@blamejs/blamejs-shop 0.4.69 → 0.4.71

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (299) hide show
  1. package/CHANGELOG.md +4 -0
  2. package/lib/admin.js +8 -6
  3. package/lib/asset-manifest.json +1 -1
  4. package/lib/security-middleware.js +65 -23
  5. package/lib/shipping-insurance.js +29 -4
  6. package/lib/sms-dispatcher.js +17 -4
  7. package/lib/storefront.js +10 -7
  8. package/lib/vendor/MANIFEST.json +319 -267
  9. package/lib/vendor/blamejs/CHANGELOG.md +2 -0
  10. package/lib/vendor/blamejs/api-snapshot.json +58 -5
  11. package/lib/vendor/blamejs/examples/wiki/README.md +1 -1
  12. package/lib/vendor/blamejs/examples/wiki/docker-compose.prod.yml +9 -8
  13. package/lib/vendor/blamejs/examples/wiki/docker-compose.yml +10 -9
  14. package/lib/vendor/blamejs/examples/wiki/env-snapshot.json +4 -3
  15. package/lib/vendor/blamejs/examples/wiki/lib/build-app.js +33 -17
  16. package/lib/vendor/blamejs/examples/wiki/routes/admin.js +7 -10
  17. package/lib/vendor/blamejs/examples/wiki/server.js +5 -4
  18. package/lib/vendor/blamejs/examples/wiki/test/e2e.js +5 -0
  19. package/lib/vendor/blamejs/lib/a2a-tasks.js +38 -6
  20. package/lib/vendor/blamejs/lib/agent-event-bus.js +13 -0
  21. package/lib/vendor/blamejs/lib/agent-idempotency.js +5 -1
  22. package/lib/vendor/blamejs/lib/agent-snapshot.js +32 -2
  23. package/lib/vendor/blamejs/lib/ai-aedt-bias-audit.js +2 -1
  24. package/lib/vendor/blamejs/lib/ai-content-detect.js +1 -3
  25. package/lib/vendor/blamejs/lib/ai-frontier-protocol.js +1 -1
  26. package/lib/vendor/blamejs/lib/ai-model-manifest.js +1 -1
  27. package/lib/vendor/blamejs/lib/ai-output.js +16 -7
  28. package/lib/vendor/blamejs/lib/api-snapshot.js +4 -1
  29. package/lib/vendor/blamejs/lib/app-shutdown.js +7 -1
  30. package/lib/vendor/blamejs/lib/archive-gz.js +9 -0
  31. package/lib/vendor/blamejs/lib/archive-read.js +9 -7
  32. package/lib/vendor/blamejs/lib/archive-tar-read.js +51 -8
  33. package/lib/vendor/blamejs/lib/archive.js +4 -2
  34. package/lib/vendor/blamejs/lib/asn1-der.js +70 -22
  35. package/lib/vendor/blamejs/lib/atomic-file.js +204 -2
  36. package/lib/vendor/blamejs/lib/audit-chain.js +54 -5
  37. package/lib/vendor/blamejs/lib/audit-daily-review.js +12 -2
  38. package/lib/vendor/blamejs/lib/audit-sign.js +2 -1
  39. package/lib/vendor/blamejs/lib/audit-tools.js +108 -23
  40. package/lib/vendor/blamejs/lib/audit.js +7 -2
  41. package/lib/vendor/blamejs/lib/auth/access-lock.js +2 -2
  42. package/lib/vendor/blamejs/lib/auth/bot-challenge.js +1 -1
  43. package/lib/vendor/blamejs/lib/auth/ciba.js +43 -4
  44. package/lib/vendor/blamejs/lib/auth/dpop.js +6 -1
  45. package/lib/vendor/blamejs/lib/auth/fido-mds3.js +5 -1
  46. package/lib/vendor/blamejs/lib/auth/jwt.js +2 -2
  47. package/lib/vendor/blamejs/lib/auth/lockout.js +18 -2
  48. package/lib/vendor/blamejs/lib/auth/passkey.js +1 -1
  49. package/lib/vendor/blamejs/lib/auth/password.js +1 -1
  50. package/lib/vendor/blamejs/lib/auth/saml.js +33 -13
  51. package/lib/vendor/blamejs/lib/auth/sd-jwt-vc.js +24 -4
  52. package/lib/vendor/blamejs/lib/auth/status-list.js +14 -2
  53. package/lib/vendor/blamejs/lib/auth/step-up.js +9 -1
  54. package/lib/vendor/blamejs/lib/auth-bot-challenge.js +21 -2
  55. package/lib/vendor/blamejs/lib/backup/bundle.js +7 -2
  56. package/lib/vendor/blamejs/lib/backup/crypto.js +23 -8
  57. package/lib/vendor/blamejs/lib/backup/index.js +41 -20
  58. package/lib/vendor/blamejs/lib/backup/manifest.js +7 -1
  59. package/lib/vendor/blamejs/lib/break-glass.js +41 -22
  60. package/lib/vendor/blamejs/lib/cbor.js +34 -11
  61. package/lib/vendor/blamejs/lib/cdn-cache-control.js +7 -3
  62. package/lib/vendor/blamejs/lib/cert.js +5 -3
  63. package/lib/vendor/blamejs/lib/cli.js +5 -1
  64. package/lib/vendor/blamejs/lib/cloud-events.js +3 -2
  65. package/lib/vendor/blamejs/lib/cluster-storage.js +7 -3
  66. package/lib/vendor/blamejs/lib/codepoint-class.js +17 -0
  67. package/lib/vendor/blamejs/lib/compliance-eaa.js +1 -1
  68. package/lib/vendor/blamejs/lib/compliance-sanctions.js +9 -7
  69. package/lib/vendor/blamejs/lib/compliance.js +1 -1
  70. package/lib/vendor/blamejs/lib/config-drift.js +22 -8
  71. package/lib/vendor/blamejs/lib/content-credentials.js +11 -8
  72. package/lib/vendor/blamejs/lib/content-digest.js +11 -4
  73. package/lib/vendor/blamejs/lib/cookies.js +10 -2
  74. package/lib/vendor/blamejs/lib/cose.js +20 -0
  75. package/lib/vendor/blamejs/lib/crdt.js +2 -1
  76. package/lib/vendor/blamejs/lib/crypto-field.js +29 -23
  77. package/lib/vendor/blamejs/lib/crypto.js +18 -4
  78. package/lib/vendor/blamejs/lib/csp.js +4 -0
  79. package/lib/vendor/blamejs/lib/daemon.js +4 -1
  80. package/lib/vendor/blamejs/lib/data-act.js +27 -4
  81. package/lib/vendor/blamejs/lib/db-file-lifecycle.js +14 -6
  82. package/lib/vendor/blamejs/lib/db-query.js +69 -9
  83. package/lib/vendor/blamejs/lib/db.js +32 -15
  84. package/lib/vendor/blamejs/lib/dora.js +43 -13
  85. package/lib/vendor/blamejs/lib/dr-runbook.js +1 -1
  86. package/lib/vendor/blamejs/lib/dsa.js +2 -1
  87. package/lib/vendor/blamejs/lib/dsr.js +22 -8
