@blamejs/blamejs-shop 0.4.56 → 0.4.58
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/CHANGELOG.md +4 -0
- package/lib/affiliates.js +35 -4
- package/lib/api-keys.js +17 -2
- package/lib/asset-manifest.json +1 -1
- package/lib/backorder.js +21 -4
- package/lib/click-and-collect.js +11 -2
- package/lib/credit-limits.js +132 -84
- package/lib/vendor/MANIFEST.json +426 -366
- package/lib/vendor/blamejs/.github/codeql/codeql-config.yml +25 -0
- package/lib/vendor/blamejs/.github/workflows/actions-lint.yml +3 -3
- package/lib/vendor/blamejs/.github/workflows/cflite_batch.yml +1 -1
- package/lib/vendor/blamejs/.github/workflows/cflite_pr.yml +1 -1
- package/lib/vendor/blamejs/.github/workflows/ci.yml +13 -13
- package/lib/vendor/blamejs/.github/workflows/codeql.yml +8 -7
- package/lib/vendor/blamejs/.github/workflows/npm-publish.yml +2 -2
- package/lib/vendor/blamejs/.github/workflows/release-container.yml +4 -4
- package/lib/vendor/blamejs/.github/workflows/scorecard.yml +1 -1
- package/lib/vendor/blamejs/.github/workflows/sha-to-tag-verify.yml +1 -1
- package/lib/vendor/blamejs/CHANGELOG.md +2 -0
- package/lib/vendor/blamejs/api-snapshot.json +1381 -4
- package/lib/vendor/blamejs/eslint.config.mjs +1 -0
- package/lib/vendor/blamejs/examples/wiki/lib/source-comment-block-validator.js +4 -1
- package/lib/vendor/blamejs/examples/wiki/lib/symbol-index.js +5 -2
- package/lib/vendor/blamejs/examples/wiki/routes/pages.js +4 -1
- package/lib/vendor/blamejs/fuzz/guard-text.fuzz.js +20 -0
- package/lib/vendor/blamejs/index.js +2 -0
- package/lib/vendor/blamejs/lib/a2a-tasks.js +7 -23
- package/lib/vendor/blamejs/lib/acme.js +6 -5
- package/lib/vendor/blamejs/lib/agent-event-bus.js +5 -4
- package/lib/vendor/blamejs/lib/agent-idempotency.js +2 -5
- package/lib/vendor/blamejs/lib/agent-orchestrator.js +2 -5
- package/lib/vendor/blamejs/lib/agent-saga.js +3 -5
- package/lib/vendor/blamejs/lib/agent-tenant.js +2 -5
- package/lib/vendor/blamejs/lib/ai-adverse-decision.js +2 -15
- package/lib/vendor/blamejs/lib/ai-capability.js +1 -6
- package/lib/vendor/blamejs/lib/ai-dp.js +1 -5
- package/lib/vendor/blamejs/lib/ai-input.js +2 -2
- package/lib/vendor/blamejs/lib/ai-pref.js +3 -8
- package/lib/vendor/blamejs/lib/ai-quota.js +3 -14
- package/lib/vendor/blamejs/lib/api-key.js +37 -28
- package/lib/vendor/blamejs/lib/archive-adapters.js +2 -4
- package/lib/vendor/blamejs/lib/archive-entry-policy.js +32 -0
- package/lib/vendor/blamejs/lib/archive-read.js +5 -17
- package/lib/vendor/blamejs/lib/archive-tar-read.js +5 -16
- package/lib/vendor/blamejs/lib/archive.js +2 -10
- package/lib/vendor/blamejs/lib/arg-parser.js +7 -6
- package/lib/vendor/blamejs/lib/asyncapi-traits.js +2 -6
- package/lib/vendor/blamejs/lib/atomic-file.js +108 -31
- package/lib/vendor/blamejs/lib/audit-chain.js +133 -53
- package/lib/vendor/blamejs/lib/audit-daily-review.js +24 -14
- package/lib/vendor/blamejs/lib/audit-emit.js +82 -0
- package/lib/vendor/blamejs/lib/audit-sign.js +257 -0
- package/lib/vendor/blamejs/lib/audit.js +84 -0
- package/lib/vendor/blamejs/lib/auth/access-lock.js +5 -27
- package/lib/vendor/blamejs/lib/auth/dpop.js +23 -35
- package/lib/vendor/blamejs/lib/auth/fido-mds3.js +9 -15
- package/lib/vendor/blamejs/lib/auth/jwt-external.js +26 -8
- package/lib/vendor/blamejs/lib/auth/jwt.js +13 -15
- package/lib/vendor/blamejs/lib/auth/lockout.js +6 -25
- package/lib/vendor/blamejs/lib/auth/oauth.js +67 -45
- package/lib/vendor/blamejs/lib/auth/oid4vci.js +55 -32
- package/lib/vendor/blamejs/lib/auth/oid4vp.js +3 -2
- package/lib/vendor/blamejs/lib/auth/openid-federation.js +6 -6
- package/lib/vendor/blamejs/lib/auth/passkey.js +3 -3
- package/lib/vendor/blamejs/lib/auth/password.js +7 -1
- package/lib/vendor/blamejs/lib/auth/saml.js +37 -27
- package/lib/vendor/blamejs/lib/auth/sd-jwt-vc-holder.js +2 -14
- package/lib/vendor/blamejs/lib/auth/sd-jwt-vc-issuer.js +2 -14
- package/lib/vendor/blamejs/lib/auth/sd-jwt-vc.js +1 -1
- package/lib/vendor/blamejs/lib/auth/status-list.js +7 -7
- package/lib/vendor/blamejs/lib/auth/step-up.js +6 -12
- package/lib/vendor/blamejs/lib/auth-bot-challenge.js +6 -37
- package/lib/vendor/blamejs/lib/backup/bundle.js +11 -18
- package/lib/vendor/blamejs/lib/backup/index.js +14 -47
- package/lib/vendor/blamejs/lib/bounded-map.js +112 -1
- package/lib/vendor/blamejs/lib/breach-deadline.js +1 -11
- package/lib/vendor/blamejs/lib/cache.js +7 -18
- package/lib/vendor/blamejs/lib/cbor.js +2 -1
- package/lib/vendor/blamejs/lib/cdn-cache-control.js +8 -9
- package/lib/vendor/blamejs/lib/cert.js +3 -10
- package/lib/vendor/blamejs/lib/chain-writer.js +162 -47
- package/lib/vendor/blamejs/lib/cli.js +5 -1
- package/lib/vendor/blamejs/lib/client-hints.js +7 -9
- package/lib/vendor/blamejs/lib/cloud-events.js +40 -31
- package/lib/vendor/blamejs/lib/cluster-storage.js +2 -38
- package/lib/vendor/blamejs/lib/cms-codec.js +2 -1
- package/lib/vendor/blamejs/lib/codepoint-class.js +67 -1
- package/lib/vendor/blamejs/lib/compliance-ai-act-logging.js +1 -6
- package/lib/vendor/blamejs/lib/compliance-ai-act-transparency.js +2 -4
- package/lib/vendor/blamejs/lib/compliance-eaa.js +1 -11
- package/lib/vendor/blamejs/lib/compliance-sanctions-fetcher.js +21 -28
- package/lib/vendor/blamejs/lib/compliance-sanctions.js +2 -14
- package/lib/vendor/blamejs/lib/compliance.js +2 -9
- package/lib/vendor/blamejs/lib/config-drift.js +2 -12
- package/lib/vendor/blamejs/lib/content-digest.js +10 -8
- package/lib/vendor/blamejs/lib/cookies.js +5 -11
- package/lib/vendor/blamejs/lib/cose.js +19 -11
- package/lib/vendor/blamejs/lib/cra-report.js +1 -11
- package/lib/vendor/blamejs/lib/crypto-field.js +5 -10
- package/lib/vendor/blamejs/lib/crypto.js +120 -3
- package/lib/vendor/blamejs/lib/csp.js +235 -3
- package/lib/vendor/blamejs/lib/daemon.js +42 -41
- package/lib/vendor/blamejs/lib/data-act.js +19 -9
- package/lib/vendor/blamejs/lib/db-query.js +6 -40
- package/lib/vendor/blamejs/lib/db.js +34 -12
- package/lib/vendor/blamejs/lib/dbsc.js +5 -6
- package/lib/vendor/blamejs/lib/ddl-change-control.js +18 -14
- package/lib/vendor/blamejs/lib/deprecate.js +4 -5
- package/lib/vendor/blamejs/lib/did.js +6 -2
- package/lib/vendor/blamejs/lib/dsr.js +8 -12
- package/lib/vendor/blamejs/lib/external-db-migrate.js +21 -22
- package/lib/vendor/blamejs/lib/external-db.js +14 -26
- package/lib/vendor/blamejs/lib/fda-21cfr11.js +12 -8
- package/lib/vendor/blamejs/lib/fdx.js +22 -18
- package/lib/vendor/blamejs/lib/file-upload.js +80 -66
- package/lib/vendor/blamejs/lib/flag-evaluation-context.js +5 -8
- package/lib/vendor/blamejs/lib/framework-error.js +12 -0
- package/lib/vendor/blamejs/lib/framework-schema.js +19 -0
- package/lib/vendor/blamejs/lib/fsm.js +7 -12
- package/lib/vendor/blamejs/lib/gate-contract.js +869 -38
- package/lib/vendor/blamejs/lib/gdpr-ropa.js +4 -13
