@blamejs/blamejs-shop 0.5.4 → 0.5.6

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (1407) hide show
  1. package/CHANGELOG.md +4 -0
  2. package/README.md +1 -1
  3. package/lib/asset-manifest.json +1 -1
  4. package/lib/dunning.js +29 -4
  5. package/lib/plan-changes.js +288 -66
  6. package/lib/storefront.js +420 -0
  7. package/lib/vendor/MANIFEST.json +1395 -1409
  8. package/lib/vendor/blamejs/.clusterfuzzlite/Dockerfile +1 -1
  9. package/lib/vendor/blamejs/.github/dependabot.yml +12 -2
  10. package/lib/vendor/blamejs/.github/workflows/cflite_batch.yml +3 -3
  11. package/lib/vendor/blamejs/.github/workflows/cflite_pr.yml +3 -3
  12. package/lib/vendor/blamejs/.github/workflows/ci.yml +34 -29
  13. package/lib/vendor/blamejs/.github/workflows/codeql.yml +2 -2
  14. package/lib/vendor/blamejs/.github/workflows/npm-publish.yml +6 -6
  15. package/lib/vendor/blamejs/.github/workflows/release-container.yml +8 -8
  16. package/lib/vendor/blamejs/.github/workflows/scorecard.yml +1 -1
  17. package/lib/vendor/blamejs/.gitignore +6 -6
  18. package/lib/vendor/blamejs/CHANGELOG.md +68 -0
  19. package/lib/vendor/blamejs/CONTRIBUTING.md +16 -0
  20. package/lib/vendor/blamejs/README.md +2 -1
  21. package/lib/vendor/blamejs/ROADMAP.md +51 -0
  22. package/lib/vendor/blamejs/SECURITY.md +52 -1
  23. package/lib/vendor/blamejs/api-snapshot.json +22 -2
  24. package/lib/vendor/blamejs/bench/_helpers.js +2 -0
  25. package/lib/vendor/blamejs/bench/crypto-hash.bench.js +2 -0
  26. package/lib/vendor/blamejs/bench/crypto-symmetric.bench.js +2 -0
  27. package/lib/vendor/blamejs/bench/run.js +2 -0
  28. package/lib/vendor/blamejs/bench/safe-json.bench.js +2 -0
  29. package/lib/vendor/blamejs/bin/blamejs.js +2 -0
  30. package/lib/vendor/blamejs/examples/wiki/Dockerfile +1 -1
  31. package/lib/vendor/blamejs/examples/wiki/lib/auto-site-entries.js +2 -0
  32. package/lib/vendor/blamejs/examples/wiki/lib/build-app.js +9 -1
  33. package/lib/vendor/blamejs/examples/wiki/lib/harvest-cli.js +2 -0
  34. package/lib/vendor/blamejs/examples/wiki/lib/harvest-env-vars.js +2 -0
  35. package/lib/vendor/blamejs/examples/wiki/lib/harvest-errors.js +2 -0
  36. package/lib/vendor/blamejs/examples/wiki/lib/harvest-vendored-deps.js +2 -0
  37. package/lib/vendor/blamejs/examples/wiki/lib/html-entities.js +2 -0
  38. package/lib/vendor/blamejs/examples/wiki/lib/nav.js +2 -0
  39. package/lib/vendor/blamejs/examples/wiki/lib/opts-resolver.js +2 -0
  40. package/lib/vendor/blamejs/examples/wiki/lib/page-generator.js +2 -0
  41. package/lib/vendor/blamejs/examples/wiki/lib/section.js +2 -0
  42. package/lib/vendor/blamejs/examples/wiki/lib/source-comment-block-validator.js +2 -0
  43. package/lib/vendor/blamejs/examples/wiki/lib/source-doc-parser.js +2 -0
  44. package/lib/vendor/blamejs/examples/wiki/lib/symbol-index.js +2 -0
  45. package/lib/vendor/blamejs/examples/wiki/migrations/0001-pages-schema.js +2 -0
  46. package/lib/vendor/blamejs/examples/wiki/package-lock.json +30 -0
  47. package/lib/vendor/blamejs/examples/wiki/routes/admin.js +2 -0
  48. package/lib/vendor/blamejs/examples/wiki/routes/integration.js +2 -0
  49. package/lib/vendor/blamejs/examples/wiki/routes/pages.js +2 -0
  50. package/lib/vendor/blamejs/examples/wiki/scripts/backfill-module-metadata.js +2 -0
  51. package/lib/vendor/blamejs/examples/wiki/seeders/prod/0001-default-pages.js +2 -0
  52. package/lib/vendor/blamejs/examples/wiki/seeders/prod/pages/_index.js +2 -0
  53. package/lib/vendor/blamejs/examples/wiki/seeders/prod/pages/api.js +2 -0
  54. package/lib/vendor/blamejs/examples/wiki/server.js +2 -0
  55. package/lib/vendor/blamejs/examples/wiki/site.config.js +2 -0
  56. package/lib/vendor/blamejs/examples/wiki/snippets/auth/password-hash.example.js +2 -0
  57. package/lib/vendor/blamejs/examples/wiki/src/editor.js +2 -0
  58. package/lib/vendor/blamejs/examples/wiki/src/wiki.js +2 -0
  59. package/lib/vendor/blamejs/examples/wiki/test/codebase-patterns.test.js +2 -0
  60. package/lib/vendor/blamejs/examples/wiki/test/e2e.js +23 -0
  61. package/lib/vendor/blamejs/examples/wiki/test/find-missing-pages.js +2 -0
  62. package/lib/vendor/blamejs/examples/wiki/test/integration.js +2 -0
  63. package/lib/vendor/blamejs/examples/wiki/test/validate-cli-snapshot.js +2 -0
  64. package/lib/vendor/blamejs/examples/wiki/test/validate-env-snapshot.js +2 -0
  65. package/lib/vendor/blamejs/examples/wiki/test/validate-nav-coverage.js +2 -0
  66. package/lib/vendor/blamejs/examples/wiki/test/validate-site-coverage.js +2 -0
  67. package/lib/vendor/blamejs/examples/wiki/test/validate-source-comment-blocks.js +2 -0
  68. package/lib/vendor/blamejs/examples/wiki/wiki.config.js +2 -0
  69. package/lib/vendor/blamejs/fuzz/_expected.js +2 -0
  70. package/lib/vendor/blamejs/fuzz/guard-agent-registry.fuzz.js +2 -0
  71. package/lib/vendor/blamejs/fuzz/guard-csv.fuzz.js +2 -0
  72. package/lib/vendor/blamejs/fuzz/guard-dsn.fuzz.js +2 -0
  73. package/lib/vendor/blamejs/fuzz/guard-email.fuzz.js +2 -0
  74. package/lib/vendor/blamejs/fuzz/guard-envelope.fuzz.js +2 -0
  75. package/lib/vendor/blamejs/fuzz/guard-event-bus-payload.fuzz.js +2 -0
  76. package/lib/vendor/blamejs/fuzz/guard-event-bus-topic.fuzz.js +2 -0
  77. package/lib/vendor/blamejs/fuzz/guard-html.fuzz.js +2 -0
  78. package/lib/vendor/blamejs/fuzz/guard-idempotency-key.fuzz.js +2 -0
  79. package/lib/vendor/blamejs/fuzz/guard-imap-command.fuzz.js +2 -0
  80. package/lib/vendor/blamejs/fuzz/guard-jmap.fuzz.js +2 -0
  81. package/lib/vendor/blamejs/fuzz/guard-json.fuzz.js +2 -0
  82. package/lib/vendor/blamejs/fuzz/guard-list-id.fuzz.js +2 -0
  83. package/lib/vendor/blamejs/fuzz/guard-list-unsubscribe.fuzz.js +2 -0
  84. package/lib/vendor/blamejs/fuzz/guard-mail-compose.fuzz.js +2 -0
  85. package/lib/vendor/blamejs/fuzz/guard-mail-move.fuzz.js +2 -0
  86. package/lib/vendor/blamejs/fuzz/guard-mail-query.fuzz.js +2 -0
  87. package/lib/vendor/blamejs/fuzz/guard-mail-reply.fuzz.js +2 -0
  88. package/lib/vendor/blamejs/fuzz/guard-mail-sieve.fuzz.js +2 -0
  89. package/lib/vendor/blamejs/fuzz/guard-managesieve-command.fuzz.js +2 -0
  90. package/lib/vendor/blamejs/fuzz/guard-markdown.fuzz.js +2 -0
  91. package/lib/vendor/blamejs/fuzz/guard-message-id.fuzz.js +2 -0
  92. package/lib/vendor/blamejs/fuzz/guard-pop3-command.fuzz.js +2 -0
  93. package/lib/vendor/blamejs/fuzz/guard-posture-chain.fuzz.js +2 -0
  94. package/lib/vendor/blamejs/fuzz/guard-saga-config.fuzz.js +2 -0
  95. package/lib/vendor/blamejs/fuzz/guard-smtp-command.fuzz.js +2 -0
  96. package/lib/vendor/blamejs/fuzz/guard-snapshot-envelope.fuzz.js +2 -0
  97. package/lib/vendor/blamejs/fuzz/guard-sql.fuzz.js +2 -0
  98. package/lib/vendor/blamejs/fuzz/guard-stream-args.fuzz.js +2 -0
  99. package/lib/vendor/blamejs/fuzz/guard-svg.fuzz.js +2 -0
  100. package/lib/vendor/blamejs/fuzz/guard-tenant-id.fuzz.js +2 -0
  101. package/lib/vendor/blamejs/fuzz/guard-text.fuzz.js +2 -0
  102. package/lib/vendor/blamejs/fuzz/guard-trace-context.fuzz.js +2 -0
  103. package/lib/vendor/blamejs/fuzz/guard-xml.fuzz.js +2 -0
  104. package/lib/vendor/blamejs/fuzz/guard-yaml.fuzz.js +2 -0
  105. package/lib/vendor/blamejs/fuzz/package-lock.json +1239 -0
  106. package/lib/vendor/blamejs/fuzz/package.json +10 -0
  107. package/lib/vendor/blamejs/fuzz/parsers__safe-ini.fuzz.js +2 -0
  108. package/lib/vendor/blamejs/fuzz/parsers__safe-toml.fuzz.js +2 -0
  109. package/lib/vendor/blamejs/fuzz/parsers__safe-xml.fuzz.js +2 -0
  110. package/lib/vendor/blamejs/fuzz/parsers__safe-yaml.fuzz.js +2 -0
  111. package/lib/vendor/blamejs/fuzz/safe-archive.fuzz.js +2 -0
  112. package/lib/vendor/blamejs/fuzz/safe-decompress.fuzz.js +2 -0
  113. package/lib/vendor/blamejs/fuzz/safe-dns.fuzz.js +2 -0
  114. package/lib/vendor/blamejs/fuzz/safe-ical.fuzz.js +2 -0
  115. package/lib/vendor/blamejs/fuzz/safe-icap.fuzz.js +2 -0
  116. package/lib/vendor/blamejs/fuzz/safe-json.fuzz.js +2 -0
  117. package/lib/vendor/blamejs/fuzz/safe-jsonpath.fuzz.js +2 -0
  118. package/lib/vendor/blamejs/fuzz/safe-mime.fuzz.js +2 -0
  119. package/lib/vendor/blamejs/fuzz/safe-mount-info.fuzz.js +2 -0
  120. package/lib/vendor/blamejs/fuzz/safe-sieve.fuzz.js +2 -0
  121. package/lib/vendor/blamejs/fuzz/safe-smtp.fuzz.js +2 -0
  122. package/lib/vendor/blamejs/fuzz/safe-url.fuzz.js +2 -0
  123. package/lib/vendor/blamejs/fuzz/safe-vcard.fuzz.js +2 -0
  124. package/lib/vendor/blamejs/index.js +2 -0
  125. package/lib/vendor/blamejs/lib/_test/crypto-fixtures.js +2 -0
  126. package/lib/vendor/blamejs/lib/a2a-tasks.js +2 -0
  127. package/lib/vendor/blamejs/lib/a2a.js +2 -0
  128. package/lib/vendor/blamejs/lib/acme.js +7 -1
  129. package/lib/vendor/blamejs/lib/agent-audit.js +2 -0
  130. package/lib/vendor/blamejs/lib/agent-envelope-mac.js +2 -0
  131. package/lib/vendor/blamejs/lib/agent-event-bus.js +2 -0
  132. package/lib/vendor/blamejs/lib/agent-idempotency.js +2 -0
  133. package/lib/vendor/blamejs/lib/agent-orchestrator.js +10 -2
  134. package/lib/vendor/blamejs/lib/agent-posture-chain.js +2 -0
  135. package/lib/vendor/blamejs/lib/agent-saga.js +2 -0
  136. package/lib/vendor/blamejs/lib/agent-snapshot.js +2 -0
  137. package/lib/vendor/blamejs/lib/agent-stream.js +2 -0
  138. package/lib/vendor/blamejs/lib/agent-tenant.js +11 -2
  139. package/lib/vendor/blamejs/lib/agent-trace.js +2 -0
  140. package/lib/vendor/blamejs/lib/ai-adverse-decision.js +2 -0
  141. package/lib/vendor/blamejs/lib/ai-aedt-bias-audit.js +2 -0
  142. package/lib/vendor/blamejs/lib/ai-capability.js +2 -0
  143. package/lib/vendor/blamejs/lib/ai-content-detect.js +2 -0
  144. package/lib/vendor/blamejs/lib/ai-disclosure.js +2 -0
  145. package/lib/vendor/blamejs/lib/ai-dp.js +2 -0
  146. package/lib/vendor/blamejs/lib/ai-frontier-protocol.js +2 -0
  147. package/lib/vendor/blamejs/lib/ai-input.js +2 -0
  148. package/lib/vendor/blamejs/lib/ai-model-manifest.js +2 -0
  149. package/lib/vendor/blamejs/lib/ai-output.js +2 -0
  150. package/lib/vendor/blamejs/lib/ai-pref.js +2 -0
  151. package/lib/vendor/blamejs/lib/ai-prompt.js +2 -0
  152. package/lib/vendor/blamejs/lib/ai-quota.js +2 -0
  153. package/lib/vendor/blamejs/lib/api-key.js +2 -0
  154. package/lib/vendor/blamejs/lib/api-snapshot.js +2 -0
  155. package/lib/vendor/blamejs/lib/app-shutdown.js +2 -0
  156. package/lib/vendor/blamejs/lib/app.js +2 -0
  157. package/lib/vendor/blamejs/lib/archive-adapters.js +2 -0
  158. package/lib/vendor/blamejs/lib/archive-entry-policy.js +2 -0
  159. package/lib/vendor/blamejs/lib/archive-gz.js +2 -0
  160. package/lib/vendor/blamejs/lib/archive-read.js +2 -0
  161. package/lib/vendor/blamejs/lib/archive-tar-read.js +2 -0
  162. package/lib/vendor/blamejs/lib/archive-tar.js +9 -0
  163. package/lib/vendor/blamejs/lib/archive-wrap.js +2 -0
  164. package/lib/vendor/blamejs/lib/archive.js +6 -0
  165. package/lib/vendor/blamejs/lib/arg-parser.js +2 -0
  166. package/lib/vendor/blamejs/lib/argon2-builtin.js +2 -0
  167. package/lib/vendor/blamejs/lib/asn1-der.js +2 -0
  168. package/lib/vendor/blamejs/lib/asyncapi-bindings.js +2 -0
  169. package/lib/vendor/blamejs/lib/asyncapi-traits.js +2 -0
  170. package/lib/vendor/blamejs/lib/asyncapi.js +2 -0
  171. package/lib/vendor/blamejs/lib/atomic-file.js +2 -0
  172. package/lib/vendor/blamejs/lib/audit-chain.js +2 -0
  173. package/lib/vendor/blamejs/lib/audit-daily-review.js +2 -0
  174. package/lib/vendor/blamejs/lib/audit-emit.js +2 -0
  175. package/lib/vendor/blamejs/lib/audit-sign.js +2 -0
  176. package/lib/vendor/blamejs/lib/audit-tools.js +2 -0
  177. package/lib/vendor/blamejs/lib/audit.js +2 -0
  178. package/lib/vendor/blamejs/lib/auth/aal.js +2 -0
  179. package/lib/vendor/blamejs/lib/auth/access-lock.js +2 -0
  180. package/lib/vendor/blamejs/lib/auth/acr-vocabulary.js +2 -0
  181. package/lib/vendor/blamejs/lib/auth/ato-kill-switch.js +48 -11
  182. package/lib/vendor/blamejs/lib/auth/auth-time-tracker.js +2 -0
  183. package/lib/vendor/blamejs/lib/auth/bot-challenge.js +2 -0
  184. package/lib/vendor/blamejs/lib/auth/ciba.js +2 -0
  185. package/lib/vendor/blamejs/lib/auth/dpop.js +2 -0
  186. package/lib/vendor/blamejs/lib/auth/elevation-grant.js +2 -0
  187. package/lib/vendor/blamejs/lib/auth/fal.js +2 -0
  188. package/lib/vendor/blamejs/lib/auth/fido-mds3.js +11 -7
  189. package/lib/vendor/blamejs/lib/auth/jar.js +4 -1
  190. package/lib/vendor/blamejs/lib/auth/jwt-external.js +16 -3
  191. package/lib/vendor/blamejs/lib/auth/jwt.js +2 -0
  192. package/lib/vendor/blamejs/lib/auth/lockout.js +237 -104
  193. package/lib/vendor/blamejs/lib/auth/oauth.js +98 -17
  194. package/lib/vendor/blamejs/lib/auth/oid4vci.js +58 -17
  195. package/lib/vendor/blamejs/lib/auth/oid4vp.js +2 -0
  196. package/lib/vendor/blamejs/lib/auth/openid-federation.js +2 -0
  197. package/lib/vendor/blamejs/lib/auth/passkey.js +2 -0
  198. package/lib/vendor/blamejs/lib/auth/password.js +2 -0
  199. package/lib/vendor/blamejs/lib/auth/saml.js +68 -7
  200. package/lib/vendor/blamejs/lib/auth/sd-jwt-vc-disclosure.js +2 -0
  201. package/lib/vendor/blamejs/lib/auth/sd-jwt-vc-holder.js +2 -0
  202. package/lib/vendor/blamejs/lib/auth/sd-jwt-vc-issuer.js +2 -0
  203. package/lib/vendor/blamejs/lib/auth/sd-jwt-vc.js +9 -0
  204. package/lib/vendor/blamejs/lib/auth/status-list.js +7 -0
  205. package/lib/vendor/blamejs/lib/auth/step-up-policy.js +2 -0
  206. package/lib/vendor/blamejs/lib/auth/step-up.js +2 -0
  207. package/lib/vendor/blamejs/lib/auth-bot-challenge.js +5 -8
  208. package/lib/vendor/blamejs/lib/auth-header.js +2 -0
  209. package/lib/vendor/blamejs/lib/backup/bundle.js +2 -0
  210. package/lib/vendor/blamejs/lib/backup/crypto.js +2 -0
  211. package/lib/vendor/blamejs/lib/backup/index.js +14 -0
  212. package/lib/vendor/blamejs/lib/backup/manifest.js +2 -0
  213. package/lib/vendor/blamejs/lib/base32.js +2 -0
  214. package/lib/vendor/blamejs/lib/boot-gates.js +2 -0
  215. package/lib/vendor/blamejs/lib/bounded-map.js +3 -1
  216. package/lib/vendor/blamejs/lib/breach-deadline.js +2 -0
  217. package/lib/vendor/blamejs/lib/break-glass.js +10 -9
  218. package/lib/vendor/blamejs/lib/budr.js +2 -0
  219. package/lib/vendor/blamejs/lib/bundler.js +2 -0
  220. package/lib/vendor/blamejs/lib/cache-redis.js +2 -0
  221. package/lib/vendor/blamejs/lib/cache-status.js +2 -0
  222. package/lib/vendor/blamejs/lib/cache.js +13 -5
  223. package/lib/vendor/blamejs/lib/calendar.js +2 -0
  224. package/lib/vendor/blamejs/lib/canonical-json.js +19 -3
  225. package/lib/vendor/blamejs/lib/cbor.js +2 -0
  226. package/lib/vendor/blamejs/lib/cdn-cache-control.js +2 -0
  227. package/lib/vendor/blamejs/lib/cert.js +2 -0
  228. package/lib/vendor/blamejs/lib/chain-writer.js +2 -0
  229. package/lib/vendor/blamejs/lib/circuit-breaker.js +2 -0
  230. package/lib/vendor/blamejs/lib/cli-helpers.js +2 -0
  231. package/lib/vendor/blamejs/lib/cli.js +57 -20
  232. package/lib/vendor/blamejs/lib/client-hints.js +2 -0
  233. package/lib/vendor/blamejs/lib/cloud-events.js +2 -0
  234. package/lib/vendor/blamejs/lib/cluster-provider-db.js +2 -0
  235. package/lib/vendor/blamejs/lib/cluster-storage.js +2 -0
  236. package/lib/vendor/blamejs/lib/cluster.js +2 -0
  237. package/lib/vendor/blamejs/lib/cms-codec.js +2 -0
  238. package/lib/vendor/blamejs/lib/codepoint-class.js +2 -0
  239. package/lib/vendor/blamejs/lib/compliance-ai-act-logging.js +2 -0
  240. package/lib/vendor/blamejs/lib/compliance-ai-act-prohibited.js +2 -0
  241. package/lib/vendor/blamejs/lib/compliance-ai-act-risk.js +2 -0
  242. package/lib/vendor/blamejs/lib/compliance-ai-act-transparency.js +2 -0
  243. package/lib/vendor/blamejs/lib/compliance-ai-act.js +2 -0
  244. package/lib/vendor/blamejs/lib/compliance-eaa.js +2 -0
  245. package/lib/vendor/blamejs/lib/compliance-sanctions-aliases.js +2 -0
  246. package/lib/vendor/blamejs/lib/compliance-sanctions-fetcher.js +2 -0
  247. package/lib/vendor/blamejs/lib/compliance-sanctions-fuzzy.js +2 -0
  248. package/lib/vendor/blamejs/lib/compliance-sanctions.js +2 -0
  249. package/lib/vendor/blamejs/lib/compliance.js +2 -0
  250. package/lib/vendor/blamejs/lib/config-drift.js +2 -0
  251. package/lib/vendor/blamejs/lib/config.js +2 -0
  252. package/lib/vendor/blamejs/lib/consent.js +2 -0
  253. package/lib/vendor/blamejs/lib/constants.js +2 -0
  254. package/lib/vendor/blamejs/lib/content-credentials.js +2 -0
  255. package/lib/vendor/blamejs/lib/content-digest.js +2 -0
  256. package/lib/vendor/blamejs/lib/cookies.js +2 -0
  257. package/lib/vendor/blamejs/lib/cose.js +2 -0
  258. package/lib/vendor/blamejs/lib/cra-report.js +2 -0
  259. package/lib/vendor/blamejs/lib/crdt.js +2 -0
  260. package/lib/vendor/blamejs/lib/credential-hash.js +2 -0
  261. package/lib/vendor/blamejs/lib/crypto-field.js +2 -0
  262. package/lib/vendor/blamejs/lib/crypto-hpke-pq.js +2 -0
  263. package/lib/vendor/blamejs/lib/crypto-hpke.js +2 -0
  264. package/lib/vendor/blamejs/lib/crypto-oprf.js +2 -0
  265. package/lib/vendor/blamejs/lib/crypto-xwing.js +2 -0
  266. package/lib/vendor/blamejs/lib/crypto.js +2 -0
  267. package/lib/vendor/blamejs/lib/csp.js +2 -0
  268. package/lib/vendor/blamejs/lib/csv.js +14 -1
  269. package/lib/vendor/blamejs/lib/cwt.js +2 -0
  270. package/lib/vendor/blamejs/lib/daemon.js +2 -0
  271. package/lib/vendor/blamejs/lib/dark-patterns.js +2 -0
  272. package/lib/vendor/blamejs/lib/data-act.js +2 -0
  273. package/lib/vendor/blamejs/lib/db-collection.js +2 -0
  274. package/lib/vendor/blamejs/lib/db-declare-row-policy.js +2 -0
  275. package/lib/vendor/blamejs/lib/db-declare-view.js +2 -0
  276. package/lib/vendor/blamejs/lib/db-file-lifecycle.js +2 -0
  277. package/lib/vendor/blamejs/lib/db-query.js +2 -0
  278. package/lib/vendor/blamejs/lib/db-role-context.js +2 -0
  279. package/lib/vendor/blamejs/lib/db-schema.js +2 -0
  280. package/lib/vendor/blamejs/lib/db.js +2 -0
  281. package/lib/vendor/blamejs/lib/dbsc.js +2 -0
  282. package/lib/vendor/blamejs/lib/ddl-change-control.js +2 -0
  283. package/lib/vendor/blamejs/lib/deprecate.js +2 -0
  284. package/lib/vendor/blamejs/lib/dev.js +2 -0