  88. package/lib/vendor/blamejs/lib/early-hints.js +19 -0
  89. package/lib/vendor/blamejs/lib/eat.js +5 -1
  90. package/lib/vendor/blamejs/lib/external-db.js +60 -4
  91. package/lib/vendor/blamejs/lib/fda-21cfr11.js +30 -5
  92. package/lib/vendor/blamejs/lib/flag-providers.js +6 -2
  93. package/lib/vendor/blamejs/lib/forms.js +1 -1
  94. package/lib/vendor/blamejs/lib/gate-contract.js +46 -5
  95. package/lib/vendor/blamejs/lib/gdpr-ropa.js +18 -9
  96. package/lib/vendor/blamejs/lib/graphql-federation.js +17 -4
  97. package/lib/vendor/blamejs/lib/guard-all.js +2 -2
  98. package/lib/vendor/blamejs/lib/guard-dsn.js +1 -1
  99. package/lib/vendor/blamejs/lib/guard-envelope.js +1 -1
  100. package/lib/vendor/blamejs/lib/guard-html.js +9 -11
  101. package/lib/vendor/blamejs/lib/guard-imap-command.js +1 -1
  102. package/lib/vendor/blamejs/lib/guard-jmap.js +1 -1
  103. package/lib/vendor/blamejs/lib/guard-json.js +14 -6
  104. package/lib/vendor/blamejs/lib/guard-mail-move.js +1 -1
  105. package/lib/vendor/blamejs/lib/guard-managesieve-command.js +1 -1
  106. package/lib/vendor/blamejs/lib/guard-pop3-command.js +1 -1
  107. package/lib/vendor/blamejs/lib/guard-smtp-command.js +1 -1
  108. package/lib/vendor/blamejs/lib/guard-svg.js +8 -9
  109. package/lib/vendor/blamejs/lib/html-balance.js +7 -3
  110. package/lib/vendor/blamejs/lib/http-client-cookie-jar.js +33 -12
  111. package/lib/vendor/blamejs/lib/http-client.js +225 -53
  112. package/lib/vendor/blamejs/lib/iab-tcf.js +3 -2
  113. package/lib/vendor/blamejs/lib/importmap-integrity.js +41 -1
  114. package/lib/vendor/blamejs/lib/incident-report.js +9 -6
  115. package/lib/vendor/blamejs/lib/json-patch.js +1 -1
  116. package/lib/vendor/blamejs/lib/json-path.js +24 -3
  117. package/lib/vendor/blamejs/lib/jtd.js +2 -2
  118. package/lib/vendor/blamejs/lib/legal-hold.js +24 -8
  119. package/lib/vendor/blamejs/lib/log.js +2 -2
  120. package/lib/vendor/blamejs/lib/mail-agent.js +2 -2
  121. package/lib/vendor/blamejs/lib/mail-arf.js +1 -1
  122. package/lib/vendor/blamejs/lib/mail-auth.js +3 -3
  123. package/lib/vendor/blamejs/lib/mail-bimi.js +16 -16
  124. package/lib/vendor/blamejs/lib/mail-bounce.js +3 -3
  125. package/lib/vendor/blamejs/lib/mail-crypto-smime.js +71 -6
  126. package/lib/vendor/blamejs/lib/mail-deploy.js +9 -5
  127. package/lib/vendor/blamejs/lib/mail-greylist.js +2 -4
  128. package/lib/vendor/blamejs/lib/mail-helo.js +2 -4
  129. package/lib/vendor/blamejs/lib/mail-journal.js +11 -8
  130. package/lib/vendor/blamejs/lib/mail-mdn.js +8 -4
  131. package/lib/vendor/blamejs/lib/mail-rbl.js +2 -4
  132. package/lib/vendor/blamejs/lib/mail-scan.js +3 -5
  133. package/lib/vendor/blamejs/lib/mail-server-jmap.js +4 -1
  134. package/lib/vendor/blamejs/lib/mail-server-registry.js +1 -1
  135. package/lib/vendor/blamejs/lib/mail-server-tls.js +9 -2
  136. package/lib/vendor/blamejs/lib/mail-spam-score.js +2 -4
  137. package/lib/vendor/blamejs/lib/mail-store-fts.js +1 -1
  138. package/lib/vendor/blamejs/lib/mail.js +22 -2
  139. package/lib/vendor/blamejs/lib/markup-tokenizer.js +24 -0
  140. package/lib/vendor/blamejs/lib/mcp.js +6 -4
  141. package/lib/vendor/blamejs/lib/mdoc.js +26 -3
  142. package/lib/vendor/blamejs/lib/metrics.js +14 -3
  143. package/lib/vendor/blamejs/lib/middleware/api-encrypt.js +2 -2
  144. package/lib/vendor/blamejs/lib/middleware/body-parser.js +10 -4
  145. package/lib/vendor/blamejs/lib/middleware/bot-guard.js +26 -18
  146. package/lib/vendor/blamejs/lib/middleware/clear-site-data.js +5 -1
  147. package/lib/vendor/blamejs/lib/middleware/compression.js +9 -0
  148. package/lib/vendor/blamejs/lib/middleware/cors.js +32 -23
  149. package/lib/vendor/blamejs/lib/middleware/csrf-protect.js +60 -21
  150. package/lib/vendor/blamejs/lib/middleware/daily-byte-quota.js +6 -4
  151. package/lib/vendor/blamejs/lib/middleware/fetch-metadata.js +28 -4
  152. package/lib/vendor/blamejs/lib/middleware/network-allowlist.js +61 -30
  153. package/lib/vendor/blamejs/lib/middleware/rate-limit.js +25 -16
  154. package/lib/vendor/blamejs/lib/middleware/scim-server.js +2 -1
  155. package/lib/vendor/blamejs/lib/middleware/security-headers.js +24 -6
  156. package/lib/vendor/blamejs/lib/middleware/speculation-rules.js +6 -3
  157. package/lib/vendor/blamejs/lib/middleware/tus-upload.js +2 -2
  158. package/lib/vendor/blamejs/lib/money.js +1 -1
  159. package/lib/vendor/blamejs/lib/mtls-ca.js +10 -6
  160. package/lib/vendor/blamejs/lib/network-dns-resolver.js +1 -1
  161. package/lib/vendor/blamejs/lib/network-dns.js +9 -2
  162. package/lib/vendor/blamejs/lib/network-dnssec.js +2 -1
  163. package/lib/vendor/blamejs/lib/network-smtp-policy.js +23 -5
  164. package/lib/vendor/blamejs/lib/network-tls.js +27 -5
  165. package/lib/vendor/blamejs/lib/network-tsig.js +2 -2
  166. package/lib/vendor/blamejs/lib/nis2-report.js +1 -1
  167. package/lib/vendor/blamejs/lib/nist-crosswalk.js +1 -1
  168. package/lib/vendor/blamejs/lib/ntp-check.js +28 -0
  169. package/lib/vendor/blamejs/lib/numeric-bounds.js +9 -0
  170. package/lib/vendor/blamejs/lib/object-store/azure-blob.js +1 -2
