@blamejs/blamejs-shop 0.4.91 → 0.4.93
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/CHANGELOG.md +4 -0
- package/lib/asset-manifest.json +1 -1
- package/lib/security-middleware.js +21 -3
- package/lib/vendor/MANIFEST.json +49 -41
- package/lib/vendor/blamejs/CHANGELOG.md +6 -0
- package/lib/vendor/blamejs/SECURITY.md +1 -0
- package/lib/vendor/blamejs/api-snapshot.json +208 -2
- package/lib/vendor/blamejs/examples/wiki/test/e2e.js +7 -4
- package/lib/vendor/blamejs/examples/wiki/test/integration.js +15 -12
- package/lib/vendor/blamejs/index.js +2 -0
- package/lib/vendor/blamejs/lib/audit-sign.js +34 -1
- package/lib/vendor/blamejs/lib/backup/manifest.js +191 -44
- package/lib/vendor/blamejs/lib/codepoint-class.js +284 -77
- package/lib/vendor/blamejs/lib/framework-error.js +14 -0
- package/lib/vendor/blamejs/lib/fsm.js +80 -24
- package/lib/vendor/blamejs/lib/log.js +32 -0
- package/lib/vendor/blamejs/lib/middleware/rate-limit.js +18 -2
- package/lib/vendor/blamejs/lib/middleware/request-id.js +24 -4
- package/lib/vendor/blamejs/lib/request-helpers.js +50 -0
- package/lib/vendor/blamejs/lib/safe-path.js +24 -10
- package/lib/vendor/blamejs/lib/sql.js +133 -0
- package/lib/vendor/blamejs/lib/totp.js +98 -33
- package/lib/vendor/blamejs/lib/ws-client.js +39 -28
- package/lib/vendor/blamejs/package.json +1 -1
- package/lib/vendor/blamejs/release-notes/v0.15.21.json +51 -0
- package/lib/vendor/blamejs/release-notes/v0.15.22.json +18 -0
- package/lib/vendor/blamejs/release-notes/v0.15.23.json +22 -0
- package/lib/vendor/blamejs/test/00-primitives.js +80 -0
- package/lib/vendor/blamejs/test/_smoke-worker.js +81 -0
- package/lib/vendor/blamejs/test/integration/federation-auth.test.js +7 -4
- package/lib/vendor/blamejs/test/integration/mail-crypto-smime.test.js +7 -4
- package/lib/vendor/blamejs/test/layer-0-primitives/backup-manifest-signature.test.js +91 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/codebase-patterns.test.js +65 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/codepoint-class.test.js +58 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/defineguard-default-gate-posture-caps.test.js +5 -2
- package/lib/vendor/blamejs/test/layer-0-primitives/dpop-middleware-replaystore-required.test.js +9 -1
- package/lib/vendor/blamejs/test/layer-0-primitives/fsm.test.js +99 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/money.test.js +30 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/otlp-attr-redaction.test.js +9 -6
- package/lib/vendor/blamejs/test/layer-0-primitives/rate-limit-xff-spoofing.test.js +36 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/request-helpers.test.js +33 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/request-id-async-context.test.js +117 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/safe-path.test.js +64 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/sql.test.js +96 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/ws-client.test.js +55 -0
- package/lib/vendor/blamejs/test/smoke.js +93 -10
- package/package.json +1 -1
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
{
|
|
2
2
|
"version": 1,
|
|
3
|
-
"frameworkVersion": "0.15.