  285. package/lib/vendor/blamejs/lib/did.js +2 -0
  286. package/lib/vendor/blamejs/lib/dora.js +2 -0
  287. package/lib/vendor/blamejs/lib/dr-runbook.js +2 -0
  288. package/lib/vendor/blamejs/lib/dsa.js +2 -0
  289. package/lib/vendor/blamejs/lib/dsr.js +2 -0
  290. package/lib/vendor/blamejs/lib/dual-control.js +11 -15
  291. package/lib/vendor/blamejs/lib/early-hints.js +2 -0
  292. package/lib/vendor/blamejs/lib/eat.js +4 -1
  293. package/lib/vendor/blamejs/lib/error-page.js +2 -0
  294. package/lib/vendor/blamejs/lib/events.js +2 -0
  295. package/lib/vendor/blamejs/lib/external-db-migrate.js +2 -0
  296. package/lib/vendor/blamejs/lib/external-db.js +2 -0
  297. package/lib/vendor/blamejs/lib/fapi2.js +2 -0
  298. package/lib/vendor/blamejs/lib/fda-21cfr11.js +2 -0
  299. package/lib/vendor/blamejs/lib/fdx.js +2 -0
  300. package/lib/vendor/blamejs/lib/fedcm.js +2 -0
  301. package/lib/vendor/blamejs/lib/file-type.js +2 -0
  302. package/lib/vendor/blamejs/lib/file-upload.js +139 -21
  303. package/lib/vendor/blamejs/lib/flag-cache.js +2 -0
  304. package/lib/vendor/blamejs/lib/flag-evaluation-context.js +2 -0
  305. package/lib/vendor/blamejs/lib/flag-providers.js +2 -0
  306. package/lib/vendor/blamejs/lib/flag-targeting.js +4 -7
  307. package/lib/vendor/blamejs/lib/flag.js +2 -0
  308. package/lib/vendor/blamejs/lib/forms.js +11 -0
  309. package/lib/vendor/blamejs/lib/framework-error.js +2 -0
  310. package/lib/vendor/blamejs/lib/framework-files.js +2 -0
  311. package/lib/vendor/blamejs/lib/framework-schema.js +2 -0
  312. package/lib/vendor/blamejs/lib/framework-sha1-hibp.js +2 -0
  313. package/lib/vendor/blamejs/lib/fsm.js +2 -0
  314. package/lib/vendor/blamejs/lib/gate-contract.js +2 -0
  315. package/lib/vendor/blamejs/lib/gdpr-ropa.js +2 -0
  316. package/lib/vendor/blamejs/lib/graphql-federation.js +2 -0
  317. package/lib/vendor/blamejs/lib/guard-agent-registry.js +2 -0
  318. package/lib/vendor/blamejs/lib/guard-all.js +2 -0
  319. package/lib/vendor/blamejs/lib/guard-archive.js +2 -0
  320. package/lib/vendor/blamejs/lib/guard-auth.js +2 -0
  321. package/lib/vendor/blamejs/lib/guard-cidr.js +2 -0
  322. package/lib/vendor/blamejs/lib/guard-csv.js +2 -0
  323. package/lib/vendor/blamejs/lib/guard-domain.js +2 -0
  324. package/lib/vendor/blamejs/lib/guard-dsn.js +2 -0
  325. package/lib/vendor/blamejs/lib/guard-email.js +2 -0
  326. package/lib/vendor/blamejs/lib/guard-envelope.js +2 -0
  327. package/lib/vendor/blamejs/lib/guard-event-bus-payload.js +2 -0
  328. package/lib/vendor/blamejs/lib/guard-event-bus-topic.js +2 -0
  329. package/lib/vendor/blamejs/lib/guard-filename.js +2 -0
  330. package/lib/vendor/blamejs/lib/guard-graphql.js +2 -0
  331. package/lib/vendor/blamejs/lib/guard-html-wcag-aria.js +2 -0
  332. package/lib/vendor/blamejs/lib/guard-html-wcag-forms.js +2 -0
  333. package/lib/vendor/blamejs/lib/guard-html-wcag-tables.js +2 -0
  334. package/lib/vendor/blamejs/lib/guard-html-wcag-tagwalk.js +2 -0
  335. package/lib/vendor/blamejs/lib/guard-html-wcag.js +2 -0
  336. package/lib/vendor/blamejs/lib/guard-html.js +2 -0
  337. package/lib/vendor/blamejs/lib/guard-idempotency-key.js +2 -0
  338. package/lib/vendor/blamejs/lib/guard-image.js +2 -0
  339. package/lib/vendor/blamejs/lib/guard-imap-command.js +2 -0
  340. package/lib/vendor/blamejs/lib/guard-jmap.js +2 -0
  341. package/lib/vendor/blamejs/lib/guard-json.js +2 -0
  342. package/lib/vendor/blamejs/lib/guard-jsonpath.js +2 -0
  343. package/lib/vendor/blamejs/lib/guard-jwt.js +2 -0
  344. package/lib/vendor/blamejs/lib/guard-list-id.js +2 -0
  345. package/lib/vendor/blamejs/lib/guard-list-unsubscribe.js +2 -0
  346. package/lib/vendor/blamejs/lib/guard-mail-compose.js +2 -0
  347. package/lib/vendor/blamejs/lib/guard-mail-move.js +2 -0
  348. package/lib/vendor/blamejs/lib/guard-mail-query.js +2 -0
  349. package/lib/vendor/blamejs/lib/guard-mail-reply.js +2 -0
  350. package/lib/vendor/blamejs/lib/guard-mail-sieve.js +2 -0
  351. package/lib/vendor/blamejs/lib/guard-managesieve-command.js +2 -0
  352. package/lib/vendor/blamejs/lib/guard-markdown.js +2 -0
  353. package/lib/vendor/blamejs/lib/guard-message-id.js +2 -0
  354. package/lib/vendor/blamejs/lib/guard-mime.js +2 -0
  355. package/lib/vendor/blamejs/lib/guard-oauth.js +14 -1
  356. package/lib/vendor/blamejs/lib/guard-pdf.js +2 -0
  357. package/lib/vendor/blamejs/lib/guard-pop3-command.js +2 -0
  358. package/lib/vendor/blamejs/lib/guard-posture-chain.js +2 -0
  359. package/lib/vendor/blamejs/lib/guard-regex.js +59 -0
  360. package/lib/vendor/blamejs/lib/guard-saga-config.js +2 -0
  361. package/lib/vendor/blamejs/lib/guard-shell.js +2 -0
  362. package/lib/vendor/blamejs/lib/guard-smtp-command.js +2 -0
  363. package/lib/vendor/blamejs/lib/guard-snapshot-envelope.js +2 -0
  364. package/lib/vendor/blamejs/lib/guard-sql.js +2 -0
  365. package/lib/vendor/blamejs/lib/guard-stream-args.js +2 -0
  366. package/lib/vendor/blamejs/lib/guard-svg.js +2 -0
  367. package/lib/vendor/blamejs/lib/guard-template.js +2 -0
  368. package/lib/vendor/blamejs/lib/guard-tenant-id.js +2 -0
  369. package/lib/vendor/blamejs/lib/guard-text.js +2 -0
  370. package/lib/vendor/blamejs/lib/guard-time.js +2 -0
  371. package/lib/vendor/blamejs/lib/guard-trace-context.js +2 -0
  372. package/lib/vendor/blamejs/lib/guard-uuid.js +2 -0
  373. package/lib/vendor/blamejs/lib/guard-xml.js +2 -0
  374. package/lib/vendor/blamejs/lib/guard-yaml.js +2 -0
  375. package/lib/vendor/blamejs/lib/hal.js +2 -0
  376. package/lib/vendor/blamejs/lib/handlers.js +2 -0
  377. package/lib/vendor/blamejs/lib/honeytoken.js +2 -0
  378. package/lib/vendor/blamejs/lib/html-balance.js +2 -0
  379. package/lib/vendor/blamejs/lib/http-client-cache.js +2 -0
  380. package/lib/vendor/blamejs/lib/http-client-cookie-jar.js +2 -0
  381. package/lib/vendor/blamejs/lib/http-client.js +2 -0
  382. package/lib/vendor/blamejs/lib/http-message-signature.js +144 -11
  383. package/lib/vendor/blamejs/lib/http2-teardown.js +2 -0
  384. package/lib/vendor/blamejs/lib/i18n-messageformat.js +35 -6
  385. package/lib/vendor/blamejs/lib/i18n.js +2 -0
  386. package/lib/vendor/blamejs/lib/iab-mspa.js +2 -0
  387. package/lib/vendor/blamejs/lib/iab-tcf.js +2 -0
  388. package/lib/vendor/blamejs/lib/importmap-integrity.js +2 -0
  389. package/lib/vendor/blamejs/lib/inbox.js +2 -0
  390. package/lib/vendor/blamejs/lib/incident-report.js +2 -0
  391. package/lib/vendor/blamejs/lib/ip-utils.js +2 -0
  392. package/lib/vendor/blamejs/lib/jobs.js +2 -0
  393. package/lib/vendor/blamejs/lib/jose-jwe-experimental.js +2 -0
  394. package/lib/vendor/blamejs/lib/json-merge-patch.js +2 -0
  395. package/lib/vendor/blamejs/lib/json-patch.js +2 -0
  396. package/lib/vendor/blamejs/lib/json-path.js +2 -0
  397. package/lib/vendor/blamejs/lib/json-pointer.js +2 -0
  398. package/lib/vendor/blamejs/lib/json-schema.js +13 -1
  399. package/lib/vendor/blamejs/lib/jsonapi.js +2 -0
  400. package/lib/vendor/blamejs/lib/jtd.js +2 -0
  401. package/lib/vendor/blamejs/lib/jwk.js +2 -0
  402. package/lib/vendor/blamejs/lib/keychain.js +32 -10
  403. package/lib/vendor/blamejs/lib/lazy-require.js +2 -0
  404. package/lib/vendor/blamejs/lib/legal-hold.js +2 -0
  405. package/lib/vendor/blamejs/lib/link-header.js +2 -0
  406. package/lib/vendor/blamejs/lib/local-db-thin.js +2 -0
  407. package/lib/vendor/blamejs/lib/log-stream-cloudwatch.js +2 -0
  408. package/lib/vendor/blamejs/lib/log-stream-local.js +2 -0
  409. package/lib/vendor/blamejs/lib/log-stream-otlp-grpc.js +2 -0
  410. package/lib/vendor/blamejs/lib/log-stream-otlp.js +2 -0
  411. package/lib/vendor/blamejs/lib/log-stream-syslog.js +2 -0
  412. package/lib/vendor/blamejs/lib/log-stream-webhook.js +2 -0
  413. package/lib/vendor/blamejs/lib/log-stream.js +2 -0
  414. package/lib/vendor/blamejs/lib/log.js +2 -0
  415. package/lib/vendor/blamejs/lib/lro.js +2 -0
  416. package/lib/vendor/blamejs/lib/mail-agent.js +2 -0
  417. package/lib/vendor/blamejs/lib/mail-arc-reuse-token.js +20 -0
  418. package/lib/vendor/blamejs/lib/mail-arc-sign.js +32 -14
  419. package/lib/vendor/blamejs/lib/mail-arf.js +4 -0
  420. package/lib/vendor/blamejs/lib/mail-auth.js +93 -19
  421. package/lib/vendor/blamejs/lib/mail-bimi.js +26 -10
  422. package/lib/vendor/blamejs/lib/mail-bounce.js +23 -6
  423. package/lib/vendor/blamejs/lib/mail-crypto-pgp.js +2 -0
  424. package/lib/vendor/blamejs/lib/mail-crypto-smime.js +2 -0
  425. package/lib/vendor/blamejs/lib/mail-crypto.js +2 -0
  426. package/lib/vendor/blamejs/lib/mail-dav.js +2 -0
  427. package/lib/vendor/blamejs/lib/mail-deploy.js +2 -0
  428. package/lib/vendor/blamejs/lib/mail-dkim.js +44 -5
  429. package/lib/vendor/blamejs/lib/mail-greylist.js +2 -0
  430. package/lib/vendor/blamejs/lib/mail-helo.js +16 -0
  431. package/lib/vendor/blamejs/lib/mail-journal.js +2 -0
  432. package/lib/vendor/blamejs/lib/mail-mdn.js +17 -0
  433. package/lib/vendor/blamejs/lib/mail-rbl.js +2 -0
  434. package/lib/vendor/blamejs/lib/mail-require-tls.js +2 -0
  435. package/lib/vendor/blamejs/lib/mail-scan.js +2 -0
  436. package/lib/vendor/blamejs/lib/mail-send-deliver.js +32 -7
  437. package/lib/vendor/blamejs/lib/mail-server-imap.js +2 -0
  438. package/lib/vendor/blamejs/lib/mail-server-jmap.js +23 -11
  439. package/lib/vendor/blamejs/lib/mail-server-managesieve.js +2 -0
  440. package/lib/vendor/blamejs/lib/mail-server-mx.js +2 -0
  441. package/lib/vendor/blamejs/lib/mail-server-net.js +2 -0
  442. package/lib/vendor/blamejs/lib/mail-server-pop3.js +2 -0
  443. package/lib/vendor/blamejs/lib/mail-server-rate-limit.js +2 -0
  444. package/lib/vendor/blamejs/lib/mail-server-registry.js +2 -0
  445. package/lib/vendor/blamejs/lib/mail-server-submission.js +2 -0
  446. package/lib/vendor/blamejs/lib/mail-server-tls.js +2 -0
  447. package/lib/vendor/blamejs/lib/mail-sieve.js +2 -0
  448. package/lib/vendor/blamejs/lib/mail-spam-score.js +2 -0
  449. package/lib/vendor/blamejs/lib/mail-srs.js +8 -0
  450. package/lib/vendor/blamejs/lib/mail-store-fts.js +2 -0
  451. package/lib/vendor/blamejs/lib/mail-store.js +2 -0
  452. package/lib/vendor/blamejs/lib/mail-unsubscribe.js +2 -0
  453. package/lib/vendor/blamejs/lib/mail.js +11 -0
  454. package/lib/vendor/blamejs/lib/markup-escape.js +2 -0
  455. package/lib/vendor/blamejs/lib/markup-tokenizer.js +2 -0
  456. package/lib/vendor/blamejs/lib/mcp-tool-registry.js +2 -0
  457. package/lib/vendor/blamejs/lib/mcp.js +4 -2
  458. package/lib/vendor/blamejs/lib/mdoc.js +2 -0
  459. package/lib/vendor/blamejs/lib/metrics.js +2 -0
  460. package/lib/vendor/blamejs/lib/middleware/age-gate.js +2 -0
  461. package/lib/vendor/blamejs/lib/middleware/ai-act-disclosure.js +2 -0
  462. package/lib/vendor/blamejs/lib/middleware/api-encrypt.js +2 -0
  463. package/lib/vendor/blamejs/lib/middleware/assetlinks.js +2 -0
  464. package/lib/vendor/blamejs/lib/middleware/asyncapi-serve.js +2 -0
  465. package/lib/vendor/blamejs/lib/middleware/attach-user.js +2 -0
  466. package/lib/vendor/blamejs/lib/middleware/bearer-auth.js +2 -0
  467. package/lib/vendor/blamejs/lib/middleware/body-parser.js +2 -0
  468. package/lib/vendor/blamejs/lib/middleware/bot-disclose.js +2 -0
  469. package/lib/vendor/blamejs/lib/middleware/bot-guard.js +10 -1
  470. package/lib/vendor/blamejs/lib/middleware/clear-site-data.js +2 -0
  471. package/lib/vendor/blamejs/lib/middleware/compose-pipeline.js +2 -0
  472. package/lib/vendor/blamejs/lib/middleware/compression.js +2 -0
  473. package/lib/vendor/blamejs/lib/middleware/cookies.js +2 -0
  474. package/lib/vendor/blamejs/lib/middleware/cors.js +7 -0
  475. package/lib/vendor/blamejs/lib/middleware/csp-nonce.js +2 -0
  476. package/lib/vendor/blamejs/lib/middleware/csp-report.js +2 -0
  477. package/lib/vendor/blamejs/lib/middleware/csrf-protect.js +12 -5
  478. package/lib/vendor/blamejs/lib/middleware/daily-byte-quota.js +2 -0
  479. package/lib/vendor/blamejs/lib/middleware/db-role-for.js +2 -0
  480. package/lib/vendor/blamejs/lib/middleware/deny-response.js +2 -0
  481. package/lib/vendor/blamejs/lib/middleware/dpop.js +2 -0
  482. package/lib/vendor/blamejs/lib/middleware/error-handler.js +2 -0
  483. package/lib/vendor/blamejs/lib/middleware/fetch-metadata.js +2 -0
  484. package/lib/vendor/blamejs/lib/middleware/flag-context.js +2 -0
  485. package/lib/vendor/blamejs/lib/middleware/gpc.js +2 -0
  486. package/lib/vendor/blamejs/lib/middleware/headers.js +2 -0
  487. package/lib/vendor/blamejs/lib/middleware/health.js +2 -0
  488. package/lib/vendor/blamejs/lib/middleware/host-allowlist.js +2 -0
  489. package/lib/vendor/blamejs/lib/middleware/idempotency-key.js +30 -2
  490. package/lib/vendor/blamejs/lib/middleware/index.js +2 -0
  491. package/lib/vendor/blamejs/lib/middleware/nel.js +2 -0
  492. package/lib/vendor/blamejs/lib/middleware/network-allowlist.js +2 -0
  493. package/lib/vendor/blamejs/lib/middleware/no-cache.js +2 -0
  494. package/lib/vendor/blamejs/lib/middleware/openapi-serve.js +2 -0
  495. package/lib/vendor/blamejs/lib/middleware/protected-resource-metadata.js +2 -0
  496. package/lib/vendor/blamejs/lib/middleware/rate-limit.js +2 -0
  497. package/lib/vendor/blamejs/lib/middleware/request-id.js +2 -0
  498. package/lib/vendor/blamejs/lib/middleware/request-log.js +6 -0
  499. package/lib/vendor/blamejs/lib/middleware/require-aal.js +2 -0
  500. package/lib/vendor/blamejs/lib/middleware/require-auth.js +2 -0
  501. package/lib/vendor/blamejs/lib/middleware/require-bound-key.js +2 -0
  502. package/lib/vendor/blamejs/lib/middleware/require-content-type.js +2 -0
  503. package/lib/vendor/blamejs/lib/middleware/require-methods.js +2 -0
  504. package/lib/vendor/blamejs/lib/middleware/require-mtls.js +2 -0
  505. package/lib/vendor/blamejs/lib/middleware/require-step-up.js +42 -1
  506. package/lib/vendor/blamejs/lib/middleware/scim-server.js +2 -0
  507. package/lib/vendor/blamejs/lib/middleware/security-headers.js +2 -0
  508. package/lib/vendor/blamejs/lib/middleware/security-txt.js +2 -0
  509. package/lib/vendor/blamejs/lib/middleware/span-http-server.js +12 -0
  510. package/lib/vendor/blamejs/lib/middleware/speculation-rules.js +2 -0
  511. package/lib/vendor/blamejs/lib/middleware/sse.js +2 -0
  512. package/lib/vendor/blamejs/lib/middleware/trace-log-correlation.js +2 -0
  513. package/lib/vendor/blamejs/lib/middleware/trace-propagate.js +2 -0
  514. package/lib/vendor/blamejs/lib/middleware/tus-upload.js +2 -0
  515. package/lib/vendor/blamejs/lib/middleware/web-app-manifest.js +2 -0
  516. package/lib/vendor/blamejs/lib/migration-files.js +2 -0
  517. package/lib/vendor/blamejs/lib/migrations.js +2 -0
  518. package/lib/vendor/blamejs/lib/mime-parse.js +5 -1
  519. package/lib/vendor/blamejs/lib/module-loader.js +2 -0
  520. package/lib/vendor/blamejs/lib/money.js +2 -0
  521. package/lib/vendor/blamejs/lib/mtls-ca.js +2 -0
  522. package/lib/vendor/blamejs/lib/mtls-engine-default.js +2 -0
  523. package/lib/vendor/blamejs/lib/network-byte-quota.js +76 -14
  524. package/lib/vendor/blamejs/lib/network-dane.js +2 -0
  525. package/lib/vendor/blamejs/lib/network-dns-resolver.js +55 -18
  526. package/lib/vendor/blamejs/lib/network-dns.js +2 -0
  527. package/lib/vendor/blamejs/lib/network-dnssec.js +15 -2
  528. package/lib/vendor/blamejs/lib/network-heartbeat.js +2 -0
  529. package/lib/vendor/blamejs/lib/network-nts.js +2 -0
  530. package/lib/vendor/blamejs/lib/network-proxy.js +2 -0
  531. package/lib/vendor/blamejs/lib/network-smtp-policy.js +6 -1
  532. package/lib/vendor/blamejs/lib/network-tls.js +99 -5
  533. package/lib/vendor/blamejs/lib/network-tsig.js +13 -1
  534. package/lib/vendor/blamejs/lib/network.js +2 -0
  535. package/lib/vendor/blamejs/lib/nis2-report.js +2 -0
  536. package/lib/vendor/blamejs/lib/nist-crosswalk.js +2 -0
  537. package/lib/vendor/blamejs/lib/nonce-store.js +2 -0
  538. package/lib/vendor/blamejs/lib/notify.js +2 -0
  539. package/lib/vendor/blamejs/lib/ntp-check.js +2 -0
  540. package/lib/vendor/blamejs/lib/numeric-bounds.js +2 -0
  541. package/lib/vendor/blamejs/lib/numeric-checks.js +2 -0
  542. package/lib/vendor/blamejs/lib/object-store/azure-blob-bucket-ops.js +2 -0
  543. package/lib/vendor/blamejs/lib/object-store/azure-blob.js +2 -0
  544. package/lib/vendor/blamejs/lib/object-store/gcs-bucket-ops.js +2 -0
  545. package/lib/vendor/blamejs/lib/object-store/gcs.js +2 -0
  546. package/lib/vendor/blamejs/lib/object-store/http-put.js +2 -0
  547. package/lib/vendor/blamejs/lib/object-store/http-request.js +2 -0
  548. package/lib/vendor/blamejs/lib/object-store/index.js +2 -0
  549. package/lib/vendor/blamejs/lib/object-store/local.js +2 -0
  550. package/lib/vendor/blamejs/lib/object-store/sigv4-bucket-ops.js +2 -0
  551. package/lib/vendor/blamejs/lib/object-store/sigv4.js +2 -0
  552. package/lib/vendor/blamejs/lib/observability-otlp-exporter.js +4 -2
  553. package/lib/vendor/blamejs/lib/observability-tracer.js +2 -0
  554. package/lib/vendor/blamejs/lib/observability.js +2 -0
  555. package/lib/vendor/blamejs/lib/openapi-paths-builder.js +2 -0
  556. package/lib/vendor/blamejs/lib/openapi-schema-walk.js +2 -0
  557. package/lib/vendor/blamejs/lib/openapi-security.js +2 -0
  558. package/lib/vendor/blamejs/lib/openapi-yaml.js +2 -0
  559. package/lib/vendor/blamejs/lib/openapi.js +2 -0
  560. package/lib/vendor/blamejs/lib/otel-export.js +2 -0
  561. package/lib/vendor/blamejs/lib/outbox.js +2 -0
  562. package/lib/vendor/blamejs/lib/pagination.js +2 -0
  563. package/lib/vendor/blamejs/lib/parsers/index.js +2 -0
  564. package/lib/vendor/blamejs/lib/parsers/safe-env.js +2 -0
  565. package/lib/vendor/blamejs/lib/parsers/safe-ini.js +2 -0
  566. package/lib/vendor/blamejs/lib/parsers/safe-toml.js +2 -0
  567. package/lib/vendor/blamejs/lib/parsers/safe-xml.js +2 -0
  568. package/lib/vendor/blamejs/lib/parsers/safe-yaml.js +2 -0
  569. package/lib/vendor/blamejs/lib/permissions.js +2 -0
  570. package/lib/vendor/blamejs/lib/pick.js +2 -0
  571. package/lib/vendor/blamejs/lib/pipl-cn.js +2 -0
  572. package/lib/vendor/blamejs/lib/pqc-agent.js +2 -0