  171. package/lib/vendor/blamejs/lib/object-store/gcs-bucket-ops.js +4 -2
  172. package/lib/vendor/blamejs/lib/object-store/gcs.js +6 -4
  173. package/lib/vendor/blamejs/lib/object-store/http-put.js +1 -2
  174. package/lib/vendor/blamejs/lib/object-store/http-request.js +30 -1
  175. package/lib/vendor/blamejs/lib/object-store/local.js +37 -17
  176. package/lib/vendor/blamejs/lib/object-store/sigv4.js +1 -2
  177. package/lib/vendor/blamejs/lib/observability-otlp-exporter.js +20 -4
  178. package/lib/vendor/blamejs/lib/outbox.js +11 -4
  179. package/lib/vendor/blamejs/lib/parsers/safe-xml.js +1 -1
  180. package/lib/vendor/blamejs/lib/parsers/safe-yaml.js +21 -3
  181. package/lib/vendor/blamejs/lib/queue-local.js +10 -3
  182. package/lib/vendor/blamejs/lib/redact.js +7 -3
  183. package/lib/vendor/blamejs/lib/request-helpers.js +201 -23
  184. package/lib/vendor/blamejs/lib/resource-access-lock.js +3 -3
  185. package/lib/vendor/blamejs/lib/restore-bundle.js +46 -18
  186. package/lib/vendor/blamejs/lib/restore-rollback.js +10 -4
  187. package/lib/vendor/blamejs/lib/restore.js +19 -0
  188. package/lib/vendor/blamejs/lib/retention.js +20 -4
  189. package/lib/vendor/blamejs/lib/router.js +17 -4
  190. package/lib/vendor/blamejs/lib/safe-ical.js +2 -2
  191. package/lib/vendor/blamejs/lib/safe-icap.js +1 -1
  192. package/lib/vendor/blamejs/lib/safe-json.js +44 -0
  193. package/lib/vendor/blamejs/lib/safe-sieve.js +1 -1
  194. package/lib/vendor/blamejs/lib/safe-vcard.js +1 -1
  195. package/lib/vendor/blamejs/lib/sandbox-worker.js +6 -0
  196. package/lib/vendor/blamejs/lib/sandbox.js +1 -1
  197. package/lib/vendor/blamejs/lib/scheduler.js +17 -1
  198. package/lib/vendor/blamejs/lib/self-update-standalone-verifier.js +16 -0
  199. package/lib/vendor/blamejs/lib/session.js +27 -3
  200. package/lib/vendor/blamejs/lib/sql.js +3 -3
  201. package/lib/vendor/blamejs/lib/static.js +65 -13
  202. package/lib/vendor/blamejs/lib/template.js +7 -5
  203. package/lib/vendor/blamejs/lib/tenant-quota.js +52 -19
  204. package/lib/vendor/blamejs/lib/tsa.js +5 -2
  205. package/lib/vendor/blamejs/lib/vault/index.js +5 -0
  206. package/lib/vendor/blamejs/lib/vault/passphrase-ops.js +22 -26
  207. package/lib/vendor/blamejs/lib/vault/passphrase-source.js +8 -3
  208. package/lib/vendor/blamejs/lib/vault/rotate.js +13 -18
  209. package/lib/vendor/blamejs/lib/vault/seal-pem-file.js +4 -1
  210. package/lib/vendor/blamejs/lib/vc.js +1 -1
  211. package/lib/vendor/blamejs/lib/vendor/MANIFEST.json +10 -10
  212. package/lib/vendor/blamejs/lib/vendor/public-suffix-list.dat +23 -10
  213. package/lib/vendor/blamejs/lib/vendor/public-suffix-list.data.js +5498 -5494
  214. package/lib/vendor/blamejs/lib/webhook.js +16 -1
  215. package/lib/vendor/blamejs/lib/websocket.js +1 -1
  216. package/lib/vendor/blamejs/lib/worm.js +1 -1
  217. package/lib/vendor/blamejs/lib/ws-client.js +57 -46
  218. package/lib/vendor/blamejs/lib/x509-chain.js +44 -0
  219. package/lib/vendor/blamejs/package.json +1 -1
  220. package/lib/vendor/blamejs/release-notes/v0.15.14.json +122 -0
  221. package/lib/vendor/blamejs/scripts/check-vendor-currency.js +119 -4
  222. package/lib/vendor/blamejs/test/00-primitives.js +5 -1
  223. package/lib/vendor/blamejs/test/integration/mail-crypto-smime.test.js +18 -4
  224. package/lib/vendor/blamejs/test/layer-0-primitives/a2a-tasks.test.js +42 -0
  225. package/lib/vendor/blamejs/test/layer-0-primitives/agent-event-bus.test.js +36 -0
  226. package/lib/vendor/blamejs/test/layer-0-primitives/agent-idempotency.test.js +0 -0
  227. package/lib/vendor/blamejs/test/layer-0-primitives/agent-snapshot.test.js +47 -0
  228. package/lib/vendor/blamejs/test/layer-0-primitives/archive-gz.test.js +24 -0
  229. package/lib/vendor/blamejs/test/layer-0-primitives/archive-tar-hardening.test.js +160 -0
  230. package/lib/vendor/blamejs/test/layer-0-primitives/asn1-der.test.js +45 -0
  231. package/lib/vendor/blamejs/test/layer-0-primitives/atomic-file-fd-read.test.js +30 -0
  232. package/lib/vendor/blamejs/test/layer-0-primitives/atomic-file-open-nofollow.test.js +79 -0
  233. package/lib/vendor/blamejs/test/layer-0-primitives/atomic-file-write-excl.test.js +132 -0
  234. package/lib/vendor/blamejs/test/layer-0-primitives/atomic-file-write-stream.test.js +181 -0
  235. package/lib/vendor/blamejs/test/layer-0-primitives/audit-chain-corrupted-anchor.test.js +65 -0
  236. package/lib/vendor/blamejs/test/layer-0-primitives/audit-chain-incremental-verify.test.js +83 -0
  237. package/lib/vendor/blamejs/test/layer-0-primitives/audit-daily-review.test.js +48 -1
  238. package/lib/vendor/blamejs/test/layer-0-primitives/audit-signing-key-rotation.test.js +13 -3
  239. package/lib/vendor/blamejs/test/layer-0-primitives/audit-verifybundle-tamper.test.js +122 -0
  240. package/lib/vendor/blamejs/test/layer-0-primitives/auth-bot-challenge.test.js +37 -0
  241. package/lib/vendor/blamejs/test/layer-0-primitives/auth-jwt-defenses.test.js +5 -3
  242. package/lib/vendor/blamejs/test/layer-0-primitives/auth-lockout.test.js +21 -0
