@blamejs/blamejs-shop 0.4.91 → 0.4.92

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (46) hide show
  1. package/CHANGELOG.md +2 -0
  2. package/lib/asset-manifest.json +1 -1
  3. package/lib/vendor/MANIFEST.json +49 -41
  4. package/lib/vendor/blamejs/CHANGELOG.md +6 -0
  5. package/lib/vendor/blamejs/SECURITY.md +1 -0
  6. package/lib/vendor/blamejs/api-snapshot.json +208 -2
  7. package/lib/vendor/blamejs/examples/wiki/test/e2e.js +7 -4
  8. package/lib/vendor/blamejs/examples/wiki/test/integration.js +15 -12
  9. package/lib/vendor/blamejs/index.js +2 -0
  10. package/lib/vendor/blamejs/lib/audit-sign.js +34 -1
  11. package/lib/vendor/blamejs/lib/backup/manifest.js +191 -44
  12. package/lib/vendor/blamejs/lib/codepoint-class.js +284 -77
  13. package/lib/vendor/blamejs/lib/framework-error.js +14 -0
  14. package/lib/vendor/blamejs/lib/fsm.js +80 -24
  15. package/lib/vendor/blamejs/lib/log.js +32 -0
  16. package/lib/vendor/blamejs/lib/middleware/rate-limit.js +18 -2
  17. package/lib/vendor/blamejs/lib/middleware/request-id.js +24 -4
  18. package/lib/vendor/blamejs/lib/request-helpers.js +50 -0
  19. package/lib/vendor/blamejs/lib/safe-path.js +24 -10
  20. package/lib/vendor/blamejs/lib/sql.js +133 -0
  21. package/lib/vendor/blamejs/lib/totp.js +98 -33
  22. package/lib/vendor/blamejs/lib/ws-client.js +39 -28
  23. package/lib/vendor/blamejs/package.json +1 -1
  24. package/lib/vendor/blamejs/release-notes/v0.15.21.json +51 -0
  25. package/lib/vendor/blamejs/release-notes/v0.15.22.json +18 -0
  26. package/lib/vendor/blamejs/release-notes/v0.15.23.json +22 -0
  27. package/lib/vendor/blamejs/test/00-primitives.js +80 -0
  28. package/lib/vendor/blamejs/test/_smoke-worker.js +81 -0
  29. package/lib/vendor/blamejs/test/integration/federation-auth.test.js +7 -4
  30. package/lib/vendor/blamejs/test/integration/mail-crypto-smime.test.js +7 -4
  31. package/lib/vendor/blamejs/test/layer-0-primitives/backup-manifest-signature.test.js +91 -0
  32. package/lib/vendor/blamejs/test/layer-0-primitives/codebase-patterns.test.js +65 -0
  33. package/lib/vendor/blamejs/test/layer-0-primitives/codepoint-class.test.js +58 -0
  34. package/lib/vendor/blamejs/test/layer-0-primitives/defineguard-default-gate-posture-caps.test.js +5 -2
  35. package/lib/vendor/blamejs/test/layer-0-primitives/dpop-middleware-replaystore-required.test.js +9 -1
  36. package/lib/vendor/blamejs/test/layer-0-primitives/fsm.test.js +99 -0
  37. package/lib/vendor/blamejs/test/layer-0-primitives/money.test.js +30 -0
  38. package/lib/vendor/blamejs/test/layer-0-primitives/otlp-attr-redaction.test.js +9 -6
  39. package/lib/vendor/blamejs/test/layer-0-primitives/rate-limit-xff-spoofing.test.js +36 -0
  40. package/lib/vendor/blamejs/test/layer-0-primitives/request-helpers.test.js +33 -0
  41. package/lib/vendor/blamejs/test/layer-0-primitives/request-id-async-context.test.js +117 -0