  573. package/lib/vendor/blamejs/lib/pqc-gate.js +2 -0
  574. package/lib/vendor/blamejs/lib/pqc-software.js +2 -0
  575. package/lib/vendor/blamejs/lib/privacy-pass.js +2 -0
  576. package/lib/vendor/blamejs/lib/privacy.js +2 -0
  577. package/lib/vendor/blamejs/lib/problem-details.js +2 -0
  578. package/lib/vendor/blamejs/lib/process-spawn.js +2 -0
  579. package/lib/vendor/blamejs/lib/promise-pool.js +2 -0
  580. package/lib/vendor/blamejs/lib/protobuf-encoder.js +2 -0
  581. package/lib/vendor/blamejs/lib/protocol-dispatcher.js +2 -0
  582. package/lib/vendor/blamejs/lib/public-suffix.js +45 -5
  583. package/lib/vendor/blamejs/lib/pubsub-cluster.js +2 -0
  584. package/lib/vendor/blamejs/lib/pubsub-redis.js +2 -0
  585. package/lib/vendor/blamejs/lib/pubsub.js +2 -0
  586. package/lib/vendor/blamejs/lib/queue-local.js +28 -11
  587. package/lib/vendor/blamejs/lib/queue-redis.js +79 -17
  588. package/lib/vendor/blamejs/lib/queue-sqs.js +2 -0
  589. package/lib/vendor/blamejs/lib/queue.js +5 -3
  590. package/lib/vendor/blamejs/lib/redact.js +2 -0
  591. package/lib/vendor/blamejs/lib/redis-client.js +30 -5
  592. package/lib/vendor/blamejs/lib/render.js +2 -0
  593. package/lib/vendor/blamejs/lib/request-helpers.js +11 -0
  594. package/lib/vendor/blamejs/lib/resource-access-lock.js +2 -0
  595. package/lib/vendor/blamejs/lib/restore-bundle.js +2 -0
  596. package/lib/vendor/blamejs/lib/restore-rollback.js +2 -0
  597. package/lib/vendor/blamejs/lib/restore.js +2 -0
  598. package/lib/vendor/blamejs/lib/retention.js +2 -0
  599. package/lib/vendor/blamejs/lib/retry.js +2 -0
  600. package/lib/vendor/blamejs/lib/rfc3339.js +2 -0
  601. package/lib/vendor/blamejs/lib/router.js +109 -19
  602. package/lib/vendor/blamejs/lib/safe-archive.js +2 -0
  603. package/lib/vendor/blamejs/lib/safe-async.js +44 -0
  604. package/lib/vendor/blamejs/lib/safe-buffer.js +66 -0
  605. package/lib/vendor/blamejs/lib/safe-decompress.js +2 -0
  606. package/lib/vendor/blamejs/lib/safe-dns.js +2 -0
  607. package/lib/vendor/blamejs/lib/safe-ical.js +2 -0
  608. package/lib/vendor/blamejs/lib/safe-icap.js +7 -0
  609. package/lib/vendor/blamejs/lib/safe-json.js +2 -0
  610. package/lib/vendor/blamejs/lib/safe-jsonpath.js +2 -0
  611. package/lib/vendor/blamejs/lib/safe-mime.js +2 -0
  612. package/lib/vendor/blamejs/lib/safe-mount-info.js +2 -0
  613. package/lib/vendor/blamejs/lib/safe-path.js +2 -0
  614. package/lib/vendor/blamejs/lib/safe-redirect.js +2 -0
  615. package/lib/vendor/blamejs/lib/safe-schema.js +2 -0
  616. package/lib/vendor/blamejs/lib/safe-sieve.js +2 -0
  617. package/lib/vendor/blamejs/lib/safe-smtp.js +2 -0
  618. package/lib/vendor/blamejs/lib/safe-sql.js +2 -0
  619. package/lib/vendor/blamejs/lib/safe-url.js +2 -0
  620. package/lib/vendor/blamejs/lib/safe-vcard.js +2 -0
  621. package/lib/vendor/blamejs/lib/sandbox-worker.js +2 -0
  622. package/lib/vendor/blamejs/lib/sandbox.js +2 -0
  623. package/lib/vendor/blamejs/lib/scheduler.js +2 -0
  624. package/lib/vendor/blamejs/lib/scitt.js +2 -0
  625. package/lib/vendor/blamejs/lib/sd-notify.js +2 -0
  626. package/lib/vendor/blamejs/lib/sec-cyber.js +2 -0
  627. package/lib/vendor/blamejs/lib/security-assert.js +2 -0
  628. package/lib/vendor/blamejs/lib/seeders.js +2 -0
  629. package/lib/vendor/blamejs/lib/self-update-standalone-verifier.js +2 -0
  630. package/lib/vendor/blamejs/lib/self-update.js +104 -56
  631. package/lib/vendor/blamejs/lib/server-timing.js +2 -0
  632. package/lib/vendor/blamejs/lib/session-device-binding.js +2 -0
  633. package/lib/vendor/blamejs/lib/session-stores.js +2 -0
  634. package/lib/vendor/blamejs/lib/session.js +71 -32
  635. package/lib/vendor/blamejs/lib/slug.js +2 -0
  636. package/lib/vendor/blamejs/lib/sql.js +2 -0
  637. package/lib/vendor/blamejs/lib/sse.js +2 -0
  638. package/lib/vendor/blamejs/lib/ssrf-guard.js +9 -1
  639. package/lib/vendor/blamejs/lib/standard-webhooks.js +2 -0
  640. package/lib/vendor/blamejs/lib/static.js +54 -20
  641. package/lib/vendor/blamejs/lib/storage.js +2 -0
  642. package/lib/vendor/blamejs/lib/stream-throttle.js +2 -0
  643. package/lib/vendor/blamejs/lib/structured-fields.js +2 -0
  644. package/lib/vendor/blamejs/lib/subject.js +2 -0
  645. package/lib/vendor/blamejs/lib/tcpa-10dlc.js +2 -0
  646. package/lib/vendor/blamejs/lib/template.js +2 -0
  647. package/lib/vendor/blamejs/lib/tenant-quota.js +2 -0
  648. package/lib/vendor/blamejs/lib/test-harness.js +2 -0
  649. package/lib/vendor/blamejs/lib/testing.js +2 -0
  650. package/lib/vendor/blamejs/lib/time.js +2 -0
  651. package/lib/vendor/blamejs/lib/tls-exporter.js +2 -0
  652. package/lib/vendor/blamejs/lib/totp.js +2 -0
  653. package/lib/vendor/blamejs/lib/tracing.js +2 -0
  654. package/lib/vendor/blamejs/lib/tsa.js +2 -0
  655. package/lib/vendor/blamejs/lib/uri-template.js +2 -0
  656. package/lib/vendor/blamejs/lib/uuid.js +2 -0
  657. package/lib/vendor/blamejs/lib/validate-opts.js +2 -0
  658. package/lib/vendor/blamejs/lib/vault/index.js +2 -0
  659. package/lib/vendor/blamejs/lib/vault/passphrase-ops.js +2 -0
  660. package/lib/vendor/blamejs/lib/vault/passphrase-source.js +2 -0
  661. package/lib/vendor/blamejs/lib/vault/rotate.js +2 -0
  662. package/lib/vendor/blamejs/lib/vault/seal-pem-file.js +2 -0
  663. package/lib/vendor/blamejs/lib/vault/wrap.js +2 -0
  664. package/lib/vendor/blamejs/lib/vault-aad.js +2 -0
  665. package/lib/vendor/blamejs/lib/vc.js +31 -0
  666. package/lib/vendor/blamejs/lib/vendor/MANIFEST.json +10 -10
  667. package/lib/vendor/blamejs/lib/vendor/public-suffix-list.dat +2 -4
  668. package/lib/vendor/blamejs/lib/vendor/public-suffix-list.data.js +745 -745
  669. package/lib/vendor/blamejs/lib/vendor-data.js +2 -0
  670. package/lib/vendor/blamejs/lib/vex.js +2 -0
  671. package/lib/vendor/blamejs/lib/watcher.js +2 -0
  672. package/lib/vendor/blamejs/lib/web-push-vapid.js +2 -0
  673. package/lib/vendor/blamejs/lib/webhook-dispatcher.js +33 -5
  674. package/lib/vendor/blamejs/lib/webhook.js +2 -0
  675. package/lib/vendor/blamejs/lib/websocket-channels.js +2 -0
  676. package/lib/vendor/blamejs/lib/websocket.js +2 -0
  677. package/lib/vendor/blamejs/lib/wiki-concepts.js +2 -0
  678. package/lib/vendor/blamejs/lib/worker-pool.js +2 -0
  679. package/lib/vendor/blamejs/lib/worm.js +2 -0
  680. package/lib/vendor/blamejs/lib/ws-client.js +2 -0
  681. package/lib/vendor/blamejs/lib/x509-chain.js +2 -0
  682. package/lib/vendor/blamejs/lib/xml-c14n.js +10 -7
  683. package/lib/vendor/blamejs/oss-fuzz/projects/blamejs/Dockerfile +7 -6
  684. package/lib/vendor/blamejs/package-lock.json +533 -0
  685. package/lib/vendor/blamejs/package.json +3 -3
  686. package/lib/vendor/blamejs/release-notes/v0.15.x.json +2284 -0
  687. package/lib/vendor/blamejs/release-notes/v0.16.0.json +44 -0
  688. package/lib/vendor/blamejs/release-notes/v0.16.1.json +36 -0
  689. package/lib/vendor/blamejs/release-notes/v0.16.2.json +71 -0
  690. package/lib/vendor/blamejs/scripts/build-vendored-sbom.js +2 -0
  691. package/lib/vendor/blamejs/scripts/check-actions-currency.js +113 -1
  692. package/lib/vendor/blamejs/scripts/check-api-snapshot.js +2 -0
  693. package/lib/vendor/blamejs/scripts/check-changelog-extract.js +2 -0
  694. package/lib/vendor/blamejs/scripts/check-esbuild-pin.js +33 -40
  695. package/lib/vendor/blamejs/scripts/check-pack-against-gitignore.js +2 -0
  696. package/lib/vendor/blamejs/scripts/check-services.js +2 -0
  697. package/lib/vendor/blamejs/scripts/check-vendor-currency.js +2 -0
  698. package/lib/vendor/blamejs/scripts/consolidate-release-notes.js +2 -0
  699. package/lib/vendor/blamejs/scripts/gen-migrating.js +2 -0
  700. package/lib/vendor/blamejs/scripts/generate-changelog-entry.js +2 -0
  701. package/lib/vendor/blamejs/scripts/generate-release-signing-key.js +2 -0
  702. package/lib/vendor/blamejs/scripts/generate-ssdf-attestation.js +2 -0
  703. package/lib/vendor/blamejs/scripts/pin-all.js +215 -0
  704. package/lib/vendor/blamejs/scripts/refresh-api-snapshot.js +2 -0
  705. package/lib/vendor/blamejs/scripts/refresh-vendor-manifest.js +2 -0
  706. package/lib/vendor/blamejs/scripts/release.js +5 -1
  707. package/lib/vendor/blamejs/scripts/sha3-digest.js +2 -0
  708. package/lib/vendor/blamejs/scripts/sign-release-artifact.js +2 -0
  709. package/lib/vendor/blamejs/scripts/test-integration.js +2 -0
  710. package/lib/vendor/blamejs/scripts/test-wiki-integration.js +2 -0
  711. package/lib/vendor/blamejs/scripts/validate-source-comment-blocks.js +2 -0
  712. package/lib/vendor/blamejs/scripts/vendor-data-gen.js +2 -0
  713. package/lib/vendor/blamejs/scripts/vendor-data-keygen.js +2 -0
  714. package/lib/vendor/blamejs/test/00-primitives.js +35 -1
  715. package/lib/vendor/blamejs/test/10-state.js +2 -0
  716. package/lib/vendor/blamejs/test/20-db.js +2 -0
  717. package/lib/vendor/blamejs/test/30-chain.js +2 -0
  718. package/lib/vendor/blamejs/test/40-consumers.js +2 -0
  719. package/lib/vendor/blamejs/test/50-integration.js +2 -0
  720. package/lib/vendor/blamejs/test/_helpers.js +2 -0
  721. package/lib/vendor/blamejs/test/_smoke-worker.js +2 -0
  722. package/lib/vendor/blamejs/test/fixtures/worker-pool/echo.js +2 -0
  723. package/lib/vendor/blamejs/test/helpers/_codebase-shingle-worker.js +2 -0
  724. package/lib/vendor/blamejs/test/helpers/_codebase-shingle.js +2 -0
  725. package/lib/vendor/blamejs/test/helpers/_shape-match.js +2 -0
  726. package/lib/vendor/blamejs/test/helpers/check.js +2 -0
  727. package/lib/vendor/blamejs/test/helpers/cluster.js +2 -0
  728. package/lib/vendor/blamejs/test/helpers/db.js +2 -0
  729. package/lib/vendor/blamejs/test/helpers/drivers.js +2 -0
  730. package/lib/vendor/blamejs/test/helpers/fs-watch.js +2 -0
  731. package/lib/vendor/blamejs/test/helpers/http.js +2 -0
  732. package/lib/vendor/blamejs/test/helpers/index.js +2 -0
  733. package/lib/vendor/blamejs/test/helpers/json-round-trip.js +2 -0
  734. package/lib/vendor/blamejs/test/helpers/mocks.js +2 -0
  735. package/lib/vendor/blamejs/test/helpers/otel.js +2 -0
  736. package/lib/vendor/blamejs/test/helpers/services.js +2 -0
  737. package/lib/vendor/blamejs/test/helpers/wait.js +2 -0
  738. package/lib/vendor/blamejs/test/integration/audit-actor-binding-pg.test.js +2 -0
  739. package/lib/vendor/blamejs/test/integration/audit-chain-external-db.test.js +2 -0
  740. package/lib/vendor/blamejs/test/integration/audit-stack-mysql.test.js +2 -0
  741. package/lib/vendor/blamejs/test/integration/audit-stack-postgres.test.js +2 -0
  742. package/lib/vendor/blamejs/test/integration/backup-restore-objectstore.test.js +2 -0
  743. package/lib/vendor/blamejs/test/integration/cache.test.js +2 -0
  744. package/lib/vendor/blamejs/test/integration/cluster-provider-mysql.test.js +2 -0
  745. package/lib/vendor/blamejs/test/integration/data-layer-cluster-mysql.test.js +2 -0
  746. package/lib/vendor/blamejs/test/integration/data-layer-cluster-pg.test.js +2 -0
  747. package/lib/vendor/blamejs/test/integration/data-layer-mysql-privacy.test.js +2 -0
  748. package/lib/vendor/blamejs/test/integration/data-layer-mysql.test.js +2 -0
  749. package/lib/vendor/blamejs/test/integration/data-layer-pg.test.js +2 -0
  750. package/lib/vendor/blamejs/test/integration/data-layer-postgres.test.js +2 -0
  751. package/lib/vendor/blamejs/test/integration/db-layer-mysql.test.js +2 -0
  752. package/lib/vendor/blamejs/test/integration/db-layer-postgres.test.js +2 -0
  753. package/lib/vendor/blamejs/test/integration/distributed-scheduler-fencing-pg.test.js +2 -0
  754. package/lib/vendor/blamejs/test/integration/external-db-postgres.test.js +2 -0
  755. package/lib/vendor/blamejs/test/integration/federation-auth.test.js +2 -0
  756. package/lib/vendor/blamejs/test/integration/framework-schema-mysql.test.js +2 -0
  757. package/lib/vendor/blamejs/test/integration/http-client.test.js +2 -0
  758. package/lib/vendor/blamejs/test/integration/log-stream-cloudwatch.test.js +2 -0
  759. package/lib/vendor/blamejs/test/integration/log-stream.test.js +2 -0
  760. package/lib/vendor/blamejs/test/integration/mail-crypto-smime.test.js +2 -0
  761. package/lib/vendor/blamejs/test/integration/mail-dkim.test.js +2 -0
  762. package/lib/vendor/blamejs/test/integration/mail-smtp.test.js +2 -0
  763. package/lib/vendor/blamejs/test/integration/mtls-ca.test.js +2 -0
  764. package/lib/vendor/blamejs/test/integration/network-dns.test.js +2 -0
  765. package/lib/vendor/blamejs/test/integration/network-heartbeat.test.js +2 -0
  766. package/lib/vendor/blamejs/test/integration/ntp-check.test.js +2 -0
  767. package/lib/vendor/blamejs/test/integration/object-store-azure.test.js +2 -0
  768. package/lib/vendor/blamejs/test/integration/object-store-gcs.test.js +2 -0
  769. package/lib/vendor/blamejs/test/integration/object-store-sigv4.test.js +2 -0
  770. package/lib/vendor/blamejs/test/integration/object-store-worm-lock.test.js +2 -0
  771. package/lib/vendor/blamejs/test/integration/pqc-pkcs8-forward-compat.test.js +2 -0
  772. package/lib/vendor/blamejs/test/integration/pubsub.test.js +2 -0
  773. package/lib/vendor/blamejs/test/integration/queue-cluster-mysql.test.js +2 -0
  774. package/lib/vendor/blamejs/test/integration/queue-cluster-pg.test.js +2 -0
  775. package/lib/vendor/blamejs/test/integration/queue-redis.test.js +115 -0
  776. package/lib/vendor/blamejs/test/integration/queue-sqs.test.js +2 -0
  777. package/lib/vendor/blamejs/test/integration/redis-client-tls.test.js +2 -0
  778. package/lib/vendor/blamejs/test/integration/redis-reconnect-toxiproxy.test.js +2 -0
  779. package/lib/vendor/blamejs/test/integration/sql-fts5-catalog-sqlite.test.js +2 -0
  780. package/lib/vendor/blamejs/test/integration/ssrf-guard.test.js +2 -0
  781. package/lib/vendor/blamejs/test/integration/tls-classical-downgrade-audit.test.js +2 -0
  782. package/lib/vendor/blamejs/test/integration/webhook-dispatcher-pg.test.js +15 -0
  783. package/lib/vendor/blamejs/test/integration/websocket-permessage-deflate.test.js +2 -0
  784. package/lib/vendor/blamejs/test/integration/ws-client-roundtrip.test.js +2 -0
  785. package/lib/vendor/blamejs/test/layer-0-primitives/a2a-tasks.test.js +2 -0
  786. package/lib/vendor/blamejs/test/layer-0-primitives/a2a.test.js +2 -0
  787. package/lib/vendor/blamejs/test/layer-0-primitives/access-lock.test.js +2 -0
  788. package/lib/vendor/blamejs/test/layer-0-primitives/acme-coverage.test.js +441 -0
  789. package/lib/vendor/blamejs/test/layer-0-primitives/acme-failclosed.test.js +131 -0
  790. package/lib/vendor/blamejs/test/layer-0-primitives/acme.test.js +2 -0
  791. package/lib/vendor/blamejs/test/layer-0-primitives/age-gate.test.js +2 -0
  792. package/lib/vendor/blamejs/test/layer-0-primitives/agent-event-bus.test.js +2 -0
  793. package/lib/vendor/blamejs/test/layer-0-primitives/agent-idempotency.test.js +0 -0
  794. package/lib/vendor/blamejs/test/layer-0-primitives/agent-orchestrator.test.js +23 -0
  795. package/lib/vendor/blamejs/test/layer-0-primitives/agent-posture-chain.test.js +2 -0
  796. package/lib/vendor/blamejs/test/layer-0-primitives/agent-saga.test.js +2 -0
  797. package/lib/vendor/blamejs/test/layer-0-primitives/agent-snapshot.test.js +2 -0
  798. package/lib/vendor/blamejs/test/layer-0-primitives/agent-stream.test.js +2 -0
  799. package/lib/vendor/blamejs/test/layer-0-primitives/agent-tenant.test.js +22 -0
  800. package/lib/vendor/blamejs/test/layer-0-primitives/agent-trace.test.js +2 -0
  801. package/lib/vendor/blamejs/test/layer-0-primitives/ai-adverse-decision.test.js +2 -0
  802. package/lib/vendor/blamejs/test/layer-0-primitives/ai-aedt-bias-audit.test.js +2 -0
  803. package/lib/vendor/blamejs/test/layer-0-primitives/ai-capability.test.js +2 -0
  804. package/lib/vendor/blamejs/test/layer-0-primitives/ai-content-detect.test.js +2 -0
  805. package/lib/vendor/blamejs/test/layer-0-primitives/ai-disclosure-apply-all.test.js +2 -0
  806. package/lib/vendor/blamejs/test/layer-0-primitives/ai-disclosure.test.js +2 -0
  807. package/lib/vendor/blamejs/test/layer-0-primitives/ai-dp.test.js +2 -0
  808. package/lib/vendor/blamejs/test/layer-0-primitives/ai-frontier-protocol.test.js +2 -0
  809. package/lib/vendor/blamejs/test/layer-0-primitives/ai-input.test.js +2 -0
  810. package/lib/vendor/blamejs/test/layer-0-primitives/ai-model-manifest.test.js +2 -0
  811. package/lib/vendor/blamejs/test/layer-0-primitives/ai-output.test.js +2 -0
  812. package/lib/vendor/blamejs/test/layer-0-primitives/ai-pref.test.js +2 -0
  813. package/lib/vendor/blamejs/test/layer-0-primitives/ai-prompt.test.js +2 -0
  814. package/lib/vendor/blamejs/test/layer-0-primitives/ai-quota.test.js +2 -0
  815. package/lib/vendor/blamejs/test/layer-0-primitives/api-encrypt-rejection-envelope.test.js +2 -0
  816. package/lib/vendor/blamejs/test/layer-0-primitives/api-encrypt.test.js +2 -0
  817. package/lib/vendor/blamejs/test/layer-0-primitives/app-shutdown.test.js +2 -0
  818. package/lib/vendor/blamejs/test/layer-0-primitives/archive-gz.test.js +2 -0
  819. package/lib/vendor/blamejs/test/layer-0-primitives/archive-read.test.js +2 -0
  820. package/lib/vendor/blamejs/test/layer-0-primitives/archive-sniff-envelope.test.js +2 -0
  821. package/lib/vendor/blamejs/test/layer-0-primitives/archive-tar-hardening.test.js +22 -0
  822. package/lib/vendor/blamejs/test/layer-0-primitives/archive-tar.test.js +2 -0
  823. package/lib/vendor/blamejs/test/layer-0-primitives/archive-wrap-passphrase.test.js +2 -0
  824. package/lib/vendor/blamejs/test/layer-0-primitives/archive-wrap.test.js +2 -0
  825. package/lib/vendor/blamejs/test/layer-0-primitives/archive-zip-stream.test.js +2 -0
  826. package/lib/vendor/blamejs/test/layer-0-primitives/archive.test.js +4 -0
  827. package/lib/vendor/blamejs/test/layer-0-primitives/arg-parser.test.js +2 -0
  828. package/lib/vendor/blamejs/test/layer-0-primitives/asn1-der.test.js +2 -0
  829. package/lib/vendor/blamejs/test/layer-0-primitives/asyncapi.test.js +2 -0
  830. package/lib/vendor/blamejs/test/layer-0-primitives/atomic-file-conflict-path.test.js +2 -0
  831. package/lib/vendor/blamejs/test/layer-0-primitives/atomic-file-exclusive-temp.test.js +2 -0
