@blamejs/blamejs-shop 0.4.56 → 0.4.58

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (402) hide show
  1. package/CHANGELOG.md +4 -0
  2. package/lib/affiliates.js +35 -4
  3. package/lib/api-keys.js +17 -2
  4. package/lib/asset-manifest.json +1 -1
  5. package/lib/backorder.js +21 -4
  6. package/lib/click-and-collect.js +11 -2
  7. package/lib/credit-limits.js +132 -84
  8. package/lib/vendor/MANIFEST.json +426 -366
  9. package/lib/vendor/blamejs/.github/codeql/codeql-config.yml +25 -0
  10. package/lib/vendor/blamejs/.github/workflows/actions-lint.yml +3 -3
  11. package/lib/vendor/blamejs/.github/workflows/cflite_batch.yml +1 -1
  12. package/lib/vendor/blamejs/.github/workflows/cflite_pr.yml +1 -1
  13. package/lib/vendor/blamejs/.github/workflows/ci.yml +13 -13
  14. package/lib/vendor/blamejs/.github/workflows/codeql.yml +8 -7
  15. package/lib/vendor/blamejs/.github/workflows/npm-publish.yml +2 -2
  16. package/lib/vendor/blamejs/.github/workflows/release-container.yml +4 -4
  17. package/lib/vendor/blamejs/.github/workflows/scorecard.yml +1 -1
  18. package/lib/vendor/blamejs/.github/workflows/sha-to-tag-verify.yml +1 -1
  19. package/lib/vendor/blamejs/CHANGELOG.md +2 -0
  20. package/lib/vendor/blamejs/api-snapshot.json +1381 -4
  21. package/lib/vendor/blamejs/eslint.config.mjs +1 -0
  22. package/lib/vendor/blamejs/examples/wiki/lib/source-comment-block-validator.js +4 -1
  23. package/lib/vendor/blamejs/examples/wiki/lib/symbol-index.js +5 -2
  24. package/lib/vendor/blamejs/examples/wiki/routes/pages.js +4 -1
  25. package/lib/vendor/blamejs/fuzz/guard-text.fuzz.js +20 -0
  26. package/lib/vendor/blamejs/index.js +2 -0
  27. package/lib/vendor/blamejs/lib/a2a-tasks.js +7 -23
  28. package/lib/vendor/blamejs/lib/acme.js +6 -5
  29. package/lib/vendor/blamejs/lib/agent-event-bus.js +5 -4
  30. package/lib/vendor/blamejs/lib/agent-idempotency.js +2 -5
  31. package/lib/vendor/blamejs/lib/agent-orchestrator.js +2 -5
  32. package/lib/vendor/blamejs/lib/agent-saga.js +3 -5
  33. package/lib/vendor/blamejs/lib/agent-tenant.js +2 -5
  34. package/lib/vendor/blamejs/lib/ai-adverse-decision.js +2 -15
  35. package/lib/vendor/blamejs/lib/ai-capability.js +1 -6
  36. package/lib/vendor/blamejs/lib/ai-dp.js +1 -5
  37. package/lib/vendor/blamejs/lib/ai-input.js +2 -2
  38. package/lib/vendor/blamejs/lib/ai-pref.js +3 -8
  39. package/lib/vendor/blamejs/lib/ai-quota.js +3 -14
  40. package/lib/vendor/blamejs/lib/api-key.js +37 -28
  41. package/lib/vendor/blamejs/lib/archive-adapters.js +2 -4
  42. package/lib/vendor/blamejs/lib/archive-entry-policy.js +32 -0
  43. package/lib/vendor/blamejs/lib/archive-read.js +5 -17
  44. package/lib/vendor/blamejs/lib/archive-tar-read.js +5 -16
  45. package/lib/vendor/blamejs/lib/archive.js +2 -10
  46. package/lib/vendor/blamejs/lib/arg-parser.js +7 -6
  47. package/lib/vendor/blamejs/lib/asyncapi-traits.js +2 -6
  48. package/lib/vendor/blamejs/lib/atomic-file.js +108 -31
  49. package/lib/vendor/blamejs/lib/audit-chain.js +133 -53
  50. package/lib/vendor/blamejs/lib/audit-daily-review.js +24 -14
  51. package/lib/vendor/blamejs/lib/audit-emit.js +82 -0
  52. package/lib/vendor/blamejs/lib/audit-sign.js +257 -0
  53. package/lib/vendor/blamejs/lib/audit.js +84 -0
  54. package/lib/vendor/blamejs/lib/auth/access-lock.js +5 -27
  55. package/lib/vendor/blamejs/lib/auth/dpop.js +23 -35
  56. package/lib/vendor/blamejs/lib/auth/fido-mds3.js +9 -15
  57. package/lib/vendor/blamejs/lib/auth/jwt-external.js +26 -8
  58. package/lib/vendor/blamejs/lib/auth/jwt.js +13 -15
  59. package/lib/vendor/blamejs/lib/auth/lockout.js +6 -25
  60. package/lib/vendor/blamejs/lib/auth/oauth.js +67 -45
  61. package/lib/vendor/blamejs/lib/auth/oid4vci.js +55 -32
  62. package/lib/vendor/blamejs/lib/auth/oid4vp.js +3 -2
  63. package/lib/vendor/blamejs/lib/auth/openid-federation.js +6 -6
  64. package/lib/vendor/blamejs/lib/auth/passkey.js +3 -3
  65. package/lib/vendor/blamejs/lib/auth/password.js +7 -1
  66. package/lib/vendor/blamejs/lib/auth/saml.js +37 -27
  67. package/lib/vendor/blamejs/lib/auth/sd-jwt-vc-holder.js +2 -14
  68. package/lib/vendor/blamejs/lib/auth/sd-jwt-vc-issuer.js +2 -14
  69. package/lib/vendor/blamejs/lib/auth/sd-jwt-vc.js +1 -1
  70. package/lib/vendor/blamejs/lib/auth/status-list.js +7 -7
  71. package/lib/vendor/blamejs/lib/auth/step-up.js +6 -12
  72. package/lib/vendor/blamejs/lib/auth-bot-challenge.js +6 -37
  73. package/lib/vendor/blamejs/lib/backup/bundle.js +11 -18
  74. package/lib/vendor/blamejs/lib/backup/index.js +14 -47
  75. package/lib/vendor/blamejs/lib/bounded-map.js +112 -1
  76. package/lib/vendor/blamejs/lib/breach-deadline.js +1 -11
  77. package/lib/vendor/blamejs/lib/cache.js +7 -18
  78. package/lib/vendor/blamejs/lib/cbor.js +2 -1
  79. package/lib/vendor/blamejs/lib/cdn-cache-control.js +8 -9
  80. package/lib/vendor/blamejs/lib/cert.js +3 -10
  81. package/lib/vendor/blamejs/lib/chain-writer.js +162 -47
  82. package/lib/vendor/blamejs/lib/cli.js +5 -1
  83. package/lib/vendor/blamejs/lib/client-hints.js +7 -9
  84. package/lib/vendor/blamejs/lib/cloud-events.js +40 -31
  85. package/lib/vendor/blamejs/lib/cluster-storage.js +2 -38
  86. package/lib/vendor/blamejs/lib/cms-codec.js +2 -1
  87. package/lib/vendor/blamejs/lib/codepoint-class.js +67 -1
  88. package/lib/vendor/blamejs/lib/compliance-ai-act-logging.js +1 -6
  89. package/lib/vendor/blamejs/lib/compliance-ai-act-transparency.js +2 -4
  90. package/lib/vendor/blamejs/lib/compliance-eaa.js +1 -11
  91. package/lib/vendor/blamejs/lib/compliance-sanctions-fetcher.js +21 -28
  92. package/lib/vendor/blamejs/lib/compliance-sanctions.js +2 -14
  93. package/lib/vendor/blamejs/lib/compliance.js +2 -9
  94. package/lib/vendor/blamejs/lib/config-drift.js +2 -12
  95. package/lib/vendor/blamejs/lib/content-digest.js +10 -8
  96. package/lib/vendor/blamejs/lib/cookies.js +5 -11
  97. package/lib/vendor/blamejs/lib/cose.js +19 -11
  98. package/lib/vendor/blamejs/lib/cra-report.js +1 -11
  99. package/lib/vendor/blamejs/lib/crypto-field.js +5 -10
  100. package/lib/vendor/blamejs/lib/crypto.js +120 -3
  101. package/lib/vendor/blamejs/lib/csp.js +235 -3
  102. package/lib/vendor/blamejs/lib/daemon.js +42 -41
  103. package/lib/vendor/blamejs/lib/data-act.js +19 -9
  104. package/lib/vendor/blamejs/lib/db-query.js +6 -40
  105. package/lib/vendor/blamejs/lib/db.js +34 -12
  106. package/lib/vendor/blamejs/lib/dbsc.js +5 -6
  107. package/lib/vendor/blamejs/lib/ddl-change-control.js +18 -14
  108. package/lib/vendor/blamejs/lib/deprecate.js +4 -5
  109. package/lib/vendor/blamejs/lib/did.js +6 -2
  110. package/lib/vendor/blamejs/lib/dsr.js +8 -12
  111. package/lib/vendor/blamejs/lib/external-db-migrate.js +21 -22
  112. package/lib/vendor/blamejs/lib/external-db.js +14 -26
  113. package/lib/vendor/blamejs/lib/fda-21cfr11.js +12 -8
  114. package/lib/vendor/blamejs/lib/fdx.js +22 -18
  115. package/lib/vendor/blamejs/lib/file-upload.js +80 -66
  116. package/lib/vendor/blamejs/lib/flag-evaluation-context.js +5 -8
  117. package/lib/vendor/blamejs/lib/framework-error.js +12 -0
  118. package/lib/vendor/blamejs/lib/framework-schema.js +19 -0
  119. package/lib/vendor/blamejs/lib/fsm.js +7 -12
  120. package/lib/vendor/blamejs/lib/gate-contract.js +869 -38
  121. package/lib/vendor/blamejs/lib/gdpr-ropa.js +4 -13
  122. package/lib/vendor/blamejs/lib/graphql-federation.js +1 -1
  123. package/lib/vendor/blamejs/lib/guard-agent-registry.js +2 -1
  124. package/lib/vendor/blamejs/lib/guard-all.js +1 -0
  125. package/lib/vendor/blamejs/lib/guard-archive.js +9 -30
  126. package/lib/vendor/blamejs/lib/guard-auth.js +23 -80
  127. package/lib/vendor/blamejs/lib/guard-cidr.js +20 -96
  128. package/lib/vendor/blamejs/lib/guard-csv.js +135 -196
  129. package/lib/vendor/blamejs/lib/guard-domain.js +23 -106
  130. package/lib/vendor/blamejs/lib/guard-dsn.js +16 -13
  131. package/lib/vendor/blamejs/lib/guard-email.js +46 -53
  132. package/lib/vendor/blamejs/lib/guard-envelope.js +1 -1
  133. package/lib/vendor/blamejs/lib/guard-event-bus-topic.js +2 -1
  134. package/lib/vendor/blamejs/lib/guard-filename.js +12 -60
  135. package/lib/vendor/blamejs/lib/guard-graphql.js +28 -75
  136. package/lib/vendor/blamejs/lib/guard-html-wcag.js +15 -2
  137. package/lib/vendor/blamejs/lib/guard-html.js +65 -117
  138. package/lib/vendor/blamejs/lib/guard-idempotency-key.js +2 -1
  139. package/lib/vendor/blamejs/lib/guard-image.js +280 -77
  140. package/lib/vendor/blamejs/lib/guard-imap-command.js +8 -9
  141. package/lib/vendor/blamejs/lib/guard-json.js +87 -103
  142. package/lib/vendor/blamejs/lib/guard-jsonpath.js +20 -88
  143. package/lib/vendor/blamejs/lib/guard-jwt.js +32 -114
  144. package/lib/vendor/blamejs/lib/guard-list-id.js +2 -7
  145. package/lib/vendor/blamejs/lib/guard-list-unsubscribe.js +2 -7
  146. package/lib/vendor/blamejs/lib/guard-mail-compose.js +5 -6
  147. package/lib/vendor/blamejs/lib/guard-mail-move.js +2 -1