  243. package/lib/vendor/blamejs/test/layer-0-primitives/auth-status-list.test.js +73 -0
  244. package/lib/vendor/blamejs/test/layer-0-primitives/bot-guard.test.js +17 -0
  245. package/lib/vendor/blamejs/test/layer-0-primitives/break-glass.test.js +62 -3
  246. package/lib/vendor/blamejs/test/layer-0-primitives/clear-site-data.test.js +12 -0
  247. package/lib/vendor/blamejs/test/layer-0-primitives/cluster-storage.test.js +40 -0
  248. package/lib/vendor/blamejs/test/layer-0-primitives/codebase-patterns.test.js +146 -5
  249. package/lib/vendor/blamejs/test/layer-0-primitives/compliance-sanctions.test.js +14 -0
  250. package/lib/vendor/blamejs/test/layer-0-primitives/compression-range.test.js +115 -0
  251. package/lib/vendor/blamejs/test/layer-0-primitives/content-credentials.test.js +17 -5
  252. package/lib/vendor/blamejs/test/layer-0-primitives/cors.test.js +27 -5
  253. package/lib/vendor/blamejs/test/layer-0-primitives/crypto-field-per-row-key.test.js +83 -0
  254. package/lib/vendor/blamejs/test/layer-0-primitives/csrf-protect.test.js +58 -0
  255. package/lib/vendor/blamejs/test/layer-0-primitives/data-act.test.js +30 -0
  256. package/lib/vendor/blamejs/test/layer-0-primitives/db-raw-residency-gate.test.js +74 -0
  257. package/lib/vendor/blamejs/test/layer-0-primitives/dora.test.js +20 -6
  258. package/lib/vendor/blamejs/test/layer-0-primitives/dpop-alg-kty.test.js +64 -0
  259. package/lib/vendor/blamejs/test/layer-0-primitives/dsr.test.js +32 -0
  260. package/lib/vendor/blamejs/test/layer-0-primitives/fda-21cfr11.test.js +43 -0
  261. package/lib/vendor/blamejs/test/layer-0-primitives/fetch-metadata.test.js +30 -0
  262. package/lib/vendor/blamejs/test/layer-0-primitives/graphql-federation.test.js +33 -0
  263. package/lib/vendor/blamejs/test/layer-0-primitives/guard-html.test.js +34 -0
  264. package/lib/vendor/blamejs/test/layer-0-primitives/guard-json.test.js +12 -0
  265. package/lib/vendor/blamejs/test/layer-0-primitives/http-client-stream.test.js +72 -0
  266. package/lib/vendor/blamejs/test/layer-0-primitives/http-client-throttle-transform.test.js +88 -0
  267. package/lib/vendor/blamejs/test/layer-0-primitives/importmap-integrity.test.js +25 -0
  268. package/lib/vendor/blamejs/test/layer-0-primitives/legal-hold.test.js +28 -0
  269. package/lib/vendor/blamejs/test/layer-0-primitives/mail-crypto-smime.test.js +20 -0
  270. package/lib/vendor/blamejs/test/layer-0-primitives/mail-header-injection.test.js +58 -0
  271. package/lib/vendor/blamejs/test/layer-0-primitives/mail-journal.test.js +63 -9
  272. package/lib/vendor/blamejs/test/layer-0-primitives/mdoc.test.js +41 -14
  273. package/lib/vendor/blamejs/test/layer-0-primitives/network-allowlist.test.js +61 -0
  274. package/lib/vendor/blamejs/test/layer-0-primitives/object-store-range-header.test.js +51 -0
  275. package/lib/vendor/blamejs/test/layer-0-primitives/otlp-attr-redaction.test.js +35 -0
  276. package/lib/vendor/blamejs/test/layer-0-primitives/output-header-hardening.test.js +102 -0
  277. package/lib/vendor/blamejs/test/layer-0-primitives/parser-verify-hardening.test.js +191 -0
  278. package/lib/vendor/blamejs/test/layer-0-primitives/proto-shadow-allowlist.test.js +120 -0
  279. package/lib/vendor/blamejs/test/layer-0-primitives/rate-limit-xff-spoofing.test.js +75 -0
  280. package/lib/vendor/blamejs/test/layer-0-primitives/request-helpers.test.js +128 -0
  281. package/lib/vendor/blamejs/test/layer-0-primitives/restore-blob-remap.test.js +128 -0
  282. package/lib/vendor/blamejs/test/layer-0-primitives/retention-sweep-termination.test.js +104 -0
  283. package/lib/vendor/blamejs/test/layer-0-primitives/router-body-validation.test.js +98 -0
  284. package/lib/vendor/blamejs/test/layer-0-primitives/safe-json-stringify-for-script.test.js +43 -0
  285. package/lib/vendor/blamejs/test/layer-0-primitives/saml-subjectconfirmation-notonorafter.test.js +48 -5
  286. package/lib/vendor/blamejs/test/layer-0-primitives/sandbox.test.js +23 -0
  287. package/lib/vendor/blamejs/test/layer-0-primitives/sd-jwt-vc.test.js +54 -0
  288. package/lib/vendor/blamejs/test/layer-0-primitives/session-extensions.test.js +24 -0
  289. package/lib/vendor/blamejs/test/layer-0-primitives/static.test.js +42 -1
  290. package/lib/vendor/blamejs/test/layer-0-primitives/step-up.test.js +7 -0
  291. package/lib/vendor/blamejs/test/layer-0-primitives/template-escape-html.test.js +43 -0
  292. package/lib/vendor/blamejs/test/layer-0-primitives/tenant-quota.test.js +15 -0
  293. package/lib/vendor/blamejs/test/layer-0-primitives/vault-default-store.test.js +48 -0
  294. package/lib/vendor/blamejs/test/layer-0-primitives/vendor-currency-classify.test.js +77 -0
  295. package/lib/vendor/blamejs/test/layer-0-primitives/webhook.test.js +50 -0
  296. package/lib/vendor/blamejs/test/layer-0-primitives/ws-client.test.js +22 -0
  297. package/lib/vendor/blamejs/test/layer-0-primitives/x509-chain-ca-enforcement.test.js +149 -0
  298. package/lib/vendor/blamejs/test/layer-5-integration/external-db-residency.test.js +34 -0
  299. package/package.json +1 -1
package/CHANGELOG.md CHANGED
@@ -8,6 +8,10 @@ upgrading across more than a few patches at a time.
