@blamejs/blamejs-shop 0.5.5 → 0.5.7
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/CHANGELOG.md +4 -0
- package/README.md +1 -1
- package/lib/asset-manifest.json +1 -1
- package/lib/storefront.js +30 -17
- package/lib/vendor/MANIFEST.json +1395 -1409
- package/lib/vendor/blamejs/.clusterfuzzlite/Dockerfile +1 -1
- package/lib/vendor/blamejs/.github/dependabot.yml +12 -2
- package/lib/vendor/blamejs/.github/workflows/cflite_batch.yml +3 -3
- package/lib/vendor/blamejs/.github/workflows/cflite_pr.yml +3 -3
- package/lib/vendor/blamejs/.github/workflows/ci.yml +34 -29
- package/lib/vendor/blamejs/.github/workflows/codeql.yml +2 -2
- package/lib/vendor/blamejs/.github/workflows/npm-publish.yml +6 -6
- package/lib/vendor/blamejs/.github/workflows/release-container.yml +8 -8
- package/lib/vendor/blamejs/.github/workflows/scorecard.yml +1 -1
- package/lib/vendor/blamejs/.gitignore +6 -6
- package/lib/vendor/blamejs/CHANGELOG.md +68 -0
- package/lib/vendor/blamejs/CONTRIBUTING.md +16 -0
- package/lib/vendor/blamejs/README.md +2 -1
- package/lib/vendor/blamejs/ROADMAP.md +51 -0
- package/lib/vendor/blamejs/SECURITY.md +52 -1
- package/lib/vendor/blamejs/api-snapshot.json +22 -2
- package/lib/vendor/blamejs/bench/_helpers.js +2 -0
- package/lib/vendor/blamejs/bench/crypto-hash.bench.js +2 -0
- package/lib/vendor/blamejs/bench/crypto-symmetric.bench.js +2 -0
- package/lib/vendor/blamejs/bench/run.js +2 -0
- package/lib/vendor/blamejs/bench/safe-json.bench.js +2 -0
- package/lib/vendor/blamejs/bin/blamejs.js +2 -0
- package/lib/vendor/blamejs/examples/wiki/Dockerfile +1 -1
- package/lib/vendor/blamejs/examples/wiki/lib/auto-site-entries.js +2 -0
- package/lib/vendor/blamejs/examples/wiki/lib/build-app.js +9 -1
- package/lib/vendor/blamejs/examples/wiki/lib/harvest-cli.js +2 -0
- package/lib/vendor/blamejs/examples/wiki/lib/harvest-env-vars.js +2 -0
- package/lib/vendor/blamejs/examples/wiki/lib/harvest-errors.js +2 -0
- package/lib/vendor/blamejs/examples/wiki/lib/harvest-vendored-deps.js +2 -0
- package/lib/vendor/blamejs/examples/wiki/lib/html-entities.js +2 -0
- package/lib/vendor/blamejs/examples/wiki/lib/nav.js +2 -0
- package/lib/vendor/blamejs/examples/wiki/lib/opts-resolver.js +2 -0
- package/lib/vendor/blamejs/examples/wiki/lib/page-generator.js +2 -0
- package/lib/vendor/blamejs/examples/wiki/lib/section.js +2 -0
- package/lib/vendor/blamejs/examples/wiki/lib/source-comment-block-validator.js +2 -0
- package/lib/vendor/blamejs/examples/wiki/lib/source-doc-parser.js +2 -0
- package/lib/vendor/blamejs/examples/wiki/lib/symbol-index.js +2 -0
- package/lib/vendor/blamejs/examples/wiki/migrations/0001-pages-schema.js +2 -0
- package/lib/vendor/blamejs/examples/wiki/package-lock.json +30 -0
- package/lib/vendor/blamejs/examples/wiki/routes/admin.js +2 -0
- package/lib/vendor/blamejs/examples/wiki/routes/integration.js +2 -0
- package/lib/vendor/blamejs/examples/wiki/routes/pages.js +2 -0
- package/lib/vendor/blamejs/examples/wiki/scripts/backfill-module-metadata.js +2 -0
- package/lib/vendor/blamejs/examples/wiki/seeders/prod/0001-default-pages.js +2 -0
- package/lib/vendor/blamejs/examples/wiki/seeders/prod/pages/_index.js +2 -0
- package/lib/vendor/blamejs/examples/wiki/seeders/prod/pages/api.js +2 -0
- package/lib/vendor/blamejs/examples/wiki/server.js +2 -0
- package/lib/vendor/blamejs/examples/wiki/site.config.js +2 -0
- package/lib/vendor/blamejs/examples/wiki/snippets/auth/password-hash.example.js +2 -0
- package/lib/vendor/blamejs/examples/wiki/src/editor.js +2 -0
- package/lib/vendor/blamejs/examples/wiki/src/wiki.js +2 -0
- package/lib/vendor/blamejs/examples/wiki/test/codebase-patterns.test.js +2 -0
- package/lib/vendor/blamejs/examples/wiki/test/e2e.js +23 -0
- package/lib/vendor/blamejs/examples/wiki/test/find-missing-pages.js +2 -0
- package/lib/vendor/blamejs/examples/wiki/test/integration.js +2 -0
- package/lib/vendor/blamejs/examples/wiki/test/validate-cli-snapshot.js +2 -0
- package/lib/vendor/blamejs/examples/wiki/test/validate-env-snapshot.js +2 -0
- package/lib/vendor/blamejs/examples/wiki/test/validate-nav-coverage.js +2 -0
- package/lib/vendor/blamejs/examples/wiki/test/validate-site-coverage.js +2 -0
- package/lib/vendor/blamejs/examples/wiki/test/validate-source-comment-blocks.js +2 -0
- package/lib/vendor/blamejs/examples/wiki/wiki.config.js +2 -0
- package/lib/vendor/blamejs/fuzz/_expected.js +2 -0
- package/lib/vendor/blamejs/fuzz/guard-agent-registry.fuzz.js +2 -0
- package/lib/vendor/blamejs/fuzz/guard-csv.fuzz.js +2 -0
- package/lib/vendor/blamejs/fuzz/guard-dsn.fuzz.js +2 -0
- package/lib/vendor/blamejs/fuzz/guard-email.fuzz.js +2 -0
- package/lib/vendor/blamejs/fuzz/guard-envelope.fuzz.js +2 -0
- package/lib/vendor/blamejs/fuzz/guard-event-bus-payload.fuzz.js +2 -0
- package/lib/vendor/blamejs/fuzz/guard-event-bus-topic.fuzz.js +2 -0
- package/lib/vendor/blamejs/fuzz/guard-html.fuzz.js +2 -0
- package/lib/vendor/blamejs/fuzz/guard-idempotency-key.fuzz.js +2 -0
- package/lib/vendor/blamejs/fuzz/guard-imap-command.fuzz.js +2 -0
- package/lib/vendor/blamejs/fuzz/guard-jmap.fuzz.js +2 -0
- package/lib/vendor/blamejs/fuzz/guard-json.fuzz.js +2 -0
- package/lib/vendor/blamejs/fuzz/guard-list-id.fuzz.js +2 -0
- package/lib/vendor/blamejs/fuzz/guard-list-unsubscribe.fuzz.js +2 -0
- package/lib/vendor/blamejs/fuzz/guard-mail-compose.fuzz.js +2 -0
- package/lib/vendor/blamejs/fuzz/guard-mail-move.fuzz.js +2 -0
- package/lib/vendor/blamejs/fuzz/guard-mail-query.fuzz.js +2 -0
- package/lib/vendor/blamejs/fuzz/guard-mail-reply.fuzz.js +2 -0
- package/lib/vendor/blamejs/fuzz/guard-mail-sieve.fuzz.js +2 -0
- package/lib/vendor/blamejs/fuzz/guard-managesieve-command.fuzz.js +2 -0
- package/lib/vendor/blamejs/fuzz/guard-markdown.fuzz.js +2 -0
- package/lib/vendor/blamejs/fuzz/guard-message-id.fuzz.js +2 -0
- package/lib/vendor/blamejs/fuzz/guard-pop3-command.fuzz.js +2 -0
- package/lib/vendor/blamejs/fuzz/guard-posture-chain.fuzz.js +2 -0
- package/lib/vendor/blamejs/fuzz/guard-saga-config.fuzz.js +2 -0
- package/lib/vendor/blamejs/fuzz/guard-smtp-command.fuzz.js +2 -0
- package/lib/vendor/blamejs/fuzz/guard-snapshot-envelope.fuzz.js +2 -0
- package/lib/vendor/blamejs/fuzz/guard-sql.fuzz.js +2 -0
- package/lib/vendor/blamejs/fuzz/guard-stream-args.fuzz.js +2 -0
- package/lib/vendor/blamejs/fuzz/guard-svg.fuzz.js +2 -0
- package/lib/vendor/blamejs/fuzz/guard-tenant-id.fuzz.js +2 -0
- package/lib/vendor/blamejs/fuzz/guard-text.fuzz.js +2 -0
- package/lib/vendor/blamejs/fuzz/guard-trace-context.fuzz.js +2 -0
- package/lib/vendor/blamejs/fuzz/guard-xml.fuzz.js +2 -0
- package/lib/vendor/blamejs/fuzz/guard-yaml.fuzz.js +2 -0
- package/lib/vendor/blamejs/fuzz/package-lock.json +1239 -0
- package/lib/vendor/blamejs/fuzz/package.json +10 -0
- package/lib/vendor/blamejs/fuzz/parsers__safe-ini.fuzz.js +2 -0
- package/lib/vendor/blamejs/fuzz/parsers__safe-toml.fuzz.js +2 -0
- package/lib/vendor/blamejs/fuzz/parsers__safe-xml.fuzz.js +2 -0
- package/lib/vendor/blamejs/fuzz/parsers__safe-yaml.fuzz.js +2 -0
- package/lib/vendor/blamejs/fuzz/safe-archive.fuzz.js +2 -0
- package/lib/vendor/blamejs/fuzz/safe-decompress.fuzz.js +2 -0
- package/lib/vendor/blamejs/fuzz/safe-dns.fuzz.js +2 -0
- package/lib/vendor/blamejs/fuzz/safe-ical.fuzz.js +2 -0
- package/lib/vendor/blamejs/fuzz/safe-icap.fuzz.js +2 -0
- package/lib/vendor/blamejs/fuzz/safe-json.fuzz.js +2 -0
- package/lib/vendor/blamejs/fuzz/safe-jsonpath.fuzz.js +2 -0
- package/lib/vendor/blamejs/fuzz/safe-mime.fuzz.js +2 -0
- package/lib/vendor/blamejs/fuzz/safe-mount-info.fuzz.js +2 -0
- package/lib/vendor/blamejs/fuzz/safe-sieve.fuzz.js +2 -0
- package/lib/vendor/blamejs/fuzz/safe-smtp.fuzz.js +2 -0
- package/lib/vendor/blamejs/fuzz/safe-url.fuzz.js +2 -0
- package/lib/vendor/blamejs/fuzz/safe-vcard.fuzz.js +2 -0
- package/lib/vendor/blamejs/index.js +2 -0
- package/lib/vendor/blamejs/lib/_test/crypto-fixtures.js +2 -0
- package/lib/vendor/blamejs/lib/a2a-tasks.js +2 -0
- package/lib/vendor/blamejs/lib/a2a.js +2 -0
- package/lib/vendor/blamejs/lib/acme.js +7 -1
- package/lib/vendor/blamejs/lib/agent-audit.js +2 -0
- package/lib/vendor/blamejs/lib/agent-envelope-mac.js +2 -0
- package/lib/vendor/blamejs/lib/agent-event-bus.js +2 -0
- package/lib/vendor/blamejs/lib/agent-idempotency.js +2 -0
- package/lib/vendor/blamejs/lib/agent-orchestrator.js +10 -2
- package/lib/vendor/blamejs/lib/agent-posture-chain.js +2 -0
- package/lib/vendor/blamejs/lib/agent-saga.js +2 -0
- package/lib/vendor/blamejs/lib/agent-snapshot.js +2 -0
- package/lib/vendor/blamejs/lib/agent-stream.js +2 -0
- package/lib/vendor/blamejs/lib/agent-tenant.js +11 -2
- package/lib/vendor/blamejs/lib/agent-trace.js +2 -0
- package/lib/vendor/blamejs/lib/ai-adverse-decision.js +2 -0
- package/lib/vendor/blamejs/lib/ai-aedt-bias-audit.js +2 -0
- package/lib/vendor/blamejs/lib/ai-capability.js +2 -0
- package/lib/vendor/blamejs/lib/ai-content-detect.js +2 -0
- package/lib/vendor/blamejs/lib/ai-disclosure.js +2 -0
- package/lib/vendor/blamejs/lib/ai-dp.js +2 -0
- package/lib/vendor/blamejs/lib/ai-frontier-protocol.js +2 -0
- package/lib/vendor/blamejs/lib/ai-input.js +2 -0
- package/lib/vendor/blamejs/lib/ai-model-manifest.js +2 -0
- package/lib/vendor/blamejs/lib/ai-output.js +2 -0
- package/lib/vendor/blamejs/lib/ai-pref.js +2 -0
- package/lib/vendor/blamejs/lib/ai-prompt.js +2 -0
- package/lib/vendor/blamejs/lib/ai-quota.js +2 -0
- package/lib/vendor/blamejs/lib/api-key.js +2 -0
- package/lib/vendor/blamejs/lib/api-snapshot.js +2 -0
- package/lib/vendor/blamejs/lib/app-shutdown.js +2 -0
- package/lib/vendor/blamejs/lib/app.js +2 -0
- package/lib/vendor/blamejs/lib/archive-adapters.js +2 -0
- package/lib/vendor/blamejs/lib/archive-entry-policy.js +2 -0
- package/lib/vendor/blamejs/lib/archive-gz.js +2 -0
- package/lib/vendor/blamejs/lib/archive-read.js +2 -0
- package/lib/vendor/blamejs/lib/archive-tar-read.js +2 -0
- package/lib/vendor/blamejs/lib/archive-tar.js +9 -0
- package/lib/vendor/blamejs/lib/archive-wrap.js +2 -0
- package/lib/vendor/blamejs/lib/archive.js +6 -0
- package/lib/vendor/blamejs/lib/arg-parser.js +2 -0
- package/lib/vendor/blamejs/lib/argon2-builtin.js +2 -0
- package/lib/vendor/blamejs/lib/asn1-der.js +2 -0
- package/lib/vendor/blamejs/lib/asyncapi-bindings.js +2 -0
- package/lib/vendor/blamejs/lib/asyncapi-traits.js +2 -0
- package/lib/vendor/blamejs/lib/asyncapi.js +2 -0
- package/lib/vendor/blamejs/lib/atomic-file.js +2 -0
- package/lib/vendor/blamejs/lib/audit-chain.js +2 -0
- package/lib/vendor/blamejs/lib/audit-daily-review.js +2 -0
- package/lib/vendor/blamejs/lib/audit-emit.js +2 -0
- package/lib/vendor/blamejs/lib/audit-sign.js +2 -0
- package/lib/vendor/blamejs/lib/audit-tools.js +2 -0
- package/lib/vendor/blamejs/lib/audit.js +2 -0
- package/lib/vendor/blamejs/lib/auth/aal.js +2 -0
- package/lib/vendor/blamejs/lib/auth/access-lock.js +2 -0
- package/lib/vendor/blamejs/lib/auth/acr-vocabulary.js +2 -0
- package/lib/vendor/blamejs/lib/auth/ato-kill-switch.js +48 -11
- package/lib/vendor/blamejs/lib/auth/auth-time-tracker.js +2 -0
- package/lib/vendor/blamejs/lib/auth/bot-challenge.js +2 -0
- package/lib/vendor/blamejs/lib/auth/ciba.js +2 -0
- package/lib/vendor/blamejs/lib/auth/dpop.js +2 -0
- package/lib/vendor/blamejs/lib/auth/elevation-grant.js +2 -0
- package/lib/vendor/blamejs/lib/auth/fal.js +2 -0
- package/lib/vendor/blamejs/lib/auth/fido-mds3.js +11 -7
- package/lib/vendor/blamejs/lib/auth/jar.js +4 -1
- package/lib/vendor/blamejs/lib/auth/jwt-external.js +16 -3
- package/lib/vendor/blamejs/lib/auth/jwt.js +2 -0
- package/lib/vendor/blamejs/lib/auth/lockout.js +237 -104
- package/lib/vendor/blamejs/lib/auth/oauth.js +98 -17
- package/lib/vendor/blamejs/lib/auth/oid4vci.js +58 -17
- package/lib/vendor/blamejs/lib/auth/oid4vp.js +2 -0
- package/lib/vendor/blamejs/lib/auth/openid-federation.js +2 -0
- package/lib/vendor/blamejs/lib/auth/passkey.js +2 -0
- package/lib/vendor/blamejs/lib/auth/password.js +2 -0
- package/lib/vendor/blamejs/lib/auth/saml.js +68 -7
- package/lib/vendor/blamejs/lib/auth/sd-jwt-vc-disclosure.js +2 -0
- package/lib/vendor/blamejs/lib/auth/sd-jwt-vc-holder.js +2 -0
- package/lib/vendor/blamejs/lib/auth/sd-jwt-vc-issuer.js +2 -0
- package/lib/vendor/blamejs/lib/auth/sd-jwt-vc.js +9 -0