  832. package/lib/vendor/blamejs/test/layer-0-primitives/atomic-file-fd-read-errorfor-bypass.test.js +2 -0
  833. package/lib/vendor/blamejs/test/layer-0-primitives/atomic-file-fd-read.test.js +2 -0
  834. package/lib/vendor/blamejs/test/layer-0-primitives/atomic-file-open-append-nofollow.test.js +2 -0
  835. package/lib/vendor/blamejs/test/layer-0-primitives/atomic-file-open-nofollow.test.js +2 -0
  836. package/lib/vendor/blamejs/test/layer-0-primitives/atomic-file-rename-retry.test.js +2 -0
  837. package/lib/vendor/blamejs/test/layer-0-primitives/atomic-file-write-excl.test.js +2 -0
  838. package/lib/vendor/blamejs/test/layer-0-primitives/atomic-file-write-stream.test.js +2 -0
  839. package/lib/vendor/blamejs/test/layer-0-primitives/attach-user-bearer-scheme.test.js +2 -0
  840. package/lib/vendor/blamejs/test/layer-0-primitives/audit-chain-corrupted-anchor.test.js +2 -0
  841. package/lib/vendor/blamejs/test/layer-0-primitives/audit-chain-incremental-verify.test.js +2 -0
  842. package/lib/vendor/blamejs/test/layer-0-primitives/audit-checkpoint-false-rollback.test.js +2 -0
  843. package/lib/vendor/blamejs/test/layer-0-primitives/audit-cve-defensive.test.js +2 -0
  844. package/lib/vendor/blamejs/test/layer-0-primitives/audit-daily-review.test.js +2 -0
  845. package/lib/vendor/blamejs/test/layer-0-primitives/audit-export-cadf.test.js +2 -0
  846. package/lib/vendor/blamejs/test/layer-0-primitives/audit-framework-namespaces.test.js +2 -0
  847. package/lib/vendor/blamejs/test/layer-0-primitives/audit-query-self-log.test.js +2 -0
  848. package/lib/vendor/blamejs/test/layer-0-primitives/audit-safeemit-redacts-secrets.test.js +2 -0
  849. package/lib/vendor/blamejs/test/layer-0-primitives/audit-segregation.test.js +2 -0
  850. package/lib/vendor/blamejs/test/layer-0-primitives/audit-sign-anchor.test.js +2 -0
  851. package/lib/vendor/blamejs/test/layer-0-primitives/audit-sign-ml-dsa-65.test.js +2 -0
  852. package/lib/vendor/blamejs/test/layer-0-primitives/audit-signing-key-rotation.test.js +2 -0
  853. package/lib/vendor/blamejs/test/layer-0-primitives/audit-tools-dual-control.test.js +2 -0
  854. package/lib/vendor/blamejs/test/layer-0-primitives/audit-tools-return-bytes.test.js +2 -0
  855. package/lib/vendor/blamejs/test/layer-0-primitives/audit-use-store.test.js +2 -0
  856. package/lib/vendor/blamejs/test/layer-0-primitives/audit-verifybundle-tamper.test.js +2 -0
  857. package/lib/vendor/blamejs/test/layer-0-primitives/auth-bot-challenge-verifier.test.js +2 -0
  858. package/lib/vendor/blamejs/test/layer-0-primitives/auth-bot-challenge.test.js +2 -0
  859. package/lib/vendor/blamejs/test/layer-0-primitives/auth-jar.test.js +9 -6
  860. package/lib/vendor/blamejs/test/layer-0-primitives/auth-jwt-defenses.test.js +56 -0
  861. package/lib/vendor/blamejs/test/layer-0-primitives/auth-lockout.test.js +121 -1
  862. package/lib/vendor/blamejs/test/layer-0-primitives/auth-oauth-coverage.test.js +482 -0
  863. package/lib/vendor/blamejs/test/layer-0-primitives/auth-oauth-failclosed.test.js +257 -0
  864. package/lib/vendor/blamejs/test/layer-0-primitives/auth-password-audit.test.js +2 -0
  865. package/lib/vendor/blamejs/test/layer-0-primitives/auth-saml-coverage.test.js +671 -0
  866. package/lib/vendor/blamejs/test/layer-0-primitives/auth-saml-failclosed.test.js +179 -0
  867. package/lib/vendor/blamejs/test/layer-0-primitives/auth-status-list.test.js +19 -0
  868. package/lib/vendor/blamejs/test/layer-0-primitives/azure-blob-bucket-ops.test.js +2 -0
  869. package/lib/vendor/blamejs/test/layer-0-primitives/azure-blob-key-encoding.test.js +2 -0
  870. package/lib/vendor/blamejs/test/layer-0-primitives/backup-bundle-info.test.js +2 -0
  871. package/lib/vendor/blamejs/test/layer-0-primitives/backup-clone-bundle.test.js +2 -0
  872. package/lib/vendor/blamejs/test/layer-0-primitives/backup-find-bundles.test.js +2 -0
  873. package/lib/vendor/blamejs/test/layer-0-primitives/backup-index-coverage.test.js +690 -0
  874. package/lib/vendor/blamejs/test/layer-0-primitives/backup-index-failclosed.test.js +103 -0
  875. package/lib/vendor/blamejs/test/layer-0-primitives/backup-key-rotation.test.js +2 -0
  876. package/lib/vendor/blamejs/test/layer-0-primitives/backup-manifest-signature.test.js +2 -0
  877. package/lib/vendor/blamejs/test/layer-0-primitives/backup-object-store-adapter.test.js +2 -0
  878. package/lib/vendor/blamejs/test/layer-0-primitives/backup-residency-posture.test.js +2 -0
  879. package/lib/vendor/blamejs/test/layer-0-primitives/backup-rewrap-all.test.js +2 -0
  880. package/lib/vendor/blamejs/test/layer-0-primitives/backup-rewrap-bundle.test.js +2 -0
  881. package/lib/vendor/blamejs/test/layer-0-primitives/backup-scheduletest-drill.test.js +2 -0
  882. package/lib/vendor/blamejs/test/layer-0-primitives/backup-verify-all-bundles.test.js +0 -0
  883. package/lib/vendor/blamejs/test/layer-0-primitives/backup-verify-bundle.test.js +2 -0
  884. package/lib/vendor/blamejs/test/layer-0-primitives/backup-worker.test.js +2 -0
  885. package/lib/vendor/blamejs/test/layer-0-primitives/base32.test.js +2 -0
  886. package/lib/vendor/blamejs/test/layer-0-primitives/bearer-auth.test.js +2 -0
  887. package/lib/vendor/blamejs/test/layer-0-primitives/body-parser-chunked-malformed.test.js +2 -0
  888. package/lib/vendor/blamejs/test/layer-0-primitives/body-parser-error-redaction.test.js +2 -0
  889. package/lib/vendor/blamejs/test/layer-0-primitives/body-parser-smuggling.test.js +2 -0
  890. package/lib/vendor/blamejs/test/layer-0-primitives/boot-gates.test.js +2 -0
  891. package/lib/vendor/blamejs/test/layer-0-primitives/bot-guard.test.js +12 -0
  892. package/lib/vendor/blamejs/test/layer-0-primitives/bounded-map.test.js +2 -0
  893. package/lib/vendor/blamejs/test/layer-0-primitives/breach-deadline.test.js +2 -0
  894. package/lib/vendor/blamejs/test/layer-0-primitives/break-glass.test.js +46 -0
  895. package/lib/vendor/blamejs/test/layer-0-primitives/budr.test.js +2 -0
  896. package/lib/vendor/blamejs/test/layer-0-primitives/bundler-engine.test.js +2 -0
  897. package/lib/vendor/blamejs/test/layer-0-primitives/cache-status.test.js +2 -0
  898. package/lib/vendor/blamejs/test/layer-0-primitives/cache.test.js +12 -0
  899. package/lib/vendor/blamejs/test/layer-0-primitives/calendar.test.js +2 -0
  900. package/lib/vendor/blamejs/test/layer-0-primitives/canonical-json-jcs.test.js +2 -0
  901. package/lib/vendor/blamejs/test/layer-0-primitives/canonical-json.test.js +28 -0
  902. package/lib/vendor/blamejs/test/layer-0-primitives/cbor.test.js +2 -0
  903. package/lib/vendor/blamejs/test/layer-0-primitives/cdn-cache-control.test.js +2 -0
  904. package/lib/vendor/blamejs/test/layer-0-primitives/cert.test.js +2 -0
  905. package/lib/vendor/blamejs/test/layer-0-primitives/chain-writer-multichain.test.js +2 -0
  906. package/lib/vendor/blamejs/test/layer-0-primitives/ciba-authreqid-binding.test.js +2 -0
  907. package/lib/vendor/blamejs/test/layer-0-primitives/clear-site-data.test.js +2 -0
  908. package/lib/vendor/blamejs/test/layer-0-primitives/cli-api-key.test.js +2 -0
  909. package/lib/vendor/blamejs/test/layer-0-primitives/cli-audit-verify-chain.test.js +2 -0
  910. package/lib/vendor/blamejs/test/layer-0-primitives/cli-backup.test.js +2 -0
  911. package/lib/vendor/blamejs/test/layer-0-primitives/cli-config-drift.test.js +2 -0
  912. package/lib/vendor/blamejs/test/layer-0-primitives/cli-coverage.test.js +238 -0
  913. package/lib/vendor/blamejs/test/layer-0-primitives/cli-erase.test.js +2 -0
  914. package/lib/vendor/blamejs/test/layer-0-primitives/cli-file-type.test.js +2 -0
  915. package/lib/vendor/blamejs/test/layer-0-primitives/cli-helpers.test.js +2 -0
  916. package/lib/vendor/blamejs/test/layer-0-primitives/cli-mtls.test.js +2 -0
  917. package/lib/vendor/blamejs/test/layer-0-primitives/cli-password.test.js +2 -0
  918. package/lib/vendor/blamejs/test/layer-0-primitives/cli-restore.test.js +2 -0
  919. package/lib/vendor/blamejs/test/layer-0-primitives/cli-retention.test.js +2 -0
  920. package/lib/vendor/blamejs/test/layer-0-primitives/cli-security.test.js +2 -0
  921. package/lib/vendor/blamejs/test/layer-0-primitives/cli-vault.test.js +2 -0
  922. package/lib/vendor/blamejs/test/layer-0-primitives/client-hints.test.js +2 -0
  923. package/lib/vendor/blamejs/test/layer-0-primitives/cloud-events.test.js +2 -0
  924. package/lib/vendor/blamejs/test/layer-0-primitives/cluster-storage.test.js +2 -0
  925. package/lib/vendor/blamejs/test/layer-0-primitives/cluster-vault-rotation.test.js +2 -0
  926. package/lib/vendor/blamejs/test/layer-0-primitives/cms-codec.test.js +2 -0
  927. package/lib/vendor/blamejs/test/layer-0-primitives/codebase-patterns.test.js +791 -13
  928. package/lib/vendor/blamejs/test/layer-0-primitives/codepoint-class.test.js +2 -0
  929. package/lib/vendor/blamejs/test/layer-0-primitives/compliance-ai-act.test.js +2 -0
  930. package/lib/vendor/blamejs/test/layer-0-primitives/compliance-cascade.test.js +2 -0
  931. package/lib/vendor/blamejs/test/layer-0-primitives/compliance-eaa.test.js +2 -0
  932. package/lib/vendor/blamejs/test/layer-0-primitives/compliance-eu-ai-act-posture.test.js +2 -0
  933. package/lib/vendor/blamejs/test/layer-0-primitives/compliance-sanctions.test.js +2 -0
  934. package/lib/vendor/blamejs/test/layer-0-primitives/compliance.test.js +2 -0
  935. package/lib/vendor/blamejs/test/layer-0-primitives/compression-range.test.js +2 -0
  936. package/lib/vendor/blamejs/test/layer-0-primitives/config-drift.test.js +2 -0
  937. package/lib/vendor/blamejs/test/layer-0-primitives/config.test.js +2 -0
  938. package/lib/vendor/blamejs/test/layer-0-primitives/consent-purposes.test.js +2 -0
  939. package/lib/vendor/blamejs/test/layer-0-primitives/content-credentials.test.js +2 -0
  940. package/lib/vendor/blamejs/test/layer-0-primitives/content-digest.test.js +2 -0
  941. package/lib/vendor/blamejs/test/layer-0-primitives/cors.test.js +12 -0
  942. package/lib/vendor/blamejs/test/layer-0-primitives/cose.test.js +2 -0
  943. package/lib/vendor/blamejs/test/layer-0-primitives/cra-report.test.js +2 -0
  944. package/lib/vendor/blamejs/test/layer-0-primitives/crdt.test.js +2 -0
  945. package/lib/vendor/blamejs/test/layer-0-primitives/credential-hash.test.js +2 -0
  946. package/lib/vendor/blamejs/test/layer-0-primitives/crypto-base64url.test.js +2 -0
  947. package/lib/vendor/blamejs/test/layer-0-primitives/crypto-envelope.test.js +2 -0
  948. package/lib/vendor/blamejs/test/layer-0-primitives/crypto-field-aad-downgrade.test.js +2 -0
  949. package/lib/vendor/blamejs/test/layer-0-primitives/crypto-field-derived-hash.test.js +2 -0
  950. package/lib/vendor/blamejs/test/layer-0-primitives/crypto-field-dual-read-migrate.test.js +2 -0
  951. package/lib/vendor/blamejs/test/layer-0-primitives/crypto-field-per-row-key.test.js +2 -0
  952. package/lib/vendor/blamejs/test/layer-0-primitives/crypto-field-unseal-rate-cap.test.js +2 -0
  953. package/lib/vendor/blamejs/test/layer-0-primitives/crypto-field-upgrade-dialect.test.js +2 -0
  954. package/lib/vendor/blamejs/test/layer-0-primitives/crypto-hash-files-parallel.test.js +2 -0
  955. package/lib/vendor/blamejs/test/layer-0-primitives/crypto-hash-stream.test.js +2 -0
  956. package/lib/vendor/blamejs/test/layer-0-primitives/crypto-hpke-pq.test.js +2 -0
  957. package/lib/vendor/blamejs/test/layer-0-primitives/crypto-hpke.test.js +2 -0
  958. package/lib/vendor/blamejs/test/layer-0-primitives/crypto-interop-oracles.test.js +2 -0
  959. package/lib/vendor/blamejs/test/layer-0-primitives/crypto-mlkem768-x25519.test.js +2 -0
  960. package/lib/vendor/blamejs/test/layer-0-primitives/crypto-namespace-hash.test.js +0 -0
  961. package/lib/vendor/blamejs/test/layer-0-primitives/crypto-oprf.test.js +2 -0
  962. package/lib/vendor/blamejs/test/layer-0-primitives/crypto-random-int.test.js +2 -0
  963. package/lib/vendor/blamejs/test/layer-0-primitives/crypto-self-test.test.js +2 -0
  964. package/lib/vendor/blamejs/test/layer-0-primitives/crypto-xwing.test.js +2 -0
  965. package/lib/vendor/blamejs/test/layer-0-primitives/csp-builder.test.js +2 -0
  966. package/lib/vendor/blamejs/test/layer-0-primitives/csp-nonce.test.js +2 -0
  967. package/lib/vendor/blamejs/test/layer-0-primitives/csp-report.test.js +2 -0
  968. package/lib/vendor/blamejs/test/layer-0-primitives/csrf-protect.test.js +40 -0
  969. package/lib/vendor/blamejs/test/layer-0-primitives/csv.test.js +11 -0
  970. package/lib/vendor/blamejs/test/layer-0-primitives/cwt.test.js +2 -0
  971. package/lib/vendor/blamejs/test/layer-0-primitives/daemon.test.js +2 -0
  972. package/lib/vendor/blamejs/test/layer-0-primitives/daily-byte-quota.test.js +2 -0
  973. package/lib/vendor/blamejs/test/layer-0-primitives/dane.test.js +2 -0
  974. package/lib/vendor/blamejs/test/layer-0-primitives/dark-patterns.test.js +2 -0
  975. package/lib/vendor/blamejs/test/layer-0-primitives/data-act.test.js +2 -0
  976. package/lib/vendor/blamejs/test/layer-0-primitives/db-collection-extensions.test.js +2 -0
  977. package/lib/vendor/blamejs/test/layer-0-primitives/db-collection.test.js +2 -0
  978. package/lib/vendor/blamejs/test/layer-0-primitives/db-column-gate.test.js +2 -0
  979. package/lib/vendor/blamejs/test/layer-0-primitives/db-init-extensions.test.js +2 -0
  980. package/lib/vendor/blamejs/test/layer-0-primitives/db-key-aad.test.js +2 -0
  981. package/lib/vendor/blamejs/test/layer-0-primitives/db-query-cross-schema.test.js +2 -0
  982. package/lib/vendor/blamejs/test/layer-0-primitives/db-query-extensions.test.js +2 -0
  983. package/lib/vendor/blamejs/test/layer-0-primitives/db-query-sealed-field-in.test.js +2 -0
  984. package/lib/vendor/blamejs/test/layer-0-primitives/db-raw-residency-gate.test.js +2 -0
  985. package/lib/vendor/blamejs/test/layer-0-primitives/db-role-for.test.js +2 -0
  986. package/lib/vendor/blamejs/test/layer-0-primitives/db-schema-drift.test.js +2 -0
  987. package/lib/vendor/blamejs/test/layer-0-primitives/db-schema-reconcile-emittable.test.js +2 -0
  988. package/lib/vendor/blamejs/test/layer-0-primitives/db-schema-transaction.test.js +2 -0
  989. package/lib/vendor/blamejs/test/layer-0-primitives/db-stream-and-payload-shape.test.js +2 -0
  990. package/lib/vendor/blamejs/test/layer-0-primitives/db-vacuum.test.js +2 -0
  991. package/lib/vendor/blamejs/test/layer-0-primitives/db-worm.test.js +2 -0
  992. package/lib/vendor/blamejs/test/layer-0-primitives/ddl-change-control.test.js +2 -0
  993. package/lib/vendor/blamejs/test/layer-0-primitives/declare-row-policy.test.js +2 -0
  994. package/lib/vendor/blamejs/test/layer-0-primitives/declare-view.test.js +2 -0
  995. package/lib/vendor/blamejs/test/layer-0-primitives/defineguard-default-gate-posture-caps.test.js +2 -0
  996. package/lib/vendor/blamejs/test/layer-0-primitives/defineguard-resolve-opts.test.js +2 -0
  997. package/lib/vendor/blamejs/test/layer-0-primitives/deny-response.test.js +2 -0
  998. package/lib/vendor/blamejs/test/layer-0-primitives/did.test.js +2 -0
  999. package/lib/vendor/blamejs/test/layer-0-primitives/dns-dnssec-algorithm.test.js +2 -0
  1000. package/lib/vendor/blamejs/test/layer-0-primitives/dns-null-mx.test.js +2 -0
  1001. package/lib/vendor/blamejs/test/layer-0-primitives/dnssec.test.js +37 -0
  1002. package/lib/vendor/blamejs/test/layer-0-primitives/dora.test.js +2 -0
  1003. package/lib/vendor/blamejs/test/layer-0-primitives/dpop-alg-kty.test.js +2 -0
  1004. package/lib/vendor/blamejs/test/layer-0-primitives/dpop-htu-peergating.test.js +2 -0
  1005. package/lib/vendor/blamejs/test/layer-0-primitives/dpop-middleware-replaystore-required.test.js +2 -0
  1006. package/lib/vendor/blamejs/test/layer-0-primitives/dr-runbook.test.js +2 -0
  1007. package/lib/vendor/blamejs/test/layer-0-primitives/dsa.test.js +2 -0
  1008. package/lib/vendor/blamejs/test/layer-0-primitives/dsr-state-rules.test.js +2 -0
  1009. package/lib/vendor/blamejs/test/layer-0-primitives/dsr.test.js +2 -0
  1010. package/lib/vendor/blamejs/test/layer-0-primitives/dual-control.test.js +28 -0
  1011. package/lib/vendor/blamejs/test/layer-0-primitives/early-hints.test.js +2 -0
  1012. package/lib/vendor/blamejs/test/layer-0-primitives/eat.test.js +2 -0
  1013. package/lib/vendor/blamejs/test/layer-0-primitives/erase-posture-vacuum.test.js +2 -0
  1014. package/lib/vendor/blamejs/test/layer-0-primitives/events.test.js +2 -0
  1015. package/lib/vendor/blamejs/test/layer-0-primitives/exploit-replay.test.js +2 -0
  1016. package/lib/vendor/blamejs/test/layer-0-primitives/external-db-hardening.test.js +2 -0
  1017. package/lib/vendor/blamejs/test/layer-0-primitives/external-db-migrate.test.js +2 -0
  1018. package/lib/vendor/blamejs/test/layer-0-primitives/external-db-non-atomic-backend.test.js +2 -0
  1019. package/lib/vendor/blamejs/test/layer-0-primitives/external-db-routing.test.js +2 -0
  1020. package/lib/vendor/blamejs/test/layer-0-primitives/fal.test.js +2 -0
  1021. package/lib/vendor/blamejs/test/layer-0-primitives/fapi2.test.js +2 -0
  1022. package/lib/vendor/blamejs/test/layer-0-primitives/fda-21cfr11.test.js +2 -0
  1023. package/lib/vendor/blamejs/test/layer-0-primitives/fdx.test.js +2 -0
  1024. package/lib/vendor/blamejs/test/layer-0-primitives/fedcm-dbsc.test.js +2 -0
  1025. package/lib/vendor/blamejs/test/layer-0-primitives/federation-vc-suite.test.js +124 -0
  1026. package/lib/vendor/blamejs/test/layer-0-primitives/fetch-metadata.test.js +2 -0
  1027. package/lib/vendor/blamejs/test/layer-0-primitives/fido-mds3-cert-bad-validity.test.js +2 -0
  1028. package/lib/vendor/blamejs/test/layer-0-primitives/fido-mds3.test.js +2 -0
  1029. package/lib/vendor/blamejs/test/layer-0-primitives/file-type.test.js +2 -0
  1030. package/lib/vendor/blamejs/test/layer-0-primitives/file-upload-content-safety-skip-audit.test.js +66 -0
  1031. package/lib/vendor/blamejs/test/layer-0-primitives/file-upload-ownership.test.js +214 -0
  1032. package/lib/vendor/blamejs/test/layer-0-primitives/flag.test.js +2 -0
  1033. package/lib/vendor/blamejs/test/layer-0-primitives/forensic-snapshot.test.js +2 -0
  1034. package/lib/vendor/blamejs/test/layer-0-primitives/fsm.test.js +2 -0