- package/lib/vendor/blamejs/lib/graphql-federation.js +1 -1
- package/lib/vendor/blamejs/lib/guard-agent-registry.js +2 -1
- package/lib/vendor/blamejs/lib/guard-all.js +1 -0
- package/lib/vendor/blamejs/lib/guard-archive.js +9 -30
- package/lib/vendor/blamejs/lib/guard-auth.js +23 -80
- package/lib/vendor/blamejs/lib/guard-cidr.js +20 -96
- package/lib/vendor/blamejs/lib/guard-csv.js +135 -196
- package/lib/vendor/blamejs/lib/guard-domain.js +23 -106
- package/lib/vendor/blamejs/lib/guard-dsn.js +16 -13
- package/lib/vendor/blamejs/lib/guard-email.js +46 -53
- package/lib/vendor/blamejs/lib/guard-envelope.js +1 -1
- package/lib/vendor/blamejs/lib/guard-event-bus-topic.js +2 -1
- package/lib/vendor/blamejs/lib/guard-filename.js +12 -60
- package/lib/vendor/blamejs/lib/guard-graphql.js +28 -75
- package/lib/vendor/blamejs/lib/guard-html-wcag.js +15 -2
- package/lib/vendor/blamejs/lib/guard-html.js +65 -117
- package/lib/vendor/blamejs/lib/guard-idempotency-key.js +2 -1
- package/lib/vendor/blamejs/lib/guard-image.js +280 -77
- package/lib/vendor/blamejs/lib/guard-imap-command.js +8 -9
- package/lib/vendor/blamejs/lib/guard-json.js +87 -103
- package/lib/vendor/blamejs/lib/guard-jsonpath.js +20 -88
- package/lib/vendor/blamejs/lib/guard-jwt.js +32 -114
- package/lib/vendor/blamejs/lib/guard-list-id.js +2 -7
- package/lib/vendor/blamejs/lib/guard-list-unsubscribe.js +2 -7
- package/lib/vendor/blamejs/lib/guard-mail-compose.js +5 -6
- package/lib/vendor/blamejs/lib/guard-mail-move.js +2 -1
- package/lib/vendor/blamejs/lib/guard-mail-query.js +5 -3
- package/lib/vendor/blamejs/lib/guard-mail-sieve.js +6 -7
- package/lib/vendor/blamejs/lib/guard-managesieve-command.js +5 -4
- package/lib/vendor/blamejs/lib/guard-markdown.js +76 -110
- package/lib/vendor/blamejs/lib/guard-message-id.js +5 -6
- package/lib/vendor/blamejs/lib/guard-mime.js +20 -99
- package/lib/vendor/blamejs/lib/guard-oauth.js +19 -73
- package/lib/vendor/blamejs/lib/guard-pdf.js +65 -72
- package/lib/vendor/blamejs/lib/guard-pop3-command.js +12 -13
- package/lib/vendor/blamejs/lib/guard-posture-chain.js +2 -1
- package/lib/vendor/blamejs/lib/guard-regex.js +24 -99
- package/lib/vendor/blamejs/lib/guard-saga-config.js +2 -1
- package/lib/vendor/blamejs/lib/guard-shell.js +22 -87
- package/lib/vendor/blamejs/lib/guard-smtp-command.js +8 -11
- package/lib/vendor/blamejs/lib/guard-sql.js +15 -13
- package/lib/vendor/blamejs/lib/guard-stream-args.js +2 -1
- package/lib/vendor/blamejs/lib/guard-svg.js +95 -140
- package/lib/vendor/blamejs/lib/guard-template.js +23 -80
- package/lib/vendor/blamejs/lib/guard-tenant-id.js +2 -1
- package/lib/vendor/blamejs/lib/guard-text.js +592 -0
- package/lib/vendor/blamejs/lib/guard-time.js +27 -95
- package/lib/vendor/blamejs/lib/guard-uuid.js +21 -93
- package/lib/vendor/blamejs/lib/guard-xml.js +76 -106
- package/lib/vendor/blamejs/lib/guard-yaml.js +24 -60
- package/lib/vendor/blamejs/lib/http-client-cache.js +5 -12
- package/lib/vendor/blamejs/lib/http-client-cookie-jar.js +2 -4
- package/lib/vendor/blamejs/lib/http-client.js +8 -21
- package/lib/vendor/blamejs/lib/http-message-signature.js +3 -2
- package/lib/vendor/blamejs/lib/i18n-messageformat.js +5 -7
- package/lib/vendor/blamejs/lib/i18n.js +83 -26
- package/lib/vendor/blamejs/lib/inbox.js +8 -8
- package/lib/vendor/blamejs/lib/incident-report.js +3 -21
- package/lib/vendor/blamejs/lib/ip-utils.js +49 -6
- package/lib/vendor/blamejs/lib/jobs.js +3 -2
- package/lib/vendor/blamejs/lib/keychain.js +6 -18
- package/lib/vendor/blamejs/lib/legal-hold.js +6 -15
- package/lib/vendor/blamejs/lib/log-stream-cloudwatch.js +44 -112
- package/lib/vendor/blamejs/lib/log-stream-otlp-grpc.js +17 -14
- package/lib/vendor/blamejs/lib/log-stream-otlp.js +16 -80
- package/lib/vendor/blamejs/lib/log-stream-webhook.js +20 -92
- package/lib/vendor/blamejs/lib/mail-arc-sign.js +8 -3
- package/lib/vendor/blamejs/lib/mail-arf.js +3 -2
- package/lib/vendor/blamejs/lib/mail-auth.js +40 -66
- package/lib/vendor/blamejs/lib/mail-bimi.js +19 -39
- package/lib/vendor/blamejs/lib/mail-crypto-pgp.js +3 -2
- package/lib/vendor/blamejs/lib/mail-dav.js +8 -35
- package/lib/vendor/blamejs/lib/mail-deploy.js +6 -9
- package/lib/vendor/blamejs/lib/mail-dkim.js +19 -38
- package/lib/vendor/blamejs/lib/mail-greylist.js +15 -26
- package/lib/vendor/blamejs/lib/mail-helo.js +2 -3
- package/lib/vendor/blamejs/lib/mail-journal.js +2 -1
- package/lib/vendor/blamejs/lib/mail-mdn.js +4 -3
- package/lib/vendor/blamejs/lib/mail-rbl.js +5 -8
- package/lib/vendor/blamejs/lib/mail-scan.js +2 -2
- package/lib/vendor/blamejs/lib/mail-send-deliver.js +33 -20
- package/lib/vendor/blamejs/lib/mail-server-imap.js +32 -87
- package/lib/vendor/blamejs/lib/mail-server-jmap.js +35 -51
- package/lib/vendor/blamejs/lib/mail-server-managesieve.js +29 -83
- package/lib/vendor/blamejs/lib/mail-server-mx.js +33 -74
- package/lib/vendor/blamejs/lib/mail-server-net.js +177 -0
- package/lib/vendor/blamejs/lib/mail-server-pop3.js +30 -83
- package/lib/vendor/blamejs/lib/mail-server-rate-limit.js +30 -6
- package/lib/vendor/blamejs/lib/mail-server-submission.js +34 -73
- package/lib/vendor/blamejs/lib/mail-server-tls.js +89 -0
- package/lib/vendor/blamejs/lib/mail-spam-score.js +7 -8
- package/lib/vendor/blamejs/lib/mail-store.js +3 -2
- package/lib/vendor/blamejs/lib/mail.js +6 -11
- package/lib/vendor/blamejs/lib/markup-escape.js +31 -0
- package/lib/vendor/blamejs/lib/markup-tokenizer.js +54 -0
- package/lib/vendor/blamejs/lib/mcp-tool-registry.js +26 -23
- package/lib/vendor/blamejs/lib/mcp.js +1 -1
- package/lib/vendor/blamejs/lib/mdoc.js +11 -12
- package/lib/vendor/blamejs/lib/metrics.js +32 -30
- package/lib/vendor/blamejs/lib/middleware/age-gate.js +3 -23
- package/lib/vendor/blamejs/lib/middleware/api-encrypt.js +11 -22
- package/lib/vendor/blamejs/lib/middleware/assetlinks.js +2 -7
- package/lib/vendor/blamejs/lib/middleware/bearer-auth.js +2 -1
- package/lib/vendor/blamejs/lib/middleware/body-parser.js +31 -48
- package/lib/vendor/blamejs/lib/middleware/bot-disclose.js +7 -10
- package/lib/vendor/blamejs/lib/middleware/bot-guard.js +2 -10
- package/lib/vendor/blamejs/lib/middleware/csrf-protect.js +13 -2
- package/lib/vendor/blamejs/lib/middleware/daily-byte-quota.js +6 -26
- package/lib/vendor/blamejs/lib/middleware/deny-response.js +19 -1
- package/lib/vendor/blamejs/lib/middleware/fetch-metadata.js +7 -0
- package/lib/vendor/blamejs/lib/middleware/idempotency-key.js +4 -20
- package/lib/vendor/blamejs/lib/middleware/rate-limit.js +20 -28
- package/lib/vendor/blamejs/lib/middleware/scim-server.js +3 -2
- package/lib/vendor/blamejs/lib/middleware/security-headers.js +9 -1
- package/lib/vendor/blamejs/lib/middleware/security-txt.js +2 -6
- package/lib/vendor/blamejs/lib/middleware/tus-upload.js +12 -27
- package/lib/vendor/blamejs/lib/middleware/web-app-manifest.js +2 -7