- package/lib/vendor/blamejs/lib/auth/status-list.js +7 -0
- package/lib/vendor/blamejs/lib/auth/step-up-policy.js +2 -0
- package/lib/vendor/blamejs/lib/auth/step-up.js +2 -0
- package/lib/vendor/blamejs/lib/auth-bot-challenge.js +5 -8
- package/lib/vendor/blamejs/lib/auth-header.js +2 -0
- package/lib/vendor/blamejs/lib/backup/bundle.js +2 -0
- package/lib/vendor/blamejs/lib/backup/crypto.js +2 -0
- package/lib/vendor/blamejs/lib/backup/index.js +14 -0
- package/lib/vendor/blamejs/lib/backup/manifest.js +2 -0
- package/lib/vendor/blamejs/lib/base32.js +2 -0
- package/lib/vendor/blamejs/lib/boot-gates.js +2 -0
- package/lib/vendor/blamejs/lib/bounded-map.js +3 -1
- package/lib/vendor/blamejs/lib/breach-deadline.js +2 -0
- package/lib/vendor/blamejs/lib/break-glass.js +10 -9
- package/lib/vendor/blamejs/lib/budr.js +2 -0
- package/lib/vendor/blamejs/lib/bundler.js +2 -0
- package/lib/vendor/blamejs/lib/cache-redis.js +2 -0
- package/lib/vendor/blamejs/lib/cache-status.js +2 -0
- package/lib/vendor/blamejs/lib/cache.js +13 -5
- package/lib/vendor/blamejs/lib/calendar.js +2 -0
- package/lib/vendor/blamejs/lib/canonical-json.js +19 -3
- package/lib/vendor/blamejs/lib/cbor.js +2 -0
- package/lib/vendor/blamejs/lib/cdn-cache-control.js +2 -0
- package/lib/vendor/blamejs/lib/cert.js +2 -0
- package/lib/vendor/blamejs/lib/chain-writer.js +2 -0
- package/lib/vendor/blamejs/lib/circuit-breaker.js +2 -0
- package/lib/vendor/blamejs/lib/cli-helpers.js +2 -0
- package/lib/vendor/blamejs/lib/cli.js +57 -20
- package/lib/vendor/blamejs/lib/client-hints.js +2 -0
- package/lib/vendor/blamejs/lib/cloud-events.js +2 -0
- package/lib/vendor/blamejs/lib/cluster-provider-db.js +2 -0
- package/lib/vendor/blamejs/lib/cluster-storage.js +2 -0
- package/lib/vendor/blamejs/lib/cluster.js +2 -0
- package/lib/vendor/blamejs/lib/cms-codec.js +2 -0
- package/lib/vendor/blamejs/lib/codepoint-class.js +2 -0
- package/lib/vendor/blamejs/lib/compliance-ai-act-logging.js +2 -0
- package/lib/vendor/blamejs/lib/compliance-ai-act-prohibited.js +2 -0
- package/lib/vendor/blamejs/lib/compliance-ai-act-risk.js +2 -0
- package/lib/vendor/blamejs/lib/compliance-ai-act-transparency.js +2 -0
- package/lib/vendor/blamejs/lib/compliance-ai-act.js +2 -0
- package/lib/vendor/blamejs/lib/compliance-eaa.js +2 -0
- package/lib/vendor/blamejs/lib/compliance-sanctions-aliases.js +2 -0
- package/lib/vendor/blamejs/lib/compliance-sanctions-fetcher.js +2 -0
- package/lib/vendor/blamejs/lib/compliance-sanctions-fuzzy.js +2 -0
- package/lib/vendor/blamejs/lib/compliance-sanctions.js +2 -0
- package/lib/vendor/blamejs/lib/compliance.js +2 -0
- package/lib/vendor/blamejs/lib/config-drift.js +2 -0
- package/lib/vendor/blamejs/lib/config.js +2 -0
- package/lib/vendor/blamejs/lib/consent.js +2 -0
- package/lib/vendor/blamejs/lib/constants.js +2 -0
- package/lib/vendor/blamejs/lib/content-credentials.js +2 -0
- package/lib/vendor/blamejs/lib/content-digest.js +2 -0
- package/lib/vendor/blamejs/lib/cookies.js +2 -0
- package/lib/vendor/blamejs/lib/cose.js +2 -0
- package/lib/vendor/blamejs/lib/cra-report.js +2 -0
- package/lib/vendor/blamejs/lib/crdt.js +2 -0
- package/lib/vendor/blamejs/lib/credential-hash.js +2 -0
- package/lib/vendor/blamejs/lib/crypto-field.js +2 -0
- package/lib/vendor/blamejs/lib/crypto-hpke-pq.js +2 -0
- package/lib/vendor/blamejs/lib/crypto-hpke.js +2 -0
- package/lib/vendor/blamejs/lib/crypto-oprf.js +2 -0
- package/lib/vendor/blamejs/lib/crypto-xwing.js +2 -0
- package/lib/vendor/blamejs/lib/crypto.js +2 -0
- package/lib/vendor/blamejs/lib/csp.js +2 -0
- package/lib/vendor/blamejs/lib/csv.js +14 -1
- package/lib/vendor/blamejs/lib/cwt.js +2 -0
- package/lib/vendor/blamejs/lib/daemon.js +2 -0
- package/lib/vendor/blamejs/lib/dark-patterns.js +2 -0
- package/lib/vendor/blamejs/lib/data-act.js +2 -0
- package/lib/vendor/blamejs/lib/db-collection.js +2 -0
- package/lib/vendor/blamejs/lib/db-declare-row-policy.js +2 -0
- package/lib/vendor/blamejs/lib/db-declare-view.js +2 -0
- package/lib/vendor/blamejs/lib/db-file-lifecycle.js +2 -0
- package/lib/vendor/blamejs/lib/db-query.js +2 -0
- package/lib/vendor/blamejs/lib/db-role-context.js +2 -0
- package/lib/vendor/blamejs/lib/db-schema.js +2 -0
- package/lib/vendor/blamejs/lib/db.js +2 -0
- package/lib/vendor/blamejs/lib/dbsc.js +2 -0
- package/lib/vendor/blamejs/lib/ddl-change-control.js +2 -0
- package/lib/vendor/blamejs/lib/deprecate.js +2 -0
- package/lib/vendor/blamejs/lib/dev.js +2 -0
- package/lib/vendor/blamejs/lib/did.js +2 -0
- package/lib/vendor/blamejs/lib/dora.js +2 -0
- package/lib/vendor/blamejs/lib/dr-runbook.js +2 -0
- package/lib/vendor/blamejs/lib/dsa.js +2 -0
- package/lib/vendor/blamejs/lib/dsr.js +2 -0
- package/lib/vendor/blamejs/lib/dual-control.js +11 -15
- package/lib/vendor/blamejs/lib/early-hints.js +2 -0
- package/lib/vendor/blamejs/lib/eat.js +4 -1
- package/lib/vendor/blamejs/lib/error-page.js +2 -0
- package/lib/vendor/blamejs/lib/events.js +2 -0
- package/lib/vendor/blamejs/lib/external-db-migrate.js +2 -0
- package/lib/vendor/blamejs/lib/external-db.js +2 -0
- package/lib/vendor/blamejs/lib/fapi2.js +2 -0
- package/lib/vendor/blamejs/lib/fda-21cfr11.js +2 -0
- package/lib/vendor/blamejs/lib/fdx.js +2 -0
- package/lib/vendor/blamejs/lib/fedcm.js +2 -0
- package/lib/vendor/blamejs/lib/file-type.js +2 -0
- package/lib/vendor/blamejs/lib/file-upload.js +139 -21
- package/lib/vendor/blamejs/lib/flag-cache.js +2 -0
- package/lib/vendor/blamejs/lib/flag-evaluation-context.js +2 -0
- package/lib/vendor/blamejs/lib/flag-providers.js +2 -0
- package/lib/vendor/blamejs/lib/flag-targeting.js +4 -7
- package/lib/vendor/blamejs/lib/flag.js +2 -0
- package/lib/vendor/blamejs/lib/forms.js +11 -0
- package/lib/vendor/blamejs/lib/framework-error.js +2 -0
- package/lib/vendor/blamejs/lib/framework-files.js +2 -0
- package/lib/vendor/blamejs/lib/framework-schema.js +2 -0
- package/lib/vendor/blamejs/lib/framework-sha1-hibp.js +2 -0
- package/lib/vendor/blamejs/lib/fsm.js +2 -0
- package/lib/vendor/blamejs/lib/gate-contract.js +2 -0
- package/lib/vendor/blamejs/lib/gdpr-ropa.js +2 -0
- package/lib/vendor/blamejs/lib/graphql-federation.js +2 -0
- package/lib/vendor/blamejs/lib/guard-agent-registry.js +2 -0
- package/lib/vendor/blamejs/lib/guard-all.js +2 -0
- package/lib/vendor/blamejs/lib/guard-archive.js +2 -0
- package/lib/vendor/blamejs/lib/guard-auth.js +2 -0
- package/lib/vendor/blamejs/lib/guard-cidr.js +2 -0
- package/lib/vendor/blamejs/lib/guard-csv.js +2 -0
- package/lib/vendor/blamejs/lib/guard-domain.js +2 -0
- package/lib/vendor/blamejs/lib/guard-dsn.js +2 -0
- package/lib/vendor/blamejs/lib/guard-email.js +2 -0
- package/lib/vendor/blamejs/lib/guard-envelope.js +2 -0
- package/lib/vendor/blamejs/lib/guard-event-bus-payload.js +2 -0
- package/lib/vendor/blamejs/lib/guard-event-bus-topic.js +2 -0
- package/lib/vendor/blamejs/lib/guard-filename.js +2 -0
- package/lib/vendor/blamejs/lib/guard-graphql.js +2 -0
- package/lib/vendor/blamejs/lib/guard-html-wcag-aria.js +2 -0
- package/lib/vendor/blamejs/lib/guard-html-wcag-forms.js +2 -0
- package/lib/vendor/blamejs/lib/guard-html-wcag-tables.js +2 -0
- package/lib/vendor/blamejs/lib/guard-html-wcag-tagwalk.js +2 -0
- package/lib/vendor/blamejs/lib/guard-html-wcag.js +2 -0
- package/lib/vendor/blamejs/lib/guard-html.js +2 -0
- package/lib/vendor/blamejs/lib/guard-idempotency-key.js +2 -0
- package/lib/vendor/blamejs/lib/guard-image.js +2 -0
- package/lib/vendor/blamejs/lib/guard-imap-command.js +2 -0
- package/lib/vendor/blamejs/lib/guard-jmap.js +2 -0
- package/lib/vendor/blamejs/lib/guard-json.js +2 -0
- package/lib/vendor/blamejs/lib/guard-jsonpath.js +2 -0
- package/lib/vendor/blamejs/lib/guard-jwt.js +2 -0
- package/lib/vendor/blamejs/lib/guard-list-id.js +2 -0
- package/lib/vendor/blamejs/lib/guard-list-unsubscribe.js +2 -0
- package/lib/vendor/blamejs/lib/guard-mail-compose.js +2 -0
- package/lib/vendor/blamejs/lib/guard-mail-move.js +2 -0
- package/lib/vendor/blamejs/lib/guard-mail-query.js +2 -0
- package/lib/vendor/blamejs/lib/guard-mail-reply.js +2 -0
- package/lib/vendor/blamejs/lib/guard-mail-sieve.js +2 -0
- package/lib/vendor/blamejs/lib/guard-managesieve-command.js +2 -0
- package/lib/vendor/blamejs/lib/guard-markdown.js +2 -0
- package/lib/vendor/blamejs/lib/guard-message-id.js +2 -0
- package/lib/vendor/blamejs/lib/guard-mime.js +2 -0
- package/lib/vendor/blamejs/lib/guard-oauth.js +14 -1
- package/lib/vendor/blamejs/lib/guard-pdf.js +2 -0
- package/lib/vendor/blamejs/lib/guard-pop3-command.js +2 -0
- package/lib/vendor/blamejs/lib/guard-posture-chain.js +2 -0
- package/lib/vendor/blamejs/lib/guard-regex.js +59 -0
- package/lib/vendor/blamejs/lib/guard-saga-config.js +2 -0
- package/lib/vendor/blamejs/lib/guard-shell.js +2 -0
- package/lib/vendor/blamejs/lib/guard-smtp-command.js +2 -0
- package/lib/vendor/blamejs/lib/guard-snapshot-envelope.js +2 -0
- package/lib/vendor/blamejs/lib/guard-sql.js +2 -0
- package/lib/vendor/blamejs/lib/guard-stream-args.js +2 -0
- package/lib/vendor/blamejs/lib/guard-svg.js +2 -0
- package/lib/vendor/blamejs/lib/guard-template.js +2 -0
- package/lib/vendor/blamejs/lib/guard-tenant-id.js +2 -0
- package/lib/vendor/blamejs/lib/guard-text.js +2 -0
- package/lib/vendor/blamejs/lib/guard-time.js +2 -0
- package/lib/vendor/blamejs/lib/guard-trace-context.js +2 -0
- package/lib/vendor/blamejs/lib/guard-uuid.js +2 -0
- package/lib/vendor/blamejs/lib/guard-xml.js +2 -0
- package/lib/vendor/blamejs/lib/guard-yaml.js +2 -0
- package/lib/vendor/blamejs/lib/hal.js +2 -0
- package/lib/vendor/blamejs/lib/handlers.js +2 -0
- package/lib/vendor/blamejs/lib/honeytoken.js +2 -0
- package/lib/vendor/blamejs/lib/html-balance.js +2 -0
- package/lib/vendor/blamejs/lib/http-client-cache.js +2 -0
- package/lib/vendor/blamejs/lib/http-client-cookie-jar.js +2 -0
- package/lib/vendor/blamejs/lib/http-client.js +2 -0
- package/lib/vendor/blamejs/lib/http-message-signature.js +144 -11
- package/lib/vendor/blamejs/lib/http2-teardown.js +2 -0
- package/lib/vendor/blamejs/lib/i18n-messageformat.js +35 -6
- package/lib/vendor/blamejs/lib/i18n.js +2 -0
- package/lib/vendor/blamejs/lib/iab-mspa.js +2 -0
- package/lib/vendor/blamejs/lib/iab-tcf.js +2 -0
- package/lib/vendor/blamejs/lib/importmap-integrity.js +2 -0
- package/lib/vendor/blamejs/lib/inbox.js +2 -0
- package/lib/vendor/blamejs/lib/incident-report.js +2 -0
- package/lib/vendor/blamejs/lib/ip-utils.js +2 -0
- package/lib/vendor/blamejs/lib/jobs.js +2 -0
- package/lib/vendor/blamejs/lib/jose-jwe-experimental.js +2 -0
- package/lib/vendor/blamejs/lib/json-merge-patch.js +2 -0
- package/lib/vendor/blamejs/lib/json-patch.js +2 -0
- package/lib/vendor/blamejs/lib/json-path.js +2 -0
- package/lib/vendor/blamejs/lib/json-pointer.js +2 -0
- package/lib/vendor/blamejs/lib/json-schema.js +13 -1
- package/lib/vendor/blamejs/lib/jsonapi.js +2 -0
- package/lib/vendor/blamejs/lib/jtd.js +2 -0
- package/lib/vendor/blamejs/lib/jwk.js +2 -0
- package/lib/vendor/blamejs/lib/keychain.js +32 -10
- package/lib/vendor/blamejs/lib/lazy-require.js +2 -0
- package/lib/vendor/blamejs/lib/legal-hold.js +2 -0
- package/lib/vendor/blamejs/lib/link-header.js +2 -0
- package/lib/vendor/blamejs/lib/local-db-thin.js +2 -0
- package/lib/vendor/blamejs/lib/log-stream-cloudwatch.js +2 -0
- package/lib/vendor/blamejs/lib/log-stream-local.js +2 -0
- package/lib/vendor/blamejs/lib/log-stream-otlp-grpc.js +2 -0
- package/lib/vendor/blamejs/lib/log-stream-otlp.js +2 -0
- package/lib/vendor/blamejs/lib/log-stream-syslog.js +2 -0
- package/lib/vendor/blamejs/lib/log-stream-webhook.js +2 -0
- package/lib/vendor/blamejs/lib/log-stream.js +2 -0
- package/lib/vendor/blamejs/lib/log.js +2 -0
- package/lib/vendor/blamejs/lib/lro.js +2 -0
- package/lib/vendor/blamejs/lib/mail-agent.js +2 -0
- package/lib/vendor/blamejs/lib/mail-arc-reuse-token.js +20 -0
- package/lib/vendor/blamejs/lib/mail-arc-sign.js +32 -14
- package/lib/vendor/blamejs/lib/mail-arf.js +4 -0
- package/lib/vendor/blamejs/lib/mail-auth.js +93 -19
- package/lib/vendor/blamejs/lib/mail-bimi.js +26 -10
- package/lib/vendor/blamejs/lib/mail-bounce.js +23 -6
- package/lib/vendor/blamejs/lib/mail-crypto-pgp.js +2 -0
- package/lib/vendor/blamejs/lib/mail-crypto-smime.js +2 -0
- package/lib/vendor/blamejs/lib/mail-crypto.js +2 -0