8
8
 
9
9
  ## v0.4.x
10
10
 
11
+ - v0.4.71 (2026-06-21) — **SMS dispatch and shipping-insurance adjudication now claim their state transition atomically.** Two exactly-once state transitions advanced their row with a primary-key UPDATE that was not gated on the expected prior status, so two concurrent callers could both win the transition. The scheduled SMS dispatch tick flipped a queued message to sent without an `AND status = 'queued'` guard, so two overlapping ticks could both hand the same message to the provider send hook — a duplicate text and a duplicate carrier charge. The shipping-insurance claim adjudication flipped a filed claim to approved or denied the same way, so a double-submitted approval (or an approval racing a denial) could record two different payout amounts as THE payout, or let a denial clobber an approval. Both transitions now gate the UPDATE on the prior status and act only on the row the UPDATE actually claimed (rowCount === 1); the loser is skipped or refused, matching the atomic-claim shape already used by the push-notification dispatch tick and the affiliate-commission payout. **Fixed:** *SMS dispatch tick advances each message exactly once under concurrent ticks* — The queued→sent (and the no-provider queued→failed) transition in the SMS dispatch tick now gates its UPDATE on `AND status = 'queued'` and hands a message to the operator's send hook only when the UPDATE actually claimed the row. Two overlapping ticks can no longer both dispatch the same message, so a customer is never double-texted and the carrier is never billed twice for one message. · *Shipping-insurance claim adjudication records exactly one outcome under concurrent callers* — markClaimApproved and markClaimDenied now gate their transition on `AND status = 'filed'` and refuse the caller whose UPDATE claimed no row. A double-submitted approval can no longer record two different payout amounts as the approved payout, and an approval can no longer clobber a denial (or vice-versa) — exactly one adjudication outcome sticks.
12
+
13
+ - v0.4.70 (2026-06-21) — **Bundled framework refreshed to blamejs 0.15.14, with the proxy-trust hardening wired through.** Refreshes the vendored blamejs to 0.15.14 — a broad security-hardening release that peer-gates every request-IP and protocol trust decision against the connecting socket, fails closed on a set of authentication and signature verifiers, bounds pre-authentication parsers against algorithmic-complexity denial of service, makes the framework's own file writes atomic and symlink-refusing, and adds a JSON serializer safe to embed in an inline script. The one behavior change that touches a deployment behind a TLS-terminating edge is how the client protocol is trusted: a bare trust-the-forwarded-header flag is no longer accepted for the HSTS and CSRF decisions, because a caller able to reach the origin socket could forge it. The storefront resolves the forwarded protocol through one owned model that the HSTS header, the CSRF origin check, and both session-cookie Secure decisions now share — so HSTS on container responses and authenticated forms behind the Cloudflare edge keep working with no operator action. **Changed:** *Bundled blamejs refreshed to 0.15.14* — Picks up the upstream security-hardening release: client-IP and protocol trust resolved by a peer-gated walk anchored at the connecting socket; SAML, electronic-signature, SD-JWT, DPoP, CIBA, mdoc, and COSE verifiers that could accept a malformed or unsigned credential now refuse it; pre-authentication parsers (CBOR, JSONPath, tar, gzip, YAML, ASN.1 DER) bounded against quadratic-time and frame-desync denial of service; allowlist and posture lookups keyed by untrusted input can no longer reach the prototype chain; the framework's predictable-temp and symlink-following writes go through atomic, symlink-refusing primitives; and several lost-update races (login lockout, bot-challenge, inline webhook delivery) are serialized. · *HSTS and CSRF protocol trust resolved through one owned model behind the edge* — The framework retired the bare forwarded-header trust flag for the decisions that depend on the client protocol (whether to emit HSTS, whether to set the Secure cookie attribute, and the CSRF origin pre-check), since a caller that can reach the origin socket could forge the header. The storefront now resolves the protocol through a single function shared by the security-headers middleware, the CSRF gate, and both the storefront and admin session-cookie paths. Behind the Cloudflare edge the resolver honours the worker-forwarded scheme; a direct connection with no forwarded header resolves to the socket scheme. HSTS on container-served responses and authenticated forms behind the CDN are unchanged; no configuration is required.
14
+
11
15
  - v0.4.69 (2026-06-20) — **A gift-card redemption that can't record its audit row no longer loses the balance.** Redeeming a gift card debits the card's balance in one atomic conditional update, then writes a redemption record in a separate statement. Because the bridge runs each statement on its own, a transient failure writing that record left the balance already debited with no redemption row — and the reversal path keys on that row, so the spent balance could never be returned. Redemption is now all-or-nothing: if the record can't be written, the card is re-credited for the amount (and moved back to active if the debit had zeroed it and closed it) before the error is surfaced, so a failed redemption never silently consumes a customer's balance. No API change. **Fixed:** *Redemption re-credits the card if its audit row can't be written* — After the atomic balance debit, the redemption record insert is wrapped so a transient write failure re-credits the card by the redeemed amount and restores it to active if that debit had zeroed and closed it. The customer keeps the balance and the card stays usable, instead of losing the spend to a redemption that left no row for the reversal path to act on.