- package/lib/vendor/blamejs/lib/migrations.js +4 -13
- package/lib/vendor/blamejs/lib/mime-parse.js +34 -17
- package/lib/vendor/blamejs/lib/module-loader.js +44 -0
- package/lib/vendor/blamejs/lib/money.js +105 -0
- package/lib/vendor/blamejs/lib/mtls-ca.js +116 -36
- package/lib/vendor/blamejs/lib/network-byte-quota.js +4 -18
- package/lib/vendor/blamejs/lib/network-dane.js +8 -6
- package/lib/vendor/blamejs/lib/network-dns-resolver.js +97 -6
- package/lib/vendor/blamejs/lib/network-dnssec.js +16 -16
- package/lib/vendor/blamejs/lib/network-heartbeat.js +3 -2
- package/lib/vendor/blamejs/lib/network-smtp-policy.js +29 -41
- package/lib/vendor/blamejs/lib/network-tls.js +40 -42
- package/lib/vendor/blamejs/lib/nis2-report.js +1 -11
- package/lib/vendor/blamejs/lib/nonce-store.js +81 -3
- package/lib/vendor/blamejs/lib/numeric-bounds.js +22 -8
- package/lib/vendor/blamejs/lib/object-store/azure-blob-bucket-ops.js +2 -6
- package/lib/vendor/blamejs/lib/object-store/azure-blob.js +5 -45
- package/lib/vendor/blamejs/lib/object-store/gcs.js +8 -71
- package/lib/vendor/blamejs/lib/object-store/http-put.js +1 -5
- package/lib/vendor/blamejs/lib/object-store/http-request.js +128 -0
- package/lib/vendor/blamejs/lib/object-store/sigv4-bucket-ops.js +2 -1
- package/lib/vendor/blamejs/lib/object-store/sigv4.js +9 -77
- package/lib/vendor/blamejs/lib/observability-otlp-exporter.js +9 -25
- package/lib/vendor/blamejs/lib/observability.js +95 -0
- package/lib/vendor/blamejs/lib/openapi-paths-builder.js +7 -3
- package/lib/vendor/blamejs/lib/otel-export.js +7 -10
- package/lib/vendor/blamejs/lib/outbox.js +43 -37
- package/lib/vendor/blamejs/lib/pagination.js +11 -15
- package/lib/vendor/blamejs/lib/parsers/safe-env.js +5 -4
- package/lib/vendor/blamejs/lib/parsers/safe-ini.js +10 -4
- package/lib/vendor/blamejs/lib/parsers/safe-toml.js +11 -9
- package/lib/vendor/blamejs/lib/parsers/safe-xml.js +2 -2
- package/lib/vendor/blamejs/lib/parsers/safe-yaml.js +7 -6
- package/lib/vendor/blamejs/lib/pick.js +63 -5
- package/lib/vendor/blamejs/lib/pipl-cn.js +69 -59
- package/lib/vendor/blamejs/lib/privacy-pass.js +8 -6
- package/lib/vendor/blamejs/lib/problem-details.js +2 -5
- package/lib/vendor/blamejs/lib/pubsub.js +4 -8
- package/lib/vendor/blamejs/lib/redact.js +2 -1
- package/lib/vendor/blamejs/lib/render.js +4 -2
- package/lib/vendor/blamejs/lib/request-helpers.js +133 -6
- package/lib/vendor/blamejs/lib/restore.js +5 -22
- package/lib/vendor/blamejs/lib/retention.js +3 -5
- package/lib/vendor/blamejs/lib/safe-async.js +457 -0
- package/lib/vendor/blamejs/lib/safe-buffer.js +137 -6
- package/lib/vendor/blamejs/lib/safe-decompress.js +2 -1
- package/lib/vendor/blamejs/lib/safe-dns.js +2 -1
- package/lib/vendor/blamejs/lib/safe-ical.js +12 -26
- package/lib/vendor/blamejs/lib/safe-json.js +7 -8
- package/lib/vendor/blamejs/lib/safe-jsonpath.js +6 -5
- package/lib/vendor/blamejs/lib/safe-mime.js +25 -29
- package/lib/vendor/blamejs/lib/safe-redirect.js +2 -5
- package/lib/vendor/blamejs/lib/safe-schema.js +7 -6
- package/lib/vendor/blamejs/lib/safe-sql.js +126 -0
- package/lib/vendor/blamejs/lib/safe-vcard.js +12 -26
- package/lib/vendor/blamejs/lib/sandbox-worker.js +9 -2
- package/lib/vendor/blamejs/lib/sandbox.js +3 -2
- package/lib/vendor/blamejs/lib/scheduler.js +5 -12
- package/lib/vendor/blamejs/lib/sec-cyber.js +82 -37
- package/lib/vendor/blamejs/lib/seeders.js +4 -11
- package/lib/vendor/blamejs/lib/self-update.js +92 -69
- package/lib/vendor/blamejs/lib/session-device-binding.js +112 -66
- package/lib/vendor/blamejs/lib/session.js +194 -6
- package/lib/vendor/blamejs/lib/sql.js +225 -78
- package/lib/vendor/blamejs/lib/sse.js +6 -10
- package/lib/vendor/blamejs/lib/static.js +136 -98
- package/lib/vendor/blamejs/lib/storage.js +4 -2
- package/lib/vendor/blamejs/lib/structured-fields.js +275 -16
- package/lib/vendor/blamejs/lib/tenant-quota.js +2 -20
- package/lib/vendor/blamejs/lib/tsa.js +11 -15
- package/lib/vendor/blamejs/lib/validate-opts.js +154 -8
- package/lib/vendor/blamejs/lib/vault/seal-pem-file.js +30 -48
- package/lib/vendor/blamejs/lib/vault-aad.js +3 -2
- package/lib/vendor/blamejs/lib/vc.js +2 -7
- package/lib/vendor/blamejs/lib/vex.js +35 -13
- package/lib/vendor/blamejs/lib/web-push-vapid.js +23 -20
- package/lib/vendor/blamejs/lib/webhook-dispatcher.js +706 -0
- package/lib/vendor/blamejs/lib/webhook.js +43 -18
- package/lib/vendor/blamejs/lib/websocket-channels.js +9 -7
- package/lib/vendor/blamejs/lib/websocket.js +7 -3
- package/lib/vendor/blamejs/lib/worm.js +2 -3
- package/lib/vendor/blamejs/lib/ws-client.js +8 -10
- package/lib/vendor/blamejs/package.json +1 -1
- package/lib/vendor/blamejs/release-notes/v0.15.13.json +81 -0
- package/lib/vendor/blamejs/scripts/check-changelog-extract.js +1 -1
- package/lib/vendor/blamejs/test/00-primitives.js +136 -7
- package/lib/vendor/blamejs/test/10-state.js +9 -3
- package/lib/vendor/blamejs/test/30-chain.js +40 -0
- package/lib/vendor/blamejs/test/helpers/check.js +18 -0
- package/lib/vendor/blamejs/test/helpers/db.js +4 -0
- package/lib/vendor/blamejs/test/helpers/index.js +1 -0
- package/lib/vendor/blamejs/test/integration/audit-chain-external-db.test.js +2 -1
- package/lib/vendor/blamejs/test/integration/audit-stack-postgres.test.js +2 -1
- package/lib/vendor/blamejs/test/integration/data-layer-mysql.test.js +8 -1
- package/lib/vendor/blamejs/test/integration/data-layer-pg.test.js +1 -1
- package/lib/vendor/blamejs/test/integration/framework-schema-mysql.test.js +2 -1
- package/lib/vendor/blamejs/test/integration/webhook-dispatcher-pg.test.js +269 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/atomic-file-fd-read.test.js +149 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/audit-framework-namespaces.test.js +51 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/audit-sign-anchor.test.js +88 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/audit-use-store.test.js +55 -1
- package/lib/vendor/blamejs/test/layer-0-primitives/backup-object-store-adapter.test.js +2 -2
- package/lib/vendor/blamejs/test/layer-0-primitives/bot-guard.test.js +1 -1
- package/lib/vendor/blamejs/test/layer-0-primitives/bounded-map.test.js +129 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/chain-writer-multichain.test.js +107 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/cli-api-key.test.js +12 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/codebase-patterns.test.js +2788 -3214
- package/lib/vendor/blamejs/test/layer-0-primitives/codepoint-class.test.js +78 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/crypto-base64url.test.js +63 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/crypto-hash-stream.test.js +2 -1
- package/lib/vendor/blamejs/test/layer-0-primitives/csp-builder.test.js +50 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/csp-nonce.test.js +1 -1