  148. package/lib/vendor/blamejs/lib/guard-mail-query.js +5 -3
  149. package/lib/vendor/blamejs/lib/guard-mail-sieve.js +6 -7
  150. package/lib/vendor/blamejs/lib/guard-managesieve-command.js +5 -4
  151. package/lib/vendor/blamejs/lib/guard-markdown.js +76 -110
  152. package/lib/vendor/blamejs/lib/guard-message-id.js +5 -6
  153. package/lib/vendor/blamejs/lib/guard-mime.js +20 -99
  154. package/lib/vendor/blamejs/lib/guard-oauth.js +19 -73
  155. package/lib/vendor/blamejs/lib/guard-pdf.js +65 -72
  156. package/lib/vendor/blamejs/lib/guard-pop3-command.js +12 -13
  157. package/lib/vendor/blamejs/lib/guard-posture-chain.js +2 -1
  158. package/lib/vendor/blamejs/lib/guard-regex.js +24 -99
  159. package/lib/vendor/blamejs/lib/guard-saga-config.js +2 -1
  160. package/lib/vendor/blamejs/lib/guard-shell.js +22 -87
  161. package/lib/vendor/blamejs/lib/guard-smtp-command.js +8 -11
  162. package/lib/vendor/blamejs/lib/guard-sql.js +15 -13
  163. package/lib/vendor/blamejs/lib/guard-stream-args.js +2 -1
  164. package/lib/vendor/blamejs/lib/guard-svg.js +95 -140
  165. package/lib/vendor/blamejs/lib/guard-template.js +23 -80
  166. package/lib/vendor/blamejs/lib/guard-tenant-id.js +2 -1
  167. package/lib/vendor/blamejs/lib/guard-text.js +592 -0
  168. package/lib/vendor/blamejs/lib/guard-time.js +27 -95
  169. package/lib/vendor/blamejs/lib/guard-uuid.js +21 -93
  170. package/lib/vendor/blamejs/lib/guard-xml.js +76 -106
  171. package/lib/vendor/blamejs/lib/guard-yaml.js +24 -60
  172. package/lib/vendor/blamejs/lib/http-client-cache.js +5 -12
  173. package/lib/vendor/blamejs/lib/http-client-cookie-jar.js +2 -4
  174. package/lib/vendor/blamejs/lib/http-client.js +8 -21
  175. package/lib/vendor/blamejs/lib/http-message-signature.js +3 -2
  176. package/lib/vendor/blamejs/lib/i18n-messageformat.js +5 -7
  177. package/lib/vendor/blamejs/lib/i18n.js +83 -26
  178. package/lib/vendor/blamejs/lib/inbox.js +8 -8
  179. package/lib/vendor/blamejs/lib/incident-report.js +3 -21
  180. package/lib/vendor/blamejs/lib/ip-utils.js +49 -6
  181. package/lib/vendor/blamejs/lib/jobs.js +3 -2
  182. package/lib/vendor/blamejs/lib/keychain.js +6 -18
  183. package/lib/vendor/blamejs/lib/legal-hold.js +6 -15
  184. package/lib/vendor/blamejs/lib/log-stream-cloudwatch.js +44 -112
  185. package/lib/vendor/blamejs/lib/log-stream-otlp-grpc.js +17 -14
  186. package/lib/vendor/blamejs/lib/log-stream-otlp.js +16 -80
  187. package/lib/vendor/blamejs/lib/log-stream-webhook.js +20 -92
  188. package/lib/vendor/blamejs/lib/mail-arc-sign.js +8 -3
  189. package/lib/vendor/blamejs/lib/mail-arf.js +3 -2
  190. package/lib/vendor/blamejs/lib/mail-auth.js +40 -66
  191. package/lib/vendor/blamejs/lib/mail-bimi.js +19 -39
  192. package/lib/vendor/blamejs/lib/mail-crypto-pgp.js +3 -2
  193. package/lib/vendor/blamejs/lib/mail-dav.js +8 -35
  194. package/lib/vendor/blamejs/lib/mail-deploy.js +6 -9
  195. package/lib/vendor/blamejs/lib/mail-dkim.js +19 -38
  196. package/lib/vendor/blamejs/lib/mail-greylist.js +15 -26
  197. package/lib/vendor/blamejs/lib/mail-helo.js +2 -3
  198. package/lib/vendor/blamejs/lib/mail-journal.js +2 -1
  199. package/lib/vendor/blamejs/lib/mail-mdn.js +4 -3
  200. package/lib/vendor/blamejs/lib/mail-rbl.js +5 -8
  201. package/lib/vendor/blamejs/lib/mail-scan.js +2 -2
  202. package/lib/vendor/blamejs/lib/mail-send-deliver.js +33 -20
  203. package/lib/vendor/blamejs/lib/mail-server-imap.js +32 -87
  204. package/lib/vendor/blamejs/lib/mail-server-jmap.js +35 -51
  205. package/lib/vendor/blamejs/lib/mail-server-managesieve.js +29 -83
  206. package/lib/vendor/blamejs/lib/mail-server-mx.js +33 -74
  207. package/lib/vendor/blamejs/lib/mail-server-net.js +177 -0
  208. package/lib/vendor/blamejs/lib/mail-server-pop3.js +30 -83
  209. package/lib/vendor/blamejs/lib/mail-server-rate-limit.js +30 -6
  210. package/lib/vendor/blamejs/lib/mail-server-submission.js +34 -73
  211. package/lib/vendor/blamejs/lib/mail-server-tls.js +89 -0
  212. package/lib/vendor/blamejs/lib/mail-spam-score.js +7 -8
  213. package/lib/vendor/blamejs/lib/mail-store.js +3 -2
  214. package/lib/vendor/blamejs/lib/mail.js +6 -11
  215. package/lib/vendor/blamejs/lib/markup-escape.js +31 -0
  216. package/lib/vendor/blamejs/lib/markup-tokenizer.js +54 -0
  217. package/lib/vendor/blamejs/lib/mcp-tool-registry.js +26 -23
  218. package/lib/vendor/blamejs/lib/mcp.js +1 -1
  219. package/lib/vendor/blamejs/lib/mdoc.js +11 -12
  220. package/lib/vendor/blamejs/lib/metrics.js +32 -30
  221. package/lib/vendor/blamejs/lib/middleware/age-gate.js +3 -23
  222. package/lib/vendor/blamejs/lib/middleware/api-encrypt.js +11 -22
  223. package/lib/vendor/blamejs/lib/middleware/assetlinks.js +2 -7
  224. package/lib/vendor/blamejs/lib/middleware/bearer-auth.js +2 -1
  225. package/lib/vendor/blamejs/lib/middleware/body-parser.js +31 -48
  226. package/lib/vendor/blamejs/lib/middleware/bot-disclose.js +7 -10
  227. package/lib/vendor/blamejs/lib/middleware/bot-guard.js +2 -10
  228. package/lib/vendor/blamejs/lib/middleware/csrf-protect.js +13 -2
  229. package/lib/vendor/blamejs/lib/middleware/daily-byte-quota.js +6 -26
  230. package/lib/vendor/blamejs/lib/middleware/deny-response.js +19 -1
  231. package/lib/vendor/blamejs/lib/middleware/fetch-metadata.js +7 -0
  232. package/lib/vendor/blamejs/lib/middleware/idempotency-key.js +4 -20
  233. package/lib/vendor/blamejs/lib/middleware/rate-limit.js +20 -28
  234. package/lib/vendor/blamejs/lib/middleware/scim-server.js +3 -2
  235. package/lib/vendor/blamejs/lib/middleware/security-headers.js +9 -1
  236. package/lib/vendor/blamejs/lib/middleware/security-txt.js +2 -6
  237. package/lib/vendor/blamejs/lib/middleware/tus-upload.js +12 -27
  238. package/lib/vendor/blamejs/lib/middleware/web-app-manifest.js +2 -7
  239. package/lib/vendor/blamejs/lib/migrations.js +4 -13
  240. package/lib/vendor/blamejs/lib/mime-parse.js +34 -17
  241. package/lib/vendor/blamejs/lib/module-loader.js +44 -0
  242. package/lib/vendor/blamejs/lib/money.js +105 -0
  243. package/lib/vendor/blamejs/lib/mtls-ca.js +116 -36
  244. package/lib/vendor/blamejs/lib/network-byte-quota.js +4 -18
  245. package/lib/vendor/blamejs/lib/network-dane.js +8 -6
  246. package/lib/vendor/blamejs/lib/network-dns-resolver.js +97 -6
  247. package/lib/vendor/blamejs/lib/network-dnssec.js +16 -16
  248. package/lib/vendor/blamejs/lib/network-heartbeat.js +3 -2
  249. package/lib/vendor/blamejs/lib/network-smtp-policy.js +29 -41
  250. package/lib/vendor/blamejs/lib/network-tls.js +40 -42
  251. package/lib/vendor/blamejs/lib/nis2-report.js +1 -11
  252. package/lib/vendor/blamejs/lib/nonce-store.js +81 -3
  253. package/lib/vendor/blamejs/lib/numeric-bounds.js +22 -8
  254. package/lib/vendor/blamejs/lib/object-store/azure-blob-bucket-ops.js +2 -6
  255. package/lib/vendor/blamejs/lib/object-store/azure-blob.js +5 -45
  256. package/lib/vendor/blamejs/lib/object-store/gcs.js +8 -71
  257. package/lib/vendor/blamejs/lib/object-store/http-put.js +1 -5
  258. package/lib/vendor/blamejs/lib/object-store/http-request.js +128 -0
  259. package/lib/vendor/blamejs/lib/object-store/sigv4-bucket-ops.js +2 -1
  260. package/lib/vendor/blamejs/lib/object-store/sigv4.js +9 -77
  261. package/lib/vendor/blamejs/lib/observability-otlp-exporter.js +9 -25
  262. package/lib/vendor/blamejs/lib/observability.js +95 -0
  263. package/lib/vendor/blamejs/lib/openapi-paths-builder.js +7 -3
  264. package/lib/vendor/blamejs/lib/otel-export.js +7 -10
  265. package/lib/vendor/blamejs/lib/outbox.js +43 -37
  266. package/lib/vendor/blamejs/lib/pagination.js +11 -15
  267. package/lib/vendor/blamejs/lib/parsers/safe-env.js +5 -4
  268. package/lib/vendor/blamejs/lib/parsers/safe-ini.js +10 -4
  269. package/lib/vendor/blamejs/lib/parsers/safe-toml.js +11 -9
  270. package/lib/vendor/blamejs/lib/parsers/safe-xml.js +2 -2
  271. package/lib/vendor/blamejs/lib/parsers/safe-yaml.js +7 -6
  272. package/lib/vendor/blamejs/lib/pick.js +63 -5
  273. package/lib/vendor/blamejs/lib/pipl-cn.js +69 -59
  274. package/lib/vendor/blamejs/lib/privacy-pass.js +8 -6
  275. package/lib/vendor/blamejs/lib/problem-details.js +2 -5
  276. package/lib/vendor/blamejs/lib/pubsub.js +4 -8
  277. package/lib/vendor/blamejs/lib/redact.js +2 -1
  278. package/lib/vendor/blamejs/lib/render.js +4 -2
  279. package/lib/vendor/blamejs/lib/request-helpers.js +133 -6
  280. package/lib/vendor/blamejs/lib/restore.js +5 -22
  281. package/lib/vendor/blamejs/lib/retention.js +3 -5
  282. package/lib/vendor/blamejs/lib/safe-async.js +457 -0
  283. package/lib/vendor/blamejs/lib/safe-buffer.js +137 -6
  284. package/lib/vendor/blamejs/lib/safe-decompress.js +2 -1
  285. package/lib/vendor/blamejs/lib/safe-dns.js +2 -1
  286. package/lib/vendor/blamejs/lib/safe-ical.js +12 -26
  287. package/lib/vendor/blamejs/lib/safe-json.js +7 -8
  288. package/lib/vendor/blamejs/lib/safe-jsonpath.js +6 -5
  289. package/lib/vendor/blamejs/lib/safe-mime.js +25 -29