  42. package/lib/vendor/blamejs/test/layer-0-primitives/safe-path.test.js +64 -0
  43. package/lib/vendor/blamejs/test/layer-0-primitives/sql.test.js +96 -0
  44. package/lib/vendor/blamejs/test/layer-0-primitives/ws-client.test.js +55 -0
  45. package/lib/vendor/blamejs/test/smoke.js +93 -10
  46. package/package.json +1 -1
@@ -1,7 +1,7 @@
1
1
  {
2
2
  "version": 1,
3
- "frameworkVersion": "0.15.20",
4
- "createdAt": "2026-06-25T03:02:07.070Z",
3
+ "frameworkVersion": "0.15.23",
4
+ "createdAt": "2026-06-25T09:00:42.816Z",
5
5
  "exports": {
6
6
  "a2a": {
7
7
  "type": "object",
@@ -2562,6 +2562,10 @@
2562
2562
  "type": "function",
2563
2563
  "arity": 2
2564
2564
  },
2565
+ "fingerprintOf": {
2566
+ "type": "function",
2567
+ "arity": 1
2568
+ },
2565
2569
  "getAlgorithm": {
2566
2570
  "type": "function",
2567
2571
  "arity": 0
@@ -4729,6 +4733,10 @@
4729
4733
  "type": "instance",
4730
4734
  "ctorName": "Array"
4731
4735
  },
4736
+ "VERIFY_ONLY_ALGORITHMS": {
4737
+ "type": "instance",
4738
+ "ctorName": "Array"
4739
+ },
4732
4740
  "compute": {
4733
4741
  "type": "function",
4734
4742
  "arity": 3
@@ -5001,6 +5009,10 @@
5001
5009
  "type": "function",
5002
5010
  "arity": 1
5003
5011
  },
5012
+ "signBytes": {
5013
+ "type": "function",
5014
+ "arity": 1
5015
+ },
5004
5016
  "signingPayload": {
5005
5017
  "type": "function",
5006
5018
  "arity": 1
@@ -5009,6 +5021,10 @@
5009
5021
  "type": "function",
5010
5022
  "arity": 1
5011
5023
  },
5024
+ "verifyBytes": {
5025
+ "type": "function",
5026
+ "arity": 3
5027
+ },
5012
5028
  "verifySignature": {
5013
5029
  "type": "function",
5014
5030
  "arity": 2
@@ -6776,6 +6792,180 @@
6776
6792
  }
6777
6793
  }
6778
6794
  },
6795
+ "codepointClass": {
6796
+ "type": "object",
6797
+ "members": {
6798
+ "BIDI_RANGES": {
6799
+ "type": "instance",
6800
+ "ctorName": "Array"
6801
+ },
6802
+ "BIDI_RE": {
6803
+ "type": "instance",
6804
+ "ctorName": "RegExp"
6805
+ },
6806
+ "BIDI_RE_G": {
6807
+ "type": "instance",
6808
+ "ctorName": "RegExp"
6809
+ },
6810
+ "BOM_CHAR": {
6811
+ "type": "primitive",
6812
+ "valueType": "string"
6813
+ },
6814
+ "C0_CTRL_RANGES": {
6815
+ "type": "instance",
6816
+ "ctorName": "Array"
6817
+ },
6818
+ "C0_CTRL_RE": {
6819
+ "type": "instance",
6820
+ "ctorName": "RegExp"
6821
+ },
6822
+ "C0_CTRL_RE_G": {
6823
+ "type": "instance",
6824
+ "ctorName": "RegExp"
6825
+ },
6826
+ "HEX_PAIR_RE": {
6827
+ "type": "instance",
6828
+ "ctorName": "RegExp"
6829
+ },
6830
+ "NULL_BYTE": {
6831
+ "type": "primitive",
6832
+ "valueType": "string"
6833
+ },
6834
+ "NULL_RE_G": {
6835
+ "type": "instance",
6836
+ "ctorName": "RegExp"
6837
+ },
6838
+ "SCRIPT_RANGES": {
6839
+ "type": "object",
6840
+ "members": {
6841
+ "arabic": {
6842
+ "type": "instance",
6843
+ "ctorName": "Array"
6844
+ },
6845
+ "armenian": {
6846
+ "type": "instance",
6847
+ "ctorName": "Array"
6848
+ },
6849
+ "cherokee": {
6850