- package/lib/vendor/blamejs/test/layer-0-primitives/daemon.test.js +2 -1
- package/lib/vendor/blamejs/test/layer-0-primitives/defineguard-resolve-opts.test.js +76 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/flag.test.js +9 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/gate-contract-content-gate.test.js +290 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/guard-csv.test.js +84 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/guard-email.test.js +78 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/guard-filename.test.js +23 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/guard-gate-disposition-coverage.test.js +93 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/guard-html.test.js +60 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/guard-image.test.js +184 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/guard-imap-command.test.js +0 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/guard-json.test.js +54 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/guard-managesieve-command.test.js +10 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/guard-markdown.test.js +45 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/guard-pdf.test.js +101 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/guard-pop3-command.test.js +18 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/guard-svg.test.js +76 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/guard-text.test.js +365 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/guard-xml.test.js +35 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/guard-yaml.test.js +36 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/i18n.test.js +20 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/inbox.test.js +15 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/ip-utils.test.js +83 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/mail-arf.test.js +10 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/mail-auth.test.js +39 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/mail-dkim.test.js +36 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/mail-greylist.test.js +17 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/mail-server-tls.test.js +39 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/mail-store.test.js +17 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/mime-parse.test.js +106 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/money.test.js +17 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/mtls-ca-revocation.test.js +98 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/nonce-store-release.test.js +77 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/observability.test.js +48 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/rate-limit-memory-getorinsert.test.js +100 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/request-helpers.test.js +88 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/safe-async-loops.test.js +278 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/safe-buffer-linear-scans.test.js +37 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/safe-jsonpath.test.js +14 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/sandbox.test.js +19 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/security-headers.test.js +1 -1
- package/lib/vendor/blamejs/test/layer-0-primitives/self-update.test.js +2 -1
- package/lib/vendor/blamejs/test/layer-0-primitives/session-device-binding.test.js +18 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/session-extensions.test.js +1 -1
- package/lib/vendor/blamejs/test/layer-0-primitives/session-valid-from.test.js +73 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/sql.test.js +100 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/structured-fields.test.js +80 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/validate-opts-shape.test.js +235 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/webhook-dispatcher.test.js +374 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/webhook.test.js +75 -8
- package/lib/vendor/blamejs/test/layer-5-integration/guard-host-integration.test.js +3 -3
- package/package.json +1 -1
|
@@ -144,21 +144,9 @@ function create(opts) {
|
|
|
144
144
|
var algorithm = _resolveHolderAlg(opts.holderKey, opts.algorithm);
|
|
145
145
|
var auditOn = opts.auditOn !== false;
|
|
146
146
|
|
|
147
|
-
|
|
148
|
-
if (!auditOn) return;
|
|
149
|
-
try {
|
|
150
|
-
audit().safeEmit({
|
|
151
|
-
action: action,
|
|
152
|
-
outcome: outcome,
|
|
153
|
-
metadata: metadata || {},
|
|
154
|
-
});
|
|
155
|
-
} catch (_e) { /* drop-silent */ }
|
|
156
|
-
}
|
|
147
|
+
var _emitAudit = audit().namespaced(null, { audit: auditOn });
|
|
157
148
|
|
|
158
|
-
|
|
159
|
-
try { observability().safeEvent("auth.sdJwtVc.holder." + verb, 1, {}); }
|
|
160
|
-
catch (_e) { /* drop-silent */ }
|
|
161
|
-
}
|
|
149
|
+
var _emitMetric = observability().namespaced("auth.sdJwtVc.holder");
|
|
162
150
|
|
|
163
151
|
async function store(spec) {
|
|
164
152
|
if (!spec || typeof spec !== "object") {
|
|
@@ -104,21 +104,9 @@ function create(opts) {
|
|
|
104
104
|
keysRotated: 0,
|
|
105
105
|
};
|
|
106
106
|
|
|
107
|
-
|
|
108
|
-
if (!auditOn) return;
|
|
109
|
-
try {
|
|
110
|
-
audit().safeEmit({
|
|
111
|
-
action: action,
|
|
112
|
-
outcome: outcome,
|
|
113
|
-
metadata: metadata || {},
|
|
114
|
-
});
|
|
115
|
-
} catch (_e) { /* drop-silent */ }
|
|
116
|
-
}
|
|
107
|
+
var _emitAudit = audit().namespaced(null, { audit: auditOn });
|
|
117
108
|
|
|
118
|
-
|
|
119
|
-
try { observability().safeEvent("auth.sdJwtVc.issuer." + verb, 1, {}); }
|
|
120
|
-
catch (_e) { /* drop-silent */ }
|
|
121
|
-
}
|
|
109
|
+
var _emitMetric = observability().namespaced("auth.sdJwtVc.issuer");
|
|
122
110
|
|
|
123
111
|
async function issue(spec) {
|
|
124
112
|
if (!spec || typeof spec !== "object") {
|
|
@@ -636,7 +636,7 @@ async function verify(presentation, opts) {
|
|
|
636
636
|
// refused with the precise alg-mismatch error rather than handed to
|
|
637
637
|
// node:crypto.verify.
|
|
638
638
|
jwtExternal._assertAlgKtyMatch(kbAlg, holderKey);
|
|
639
|
-
var holderKeyObj =
|
|
639
|
+
var holderKeyObj = bCrypto.importPublicJwk(holderKey);
|
|
640
640
|
var kbParsed = _verifyJwt(maybeKbJwt, holderKeyObj, kbAlg);
|
|
641
641
|
// Constant-time compares: the nonce is a verifier-issued replay-defense
|
|
642
642
|
// value, so a short-circuiting !== leaks a matching-prefix timing oracle.
|
|
@@ -69,13 +69,13 @@ var MAX_LIST_BYTES = C.BYTES.mib(1);
|
|
|
69
69
|
|
|
70
70
|
function _b64url(buf) { return bCrypto.toBase64Url(buf); }
|
|
71
71
|
|
|
72
|
-
|
|
73
|
-
|
|
74
|
-
|
|
75
|
-
|
|
76
|
-
|
|
77
|
-
|
|
78
|
-
}
|
|
72
|
+
// No typeMessage — a non-string input falls into the decode-failure path,
|
|
73
|
+
// matching this sink's original catch-everything behavior.