  290. package/lib/vendor/blamejs/lib/safe-redirect.js +2 -5
  291. package/lib/vendor/blamejs/lib/safe-schema.js +7 -6
  292. package/lib/vendor/blamejs/lib/safe-sql.js +126 -0
  293. package/lib/vendor/blamejs/lib/safe-vcard.js +12 -26
  294. package/lib/vendor/blamejs/lib/sandbox-worker.js +9 -2
  295. package/lib/vendor/blamejs/lib/sandbox.js +3 -2
  296. package/lib/vendor/blamejs/lib/scheduler.js +5 -12
  297. package/lib/vendor/blamejs/lib/sec-cyber.js +82 -37
  298. package/lib/vendor/blamejs/lib/seeders.js +4 -11
  299. package/lib/vendor/blamejs/lib/self-update.js +92 -69
  300. package/lib/vendor/blamejs/lib/session-device-binding.js +112 -66
  301. package/lib/vendor/blamejs/lib/session.js +194 -6
  302. package/lib/vendor/blamejs/lib/sql.js +225 -78
  303. package/lib/vendor/blamejs/lib/sse.js +6 -10
  304. package/lib/vendor/blamejs/lib/static.js +136 -98
  305. package/lib/vendor/blamejs/lib/storage.js +4 -2
  306. package/lib/vendor/blamejs/lib/structured-fields.js +275 -16
  307. package/lib/vendor/blamejs/lib/tenant-quota.js +2 -20
  308. package/lib/vendor/blamejs/lib/tsa.js +11 -15
  309. package/lib/vendor/blamejs/lib/validate-opts.js +154 -8
  310. package/lib/vendor/blamejs/lib/vault/seal-pem-file.js +30 -48
  311. package/lib/vendor/blamejs/lib/vault-aad.js +3 -2
  312. package/lib/vendor/blamejs/lib/vc.js +2 -7
  313. package/lib/vendor/blamejs/lib/vex.js +35 -13
  314. package/lib/vendor/blamejs/lib/web-push-vapid.js +23 -20
  315. package/lib/vendor/blamejs/lib/webhook-dispatcher.js +706 -0
  316. package/lib/vendor/blamejs/lib/webhook.js +43 -18
  317. package/lib/vendor/blamejs/lib/websocket-channels.js +9 -7
  318. package/lib/vendor/blamejs/lib/websocket.js +7 -3
  319. package/lib/vendor/blamejs/lib/worm.js +2 -3
  320. package/lib/vendor/blamejs/lib/ws-client.js +8 -10
  321. package/lib/vendor/blamejs/package.json +1 -1
  322. package/lib/vendor/blamejs/release-notes/v0.15.13.json +81 -0
  323. package/lib/vendor/blamejs/scripts/check-changelog-extract.js +1 -1
  324. package/lib/vendor/blamejs/test/00-primitives.js +136 -7
  325. package/lib/vendor/blamejs/test/10-state.js +9 -3
  326. package/lib/vendor/blamejs/test/30-chain.js +40 -0
  327. package/lib/vendor/blamejs/test/helpers/check.js +18 -0
  328. package/lib/vendor/blamejs/test/helpers/db.js +4 -0
  329. package/lib/vendor/blamejs/test/helpers/index.js +1 -0
  330. package/lib/vendor/blamejs/test/integration/audit-chain-external-db.test.js +2 -1
  331. package/lib/vendor/blamejs/test/integration/audit-stack-postgres.test.js +2 -1
  332. package/lib/vendor/blamejs/test/integration/data-layer-mysql.test.js +8 -1
  333. package/lib/vendor/blamejs/test/integration/data-layer-pg.test.js +1 -1
  334. package/lib/vendor/blamejs/test/integration/framework-schema-mysql.test.js +2 -1
  335. package/lib/vendor/blamejs/test/integration/webhook-dispatcher-pg.test.js +269 -0
  336. package/lib/vendor/blamejs/test/layer-0-primitives/atomic-file-fd-read.test.js +149 -0
  337. package/lib/vendor/blamejs/test/layer-0-primitives/audit-framework-namespaces.test.js +51 -0
  338. package/lib/vendor/blamejs/test/layer-0-primitives/audit-sign-anchor.test.js +88 -0
  339. package/lib/vendor/blamejs/test/layer-0-primitives/audit-use-store.test.js +55 -1
  340. package/lib/vendor/blamejs/test/layer-0-primitives/backup-object-store-adapter.test.js +2 -2
  341. package/lib/vendor/blamejs/test/layer-0-primitives/bot-guard.test.js +1 -1
  342. package/lib/vendor/blamejs/test/layer-0-primitives/bounded-map.test.js +129 -0
  343. package/lib/vendor/blamejs/test/layer-0-primitives/chain-writer-multichain.test.js +107 -0
  344. package/lib/vendor/blamejs/test/layer-0-primitives/cli-api-key.test.js +12 -0
  345. package/lib/vendor/blamejs/test/layer-0-primitives/codebase-patterns.test.js +2788 -3214
  346. package/lib/vendor/blamejs/test/layer-0-primitives/codepoint-class.test.js +78 -0
  347. package/lib/vendor/blamejs/test/layer-0-primitives/crypto-base64url.test.js +63 -0
  348. package/lib/vendor/blamejs/test/layer-0-primitives/crypto-hash-stream.test.js +2 -1
  349. package/lib/vendor/blamejs/test/layer-0-primitives/csp-builder.test.js +50 -0
  350. package/lib/vendor/blamejs/test/layer-0-primitives/csp-nonce.test.js +1 -1
  351. package/lib/vendor/blamejs/test/layer-0-primitives/daemon.test.js +2 -1
  352. package/lib/vendor/blamejs/test/layer-0-primitives/defineguard-resolve-opts.test.js +76 -0
  353. package/lib/vendor/blamejs/test/layer-0-primitives/flag.test.js +9 -0
  354. package/lib/vendor/blamejs/test/layer-0-primitives/gate-contract-content-gate.test.js +290 -0
  355. package/lib/vendor/blamejs/test/layer-0-primitives/guard-csv.test.js +84 -0
  356. package/lib/vendor/blamejs/test/layer-0-primitives/guard-email.test.js +78 -0
  357. package/lib/vendor/blamejs/test/layer-0-primitives/guard-filename.test.js +23 -0
  358. package/lib/vendor/blamejs/test/layer-0-primitives/guard-gate-disposition-coverage.test.js +93 -0
  359. package/lib/vendor/blamejs/test/layer-0-primitives/guard-html.test.js +60 -0
  360. package/lib/vendor/blamejs/test/layer-0-primitives/guard-image.test.js +184 -0
  361. package/lib/vendor/blamejs/test/layer-0-primitives/guard-imap-command.test.js +0 -0
  362. package/lib/vendor/blamejs/test/layer-0-primitives/guard-json.test.js +54 -0
  363. package/lib/vendor/blamejs/test/layer-0-primitives/guard-managesieve-command.test.js +10 -0
  364. package/lib/vendor/blamejs/test/layer-0-primitives/guard-markdown.test.js +45 -0
  365. package/lib/vendor/blamejs/test/layer-0-primitives/guard-pdf.test.js +101 -0
  366. package/lib/vendor/blamejs/test/layer-0-primitives/guard-pop3-command.test.js +18 -0
  367. package/lib/vendor/blamejs/test/layer-0-primitives/guard-svg.test.js +76 -0
  368. package/lib/vendor/blamejs/test/layer-0-primitives/guard-text.test.js +365 -0
  369. package/lib/vendor/blamejs/test/layer-0-primitives/guard-xml.test.js +35 -0
  370. package/lib/vendor/blamejs/test/layer-0-primitives/guard-yaml.test.js +36 -0
  371. package/lib/vendor/blamejs/test/layer-0-primitives/i18n.test.js +20 -0
  372. package/lib/vendor/blamejs/test/layer-0-primitives/inbox.test.js +15 -0
  373. package/lib/vendor/blamejs/test/layer-0-primitives/ip-utils.test.js +83 -0
  374. package/lib/vendor/blamejs/test/layer-0-primitives/mail-arf.test.js +10 -0
  375. package/lib/vendor/blamejs/test/layer-0-primitives/mail-auth.test.js +39 -0
  376. package/lib/vendor/blamejs/test/layer-0-primitives/mail-dkim.test.js +36 -0
  377. package/lib/vendor/blamejs/test/layer-0-primitives/mail-greylist.test.js +17 -0
  378. package/lib/vendor/blamejs/test/layer-0-primitives/mail-server-tls.test.js +39 -0
  379. package/lib/vendor/blamejs/test/layer-0-primitives/mail-store.test.js +17 -0
  380. package/lib/vendor/blamejs/test/layer-0-primitives/mime-parse.test.js +106 -0
  381. package/lib/vendor/blamejs/test/layer-0-primitives/money.test.js +17 -0
  382. package/lib/vendor/blamejs/test/layer-0-primitives/mtls-ca-revocation.test.js +98 -0
  383. package/lib/vendor/blamejs/test/layer-0-primitives/nonce-store-release.test.js +77 -0
  384. package/lib/vendor/blamejs/test/layer-0-primitives/observability.test.js +48 -0
  385. package/lib/vendor/blamejs/test/layer-0-primitives/rate-limit-memory-getorinsert.test.js +100 -0
  386. package/lib/vendor/blamejs/test/layer-0-primitives/request-helpers.test.js +88 -0
  387. package/lib/vendor/blamejs/test/layer-0-primitives/safe-async-loops.test.js +278 -0
  388. package/lib/vendor/blamejs/test/layer-0-primitives/safe-buffer-linear-scans.test.js +37 -0
  389. package/lib/vendor/blamejs/test/layer-0-primitives/safe-jsonpath.test.js +14 -0
  390. package/lib/vendor/blamejs/test/layer-0-primitives/sandbox.test.js +19 -0
  391. package/lib/vendor/blamejs/test/layer-0-primitives/security-headers.test.js +1 -1
  392. package/lib/vendor/blamejs/test/layer-0-primitives/self-update.test.js +2 -1
  393. package/lib/vendor/blamejs/test/layer-0-primitives/session-device-binding.test.js +18 -0
  394. package/lib/vendor/blamejs/test/layer-0-primitives/session-extensions.test.js +1 -1
  395. package/lib/vendor/blamejs/test/layer-0-primitives/session-valid-from.test.js +73 -0
  396. package/lib/vendor/blamejs/test/layer-0-primitives/sql.test.js +100 -0
  397. package/lib/vendor/blamejs/test/layer-0-primitives/structured-fields.test.js +80 -0
  398. package/lib/vendor/blamejs/test/layer-0-primitives/validate-opts-shape.test.js +235 -0
  399. package/lib/vendor/blamejs/test/layer-0-primitives/webhook-dispatcher.test.js +374 -0
  400. package/lib/vendor/blamejs/test/layer-0-primitives/webhook.test.js +75 -8
  401. package/lib/vendor/blamejs/test/layer-5-integration/guard-host-integration.test.js +3 -3
  402. package/package.json +1 -1
@@ -117,7 +117,16 @@ function _b64urlDecode(s) {
117
117
  // supplied alg the key can't actually produce.
118
118
  var _EC_CURVE_ALG = { prime256v1: "ES256", secp384r1: "ES384", secp521r1: "ES512" };
119
119
 