12
16
 
13
17
  - v0.4.68 (2026-06-20) — **Redeeming a loyalty reward no longer burns points on a failed mint or exceeds the per-customer cap under load.** Redeeming a reward for points debited the customer's balance, then checked the per-customer redemption cap with a separate count and minted the reward coupon as separate steps. Two problems followed. The cap was a read-then-act check: two redemptions arriving together both read a count under the cap and both succeeded, so a customer could exceed a lifetime cap (for example mint two of a once-ever coupon). And if the coupon mint failed after the points were debited — the coupons primitive erroring, or a transient fault — the points were gone with no redemption row recorded, so no refund path could return them; the customer was charged for a reward they never received. Redemption now claims the cap slot in a single conditional insert that recomputes the live count, so concurrent redemptions can't both exceed the cap, and it reverses the points debit (and removes the claimed row) if the coupon can't be minted, so a failed redemption always leaves the balance whole. No API change. **Fixed:** *Per-customer redemption cap is enforced atomically* — The redemption row is now inserted only if the customer's live active/consumed count for that reward is still under the cap, recomputed inside the insert. Two redemptions racing the last slot resolve to a single winner; the loser is refused with the same cap error and its points are returned. The cheap pre-check is kept as a fast path but is no longer the thing that enforces the limit. · *A failed coupon mint returns the points and leaves no row* — If the coupon can't be minted after the points were debited and the slot claimed, both are rolled back — the points debit is reversed and the claimed redemption row is removed — so the customer's balance is whole and no redemption is left recorded for a reward that was never issued. The points reversal rides the same idempotent restore the checkout path uses, so a retry credits exactly once.
package/lib/admin.js CHANGED
@@ -41,6 +41,7 @@ var trustBadgesModule = require("./trust-badges");
41
41
  var cartModule = require("./cart"); // ABANDONED_* window/limit constants for the /admin/carts console
42
42
  var inventoryWriteoffsModule = require("./inventory-writeoffs"); // WRITEOFF_REASONS enum for the /admin/inventory/writeoffs console
43
43
  var textGuard = require("./text-guard");
44
+ var securityMiddleware = require("./security-middleware"); // resolveProtocol — shared proxy-trust model for the Secure-cookie decision
44
45
  var { AsyncLocalStorage } = require("node:async_hooks"); // allow:non-shop-require — Node-core per-request context (no npm dep); the framework itself composes it in db-role-context / log. No b.* request-context primitive exists to wrap it.
45
46
 
46
47
  var b = require("./vendor/blamejs");
@@ -510,13 +511,14 @@ function _adminJar() {
510
511
 
511
512
  // Whether THIS request's PUBLIC connection is https — drives both the
512
513
  // Secure attribute and the prefix choice for the admin session cookie.
513
- // Same rule as the storefront: trust the Worker-set `x-forwarded-proto`
514
- // (the container socket may be plain http behind the TLS-terminating
515
- // Worker), and treat a direct dev/e2e connection (no forwarded header,
516
- // non-encrypted socket) as http so the bare-named, non-Secure cookie is
517
- // emitted and a real browser stores it.
514
+ // Same rule as the storefront: resolve the Worker-set `x-forwarded-proto`
515
+ // through the shared securityMiddleware.resolveProtocol (the container
516
+ // socket may be plain http behind the TLS-terminating Worker), and treat a
517
+ // direct dev/e2e connection (no forwarded header, non-encrypted socket) as
518
+ // http so the bare-named, non-Secure cookie is emitted and a real browser
519
+ // stores it. One proxy-trust model across HSTS, csrf, and both cookie paths.
518
520
  function _secureForReq(req) {
519
- return b.requestHelpers.requestProtocol(req, { trustProxy: true }) === "https";
521
+ return securityMiddleware.resolveProtocol(req) === "https";
520
522
  }
521
523
  function _adminCookieName(secure) { return secure ? ADMIN_COOKIE_NAME_SECURE : ADMIN_COOKIE_NAME; }
522
524
 
@@ -1,5 +1,5 @@
1
1
  {
2
- "version": "0.4.69",
2
+ "version": "0.4.71",
3
3
  "assets": {
4
4
  "css/admin.css": {
5
5
  "integrity": "sha384-imfe0otYErcB8rr2h6KLSGTtStirysptpXETSPY4zLv3bZoIT75Lo1dOvkOav+xL",
@@ -293,6 +293,42 @@ function clientKey(req) {
293
293
  return sock || "unknown";
294
294
  }
295
295
 
296
+ /**
297
+ * Own the HTTPS decision for every proxy-trust consumer in one place — the
298
+ * single trust model the security middleware (HSTS via securityHeaders, the
299
+ * Secure-cookie + Origin pre-check via csrfProtect) and the storefront/admin
300
+ * session-cookie Secure flag all resolve protocol through.
301
+ *
302
+ * Topology: the Node container has NO public ingress. It is reachable only
303
+ * through the Cloudflare Worker over the service binding, and the edge always
304
+ * terminates TLS, so the real client scheme rides in the Worker-set
305
+ * `x-forwarded-proto` (always `https` for a real visitor). Because no internet
306
+ * caller can reach the container socket, that header cannot be forged from
307
+ * outside — so honoring it is correct here. blamejs 0.15.14 stopped trusting a
308
+ * bare `trustProxy` (a forgeable X-Forwarded-Proto from a *directly reachable*
309
+ * socket); it hands the decision to an operator-supplied `protocolResolver`
310
+ * when the operator can attest the header's provenance, which this deployment
311
+ * can. A direct dev / e2e connection carries no forwarded header and a plain
312
+ * socket, so it resolves to `http` (and the bare-named, non-Secure cookie a
313
+ * browser will actually store over loopback is emitted).
314
+ *
315
+ * Request-shape reader — returns "http"|"https" for any input, never throws.
316
+ */
317
+ function resolveProtocol(req) {
318
+ var headers = (req && req.headers) || {};
319
+ var xfp = headers["x-forwarded-proto"];
320
+ if (typeof xfp === "string" && xfp.length > 0) {
321
+ // Leftmost hop is the original client scheme (the Worker sets a single
322
+ // `https` token). Normalize and accept only the two valid schemes.