|
|
74
|
+
var _fromB64url = bCrypto.makeBase64UrlDecoder({
|
|
75
|
+
errorClass: StatusListError,
|
|
76
|
+
code: "status-list/bad-base64",
|
|
77
|
+
badMessage: "status-list segment is not valid base64url",
|
|
78
|
+
});
|
|
79
79
|
|
|
80
80
|
function _validateBits(bits) {
|
|
81
81
|
if (!SUPPORTED_BIT_SIZES[bits]) {
|
|
@@ -64,6 +64,7 @@ var lazyRequire = require("../lazy-require");
|
|
|
64
64
|
var validateOpts = require("../validate-opts");
|
|
65
65
|
var safeJson = require("../safe-json");
|
|
66
66
|
var structuredFields = require("../structured-fields");
|
|
67
|
+
var codepointClass = require("../codepoint-class");
|
|
67
68
|
var C = require("../constants");
|
|
68
69
|
var { AuthError } = require("../framework-error");
|
|
69
70
|
|
|
@@ -86,7 +87,7 @@ function _quote(value) {
|
|
|
86
87
|
// Reject CTLs and quote-injecting characters.
|
|
87
88
|
for (var i = 0; i < value.length; i += 1) {
|
|
88
89
|
var code = value.charCodeAt(i);
|
|
89
|
-
if (code
|
|
90
|
+
if (codepointClass.isForbiddenControlChar(code, { forbidTab: true })) { // ASCII control codepoints
|
|
90
91
|
throw new AuthError("auth-step-up/bad-challenge",
|
|
91
92
|
"challenge value contains control character at index " + i);
|
|
92
93
|
}
|
|
@@ -378,22 +379,15 @@ function parseChallenge(headerValue) {
|
|
|
378
379
|
if (rest.length === 0) return null;
|
|
379
380
|
var out = { error: null, scope: null, acrValues: null, maxAge: null, raw: {} };
|
|
380
381
|
// Split on commas at top level, but respect quoted strings.
|
|
381
|
-
var
|
|
382
|
-
|
|
383
|
-
|
|
384
|
-
var eq = token.indexOf("=");
|
|
385
|
-
if (eq === -1) continue;
|
|
386
|
-
var key = token.slice(0, eq).trim().toLowerCase();
|
|
387
|
-
var val = token.slice(eq + 1).trim();
|
|
388
|
-
if (val.length >= 2 && val.charAt(0) === '"' && val.charAt(val.length - 1) === '"') {
|
|
389
|
-
val = val.slice(1, val.length - 1);
|
|
390
|
-
}
|
|
382
|
+
var kvps = structuredFields.parseKeyValuePieces(_splitWwwAuth(rest));
|
|
383
|
+
structuredFields.forEachKeyValue(kvps, function (key, val) {
|
|
384
|
+
val = structuredFields.stripDoubleQuotes(val);
|
|
391
385
|
out.raw[key] = val;
|
|
392
386
|
if (key === "error") out.error = val;
|
|
393
387
|
else if (key === "scope") out.scope = val;
|
|
394
388
|
else if (key === "acr_values") out.acrValues = val.split(/\s+/);
|
|
395
389
|
else if (key === "max_age") out.maxAge = parseInt(val, 10);
|
|
396
|
-
}
|
|
390
|
+
});
|
|
397
391
|
return out;
|
|
398
392
|
}
|
|
399
393
|
|
|
@@ -88,13 +88,8 @@ function _requireKey(key) {
|
|
|
88
88
|
}
|
|
89
89
|
|
|
90
90
|
function _requireSessionStore(store) {
|
|
91
|
-
|
|
92
|
-
|
|
93
|
-
typeof store.set !== "function" ||
|
|
94
|
-
typeof store.del !== "function") {
|
|
95
|
-
throw new AuthBotChallengeError("auth-bot-challenge/bad-opt",
|
|
96
|
-
"sessionStore must be a b.cache-shaped object (get/set/del)");
|
|
97
|
-
}
|
|
91
|
+
validateOpts.requireMethods(store, ["get", "set", "del"],
|
|
92
|
+
"sessionStore (b.cache-shaped)", AuthBotChallengeError, "auth-bot-challenge/bad-opt");
|
|
98
93
|
}
|
|
99
94
|
|
|
100
95
|
function _requireBotGuard(bg) {
|
|
@@ -105,14 +100,8 @@ function _requireBotGuard(bg) {
|
|
|
105
100
|
}
|
|
106
101
|
|
|
107
102
|
function _requireLockout(lk) {
|
|
108
|
-
|
|
109
|
-
|
|
110
|
-
typeof lk.recordSuccess !== "function" ||
|
|
111
|
-
typeof lk.check !== "function") {
|
|
112
|
-
throw new AuthBotChallengeError("auth-bot-challenge/bad-opt",
|
|
113
|
-
"lockout must be a b.auth.lockout-shaped instance " +
|
|
114
|
-
"(recordFailure/recordSuccess/check)");
|
|
115
|
-
}
|
|
103
|
+
validateOpts.requireMethods(lk, ["recordFailure", "recordSuccess", "check"],
|
|
104
|
+
"lockout (b.auth.lockout-shaped instance)", AuthBotChallengeError, "auth-bot-challenge/bad-opt");
|
|
116
105
|
}
|
|
117
106
|
|
|
118
107
|
function _defaultKeyExtractor(req) {
|
|
@@ -222,29 +211,9 @@ function create(opts) {
|
|
|
222
211
|
var obsInst = opts.observability || null;
|
|
223
212
|
var clock = opts.clock || Date.now;
|
|
224
213
|
|
|
225
|
-
|
|
226
|
-
var sink = obsInst || _safeGlobalObs();
|
|
227
|
-
if (!sink) return;
|
|
228
|
-
try { sink.event(name, 1, labels); } catch (_e) { /* drop-silent */ }
|
|
229
|
-
}
|
|
230
|
-
|
|
231
|
-
function _safeGlobalObs() {
|
|
232
|
-
try { return observability(); } catch (_e) { return null; }
|
|
233
|
-
}
|
|
214
|
+
var _emitObs = observability().makeCounterEmitter(obsInst);
|
|
234
215
|
|
|
235
|
-
|
|
236
|
-
if (!auditInst) return;
|
|
237
|
-
try {
|
|
238
|
-
var event = {
|
|
239
|
-
action: action,
|
|
240
|
-
outcome: outcome,
|
|
241
|
-
resource: { kind: "auth.bot_challenge", id: key },
|
|
242
|
-
metadata: metadata || {},
|
|
243
|
-
};
|
|
244
|
-
if (req) event.actor = requestHelpers.extractActorContext(req);
|
|
245
|
-
auditInst.safeEmit(event);
|
|
246
|
-
} catch (_e) { /* audit best-effort */ }
|
|
247
|
-
}
|
|
216
|
+
var _emitAudit = requestHelpers.makeResourceAuditEmitter(auditInst, "auth.bot_challenge");
|
|
248
217
|
|
|
249
218
|
async function _readState(key) {
|
|
250
219
|
try {
|
|
@@ -148,24 +148,17 @@ async function create(opts) {
|
|
|
148
148
|
// earlier required-vs-skip branch above (existsSync → continue when
|
|
149
149
|
// not entry.required) is honored before we reach this point; the
|
|
150
150
|
// dest path is then computed from entry.relativePath, not srcPath.
|
|
151
|
-
|
|
152
|
-
|
|
153
|
-
|
|
154
|
-
|
|
155
|
-
|
|
156
|
-
|
|
157
|
-
|
|
158
|
-
|
|
159
|
-
|
|
160
|
-
|
|
161
|
-
|
|
162
|
-
if (read !== srcStat.size) {
|
|
163
|
-
throw new BackupBundleError("backup-bundle/short-read",
|
|
164
|
-
"create: short read on '" + entry.relativePath + "': " + read + " of " + srcStat.size + " bytes");
|
|
165
|
-
}
|
|
166
|
-
} finally {
|
|
167
|
-
try { nodeFs.closeSync(srcFd); } catch (_c) { /* close best-effort */ }
|
|
168
|
-
}
|
|
151
|
+
// TOCTOU-safe read via atomic-file; the short-read message keeps the
|
|
152
|
+
// per-entry relativePath context via errorFor.