120
- function _verifyParamsForAlg(alg) {
120
+ // algParams — JOSE alg → node:crypto sign/verify parameters (hash + RSA
121
+ // PKCS1 padding / RSASSA-PSS saltLength / ECDSA dsaEncoding). The classical-
122
+ // JOSE table (RS/PS/ES per RFC 7518 §3, EdDSA per RFC 8037) lives HERE once,
123
+ // in the classical-JOSE domain owner: dpop proofs, fido-mds3 MDS3 BLOBs,
124
+ // oauth ID-token verify, and this module's own sign/verify all read the
125
+ // identical mapping. Returns null for an unrecognised alg so every caller
126
+ // throws its OWN typed error and keeps its OWN supported set — oauth omits
127
+ // EdDSA, dpop layers the PQC ML-DSA-87 on top. The values are sign/verify-
128
+ // symmetric (node:crypto uses the same params for both).
129
+ function algParams(alg) {
121
130
  if (alg === "RS256") return { hash: "sha256", padding: nodeCrypto.constants.RSA_PKCS1_PADDING };
122
131
  if (alg === "RS384") return { hash: "sha384", padding: nodeCrypto.constants.RSA_PKCS1_PADDING };
123
132
  if (alg === "RS512") return { hash: "sha512", padding: nodeCrypto.constants.RSA_PKCS1_PADDING };
@@ -128,8 +137,16 @@ function _verifyParamsForAlg(alg) {
128
137
  if (alg === "ES384") return { hash: "sha384", dsaEncoding: "ieee-p1363" };
129
138
  if (alg === "ES512") return { hash: "sha512", dsaEncoding: "ieee-p1363" };
130
139
  if (alg === "EdDSA") return { hash: null };
131
- throw new AuthError("auth-jwt-external/unsupported-alg",
132
- "alg '" + alg + "' is not supported by verifyExternal");
140
+ return null;
141
+ }
142
+
143
+ function _verifyParamsForAlg(alg) {
144
+ var params = algParams(alg);
145
+ if (!params) {
146
+ throw new AuthError("auth-jwt-external/unsupported-alg",
147
+ "alg '" + alg + "' is not supported by verifyExternal");
148
+ }
149
+ return params;
133
150
  }
134
151
 