|
|
4
|
-
"createdAt": "2026-06-
|
|
3
|
+
"frameworkVersion": "0.15.23",
|
|
4
|
+
"createdAt": "2026-06-25T09:00:42.816Z",
|
|
5
5
|
"exports": {
|
|
6
6
|
"a2a": {
|
|
7
7
|
"type": "object",
|
|
@@ -2562,6 +2562,10 @@
|
|
|
2562
2562
|
"type": "function",
|
|
2563
2563
|
"arity": 2
|
|
2564
2564
|
},
|
|
2565
|
+
"fingerprintOf": {
|
|
2566
|
+
"type": "function",
|
|
2567
|
+
"arity": 1
|
|
2568
|
+
},
|
|
2565
2569
|
"getAlgorithm": {
|
|
2566
2570
|
"type": "function",
|
|
2567
2571
|
"arity": 0
|
|
@@ -4729,6 +4733,10 @@
|
|
|
4729
4733
|
"type": "instance",
|
|
4730
4734
|
"ctorName": "Array"
|
|
4731
4735
|
},
|
|
4736
|
+
"VERIFY_ONLY_ALGORITHMS": {
|
|
4737
|
+
"type": "instance",
|
|
4738
|
+
"ctorName": "Array"
|
|
4739
|
+
},
|
|
4732
4740
|
"compute": {
|
|
4733
4741
|
"type": "function",
|
|
4734
4742
|
"arity": 3
|
|
@@ -5001,6 +5009,10 @@
|
|
|
5001
5009
|
"type": "function",
|
|
5002
5010
|
"arity": 1
|
|
5003
5011
|
},
|
|
5012
|
+
"signBytes": {
|
|
5013
|
+
"type": "function",
|
|
5014
|
+
"arity": 1
|
|
5015
|
+
},
|
|
5004
5016
|
"signingPayload": {
|
|
5005
5017
|
"type": "function",
|
|
5006
5018
|
"arity": 1
|
|
@@ -5009,6 +5021,10 @@
|
|
|
5009
5021
|
"type": "function",
|
|
5010
5022
|
"arity": 1
|
|
5011
5023
|
},
|
|
5024
|
+
"verifyBytes": {
|
|
5025
|
+
"type": "function",
|
|
5026
|
+
"arity": 3
|
|
5027
|
+
},
|
|
5012
5028
|
"verifySignature": {
|
|
5013
5029
|
"type": "function",
|
|
5014
5030
|
"arity": 2
|
|
@@ -6776,6 +6792,180 @@
|
|
|
6776
6792
|
}
|
|
6777
6793
|
}
|
|
6778
6794
|
},
|
|
6795
|
+
"codepointClass": {
|
|
6796
|
+
"type": "object",
|
|
6797
|
+
"members": {
|
|
6798
|
+
"BIDI_RANGES": {
|
|
6799
|
+
"type": "instance",
|
|
6800
|
+
"ctorName": "Array"
|
|
6801
|
+
},
|
|
6802
|
+
"BIDI_RE": {
|
|
6803
|
+
"type": "instance",
|
|
6804
|
+
"ctorName": "RegExp"
|
|
6805
|
+
},
|
|
6806
|
+
"BIDI_RE_G": {
|
|
6807
|
+
"type": "instance",
|
|
6808
|
+
"ctorName": "RegExp"
|
|
6809
|
+
},
|
|
6810
|
+
"BOM_CHAR": {
|
|
6811
|
+
"type": "primitive",
|
|
6812
|
+
"valueType": "string"
|
|
6813
|
+
},
|
|
6814
|
+
"C0_CTRL_RANGES": {
|
|
6815
|
+
"type": "instance",
|
|
6816
|
+
"ctorName": "Array"
|
|
6817
|
+
},
|
|
6818
|
+
"C0_CTRL_RE": {
|
|
6819
|
+
"type": "instance",
|
|
6820
|
+
"ctorName": "RegExp"
|
|
6821
|
+
},
|
|
6822
|
+
"C0_CTRL_RE_G": {
|
|
6823
|
+
"type": "instance",
|
|
6824
|
+
"ctorName": "RegExp"
|
|
6825
|
+
},
|
|
6826
|
+
"HEX_PAIR_RE": {
|
|
6827
|
+
"type": "instance",
|
|
6828
|
+
"ctorName": "RegExp"
|
|
6829
|
+
},
|
|
6830
|
+
"NULL_BYTE": {
|
|
6831
|
+
"type": "primitive",
|
|
6832
|
+
"valueType": "string"
|
|
6833
|
+
},
|
|
6834
|
+
"NULL_RE_G": {
|
|
6835
|