  1035. package/lib/vendor/blamejs/test/layer-0-primitives/gate-contract-content-gate.test.js +2 -0
  1036. package/lib/vendor/blamejs/test/layer-0-primitives/gcs-bucket-ops.test.js +2 -0
  1037. package/lib/vendor/blamejs/test/layer-0-primitives/gdpr-ropa.test.js +2 -0
  1038. package/lib/vendor/blamejs/test/layer-0-primitives/graphql-federation.test.js +2 -0
  1039. package/lib/vendor/blamejs/test/layer-0-primitives/guard-agent-registry.test.js +2 -0
  1040. package/lib/vendor/blamejs/test/layer-0-primitives/guard-all.test.js +2 -0
  1041. package/lib/vendor/blamejs/test/layer-0-primitives/guard-archive.test.js +2 -0
  1042. package/lib/vendor/blamejs/test/layer-0-primitives/guard-csv.test.js +2 -0
  1043. package/lib/vendor/blamejs/test/layer-0-primitives/guard-dsn.test.js +2 -0
  1044. package/lib/vendor/blamejs/test/layer-0-primitives/guard-email.test.js +2 -0
  1045. package/lib/vendor/blamejs/test/layer-0-primitives/guard-envelope.test.js +2 -0
  1046. package/lib/vendor/blamejs/test/layer-0-primitives/guard-event-bus-payload.test.js +2 -0
  1047. package/lib/vendor/blamejs/test/layer-0-primitives/guard-event-bus-topic.test.js +2 -0
  1048. package/lib/vendor/blamejs/test/layer-0-primitives/guard-filename.test.js +2 -0
  1049. package/lib/vendor/blamejs/test/layer-0-primitives/guard-gate-disposition-coverage.test.js +2 -0
  1050. package/lib/vendor/blamejs/test/layer-0-primitives/guard-html-wcag.test.js +2 -0
  1051. package/lib/vendor/blamejs/test/layer-0-primitives/guard-html.test.js +2 -0
  1052. package/lib/vendor/blamejs/test/layer-0-primitives/guard-idempotency-key.test.js +2 -0
  1053. package/lib/vendor/blamejs/test/layer-0-primitives/guard-image.test.js +2 -0
  1054. package/lib/vendor/blamejs/test/layer-0-primitives/guard-imap-command.test.js +0 -0
  1055. package/lib/vendor/blamejs/test/layer-0-primitives/guard-jmap.test.js +2 -0
  1056. package/lib/vendor/blamejs/test/layer-0-primitives/guard-json.test.js +2 -0
  1057. package/lib/vendor/blamejs/test/layer-0-primitives/guard-list-id.test.js +2 -0
  1058. package/lib/vendor/blamejs/test/layer-0-primitives/guard-list-unsubscribe.test.js +2 -0
  1059. package/lib/vendor/blamejs/test/layer-0-primitives/guard-mail-compose.test.js +2 -0
  1060. package/lib/vendor/blamejs/test/layer-0-primitives/guard-mail-move.test.js +2 -0
  1061. package/lib/vendor/blamejs/test/layer-0-primitives/guard-mail-query.test.js +2 -0
  1062. package/lib/vendor/blamejs/test/layer-0-primitives/guard-mail-reply.test.js +2 -0
  1063. package/lib/vendor/blamejs/test/layer-0-primitives/guard-mail-sieve.test.js +2 -0
  1064. package/lib/vendor/blamejs/test/layer-0-primitives/guard-managesieve-command.test.js +2 -0
  1065. package/lib/vendor/blamejs/test/layer-0-primitives/guard-markdown.test.js +2 -0
  1066. package/lib/vendor/blamejs/test/layer-0-primitives/guard-message-id.test.js +0 -0
  1067. package/lib/vendor/blamejs/test/layer-0-primitives/guard-oauth-replay-failopen.test.js +57 -0
  1068. package/lib/vendor/blamejs/test/layer-0-primitives/guard-pdf.test.js +2 -0
  1069. package/lib/vendor/blamejs/test/layer-0-primitives/guard-pop3-command.test.js +2 -0
  1070. package/lib/vendor/blamejs/test/layer-0-primitives/guard-posture-chain.test.js +2 -0
  1071. package/lib/vendor/blamejs/test/layer-0-primitives/guard-saga-config.test.js +2 -0
  1072. package/lib/vendor/blamejs/test/layer-0-primitives/guard-smtp-command.test.js +2 -0
  1073. package/lib/vendor/blamejs/test/layer-0-primitives/guard-snapshot-envelope.test.js +2 -0
  1074. package/lib/vendor/blamejs/test/layer-0-primitives/guard-stream-args.test.js +2 -0
  1075. package/lib/vendor/blamejs/test/layer-0-primitives/guard-svg.test.js +2 -0
  1076. package/lib/vendor/blamejs/test/layer-0-primitives/guard-tenant-id.test.js +2 -0
  1077. package/lib/vendor/blamejs/test/layer-0-primitives/guard-text.test.js +2 -0
  1078. package/lib/vendor/blamejs/test/layer-0-primitives/guard-trace-context.test.js +2 -0
  1079. package/lib/vendor/blamejs/test/layer-0-primitives/guard-xml.test.js +2 -0
  1080. package/lib/vendor/blamejs/test/layer-0-primitives/guard-yaml.test.js +2 -0
  1081. package/lib/vendor/blamejs/test/layer-0-primitives/hal.test.js +2 -0
  1082. package/lib/vendor/blamejs/test/layer-0-primitives/honeytoken.test.js +2 -0
  1083. package/lib/vendor/blamejs/test/layer-0-primitives/html-balance.test.js +2 -0
  1084. package/lib/vendor/blamejs/test/layer-0-primitives/http-client-cache.test.js +2 -0
  1085. package/lib/vendor/blamejs/test/layer-0-primitives/http-client-stream.test.js +2 -0
  1086. package/lib/vendor/blamejs/test/layer-0-primitives/http-client-throttle-transform.test.js +2 -0
  1087. package/lib/vendor/blamejs/test/layer-0-primitives/http-message-signature.test.js +315 -3
  1088. package/lib/vendor/blamejs/test/layer-0-primitives/i18n-messageformat.test.js +26 -0
  1089. package/lib/vendor/blamejs/test/layer-0-primitives/i18n.test.js +2 -0
  1090. package/lib/vendor/blamejs/test/layer-0-primitives/iab-mspa.test.js +2 -0
  1091. package/lib/vendor/blamejs/test/layer-0-primitives/iab-tcf.test.js +2 -0
  1092. package/lib/vendor/blamejs/test/layer-0-primitives/idempotency-key.test.js +40 -0
  1093. package/lib/vendor/blamejs/test/layer-0-primitives/importmap-integrity.test.js +2 -0
  1094. package/lib/vendor/blamejs/test/layer-0-primitives/inbox.test.js +2 -0
  1095. package/lib/vendor/blamejs/test/layer-0-primitives/incident-report.test.js +2 -0
  1096. package/lib/vendor/blamejs/test/layer-0-primitives/ip-utils.test.js +2 -0
  1097. package/lib/vendor/blamejs/test/layer-0-primitives/jose-jwe-experimental.test.js +2 -0
  1098. package/lib/vendor/blamejs/test/layer-0-primitives/json-api.test.js +2 -0
  1099. package/lib/vendor/blamejs/test/layer-0-primitives/json-merge-patch.test.js +2 -0
  1100. package/lib/vendor/blamejs/test/layer-0-primitives/json-patch.test.js +2 -0
  1101. package/lib/vendor/blamejs/test/layer-0-primitives/json-path.test.js +2 -0
  1102. package/lib/vendor/blamejs/test/layer-0-primitives/json-round-trip-helper.test.js +2 -0
  1103. package/lib/vendor/blamejs/test/layer-0-primitives/json-schema.test.js +26 -0
  1104. package/lib/vendor/blamejs/test/layer-0-primitives/jtd.test.js +2 -0
  1105. package/lib/vendor/blamejs/test/layer-0-primitives/jwk.test.js +2 -0
  1106. package/lib/vendor/blamejs/test/layer-0-primitives/jwt-external.test.js +2 -0
  1107. package/lib/vendor/blamejs/test/layer-0-primitives/keychain-coverage.test.js +0 -0
  1108. package/lib/vendor/blamejs/test/layer-0-primitives/keychain-failclosed.test.js +185 -0
  1109. package/lib/vendor/blamejs/test/layer-0-primitives/keychain.test.js +0 -0
  1110. package/lib/vendor/blamejs/test/layer-0-primitives/legal-hold.test.js +2 -0
  1111. package/lib/vendor/blamejs/test/layer-0-primitives/link-header.test.js +2 -0
  1112. package/lib/vendor/blamejs/test/layer-0-primitives/local-db-thin.test.js +2 -0
  1113. package/lib/vendor/blamejs/test/layer-0-primitives/log-stream-cloudwatch.test.js +2 -0
  1114. package/lib/vendor/blamejs/test/layer-0-primitives/log-stream-otlp-grpc.test.js +2 -0
  1115. package/lib/vendor/blamejs/test/layer-0-primitives/log-stream-otlp.test.js +2 -0
  1116. package/lib/vendor/blamejs/test/layer-0-primitives/lro.test.js +2 -0
  1117. package/lib/vendor/blamejs/test/layer-0-primitives/mail-agent.test.js +2 -0
  1118. package/lib/vendor/blamejs/test/layer-0-primitives/mail-arf.test.js +2 -0
  1119. package/lib/vendor/blamejs/test/layer-0-primitives/mail-auth-coverage.test.js +437 -0
  1120. package/lib/vendor/blamejs/test/layer-0-primitives/mail-auth-dmarc-policy-failclosed.test.js +2 -0
  1121. package/lib/vendor/blamejs/test/layer-0-primitives/mail-auth-failclosed.test.js +144 -0
  1122. package/lib/vendor/blamejs/test/layer-0-primitives/mail-auth.test.js +289 -0
  1123. package/lib/vendor/blamejs/test/layer-0-primitives/mail-bimi-cert-validity-unparseable.test.js +2 -0
  1124. package/lib/vendor/blamejs/test/layer-0-primitives/mail-bimi.test.js +2 -0
  1125. package/lib/vendor/blamejs/test/layer-0-primitives/mail-bounce.test.js +61 -0
  1126. package/lib/vendor/blamejs/test/layer-0-primitives/mail-canspam.test.js +2 -0
  1127. package/lib/vendor/blamejs/test/layer-0-primitives/mail-crypto-pgp-experimental.test.js +2 -0
  1128. package/lib/vendor/blamejs/test/layer-0-primitives/mail-crypto-pgp.test.js +2 -0
  1129. package/lib/vendor/blamejs/test/layer-0-primitives/mail-crypto-smime-bad-validity.test.js +2 -0
  1130. package/lib/vendor/blamejs/test/layer-0-primitives/mail-crypto-smime.test.js +2 -0
  1131. package/lib/vendor/blamejs/test/layer-0-primitives/mail-dav.test.js +2 -0
  1132. package/lib/vendor/blamejs/test/layer-0-primitives/mail-deploy-tlsrpt.test.js +2 -0
  1133. package/lib/vendor/blamejs/test/layer-0-primitives/mail-deploy.test.js +2 -0
  1134. package/lib/vendor/blamejs/test/layer-0-primitives/mail-dkim-numericdate-failclosed.test.js +2 -0
  1135. package/lib/vendor/blamejs/test/layer-0-primitives/mail-dkim.test.js +130 -0
  1136. package/lib/vendor/blamejs/test/layer-0-primitives/mail-feedback-id.test.js +2 -0
  1137. package/lib/vendor/blamejs/test/layer-0-primitives/mail-greylist.test.js +2 -0
  1138. package/lib/vendor/blamejs/test/layer-0-primitives/mail-header-injection.test.js +2 -0
  1139. package/lib/vendor/blamejs/test/layer-0-primitives/mail-helo.test.js +17 -0
  1140. package/lib/vendor/blamejs/test/layer-0-primitives/mail-journal.test.js +2 -0
  1141. package/lib/vendor/blamejs/test/layer-0-primitives/mail-mdn.test.js +29 -0
  1142. package/lib/vendor/blamejs/test/layer-0-primitives/mail-proxy-framing-bounds.test.js +2 -0
  1143. package/lib/vendor/blamejs/test/layer-0-primitives/mail-rbl.test.js +2 -0
  1144. package/lib/vendor/blamejs/test/layer-0-primitives/mail-require-tls.test.js +2 -0
  1145. package/lib/vendor/blamejs/test/layer-0-primitives/mail-scan.test.js +2 -0
  1146. package/lib/vendor/blamejs/test/layer-0-primitives/mail-send-deliver.test.js +113 -0
  1147. package/lib/vendor/blamejs/test/layer-0-primitives/mail-server-imap.test.js +2 -0
  1148. package/lib/vendor/blamejs/test/layer-0-primitives/mail-server-jmap.test.js +50 -0
  1149. package/lib/vendor/blamejs/test/layer-0-primitives/mail-server-managesieve.test.js +2 -0
  1150. package/lib/vendor/blamejs/test/layer-0-primitives/mail-server-mx.test.js +2 -0
  1151. package/lib/vendor/blamejs/test/layer-0-primitives/mail-server-pop3.test.js +2 -0
  1152. package/lib/vendor/blamejs/test/layer-0-primitives/mail-server-rate-limit.test.js +2 -0
  1153. package/lib/vendor/blamejs/test/layer-0-primitives/mail-server-registry.test.js +2 -0
  1154. package/lib/vendor/blamejs/test/layer-0-primitives/mail-server-submission.test.js +2 -0
  1155. package/lib/vendor/blamejs/test/layer-0-primitives/mail-server-tls.test.js +2 -0
  1156. package/lib/vendor/blamejs/test/layer-0-primitives/mail-sieve.test.js +2 -0
  1157. package/lib/vendor/blamejs/test/layer-0-primitives/mail-spam-score.test.js +2 -0
  1158. package/lib/vendor/blamejs/test/layer-0-primitives/mail-srs.test.js +21 -0
  1159. package/lib/vendor/blamejs/test/layer-0-primitives/mail-store-fts.test.js +2 -0
  1160. package/lib/vendor/blamejs/test/layer-0-primitives/mail-store.test.js +2 -0
  1161. package/lib/vendor/blamejs/test/layer-0-primitives/mail-unsubscribe.test.js +2 -0
  1162. package/lib/vendor/blamejs/test/layer-0-primitives/mail.test.js +2 -0
  1163. package/lib/vendor/blamejs/test/layer-0-primitives/mcp-tool-registry.test.js +2 -0
  1164. package/lib/vendor/blamejs/test/layer-0-primitives/mcp.test.js +2 -0
  1165. package/lib/vendor/blamejs/test/layer-0-primitives/mdoc.test.js +2 -0
  1166. package/lib/vendor/blamejs/test/layer-0-primitives/metrics-shadow-registry.test.js +2 -0
  1167. package/lib/vendor/blamejs/test/layer-0-primitives/metrics-snapshot.test.js +2 -0
  1168. package/lib/vendor/blamejs/test/layer-0-primitives/middleware-compose-pipeline.test.js +2 -0
  1169. package/lib/vendor/blamejs/test/layer-0-primitives/mime-parse.test.js +11 -0
  1170. package/lib/vendor/blamejs/test/layer-0-primitives/money.test.js +2 -0
  1171. package/lib/vendor/blamejs/test/layer-0-primitives/mtls-ca-paths.test.js +2 -0
  1172. package/lib/vendor/blamejs/test/layer-0-primitives/mtls-ca-revocation.test.js +2 -0
  1173. package/lib/vendor/blamejs/test/layer-0-primitives/nel.test.js +2 -0
  1174. package/lib/vendor/blamejs/test/layer-0-primitives/network-allowlist.test.js +2 -0
  1175. package/lib/vendor/blamejs/test/layer-0-primitives/network-byte-quota.test.js +65 -0
  1176. package/lib/vendor/blamejs/test/layer-0-primitives/network-dns-lookup-timeout-default.test.js +2 -0
  1177. package/lib/vendor/blamejs/test/layer-0-primitives/network-dns-resolver-timeout.test.js +2 -0
  1178. package/lib/vendor/blamejs/test/layer-0-primitives/network-dns-resolver.test.js +28 -0
  1179. package/lib/vendor/blamejs/test/layer-0-primitives/network-dns.test.js +2 -0
  1180. package/lib/vendor/blamejs/test/layer-0-primitives/network-heartbeat-passive.test.js +2 -0
  1181. package/lib/vendor/blamejs/test/layer-0-primitives/network-nts-handshake-byte-cap.test.js +2 -0
  1182. package/lib/vendor/blamejs/test/layer-0-primitives/network-smtp-policy-coverage.test.js +565 -0
  1183. package/lib/vendor/blamejs/test/layer-0-primitives/network-tls-build-options.test.js +2 -0
  1184. package/lib/vendor/blamejs/test/layer-0-primitives/network-tls-ct-inclusion.test.js +2 -0
  1185. package/lib/vendor/blamejs/test/layer-0-primitives/network-tls.test.js +2 -0
  1186. package/lib/vendor/blamejs/test/layer-0-primitives/network-tsig.test.js +26 -0
  1187. package/lib/vendor/blamejs/test/layer-0-primitives/network.test.js +2 -0
  1188. package/lib/vendor/blamejs/test/layer-0-primitives/nis2-report.test.js +2 -0
  1189. package/lib/vendor/blamejs/test/layer-0-primitives/nist-crosswalk.test.js +2 -0
  1190. package/lib/vendor/blamejs/test/layer-0-primitives/no-cache.test.js +2 -0
  1191. package/lib/vendor/blamejs/test/layer-0-primitives/nonce-store-release.test.js +2 -0
  1192. package/lib/vendor/blamejs/test/layer-0-primitives/notify.test.js +2 -0
  1193. package/lib/vendor/blamejs/test/layer-0-primitives/numeric-bounds.test.js +2 -0
  1194. package/lib/vendor/blamejs/test/layer-0-primitives/oauth-callback.test.js +2 -0
  1195. package/lib/vendor/blamejs/test/layer-0-primitives/object-store-range-header.test.js +2 -0
  1196. package/lib/vendor/blamejs/test/layer-0-primitives/object-store-versioned-delete.test.js +2 -0
  1197. package/lib/vendor/blamejs/test/layer-0-primitives/observability-tracing.test.js +22 -0
  1198. package/lib/vendor/blamejs/test/layer-0-primitives/observability.test.js +2 -0
  1199. package/lib/vendor/blamejs/test/layer-0-primitives/openapi.test.js +2 -0
  1200. package/lib/vendor/blamejs/test/layer-0-primitives/otel-export.test.js +2 -0
  1201. package/lib/vendor/blamejs/test/layer-0-primitives/otlp-attr-redaction.test.js +8 -0
  1202. package/lib/vendor/blamejs/test/layer-0-primitives/outbox-inflight-reaper.test.js +2 -0
  1203. package/lib/vendor/blamejs/test/layer-0-primitives/output-header-hardening.test.js +2 -0
  1204. package/lib/vendor/blamejs/test/layer-0-primitives/pagination.test.js +2 -0
  1205. package/lib/vendor/blamejs/test/layer-0-primitives/parser-verify-hardening.test.js +2 -0
  1206. package/lib/vendor/blamejs/test/layer-0-primitives/parsers-standalone.test.js +2 -0
  1207. package/lib/vendor/blamejs/test/layer-0-primitives/passkey-real-vectors.test.js +2 -0
  1208. package/lib/vendor/blamejs/test/layer-0-primitives/passkey.test.js +2 -0
  1209. package/lib/vendor/blamejs/test/layer-0-primitives/permissions.test.js +2 -0
  1210. package/lib/vendor/blamejs/test/layer-0-primitives/pipl-cn.test.js +2 -0
  1211. package/lib/vendor/blamejs/test/layer-0-primitives/pqc-agent-curve.test.js +2 -0
  1212. package/lib/vendor/blamejs/test/layer-0-primitives/pqc-software.test.js +2 -0
  1213. package/lib/vendor/blamejs/test/layer-0-primitives/privacy-pass.test.js +2 -0
  1214. package/lib/vendor/blamejs/test/layer-0-primitives/privacy-vendor-review.test.js +2 -0
  1215. package/lib/vendor/blamejs/test/layer-0-primitives/problem-details.test.js +2 -0
  1216. package/lib/vendor/blamejs/test/layer-0-primitives/process-spawn.test.js +2 -0
  1217. package/lib/vendor/blamejs/test/layer-0-primitives/promise-pool.test.js +2 -0
  1218. package/lib/vendor/blamejs/test/layer-0-primitives/protected-resource-metadata.test.js +2 -0
  1219. package/lib/vendor/blamejs/test/layer-0-primitives/proto-shadow-allowlist.test.js +2 -0
  1220. package/lib/vendor/blamejs/test/layer-0-primitives/protobuf-encoder.test.js +2 -0
  1221. package/lib/vendor/blamejs/test/layer-0-primitives/protocol-dispatcher.test.js +2 -0
  1222. package/lib/vendor/blamejs/test/layer-0-primitives/public-suffix.test.js +29 -0
  1223. package/lib/vendor/blamejs/test/layer-0-primitives/pubsub.test.js +2 -0
  1224. package/lib/vendor/blamejs/test/layer-0-primitives/queue-byo-db.test.js +2 -0
  1225. package/lib/vendor/blamejs/test/layer-0-primitives/queue-dlq-extend-lease.test.js +44 -0
  1226. package/lib/vendor/blamejs/test/layer-0-primitives/queue-flow-repeat.test.js +2 -0
  1227. package/lib/vendor/blamejs/test/layer-0-primitives/queue-priority-rate-progress.test.js +2 -0
  1228. package/lib/vendor/blamejs/test/layer-0-primitives/queue-sqs.test.js +2 -0
  1229. package/lib/vendor/blamejs/test/layer-0-primitives/rate-limit-cluster.test.js +2 -0
  1230. package/lib/vendor/blamejs/test/layer-0-primitives/rate-limit-memory-getorinsert.test.js +2 -0
  1231. package/lib/vendor/blamejs/test/layer-0-primitives/rate-limit-registry.test.js +2 -0
  1232. package/lib/vendor/blamejs/test/layer-0-primitives/rate-limit-xff-spoofing.test.js +2 -0
  1233. package/lib/vendor/blamejs/test/layer-0-primitives/redact-dlp.test.js +2 -0
  1234. package/lib/vendor/blamejs/test/layer-0-primitives/redis-client.test.js +16 -0
  1235. package/lib/vendor/blamejs/test/layer-0-primitives/request-helpers.test.js +7 -0
  1236. package/lib/vendor/blamejs/test/layer-0-primitives/request-id-async-context.test.js +2 -0
  1237. package/lib/vendor/blamejs/test/layer-0-primitives/request-log.test.js +3 -0