135
152
  // _toPrivateKey — import the operator's classical signing key from any of
@@ -231,11 +248,11 @@ function _signCompactJws(header, payload, privateKey, alg) {
231
248
  }
232
249
 
233
250
  function _jwkToKey(jwk) {
234
- try { return nodeCrypto.createPublicKey({ key: jwk, format: "jwk" }); }
235
- catch (e) {
236
- throw new AuthError("auth-jwt-external/bad-jwk",
237
- "could not import JWK (kid=" + (jwk && jwk.kid) + "): " + ((e && e.message) || String(e)));
238
- }
251
+ return bCrypto.importPublicJwk(jwk, {
252
+ errorClass: AuthError,
253
+ code: "auth-jwt-external/bad-jwk",
254
+ messagePrefix: "could not import JWK (kid=" + (jwk && jwk.kid) + "): ",
255
+ });
239
256
  }
240
257
 
241
258
  // CVE-2026-22817 — RS256→HS256 alg-confusion + the broader alg/kty
@@ -725,6 +742,7 @@ module.exports = {
725
742
  REFUSED_ALGS: REFUSED_ALGS,
726
743
  // Shared JOSE defenses — routed from oauth.verifyIdToken /
727
744
  // oid4vci proof verify / sd-jwt-vc.verify / openid-federation.
745
+ algParams: algParams,
728
746
  _assertAlgKtyMatch: _assertAlgKtyMatch,
729
747
  _issuerMatches: _issuerMatches,
730
748
  // Classical-JWS signer internals — composed by oauth.js's attestation
@@ -78,6 +78,7 @@ var C = require("../constants");
78
78
  var bCrypto = require("../crypto");
79
79
  var safeJson = require("../safe-json");
80
80
  var validateOpts = require("../validate-opts");
81
+ var nonceStore = require("../nonce-store");
81
82
  var { AuthError } = require("../framework-error");
82
83
 
83
84
  // Algorithm registry. The string keys are the JWT header `alg` values
@@ -92,11 +93,12 @@ var SUPPORTED_ALGORITHMS = Object.freeze(Object.keys(ALGORITHM_TO_NODE));
92
93
 
93
94
  function _b64urlEncode(buf) { return bCrypto.toBase64Url(buf); }
94
95
 
95
- function _b64urlDecode(s) {
96
- if (typeof s !== "string") throw new AuthError("auth-jwt/malformed", "expected base64url string");
97
- try { return bCrypto.fromBase64Url(s); }
98
- catch (_e) { throw new AuthError("auth-jwt/malformed", "JWT segment is not valid base64url"); }
99
- }
96
+ var _b64urlDecode = bCrypto.makeBase64UrlDecoder({
97
+ errorClass: AuthError,
98
+ code: "auth-jwt/malformed",
99
+ typeMessage: "expected base64url string",
100
+ badMessage: "JWT segment is not valid base64url",
101
+ });
100
102
 
101
103
  function _toKeyObject(pemOrKey, kind) {
102
104
  // kind is 'private' or 'public' — passes through if already a KeyObject;
@@ -409,16 +411,12 @@ async function verify(token, opts) {
409
411
  if (typeof p.exp === "number") {
410
412
  expireAtMs = p.exp * C.TIME.seconds(1);
411
413
  }
412
- var inserted;
413
- try { inserted = await opts.replayStore.checkAndInsert(p.jti, expireAtMs); }
414
- catch (e) {
415
- throw new AuthError("auth-jwt/replay-store-failed",
416
- "replayStore.checkAndInsert threw: " + ((e && e.message) || String(e)));
417
- }
418
- if (inserted === false) {
419
- throw new AuthError("auth-jwt/replay",
420
- "token jti='" + p.jti + "' has been seen before — replay refused");
421
- }
414
+ await nonceStore.enforceReplay(opts.replayStore, p.jti, expireAtMs, {
415
+ errorClass: AuthError,
416
+ storeFailedCode: "auth-jwt/replay-store-failed",
417
+ replayCode: "auth-jwt/replay",
418
+ tokenLabel: "token",
419
+ });
422
420
  }
423
421
 
424
422
  return p;
@@ -200,32 +200,13 @@ function create(opts) {
200
200
 
201
201
  function _scopedKey(key) { return namespace + ":" + key; }
202
202
 
203
- function _emitObs(name, labels) {
204
- var sink = obsInst || _safeGlobalObs();
205
- if (!sink) return;
206
- try { sink.event(name, 1, labels); } catch (_e) { /* observability is best-effort */ }
207
- }
208
-
209
- // Fall back to the framework's global observability registry when the
210
- // operator didn't pass their own. event() is a no-op when no registry
211
- // is wired, so this is zero-cost in apps without observability.
212
- function _safeGlobalObs() {
213
- try { return observability(); } catch (_e) { return null; }
214
- }
203
+ // Emit to the operator's configured observability instance, else the
204
+ // framework's global registry (a no-op when none is wired), drop-silent.
205
+ var _emitObs = observability().makeCounterEmitter(obsInst);
215
206
 
216
- function _emitAudit(action, key, outcome, metadata, req) {
217
- if (!auditInst) return;
218
- try {
219
- var event = {
220
- action: action,
221
- outcome: outcome,
222
- resource: { kind: "auth.lockout", id: namespace + ":" + key },
223
- metadata: metadata || {},
224
- };
225
- if (req) event.actor = requestHelpers.extractActorContext(req);
226
- auditInst.safeEmit(event);
227
- } catch (_e) { /* audit best-effort */ }
228
- }
207
+ var _emitAudit = requestHelpers.makeResourceAuditEmitter(auditInst, "auth.lockout", function (key) {
208
+ return namespace + ":" + key;
209
+ });
229
210
 
230
211
  // Cache failures fail-OPEN by design (per the framework's
231
212
  // documented brute-force-lockout posture — rather than crash the
@@ -215,11 +215,8 @@ var DEFAULT_CLOCK_SKEW_MS = C.TIME.minutes(1);
215
215
  // OAuth 2.0 Threat Model §4.4.1.8 / §4.4.1.13.
216
216
  var PKCE_VERIFIER_BYTES = C.BYTES.bytes(32);
217
217
  var STATE_NONCE_BYTES = C.BYTES.bytes(16);
218
- // JOSE PSS salt lengths (RFC 7518 §3.5) match the hash-output size:
219
- // PS256/SHA-256 32, PS384/SHA-384 48, PS512/SHA-512 → 64.
220
- var PSS_SALT_BYTES_SHA256 = C.BYTES.bytes(32);
221
- var PSS_SALT_BYTES_SHA384 = C.BYTES.bytes(48);
222
- var PSS_SALT_BYTES_SHA512 = C.BYTES.bytes(64);
218
+ // JOSE PSS salt lengths (RFC 7518 §3.5) now live with the shared alg table
219
+ // in jwtExternal.algParams; _verifyParamsForAlg here is a thin wrapper.
223
220
 
224
221
  // RFC 8628 §3.4 — device_code length cap. The spec doesn't fix a max
225
222
  // length but 8 KiB comfortably accommodates any legitimate base64url
@@ -253,11 +250,12 @@ var RFC_8693_TOKEN_TYPES = Object.freeze([
253
250
 
254
251
  function _b64urlEncode(buf) { return bCrypto.toBase64Url(buf); }
255
252
 
256
- function _b64urlDecode(s) {
257
- if (typeof s !== "string") throw new OAuthError("auth-oauth/bad-base64", "expected base64url string");
258
- try { return bCrypto.fromBase64Url(s); }
259
- catch (_e) { throw new OAuthError("auth-oauth/bad-base64", "segment is not valid base64url"); }
260
- }
253
+ var _b64urlDecode = bCrypto.makeBase64UrlDecoder({
254
+ errorClass: OAuthError,
255
+ code: "auth-oauth/bad-base64",
256
+ typeMessage: "expected base64url string",
257
+ badMessage: "segment is not valid base64url",
258
+ });
261
259
 
262
260
  function _generateRandomToken(bytes) {
263
261
  return _b64urlEncode(generateBytes(bytes));
@@ -329,29 +327,27 @@ function _validateUrl(url, allowHttp, label) {
329
327
  // ---- JOSE alg → node:crypto verify parameters ----
330
328
 
331
329
  function _verifyParamsForAlg(alg) {
332
- // Returns { hash, padding, dsaEncoding } for node:crypto.verify.
333
- if (alg === "RS256") return { hash: "sha256", padding: nodeCrypto.constants.RSA_PKCS1_PADDING };
334
- if (alg === "RS384") return { hash: "sha384", padding: nodeCrypto.constants.RSA_PKCS1_PADDING };
335
- if (alg === "RS512") return { hash: "sha512", padding: nodeCrypto.constants.RSA_PKCS1_PADDING };
336
- if (alg === "PS256") return { hash: "sha256", padding: nodeCrypto.constants.RSA_PKCS1_PSS_PADDING, saltLength: PSS_SALT_BYTES_SHA256 };
337
- if (alg === "PS384") return { hash: "sha384", padding: nodeCrypto.constants.RSA_PKCS1_PSS_PADDING, saltLength: PSS_SALT_BYTES_SHA384 };
338
- if (alg === "PS512") return { hash: "sha512", padding: nodeCrypto.constants.RSA_PKCS1_PSS_PADDING, saltLength: PSS_SALT_BYTES_SHA512 };
339
- if (alg === "ES256") return { hash: "sha256", dsaEncoding: "ieee-p1363" };
340
- if (alg === "ES384") return { hash: "sha384", dsaEncoding: "ieee-p1363" };
341
- if (alg === "ES512") return { hash: "sha512", dsaEncoding: "ieee-p1363" };
342
- throw new OAuthError("auth-oauth/unsupported-alg",
343
- "alg '" + alg + "' is not supported for ID-token verification");
330
+ // Returns { hash, padding, dsaEncoding } for node:crypto.verify, from the
331
+ // shared classical-JOSE table (jwtExternal.algParams). ID-token verification
332
+ // deliberately does NOT accept EdDSA most OIDC OPs sign with RS256/ES256
333
+ // and the framework keeps the ID-token verify surface to the RSA/ECDSA set.
334
+ var params = jwtExternal.algParams(alg);
335
+ if (!params || alg === "EdDSA") {
336
+ throw new OAuthError("auth-oauth/unsupported-alg",
337
+ "alg '" + alg + "' is not supported for ID-token verification");
338
+ }
339
+ return params;
344
340
  }
345
341
 