|
|
153
|
+
var plain = atomicFile.fdSafeReadSync(srcPath, {
|
|
154
|
+
errorFor: function (kind, detail) {
|
|
155
|
+
if (kind === "short-read") {
|
|
156
|
+
return new BackupBundleError("backup-bundle/short-read",
|
|
157
|
+
"create: short read on '" + entry.relativePath + "': " + detail.read + " of " + detail.size + " bytes");
|
|
158
|
+
}
|
|
159
|
+
return undefined;
|
|
160
|
+
},
|
|
161
|
+
});
|
|
169
162
|
var checksum = bCrypto.checksum(plain);
|
|
170
163
|
var encResult = await bCrypto.encryptWithFreshSalt(plain, passphrase);
|
|
171
164
|
var encPath = _encryptedPathFor(entry.relativePath);
|
|
@@ -59,7 +59,9 @@ var backupManifest = require("./manifest");
|
|
|
59
59
|
var lazyRequire = require("../lazy-require");
|
|
60
60
|
var validateOpts = require("../validate-opts");
|
|
61
61
|
var numericBounds = require("../numeric-bounds");
|
|
62
|
+
var boundedMap = require("../bounded-map");
|
|
62
63
|
var audit = lazyRequire(function () { return require("../audit"); });
|
|
64
|
+
var auditEmit = require("../audit-emit");
|
|
63
65
|
var compliance = lazyRequire(function () { return require("../compliance"); });
|
|
64
66
|
// lazyRequire ../db so backup stays a leaf module operators can use
|
|
65
67
|
// without the rest of the framework's DB chain loaded in the same
|
|
@@ -228,17 +230,9 @@ function diskStorage(opts) {
|
|
|
228
230
|
// ---- Engine ----
|
|
229
231
|
|
|
230
232
|
function _validateStorage(storage) {
|
|
231
|
-
|
|
232
|
-
|
|
233
|
-
|
|
234
|
-
}
|
|
235
|
-
var required = ["writeBundle", "readBundle", "listBundles", "deleteBundle", "hasBundle"];
|
|
236
|
-
for (var i = 0; i < required.length; i++) {
|
|
237
|
-
if (typeof storage[required[i]] !== "function") {
|
|
238
|
-
throw new BackupError("backup/bad-storage",
|
|
239
|
-
"storage backend missing method '" + required[i] + "'");
|
|
240
|
-
}
|
|
241
|
-
}
|
|
233
|
+
validateOpts.requireMethods(storage,
|
|
234
|
+
["writeBundle", "readBundle", "listBundles", "deleteBundle", "hasBundle"],
|
|
235
|
+
"storage backend", BackupError, "backup/bad-storage");
|
|
242
236
|
}
|
|
243
237
|
|
|
244
238
|
async function _resolveVaultKeyJson(vaultKeyJsonOpt) {
|
|
@@ -488,15 +482,7 @@ function create(opts) {
|
|
|
488
482
|
} catch (_e) { /* db not available in this module graph — flush is a no-op */ }
|
|
489
483
|
}
|
|
490
484
|
|
|
491
|
-
|
|
492
|
-
if (!auditOn) return;
|
|
493
|
-
audit().safeEmit({
|
|
494
|
-
action: action,
|
|
495
|
-
outcome: outcome,
|
|
496
|
-
metadata: info || {},
|
|
497
|
-
reason: info && info.reason ? info.reason : null,
|
|
498
|
-
});
|
|
499
|
-
}
|
|
485
|
+
var _emitAudit = auditEmit.gatedReasonEmitter({ audit: auditOn });
|
|
500
486
|
|
|
501
487
|
async function run(runOpts) {
|
|
502
488
|
runOpts = runOpts || {};
|
|
@@ -1091,18 +1077,10 @@ module.exports = {
|
|
|
1091
1077
|
*/
|
|
1092
1078
|
function bundleAdapterStorage(opts) {
|
|
1093
1079
|
opts = opts || {};
|
|
1094
|
-
|
|
1095
|
-
|
|
1096
|
-
|
|
1097
|
-
}
|
|
1080
|
+
validateOpts.requireMethods(opts.adapter,
|
|
1081
|
+
["writeFile", "readFile", "listKeys", "deleteKey", "hasKey"],
|
|
1082
|
+
"bundleAdapterStorage: opts.adapter", BackupError, "backup/bad-adapter");
|
|
1098
1083
|
var adapter = opts.adapter;
|
|
1099
|
-
var required = ["writeFile", "readFile", "listKeys", "deleteKey", "hasKey"];
|
|
1100
|
-
for (var i = 0; i < required.length; i += 1) {
|
|
1101
|
-
if (typeof adapter[required[i]] !== "function") {
|
|
1102
|
-
throw new BackupError("backup/bad-adapter",
|
|
1103
|
-
"bundleAdapterStorage: adapter missing method '" + required[i] + "'");
|
|
1104
|
-
}
|
|
1105
|
-
}
|
|
1106
1084
|
// v0.12.8 — `format: "tar"` becomes the default for new bundles.
|
|
1107
1085
|
// `format: "directory"` opts back into the v0.12.7 file-by-file
|
|
1108
1086
|
// layout for operators with existing bundles. The format is
|
|
@@ -1435,11 +1413,9 @@ function bundleAdapterStorage(opts) {
|
|
|
1435
1413
|
if (slash <= 0) continue;
|
|
1436
1414
|
var bid = key.slice(0, slash);
|
|
1437
1415
|
if (!_isValidBundleId(bid)) continue;
|
|
1438
|
-
var stats =
|
|
1439
|
-
|
|
1440
|
-
|
|
1441
|
-
byBundle.set(bid, stats);
|
|
1442
|
-
}
|
|
1416
|
+
var stats = boundedMap.getOrInsert(byBundle, bid, function () {
|
|
1417
|
+
return { count: 0, hasTar: false, hasTarGz: false, hasOther: false };
|
|
1418
|
+
});
|
|
1443
1419
|
stats.count += 1;
|
|
1444
1420
|
var rest = key.slice(slash + 1);
|
|
1445
1421
|
if (rest === "bundle.tar") stats.hasTar = true;
|
|
@@ -2341,17 +2317,8 @@ bundleAdapterStorage.fsAdapter = function (fsOpts) {
|
|
|
2341
2317
|
* // path composes through unwrap + read.gz + read.tar.
|
|
2342
2318
|
*/
|
|
2343
2319
|
bundleAdapterStorage.objectStoreAdapter = function (client, osOpts) {
|
|
2344
|
-
|
|
2345
|
-
|
|
2346
|
-
"objectStoreAdapter: client is required (a b.objectStore-shaped object with put / get / head / delete / list)");
|
|
2347
|
-
}
|
|
2348
|
-
var required = ["put", "get", "head", "delete", "list"];
|
|
2349
|
-
for (var i = 0; i < required.length; i += 1) {
|
|
2350
|
-
if (typeof client[required[i]] !== "function") {
|
|
2351
|
-
throw new BackupError("backup/bad-adapter",
|
|
2352
|
-
"objectStoreAdapter: client missing method '" + required[i] + "'");
|
|
2353
|
-
}
|
|
2354
|
-
}
|
|
2320
|
+
validateOpts.requireMethods(client, ["put", "get", "head", "delete", "list"],
|
|
2321
|
+
"objectStoreAdapter: client", BackupError, "backup/bad-adapter");
|
|
2355
2322
|
osOpts = osOpts || {};
|
|
2356
2323
|
var prefix = "";
|
|
2357
2324
|
if (osOpts.prefix !== undefined && osOpts.prefix !== null) {
|
|
@@ -37,6 +37,7 @@
|
|
|
37
37
|
*/
|
|
38
38
|
|
|
39
39
|
var numericBounds = require("./numeric-bounds");
|
|
40
|
+
var validateOpts = require("./validate-opts");
|
|
40
41
|
var { defineClass } = require("./framework-error");
|
|
41
42
|
|
|
42
43
|
var BoundedMapError = defineClass("BoundedMapError");
|
|
@@ -99,4 +100,114 @@ function boundedMap(opts) {
|
|
|
99
100
|
};
|
|
100
101
|
}
|
|
101
102
|
|
|
102
|
-
|
|
103
|
+
// getOrInsert(map, key, factory, opts?) — Map.prototype.getOrInsertComputed(key,
|
|
104
|
+
// factory) polyfill. The native method lands in Node 26 but the framework floor
|
|
105
|
+
// is 24.16, so the framework's request-keyed Maps hand-roll `var v = m.get(k);
|
|
106
|
+
// if (!v) { v = ...; m.set(k, v); }` everywhere. This is the ONE place that
|
|
107
|
+
// shape lives, so the floor-bump sweep swaps the body for the native method in
|
|
108
|
+
// a single edit instead of N call sites. Returns the existing value; otherwise
|
|
109
|
+
// computes factory(key), stores it, and returns it.