  1238. package/lib/vendor/blamejs/test/layer-0-primitives/require-auth-cache-control.test.js +2 -0
  1239. package/lib/vendor/blamejs/test/layer-0-primitives/require-mtls.test.js +2 -0
  1240. package/lib/vendor/blamejs/test/layer-0-primitives/resource-access-lock.test.js +2 -0
  1241. package/lib/vendor/blamejs/test/layer-0-primitives/restore-blob-remap.test.js +2 -0
  1242. package/lib/vendor/blamejs/test/layer-0-primitives/retention-dryrun-no-vacuum.test.js +2 -0
  1243. package/lib/vendor/blamejs/test/layer-0-primitives/retention-floor.test.js +2 -0
  1244. package/lib/vendor/blamejs/test/layer-0-primitives/retention-sweep-termination.test.js +2 -0
  1245. package/lib/vendor/blamejs/test/layer-0-primitives/retry.test.js +2 -0
  1246. package/lib/vendor/blamejs/test/layer-0-primitives/router-body-validation.test.js +2 -0
  1247. package/lib/vendor/blamejs/test/layer-0-primitives/router-coverage.test.js +592 -0
  1248. package/lib/vendor/blamejs/test/layer-0-primitives/router-cross-origin-redirect.test.js +0 -0
  1249. package/lib/vendor/blamejs/test/layer-0-primitives/router-failclosed.test.js +0 -0
  1250. package/lib/vendor/blamejs/test/layer-0-primitives/router-tls0rtt.test.js +2 -0
  1251. package/lib/vendor/blamejs/test/layer-0-primitives/router-use-path-scope.test.js +59 -0
  1252. package/lib/vendor/blamejs/test/layer-0-primitives/safe-archive-auto-unwrap.test.js +2 -0
  1253. package/lib/vendor/blamejs/test/layer-0-primitives/safe-archive-inspect-unwrap.test.js +2 -0
  1254. package/lib/vendor/blamejs/test/layer-0-primitives/safe-async-loops.test.js +41 -0
  1255. package/lib/vendor/blamejs/test/layer-0-primitives/safe-async-parallel.test.js +2 -0
  1256. package/lib/vendor/blamejs/test/layer-0-primitives/safe-buffer-linear-scans.test.js +13 -0
  1257. package/lib/vendor/blamejs/test/layer-0-primitives/safe-decompress.test.js +2 -0
  1258. package/lib/vendor/blamejs/test/layer-0-primitives/safe-dns.test.js +2 -0
  1259. package/lib/vendor/blamejs/test/layer-0-primitives/safe-ical.test.js +2 -0
  1260. package/lib/vendor/blamejs/test/layer-0-primitives/safe-icap.test.js +2 -0
  1261. package/lib/vendor/blamejs/test/layer-0-primitives/safe-json-stringify-for-script.test.js +2 -0
  1262. package/lib/vendor/blamejs/test/layer-0-primitives/safe-jsonpath.test.js +2 -0
  1263. package/lib/vendor/blamejs/test/layer-0-primitives/safe-mime.test.js +2 -0
  1264. package/lib/vendor/blamejs/test/layer-0-primitives/safe-mount-info.test.js +2 -0
  1265. package/lib/vendor/blamejs/test/layer-0-primitives/safe-path.test.js +2 -0
  1266. package/lib/vendor/blamejs/test/layer-0-primitives/safe-redirect.test.js +2 -0
  1267. package/lib/vendor/blamejs/test/layer-0-primitives/safe-sieve.test.js +2 -0
  1268. package/lib/vendor/blamejs/test/layer-0-primitives/safe-smtp.test.js +2 -0
  1269. package/lib/vendor/blamejs/test/layer-0-primitives/safe-url-canonicalize.test.js +2 -0
  1270. package/lib/vendor/blamejs/test/layer-0-primitives/safe-url-idn-homograph.test.js +2 -0
  1271. package/lib/vendor/blamejs/test/layer-0-primitives/safe-vcard.test.js +2 -0
  1272. package/lib/vendor/blamejs/test/layer-0-primitives/safe-xml.test.js +2 -0
  1273. package/lib/vendor/blamejs/test/layer-0-primitives/saml-mdq-wrapping.test.js +237 -0
  1274. package/lib/vendor/blamejs/test/layer-0-primitives/saml-slo.test.js +2 -0
  1275. package/lib/vendor/blamejs/test/layer-0-primitives/saml-subjectconfirmation-notbefore.test.js +2 -0
  1276. package/lib/vendor/blamejs/test/layer-0-primitives/saml-subjectconfirmation-notonorafter.test.js +2 -0
  1277. package/lib/vendor/blamejs/test/layer-0-primitives/sandbox.test.js +2 -0
  1278. package/lib/vendor/blamejs/test/layer-0-primitives/scheduler-exactly-once.test.js +2 -0
  1279. package/lib/vendor/blamejs/test/layer-0-primitives/scheduler-watchdog-stale-settle.test.js +2 -0
  1280. package/lib/vendor/blamejs/test/layer-0-primitives/scim-server.test.js +2 -0
  1281. package/lib/vendor/blamejs/test/layer-0-primitives/scitt.test.js +2 -0
  1282. package/lib/vendor/blamejs/test/layer-0-primitives/sd-jwt-vc-ecdsa-p1363.test.js +2 -0
  1283. package/lib/vendor/blamejs/test/layer-0-primitives/sd-jwt-vc.test.js +2 -0
  1284. package/lib/vendor/blamejs/test/layer-0-primitives/sd-notify.test.js +2 -0
  1285. package/lib/vendor/blamejs/test/layer-0-primitives/sec-cyber.test.js +2 -0
  1286. package/lib/vendor/blamejs/test/layer-0-primitives/security-assert.test.js +2 -0
  1287. package/lib/vendor/blamejs/test/layer-0-primitives/security-headers.test.js +2 -0
  1288. package/lib/vendor/blamejs/test/layer-0-primitives/security-txt.test.js +2 -0
  1289. package/lib/vendor/blamejs/test/layer-0-primitives/seeders.test.js +2 -0
  1290. package/lib/vendor/blamejs/test/layer-0-primitives/self-update-poll-asset-digest.test.js +2 -0
  1291. package/lib/vendor/blamejs/test/layer-0-primitives/self-update-standalone-verifier-ecdsa-encoding.test.js +9 -1
  1292. package/lib/vendor/blamejs/test/layer-0-primitives/self-update-standalone-verifier.test.js +2 -0
  1293. package/lib/vendor/blamejs/test/layer-0-primitives/self-update.test.js +87 -4
  1294. package/lib/vendor/blamejs/test/layer-0-primitives/server-timing.test.js +2 -0
  1295. package/lib/vendor/blamejs/test/layer-0-primitives/session-binding-unreadable-failclosed.test.js +80 -0
  1296. package/lib/vendor/blamejs/test/layer-0-primitives/session-destroy-all-store-backed.test.js +2 -0
  1297. package/lib/vendor/blamejs/test/layer-0-primitives/session-device-binding-ipv6-canonical-and-no-store.test.js +2 -0
  1298. package/lib/vendor/blamejs/test/layer-0-primitives/session-device-binding.test.js +2 -0
  1299. package/lib/vendor/blamejs/test/layer-0-primitives/session-extensions.test.js +2 -0
  1300. package/lib/vendor/blamejs/test/layer-0-primitives/session-valid-from.test.js +2 -0
  1301. package/lib/vendor/blamejs/test/layer-0-primitives/shape-match.test.js +2 -0
  1302. package/lib/vendor/blamejs/test/layer-0-primitives/sigv4-bucket-ops.test.js +2 -0
  1303. package/lib/vendor/blamejs/test/layer-0-primitives/sigv4-multipart-sse.test.js +2 -0
  1304. package/lib/vendor/blamejs/test/layer-0-primitives/slug.test.js +2 -0
  1305. package/lib/vendor/blamejs/test/layer-0-primitives/smtp-policy.test.js +5 -1
  1306. package/lib/vendor/blamejs/test/layer-0-primitives/source-comment-blocks.test.js +2 -0
  1307. package/lib/vendor/blamejs/test/layer-0-primitives/speculation-rules.test.js +2 -0
  1308. package/lib/vendor/blamejs/test/layer-0-primitives/sql-coverage.test.js +422 -0
  1309. package/lib/vendor/blamejs/test/layer-0-primitives/sql.test.js +2 -0
  1310. package/lib/vendor/blamejs/test/layer-0-primitives/sse-backpressure.test.js +2 -0
  1311. package/lib/vendor/blamejs/test/layer-0-primitives/sse.test.js +2 -0
  1312. package/lib/vendor/blamejs/test/layer-0-primitives/ssrf-guard.test.js +23 -1
  1313. package/lib/vendor/blamejs/test/layer-0-primitives/standard-webhooks.test.js +2 -0
  1314. package/lib/vendor/blamejs/test/layer-0-primitives/static.test.js +33 -0
  1315. package/lib/vendor/blamejs/test/layer-0-primitives/step-up.test.js +44 -0
  1316. package/lib/vendor/blamejs/test/layer-0-primitives/storage-chunk-scratch.test.js +0 -0
  1317. package/lib/vendor/blamejs/test/layer-0-primitives/storage-presigned-url.test.js +2 -0
  1318. package/lib/vendor/blamejs/test/layer-0-primitives/stream-throttle.test.js +2 -0
  1319. package/lib/vendor/blamejs/test/layer-0-primitives/structured-fields-codec.test.js +2 -0
  1320. package/lib/vendor/blamejs/test/layer-0-primitives/structured-fields.test.js +2 -0
  1321. package/lib/vendor/blamejs/test/layer-0-primitives/tcpa-10dlc.test.js +2 -0
  1322. package/lib/vendor/blamejs/test/layer-0-primitives/template-escape-html.test.js +2 -0
  1323. package/lib/vendor/blamejs/test/layer-0-primitives/tenant-quota.test.js +2 -0
  1324. package/lib/vendor/blamejs/test/layer-0-primitives/test-coverage.test.js +2 -0
  1325. package/lib/vendor/blamejs/test/layer-0-primitives/test-harness.test.js +2 -0
  1326. package/lib/vendor/blamejs/test/layer-0-primitives/testing-request.test.js +2 -0
  1327. package/lib/vendor/blamejs/test/layer-0-primitives/testing.test.js +2 -0
  1328. package/lib/vendor/blamejs/test/layer-0-primitives/time.test.js +2 -0
  1329. package/lib/vendor/blamejs/test/layer-0-primitives/tls-exporter.test.js +2 -0
  1330. package/lib/vendor/blamejs/test/layer-0-primitives/tls-ocsp-ct.test.js +2 -0
  1331. package/lib/vendor/blamejs/test/layer-0-primitives/tls-ocsp-freshness.test.js +6 -2
  1332. package/lib/vendor/blamejs/test/layer-0-primitives/tls-ocsp-verify.test.js +127 -3
  1333. package/lib/vendor/blamejs/test/layer-0-primitives/tls-pinset-drift.test.js +2 -0
  1334. package/lib/vendor/blamejs/test/layer-0-primitives/tls-preferred-groups.test.js +2 -0
  1335. package/lib/vendor/blamejs/test/layer-0-primitives/tracing.test.js +2 -0
  1336. package/lib/vendor/blamejs/test/layer-0-primitives/tsa.test.js +2 -0
  1337. package/lib/vendor/blamejs/test/layer-0-primitives/uri-template.test.js +2 -0
  1338. package/lib/vendor/blamejs/test/layer-0-primitives/uuid.test.js +2 -0
  1339. package/lib/vendor/blamejs/test/layer-0-primitives/validate-opts-port.test.js +2 -0
  1340. package/lib/vendor/blamejs/test/layer-0-primitives/validate-opts-shape.test.js +2 -0
  1341. package/lib/vendor/blamejs/test/layer-0-primitives/vault-aad.test.js +2 -0
  1342. package/lib/vendor/blamejs/test/layer-0-primitives/vault-default-store.test.js +2 -0
  1343. package/lib/vendor/blamejs/test/layer-0-primitives/vault-rotate-aad.test.js +2 -0
  1344. package/lib/vendor/blamejs/test/layer-0-primitives/vault-seal-pem-file.test.js +2 -0
  1345. package/lib/vendor/blamejs/test/layer-0-primitives/vc.test.js +25 -0
  1346. package/lib/vendor/blamejs/test/layer-0-primitives/vendor-currency-classify.test.js +2 -0
  1347. package/lib/vendor/blamejs/test/layer-0-primitives/vendor-data.test.js +2 -0
  1348. package/lib/vendor/blamejs/test/layer-0-primitives/vendor-manifest.test.js +2 -0
  1349. package/lib/vendor/blamejs/test/layer-0-primitives/vex.test.js +2 -0
  1350. package/lib/vendor/blamejs/test/layer-0-primitives/watcher.test.js +2 -0
  1351. package/lib/vendor/blamejs/test/layer-0-primitives/web-push-vapid.test.js +2 -0
  1352. package/lib/vendor/blamejs/test/layer-0-primitives/webhook-dispatcher.test.js +77 -0
  1353. package/lib/vendor/blamejs/test/layer-0-primitives/webhook-verify-nonce-atomic.test.js +2 -0
  1354. package/lib/vendor/blamejs/test/layer-0-primitives/webhook.test.js +2 -0
  1355. package/lib/vendor/blamejs/test/layer-0-primitives/websocket-channels.test.js +2 -0
  1356. package/lib/vendor/blamejs/test/layer-0-primitives/websocket-extension-header.test.js +2 -0
  1357. package/lib/vendor/blamejs/test/layer-0-primitives/worker-pool-recycle-race.test.js +2 -0
  1358. package/lib/vendor/blamejs/test/layer-0-primitives/worker-pool.test.js +2 -0
  1359. package/lib/vendor/blamejs/test/layer-0-primitives/worm.test.js +2 -0
  1360. package/lib/vendor/blamejs/test/layer-0-primitives/ws-client.test.js +2 -0
  1361. package/lib/vendor/blamejs/test/layer-0-primitives/x509-chain-ca-enforcement.test.js +117 -1
  1362. package/lib/vendor/blamejs/test/layer-1-state/api-key.test.js +2 -0
  1363. package/lib/vendor/blamejs/test/layer-5-integration/bundler-output.test.js +2 -0
  1364. package/lib/vendor/blamejs/test/layer-5-integration/external-db-residency.test.js +2 -0
  1365. package/lib/vendor/blamejs/test/layer-5-integration/guard-host-integration.test.js +2 -0
  1366. package/lib/vendor/blamejs/test/layer-5-integration/security-chaos.test.js +2 -0
  1367. package/lib/vendor/blamejs/test/smoke.js +2 -0
  1368. package/package.json +5 -2
  1369. package/lib/vendor/blamejs/release-notes/v0.15.0.json +0 -77
  1370. package/lib/vendor/blamejs/release-notes/v0.15.1.json +0 -22
  1371. package/lib/vendor/blamejs/release-notes/v0.15.10.json +0 -53
  1372. package/lib/vendor/blamejs/release-notes/v0.15.11.json +0 -52
  1373. package/lib/vendor/blamejs/release-notes/v0.15.12.json +0 -47
  1374. package/lib/vendor/blamejs/release-notes/v0.15.13.json +0 -81
  1375. package/lib/vendor/blamejs/release-notes/v0.15.14.json +0 -122
  1376. package/lib/vendor/blamejs/release-notes/v0.15.15.json +0 -73
  1377. package/lib/vendor/blamejs/release-notes/v0.15.16.json +0 -94
  1378. package/lib/vendor/blamejs/release-notes/v0.15.17.json +0 -52
  1379. package/lib/vendor/blamejs/release-notes/v0.15.18.json +0 -49
  1380. package/lib/vendor/blamejs/release-notes/v0.15.19.json +0 -18
  1381. package/lib/vendor/blamejs/release-notes/v0.15.2.json +0 -22
  1382. package/lib/vendor/blamejs/release-notes/v0.15.20.json +0 -27
  1383. package/lib/vendor/blamejs/release-notes/v0.15.21.json +0 -51
  1384. package/lib/vendor/blamejs/release-notes/v0.15.22.json +0 -18
  1385. package/lib/vendor/blamejs/release-notes/v0.15.23.json +0 -22
  1386. package/lib/vendor/blamejs/release-notes/v0.15.24.json +0 -22
  1387. package/lib/vendor/blamejs/release-notes/v0.15.25.json +0 -18
  1388. package/lib/vendor/blamejs/release-notes/v0.15.26.json +0 -18
  1389. package/lib/vendor/blamejs/release-notes/v0.15.27.json +0 -18
  1390. package/lib/vendor/blamejs/release-notes/v0.15.28.json +0 -18
  1391. package/lib/vendor/blamejs/release-notes/v0.15.29.json +0 -27
  1392. package/lib/vendor/blamejs/release-notes/v0.15.3.json +0 -39
  1393. package/lib/vendor/blamejs/release-notes/v0.15.30.json +0 -18
  1394. package/lib/vendor/blamejs/release-notes/v0.15.31.json +0 -18
  1395. package/lib/vendor/blamejs/release-notes/v0.15.32.json +0 -18
  1396. package/lib/vendor/blamejs/release-notes/v0.15.33.json +0 -18
  1397. package/lib/vendor/blamejs/release-notes/v0.15.34.json +0 -27
  1398. package/lib/vendor/blamejs/release-notes/v0.15.35.json +0 -27
  1399. package/lib/vendor/blamejs/release-notes/v0.15.36.json +0 -18
  1400. package/lib/vendor/blamejs/release-notes/v0.15.37.json +0 -26
  1401. package/lib/vendor/blamejs/release-notes/v0.15.38.json +0 -26
  1402. package/lib/vendor/blamejs/release-notes/v0.15.4.json +0 -39
  1403. package/lib/vendor/blamejs/release-notes/v0.15.5.json +0 -22
  1404. package/lib/vendor/blamejs/release-notes/v0.15.6.json +0 -59
  1405. package/lib/vendor/blamejs/release-notes/v0.15.7.json +0 -43
  1406. package/lib/vendor/blamejs/release-notes/v0.15.8.json +0 -48
  1407. package/lib/vendor/blamejs/release-notes/v0.15.9.json +0 -58
@@ -1,3 +1,5 @@
1
+ // SPDX-License-Identifier: Apache-2.0
2
+ // Copyright (c) blamejs contributors
1
3
  "use strict";
2
4
  /**
3
5
  * X.509 basicConstraints cA enforcement across the framework's cert-chain
@@ -37,6 +39,9 @@ async function _mintChain(opts) {
37
39
  opts = opts || {};
38
40
  var interCa = opts.interCa === true; // default cA:FALSE (the attack)
39
41
  var leafSan = opts.leafSan || "victim.example";
42
+ // Default SAN is DNS:<leafSan>; a test can supply explicit entries (e.g. a
43
+ // hostile URI SAN) to exercise the SAN-vs-domain matcher.
44
+ var leafSanEntries = opts.leafSanEntries || [{ type: "dns", value: leafSan }];
40
45
  var now = new Date();
41
46
  var notAfter = new Date(now.getTime() + 365 * 24 * 60 * 60 * 1000);
42
47
  var alg = { name: "ECDSA", namedCurve: "P-256" };
@@ -70,21 +75,43 @@ async function _mintChain(opts) {
70
75
  extensions: [
71
76
  new x509.BasicConstraintsExtension(false, undefined, true),
72
77
  new x509.KeyUsagesExtension(x509.KeyUsageFlags.digitalSignature, true),
73
- new x509.SubjectAlternativeNameExtension([{ type: "dns", value: leafSan }]),
78
+ new x509.SubjectAlternativeNameExtension(leafSanEntries),
74
79
  new x509.ExtendedKeyUsageExtension([BIMI_EKU_OID], false),
75
80
  ],
76
81
  });
77
82
 
83
+ // Export the leaf's private key so a consumer test can sign a payload that
84
+ // the forged leaf would verify (e.g. a fido-mds3 BLOB).
85
+ var leafPkcs8 = await pki.crypto.subtle.exportKey("pkcs8", leafKeys.privateKey);
86
+ var leafKeyB64 = Buffer.from(leafPkcs8).toString("base64").match(/.{1,64}/g).join("\n");
87
+ var leafKeyPem = "-----BEGIN PRIVATE KEY-----\n" + leafKeyB64 + "\n-----END PRIVATE KEY-----\n";
88
+
78
89
  return {
79
90
  rootPem: root.toString("pem"),
80
91
  interPem: inter.toString("pem"),
81
92
  leafPem: leaf.toString("pem"),
93
+ leafKeyPem: leafKeyPem,
82
94
  root: new nodeCrypto.X509Certificate(root.toString("pem")),
83
95
  inter: new nodeCrypto.X509Certificate(inter.toString("pem")),
84
96
  leaf: new nodeCrypto.X509Certificate(leaf.toString("pem")),
85
97
  };
86
98
  }
87
99
 
100
+ // Build a fido-mds3 JWS BLOB signed by `leafKeyPem` with x5c = the given cert
101
+ // chain (PEMs, leaf-first), so a forged leaf can attempt to authenticate a BLOB.
102
+ function _b64url(buf) { return Buffer.from(buf).toString("base64url"); }
103
+ function _mds3Blob(payload, leafKeyPem, chainPems) {
104
+ var x5c = chainPems.map(function (pem) {
105
+ return pem.replace(/-----BEGIN CERTIFICATE-----/g, "")
106
+ .replace(/-----END CERTIFICATE-----/g, "").replace(/\s+/g, "");
107
+ });
108
+ var header = { alg: "ES256", typ: "JWT", x5c: x5c };
109
+ var signingInput = _b64url(JSON.stringify(header)) + "." + _b64url(JSON.stringify(payload));
110
+ var sig = nodeCrypto.sign("sha256", Buffer.from(signingInput, "ascii"),
111
+ { key: leafKeyPem, dsaEncoding: "ieee-p1363" });
112
+ return signingInput + "." + _b64url(sig);
113
+ }
114
+
88
115
  function _stubHttpClient(body) {
89
116
  return {
90
117
  request: function () {
@@ -149,6 +176,95 @@ async function run() {
149
176
  });
150
177
  check("bimi.fetchAndVerifyMark: valid CA chain still verifies", rv.ok === true);
151
178
 
179
+ // ---- 2b. SAN-vs-domain authorization must bind to the cert's actual host.
180
+ // A CA-chained VMC whose only SAN is a URI the URL parser refuses (here the
181
+ // real host is attacker.test, with the victim domain placed in the userinfo)
182
+ // must NOT vouch for the victim domain. The pre-fix matcher fell back to a raw
183
+ // substring search of the whole SAN string when safeUrl.parse threw, so
184
+ // "victim.example" appearing anywhere (userinfo / path) wrongly matched.