346
342
  // ---- JWKS → KeyObject ----
347
343
 
348
344
  function _jwkToKey(jwk) {
349
345
  // node's createPublicKey accepts JWK directly since Node 16.
350
- try { return nodeCrypto.createPublicKey({ key: jwk, format: "jwk" }); }
351
- catch (e) {
352
- throw new OAuthError("auth-oauth/bad-jwk",
353
- "could not import JWK (kid=" + (jwk && jwk.kid) + "): " + ((e && e.message) || String(e)));
354
- }
346
+ return bCrypto.importPublicJwk(jwk, {
347
+ errorClass: OAuthError,
348
+ code: "auth-oauth/bad-jwk",
349
+ messagePrefix: "could not import JWK (kid=" + (jwk && jwk.kid) + "): ",
350
+ });
355
351
  }
356
352
 
357
353
  // ---- RFC 9396 Rich Authorization Requests (RAR) ----
@@ -657,6 +653,16 @@ function _publicCnfJwk(jwk, label) {
657
653
  label + ": instanceKeyJwk.kty='" + jwk.kty + "' is not an asymmetric public JWK");
658
654
  }
659
655
 
656
+ // Config-time check for an OPTIONAL epoch-seconds override (iat / nbf): if
657
+ // present it must be a finite number, so a typo is caught at build time
658
+ // rather than silently ignored by the `typeof === "number"` body guard.
659
+ function _optionalFiniteNumber(value, label, code) {
660
+ if (value === undefined || value === null) return;
661
+ if (typeof value !== "number" || !isFinite(value)) {
662
+ throw new OAuthError(code, label + " must be a finite number (epoch seconds)");
663
+ }
664
+ }
665
+
660
666
  /**
661
667
  * @primitive b.auth.oauth.buildClientAttestation
662
668
  * @signature b.auth.oauth.buildClientAttestation(opts)
@@ -700,14 +706,23 @@ function _publicCnfJwk(jwk, label) {
700
706
  */
701
707
  function buildClientAttestation(aopts) {
702
708
  aopts = aopts || {};
703
- validateOpts(aopts, [
704
- "clientId", "attesterPrivateKey", "instanceKeyJwk", "algorithm",
705
- "expiresInSec", "nbf", "iat", "extraClaims",
706
- ], "auth.oauth.buildClientAttestation");
707
- validateOpts.requireNonEmptyString(aopts.clientId,
708
- "buildClientAttestation: clientId", OAuthError, "auth-oauth/attestation-no-client-id");
709
- validateOpts.optionalPositiveInt(aopts.expiresInSec,
710
- "buildClientAttestation: expiresInSec", OAuthError, "auth-oauth/attestation-bad-expiry");
709
+ validateOpts.shape(aopts, {
710
+ clientId: { rule: "required-string", code: "auth-oauth/attestation-no-client-id" },
711
+ // KeyObject | PEM string | JWK object — typed downstream by
712
+ // _toAttestationPrivateKey; the shape only enforces presence.
713
+ attesterPrivateKey: function (v, l) {
714
+ if (v === undefined || v === null) {
715
+ throw new OAuthError("auth-oauth/attestation-no-attester-key",
716
+ l + " (Attester signing key) is required");
717
+ }
718
+ },
719
+ instanceKeyJwk: { rule: "required-object", code: "auth-oauth/attestation-bad-cnf" },
720
+ algorithm: { rule: "optional-string", code: "auth-oauth/attestation-bad-alg" },
721
+ nbf: function (v, l) { _optionalFiniteNumber(v, l, "auth-oauth/attestation-bad-nbf"); },
722
+ iat: function (v, l) { _optionalFiniteNumber(v, l, "auth-oauth/attestation-bad-iat"); },
723
+ extraClaims: { rule: "optional-plain-object", code: "auth-oauth/attestation-bad-extra-claims" },
724
+ expiresInSec: { rule: "optional-positive-int", code: "auth-oauth/attestation-bad-expiry" },
725
+ }, "buildClientAttestation", OAuthError, "auth-oauth/attestation-no-client-id");
711
726
  var key = _toAttestationPrivateKey(aopts.attesterPrivateKey, "buildClientAttestation");
712
727
  var alg = _resolveAttestationAlg(aopts.algorithm, key, "buildClientAttestation");
713
728
  var cnfJwk = _publicCnfJwk(aopts.instanceKeyJwk, "buildClientAttestation");
@@ -769,16 +784,23 @@ function buildClientAttestation(aopts) {
769
784
  */
770
785
  function buildClientAttestationPop(popts) {
771
786
  popts = popts || {};
772
- validateOpts(popts, [
773
- "instancePrivateKey", "audience", "algorithm", "challenge",
774
- "jti", "iat", "expiresInSec",
775
- ], "auth.oauth.buildClientAttestationPop");
776
- validateOpts.requireNonEmptyString(popts.audience,
777
- "buildClientAttestationPop: audience (AS issuer)", OAuthError, "auth-oauth/attestation-pop-no-aud");
778
- validateOpts.optionalNonEmptyString(popts.challenge,
779
- "buildClientAttestationPop: challenge", OAuthError, "auth-oauth/attestation-pop-bad-challenge");
780
- validateOpts.optionalPositiveInt(popts.expiresInSec,
781
- "buildClientAttestationPop: expiresInSec", OAuthError, "auth-oauth/attestation-pop-bad-expiry");
787
+ validateOpts.shape(popts, {
788
+ audience: { rule: "required-string", code: "auth-oauth/attestation-pop-no-aud",
789
+ label: "buildClientAttestationPop: audience (AS issuer)" },
790
+ // KeyObject | PEM string | JWK object — typed downstream by
791
+ // _toAttestationPrivateKey; the shape only enforces presence.
792
+ instancePrivateKey: function (v, l) {
793
+ if (v === undefined || v === null) {
794
+ throw new OAuthError("auth-oauth/attestation-pop-no-instance-key",
795
+ l + " (instance signing key matching cnf.jwk) is required");
796
+ }
797
+ },
798
+ algorithm: { rule: "optional-string", code: "auth-oauth/attestation-pop-bad-alg" },
799
+ jti: { rule: "optional-string", code: "auth-oauth/attestation-pop-bad-jti" },
800
+ iat: function (v, l) { _optionalFiniteNumber(v, l, "auth-oauth/attestation-pop-bad-iat"); },
801
+ challenge: { rule: "optional-string", code: "auth-oauth/attestation-pop-bad-challenge" },
802
+ expiresInSec: { rule: "optional-positive-int", code: "auth-oauth/attestation-pop-bad-expiry" },
803
+ }, "buildClientAttestationPop", OAuthError, "auth-oauth/attestation-pop-no-aud");
782
804
  var key = _toAttestationPrivateKey(popts.instancePrivateKey, "buildClientAttestationPop");
783
805
  var alg = _resolveAttestationAlg(popts.algorithm, key, "buildClientAttestationPop");
784
806
  var iatSec = typeof popts.iat === "number" ? popts.iat : Math.floor(Date.now() / C.TIME.seconds(1));
@@ -54,7 +54,7 @@ var lazyRequire = require("../lazy-require");
54
54
  var validateOpts = require("../validate-opts");
55
55
  var safeJson = require("../safe-json");
56
56
  var nodeCrypto = require("node:crypto");
57
- var { generateToken, sha3Hash, timingSafeEqual } = require("../crypto");
57
+ var { generateToken, sha3Hash, timingSafeEqual, importPublicJwk } = require("../crypto");
58
58
  // Shared JOSE defenses (CVE-2026-22817 alg/kty cross-check). Top-of-
59
59
  // file per project convention §3; no circular load — jwt-external
60
60
  // requires nothing from oid4vci.
@@ -297,11 +297,11 @@ async function _verifyProofJwt(proofJwt, expectedAud, expectedCNonce, expectedCl
297
297
  // A resolver that returns an RSA key for a proof declaring an HMAC
298
298
  // alg would otherwise be verified as an HMAC secret.
299
299
  jwtExternal._assertAlgKtyMatch(header.alg, holderKeyJwk);
300
- try { keyObj = nodeCrypto.createPublicKey({ key: holderKeyJwk, format: "jwk" }); }
301
- catch (e) {
302
- throw new AuthError("auth-oid4vci/bad-resolved-key",
303
- "credential issuance: resolveKid-returned key is not importable as a public key: " + ((e && e.message) || String(e)));
304
- }
300
+ keyObj = importPublicJwk(holderKeyJwk, {
301
+ errorClass: AuthError,
302
+ code: "auth-oid4vci/bad-resolved-key",
303
+ messagePrefix: "credential issuance: resolveKid-returned key is not importable as a public key: ",
304
+ });
305
305
  } else if (!holderKeyJwk && header.x5c) {
306
306
  // RFC 7515 §4.1.6 / OID4VCI §8.2.1.1 — the wallet ships a base64 DER
307
307
  // certificate chain; the LEAF (first) cert's SPKI is the holder key.
@@ -333,11 +333,11 @@ async function _verifyProofJwt(proofJwt, expectedAud, expectedCNonce, expectedCl
333
333
  // A leaf cert holding an RSA key against a proof declaring an HMAC
334
334
  // alg would otherwise be verified as an HMAC secret.
335
335
  jwtExternal._assertAlgKtyMatch(header.alg, holderKeyJwk);
336
- try { keyObj = nodeCrypto.createPublicKey({ key: holderKeyJwk, format: "jwk" }); }
337
- catch (e) {
338
- throw new AuthError("auth-oid4vci/bad-x5c",
339
- "credential issuance: proof JWT `x5c` leaf public key is not importable: " + ((e && e.message) || String(e)));
340
- }
336
+ keyObj = importPublicJwk(holderKeyJwk, {
337
+ errorClass: AuthError,
338
+ code: "auth-oid4vci/bad-x5c",
339
+ messagePrefix: "credential issuance: proof JWT `x5c` leaf public key is not importable: ",
340
+ });
341
341
  } else {
342
342
  if (!holderKeyJwk) {
343
343
  throw new AuthError("auth-oid4vci/no-jwk-in-header",
@@ -349,11 +349,11 @@ async function _verifyProofJwt(proofJwt, expectedAud, expectedCNonce, expectedCl
349
349
  // key as an HMAC secret. Routed through the shared helper so every
350
350
  // JWT verifier in the framework enforces the same check.
351
351
  jwtExternal._assertAlgKtyMatch(header.alg, holderKeyJwk);
352
- try { keyObj = nodeCrypto.createPublicKey({ key: holderKeyJwk, format: "jwk" }); }
353
- catch (e) {
354
- throw new AuthError("auth-oid4vci/bad-jwk",
355
- "credential issuance: proof JWT jwk is not parseable: " + ((e && e.message) || String(e)));
356
- }
352
+ keyObj = importPublicJwk(holderKeyJwk, {
353
+ errorClass: AuthError,
354
+ code: "auth-oid4vci/bad-jwk",
355
+ messagePrefix: "credential issuance: proof JWT jwk is not parseable: ",
356
+ });
357
357
  }
358
358
 