|
|
110
|
+
//
|
|
111
|
+
// Optional cardinality ceiling so a CAPPED caller (e.g. b.metrics' label
|
|
112
|
+
// cardinality cap) composes this rather than re-rolling the get-then-set with
|
|
113
|
+
// its own size guard: when `opts.maxSize` is a number and the key is absent at
|
|
114
|
+
// or above that size, the value is NOT stored and `opts.onFull(key)` (or
|
|
115
|
+
// undefined) is returned. Works on a plain Map or the boundedMap facade above.
|
|
116
|
+
function _assertMapLike(map, fnName) {
|
|
117
|
+
validateOpts.requireMethods(map, ["has", "get", "set"],
|
|
118
|
+
fnName + ": map (Map-like)", BoundedMapError, "bounded-map/bad-map");
|
|
119
|
+
}
|
|
120
|
+
|
|
121
|
+
function getOrInsert(map, key, factory, opts) {
|
|
122
|
+
_assertMapLike(map, "getOrInsert");
|
|
123
|
+
if (typeof factory !== "function") {
|
|
124
|
+
throw new BoundedMapError("bounded-map/bad-factory",
|
|
125
|
+
"getOrInsert: factory must be a function, got " + (typeof factory));
|
|
126
|
+
}
|
|
127
|
+
if (map.has(key)) return map.get(key);
|
|
128
|
+
if (opts && opts.maxSize !== undefined) {
|
|
129
|
+
// A bad maxSize silently breaks the ceiling (NaN/Infinity never cap →
|
|
130
|
+
// unbounded; negative always caps → never stores) — validate via the
|
|
131
|
+
// shared numeric-bounds / validate-opts assertions, never a hand-rolled
|
|
132
|
+
// typeof check.
|
|
133
|
+
numericBounds.requirePositiveFiniteIntIfPresent(opts.maxSize,
|
|
134
|
+
"getOrInsert: opts.maxSize", BoundedMapError, "bounded-map/bad-max-size");
|
|
135
|
+
validateOpts.optionalFunction(opts.onFull,
|
|
136
|
+
"getOrInsert: opts.onFull", BoundedMapError, "bounded-map/bad-on-full");
|
|
137
|
+
if (map.size >= opts.maxSize) {
|
|
138
|
+
return opts.onFull ? opts.onFull(key) : undefined;
|
|
139
|
+
}
|
|
140
|
+
}
|
|
141
|
+
var value = factory(key);
|
|
142
|
+
map.set(key, value);
|
|
143
|
+
return value;
|
|
144
|
+
}
|
|
145
|
+
|
|
146
|
+
// requireAbsent / requirePresent complete the keyed-store guard family that
|
|
147
|
+
// getOrInsert opened. A framework registry (topics, jobs, metrics, RoPA
|
|
148
|
+
// activities, DSR tickets, …) keys a Map and guards every mutation by
|
|
149
|
+
// presence: a unique INSERT throws on a duplicate key, an UPDATE/lookup throws
|
|
150
|
+
// when the key is missing. That guard — `if (map.has(k)) throw <duplicate>` /
|
|
151
|
+
// `if (!map.has(k)) throw <not-found>` — recurred across ~18 registries, each
|
|
152
|
+
// re-rolling the check beside its own .set. Centralizing it makes the
|
|
153
|
+
// uniqueness/existence check impossible to forget (the primitive IS the check)
|
|
154
|
+
// while leaving the caller its own typed error and value shape.
|
|
155
|
+
|
|
156
|
+
// requireAbsent(map, key, onConflict) — uniqueness guard before an insert.
|
|
157
|
+
// When `key` is already present, invokes onConflict(key, existingValue)
|
|
158
|
+
// (callers throw their own typed duplicate error from it) and returns its
|
|
159
|
+
// result; otherwise returns undefined and the caller performs its insert.
|
|
160
|
+
function requireAbsent(map, key, onConflict) {
|
|
161
|
+
_assertMapLike(map, "requireAbsent");
|
|
162
|
+
if (typeof onConflict !== "function") {
|
|
163
|
+
throw new BoundedMapError("bounded-map/bad-on-conflict",
|
|
164
|
+
"requireAbsent: onConflict must be a function, got " + (typeof onConflict));
|
|
165
|
+
}
|
|
166
|
+
if (map.has(key)) return onConflict(key, map.get(key));
|
|
167
|
+
return undefined;
|
|
168
|
+
}
|
|
169
|
+
|
|
170
|
+
// requirePresent(map, key, onMissing) — existence guard before an update or
|
|
171
|
+
// lookup. When `key` is absent, invokes onMissing(key) (callers throw their
|
|
172
|
+
// own typed not-found error) and returns its result; otherwise returns the
|
|
173
|
+
// existing value, so a must-exist lookup is a single call.
|
|
174
|
+
function requirePresent(map, key, onMissing) {
|
|
175
|
+
_assertMapLike(map, "requirePresent");
|
|
176
|
+
if (typeof onMissing !== "function") {
|
|
177
|
+
throw new BoundedMapError("bounded-map/bad-on-missing",
|
|
178
|
+
"requirePresent: onMissing must be a function, got " + (typeof onMissing));
|
|
179
|
+
}
|
|
180
|
+
if (!map.has(key)) return onMissing(key);
|
|
181
|
+
return map.get(key);
|
|
182
|
+
}
|
|
183
|
+
|
|
184
|
+
// requireAbsentMember(set, key, onConflict) — the Set sibling of requireAbsent.
|
|
185
|
+
// A value-LESS membership store (a Set tracking seen keys while parsing, or
|
|
186
|
+
// visited nodes during a recursive walk) rejects a re-occurrence:
|
|
187
|
+
// `if (set.has(key)) throw <duplicate|cycle>` before `set.add(key)`. Unlike
|
|
188
|
+
// requireAbsent (a keyed Map with values), the container has nothing to return,
|
|
189
|
+
// so only `.has` is required — a Set, or any { has } membership view. When the
|
|
190
|
+
// member is already present, invokes onConflict(key) (the caller throws its own
|
|
191
|
+
// typed duplicate / cycle error) and returns its result; otherwise returns
|
|
192
|
+
// undefined and the caller performs its `.add`.
|
|
193
|
+
function requireAbsentMember(set, key, onConflict) {
|
|
194
|
+
if (!set || typeof set.has !== "function") {
|
|
195
|
+
throw new BoundedMapError("bounded-map/bad-set",
|
|
196
|
+
"requireAbsentMember: set must be a Set-like { has }");
|
|
197
|
+
}
|
|
198
|
+
if (typeof onConflict !== "function") {
|
|
199
|
+
throw new BoundedMapError("bounded-map/bad-on-conflict",
|
|
200
|
+
"requireAbsentMember: onConflict must be a function, got " + (typeof onConflict));
|
|
201
|
+
}
|
|
202
|
+
if (set.has(key)) return onConflict(key);
|
|
203
|
+
return undefined;
|
|
204
|
+
}
|
|
205
|
+
|
|
206
|
+
module.exports = {
|
|
207
|
+
boundedMap: boundedMap,
|
|
208
|
+
BoundedMapError: BoundedMapError,
|
|
209
|
+
getOrInsert: getOrInsert,
|
|
210
|
+
requireAbsent: requireAbsent,
|
|
211
|
+
requirePresent: requirePresent,
|
|
212
|
+
requireAbsentMember: requireAbsentMember,
|
|
213
|
+
};
|
|
@@ -149,21 +149,11 @@ function forStates(states, detectedAtMs) {
|
|
|
149
149
|
// deadline registry and tracks per-state filing status.