- package/lib/vendor/blamejs/lib/mail-dav.js +2 -0
- package/lib/vendor/blamejs/lib/mail-deploy.js +2 -0
- package/lib/vendor/blamejs/lib/mail-dkim.js +44 -5
- package/lib/vendor/blamejs/lib/mail-greylist.js +2 -0
- package/lib/vendor/blamejs/lib/mail-helo.js +16 -0
- package/lib/vendor/blamejs/lib/mail-journal.js +2 -0
- package/lib/vendor/blamejs/lib/mail-mdn.js +17 -0
- package/lib/vendor/blamejs/lib/mail-rbl.js +2 -0
- package/lib/vendor/blamejs/lib/mail-require-tls.js +2 -0
- package/lib/vendor/blamejs/lib/mail-scan.js +2 -0
- package/lib/vendor/blamejs/lib/mail-send-deliver.js +32 -7
- package/lib/vendor/blamejs/lib/mail-server-imap.js +2 -0
- package/lib/vendor/blamejs/lib/mail-server-jmap.js +23 -11
- package/lib/vendor/blamejs/lib/mail-server-managesieve.js +2 -0
- package/lib/vendor/blamejs/lib/mail-server-mx.js +2 -0
- package/lib/vendor/blamejs/lib/mail-server-net.js +2 -0
- package/lib/vendor/blamejs/lib/mail-server-pop3.js +2 -0
- package/lib/vendor/blamejs/lib/mail-server-rate-limit.js +2 -0
- package/lib/vendor/blamejs/lib/mail-server-registry.js +2 -0
- package/lib/vendor/blamejs/lib/mail-server-submission.js +2 -0
- package/lib/vendor/blamejs/lib/mail-server-tls.js +2 -0
- package/lib/vendor/blamejs/lib/mail-sieve.js +2 -0
- package/lib/vendor/blamejs/lib/mail-spam-score.js +2 -0
- package/lib/vendor/blamejs/lib/mail-srs.js +8 -0
- package/lib/vendor/blamejs/lib/mail-store-fts.js +2 -0
- package/lib/vendor/blamejs/lib/mail-store.js +2 -0
- package/lib/vendor/blamejs/lib/mail-unsubscribe.js +2 -0
- package/lib/vendor/blamejs/lib/mail.js +11 -0
- package/lib/vendor/blamejs/lib/markup-escape.js +2 -0
- package/lib/vendor/blamejs/lib/markup-tokenizer.js +2 -0
- package/lib/vendor/blamejs/lib/mcp-tool-registry.js +2 -0
- package/lib/vendor/blamejs/lib/mcp.js +4 -2
- package/lib/vendor/blamejs/lib/mdoc.js +2 -0
- package/lib/vendor/blamejs/lib/metrics.js +2 -0
- package/lib/vendor/blamejs/lib/middleware/age-gate.js +2 -0
- package/lib/vendor/blamejs/lib/middleware/ai-act-disclosure.js +2 -0
- package/lib/vendor/blamejs/lib/middleware/api-encrypt.js +2 -0
- package/lib/vendor/blamejs/lib/middleware/assetlinks.js +2 -0
- package/lib/vendor/blamejs/lib/middleware/asyncapi-serve.js +2 -0
- package/lib/vendor/blamejs/lib/middleware/attach-user.js +2 -0
- package/lib/vendor/blamejs/lib/middleware/bearer-auth.js +2 -0
- package/lib/vendor/blamejs/lib/middleware/body-parser.js +2 -0
- package/lib/vendor/blamejs/lib/middleware/bot-disclose.js +2 -0
- package/lib/vendor/blamejs/lib/middleware/bot-guard.js +10 -1
- package/lib/vendor/blamejs/lib/middleware/clear-site-data.js +2 -0
- package/lib/vendor/blamejs/lib/middleware/compose-pipeline.js +2 -0
- package/lib/vendor/blamejs/lib/middleware/compression.js +2 -0
- package/lib/vendor/blamejs/lib/middleware/cookies.js +2 -0
- package/lib/vendor/blamejs/lib/middleware/cors.js +7 -0
- package/lib/vendor/blamejs/lib/middleware/csp-nonce.js +2 -0
- package/lib/vendor/blamejs/lib/middleware/csp-report.js +2 -0
- package/lib/vendor/blamejs/lib/middleware/csrf-protect.js +12 -5
- package/lib/vendor/blamejs/lib/middleware/daily-byte-quota.js +2 -0
- package/lib/vendor/blamejs/lib/middleware/db-role-for.js +2 -0
- package/lib/vendor/blamejs/lib/middleware/deny-response.js +2 -0
- package/lib/vendor/blamejs/lib/middleware/dpop.js +2 -0
- package/lib/vendor/blamejs/lib/middleware/error-handler.js +2 -0
- package/lib/vendor/blamejs/lib/middleware/fetch-metadata.js +2 -0
- package/lib/vendor/blamejs/lib/middleware/flag-context.js +2 -0
- package/lib/vendor/blamejs/lib/middleware/gpc.js +2 -0
- package/lib/vendor/blamejs/lib/middleware/headers.js +2 -0
- package/lib/vendor/blamejs/lib/middleware/health.js +2 -0
- package/lib/vendor/blamejs/lib/middleware/host-allowlist.js +2 -0
- package/lib/vendor/blamejs/lib/middleware/idempotency-key.js +30 -2
- package/lib/vendor/blamejs/lib/middleware/index.js +2 -0
- package/lib/vendor/blamejs/lib/middleware/nel.js +2 -0
- package/lib/vendor/blamejs/lib/middleware/network-allowlist.js +2 -0
- package/lib/vendor/blamejs/lib/middleware/no-cache.js +2 -0
- package/lib/vendor/blamejs/lib/middleware/openapi-serve.js +2 -0
- package/lib/vendor/blamejs/lib/middleware/protected-resource-metadata.js +2 -0
- package/lib/vendor/blamejs/lib/middleware/rate-limit.js +2 -0
- package/lib/vendor/blamejs/lib/middleware/request-id.js +2 -0
- package/lib/vendor/blamejs/lib/middleware/request-log.js +6 -0
- package/lib/vendor/blamejs/lib/middleware/require-aal.js +2 -0
- package/lib/vendor/blamejs/lib/middleware/require-auth.js +2 -0
- package/lib/vendor/blamejs/lib/middleware/require-bound-key.js +2 -0
- package/lib/vendor/blamejs/lib/middleware/require-content-type.js +2 -0
- package/lib/vendor/blamejs/lib/middleware/require-methods.js +2 -0
- package/lib/vendor/blamejs/lib/middleware/require-mtls.js +2 -0
- package/lib/vendor/blamejs/lib/middleware/require-step-up.js +42 -1
- package/lib/vendor/blamejs/lib/middleware/scim-server.js +2 -0
- package/lib/vendor/blamejs/lib/middleware/security-headers.js +2 -0
- package/lib/vendor/blamejs/lib/middleware/security-txt.js +2 -0
- package/lib/vendor/blamejs/lib/middleware/span-http-server.js +12 -0
- package/lib/vendor/blamejs/lib/middleware/speculation-rules.js +2 -0
- package/lib/vendor/blamejs/lib/middleware/sse.js +2 -0
- package/lib/vendor/blamejs/lib/middleware/trace-log-correlation.js +2 -0
- package/lib/vendor/blamejs/lib/middleware/trace-propagate.js +2 -0
- package/lib/vendor/blamejs/lib/middleware/tus-upload.js +2 -0
- package/lib/vendor/blamejs/lib/middleware/web-app-manifest.js +2 -0
- package/lib/vendor/blamejs/lib/migration-files.js +2 -0
- package/lib/vendor/blamejs/lib/migrations.js +2 -0
- package/lib/vendor/blamejs/lib/mime-parse.js +5 -1
- package/lib/vendor/blamejs/lib/module-loader.js +2 -0
- package/lib/vendor/blamejs/lib/money.js +2 -0
- package/lib/vendor/blamejs/lib/mtls-ca.js +2 -0
- package/lib/vendor/blamejs/lib/mtls-engine-default.js +2 -0
- package/lib/vendor/blamejs/lib/network-byte-quota.js +76 -14
- package/lib/vendor/blamejs/lib/network-dane.js +2 -0
- package/lib/vendor/blamejs/lib/network-dns-resolver.js +55 -18
- package/lib/vendor/blamejs/lib/network-dns.js +2 -0
- package/lib/vendor/blamejs/lib/network-dnssec.js +15 -2
- package/lib/vendor/blamejs/lib/network-heartbeat.js +2 -0
- package/lib/vendor/blamejs/lib/network-nts.js +2 -0
- package/lib/vendor/blamejs/lib/network-proxy.js +2 -0
- package/lib/vendor/blamejs/lib/network-smtp-policy.js +6 -1
- package/lib/vendor/blamejs/lib/network-tls.js +99 -5
- package/lib/vendor/blamejs/lib/network-tsig.js +13 -1
- package/lib/vendor/blamejs/lib/network.js +2 -0
- package/lib/vendor/blamejs/lib/nis2-report.js +2 -0
- package/lib/vendor/blamejs/lib/nist-crosswalk.js +2 -0
- package/lib/vendor/blamejs/lib/nonce-store.js +2 -0
- package/lib/vendor/blamejs/lib/notify.js +2 -0
- package/lib/vendor/blamejs/lib/ntp-check.js +2 -0
- package/lib/vendor/blamejs/lib/numeric-bounds.js +2 -0
- package/lib/vendor/blamejs/lib/numeric-checks.js +2 -0
- package/lib/vendor/blamejs/lib/object-store/azure-blob-bucket-ops.js +2 -0
- package/lib/vendor/blamejs/lib/object-store/azure-blob.js +2 -0
- package/lib/vendor/blamejs/lib/object-store/gcs-bucket-ops.js +2 -0
- package/lib/vendor/blamejs/lib/object-store/gcs.js +2 -0
- package/lib/vendor/blamejs/lib/object-store/http-put.js +2 -0
- package/lib/vendor/blamejs/lib/object-store/http-request.js +2 -0
- package/lib/vendor/blamejs/lib/object-store/index.js +2 -0
- package/lib/vendor/blamejs/lib/object-store/local.js +2 -0
- package/lib/vendor/blamejs/lib/object-store/sigv4-bucket-ops.js +2 -0
- package/lib/vendor/blamejs/lib/object-store/sigv4.js +2 -0
- package/lib/vendor/blamejs/lib/observability-otlp-exporter.js +4 -2
- package/lib/vendor/blamejs/lib/observability-tracer.js +2 -0
- package/lib/vendor/blamejs/lib/observability.js +2 -0
- package/lib/vendor/blamejs/lib/openapi-paths-builder.js +2 -0
- package/lib/vendor/blamejs/lib/openapi-schema-walk.js +2 -0
- package/lib/vendor/blamejs/lib/openapi-security.js +2 -0
- package/lib/vendor/blamejs/lib/openapi-yaml.js +2 -0
- package/lib/vendor/blamejs/lib/openapi.js +2 -0
- package/lib/vendor/blamejs/lib/otel-export.js +2 -0
- package/lib/vendor/blamejs/lib/outbox.js +2 -0
- package/lib/vendor/blamejs/lib/pagination.js +2 -0
- package/lib/vendor/blamejs/lib/parsers/index.js +2 -0
- package/lib/vendor/blamejs/lib/parsers/safe-env.js +2 -0
- package/lib/vendor/blamejs/lib/parsers/safe-ini.js +2 -0
- package/lib/vendor/blamejs/lib/parsers/safe-toml.js +2 -0
- package/lib/vendor/blamejs/lib/parsers/safe-xml.js +2 -0
- package/lib/vendor/blamejs/lib/parsers/safe-yaml.js +2 -0
- package/lib/vendor/blamejs/lib/permissions.js +2 -0
- package/lib/vendor/blamejs/lib/pick.js +2 -0
- package/lib/vendor/blamejs/lib/pipl-cn.js +2 -0
- package/lib/vendor/blamejs/lib/pqc-agent.js +2 -0
- package/lib/vendor/blamejs/lib/pqc-gate.js +2 -0
- package/lib/vendor/blamejs/lib/pqc-software.js +2 -0
- package/lib/vendor/blamejs/lib/privacy-pass.js +2 -0
- package/lib/vendor/blamejs/lib/privacy.js +2 -0
- package/lib/vendor/blamejs/lib/problem-details.js +2 -0
- package/lib/vendor/blamejs/lib/process-spawn.js +2 -0
- package/lib/vendor/blamejs/lib/promise-pool.js +2 -0
- package/lib/vendor/blamejs/lib/protobuf-encoder.js +2 -0
- package/lib/vendor/blamejs/lib/protocol-dispatcher.js +2 -0
- package/lib/vendor/blamejs/lib/public-suffix.js +45 -5
- package/lib/vendor/blamejs/lib/pubsub-cluster.js +2 -0
- package/lib/vendor/blamejs/lib/pubsub-redis.js +2 -0
- package/lib/vendor/blamejs/lib/pubsub.js +2 -0
- package/lib/vendor/blamejs/lib/queue-local.js +28 -11
- package/lib/vendor/blamejs/lib/queue-redis.js +79 -17
- package/lib/vendor/blamejs/lib/queue-sqs.js +2 -0
- package/lib/vendor/blamejs/lib/queue.js +5 -3
- package/lib/vendor/blamejs/lib/redact.js +2 -0
- package/lib/vendor/blamejs/lib/redis-client.js +30 -5
- package/lib/vendor/blamejs/lib/render.js +2 -0
- package/lib/vendor/blamejs/lib/request-helpers.js +11 -0
- package/lib/vendor/blamejs/lib/resource-access-lock.js +2 -0
- package/lib/vendor/blamejs/lib/restore-bundle.js +2 -0
- package/lib/vendor/blamejs/lib/restore-rollback.js +2 -0
- package/lib/vendor/blamejs/lib/restore.js +2 -0
- package/lib/vendor/blamejs/lib/retention.js +2 -0
- package/lib/vendor/blamejs/lib/retry.js +2 -0
- package/lib/vendor/blamejs/lib/rfc3339.js +2 -0
- package/lib/vendor/blamejs/lib/router.js +109 -19
- package/lib/vendor/blamejs/lib/safe-archive.js +2 -0
- package/lib/vendor/blamejs/lib/safe-async.js +44 -0
- package/lib/vendor/blamejs/lib/safe-buffer.js +66 -0
- package/lib/vendor/blamejs/lib/safe-decompress.js +2 -0
- package/lib/vendor/blamejs/lib/safe-dns.js +2 -0
- package/lib/vendor/blamejs/lib/safe-ical.js +2 -0
- package/lib/vendor/blamejs/lib/safe-icap.js +7 -0
- package/lib/vendor/blamejs/lib/safe-json.js +2 -0
- package/lib/vendor/blamejs/lib/safe-jsonpath.js +2 -0
- package/lib/vendor/blamejs/lib/safe-mime.js +2 -0
- package/lib/vendor/blamejs/lib/safe-mount-info.js +2 -0
- package/lib/vendor/blamejs/lib/safe-path.js +2 -0
- package/lib/vendor/blamejs/lib/safe-redirect.js +2 -0
- package/lib/vendor/blamejs/lib/safe-schema.js +2 -0
- package/lib/vendor/blamejs/lib/safe-sieve.js +2 -0
- package/lib/vendor/blamejs/lib/safe-smtp.js +2 -0
- package/lib/vendor/blamejs/lib/safe-sql.js +2 -0
- package/lib/vendor/blamejs/lib/safe-url.js +2 -0
- package/lib/vendor/blamejs/lib/safe-vcard.js +2 -0
- package/lib/vendor/blamejs/lib/sandbox-worker.js +2 -0
- package/lib/vendor/blamejs/lib/sandbox.js +2 -0
- package/lib/vendor/blamejs/lib/scheduler.js +2 -0
- package/lib/vendor/blamejs/lib/scitt.js +2 -0
- package/lib/vendor/blamejs/lib/sd-notify.js +2 -0
- package/lib/vendor/blamejs/lib/sec-cyber.js +2 -0
- package/lib/vendor/blamejs/lib/security-assert.js +2 -0
- package/lib/vendor/blamejs/lib/seeders.js +2 -0
- package/lib/vendor/blamejs/lib/self-update-standalone-verifier.js +2 -0
- package/lib/vendor/blamejs/lib/self-update.js +104 -56
- package/lib/vendor/blamejs/lib/server-timing.js +2 -0
- package/lib/vendor/blamejs/lib/session-device-binding.js +2 -0
- package/lib/vendor/blamejs/lib/session-stores.js +2 -0
- package/lib/vendor/blamejs/lib/session.js +71 -32
- package/lib/vendor/blamejs/lib/slug.js +2 -0