359
359
  var signingInput = parts[0] + "." + parts[1];
@@ -428,13 +428,36 @@ async function _verifyProofJwt(proofJwt, expectedAud, expectedCNonce, expectedCl
428
428
  * });
429
429
  */
430
430
  function create(opts) {
431
+ // Preserve the original object-guard's exact label + default code
432
+ // (distinct from the per-field "issuer.create:" label prefix below).
431
433
  validateOpts.requireObject(opts, "auth.oid4vci.issuer.create", AuthError);
432
- validateOpts.requireNonEmptyString(opts.credentialIssuerUrl,
433
- "issuer.create: credentialIssuerUrl", AuthError, "auth-oid4vci/no-issuer-url");
434
- validateOpts.requireNonEmptyString(opts.credentialEndpoint,
435
- "issuer.create: credentialEndpoint", AuthError, "auth-oid4vci/no-credential-endpoint");
436
- validateOpts.requireNonEmptyString(opts.tokenEndpoint,
437
- "issuer.create: tokenEndpoint", AuthError, "auth-oid4vci/no-token-endpoint");
434
+ validateOpts.shape(opts, {
435
+ credentialIssuerUrl: { rule: "required-string", code: "auth-oid4vci/no-issuer-url" },
436
+ credentialEndpoint: { rule: "required-string", code: "auth-oid4vci/no-credential-endpoint" },
437
+ tokenEndpoint: { rule: "required-string", code: "auth-oid4vci/no-token-endpoint" },
438
+ // sdJwtIssuer + supportedCredentials carry distinct bespoke checks
439
+ // (instance shape / non-empty map / per-credential format+vct) below;
440
+ // declare them here so the exhaustive contract accepts the keys —
441
+ // required-object validates only that they are objects, which the
442
+ // bespoke checks then refine.
443
+ sdJwtIssuer: "required-object",
444
+ supportedCredentials: "required-object",
445
+ proofAlgorithms: "optional-string-array",
446
+ // resolveKid / validateX5c carry distinct per-field codes the inline
447
+ // config-time guards used; the descriptor form keeps the exact code +
448
+ // label inside the exhaustive shape.
449
+ resolveKid: { rule: "optional-function", code: "auth-oid4vci/bad-resolve-kid" },
450
+ validateX5c: { rule: "optional-function", code: "auth-oid4vci/bad-validate-x5c" },
451
+ preAuthCodeTtlMs: "optional-positive-finite",
452
+ accessTokenTtlMs: "optional-positive-finite",
453
+ cNonceTtlMs: "optional-positive-finite",
454
+ proofMaxAgeMs: "optional-positive-finite",
455
+ accessTokenSingleUse: "optional-boolean",
456
+ codeStore: "optional-plain-object",
457
+ accessTokenStore: "optional-plain-object",
458
+ cNonceStore: "optional-plain-object",
459
+ authorizationServers: "optional-string-array",
460
+ }, "issuer.create", AuthError);
438
461
  if (!opts.sdJwtIssuer || typeof opts.sdJwtIssuer.issue !== "function") {
439
462
  throw new AuthError("auth-oid4vci/no-sd-jwt-issuer",
440
463
  "issuer.create: sdJwtIssuer must be a b.auth.sdJwtVc.issuer instance");
@@ -464,18 +487,18 @@ function create(opts) {
464
487
  ? opts.proofAlgorithms : ["ES256", "ES384", "EdDSA"];
465
488
 
466
489
  // Optional kid-resolver for kid-only proofs (EUDI-Wallet attested-key
467
- // flow). Config-time throw if supplied but not a function. Absent →
468
- // kid-only proofs keep the clear refusal (back-compat).
469
- var resolveKid = validateOpts.optionalFunction(opts.resolveKid,
470
- "issuer.create: resolveKid", AuthError, "auth-oid4vci/bad-resolve-kid");
490
+ // flow). Validated by the shape above (config-time throw if supplied
491
+ // but not a function). Absent → kid-only proofs keep the clear refusal
492
+ // (back-compat).
493
+ var resolveKid = opts.resolveKid;
471
494
 
472
495
  // Optional x5c chain-trust policy for x5c proofs (RFC 7515 §4.1.6 /
473
- // OID4VCI §8.2.1.1). Config-time throw if supplied but not a function.
474
- // Absent → the leaf-cert SPKI binds at the same self-asserted trust
475
- // level as an inline `jwk` (the proof signature binds the key); chain
476
- // anchoring beyond that is the operator's to enforce via this callback.
477
- var validateX5c = validateOpts.optionalFunction(opts.validateX5c,
478
- "issuer.create: validateX5c", AuthError, "auth-oid4vci/bad-validate-x5c");
496
+ // OID4VCI §8.2.1.1). Validated by the shape above (config-time throw if
497
+ // supplied but not a function). Absent → the leaf-cert SPKI binds at the
498
+ // same self-asserted trust level as an inline `jwk` (the proof signature
499
+ // binds the key); chain anchoring beyond that is the operator's to
500
+ // enforce via this callback.
501
+ var validateX5c = opts.validateX5c;
479
502
 
480
503
  var preAuthTtl = opts.preAuthCodeTtlMs || DEFAULT_PRE_AUTH_TTL_MS;
481
504
  var accessTokenTtl = opts.accessTokenTtlMs || DEFAULT_ACCESS_TOKEN_TTL;
@@ -52,6 +52,7 @@
52
52
 
53
53
  var lazyRequire = require("../lazy-require");
54
54
  var validateOpts = require("../validate-opts");
55
+ var boundedMap = require("../bounded-map");
55
56
  var { generateToken } = require("../crypto");
56
57
  var { AuthError } = require("../framework-error");
57
58
 
@@ -90,10 +91,10 @@ function _validateDcql(dcql) {
90
91
  throw new AuthError("auth-oid4vp/no-credential-id",
91
92
  "DCQL: credentials[" + i + "].id is required");
92
93
  }
93
- if (seenIds.has(cred.id)) {
94
+ boundedMap.requireAbsentMember(seenIds, cred.id, function () {
94
95
  throw new AuthError("auth-oid4vp/duplicate-id",
95
96
  "DCQL: credentials[" + i + "].id \"" + cred.id + "\" duplicated");
96
- }
97
+ });
97
98
  seenIds.add(cred.id);
98
99
  if (typeof cred.format !== "string" || cred.format.length === 0) {
99
100
  throw new AuthError("auth-oid4vp/no-format",
@@ -58,6 +58,7 @@ var lazyRequire = require("../lazy-require");
58
58
  var validateOpts = require("../validate-opts");
59
59
  var safeJson = require("../safe-json");
60
60
  var nodeCrypto = require("node:crypto");
61
+ var bCrypto = require("../crypto");
61
62
  var C = require("../constants");
62
63
  // Shared JOSE defenses (CVE-2026-22817 alg/kty cross-check +
63
64
  // CVE-2026-23552 constant-time iss compare). Top-of-file per project
@@ -195,12 +196,11 @@ function verifyEntityStatement(jwt, jwks, vopts) {
195
196
  // same check.
196
197
  jwtExternal._assertAlgKtyMatch(parsed.header.alg, key);
197
198
 