|
|
150
150
|
function createReporter(opts) {
|
|
151
151
|
opts = opts || {};
|
|
152
|
-
var auditOn = opts.audit !== false;
|
|
153
152
|
var now = typeof opts.now === "function" ? opts.now : function () { return Date.now(); };
|
|
154
153
|
var seq = 0;
|
|
155
154
|
var breaches = new Map();
|
|
156
155
|
|
|
157
|
-
|
|
158
|
-
if (!auditOn) return;
|
|
159
|
-
try {
|
|
160
|
-
audit().safeEmit({
|
|
161
|
-
action: "breach.report." + action,
|
|
162
|
-
outcome: outcome,
|
|
163
|
-
metadata: metadata || {},
|
|
164
|
-
});
|
|
165
|
-
} catch (_e) { /* drop-silent */ }
|
|
166
|
-
}
|
|
156
|
+
var _emitAudit = audit().namespaced("breach.report", opts.audit);
|
|
167
157
|
|
|
168
158
|
function open(spec) {
|
|
169
159
|
if (!spec || typeof spec !== "object") {
|
|
@@ -70,6 +70,7 @@
|
|
|
70
70
|
* LRU + TTL cache with operator-supplied namespacing, drop-silent key validation on hot-path observability, and pluggable backends that share semantics across single-process and clustered nodes.
|
|
71
71
|
*/
|
|
72
72
|
|
|
73
|
+
var boundedMap = require("./bounded-map");
|
|
73
74
|
var cacheRedis = require("./cache-redis");
|
|
74
75
|
var redisClient = require("./redis-client");
|
|
75
76
|
var clusterStorage = require("./cluster-storage");
|
|
@@ -179,16 +180,8 @@ function _defaultSizeOf(value) {
|
|
|
179
180
|
}
|
|
180
181
|
|
|
181
182
|
function _validateBackendObject(backend) {
|
|
182
|
-
|
|
183
|
-
|
|
184
|
-
throw _err("BAD_OPT", "cache.create: custom backend must be an object");
|
|
185
|
-
}
|
|
186
|
-
for (var i = 0; i < required.length; i++) {
|
|
187
|
-
if (typeof backend[required[i]] !== "function") {
|
|
188
|
-
throw _err("BAD_OPT", "cache.create: custom backend missing method '" + required[i] +
|
|
189
|
-
"' (required: " + required.join(", ") + ")");
|
|
190
|
-
}
|
|
191
|
-
}
|
|
183
|
+
validateOpts.requireMethods(backend, ["get", "set", "del", "clear", "size", "close"],
|
|
184
|
+
"cache.create: custom backend", CacheError, "BAD_OPT");
|
|
192
185
|
}
|
|
193
186
|
|
|
194
187
|
function _validateCreateOpts(opts) {
|
|
@@ -338,8 +331,7 @@ function _memoryBackend(cfg) {
|
|
|
338
331
|
totalBytes += bytes;
|
|
339
332
|
if (tags && tags.length > 0) {
|
|
340
333
|
for (var i = 0; i < tags.length; i++) {
|
|
341
|
-
var s =
|
|
342
|
-
if (!s) { s = new Set(); tagIndex.set(tags[i], s); }
|
|
334
|
+
var s = boundedMap.getOrInsert(tagIndex, tags[i], function () { return new Set(); });
|
|
343
335
|
s.add(key);
|
|
344
336
|
}
|
|
345
337
|
}
|
|
@@ -1028,12 +1020,9 @@ function create(opts) {
|
|
|
1028
1020
|
var operatorObs = opts.observability || null;
|
|
1029
1021
|
var clock = opts.clock || function () { return Date.now(); };
|
|
1030
1022
|
var invalidationPubsub = opts.invalidationPubsub || null;
|
|
1031
|
-
if (invalidationPubsub
|
|
1032
|
-
|
|
1033
|
-
|
|
1034
|
-
typeof invalidationPubsub.unsubscribe !== "function")) {
|
|
1035
|
-
throw _err("BAD_OPT",
|
|
1036
|
-
"cache.create: invalidationPubsub must implement { publish, subscribe, unsubscribe } (b.pubsub.create instance)");
|
|
1023
|
+
if (invalidationPubsub) {
|
|
1024
|
+
validateOpts.requireMethods(invalidationPubsub, ["publish", "subscribe", "unsubscribe"],
|
|
1025
|
+
"cache.create: invalidationPubsub (b.pubsub.create instance)", CacheError, "BAD_OPT");
|
|
1037
1026
|
}
|
|
1038
1027
|
var invalidationChannel = "cache:" + namespace + ":invalidate";
|
|
1039
1028
|
var invalidationToken = null;
|
|
@@ -54,6 +54,7 @@
|
|
|
54
54
|
*/
|
|
55
55
|
|
|
56
56
|
var C = require("./constants");
|
|
57
|
+
var safeBuffer = require("./safe-buffer");
|
|
57
58
|
var { defineClass } = require("./framework-error");
|
|
58
59
|
|
|
59
60
|
var CborError = defineClass("CborError", { alwaysPermanent: true });
|
|
@@ -300,7 +301,7 @@ function decode(buffer, opts) {
|
|
|
300
301
|
}
|
|
301
302
|
var buf = Buffer.isBuffer(buffer) ? buffer : Buffer.from(buffer);
|
|
302
303
|
var maxBytes = _capInt(opts.maxBytes, DEFAULT_MAX_BYTES, ABSOLUTE_MAX_BYTES);
|
|
303
|
-
if (buf
|
|
304
|
+
if (safeBuffer.byteLengthOf(buf) > maxBytes) {
|
|
304
305
|
throw new CborError("cbor/too-large",
|
|
305
306
|
"cbor.decode: input " + buf.length + " bytes exceeds maxBytes " + maxBytes);
|
|
306
307
|
}
|
|
@@ -336,20 +336,19 @@ function parse(headerValue) {
|
|
|
336
336
|
if (trimmed.length === 0) return null;
|
|
337
337
|
|
|
338
338
|
var out = { directives: {} };
|
|
339
|
-
var
|
|
340
|
-
|
|
341
|
-
|
|
342
|
-
|
|
343
|
-
var eq = raw.indexOf("=");
|
|
339
|
+
var kvps = structuredFields.parseKeyValuePieces(
|
|
340
|
+
structuredFields.splitTopLevel(trimmed, ","));
|
|
341
|
+
for (var p = 0; p < kvps.length; p += 1) {
|
|
342
|
+
var kvp = kvps[p];
|
|
344
343
|
var key, val, bare;
|
|
345
|
-
if (
|
|
346
|
-
key =
|
|
344
|
+
if (kvp.value === null) {
|
|
345
|
+
key = kvp.key;
|
|
347
346
|
val = "";
|
|
348
347
|
bare = true;
|
|
349
348
|
}
|
|
350
349
|
else {
|
|
351
|
-
key =
|
|
352
|
-
val =
|
|
350
|
+
key = kvp.key;
|
|
351
|
+
val = kvp.value.trim();
|
|
353
352
|
bare = false;
|
|
354
353
|
// Unquote sf-string per RFC 8941 §3.3.3 (defensive — operators
|
|
355
354
|
// routinely emit `s-maxage="3600"` even though the directive is
|
|
@@ -100,10 +100,8 @@ function _createSealedDiskStorage(opts) {
|
|
|
100
100
|
CertError, "cert/bad-storage-root");
|
|
101
101
|
var rootDir = nodePath.resolve(opts.rootDir);
|
|
102
102
|
var vaultStore = opts.vault || vault().getDefaultStore();
|
|
103
|
-
|
|
104
|
-
|
|
105
|
-
"cert.storage: vault must expose seal(buf) + unseal(buf) — typically b.vault.getDefaultStore()");
|
|
106
|
-
}
|
|
103
|
+
validateOpts.requireMethods(vaultStore, ["seal", "unseal"],
|
|
104
|
+
"cert.storage: vault (typically b.vault.getDefaultStore())", CertError, "cert/bad-storage-vault");
|
|
107
105
|
|
|
108
106
|
function _ensureDir(dir) { atomicFile.ensureDir(dir); }
|
|
109
107
|
function _certDir(name) { return nodePath.join(rootDir, name); }
|
|
@@ -411,12 +409,7 @@ function create(opts) {
|
|
|
411
409
|
var ocspTimer = null;
|
|
412
410
|
var stopped = false;
|
|
413
411
|
|
|
414
|
-
|
|
415
|
-
if (!auditEnabled) return;
|
|
416
|
-
try {
|
|
417
|
-
audit().safeEmit({ action: action, outcome: outcome, metadata: metadata || {} });
|
|
418
|
-
} catch (_e) { /* drop-silent — audit emission is hot-path */ }
|
|
419
|
-
}
|
|
412
|
+
var _emitAudit = audit().namespaced(null, { audit: auditEnabled });
|
|
420
413
|
|
|
421
414
|
function _bootAcme() {
|
|
422
415
|
if (acmeClient) return acmeClient;
|