- package/lib/vendor/blamejs/lib/sql.js +2 -0
- package/lib/vendor/blamejs/lib/sse.js +2 -0
- package/lib/vendor/blamejs/lib/ssrf-guard.js +9 -1
- package/lib/vendor/blamejs/lib/standard-webhooks.js +2 -0
- package/lib/vendor/blamejs/lib/static.js +54 -20
- package/lib/vendor/blamejs/lib/storage.js +2 -0
- package/lib/vendor/blamejs/lib/stream-throttle.js +2 -0
- package/lib/vendor/blamejs/lib/structured-fields.js +2 -0
- package/lib/vendor/blamejs/lib/subject.js +2 -0
- package/lib/vendor/blamejs/lib/tcpa-10dlc.js +2 -0
- package/lib/vendor/blamejs/lib/template.js +2 -0
- package/lib/vendor/blamejs/lib/tenant-quota.js +2 -0
- package/lib/vendor/blamejs/lib/test-harness.js +2 -0
- package/lib/vendor/blamejs/lib/testing.js +2 -0
- package/lib/vendor/blamejs/lib/time.js +2 -0
- package/lib/vendor/blamejs/lib/tls-exporter.js +2 -0
- package/lib/vendor/blamejs/lib/totp.js +2 -0
- package/lib/vendor/blamejs/lib/tracing.js +2 -0
- package/lib/vendor/blamejs/lib/tsa.js +2 -0
- package/lib/vendor/blamejs/lib/uri-template.js +2 -0
- package/lib/vendor/blamejs/lib/uuid.js +2 -0
- package/lib/vendor/blamejs/lib/validate-opts.js +2 -0
- package/lib/vendor/blamejs/lib/vault/index.js +2 -0
- package/lib/vendor/blamejs/lib/vault/passphrase-ops.js +2 -0
- package/lib/vendor/blamejs/lib/vault/passphrase-source.js +2 -0
- package/lib/vendor/blamejs/lib/vault/rotate.js +2 -0
- package/lib/vendor/blamejs/lib/vault/seal-pem-file.js +2 -0
- package/lib/vendor/blamejs/lib/vault/wrap.js +2 -0
- package/lib/vendor/blamejs/lib/vault-aad.js +2 -0
- package/lib/vendor/blamejs/lib/vc.js +31 -0
- package/lib/vendor/blamejs/lib/vendor/MANIFEST.json +10 -10
- package/lib/vendor/blamejs/lib/vendor/public-suffix-list.dat +2 -4
- package/lib/vendor/blamejs/lib/vendor/public-suffix-list.data.js +745 -745
- package/lib/vendor/blamejs/lib/vendor-data.js +2 -0
- package/lib/vendor/blamejs/lib/vex.js +2 -0
- package/lib/vendor/blamejs/lib/watcher.js +2 -0
- package/lib/vendor/blamejs/lib/web-push-vapid.js +2 -0
- package/lib/vendor/blamejs/lib/webhook-dispatcher.js +33 -5
- package/lib/vendor/blamejs/lib/webhook.js +2 -0
- package/lib/vendor/blamejs/lib/websocket-channels.js +2 -0
- package/lib/vendor/blamejs/lib/websocket.js +2 -0
- package/lib/vendor/blamejs/lib/wiki-concepts.js +2 -0
- package/lib/vendor/blamejs/lib/worker-pool.js +2 -0
- package/lib/vendor/blamejs/lib/worm.js +2 -0
- package/lib/vendor/blamejs/lib/ws-client.js +2 -0
- package/lib/vendor/blamejs/lib/x509-chain.js +2 -0
- package/lib/vendor/blamejs/lib/xml-c14n.js +10 -7
- package/lib/vendor/blamejs/oss-fuzz/projects/blamejs/Dockerfile +7 -6
- package/lib/vendor/blamejs/package-lock.json +533 -0
- package/lib/vendor/blamejs/package.json +3 -3
- package/lib/vendor/blamejs/release-notes/v0.15.x.json +2284 -0
- package/lib/vendor/blamejs/release-notes/v0.16.0.json +44 -0
- package/lib/vendor/blamejs/release-notes/v0.16.1.json +36 -0
- package/lib/vendor/blamejs/release-notes/v0.16.2.json +71 -0
- package/lib/vendor/blamejs/scripts/build-vendored-sbom.js +2 -0
- package/lib/vendor/blamejs/scripts/check-actions-currency.js +113 -1
- package/lib/vendor/blamejs/scripts/check-api-snapshot.js +2 -0
- package/lib/vendor/blamejs/scripts/check-changelog-extract.js +2 -0
- package/lib/vendor/blamejs/scripts/check-esbuild-pin.js +33 -40
- package/lib/vendor/blamejs/scripts/check-pack-against-gitignore.js +2 -0
- package/lib/vendor/blamejs/scripts/check-services.js +2 -0
- package/lib/vendor/blamejs/scripts/check-vendor-currency.js +2 -0
- package/lib/vendor/blamejs/scripts/consolidate-release-notes.js +2 -0
- package/lib/vendor/blamejs/scripts/gen-migrating.js +2 -0
- package/lib/vendor/blamejs/scripts/generate-changelog-entry.js +2 -0
- package/lib/vendor/blamejs/scripts/generate-release-signing-key.js +2 -0
- package/lib/vendor/blamejs/scripts/generate-ssdf-attestation.js +2 -0
- package/lib/vendor/blamejs/scripts/pin-all.js +215 -0
- package/lib/vendor/blamejs/scripts/refresh-api-snapshot.js +2 -0
- package/lib/vendor/blamejs/scripts/refresh-vendor-manifest.js +2 -0
- package/lib/vendor/blamejs/scripts/release.js +5 -1
- package/lib/vendor/blamejs/scripts/sha3-digest.js +2 -0
- package/lib/vendor/blamejs/scripts/sign-release-artifact.js +2 -0
- package/lib/vendor/blamejs/scripts/test-integration.js +2 -0
- package/lib/vendor/blamejs/scripts/test-wiki-integration.js +2 -0
- package/lib/vendor/blamejs/scripts/validate-source-comment-blocks.js +2 -0
- package/lib/vendor/blamejs/scripts/vendor-data-gen.js +2 -0
- package/lib/vendor/blamejs/scripts/vendor-data-keygen.js +2 -0
- package/lib/vendor/blamejs/test/00-primitives.js +35 -1
- package/lib/vendor/blamejs/test/10-state.js +2 -0
- package/lib/vendor/blamejs/test/20-db.js +2 -0
- package/lib/vendor/blamejs/test/30-chain.js +2 -0
- package/lib/vendor/blamejs/test/40-consumers.js +2 -0
- package/lib/vendor/blamejs/test/50-integration.js +2 -0
- package/lib/vendor/blamejs/test/_helpers.js +2 -0
- package/lib/vendor/blamejs/test/_smoke-worker.js +2 -0
- package/lib/vendor/blamejs/test/fixtures/worker-pool/echo.js +2 -0
- package/lib/vendor/blamejs/test/helpers/_codebase-shingle-worker.js +2 -0
- package/lib/vendor/blamejs/test/helpers/_codebase-shingle.js +2 -0
- package/lib/vendor/blamejs/test/helpers/_shape-match.js +2 -0
- package/lib/vendor/blamejs/test/helpers/check.js +2 -0
- package/lib/vendor/blamejs/test/helpers/cluster.js +2 -0
- package/lib/vendor/blamejs/test/helpers/db.js +2 -0
- package/lib/vendor/blamejs/test/helpers/drivers.js +2 -0
- package/lib/vendor/blamejs/test/helpers/fs-watch.js +2 -0
- package/lib/vendor/blamejs/test/helpers/http.js +2 -0
- package/lib/vendor/blamejs/test/helpers/index.js +2 -0
- package/lib/vendor/blamejs/test/helpers/json-round-trip.js +2 -0
- package/lib/vendor/blamejs/test/helpers/mocks.js +2 -0
- package/lib/vendor/blamejs/test/helpers/otel.js +2 -0
- package/lib/vendor/blamejs/test/helpers/services.js +2 -0
- package/lib/vendor/blamejs/test/helpers/wait.js +2 -0
- package/lib/vendor/blamejs/test/integration/audit-actor-binding-pg.test.js +2 -0
- package/lib/vendor/blamejs/test/integration/audit-chain-external-db.test.js +2 -0
- package/lib/vendor/blamejs/test/integration/audit-stack-mysql.test.js +2 -0
- package/lib/vendor/blamejs/test/integration/audit-stack-postgres.test.js +2 -0
- package/lib/vendor/blamejs/test/integration/backup-restore-objectstore.test.js +2 -0
- package/lib/vendor/blamejs/test/integration/cache.test.js +2 -0
- package/lib/vendor/blamejs/test/integration/cluster-provider-mysql.test.js +2 -0
- package/lib/vendor/blamejs/test/integration/data-layer-cluster-mysql.test.js +2 -0
- package/lib/vendor/blamejs/test/integration/data-layer-cluster-pg.test.js +2 -0
- package/lib/vendor/blamejs/test/integration/data-layer-mysql-privacy.test.js +2 -0
- package/lib/vendor/blamejs/test/integration/data-layer-mysql.test.js +2 -0
- package/lib/vendor/blamejs/test/integration/data-layer-pg.test.js +2 -0
- package/lib/vendor/blamejs/test/integration/data-layer-postgres.test.js +2 -0
- package/lib/vendor/blamejs/test/integration/db-layer-mysql.test.js +2 -0
- package/lib/vendor/blamejs/test/integration/db-layer-postgres.test.js +2 -0
- package/lib/vendor/blamejs/test/integration/distributed-scheduler-fencing-pg.test.js +2 -0
- package/lib/vendor/blamejs/test/integration/external-db-postgres.test.js +2 -0
- package/lib/vendor/blamejs/test/integration/federation-auth.test.js +2 -0
- package/lib/vendor/blamejs/test/integration/framework-schema-mysql.test.js +2 -0
- package/lib/vendor/blamejs/test/integration/http-client.test.js +2 -0
- package/lib/vendor/blamejs/test/integration/log-stream-cloudwatch.test.js +2 -0
- package/lib/vendor/blamejs/test/integration/log-stream.test.js +2 -0
- package/lib/vendor/blamejs/test/integration/mail-crypto-smime.test.js +2 -0
- package/lib/vendor/blamejs/test/integration/mail-dkim.test.js +2 -0
- package/lib/vendor/blamejs/test/integration/mail-smtp.test.js +2 -0
- package/lib/vendor/blamejs/test/integration/mtls-ca.test.js +2 -0
- package/lib/vendor/blamejs/test/integration/network-dns.test.js +2 -0
- package/lib/vendor/blamejs/test/integration/network-heartbeat.test.js +2 -0
- package/lib/vendor/blamejs/test/integration/ntp-check.test.js +2 -0
- package/lib/vendor/blamejs/test/integration/object-store-azure.test.js +2 -0
- package/lib/vendor/blamejs/test/integration/object-store-gcs.test.js +2 -0
- package/lib/vendor/blamejs/test/integration/object-store-sigv4.test.js +2 -0
- package/lib/vendor/blamejs/test/integration/object-store-worm-lock.test.js +2 -0
- package/lib/vendor/blamejs/test/integration/pqc-pkcs8-forward-compat.test.js +2 -0
- package/lib/vendor/blamejs/test/integration/pubsub.test.js +2 -0
- package/lib/vendor/blamejs/test/integration/queue-cluster-mysql.test.js +2 -0
- package/lib/vendor/blamejs/test/integration/queue-cluster-pg.test.js +2 -0
- package/lib/vendor/blamejs/test/integration/queue-redis.test.js +115 -0
- package/lib/vendor/blamejs/test/integration/queue-sqs.test.js +2 -0
- package/lib/vendor/blamejs/test/integration/redis-client-tls.test.js +2 -0
- package/lib/vendor/blamejs/test/integration/redis-reconnect-toxiproxy.test.js +2 -0
- package/lib/vendor/blamejs/test/integration/sql-fts5-catalog-sqlite.test.js +2 -0
- package/lib/vendor/blamejs/test/integration/ssrf-guard.test.js +2 -0
- package/lib/vendor/blamejs/test/integration/tls-classical-downgrade-audit.test.js +2 -0
- package/lib/vendor/blamejs/test/integration/webhook-dispatcher-pg.test.js +15 -0
- package/lib/vendor/blamejs/test/integration/websocket-permessage-deflate.test.js +2 -0
- package/lib/vendor/blamejs/test/integration/ws-client-roundtrip.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/a2a-tasks.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/a2a.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/access-lock.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/acme-coverage.test.js +441 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/acme-failclosed.test.js +131 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/acme.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/age-gate.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/agent-event-bus.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/agent-idempotency.test.js +0 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/agent-orchestrator.test.js +23 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/agent-posture-chain.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/agent-saga.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/agent-snapshot.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/agent-stream.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/agent-tenant.test.js +22 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/agent-trace.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/ai-adverse-decision.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/ai-aedt-bias-audit.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/ai-capability.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/ai-content-detect.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/ai-disclosure-apply-all.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/ai-disclosure.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/ai-dp.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/ai-frontier-protocol.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/ai-input.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/ai-model-manifest.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/ai-output.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/ai-pref.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/ai-prompt.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/ai-quota.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/api-encrypt-rejection-envelope.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/api-encrypt.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/app-shutdown.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/archive-gz.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/archive-read.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/archive-sniff-envelope.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/archive-tar-hardening.test.js +22 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/archive-tar.