323
+ var first = xfp.split(",")[0].trim().toLowerCase();
324
+ if (first === "https" || first === "http") return first;
325
+ }
326
+ // No forwarded header → direct connection. Delegate the socket-scheme
327
+ // derivation to the vendored primitive (trustProxy:false = socket-only) so
328
+ // that fallback stays single-sourced in the framework.
329
+ return b.requestHelpers.requestProtocol(req, { trustProxy: false });
330
+ }
331
+
296
332
  /**
297
333
  * Build the security-headers options for createApp's
298
334
  * `middleware.securityHeaders`. The vendored blamejs default emits a
@@ -333,25 +369,28 @@ function clientKey(req) {
333
369
  * so both substrates stay header-consistent.
334
370
  */
335
371
  function securityHeadersOpts() {
336
- // `trustProxy: true` is what lets the vendored HSTS header actually
372
+ // `protocolResolver` is what lets the vendored HSTS header actually
337
373
  // ship from the container. The vendored securityHeaders middleware
338
374
  // emits Strict-Transport-Security ONLY when the request protocol
339
375
  // resolves to https (RFC 6797 §7.2: HSTS over plain HTTP is ignored by
340
376
  // UAs, so the middleware suppresses it on non-TLS requests). Behind the
341
377
  // Cloudflare Worker the container socket is plain http and the real
342
- // scheme rides in the Worker-set `x-forwarded-proto: https` — without
343
- // trustProxy the middleware reads `http`, decides the request isn't
344
- // TLS, and drops HSTS on EVERY container-served response. The edge
345
- // Worker sets its own HSTS on edge-rendered pages, but a direct-to-
346
- // container request (edge render off, or an internal hop that returns
347
- // HTML) then carries no HSTS at all. Opting into the forwarded-proto
348
- // header the same stance the csrf gate already takes (mountRouteGuards
349
- // passes trustProxy:true) and the storefront session-cookie path takes
350
- // (`_secureForReq`)restores the header on container responses. HSTS
351
- // stays OWNED by the vendored middleware (we set no header ourselves),
352
- // so there is no double-set: on an edge-rendered page only the Worker's
353
- // header is present; on a container-served page only this one is.
354
- return { documentPolicy: false, referrerPolicy: "same-origin", trustProxy: true };
378
+ // scheme rides in the Worker-set `x-forwarded-proto: https` — left to
379
+ // its default (socket only) the middleware reads `http`, decides the
380
+ // request isn't TLS, and drops HSTS on EVERY container-served response.
381
+ // The edge Worker sets its own HSTS on edge-rendered pages, but a
382
+ // direct-to-container request (edge render off, or an internal hop that
383
+ // returns HTML) then carries no HSTS at all. blamejs 0.15.14 refuses a
384
+ // bare `trustProxy` for this decision (an attacker who can reach the
385
+ // socket could forge X-Forwarded-Proto to suppress HSTS), so we own the
386
+ // decision via `resolveProtocol` — sound here because the container has
387
+ // no public ingress (see resolveProtocol). The csrf gate and the
388
+ // storefront/admin session-cookie path resolve protocol the same way
389
+ // (one trust model). HSTS stays OWNED by the vendored middleware (we set
390
+ // no header ourselves), so there is no double-set: on an edge-rendered
391
+ // page only the Worker's header is present; on a container-served page
392
+ // only this one is.
393
+ return { documentPolicy: false, referrerPolicy: "same-origin", protocolResolver: resolveProtocol };
355
394
  }
356
395
 
357
396
  // ---- route-scoped CSP (payment processors + CAPTCHA providers) ----------
@@ -730,16 +769,18 @@ function mountRouteGuards(r) {
730
769
  cookie: true,
731
770
  skipStateless: true,
732
771
  // Behind the Cloudflare Worker the container connection is plain http
733
- // while the visitor is on https; trustProxy opts in the Worker-set
734
- // `x-forwarded-proto` so the origin pre-check derives the real public
735
- // origin (and the token cookie carries the `__Host-csrf` prefix),
772
+ // while the visitor is on https; `protocolResolver` owns the Worker-set
773
+ // `x-forwarded-proto` read so the origin pre-check derives the real
774
+ // public origin (and the token cookie carries the `__Host-csrf` prefix),
736
775
  // matching the session-cookie stance (storefront `_secureForReq`).
737
- // allowedOrigins is the explicit public-host allowlist so a legitimate
738
- // same-origin POST is never refused as cross-origin on a proxy
739
- // scheme/host mismatch the regression that breaks sign-in + every
740
- // authenticated form behind the CDN.
741
- trustProxy: true,
742
- allowedOrigins: PUBLIC_ORIGINS,
776
+ // blamejs 0.15.14 refuses a bare `trustProxy` here (forgeable from a
777
+ // directly-reachable socket); the resolver is sound because the
778
+ // container has no public ingress (see resolveProtocol). allowedOrigins
779
+ // is the explicit public-host allowlist so a legitimate same-origin POST
780
+ // is never refused as cross-origin on a proxy scheme/host mismatch — the
781
+ // regression that breaks sign-in + every authenticated form behind the CDN.
782
+ protocolResolver: resolveProtocol,
783
+ allowedOrigins: PUBLIC_ORIGINS,
743
784
  });
744
785
  r.use(function csrfGuard(req, res, next) {
745
786
  var pathname = req.pathname || req.url || "/";
@@ -844,6 +885,7 @@ function mountRouteGuards(r) {
844
885
 
845
886
  module.exports = {
846
887
  clientKey: clientKey,
888
+ resolveProtocol: resolveProtocol,
847
889
  securityHeadersOpts: securityHeadersOpts,
848
890
  globalRateLimitOpts: globalRateLimitOpts,
849
891
  botGuardOpts: botGuardOpts,
@@ -603,11 +603,26 @@ function create(opts) {
603
603
  ins.declared_value_minor + " on the parent insurance");
604
604
  }
605
605
  var now = _now();
606
- await query(
606
+ // Atomic claim: the `AND status = 'filed'` predicate is the
607
+ // serialization point. The JS check above only refuses a SEQUENTIAL
608
+ // re-adjudication; two concurrent approve calls (a double-clicked
609
+ // operator action, a retried insurer callback) would both read
610
+ // 'filed' and both stamp a payout last-write-wins — two different
611
+ // payout_minor amounts could each be recorded as THE approved payout,
612
+ // or an approve could clobber a deny. Gating the UPDATE on the status
613
+ // means exactly one caller transitions the row; the loser sees zero
614
+ // rows and is refused, so one adjudication outcome sticks.
