "document: publisher object is required ({ name, namespace })");
487
- }
488
- validateOpts.requireNonEmptyString(opts.publisher.name, "publisher.name", VexError, "vex/missing-publisher-name");
489
- validateOpts.requireNonEmptyString(opts.publisher.namespace, "publisher.namespace", VexError, "vex/missing-publisher-namespace");
478
+ validateOpts.shape(opts, {
479
+ documentId: { rule: "required-string", code: "vex/missing-documentId", label: "documentId" },
480
+ title: { rule: "required-string", code: "vex/missing-title", label: "title" },
481
+ trackingId: { rule: "required-string", code: "vex/missing-trackingId", label: "trackingId" },
482
+ trackingVersion: { rule: "required-string", code: "vex/missing-trackingVersion", label: "trackingVersion" },
483
+ currentReleaseDate: { rule: "required-string", code: "vex/missing-currentReleaseDate", label: "currentReleaseDate" },
484
+ initialReleaseDate: { rule: "required-string", code: "vex/missing-initialReleaseDate", label: "initialReleaseDate" },
485
+ // publisher is required; the missing/sub-field checks own their own
486
+ // codes (vex/missing-publisher{,-name,-namespace}) the test asserts
487
+ // on. A truthy non-plain-object (array / string) is rejected with
488
+ // vex/bad-opts (optional-plain-object semantics) BEFORE the absent
489
+ // check, then a null/undefined publisher throws vex/missing-publisher,
490
+ // then name/namespace are required non-empty strings.
491
+ publisher: function (v, label, e, c) {
492
+ validateOpts.optionalPlainObject(v, label, e, c);
493
+ if (!v || typeof v !== "object") {
494
+ throw new VexError("vex/missing-publisher",
495
+ "document: publisher object is required ({ name, namespace })");
496
+ }
497
+ validateOpts.requireNonEmptyString(v.name, "publisher.name", VexError, "vex/missing-publisher-name");
498
+ validateOpts.requireNonEmptyString(v.namespace, "publisher.namespace", VexError, "vex/missing-publisher-namespace");
499
+ },
500
+ // The body's Array.isArray check throws vex/bad-statements; the shape
501
+ // only needs to accept the key (an array is not a plain object).
502
+ statements: function () {},
503
+ tlp: "optional-string",
504
+ lang: "optional-string",
505
+ trackingStatus: "optional-string",
506
+ productTreeNames: "optional-plain-object",
507
+ distributionText: { rule: "optional-string", code: "vex/bad-distribution-text", label: "document.distributionText" },
508
+ // distributor is copied onto distribution as-is when truthy.
509
+ distributor: function () {},
510
+ }, "document", VexError, "vex/bad-opts");
490
511
  if (!Array.isArray(opts.statements)) {
491
512
  throw new VexError("vex/bad-statements",
492
513
  "document: statements must be an array of b.vex.statement objects");
@@ -530,7 +551,8 @@ function document(opts) {
530
551
  throw new VexError("vex/bad-product-tree-names",
531
552
  "document: productTreeNames must be a { <productId>: <displayName> } object");
532
553
  }
533
- validateOpts.optionalNonEmptyString(opts.distributionText, "document.distributionText", VexError, "vex/bad-distribution-text");
554
+ // distributionText is validated by the shape's optional-string rule
555
+ // above (label "document.distributionText", code vex/bad-distribution-text).
534
556
  // FIRST TLP 2.0 + CSAF §3.2.1.12.1.1.1 — distribution.text is
535
557
  // REQUIRED when TLP label is RED or AMBER+STRICT (the
536
558
  // recipient-restricted tiers carry mandatory boilerplate prose).
@@ -109,22 +109,25 @@ function buildVapidAuthHeader(opts) {
109
109
  validateOpts(opts, ["subscription", "contact", "privateKeyPem",
110
110
  "publicKeyB64Url", "ttlSec"],
111
111
  "webPush.buildVapidAuthHeader");
112
- if (!opts.subscription || typeof opts.subscription.endpoint !== "string") {
113
- throw new WebPushError("web-push/bad-subscription",
114
- "buildVapidAuthHeader: opts.subscription must include a string endpoint");
115
- }
116
- validateOpts.requireNonEmptyString(opts.contact, "contact",
117
- WebPushError, "web-push/bad-contact");
118
- if (!/^(mailto:|https:)/i.test(opts.contact)) {
119
- throw new WebPushError("web-push/bad-contact",
120
- "buildVapidAuthHeader: contact must start with 'mailto:' or 'https:' per RFC 8292 §2");
121
- }
122
- validateOpts.requireNonEmptyString(opts.privateKeyPem, "privateKeyPem",
123
- WebPushError, "web-push/bad-key");
124
- validateOpts.requireNonEmptyString(opts.publicKeyB64Url, "publicKeyB64Url",
125
- WebPushError, "web-push/bad-key");
126
- validateOpts.optionalPositiveFinite(opts.ttlSec, "webPush.buildVapidAuthHeader: ttlSec",
127
- WebPushError, "web-push/bad-ttl");
112
+ validateOpts.shape(opts, {
113
+ subscription: function (value) {
114
+ if (!value || typeof value.endpoint !== "string") {
115
+ throw new WebPushError("web-push/bad-subscription",
116
+ "buildVapidAuthHeader: opts.subscription must include a string endpoint");
117
+ }
118
+ },
119
+ contact: function (value) {
120
+ validateOpts.requireNonEmptyString(value, "contact",
121
+ WebPushError, "web-push/bad-contact");
122
+ if (!/^(mailto:|https:)/i.test(value)) {
123
+ throw new WebPushError("web-push/bad-contact",
124
+ "buildVapidAuthHeader: contact must start with 'mailto:' or 'https:' per RFC 8292 §2");
125
+ }
126
+ },
127
+ privateKeyPem: { rule: "required-string", code: "web-push/bad-key", label: "privateKeyPem" },
128
+ publicKeyB64Url: { rule: "required-string", code: "web-push/bad-key", label: "publicKeyB64Url" },
129
+ ttlSec: { rule: "optional-positive-finite", code: "web-push/bad-ttl" },
130
+ }, "webPush.buildVapidAuthHeader", WebPushError, "web-push/bad-opts");
128
131
  var ttlSec = opts.ttlSec || C.TIME.hours(12);
129
132
  // Audience: origin of the subscription endpoint per RFC 8292 §2.
130
133
  var endpointUrl;
@@ -232,10 +235,10 @@ function encrypt(opts) {
232
235
  throw new WebPushError("web-push/bad-subscription",
233
236
  "encrypt: subscription must have a keys: { p256dh, auth } object");
234
237
  }
235
- validateOpts.requireNonEmptyString(opts.subscription.keys.p256dh, "p256dh",
236
- WebPushError, "web-push/bad-p256dh");
237
- validateOpts.requireNonEmptyString(opts.subscription.keys.auth, "auth",
238
- WebPushError, "web-push/bad-auth");
238
+ validateOpts.shape(opts.subscription.keys, {
239
+ p256dh: { rule: "required-string", code: "web-push/bad-p256dh", label: "p256dh" },
240
+ auth: { rule: "required-string", code: "web-push/bad-auth", label: "auth" },
241
+ }, "webPush.encrypt.keys", WebPushError, "web-push/bad-opts");
239
242
  var plaintext = Buffer.isBuffer(opts.payload) ? opts.payload
240
243
  : typeof opts.payload === "string" ? Buffer.from(opts.payload, "utf8")
241
244
  : null;