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/archive-wrap-passphrase.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/archive-wrap.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/archive-zip-stream.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/archive.test.js +4 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/arg-parser.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/asn1-der.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/asyncapi.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/atomic-file-conflict-path.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/atomic-file-exclusive-temp.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/atomic-file-fd-read-errorfor-bypass.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/atomic-file-fd-read.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/atomic-file-open-append-nofollow.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/atomic-file-open-nofollow.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/atomic-file-rename-retry.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/atomic-file-write-excl.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/atomic-file-write-stream.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/attach-user-bearer-scheme.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/audit-chain-corrupted-anchor.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/audit-chain-incremental-verify.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/audit-checkpoint-false-rollback.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/audit-cve-defensive.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/audit-daily-review.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/audit-export-cadf.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/audit-framework-namespaces.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/audit-query-self-log.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/audit-safeemit-redacts-secrets.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/audit-segregation.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/audit-sign-anchor.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/audit-sign-ml-dsa-65.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/audit-signing-key-rotation.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/audit-tools-dual-control.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/audit-tools-return-bytes.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/audit-use-store.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/audit-verifybundle-tamper.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/auth-bot-challenge-verifier.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/auth-bot-challenge.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/auth-jar.test.js +9 -6
- package/lib/vendor/blamejs/test/layer-0-primitives/auth-jwt-defenses.test.js +56 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/auth-lockout.test.js +121 -1
- package/lib/vendor/blamejs/test/layer-0-primitives/auth-oauth-coverage.test.js +482 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/auth-oauth-failclosed.test.js +257 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/auth-password-audit.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/auth-saml-coverage.test.js +671 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/auth-saml-failclosed.test.js +179 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/auth-status-list.test.js +19 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/azure-blob-bucket-ops.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/azure-blob-key-encoding.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/backup-bundle-info.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/backup-clone-bundle.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/backup-find-bundles.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/backup-index-coverage.test.js +690 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/backup-index-failclosed.test.js +103 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/backup-key-rotation.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/backup-manifest-signature.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/backup-object-store-adapter.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/backup-residency-posture.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/backup-rewrap-all.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/backup-rewrap-bundle.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/backup-scheduletest-drill.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/backup-verify-all-bundles.test.js +0 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/backup-verify-bundle.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/backup-worker.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/base32.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/bearer-auth.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/body-parser-chunked-malformed.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/body-parser-error-redaction.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/body-parser-smuggling.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/boot-gates.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/bot-guard.test.js +12 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/bounded-map.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/breach-deadline.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/break-glass.test.js +46 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/budr.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/bundler-engine.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/cache-status.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/cache.test.js +12 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/calendar.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/canonical-json-jcs.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/canonical-json.test.js +28 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/cbor.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/cdn-cache-control.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/cert.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/chain-writer-multichain.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/ciba-authreqid-binding.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/clear-site-data.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/cli-api-key.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/cli-audit-verify-chain.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/cli-backup.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/cli-config-drift.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/cli-coverage.test.js +238 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/cli-erase.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/cli-file-type.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/cli-helpers.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/cli-mtls.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/cli-password.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/cli-restore.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/cli-retention.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/cli-security.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/cli-vault.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/client-hints.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/cloud-events.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/cluster-storage.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/cluster-vault-rotation.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/cms-codec.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/codebase-patterns.test.js +791 -13
- package/lib/vendor/blamejs/test/layer-0-primitives/codepoint-class.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/compliance-ai-act.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/compliance-cascade.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/compliance-eaa.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/compliance-eu-ai-act-posture.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/compliance-sanctions.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/compliance.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/compression-range.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/config-drift.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/config.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/consent-purposes.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/content-credentials.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/content-digest.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/cors.test.js +12 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/cose.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/cra-report.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/crdt.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/credential-hash.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/crypto-base64url.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/crypto-envelope.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/crypto-field-aad-downgrade.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/crypto-field-derived-hash.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/crypto-field-dual-read-migrate.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/crypto-field-per-row-key.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/crypto-field-unseal-rate-cap.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/crypto-field-upgrade-dialect.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/crypto-hash-files-parallel.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/crypto-hash-stream.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/crypto-hpke-pq.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/crypto-hpke.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/crypto-interop-oracles.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/crypto-mlkem768-x25519.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/crypto-namespace-hash.test.js +0 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/crypto-oprf.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/crypto-random-int.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/crypto-self-test.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/crypto-xwing.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/csp-builder.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/csp-nonce.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/csp-report.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/csrf-protect.test.js +40 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/csv.test.js +11 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/cwt.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/daemon.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/daily-byte-quota.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/dane.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/dark-patterns.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/data-act.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/db-collection-extensions.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/db-collection.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/db-column-gate.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/db-init-extensions.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/db-key-aad.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/db-query-cross-schema.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/db-query-extensions.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/db-query-sealed-field-in.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/db-raw-residency-gate.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/db-role-for.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/db-schema-drift.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/db-schema-reconcile-emittable.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/db-schema-transaction.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/db-stream-and-payload-shape.