615
+ var approvedUpd = await query(
607
616
  "UPDATE insurance_claims SET status = 'approved', payout_minor = ?1, " +
608
- "resolved_at = ?2, updated_at = ?2 WHERE id = ?3",
617
+ "resolved_at = ?2, updated_at = ?2 WHERE id = ?3 AND status = 'filed'",
609
618
  [input.payout_minor, now, claimId],
610
619
  );
620
+ if (Number(approvedUpd.rowCount || 0) !== 1) {
621
+ var racedApprove = await _getClaimRow(claimId);
622
+ throw new TypeError("shippingInsurance.markClaimApproved: claim " + claimId +
623
+ " is " + (racedApprove ? racedApprove.status : "gone") +
624
+ ", only filed claims can move to approved");
625
+ }
611
626
  return _hydrateClaim(await _getClaimRow(claimId));
612
627
  }
613
628
 
@@ -630,11 +645,21 @@ function create(opts) {
630
645
  " is " + claim.status + ", only filed claims can move to denied");
631
646
  }
632
647
  var now = _now();
633
- await query(
648
+ // Atomic claim — same race, same guard as markClaimApproved: the
649
+ // `AND status = 'filed'` predicate serializes the two concurrent
650
+ // callers so exactly one adjudication outcome (approve XOR deny)
651
+ // transitions the row; the loser is refused.
652
+ var deniedUpd = await query(
634
653
  "UPDATE insurance_claims SET status = 'denied', denial_reason = ?1, " +
635
- "resolved_at = ?2, updated_at = ?2 WHERE id = ?3",
654
+ "resolved_at = ?2, updated_at = ?2 WHERE id = ?3 AND status = 'filed'",
636
655
  [denialReason, now, claimId],
637
656
  );
657
+ if (Number(deniedUpd.rowCount || 0) !== 1) {
658
+ var racedDeny = await _getClaimRow(claimId);
659
+ throw new TypeError("shippingInsurance.markClaimDenied: claim " + claimId +
660
+ " is " + (racedDeny ? racedDeny.status : "gone") +
661
+ ", only filed claims can move to denied");
662
+ }
638
663
  return _hydrateClaim(await _getClaimRow(claimId));
639
664
  }
640
665
 
@@ -867,19 +867,32 @@ function create(opts) {
867
867
  if (resolved) providerSlug = resolved.slug;
868
868
  }
869
869
  if (!providerSlug) {
870
- await query(
870
+ // Atomic claim. The snapshot SELECT above is read without a
871
+ // lock, so two concurrent ticks can both pull this same
872
+ // `queued` row. The `AND status = 'queued'` guard makes the
873
+ // transition the claim: SQLite/D1 serialises writers, so
874
+ // exactly one tick's UPDATE matches the row (rowCount === 1)
875
+ // and the other sees rowCount === 0. Only the winner hands the
876
+ // row to the operator's send hook (via `advanced`), so the
877
+ // terminal failure is recorded — and surfaced — exactly once.
878
+ var lostFail = await query(
871
879
  "UPDATE sms_messages SET status = 'failed', failure_reason = ?1, " +
872
- "failed_at = ?2 WHERE id = ?3",
880
+ "failed_at = ?2 WHERE id = ?3 AND status = 'queued'",
873
881
  ["no_provider_at_dispatch", now, row.id],
874
882
  );
883
+ if (Number(lostFail.rowCount || 0) !== 1) continue;
875
884
  advanced.push(await _getMessage(row.id));
876
885
  continue;
877
886
  }
878
- await query(
887
+ // Atomic claim on the advance to `sent` — same race, same guard.
888
+ // The loser skips so the operator's send hook (the real provider
889
+ // POST) fires once per row, never twice for one message.
890
+ var claimed = await query(
879
891
  "UPDATE sms_messages SET status = 'sent', provider_slug = ?1, " +
880
- "sent_at = ?2 WHERE id = ?3",
892
+ "sent_at = ?2 WHERE id = ?3 AND status = 'queued'",
881
893
  [providerSlug, now, row.id],
882
894
  );
895
+ if (Number(claimed.rowCount || 0) !== 1) continue;
883
896
  advanced.push(await _getMessage(row.id));
884
897
  }
885
898
  return advanced;
package/lib/storefront.js CHANGED
@@ -9600,14 +9600,17 @@ function _readCookie(req, name) {
9600
9600
  // of truth for both the Secure attribute and the cookie-prefix choice.
9601
9601
  // The container socket behind the Cloudflare Worker may be plain http even
9602
9602
  // when the visitor's connection is https, so the decision rides on the
9603
- // forwarded protocol the Worker sets (`x-forwarded-proto`); `trustProxy`
9604
- // opts that header in (the framework refuses the attacker-forgeable header
9605
- // otherwise). Direct dev / e2e connections have no forwarded header and a
9606
- // non-encrypted socket, so this returns false there and the bare-named,
9607
- // non-Secure cookie is emitted (a real browser drops a Secure cookie over
9608
- // http, so the bare name is what keeps dev/e2e sessions working).
9603
+ // forwarded protocol the Worker sets (`x-forwarded-proto`). Resolution is
9604
+ // delegated to the shared securityMiddleware.resolveProtocol so this Secure-
9605
+ // cookie decision uses the SAME proxy-trust model as the HSTS + csrf gates
9606
+ // (blamejs 0.15.14 refuses a bare `trustProxy`; the resolver owns the
9607
+ // header read, sound because the container has no public ingress). Direct
9608
+ // dev / e2e connections have no forwarded header and a non-encrypted socket,
9609
+ // so this returns false there and the bare-named, non-Secure cookie is
9610
+ // emitted (a real browser drops a Secure cookie over http, so the bare name
9611
+ // is what keeps dev/e2e sessions working).
9609
9612
  function _secureForReq(req) {
9610
- return b.requestHelpers.requestProtocol(req, { trustProxy: true }) === "https";
9613
+ return securityMiddleware.resolveProtocol(req) === "https";
9611
9614
  }
9612
9615
 
9613
9616
  // Resolve the on-wire name for one of the prefix-hardened cookies. Secure