+
"type": "instance",
|
|
6836
|
+
"ctorName": "RegExp"
|
|
6837
|
+
},
|
|
6838
|
+
"SCRIPT_RANGES": {
|
|
6839
|
+
"type": "object",
|
|
6840
|
+
"members": {
|
|
6841
|
+
"arabic": {
|
|
6842
|
+
"type": "instance",
|
|
6843
|
+
"ctorName": "Array"
|
|
6844
|
+
},
|
|
6845
|
+
"armenian": {
|
|
6846
|
+
"type": "instance",
|
|
6847
|
+
"ctorName": "Array"
|
|
6848
|
+
},
|
|
6849
|
+
"cherokee": {
|
|
6850
|
+
"type": "instance",
|
|
6851
|
+
"ctorName": "Array"
|
|
6852
|
+
},
|
|
6853
|
+
"cyrillic": {
|
|
6854
|
+
"type": "instance",
|
|
6855
|
+
"ctorName": "Array"
|
|
6856
|
+
},
|
|
6857
|
+
"greek": {
|
|
6858
|
+
"type": "instance",
|
|
6859
|
+
"ctorName": "Array"
|
|
6860
|
+
},
|
|
6861
|
+
"han": {
|
|
6862
|
+
"type": "instance",
|
|
6863
|
+
"ctorName": "Array"
|
|
6864
|
+
},
|
|
6865
|
+
"hangul": {
|
|
6866
|
+
"type": "instance",
|
|
6867
|
+
"ctorName": "Array"
|
|
6868
|
+
},
|
|
6869
|
+
"hebrew": {
|
|
6870
|
+
"type": "instance",
|
|
6871
|
+
"ctorName": "Array"
|
|
6872
|
+
},
|
|
6873
|
+
"hiragana": {
|
|
6874
|
+
"type": "instance",
|
|
6875
|
+
"ctorName": "Array"
|
|
6876
|
+
},
|
|
6877
|
+
"katakana": {
|
|
6878
|
+
"type": "instance",
|
|
6879
|
+
"ctorName": "Array"
|
|
6880
|
+
},
|
|
6881
|
+
"latin": {
|
|
6882
|
+
"type": "instance",
|
|
6883
|
+
"ctorName": "Array"
|
|
6884
|
+
}
|
|
6885
|
+
}
|
|
6886
|
+
},
|
|
6887
|
+
"TAG_RANGES": {
|
|
6888
|
+
"type": "instance",
|
|
6889
|
+
"ctorName": "Array"
|
|
6890
|
+
},
|
|
6891
|
+
"TAG_RE": {
|
|
6892
|
+
"type": "instance",
|
|
6893
|
+
"ctorName": "RegExp"
|
|
6894
|
+
},
|
|
6895
|
+
"TAG_RE_G": {
|
|
6896
|
+
"type": "instance",
|
|
6897
|
+
"ctorName": "RegExp"
|
|
6898
|
+
},
|
|
6899
|
+
"ZERO_WIDTH_RANGES": {
|
|
6900
|
+
"type": "instance",
|
|
6901
|
+
"ctorName": "Array"
|
|
6902
|
+
},
|
|
6903
|
+
"ZERO_WIDTH_RE": {
|
|
6904
|
+
"type": "instance",
|
|
6905
|
+
"ctorName": "RegExp"
|
|
6906
|
+
},
|
|
6907
|
+
"ZW_RE_G": {
|
|
6908
|
+
"type": "instance",
|
|
6909
|
+
"ctorName": "RegExp"
|
|
6910
|
+
},
|
|
6911
|
+
"applyCharStripPolicies": {
|
|
6912
|
+
"type": "function",
|
|
6913
|
+
"arity": 2
|
|
6914
|
+
},
|
|
6915
|
+
"assertNoCharThreats": {
|
|
6916
|
+
"type": "function",
|
|
6917
|
+
"arity": 4
|
|
6918
|
+
},
|
|
6919
|
+
"charClass": {
|
|
6920
|
+
"type": "function",
|
|
6921
|
+
"arity": 1
|
|
6922
|
+
},
|
|
6923
|
+
"decodeNumericEntities": {
|
|
6924
|
+
"type": "function",
|
|
6925
|
+
"arity": 1
|
|
6926
|
+
},
|
|
6927
|
+
"detectCharThreats": {
|
|
6928
|
+
"type": "function",
|
|
6929
|
+
"arity": 4
|
|
6930
|
+
},
|
|
6931
|
+
"detectMixedScripts": {
|
|
6932
|
+
"type": "function",
|
|
6933
|
+
"arity": 2
|
|