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/db-vacuum.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/db-worm.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/ddl-change-control.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/declare-row-policy.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/declare-view.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/defineguard-default-gate-posture-caps.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/defineguard-resolve-opts.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/deny-response.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/did.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/dns-dnssec-algorithm.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/dns-null-mx.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/dnssec.test.js +37 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/dora.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/dpop-alg-kty.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/dpop-htu-peergating.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/dpop-middleware-replaystore-required.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/dr-runbook.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/dsa.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/dsr-state-rules.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/dsr.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/dual-control.test.js +28 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/early-hints.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/eat.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/erase-posture-vacuum.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/events.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/exploit-replay.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/external-db-hardening.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/external-db-migrate.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/external-db-non-atomic-backend.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/external-db-routing.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/fal.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/fapi2.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/fda-21cfr11.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/fdx.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/fedcm-dbsc.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/federation-vc-suite.test.js +124 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/fetch-metadata.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/fido-mds3-cert-bad-validity.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/fido-mds3.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/file-type.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/file-upload-content-safety-skip-audit.test.js +66 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/file-upload-ownership.test.js +214 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/flag.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/forensic-snapshot.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/fsm.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/gate-contract-content-gate.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/gcs-bucket-ops.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/gdpr-ropa.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/graphql-federation.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/guard-agent-registry.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/guard-all.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/guard-archive.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/guard-csv.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/guard-dsn.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/guard-email.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/guard-envelope.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/guard-event-bus-payload.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/guard-event-bus-topic.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/guard-filename.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/guard-gate-disposition-coverage.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/guard-html-wcag.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/guard-html.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/guard-idempotency-key.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/guard-image.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/guard-imap-command.test.js +0 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/guard-jmap.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/guard-json.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/guard-list-id.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/guard-list-unsubscribe.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/guard-mail-compose.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/guard-mail-move.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/guard-mail-query.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/guard-mail-reply.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/guard-mail-sieve.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/guard-managesieve-command.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/guard-markdown.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/guard-message-id.test.js +0 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/guard-oauth-replay-failopen.test.js +57 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/guard-pdf.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/guard-pop3-command.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/guard-posture-chain.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/guard-saga-config.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/guard-smtp-command.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/guard-snapshot-envelope.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/guard-stream-args.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/guard-svg.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/guard-tenant-id.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/guard-text.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/guard-trace-context.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/guard-xml.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/guard-yaml.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/hal.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/honeytoken.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/html-balance.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/http-client-cache.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/http-client-stream.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/http-client-throttle-transform.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/http-message-signature.test.js +315 -3
- package/lib/vendor/blamejs/test/layer-0-primitives/i18n-messageformat.test.js +26 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/i18n.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/iab-mspa.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/iab-tcf.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/idempotency-key.test.js +40 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/importmap-integrity.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/inbox.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/incident-report.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/ip-utils.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/jose-jwe-experimental.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/json-api.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/json-merge-patch.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/json-patch.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/json-path.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/json-round-trip-helper.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/json-schema.test.js +26 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/jtd.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/jwk.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/jwt-external.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/keychain-coverage.test.js +0 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/keychain-failclosed.test.js +185 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/keychain.test.js +0 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/legal-hold.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/link-header.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/local-db-thin.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/log-stream-cloudwatch.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/log-stream-otlp-grpc.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/log-stream-otlp.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/lro.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/mail-agent.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/mail-arf.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/mail-auth-coverage.test.js +437 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/mail-auth-dmarc-policy-failclosed.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/mail-auth-failclosed.test.js +144 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/mail-auth.test.js +289 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/mail-bimi-cert-validity-unparseable.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/mail-bimi.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/mail-bounce.test.js +61 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/mail-canspam.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/mail-crypto-pgp-experimental.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/mail-crypto-pgp.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/mail-crypto-smime-bad-validity.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/mail-crypto-smime.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/mail-dav.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/mail-deploy-tlsrpt.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/mail-deploy.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/mail-dkim-numericdate-failclosed.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/mail-dkim.test.js +130 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/mail-feedback-id.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/mail-greylist.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/mail-header-injection.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/mail-helo.test.js +17 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/mail-journal.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/mail-mdn.test.js +29 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/mail-proxy-framing-bounds.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/mail-rbl.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/mail-require-tls.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/mail-scan.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/mail-send-deliver.test.js +113 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/mail-server-imap.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/mail-server-jmap.test.js +50 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/mail-server-managesieve.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/mail-server-mx.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/mail-server-pop3.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/mail-server-rate-limit.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/mail-server-registry.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/mail-server-submission.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/mail-server-tls.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/mail-sieve.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/mail-spam-score.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/mail-srs.test.js +21 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/mail-store-fts.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/mail-store.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/mail-unsubscribe.