+ "type": "instance",
6851
+ "ctorName": "Array"
6852
+ },
6853
+ "cyrillic": {
6854
+ "type": "instance",
6855
+ "ctorName": "Array"
6856
+ },
6857
+ "greek": {
6858
+ "type": "instance",
6859
+ "ctorName": "Array"
6860
+ },
6861
+ "han": {
6862
+ "type": "instance",
6863
+ "ctorName": "Array"
6864
+ },
6865
+ "hangul": {
6866
+ "type": "instance",
6867
+ "ctorName": "Array"
6868
+ },
6869
+ "hebrew": {
6870
+ "type": "instance",
6871
+ "ctorName": "Array"
6872
+ },
6873
+ "hiragana": {
6874
+ "type": "instance",
6875
+ "ctorName": "Array"
6876
+ },
6877
+ "katakana": {
6878
+ "type": "instance",
6879
+ "ctorName": "Array"
6880
+ },
6881
+ "latin": {
6882
+ "type": "instance",
6883
+ "ctorName": "Array"
6884
+ }
6885
+ }
6886
+ },
6887
+ "TAG_RANGES": {
6888
+ "type": "instance",
6889
+ "ctorName": "Array"
6890
+ },
6891
+ "TAG_RE": {
6892
+ "type": "instance",
6893
+ "ctorName": "RegExp"
6894
+ },
6895
+ "TAG_RE_G": {
6896
+ "type": "instance",
6897
+ "ctorName": "RegExp"
6898
+ },
6899
+ "ZERO_WIDTH_RANGES": {
6900
+ "type": "instance",
6901
+ "ctorName": "Array"
6902
+ },
6903
+ "ZERO_WIDTH_RE": {
6904
+ "type": "instance",
6905
+ "ctorName": "RegExp"
6906
+ },
6907
+ "ZW_RE_G": {
6908
+ "type": "instance",
6909
+ "ctorName": "RegExp"
6910
+ },
6911
+ "applyCharStripPolicies": {
6912
+ "type": "function",
6913
+ "arity": 2
6914
+ },
6915
+ "assertNoCharThreats": {
6916
+ "type": "function",
6917
+ "arity": 4
6918
+ },
6919
+ "charClass": {
6920
+ "type": "function",
6921
+ "arity": 1
6922
+ },
6923
+ "decodeNumericEntities": {
6924
+ "type": "function",
6925
+ "arity": 1
6926
+ },
6927
+ "detectCharThreats": {
6928
+ "type": "function",
6929
+ "arity": 4
6930
+ },
6931
+ "detectMixedScripts": {
6932
+ "type": "function",
6933
+ "arity": 2
6934
+ },
6935
+ "escapeRegExp": {
6936
+ "type": "function",
6937
+ "arity": 1
6938
+ },
6939
+ "firstControlCharOffset": {
6940
+ "type": "function",
6941
+ "arity": 2
6942
+ },
6943
+ "fromCp": {
6944
+ "type": "function",
6945
+ "arity": 1
6946
+ },
6947
+ "hex4": {
6948
+ "type": "function",
6949
+ "arity": 1
6950
+ },
6951
+ "isAsciiAlnum": {
6952
+ "type": "function",
6953
+ "arity": 1
6954
+ },
6955
+ "isForbiddenControlChar": {
6956
+ "type": "function",
6957
+ "arity": 2
6958
+ },
6959
+ "isUnreserved": {
6960
+ "type": "function",
6961
+ "arity": 1
6962
+ },
6963
+ "scriptFor": {
6964
+ "type": "function",
6965
+ "arity": 1
6966
+ }
6967
+ }
6968
+ },
6779
6969
  "compliance": {
6780
6970
  "type": "object",
6781
6971
  "members": {
@@ -40407,6 +40597,10 @@
40407
40597
  "type": "function",
40408
40598
  "arity": 1
40409
40599
  },
40600
+ "enterRequestId": {
40601
+ "type": "function",
40602
+ "arity": 1
40603
+ },
40410
40604
  "getRequestId": {
40411
40605
  "type": "function",
40412
40606
  "arity": 0
@@ -49219,6 +49413,10 @@
49219
49413
  "type": "function",
49220
49414
  "arity": 1
49221
49415
  },
49416
+ "ipKey": {
49417