185
+ var hostile = await _mintChain({
186
+ interCa: true,
187
+ leafSan: "attacker.test",
188
+ leafSanEntries: [{ type: "url", value: "https://victim.example@attacker.test/" }],
189
+ });
190
+ var sanThrew = null;
191
+ try {
192
+ await b.mail.bimi.fetchAndVerifyMark({
193
+ domain: "victim.example",
194
+ vmcUrl: "https://victim.example/cert.pem",
195
+ trustAnchorsPem: hostile.rootPem,
196
+ httpClient: _stubHttpClient(hostile.leafPem + "\n" + hostile.interPem),
197
+ });
198
+ } catch (e) { sanThrew = e; }
199
+ check("bimi.fetchAndVerifyMark: hostile URI-SAN (userinfo) does NOT vouch for the victim domain",
200
+ sanThrew && sanThrew.code === "bimi/vmc-domain-mismatch");
201
+
202
+ // Control: a CA-chained VMC whose URI SAN host genuinely IS the domain verifies.
203
+ var legit = await _mintChain({
204
+ interCa: true,
205
+ leafSan: "good.example",
206
+ leafSanEntries: [{ type: "url", value: "https://good.example/" }],
207
+ });
208
+ var legitRv = await b.mail.bimi.fetchAndVerifyMark({
209
+ domain: "good.example",
210
+ vmcUrl: "https://good.example/cert.pem",
211
+ trustAnchorsPem: legit.rootPem,
212
+ httpClient: _stubHttpClient(legit.leafPem + "\n" + legit.interPem),
213
+ });
214
+ check("bimi.fetchAndVerifyMark: a genuine URI-SAN host still verifies", legitRv.ok === true);
215
+
216
+ // domainToASCII truncates at a URL delimiter, so a DNS SAN "victim.example/evil"
217
+ // would have canonicalized to "victim.example" and matched — must fail closed.
218
+ var dnsDelim = await _mintChain({
219
+ interCa: true,
220
+ leafSan: "attacker.test",
221
+ leafSanEntries: [{ type: "dns", value: "victim.example/evil" }],
222
+ });
223
+ var dnsThrew = null;
224
+ try {
225
+ await b.mail.bimi.fetchAndVerifyMark({
226
+ domain: "victim.example",
227
+ vmcUrl: "https://victim.example/cert.pem",
228
+ trustAnchorsPem: dnsDelim.rootPem,
229
+ httpClient: _stubHttpClient(dnsDelim.leafPem + "\n" + dnsDelim.interPem),
230
+ });
231
+ } catch (e) { dnsThrew = e; }
232
+ check("bimi.fetchAndVerifyMark: a delimiter-bearing DNS SAN does NOT vouch for the prefix domain",
233
+ dnsThrew && dnsThrew.code === "bimi/vmc-domain-mismatch");
234
+
235
+ // ---- 3. Consumer path: b.auth.fidoMds3.fetch must refuse a BLOB whose x5c
236
+ // chains the leaf through the cA:FALSE intermediate. The forged leaf GENUINELY
237
+ // signs the BLOB (ES256), so without cA enforcement on the intermediate link a
238
+ // basicConstraints bypass would accept attacker-forged FIDO metadata.
239
+ var mds3Payload = {
240
+ legalHeader: "Test BLOB", no: 1,
241
+ nextUpdate: new Date(Date.now() + 7 * 86400000).toISOString().slice(0, 10),
242
+ entries: [{ aaguid: "01234567-89ab-cdef-0123-456789abcdef",
243
+ metadataStatement: { description: "Test entry" },
244
+ statusReports: [{ status: "FIDO_CERTIFIED_L2" }] }],
245
+ };
246
+ var forgedBlob = _mds3Blob(mds3Payload, c.leafKeyPem, [c.leafPem, c.interPem]);
247
+ var hcPath = require.resolve("../../lib/http-client");
248
+ var origHc = require.cache[hcPath].exports;
249
+ require.cache[hcPath].exports = Object.assign({}, origHc, {
250
+ request: async function () {
251
+ return { statusCode: 200, headers: {}, body: Buffer.from(forgedBlob, "ascii") };
252
+ },
253
+ });
254
+ var fmPath = require.resolve("../../lib/auth/fido-mds3");
255
+ delete require.cache[fmPath];
256
+ var fm = require(fmPath);
257
+ var mdsThrew = null;
258
+ try {
259
+ await fm.fetch({ url: "https://test.invalid/mds3", caCertificate: c.rootPem, force: true });
260
+ } catch (e) { mdsThrew = e; }
261
+ finally {
262
+ require.cache[hcPath].exports = origHc;
263
+ delete require.cache[fmPath];
264
+ }
265
+ check("fido-mds3.fetch: forged BLOB via cA:FALSE intermediate is REJECTED",
266
+ mdsThrew && mdsThrew.code === "fido-mds3/chain-broken");
267
+
152
268
  console.log("OK — x509 cA enforcement (" + helpers.getChecks() + " checks)");
153
269
  }
154
270
 
@@ -1,3 +1,5 @@
1
+ // SPDX-License-Identifier: Apache-2.0
2
+ // Copyright (c) blamejs contributors
1
3
  "use strict";
2
4
  /**
3
5
  * b.apiKey — operator-facing API key registry.
@@ -1,3 +1,5 @@
1
+ // SPDX-License-Identifier: Apache-2.0
2
+ // Copyright (c) blamejs contributors
1
3
  "use strict";
2
4
  /**
3
5
  * bundler-output — verifies the framework survives static-analysis
@@ -1,3 +1,5 @@
1
+ // SPDX-License-Identifier: Apache-2.0
2
+ // Copyright (c) blamejs contributors
1
3
  "use strict";
2
4
  /**
3
5
  * external-db-residency — per-row residency write gate
@@ -1,3 +1,5 @@
1
+ // SPDX-License-Identifier: Apache-2.0
2
+ // Copyright (c) blamejs contributors
1
3
  "use strict";
2
4
  /**
3
5
  * guard-host-integration — adaptive table-driven integration harness
@@ -1,3 +1,5 @@
1
+ // SPDX-License-Identifier: Apache-2.0
2
+ // Copyright (c) blamejs contributors
1
3
  "use strict";
2
4
  /**
3
5
  * security-chaos - fault-injection drills covering recovery paths the
@@ -1,3 +1,5 @@
1
+ // SPDX-License-Identifier: Apache-2.0
2
+ // Copyright (c) blamejs contributors
1
3
  "use strict";
2
4
  /**
3
5
  * Smoke test — orchestrator only.
package/package.json CHANGED
@@ -1,18 +1,21 @@
1
1
  {
2
2
  "name": "@blamejs/blamejs-shop",
3
- "version": "0.5.4",
3
+ "version": "0.5.6",
4
4
  "description": "Open-source framework built on blamejs. Vendored stack, zero npm runtime deps, PQC-first crypto, security-on by default.",
5
5
  "main": "lib/index.js",
6
6
  "scripts": {
7
7
  "start": "node server.js",
8
8
  "test": "node test/smoke.js",
9
+ "e2e": "node test/e2e/drive-checkout.js && node test/e2e/drive-account-subscriptions.js",
10
+ "e2e:checkout": "node test/e2e/drive-checkout.js",
11
+ "e2e:account": "node test/e2e/drive-account-subscriptions.js",
9
12
  "vendor": "bash scripts/vendor-update.sh",
10
13
  "sync-assets": "node scripts/sync-r2-assets.js",
11
14
  "d1-export": "node scripts/d1-export.js",
12
15
  "release": "node scripts/release.js"
13
16
  },
14
17
  "engines": {
15
- "node": ">=24.16.0"
18
+ "node": ">=24.18.0"
16
19
  },
17
20
  "files": [
18
21
  "lib/",
@@ -1,77 +0,0 @@
1
- {
2
- "$schema": "../scripts/release-notes-schema.json",
3
- "version": "0.15.0",
4
- "date": "2026-06-08",
5
- "headline": "A chainable SQL builder, MySQL as a first-class data backend, and a keyed lookup-hash default — the data layer goes tri-dialect",
6
- "summary": "This release makes the framework's data layer dialect-portable. `b.sql` is a new chainable query builder that quotes every identifier by construction, binds every value as a placeholder, and emits dialect-correct SQL for SQLite, Postgres, and MySQL; `b.guardSql` validates result rows against NUL bytes, quote-jump sequences, and per-column / total size boundaries. The entire framework data layer — the signed audit chain, cluster leadership and fencing, sessions, break-glass, the local queue, cache, scheduler, migrations, consent, and mail storage — is rebuilt on `b.sql`, which makes MySQL a supported external-database backend alongside Postgres and SQLite. Running the data layer on a real Postgres server surfaced two latent correctness bugs that only a non-SQLite backend exposes: identifiers were emitted unquoted at DDL time but read back camelCase (Postgres folds unquoted names to lowercase, silently breaking the audit chain, consent chain, cluster fencing, and vault-key consistency), and sealed columns coerced Buffer / object payloads through `String()` before encryption (corrupting non-string ciphertext); both are fixed by quoting every identifier and coercing per the column's declared type. Derived-hash columns — the blind-index lookup columns registered through `registerTable` — now default to a keyed MAC (SHAKE256 under the vault's per-deployment MAC key) instead of an unkeyed salted hash, so an exfiltrated database can no longer be brute-forced or rainbow-tabled to recover the indexed values; existing salted-hash indexes are read through a dual-read path and migrated forward, so the change is non-breaking. Audit-signing key rotation now preserves every historical checkpoint (rotation previously stranded checkpoints signed under the prior key). New cross-border data-residency postures (appi-jp, pdpa-sg, uk-gdpr) enforce a mandatory storage vacuum after erasure. Outbound TLS appends classical X25519 to its key-exchange preference so it can complete a handshake with a peer that advertises no post-quantum hybrid — previously the hybrids-only preference failed those handshakes outright — and emits a `tls.classical_downgrade` audit event whenever a connection lands on a classical group. Outbound HTTP/2 negotiation falls back to HTTP/1.1 against servers that only speak h1, the network heartbeat honors a target's permitted protocols instead of pinning cleartext targets down, a WebSocket connection closes cleanly on a peer's TCP half-close instead of wedging open, and the Azure blob backend encodes object-key path segments correctly.",
7
- "sections": [
8
- {
9
- "heading": "Added",
10
- "items": [
11
- {
12
- "title": "b.sql — a dialect-aware chainable SQL builder",
13
- "body": "`b.sql` composes SELECT / INSERT / UPDATE / UPSERT / DELETE / DDL from a fluent chain. Every identifier is validated and quoted by construction (`\"name\"` on SQLite/Postgres, `` `name` `` on MySQL), every value binds as a placeholder rather than interpolating, and the emitted statement is validated as a single balanced, single-statement query before it leaves the builder. Pass `{ dialect: \"postgres\" | \"mysql\" | \"sqlite\" }` (default SQLite) to target a backend; `upsert` emits the dialect-final conflict syntax. It composes `b.safeSql` for the identifier and placeholder primitives, so a SQL string can no longer be assembled by hand inside the framework."
14
- },
15
- {
16
- "title": "b.guardSql — result-row output validation",
17
- "body": "`b.guardSql` gates query result rows against embedded NUL bytes, quote-jump sequences, and configurable per-column and total-size boundaries, with the standard guard profiles (strict / balanced / permissive) and compliance postures (hipaa / pci-dss / gdpr / soc2). It is the output-side complement to the input-side `b.safeSql`."
18
- },
19
- {
20
- "title": "MySQL is a first-class data backend",
21
- "body": "MySQL joins Postgres and SQLite as a supported external-database backend. The framework's schema reconciler emits MySQL DDL, and the full data layer — signed audit chain (append + verify), cluster leadership and lease fencing, sessions, break-glass, the local queue, cache, scheduler, migrations, and consent — runs against a real MySQL server. Select the backend at `b.cluster.init` / `b.externalDb` configuration via the `dialect` option; `b.clusterStorage.dialect()` exposes the configured backend dialect to composing code."
22
- },
23
- {
24
- "title": "Cross-border erasure postures: appi-jp, pdpa-sg, uk-gdpr",
25
- "body": "Three data-residency compliance postures are added (Japan APPI, Singapore PDPA, UK GDPR). Each requires a mandatory storage vacuum after erasure (so deleted rows are reclaimed from the page store, not just tombstoned), a signed audit chain, encrypted backups, and a minimum TLS version. Pin one with `b.compliance.set`."
26
- }
27
- ]
28
- },
29
- {
30
- "heading": "Security",
31
- "items": [
32
- {
33
- "title": "Lookup-hash columns default to a keyed MAC",
34
- "body": "Derived-hash (blind-index) columns registered through `registerTable` now default to `derivedHashMode: \"hmac-shake256\"` — SHAKE256 keyed with the vault's per-deployment MAC key — instead of the previous unkeyed `salted-sha3`. The index value is no longer recomputable from the indexed plaintext alone, so an attacker who exfiltrates the database cannot brute-force or rainbow-table a lookup column (for example a subject-email index) without also holding the vault MAC key (CWE-916 / CWE-759). Existing `salted-sha3` indexes are read through a dual-read path and re-derived on write, so deployments upgrade without re-indexing up front."
35
- },
36
- {
37
- "title": "Postgres identifier casing no longer breaks the audit and cluster chains",
38
- "body": "Identifiers were written unquoted in DDL but read back in camelCase. On Postgres (which folds an unquoted identifier to lowercase) this silently desynchronized the signed audit chain, the consent chain, cluster leadership and fencing, and vault-key consistency — each reads a column the server had stored under a lowercased name. Every framework identifier is now quoted at both DDL and query time so the stored and read names match on every dialect (CWE-670). SQLite deployments were unaffected and remain byte-compatible."
39
- },
40
- {
41
- "title": "Sealed columns preserve non-string payloads",
42
- "body": "A sealed column coerced its value through `String()` before encryption, corrupting Buffer and object payloads (a Buffer became `\"[object Object]\"`-class garbage, an object its `toString`). Sealed values are now encoded per the column's declared type before the seal, so binary and structured payloads round-trip intact (CWE-704)."
43
- },
44
- {
45
- "title": "Audit-signing key rotation preserves historical checkpoints",
46
- "body": "Rotating the audit-signing key stranded every checkpoint signed under the prior key — `verifyCheckpoints` ignored the per-fingerprint history file the rotation writes, so post-rotation verification failed on otherwise-valid historical checkpoints. Verification now resolves each checkpoint's signing key by fingerprint (`getPublicKeyByFingerprint`) across the rotation history, so the full chain verifies after a key rotation."
47
- },
48
- {
49
- "title": "Outbound TLS reaches classical-only peers and audits the downgrade",
50
- "body": "The framework's outbound TLS offered only ML-KEM hybrid key-exchange groups, so a handshake with a peer that does not advertise a post-quantum hybrid — most of today's internet — failed outright (`handshake_failure`), leaving outbound connections to webhooks, OAuth providers, ACME directories, object stores, and DoT/DoH/SMTP/Redis-over-TLS unable to complete. Classical X25519 is now appended to the group preference so the hybrid is still negotiated whenever the peer supports it, and the connection completes over classical X25519 when it does not. Every connection that lands on a classical group rather than the post-quantum hybrid emits a `tls.classical_downgrade` audit event (carrying the negotiated group) so operators can observe and alert on which peers are not yet post-quantum-capable."
51
- },
52
- {
53
- "title": "Transport reachability and correctness",
54
- "body": "Outbound HTTP/2 negotiation now falls back to HTTP/1.1 when a TLS server offers only h1 (an ALPN protocol_version alert no longer fails the request). The network heartbeat honors a target's permitted protocols instead of dropping non-default ones, so a cleartext `http://` health target is no longer reported permanently down. A WebSocket connection closes cleanly when a peer half-closes its TCP socket (a bare FIN) instead of wedging the connection open. The Azure blob backend percent-encodes each object-key path segment, so a key containing reserved characters can no longer corrupt the request URL."
55
- }
56
- ]
57
- },
58
- {
59
- "heading": "Fixed",
60
- "items": [
61
- {
62
- "title": "Cross-border erasure performs the mandatory vacuum",
63
- "body": "Erasure under the uk-gdpr, appi-jp, and pdpa-sg residency postures now runs the storage vacuum the posture mandates, reclaiming erased rows from the page store rather than leaving them recoverable as free-list tombstones."
64
- }
65
- ]
66
- },
67
- {
68
- "heading": "Migration",
69
- "items": [
70
- {
71
- "title": "Derived-hash default change is non-breaking; MySQL is opt-in",
72
- "body": "Lookup-hash columns default to the keyed MAC on new writes and migrate existing rows on access through the dual-read path — no upfront re-indexing, no operator action required. To pin the previous unkeyed index (for example to keep a column byte-compatible with an external system), pass `derivedHashMode: \"salted-sha3\"` to `registerTable`. MySQL as a data backend is opt-in: existing SQLite and Postgres deployments are unchanged unless you set `dialect: \"mysql\"`. The Postgres identifier-casing and sealed-column-coercion fixes change the emitted DDL and the at-rest encoding of non-string sealed values; a Postgres deployment created before this release reconciles its schema to the quoted identifiers on the next schema-ensure pass."
73
- }
74
- ]
75
- }
76
- ]
77
- }
@@ -1,22 +0,0 @@
1
- {
2
- "$schema": "../scripts/release-notes-schema.json",
3
- "version": "0.15.1",
4
- "date": "2026-06-11",
5
- "headline": "Sealed-column lookups find rows written before the v0.15.0 hash change, and API-key secrets re-hash to the active algorithm on verify",
6
- "summary": "v0.15.0 changed the default derived hash — the blind index a sealed column is looked up by — from an unkeyed salted hash to a keyed MAC, and promised a transparent migration via a dual read. But no lookup path actually performed the dual read, so on a deployment that already held data, a lookup by a sealed column (a session's user id, an API key's owner, an audit actor or resource, a consent or data-subject id, a mail thread) computed only the new keyed digest and missed every row written before the upgrade. This release wires the dual read into every lookup: a sealed-column equality now matches both the active keyed digest and the legacy salted digest, so pre-upgrade rows are found again. That restores two correctness guarantees the gap had quietly broken — revoking all of a user's sessions no longer skips sessions created before the upgrade, and a subject erasure no longer leaves pre-upgrade rows behind. Separately, the framework's API-key store now re-hashes a stored secret to the active hash algorithm on the next successful verify, the transparent rotation the credential-hash primitive documented but the store had never performed.",
7
- "sections": [
8
- {
9
- "heading": "Fixed",
10
- "items": [
11
- {
12
- "title": "Sealed-column lookups match rows written before the v0.15.0 keyed-MAC change",
13
- "body": "After v0.15.0 flipped the default derived-hash mode to a keyed MAC, a lookup by a sealed column computed only the new keyed digest, so rows written under the previous salted-hash default were no longer found — a silent index miss on every existing deployment. Every framework lookup path now dual-reads: `b.db.from(...).where(sealedField, value)` and the framework's own api-key, session, audit, consent, data-subject, and mail-thread lookups match the column against both the active keyed digest and the legacy salted digest (`b.db.hashCandidatesFor` exposes the candidate list for operator code). No migration or operator action is required; rows re-hash to the keyed form on read over time and the candidate set collapses back to a single value. Two correctness consequences are restored: revoking all of a user's sessions now also revokes sessions created before the upgrade, and a data-subject erasure now also deletes (and crypto-shreds) the subject's pre-upgrade rows."
14
- },
15
- {
16
- "title": "API-key secret hashes upgrade to the active algorithm on verify",
17
- "body": "The framework's API-key store now re-hashes a stored secret to the configured hash algorithm on the next successful verify (leader-gated, best-effort, primary-match only), emitting an `apikey.secret_rehash` audit and observability event. This is the transparent rotation `b.credentialHash` documents — a key stored under an older algorithm or parameter set silently moves to the current one as it is used, with no change to the verify result or the returned record."
18
- }
19
- ]
20
- }
21
- ]
22
- }
@@ -1,53 +0,0 @@
1
- {
2
- "$schema": "../scripts/release-notes-schema.json",
3
- "version": "0.15.10",
4
- "date": "2026-06-13",
5
- "headline": "Makes S3 Object-Lock version erasure reachable through the object store, and pins the build toolchain's native binary to a reviewed hash",
6
- "summary": "The object store gains the versioned-delete surface its S3 Object Lock support always needed for real erasure. An unversioned delete on a versioning-enabled (Object-Lock) bucket only writes a delete-marker — the data version survives — so the framework's own delete could report success while a record protected for compliance, or one a data subject asked to erase, stayed on disk. b.objectStore / b.storage now carry a versionId: put and saveRaw return the version they created, deleteFile(key, { versionId, bypassGovernanceRetention }) targets a specific version (refused — not silently delete-markered — when it is under an active retention), and listVersions enumerates versions and delete-markers so an erasure workflow can find them. Backends with no version surface (the filesystem backend, and the current Azure and GCS adapters) refuse a versioned delete loudly rather than silently dropping the current object. Separately, the build toolchain's native bundler binary is now verified against a reviewed SHA-256 pin so a tampered or drifted binary is caught before it bundles the framework.",
7
- "sections": [
8
- {
9
- "heading": "Added",
10
- "items": [
11
- {
12
- "title": "Versioned object delete + listVersions for S3 Object-Lock erasure",
13
- "body": "b.storage.deleteFile and the b.objectStore sigv4 backend now accept opts.versionId to erase a specific object version, and opts.bypassGovernanceRetention to lift a GOVERNANCE-mode retention for callers with the permission (COMPLIANCE stays immutable to everyone). b.storage.saveRaw and the backend put now return the versionId they created on a versioning-enabled bucket, and a new b.storage.listVersions(prefix) / backend listVersions enumerates every version and delete-marker (key, versionId, isLatest, deleteMarker, size, lastModified, etag) so a right-to-erasure or crypto-shred workflow can target prior versions. On a backend with no version surface, listVersions throws VERSIONS_UNSUPPORTED and a versioned delete throws VERSIONID_UNSUPPORTED rather than silently acting on the current object."
14
- },
15
- {
16
- "title": "b.localDb.thin reaches SQLite resource-limit parity (limits option)",
17
- "body": "b.localDb.thin now opens its node:sqlite handle with the same parse-time statement-size cap as b.db and the CLI — a SQL statement over 1 MiB is rejected at parse time, the SQLITE_LIMIT_LENGTH floor that guards prepare()/exec() of raw SQL against an attacker-influenced megaquery (SQLite's default is 1 GB). The cap is on by default; a new limits option (e.g. { sqlLength: 2 * 1024 * 1024 } or other SQLITE_LIMIT_* keys) lets an operator raise or extend it. Previously the thin opener had no limits plumbing, so a consumer on that path could not reach parity with the rest of the framework's SQLite surface."
18
- }
19
- ]
20
- },
21
- {
22
- "heading": "Fixed",
23
- "items": [
24
- {
25
- "title": "S3 Object-Lock version erasure is reachable through the framework delete path",
26
- "body": "On a versioning-enabled (Object-Lock) bucket, an unversioned DELETE only writes a delete-marker — the protected data version survives untouched — yet the framework's delete had no versionId surface, so it issued the unversioned form and reported success while the bytes the lock protects remained. A retention or legal hold could therefore look enforced to the framework caller while the operation WORM actually blocks was unreachable. The delete path now targets the exact version: deleting a version under a COMPLIANCE retention is refused (it throws, even with bypassGovernanceRetention), a no-retention version erases cleanly, and the enforcement is proven end-to-end against MinIO through the framework's own API."