6934
|
+
},
|
|
6935
|
+
"escapeRegExp": {
|
|
6936
|
+
"type": "function",
|
|
6937
|
+
"arity": 1
|
|
6938
|
+
},
|
|
6939
|
+
"firstControlCharOffset": {
|
|
6940
|
+
"type": "function",
|
|
6941
|
+
"arity": 2
|
|
6942
|
+
},
|
|
6943
|
+
"fromCp": {
|
|
6944
|
+
"type": "function",
|
|
6945
|
+
"arity": 1
|
|
6946
|
+
},
|
|
6947
|
+
"hex4": {
|
|
6948
|
+
"type": "function",
|
|
6949
|
+
"arity": 1
|
|
6950
|
+
},
|
|
6951
|
+
"isAsciiAlnum": {
|
|
6952
|
+
"type": "function",
|
|
6953
|
+
"arity": 1
|
|
6954
|
+
},
|
|
6955
|
+
"isForbiddenControlChar": {
|
|
6956
|
+
"type": "function",
|
|
6957
|
+
"arity": 2
|
|
6958
|
+
},
|
|
6959
|
+
"isUnreserved": {
|
|
6960
|
+
"type": "function",
|
|
6961
|
+
"arity": 1
|
|
6962
|
+
},
|
|
6963
|
+
"scriptFor": {
|
|
6964
|
+
"type": "function",
|
|
6965
|
+
"arity": 1
|
|
6966
|
+
}
|
|
6967
|
+
}
|
|
6968
|
+
},
|
|
6779
6969
|
"compliance": {
|
|
6780
6970
|
"type": "object",
|
|
6781
6971
|
"members": {
|
|
@@ -40407,6 +40597,10 @@
|
|
|
40407
40597
|
"type": "function",
|
|
40408
40598
|
"arity": 1
|
|
40409
40599
|
},
|
|
40600
|
+
"enterRequestId": {
|
|
40601
|
+
"type": "function",
|
|
40602
|
+
"arity": 1
|
|
40603
|
+
},
|
|
40410
40604
|
"getRequestId": {
|
|
40411
40605
|
"type": "function",
|
|
40412
40606
|
"arity": 0
|
|
@@ -49219,6 +49413,10 @@
|
|
|
49219
49413
|
"type": "function",
|
|
49220
49414
|
"arity": 1
|
|
49221
49415
|
},
|
|
49416
|
+
"ipKey": {
|
|
49417
|
+
"type": "function",
|
|
49418
|
+
"arity": 2
|
|
49419
|
+
},
|
|
49222
49420
|
"ipPrefix": {
|
|
49223
49421
|
"type": "function",
|
|
49224
49422
|
"arity": 2
|
|
@@ -52354,6 +52552,10 @@
|
|
|
52354
52552
|
"type": "function",
|
|
52355
52553
|
"arity": 3
|
|
52356
52554
|
},
|
|
52555
|
+
"casWon": {
|
|
52556
|
+
"type": "function",
|
|
52557
|
+
"arity": 1
|
|
52558
|
+
},
|
|
52357
52559
|
"cast": {
|
|
52358
52560
|
"type": "function",
|
|
52359
52561
|
"arity": 2
|
|
@@ -52427,6 +52629,10 @@
|
|
|
52427
52629
|
"type": "function",
|
|
52428
52630
|
"arity": 1
|
|
52429
52631
|
},
|
|
52632
|
+
"guardedUpdate": {
|
|
52633
|
+
"type": "function",
|
|
52634
|
+
"arity": 2
|
|
52635
|
+
},
|
|
52430
52636
|
"insert": {
|
|
52431
52637
|
"type": "function",
|
|
52432
52638
|
"arity": 2
|
|
@@ -847,7 +847,10 @@ async function run() {
|
|
|
847
847
|
console.log("[wiki-e2e] OK — " + checks + " checks passed");
|
|
848
848
|
}
|
|
849
849
|
|
|
850
|
-
|
|
851
|
-
|
|
852
|
-
|
|
853
|
-
|
|
850
|
+
module.exports = { run: run };
|
|
851
|
+
if (require.main === module) {
|
|
852
|
+
run().catch(function (e) {
|
|
853
|
+
console.error("[wiki-e2e] FATAL:", e && e.stack || e);
|
|
854
|
+
process.exit(1);
|
|
855