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/mail.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/mcp-tool-registry.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/mcp.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/mdoc.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/metrics-shadow-registry.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/metrics-snapshot.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/middleware-compose-pipeline.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/mime-parse.test.js +11 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/money.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/mtls-ca-paths.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/mtls-ca-revocation.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/nel.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/network-allowlist.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/network-byte-quota.test.js +65 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/network-dns-lookup-timeout-default.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/network-dns-resolver-timeout.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/network-dns-resolver.test.js +28 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/network-dns.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/network-heartbeat-passive.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/network-nts-handshake-byte-cap.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/network-smtp-policy-coverage.test.js +565 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/network-tls-build-options.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/network-tls-ct-inclusion.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/network-tls.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/network-tsig.test.js +26 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/network.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/nis2-report.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/nist-crosswalk.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/no-cache.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/nonce-store-release.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/notify.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/numeric-bounds.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/oauth-callback.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/object-store-range-header.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/object-store-versioned-delete.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/observability-tracing.test.js +22 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/observability.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/openapi.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/otel-export.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/otlp-attr-redaction.test.js +8 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/outbox-inflight-reaper.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/output-header-hardening.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/pagination.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/parser-verify-hardening.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/parsers-standalone.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/passkey-real-vectors.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/passkey.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/permissions.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/pipl-cn.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/pqc-agent-curve.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/pqc-software.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/privacy-pass.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/privacy-vendor-review.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/problem-details.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/process-spawn.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/promise-pool.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/protected-resource-metadata.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/proto-shadow-allowlist.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/protobuf-encoder.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/protocol-dispatcher.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/public-suffix.test.js +29 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/pubsub.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/queue-byo-db.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/queue-dlq-extend-lease.test.js +44 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/queue-flow-repeat.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/queue-priority-rate-progress.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/queue-sqs.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/rate-limit-cluster.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/rate-limit-memory-getorinsert.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/rate-limit-registry.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/rate-limit-xff-spoofing.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/redact-dlp.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/redis-client.test.js +16 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/request-helpers.test.js +7 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/request-id-async-context.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/request-log.test.js +3 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/require-auth-cache-control.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/require-mtls.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/resource-access-lock.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/restore-blob-remap.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/retention-dryrun-no-vacuum.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/retention-floor.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/retention-sweep-termination.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/retry.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/router-body-validation.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/router-coverage.test.js +592 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/router-cross-origin-redirect.test.js +0 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/router-failclosed.test.js +0 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/router-tls0rtt.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/router-use-path-scope.test.js +59 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/safe-archive-auto-unwrap.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/safe-archive-inspect-unwrap.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/safe-async-loops.test.js +41 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/safe-async-parallel.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/safe-buffer-linear-scans.test.js +13 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/safe-decompress.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/safe-dns.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/safe-ical.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/safe-icap.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/safe-json-stringify-for-script.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/safe-jsonpath.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/safe-mime.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/safe-mount-info.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/safe-path.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/safe-redirect.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/safe-sieve.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/safe-smtp.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/safe-url-canonicalize.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/safe-url-idn-homograph.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/safe-vcard.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/safe-xml.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/saml-mdq-wrapping.test.js +237 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/saml-slo.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/saml-subjectconfirmation-notbefore.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/saml-subjectconfirmation-notonorafter.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/sandbox.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/scheduler-exactly-once.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/scheduler-watchdog-stale-settle.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/scim-server.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/scitt.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/sd-jwt-vc-ecdsa-p1363.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/sd-jwt-vc.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/sd-notify.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/sec-cyber.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/security-assert.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/security-headers.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/security-txt.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/seeders.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/self-update-poll-asset-digest.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/self-update-standalone-verifier-ecdsa-encoding.test.js +9 -1
- package/lib/vendor/blamejs/test/layer-0-primitives/self-update-standalone-verifier.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/self-update.test.js +87 -4
- package/lib/vendor/blamejs/test/layer-0-primitives/server-timing.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/session-binding-unreadable-failclosed.test.js +80 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/session-destroy-all-store-backed.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/session-device-binding-ipv6-canonical-and-no-store.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/session-device-binding.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/session-extensions.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/session-valid-from.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/shape-match.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/sigv4-bucket-ops.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/sigv4-multipart-sse.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/slug.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/smtp-policy.test.js +5 -1
- package/lib/vendor/blamejs/test/layer-0-primitives/source-comment-blocks.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/speculation-rules.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/sql-coverage.test.js +422 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/sql.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/sse-backpressure.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/sse.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/ssrf-guard.test.js +23 -1
- package/lib/vendor/blamejs/test/layer-0-primitives/standard-webhooks.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/static.test.js +33 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/step-up.test.js +44 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/storage-chunk-scratch.test.js +0 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/storage-presigned-url.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/stream-throttle.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/structured-fields-codec.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/structured-fields.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/tcpa-10dlc.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/template-escape-html.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/tenant-quota.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/test-coverage.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/test-harness.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/testing-request.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/testing.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/time.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/tls-exporter.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/tls-ocsp-ct.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/tls-ocsp-freshness.test.js +6 -2