27
- },
28
- {
29
- "title": "b.configDrift.verifyVendorIntegrity is now working-directory-independent",
30
- "body": "The vendored-dependency integrity check resolved each manifest file path against process.cwd(), so it only worked when run from the application root. Run from anywhere else it read-failed every entry (reporting ok:false), and under a crafted working directory that happened to contain a clean vendor tree it could hash a different tree than the one actually loaded. It now resolves each file under the framework's own vendor directory by default — the tree loaded at runtime — and honors an explicit libVendorDir for verifying a deployed tree elsewhere, so the result no longer depends on where the process was started."
31
- }
32
- ]
33
- },
34
- {
35
- "heading": "Security",
36
- "items": [
37
- {
38
- "title": "Build toolchain native binary pinned to a reviewed hash",
39
- "body": "The native bundler binary the build toolchain runs (esbuild's per-platform compiler, a development dependency that never ships in the runtime) is now verified against a SHA-256 pin captured by diffing the published package tarballs and hashing the binary. The build gate fails if the on-disk binary does not match the reviewed hash for its (version, platform); for a version that has not been reviewed it notes the gap and skips rather than trusting an unverified binary. A cross-artifact check keeps the version in agreement across package.json, the CI install step, and the hash map, so the gate can never quietly test a version that was never diffed — closing a real drift where CI had been installing an older patch than package.json declared. The reviewed diff is benign: version strings plus an installer size-bound and error-message hardening, no new install hooks, files, or network paths, and no runtime-dependency impact."
40
- }
41
- ]
42
- },
43
- {
44
- "heading": "Detectors",
45
- "items": [
46
- {
47
- "title": "Object-store erasure guard, esbuild-pin agreement, + structural re-anchoring of the lint detectors",
48
- "body": "A new guard locks the object-store delete path to the versioned-erasure contract: b.storage.deleteFile must thread versionId to the backend, so it can never silently revert to the WORM-blind unversioned delete. A second guard enforces that the esbuild build-tool version agrees across package.json, the CI install step, and the binary-hash map, so a future bump can't update one and leave the gate testing an unreviewed version. Separately, the framework's internal codebase-pattern lint detectors were re-anchored from fixed character spans to structural code boundaries, so they keep matching the code they guard as those functions grow rather than aging out of range; reviving them surfaced a few internal validation and transaction sites that now route through shared helpers (a required positive-integer-with-range validator and an async transaction wrapper) instead of hand-rolling the check. No public API change."
49
- }
50
- ]
51
- }
52
- ]
53
- }
@@ -1,52 +0,0 @@
1
- {
2
- "$schema": "../scripts/release-notes-schema.json",
3
- "version": "0.15.11",
4
- "date": "2026-06-14",
5
- "headline": "Replaces a family of quadratic-time regexes that hostile input could use to stall a worker with linear scans, refuses a relocatable sealed-cell downgrade on the read side, fails closed when enabling row-level security behind a non-native driver, and scans the vendored crypto for known CVEs on every build",
6
- "summary": "Several text-handling primitives stripped trailing whitespace or extracted a mail address with a regex whose backtracking is quadratic in the input length on adversarial strings — a request body, a YAML document, a CSV cell, or a From header crafted as a long run of spaces could pin a worker's CPU. Each is now a linear character scan with identical output. The HTML-content check the MCP tool surface applies gained the vbscript: and data:text/html vectors it was missing. On the data-at-rest side, an AAD-bound (or per-row-key) column now refuses a plain, unbound vault cell on read — a relocatable envelope an attacker with write access could copy in from another row defeats the cross-row binding, so the field is nulled rather than surfaced; operators mid-migration opt back in with registerTable({ allowPlainMigration: true }). declareRowPolicy now treats row-level-security as enabled only on a value that unambiguously means true, so a non-native Postgres driver that returns the string \"f\" can no longer be read as \"already on\" and silently skip the ENABLE that protects the table's rows. Finally, because the framework's crypto is vendored rather than installed, npm audit and Dependabot never see it: every build now matches the vendored versions against the OSV vulnerability database, with a complementary Semgrep pass and workflow-file static analysis alongside.",
7
- "sections": [
8
- {
9
- "heading": "Added",
10
- "items": [
11
- {
12
- "title": "b.safeBuffer.indexAfterOpenTag(html, tagName)",
13
- "body": "A linear helper that returns the offset just past a `<tag ...>` opening tag (case-insensitive), or -1 when absent or unterminated — the insertion point a response rewriter uses to splice content after <body> or <head> without a regex. It replaces the O(n^2) html.match(/<body[^>]*>/i) shape and is stricter than it: a real tag boundary is required after the name, so <bodyfoo> is not mistaken for <body>."
14
- }
15
- ]
16
- },
17
- {
18
- "heading": "Security",
19
- "items": [
20
- {
21
- "title": "Linear-time replacements across a family of quadratic regexes (ReDoS class)",
22
- "body": "Several primitives located or stripped text with a regex whose backtracking is quadratic in V8 on adversarial input (CWE-1333): b.safeBuffer and the safe-env / safe-yaml / guard-csv parsers stripped trailing horizontal whitespace with /[ \\t]+$/; b.mail extracted the address from a `Name <addr>` header with /<([^>]+)>/; the bot-disclosure and speculation-rules response middleware found the <body> insertion point with /<body[^>]*>/i; and the BIMI certificate-chain splitter walked PEM blocks with a lazy /BEGIN[\\s\\S]*?END/ scan. A crafted field — a long run of spaces, an unterminated bracket, a body carrying many <body starts with no closing >, a chain of BEGIN markers — could drive a worker's CPU to seconds of work. Each is now a linear scan: a shared b.safeBuffer.stripTrailingHspace (backward char walk), b.safeBuffer.indexAfterOpenTag (forward indexOf walk for the tag insertion point), a forward indexOf for address extraction, and an indexOf walk for the PEM split. Output is byte-identical (the tag-find is stricter — it no longer mistakes <bodyfoo> for <body>), and 400K-character adversarial inputs that took 8–85 seconds now complete in under 2 ms."
23
- },
24
- {
25
- "title": "MCP HTML-content check covers vbscript: and data:text/html",
26
- "body": "The dangerous-markup check applied to text/html tool content matched <script>/<iframe>/<object>/<embed> and javascript: URLs but not the vbscript: scheme or data:text/html payloads. Both are now refused; data: URLs carrying non-HTML media (data:image/png and similar) are unaffected."
27
- },
28
- {
29
- "title": "AAD-bound columns refuse a plain sealed cell on read",
30
- "body": "b.cryptoField.unsealRow now refuses a plain, unbound vault: envelope found on an AAD-bound (or per-row-key) column and nulls the field instead of returning it. A plain envelope carries no per-cell binding, so a writer who could place one — copied from anywhere under the same vault root — would otherwise relocate a value across rows or columns and defeat the copy-protection the AAD binding advertises. Operators migrating pre-AAD rows up to bound ciphertext opt into a bounded acceptance window with registerTable({ allowPlainMigration: true }) and clear it when migration completes."
31
- },
32
- {
33
- "title": "Row-level-security enablement fails closed on non-native drivers",
34
- "body": "b.db.declareRowPolicy read pg_class.relrowsecurity to skip a redundant ENABLE ROW LEVEL SECURITY, but tested it with a bare truthiness check. A native pg driver returns a JS boolean; a proxy or ORM may return the string \"f\" for a disabled table — and \"f\" is truthy, so the check read it as already-enabled and silently skipped the ENABLE, leaving every row in the table unprotected while the migration reported success. RLS now counts as enabled only on a value that unambiguously means true (true, 1, or \"t\"/\"true\"/\"1\"/\"on\"/\"yes\"); every other shape re-issues ENABLE, a harmless no-op on an already-enabled table."
35
- },
36
- {
37
- "title": "Vendored-crypto CVE scanning, complementary SAST, and workflow static analysis in CI",
38
- "body": "The framework ships zero npm runtime dependencies — its crypto (the noble suite, the WebAuthn server, the PKI layer) is vendored under lib/vendor/, where npm audit, Dependabot, and Socket cannot see it. Every build now generates a CycloneDX SBOM of the vendored tree (each library carrying an npm purl) and runs it through OSV-Scanner, matching the exact pinned version against the OSV vulnerability database; a published CVE or GHSA affecting a vendored version fails the build so the copy is refreshed before merge. A Semgrep pass (registry security-audit + javascript packs at ERROR severity) runs alongside CodeQL as complementary SAST, and actionlint statically checks the workflow files. All three install the OSS tool from its upstream release, matching the existing secret-scan gate's posture."
39
- }
40
- ]
41
- },
42
- {
43
- "heading": "Detectors",
44
- "items": [
45
- {
46
- "title": "Quadratic trailing-whitespace and tag-find regex detectors",
47
- "body": "Two codebase-pattern detectors refuse reintroduction of the quadratic shapes: the /[ \\t]+$/ trailing-whitespace strip (as .replace, .test, or via the named TRAILING_HSPACE_RE export) outside the linear helper that owns it, and the str.match(/<tag[^>]*>/) document-tag find that the response middleware must route through b.safeBuffer.indexAfterOpenTag. Each is proven to fire on the removed shape and stay silent on the linear replacement, so the ReDoS class cannot creep back into a new parser, guard, or response rewriter."
48
- }
49
- ]
50
- }
51
- ]
52
- }
@@ -1,47 +0,0 @@
1
- {
2
- "$schema": "../scripts/release-notes-schema.json",
3
- "version": "0.15.12",
4
- "date": "2026-06-14",
5
- "headline": "Hardens a set of defense-in-depth seams: a single-pass structured-field unescape, a constant-time content-digest member match, complete reserved-character stripping, a Trojan-Source escape on the boot logger, generic body-parse error responses, and an audit trail whenever outbound TLS certificate validation is disabled",
6
- "summary": "A sweep of low-severity but real hardening items. RFC 8941 structured-field string values (HTTP Message Signatures, Client Hints, Cache-Control) were un-escaped with two chained replaces that mis-decoded an escaped backslash adjacent to another escape; they now use one left-to-right pass that decodes each escape exactly once. The HTTP Message Signature content-digest check dropped a dead identity-replace and now matches the sha3-512 member by an exact, top-level, constant-time comparison instead of an unanchored substring scan. b.guardFilename's reserved-character strip used a non-global regex that left every separator after the first; it now strips all of them. The boot logger's TTY branch wrote raw text, bypassing the Trojan-Source / control-character escape the main logger applies — it now escapes the bidi and C0/newline control classes on every sink. The body parser no longer echoes a caught exception's detail (an fs errno + temp path, or a parse hook's thrown message) to the HTTP client — the client gets a generic status phrase while the full detail stays on the audit chain. And any outbound TLS connection that runs with peer-certificate validation disabled (an explicit operator opt-in, never a default) now emits a tls.insecure_skip_verify audit + observability event so the degraded posture is visible for compliance and incident response.",
7
- "sections": [
8
- {
9
- "heading": "Added",
10
- "items": [
11
- {
12
- "title": "b.structuredFields.unescapeSfStringBody(body)",
13
- "body": "A single-pass decode of the RFC 8941 §3.3.3 quoted-string backslash escapes (the bytes between the surrounding quotes). It replaces the chained two-`.replace()` form, which is not equivalent to one decode — whichever pass runs first can rewrite a backslash the other escape sequence owns, so a lone escaped backslash decoded to two. The HTTP Message Signature, Client Hints, and Cache-Control sf-string readers now route through it."
14
- },
15
- {
16
- "title": "tls.insecure_skip_verify audit event",
17
- "body": "b.network.tls.auditInsecureTls(meta) emits an audit + observability event at the point an outbound TLS connection honors rejectUnauthorized:false / allowInsecure. The connectWithEch, OTLP-gRPC log stream, syslog-TLS log stream, and SMTP transports all emit it when an operator disables certificate validation — parallel to the existing tls.classical_downgrade audit. No default changes; the framework never disables validation itself."
18
- }
19
- ]
20
- },
21
- {
22
- "heading": "Security",
23
- "items": [
24
- {
25
- "title": "Single-pass structured-field string unescape",
26
- "body": "The RFC 8941 sf-string readers in HTTP Message Signatures (Signature-Input covered-component names), Client Hints, and Cache-Control directive values un-escaped with `.replace(/\\\\\\\\/g,\"\\\\\").replace(/\\\\\"/g,'\"')` — two sequential passes that mis-decode adjacent escapes (a lone escaped backslash became two). All four sites now use the single-pass b.structuredFields.unescapeSfStringBody. It is fail-closed (a mis-decoded covered-component name just fails the signature check, never bypasses it); the fix restores RFC-conformant interop with peers that legitimately escape these values."
27
- },
28
- {
29
- "title": "Constant-time, member-anchored content-digest verification",
30
- "body": "b.crypto.httpSig.verify's covered content-digest check dropped a dead no-op replace and now parses the Content-Digest header into its top-level members and matches the sha3-512 member EXACTLY, in constant time (b.crypto.timingSafeEqual), rather than scanning for the digest text as a substring anywhere in the header. The Content-Digest header is already bound by the signature, so the substring form was not reachably exploitable; the change removes the latent ambiguity and the timing channel."
31
- },
32
- {
33
- "title": "Reserved-character filename strip removes every occurrence",
34
- "body": "b.guardFilename's reservedCharPolicy:\"strip\" (the permissive profile) used a non-global regex, so only the FIRST reserved character — including path separators — was replaced and the rest leaked through. The strip is now global: every reserved character is removed. Not a traversal bypass (the unconditional security floor still throws on `..`, null bytes, NTFS ADS, UNC, overlong UTF-8), but the strip is now complete and consistent."
35
- },
36
- {
37
- "title": "Boot logger escapes control + bidi characters on every sink",
38
- "body": "The boot-time logger's TTY branch wrote the raw message, bypassing the Trojan-Source (bidi) and control-character escapes the main logger applies — a hostile message could forge extra log lines on a terminal (CWE-117) or re-order the visible line (CVE-2021-42574). Both boot branches now escape the bidi and C0/newline control classes, matching the create() path and the logger's advertised guarantee."
39
- },
40
- {
41
- "title": "Body-parser error responses never echo internal detail",
42
- "body": "The body-parser's terminal error path surfaced a caught exception's message verbatim to the HTTP client — a multipart filesystem error leaked the errno + temp path, and a parse hook's thrown error (which can carry secrets) was echoed back. The client now gets a curated message only for a framework-classified 4xx error and a generic status phrase otherwise; the parse-hook wrapper carries a fixed message, and full diagnostics stay on the audit chain server-side (CWE-209). The cluster leader-discovery endpoint's error body is generalized the same way."
43
- }
44
- ]
45
- }
46
- ]
47
- }
@@ -1,81 +0,0 @@
1
- {
2
- "$schema": "../scripts/release-notes-schema.json",
3
- "version": "0.15.13",
4
- "date": "2026-06-19",
5
- "headline": "Consolidates a large set of duplicated, security-sensitive code paths — injected-dependency validation, positive-integer option caps, TOCTOU-safe file reads, markup escaping, audit emission, structured-field parsing, and untrusted-JWK import — onto shared hardened primitives, so a fix or guard now applies everywhere at once; adds a TOCTOU-safe file reader; and makes several configuration errors throw typed framework errors instead of a bare Error",
6
- "summary": "Across the framework, logic that had been hand-rolled in many places (and had quietly drifted between copies) is now single-sourced through shared primitives. The practical effect for operators is consistency: the strongest available guard is applied everywhere a given operation happens, rather than in whichever copy happened to have it. Injected dependencies (stores, backends, vaults, db handles, query objects) are validated through one contract; operator-tunable positive-integer options (pool sizes, byte caps, timeouts, stream limits) validate through one bounds primitive that forwards the caller's non-retryable / HTTP-status flags; the open-fd → fstat → read-fully pattern that several call sites used to defend file reads against a swap-after-stat race (CWE-367) is now the b.atomicFile.fdSafeReadSync primitive, with symlink refusal, inode-equality, a byte cap, and an integrity hash available as options and each caller's exact typed error preserved; and the XML/HTML markup escapers (including the b.guardHtml / b.guardSvg sanitizer output) route through one b.markupEscape so the base & < > \" chain can't drift between them. A few configuration-validation paths that threw a bare Error (httpClient.configurePool, b.db stream-limit validation) now throw the module's typed framework error. No security defaults change; this release tightens and unifies existing protections rather than adding opt-ins.",
7
- "sections": [
8
- {
9
- "heading": "Added",
10
- "items": [
11
- {
12
- "title": "b.atomicFile.fdSafeReadSync(filepath, opts?)",
13
- "body": "A TOCTOU-safe synchronous file read (CWE-367 / js/file-system-race): it opens the path read-only, then binds the size, content, and integrity measurement to the inode the fd holds open, so a swap between stat and read can't change which bytes are returned. Optional guards layer on top — maxBytes (refuse an over-cap file), refuseSymlink + inodeCheck (refuse a symlink source and any inode swap, the strongest posture for operator-writable paths), expectedHash (SHA3-512), encoding (return a string), allowShortRead — and an errorFor(kind, detail) callback lets each caller keep its own typed error. The framework's own file reads (atomic-file, the TLS certificate-path loader, the sealed-PEM source reader, the backup bundle reader) all route through it."
14
- },
15
- {
16
- "title": "Shared substrate primitives for previously-duplicated logic",
17
- "body": "A set of shared primitives now back call sites that had each re-implemented the same logic: validateOpts.requireMethods (gains a `permanent` flag) for injected-dependency contract checks; numericBounds positive-finite-int validators (gain an errorOpts { permanent, statusCode }) for tunable integer options; b.markupEscape for the & < > \" markup chain; structured-field parsing helpers (parseTagList, forEachKeyValue, splitUnquoted, stripDoubleQuotes, unfoldHeaderContinuations); crypto.importPublicJwk and crypto.makeBase64UrlDecoder; safeSql.toPositional; safeBuffer.makeByteCoercer; nonceStore.enforceReplay; and the audit/observability namespaced emitters. These are mostly invisible substrate — the operator-visible benefit is that a guard or fix added to one of them now covers every caller."
18
- }
19
- ]
20
- },
21
- {
22
- "heading": "Changed",
23
- "items": [
24
- {
25
- "title": "Configuration errors throw typed framework errors",
26
- "body": "Two configuration-validation paths that threw a bare `Error` now throw the module's typed framework error: httpClient.configurePool (bad maxSockets / maxFreeSockets / keepAliveMsecs → HttpClientError, code httpclient/bad-opts) and the b.db stream-limit validation (Query.stream → DbQueryError). The thrown error remains an Error subclass, so existing `instanceof Error` / try-catch handling is unaffected; code that matched the old free-text message should match the typed error's `code` instead. Several routed validators also report a slightly more precise message (\"positive finite integer\" instead of \"positive integer\")."
27
- }
28
- ]
29
- },
30
- {
31
- "heading": "Security",
32
- "items": [
33
- {
34
- "title": "TOCTOU-safe file reads applied uniformly",
35
- "body": "The open-fd → fstat → read pattern that anchors a file read to one inode against a swap-after-stat race is now centralized in b.atomicFile.fdSafeReadSync, and every framework file read routes through it. The sealed-PEM source reader keeps the strongest posture (symlink refusal + inode-equality + byte cap), and those guards are now available as options to any caller — a re-introduced hand-rolled read-loop is flagged by a codebase-pattern detector."
36
- },
37
- {
38
- "title": "Injected-dependency and integer-option validation can't silently drift",
39
- "body": "Injected stores / backends / vaults / db handles / query objects are validated through one contract (validateOpts.requireMethods), and operator-tunable positive-integer options through one bounds primitive (numericBounds), both forwarding the caller's non-retryable / HTTP-status error flags so a config error stays permanent / carries its 4xx. Inverse detectors flag any re-introduced inline check, so the validation can no longer be partially copied or weakened in one place."
40
- },
41
- {
42
- "title": "Single markup-escape chain for the HTML/SVG sanitizers",
43
- "body": "The b.guardHtml and b.guardSvg sanitizer output escapers, the AI-Act transparency and mail HTML escapers, and the XML report escapers now share one b.markupEscape for the base & < > \" chain (apostrophe form as a parameter; each caller keeps its own input coercion and any extra escapes such as guardHtml.escapeAttr's backtick / = IE-attribute-injection hardening). Byte-for-byte parity with the prior escapers was verified across an XSS-vector corpus, so the consolidation cannot have introduced an escaping gap; a re-inlined & < > \" chain anywhere else is flagged by a detector."
44
- },
45
- {
46
- "title": "One hardening point for untrusted public-JWK import",
47
- "body": "The createPublicKey-from-JWK call that imports attacker-controlled key material (DID publicKeyJwk, DNSKEY, COSE_Key, DPoP / OAuth / OIDC / DBSC proof JWKs) is centralized in b.crypto.importPublicJwk, so the untrusted-key import has a single audited home; each caller keeps its own kty/crv pre-validation and typed error."
48
- },
49
- {
50
- "title": "Linear-time Content-Security-Policy header parsing",
51
- "body": "The CSP response-header parser split directives on a `/\\s*,\\s*/` regex that ran in O(n^2) on a long comma-less run of whitespace, letting a crafted header stall a worker (js/polynomial-redos). It now splits on the literal comma and trims each item, which is linear and byte-for-byte equivalent."
52
- },
53
- {
54
- "title": "Parsed INI and OpenAPI path maps can't reach Object.prototype",
55
- "body": "The INI parser already refuses a `__proto__` / `constructor` / `prototype` section or key (it throws before any write); as defense-in-depth, every parsed node — and the OpenAPI paths map keyed by URL pattern — is now a null-prototype object, so even a future gap could only ever set an own property, never mutate Object.prototype (CWE-1321)."
56
- }
57
- ]
58
- },
59
- {
60
- "heading": "Fixed",
61
- "items": [
62
- {
63
- "title": "Webhook deliveries retry transient transport failures instead of dead-lettering them",
64
- "body": "A delivery that failed with a transient transport error (connection reset, timeout, 5xx) was recorded as permanently failed and dead-lettered rather than retried. The destination-safety check (SSRF / blocked-host guard) now runs in its own step and is the only permanent failure; a transport failure backs off and retries up to the configured limit."
65
- },
66
- {
67
- "title": "Webhook deliveries table creates on MySQL",
68
- "body": "The pending-delivery index used a partial-index (WHERE) clause that MySQL does not support, so the deliveries table failed to create on a MySQL backend. The index is now dialect-aware — partial on PostgreSQL / SQLite, plain on MySQL."
69
- },
70
- {
71
- "title": "Inline webhook delivery can't be double-sent by concurrent retry processing",
72
- "body": "An inline delivery is now claimed (status set to in-flight with a claim timestamp) before the POST, so a concurrent retry pass can't pick up and re-send the same delivery; a row left in-flight by a crash is reclaimed after the stale-claim window."
73
- },
74
- {
75
- "title": "Audit checkpoint can never be anchored against a replaced database",
76
- "body": "close() fires a best-effort final checkpoint as the database shuts down. In a narrow close-then-reopen window that checkpoint's write could resume after a fresh database had opened and anchor the prior database's chain tip into it. checkpoint() now binds to the database it read the tip from and refuses to write (returns null, fail-closed) if that handle has since been closed or replaced — so a checkpoint is only ever written against the database it measured."
77
- }
78
- ]
79
- }
80
- ]
81
- }