+ "type": "function",
49418
+ "arity": 2
49419
+ },
49222
49420
  "ipPrefix": {
49223
49421
  "type": "function",
49224
49422
  "arity": 2
@@ -52354,6 +52552,10 @@
52354
52552
  "type": "function",
52355
52553
  "arity": 3
52356
52554
  },
52555
+ "casWon": {
52556
+ "type": "function",
52557
+ "arity": 1
52558
+ },
52357
52559
  "cast": {
52358
52560
  "type": "function",
52359
52561
  "arity": 2
@@ -52427,6 +52629,10 @@
52427
52629
  "type": "function",
52428
52630
  "arity": 1
52429
52631
  },
52632
+ "guardedUpdate": {
52633
+ "type": "function",
52634
+ "arity": 2
52635
+ },
52430
52636
  "insert": {
52431
52637
  "type": "function",
52432
52638
  "arity": 2
@@ -847,7 +847,10 @@ async function run() {
847
847
  console.log("[wiki-e2e] OK — " + checks + " checks passed");
848
848
  }
849
849
 
850
- run().catch(function (e) {
851
- console.error("[wiki-e2e] FATAL:", e && e.stack || e);
852
- process.exit(1);
853
- });
850
+ module.exports = { run: run };
851
+ if (require.main === module) {
852
+ run().catch(function (e) {
853
+ console.error("[wiki-e2e] FATAL:", e && e.stack || e);
854
+ process.exit(1);
855
+ });
856
+ }
@@ -376,16 +376,19 @@ async function run() {
376
376
  }
377
377
  }
378
378
 
379
- run().then(function () {
380
- if (failures.length > 0) {
381
- console.error("\n[wiki-integration] FAIL — " + failures.length + " failed assertion(s):");
382
- failures.forEach(function (f) { console.error(" ✗ " + f); });
379
+ module.exports = { run: run };
380
+ if (require.main === module) {
381
+ run().then(function () {
382
+ if (failures.length > 0) {
383
+ console.error("\n[wiki-integration] FAIL — " + failures.length + " failed assertion(s):");
384
+ failures.forEach(function (f) { console.error(" ✗ " + f); });
385
+ process.exit(1);
386
+ }
387
+ console.log("\n[wiki-integration] OK — " + checks + " checks passed");
388
+ process.exit(0);
389
+ }, function (err) {
390
+ console.error("\n[wiki-integration] FAIL — error during run:");
391
+ console.error(err && err.stack || err);
383
392
  process.exit(1);
384
- }
385
- console.log("\n[wiki-integration] OK — " + checks + " checks passed");
386
- process.exit(0);
387
- }, function (err) {
388
- console.error("\n[wiki-integration] FAIL — error during run:");
389
- console.error(err && err.stack || err);
390
- process.exit(1);
391
- });
393
+ });
394
+ }
@@ -124,6 +124,7 @@ var handlers = require("./lib/handlers");
124
124
  var safeSql = require("./lib/safe-sql");
125
125
  var sql = require("./lib/sql");
126
126
  var chainWriter = require("./lib/chain-writer");
127
+ var codepointClass = require("./lib/codepoint-class");
127
128
  var safeBuffer = require("./lib/safe-buffer");
128
129
  var safeDecompress = require("./lib/safe-decompress").safeDecompress;
129
130
  var safeMountInfo = require("./lib/safe-mount-info");
@@ -530,6 +531,7 @@ module.exports = {
530
531
  safeSql: safeSql,
531
532
  sql: sql,