198
- var keyObj;
199
- try { keyObj = nodeCrypto.createPublicKey({ key: key, format: "jwk" }); }
200
- catch (e) {
201
- throw new AuthError("auth-openid-federation/bad-jwk",
202
- "verifyEntityStatement: JWK is not parseable: " + ((e && e.message) || String(e)));
203
- }
199
+ var keyObj = bCrypto.importPublicJwk(key, {
200
+ errorClass: AuthError,
201
+ code: "auth-openid-federation/bad-jwk",
202
+ messagePrefix: "verifyEntityStatement: JWK is not parseable: ",
203
+ });
204
204
 
205
205
  var hash = _hashByAlg(parsed.header.alg);
206
206
  var verifyOpts = { key: keyObj };
@@ -325,7 +325,7 @@ function _b64urlExtInput(value, name, maxBytes) {
325
325
  }
326
326
  if (typeof maxBytes === "number") {
327
327
  var decoded = Buffer.from(value, "base64url");
328
- if (decoded.length > maxBytes) {
328
+ if (safeBuffer.byteLengthOf(decoded) > maxBytes) {
329
329
  throw new AuthError("auth-passkey/extension-input-too-large",
330
330
  name + " decoded length " + decoded.length + " exceeds " + maxBytes + " bytes");
331
331
  }
@@ -333,14 +333,14 @@ function _b64urlExtInput(value, name, maxBytes) {
333
333
  return value;
334
334
  }
335
335
  if (Buffer.isBuffer(value)) {
336
- if (typeof maxBytes === "number" && value.length > maxBytes) {
336
+ if (typeof maxBytes === "number" && safeBuffer.byteLengthOf(value) > maxBytes) {
337
337
  throw new AuthError("auth-passkey/extension-input-too-large",
338
338
  name + " length " + value.length + " exceeds " + maxBytes + " bytes");
339
339
  }
340
340
  return value.toString("base64url");
341
341
  }
342
342
  if (value instanceof Uint8Array) {
343
- if (typeof maxBytes === "number" && value.length > maxBytes) {
343
+ if (typeof maxBytes === "number" && safeBuffer.byteLengthOf(value) > maxBytes) {
344
344
  throw new AuthError("auth-passkey/extension-input-too-large",
345
345
  name + " length " + value.length + " exceeds " + maxBytes + " bytes");
346
346
  }
@@ -421,7 +421,13 @@ function policy(opts) {
421
421
  var sha1Full = hibpSha1.sha1Hex(plaintext).toUpperCase();
422
422
  var prefix = sha1Full.slice(0, 5);
423
423
  var suffix = sha1Full.slice(5);
424
- var url = p.hibpEndpoint.replace(/\/+$/, "") + "/range/" + prefix;
424
+ // Strip trailing slashes with a linear backward scan rather than
425
+ // /\/+$/ — the `$`-after-greedy-`+` regex is O(n^2) in V8 on a value
426
+ // that is a long run of '/' (the engine retries from every offset).
427
+ // Byte-identical result, unconditionally linear.
428
+ var endEp = p.hibpEndpoint.length;
429
+ while (endEp > 0 && p.hibpEndpoint.charCodeAt(endEp - 1) === 0x2f) { endEp -= 1; }
430
+ var url = p.hibpEndpoint.slice(0, endEp) + "/range/" + prefix;
425
431
  var resp;
426
432
  try {
427
433
  resp = await httpClient.request({
@@ -332,13 +332,18 @@ function _verifyXmldsig(envelope, signatureNode, certPem) {
332
332
  * });
333
333
  */
334
334
  function create(opts) {
335
- validateOpts.requireObject(opts, "auth.saml.sp.create", AuthError);
336
- validateOpts.requireNonEmptyString(opts.entityId, "entityId", AuthError, "auth-saml/no-entity-id");
337
- validateOpts.requireNonEmptyString(opts.assertionConsumerServiceUrl, "assertionConsumerServiceUrl",
338
- AuthError, "auth-saml/no-acs");
339
- validateOpts.requireNonEmptyString(opts.idpEntityId, "idpEntityId", AuthError, "auth-saml/no-idp-entity-id");
340
- validateOpts.requireNonEmptyString(opts.idpSsoUrl, "idpSsoUrl", AuthError, "auth-saml/no-idp-sso");
341
- validateOpts.requireNonEmptyString(opts.idpCertPem, "idpCertPem", AuthError, "auth-saml/no-idp-cert");
335
+ validateOpts.shape(opts, {
336
+ entityId: { rule: "required-string", label: "entityId", code: "auth-saml/no-entity-id" },
337
+ assertionConsumerServiceUrl: { rule: "required-string", label: "assertionConsumerServiceUrl", code: "auth-saml/no-acs" },
338
+ idpEntityId: { rule: "required-string", label: "idpEntityId", code: "auth-saml/no-idp-entity-id" },
339
+ idpSsoUrl: { rule: "required-string", label: "idpSsoUrl", code: "auth-saml/no-idp-sso" },
340
+ idpCertPem: { rule: "required-string", label: "idpCertPem", code: "auth-saml/no-idp-cert" },
341
+ audience: "optional-string",
342
+ clockSkewSec: "optional-non-negative",
343
+ nameIdFormat: "optional-string",
344
+ singleLogoutServiceUrl: "optional-string",
345
+ idpSloUrl: "optional-string",
346
+ }, "auth.saml.sp.create", AuthError);
342
347
 
343
348
  var audience = opts.audience || opts.entityId;
344
349
  var clockSkewSec = typeof opts.clockSkewSec === "number" ? opts.clockSkewSec : 60; // allow:raw-time-literal — clock-skew default
@@ -973,6 +978,25 @@ function create(opts) {
973
978
  * idpVerifyAlg: "ml-dsa-65",
974
979
  * });
975
980
  */
981
+ // _extractRedirectSignature(queryString) — split a SAML HTTP-Redirect
982
+ // binding query string, pulling the URL-decoded `Signature=` value out and
983
+ // collecting the remaining (signed) portion in order. Shared by
984
+ // parseLogoutRequest / parseLogoutResponse so the two cannot drift on which
985
+ // bytes the signature covers — a drift would be a signature-bypass.
986
+ function _extractRedirectSignature(queryString) {
987
+ var parts = queryString.split("&");
988
+ var sigValue = null;
989
+ var signedPortion = [];
990
+ for (var i = 0; i < parts.length; i += 1) {
991
+ if (parts[i].indexOf("Signature=") === 0) {
992
+ sigValue = decodeURIComponent(parts[i].slice("Signature=".length));
993
+ } else {
994
+ signedPortion.push(parts[i]);
995
+ }
996
+ }
997
+ return { sigValue: sigValue, signedPortion: signedPortion };
998
+ }
999
+
976
1000
  function parseLogoutRequest(samlRequestB64, vopts) {
977
1001
  vopts = vopts || {};
978
1002
  if (typeof samlRequestB64 !== "string" || samlRequestB64.length === 0) {
@@ -998,16 +1022,9 @@ function create(opts) {
998
1022
  throw new AuthError("auth-saml/bad-verify-alg",
999
1023
  "parseLogoutRequest: idpVerifyAlg must be 'ml-dsa-65' / 'ml-dsa-87' / 'ed25519'");
1000
1024
  }
1001
- var parts = vopts.queryString.split("&");
1002
- var sigValue = null;
1003
- var signedPortion = [];
1004
- for (var i = 0; i < parts.length; i += 1) {
1005
- if (parts[i].indexOf("Signature=") === 0) {
1006
- sigValue = decodeURIComponent(parts[i].slice("Signature=".length));
1007
- } else {
1008
- signedPortion.push(parts[i]);
1009
- }
1010
- }
1025
+ var sig = _extractRedirectSignature(vopts.queryString);
1026
+ var sigValue = sig.sigValue;
1027
+ var signedPortion = sig.signedPortion;
1011
1028
  if (!sigValue) {
1012
1029
  throw new AuthError("auth-saml/no-signature",
1013
1030
  "parseLogoutRequest: queryString lacks Signature parameter");
@@ -1193,16 +1210,9 @@ function create(opts) {
1193
1210
  throw new AuthError("auth-saml/bad-verify-alg",
1194
1211
  "parseLogoutResponse: idpVerifyAlg must be 'ml-dsa-65' / 'ml-dsa-87' / 'ed25519'");
1195
1212
  }
1196
- var parts = vopts.queryString.split("&");
1197
- var sigValue = null;
1198
- var signedPortion = [];
1199
- for (var i = 0; i < parts.length; i += 1) {
1200
- if (parts[i].indexOf("Signature=") === 0) {
1201
- sigValue = decodeURIComponent(parts[i].slice("Signature=".length));
1202
- } else {
1203
- signedPortion.push(parts[i]);
1204
- }
1205
- }
1213
+ var sig = _extractRedirectSignature(vopts.queryString);
1214
+ var sigValue = sig.sigValue;
1215
+ var signedPortion = sig.signedPortion;
1206
1216
  if (!sigValue) {
1207
1217
  throw new AuthError("auth-saml/no-signature",
1208
1218
  "parseLogoutResponse: queryString lacks Signature parameter");