|
+
});
|
|
856
|
+
}
|
|
@@ -376,16 +376,19 @@ async function run() {
|
|
|
376
376
|
}
|
|
377
377
|
}
|
|
378
378
|
|
|
379
|
-
|
|
380
|
-
|
|
381
|
-
|
|
382
|
-
|
|
379
|
+
module.exports = { run: run };
|
|
380
|
+
if (require.main === module) {
|
|
381
|
+
run().then(function () {
|
|
382
|
+
if (failures.length > 0) {
|
|
383
|
+
console.error("\n[wiki-integration] FAIL — " + failures.length + " failed assertion(s):");
|
|
384
|
+
failures.forEach(function (f) { console.error(" ✗ " + f); });
|
|
385
|
+
process.exit(1);
|
|
386
|
+
}
|
|
387
|
+
console.log("\n[wiki-integration] OK — " + checks + " checks passed");
|
|
388
|
+
process.exit(0);
|
|
389
|
+
}, function (err) {
|
|
390
|
+
console.error("\n[wiki-integration] FAIL — error during run:");
|
|
391
|
+
console.error(err && err.stack || err);
|
|
383
392
|
process.exit(1);
|
|
384
|
-
}
|
|
385
|
-
|
|
386
|
-
process.exit(0);
|
|
387
|
-
}, function (err) {
|
|
388
|
-
console.error("\n[wiki-integration] FAIL — error during run:");
|
|
389
|
-
console.error(err && err.stack || err);
|
|
390
|
-
process.exit(1);
|
|
391
|
-
});
|
|
393
|
+
});
|
|
394
|
+
}
|
|
@@ -124,6 +124,7 @@ var handlers = require("./lib/handlers");
|
|
|
124
124
|
var safeSql = require("./lib/safe-sql");
|
|
125
125
|
var sql = require("./lib/sql");
|
|
126
126
|
var chainWriter = require("./lib/chain-writer");
|
|
127
|
+
var codepointClass = require("./lib/codepoint-class");
|
|
127
128
|
var safeBuffer = require("./lib/safe-buffer");
|
|
128
129
|
var safeDecompress = require("./lib/safe-decompress").safeDecompress;
|
|
129
130
|
var safeMountInfo = require("./lib/safe-mount-info");
|
|
@@ -530,6 +531,7 @@ module.exports = {
|
|
|
530
531
|
safeSql: safeSql,
|
|
531
532
|
sql: sql,
|
|
532
533
|
chainWriter: chainWriter,
|
|
534
|
+
codepointClass: codepointClass,
|
|
533
535
|
safeBuffer: safeBuffer,
|
|
534
536
|
safeDecompress: safeDecompress,
|
|
535
537
|
safeMountInfo: safeMountInfo,
|
|
@@ -498,13 +498,45 @@ function sign(payload) {
|
|
|
498
498
|
* // → true (when payload + signature were produced under that key)
|
|
499
499
|
*/
|
|
500
500
|
function verify(payload, signature, publicKeyPem) {
|
|
501
|
-
|
|
501
|
+
// Only the DEFAULT-key path needs an initialized keypair; when the caller
|
|
502
|
+
// supplies an explicit publicKeyPem, verification needs no private material
|
|
503
|
+
// or in-memory key state. Gating init on the absence of publicKeyPem lets a
|
|
504
|
+
// verifier-only process (one that holds a trusted public key but never ran
|
|
505
|
+
// init()) verify a detached signature — the path b.backupManifest.verifyBytes
|
|
506
|
+
// relies on for downstream verifiers.