532
533
  chainWriter: chainWriter,
534
+ codepointClass: codepointClass,
533
535
  safeBuffer: safeBuffer,
534
536
  safeDecompress: safeDecompress,
535
537
  safeMountInfo: safeMountInfo,
@@ -498,13 +498,45 @@ function sign(payload) {
498
498
  * // → true (when payload + signature were produced under that key)
499
499
  */
500
500
  function verify(payload, signature, publicKeyPem) {
501
- _requireInit();
501
+ // Only the DEFAULT-key path needs an initialized keypair; when the caller
502
+ // supplies an explicit publicKeyPem, verification needs no private material
503
+ // or in-memory key state. Gating init on the absence of publicKeyPem lets a
504
+ // verifier-only process (one that holds a trusted public key but never ran
505
+ // init()) verify a detached signature — the path b.backupManifest.verifyBytes
506
+ // relies on for downstream verifiers.
507
+ if (!publicKeyPem) _requireInit();
502
508
  var buf = Buffer.isBuffer(payload) ? payload : Buffer.from(String(payload), "utf8");
503
509
  var sigBuf = Buffer.isBuffer(signature) ? signature : Buffer.from(signature);
504
510
  var pub = publicKeyPem || keys.publicKey;
505
511
  return nodeCrypto.verify(null, buf, pub, sigBuf);
506
512
  }
507
513
 
514
+ /**
515
+ * @primitive b.auditSign.fingerprintOf
516
+ * @signature b.auditSign.fingerprintOf(publicKeyPem)
517
+ * @since 0.15.21
518
+ * @status stable
519
+ * @related b.auditSign.getPublicKeyFingerprint, b.auditSign.verify
520
+ *
521
+ * Compute the SHA3-512 fingerprint (lowercase hex) of a SPKI-PEM public key —
522
+ * the same derivation `getPublicKeyFingerprint()` returns for the active key,
523
+ * but for any supplied key and WITHOUT requiring `init()`. A verifier pins a
524
+ * trusted fingerprint and checks it against `fingerprintOf(block.publicKey)`
525
+ * before trusting a detached signature block, so an attacker can't substitute
526
+ * their own key while claiming the trusted fingerprint.
527
+ *
528
+ * @example
529
+ * var fp = b.auditSign.fingerprintOf(block.publicKey);
530
+ * if (fp !== trustedFingerprint) throw new Error("untrusted signing key");
531
+ */
532
+ function fingerprintOf(publicKeyPem) {
533
+ if (typeof publicKeyPem !== "string" || publicKeyPem.length === 0) {
534
+ throw new AuditSignError("audit-sign/bad-public-key",
535
+ "fingerprintOf: publicKeyPem must be a non-empty PEM string");
536
+ }
537
+ return _computeFingerprint(publicKeyPem);
538
+ }
539
+
508
540
  /**
509
541
  * @primitive b.auditSign.getPublicKey
510
542
  * @signature b.auditSign.getPublicKey()
@@ -1073,6 +1105,7 @@ module.exports = {
1073
1105
  getPublicKey: getPublicKey,
1074
1106
  getPublicKeyFingerprint: getPublicKeyFingerprint,
1075
1107
  getPublicKeyByFingerprint: getPublicKeyByFingerprint,
1108
+ fingerprintOf: fingerprintOf,
1076
1109
  getMode: getMode,
1077
1110
  getAlgorithm: getAlgorithm,
1078
1111
  DEFAULT_SIGNING_ALG: DEFAULT_SIGNING_ALG,