|
|
507
|
+
if (!publicKeyPem) _requireInit();
|
|
502
508
|
var buf = Buffer.isBuffer(payload) ? payload : Buffer.from(String(payload), "utf8");
|
|
503
509
|
var sigBuf = Buffer.isBuffer(signature) ? signature : Buffer.from(signature);
|
|
504
510
|
var pub = publicKeyPem || keys.publicKey;
|
|
505
511
|
return nodeCrypto.verify(null, buf, pub, sigBuf);
|
|
506
512
|
}
|
|
507
513
|
|
|
514
|
+
/**
|
|
515
|
+
* @primitive b.auditSign.fingerprintOf
|
|
516
|
+
* @signature b.auditSign.fingerprintOf(publicKeyPem)
|
|
517
|
+
* @since 0.15.21
|
|
518
|
+
* @status stable
|
|
519
|
+
* @related b.auditSign.getPublicKeyFingerprint, b.auditSign.verify
|
|
520
|
+
*
|
|
521
|
+
* Compute the SHA3-512 fingerprint (lowercase hex) of a SPKI-PEM public key —
|
|
522
|
+
* the same derivation `getPublicKeyFingerprint()` returns for the active key,
|
|
523
|
+
* but for any supplied key and WITHOUT requiring `init()`. A verifier pins a
|
|
524
|
+
* trusted fingerprint and checks it against `fingerprintOf(block.publicKey)`
|
|
525
|
+
* before trusting a detached signature block, so an attacker can't substitute
|
|
526
|
+
* their own key while claiming the trusted fingerprint.
|
|
527
|
+
*
|
|
528
|
+
* @example
|
|
529
|
+
* var fp = b.auditSign.fingerprintOf(block.publicKey);
|
|
530
|
+
* if (fp !== trustedFingerprint) throw new Error("untrusted signing key");
|
|
531
|
+
*/
|
|
532
|
+
function fingerprintOf(publicKeyPem) {
|
|
533
|
+
if (typeof publicKeyPem !== "string" || publicKeyPem.length === 0) {
|
|
534
|
+
throw new AuditSignError("audit-sign/bad-public-key",
|
|
535
|
+
"fingerprintOf: publicKeyPem must be a non-empty PEM string");
|
|
536
|
+
}
|
|
537
|
+
return _computeFingerprint(publicKeyPem);
|
|
538
|
+
}
|
|
539
|
+
|
|
508
540
|
/**
|
|
509
541
|
* @primitive b.auditSign.getPublicKey
|
|
510
542
|
* @signature b.auditSign.getPublicKey()
|
|
@@ -1073,6 +1105,7 @@ module.exports = {
|
|
|
1073
1105
|
getPublicKey: getPublicKey,
|
|
1074
1106
|
getPublicKeyFingerprint: getPublicKeyFingerprint,
|
|
1075
1107
|
getPublicKeyByFingerprint: getPublicKeyByFingerprint,
|
|
1108
|
+
fingerprintOf: fingerprintOf,
|
|
1076
1109
|
getMode: getMode,
|
|
1077
1110
|
getAlgorithm: getAlgorithm,
|
|
1078
1111
|
DEFAULT_SIGNING_ALG: DEFAULT_SIGNING_ALG,
|