- package/lib/vendor/blamejs/test/layer-0-primitives/tls-ocsp-verify.test.js +127 -3
- package/lib/vendor/blamejs/test/layer-0-primitives/tls-pinset-drift.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/tls-preferred-groups.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/tracing.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/tsa.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/uri-template.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/uuid.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/validate-opts-port.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/validate-opts-shape.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/vault-aad.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/vault-default-store.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/vault-rotate-aad.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/vault-seal-pem-file.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/vc.test.js +25 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/vendor-currency-classify.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/vendor-data.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/vendor-manifest.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/vex.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/watcher.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/web-push-vapid.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/webhook-dispatcher.test.js +77 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/webhook-verify-nonce-atomic.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/webhook.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/websocket-channels.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/websocket-extension-header.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/worker-pool-recycle-race.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/worker-pool.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/worm.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/ws-client.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/x509-chain-ca-enforcement.test.js +117 -1
- package/lib/vendor/blamejs/test/layer-1-state/api-key.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-5-integration/bundler-output.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-5-integration/external-db-residency.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-5-integration/guard-host-integration.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-5-integration/security-chaos.test.js +2 -0
- package/lib/vendor/blamejs/test/smoke.js +2 -0
- package/package.json +5 -2
- package/lib/vendor/blamejs/release-notes/v0.15.0.json +0 -77
- package/lib/vendor/blamejs/release-notes/v0.15.1.json +0 -22
- package/lib/vendor/blamejs/release-notes/v0.15.10.json +0 -53
- package/lib/vendor/blamejs/release-notes/v0.15.11.json +0 -52
- package/lib/vendor/blamejs/release-notes/v0.15.12.json +0 -47
- package/lib/vendor/blamejs/release-notes/v0.15.13.json +0 -81
- package/lib/vendor/blamejs/release-notes/v0.15.14.json +0 -122
- package/lib/vendor/blamejs/release-notes/v0.15.15.json +0 -73
- package/lib/vendor/blamejs/release-notes/v0.15.16.json +0 -94
- package/lib/vendor/blamejs/release-notes/v0.15.17.json +0 -52
- package/lib/vendor/blamejs/release-notes/v0.15.18.json +0 -49
- package/lib/vendor/blamejs/release-notes/v0.15.19.json +0 -18
- package/lib/vendor/blamejs/release-notes/v0.15.2.json +0 -22
- package/lib/vendor/blamejs/release-notes/v0.15.20.json +0 -27
- package/lib/vendor/blamejs/release-notes/v0.15.21.json +0 -51
- package/lib/vendor/blamejs/release-notes/v0.15.22.json +0 -18
- package/lib/vendor/blamejs/release-notes/v0.15.23.json +0 -22
- package/lib/vendor/blamejs/release-notes/v0.15.24.json +0 -22
- package/lib/vendor/blamejs/release-notes/v0.15.25.json +0 -18
- package/lib/vendor/blamejs/release-notes/v0.15.26.json +0 -18
- package/lib/vendor/blamejs/release-notes/v0.15.27.json +0 -18
- package/lib/vendor/blamejs/release-notes/v0.15.28.json +0 -18
- package/lib/vendor/blamejs/release-notes/v0.15.29.json +0 -27
- package/lib/vendor/blamejs/release-notes/v0.15.3.json +0 -39
- package/lib/vendor/blamejs/release-notes/v0.15.30.json +0 -18
- package/lib/vendor/blamejs/release-notes/v0.15.31.json +0 -18
- package/lib/vendor/blamejs/release-notes/v0.15.32.json +0 -18
- package/lib/vendor/blamejs/release-notes/v0.15.33.json +0 -18
- package/lib/vendor/blamejs/release-notes/v0.15.34.json +0 -27
- package/lib/vendor/blamejs/release-notes/v0.15.35.json +0 -27
- package/lib/vendor/blamejs/release-notes/v0.15.36.json +0 -18
- package/lib/vendor/blamejs/release-notes/v0.15.37.json +0 -26
- package/lib/vendor/blamejs/release-notes/v0.15.38.json +0 -26
- package/lib/vendor/blamejs/release-notes/v0.15.4.json +0 -39
- package/lib/vendor/blamejs/release-notes/v0.15.5.json +0 -22
- package/lib/vendor/blamejs/release-notes/v0.15.6.json +0 -59
- package/lib/vendor/blamejs/release-notes/v0.15.7.json +0 -43
- package/lib/vendor/blamejs/release-notes/v0.15.8.json +0 -48
- package/lib/vendor/blamejs/release-notes/v0.15.9.json +0 -58
|
@@ -1,3 +1,5 @@
|
|
|
1
|
+
// SPDX-License-Identifier: Apache-2.0
|
|
2
|
+
// Copyright (c) blamejs contributors
|
|
1
3
|
"use strict";
|
|
2
4
|
|
|
3
5
|
// SMOKE_RUN_SOLO — the smoke runner (test/smoke.js) runs this file ALONE
|
|
@@ -337,6 +339,7 @@ var VALID_ALLOW_CLASSES = {
|
|
|
337
339
|
"inline-require-non-empty-string-validation": 1,
|
|
338
340
|
"internal-binding-in-prose": 1,
|
|
339
341
|
"internal-narrative-comment": 1,
|
|
342
|
+
"leftmost-domain-informational": 1,
|
|
340
343
|
"list-without-pagination": 1,
|
|
341
344
|
"math-random-noncrypto-jitter-sampling": 1,
|
|
342
345
|
"no-number-money-arithmetic": 1,
|
|
@@ -1173,6 +1176,9 @@ var CANONICAL_REQUIRE_BINDINGS = {
|
|
|
1173
1176
|
// public namespace and doesn't shadow node:crypto.
|
|
1174
1177
|
"./crypto": "bCrypto",
|
|
1175
1178
|
"../crypto": "bCrypto",
|
|
1179
|
+
// Internal ARC/DKIM reuse handshake token (a Symbol) — same constant-style
|
|
1180
|
+
// name in mail-dkim (checker) and mail-auth (setter).
|
|
1181
|
+
"./mail-arc-reuse-token": "ARC_AMS_REUSE",
|
|
1176
1182
|
};
|
|
1177
1183
|
|
|
1178
1184
|
// Node built-ins that the framework requires anywhere — used by the
|
|
@@ -1881,6 +1887,616 @@ function testNoDynamicRegexFromOperatorInput() {
|
|
|
1881
1887
|
matches);
|
|
1882
1888
|
}
|
|
1883
1889
|
|
|
1890
|
+
// ---- Pattern: operator RegExp instance matched against request input without a ReDoS screen ----
|
|
1891
|
+
//
|
|
1892
|
+
// A primitive that accepts an operator-supplied RegExp (`instanceof RegExp`
|
|
1893
|
+
// from opts) AND executes it (`.test` / `.exec` / `.match`) is a ReDoS surface
|
|
1894
|
+
// when the matched value is attacker-controllable (User-Agent, Origin, request
|
|
1895
|
+
// path, form field, SMTP HELO, remote asset name): an accidentally-catastrophic
|
|
1896
|
+
// operator pattern pins a CPU on a crafted input, and a length cap does not
|
|
1897
|
+
// bound backtracking. v0.15.38 / v0.15.39 swept the whole family — bot-guard,
|
|
1898
|
+
// cors, span-http-server, request-log, request-helpers, forms, static,
|
|
1899
|
+
// mail-helo, self-update (+ the string-compile siblings flag-targeting / mcp,
|
|
1900
|
+
// covered by the dynamic-regex detector) — and routed every operator pattern
|
|
1901
|
+
// through `b.guardRegex.assertSafe` at config time. A NEW such site must do the
|
|
1902
|
+
// same. This is the structural guard the operator-regex-ReDoS class (a Codex
|
|
1903
|
+
// finding) earns so it can't be reintroduced. The ALLOW map covers files whose
|
|
1904
|
+
// accepted RegExp is matched against a TRUSTED value, not attacker request data.
|
|
1905
|
+
function testOperatorRegexScreenedForReDoS() {
|
|
1906
|
+
var ALLOW = {
|
|
1907
|
+
"lib/dev.js": "ignore RegExp matched against an fs.watch filename in the operator's local source tree; dev-loop only, hard-refused under NODE_ENV=production",
|
|
1908
|
+
"lib/parsers/safe-env.js": "keyShape RegExp matched against env-var keys parsed from the operator's .env config at boot, not request input",
|
|
1909
|
+
"lib/safe-json.js": "JSON Schema `pattern` is part of the operator-owned schema (the documented trust boundary), not request data — same stance as the dynamic-regex detector's safe-json exclusion",
|
|
1910
|
+
};
|
|
1911
|
+
var files = _libFiles();
|
|
1912
|
+
var bad = [];
|
|
1913
|
+
for (var fi = 0; fi < files.length; fi++) {
|
|
1914
|
+
var rel = _relPath(files[fi]);
|
|
1915
|
+
if (ALLOW[rel]) continue;
|
|
1916
|
+
var content;
|
|
1917
|
+
try { content = fs.readFileSync(files[fi], "utf8"); }
|
|
1918
|
+
catch (_e) { continue; }
|
|
1919
|
+
if (!/instanceof RegExp/.test(content)) continue; // accepts an operator RegExp opt
|
|
1920
|
+
if (!/\.(?:test|exec|match)\s*\(/.test(content)) continue; // and executes a regex
|
|
1921
|
+
if (/\bassertSafe\s*\(/.test(content)) continue; // already ReDoS-screened
|
|
1922
|
+
var lines = content.split(/\r?\n/);
|
|
1923
|
+
for (var li = 0; li < lines.length; li++) {
|
|
1924
|
+
if (/instanceof RegExp/.test(lines[li])) {
|
|
1925
|
+
bad.push({
|
|
1926
|
+
file: rel,
|
|
1927
|
+
line: li + 1,
|
|
1928
|
+
content: "accepts an operator-supplied RegExp + executes a regex but never calls b.guardRegex.assertSafe — screen the operator pattern for ReDoS at config time, or add the file to this detector's ALLOW map with a reason if the regex is matched against trusted (non-request) input",
|
|
1929
|
+
});
|
|
1930
|
+
break;
|
|
1931
|
+
}
|
|
1932
|
+
}
|
|
1933
|
+
}
|
|
1934
|
+
_report("a primitive accepting + executing an operator-supplied RegExp must ReDoS-screen it via b.guardRegex.assertSafe (or be allowlisted as matched-against-trusted-input)",
|
|
1935
|
+
bad);
|
|
1936
|
+
}
|
|
1937
|
+
|
|
1938
|
+
// ---- Pattern: process.moduleLoadList filter must match the "NativeModule X" naming ----
|
|
1939
|
+
//
|
|
1940
|
+
// An edge-runtime guard test inspects process.moduleLoadList to assert a
|
|
1941
|
+
// networking builtin did NOT eager-load. Node 20+ records a loaded builtin as
|
|
1942
|
+
// "NativeModule http" (Node <24 also used "node:http"); filtering ONLY the
|
|
1943
|
+
// `node:` form silently passes even after a top-level networking require is
|
|
1944
|
+
// reintroduced — the test rots green and the regression ships (Codex P2, PR
|
|
1945
|
+
// #381). Any test that filters moduleLoadList must also match "NativeModule ".
|
|
1946
|
+
function testModuleLoadListMatchesNativeModuleNaming() {
|
|
1947
|
+
var files = _testFiles();
|
|
1948
|
+
var bad = [];
|
|
1949
|
+
for (var fi = 0; fi < files.length; fi++) {
|
|
1950
|
+
var rel = _relPath(files[fi]);
|
|
1951
|
+
var content;
|
|
1952
|
+
try { content = fs.readFileSync(files[fi], "utf8"); }
|
|
1953
|
+
catch (_e) { continue; }
|
|
1954
|
+
if (!/moduleLoadList/.test(content)) continue;
|
|
1955
|
+
if (/NativeModule/.test(content)) continue; // matches the Node 20+ form
|
|
1956
|
+
var lines = content.split(/\r?\n/);
|
|
1957
|
+
for (var li = 0; li < lines.length; li++) {
|
|
1958
|
+
if (/moduleLoadList/.test(lines[li])) {
|
|
1959
|
+
bad.push({
|
|
1960
|
+
file: rel,
|
|
1961
|
+
line: li + 1,
|
|
1962
|
+
content: "filters process.moduleLoadList without matching the 'NativeModule X' naming (Node 20+) — a `node:`-only filter rots green when a top-level builtin require is reintroduced; match `NativeModule ` too",
|
|
1963
|
+
});
|
|
1964
|
+
break;
|
|
1965
|
+
}
|
|
1966
|
+
}
|
|
1967
|
+
}
|
|
1968
|
+
_report("a test filtering process.moduleLoadList must match the 'NativeModule X' naming (Node 20+), not only 'node:X'",
|
|
1969
|
+
bad);
|
|
1970
|
+
}
|
|
1971
|
+
|
|
1972
|
+
// (No structural detector for the PR #370 sync-run().catch class: a sync
|
|
1973
|
+
// `function run()` that RETURNS a promise chain is the common, correct pattern,
|
|
1974
|
+
// so `run().then/.catch` cannot be distinguished lexically from the bug shape
|
|
1975
|
+
// — sync run() returning UNDEFINED. That case is behavioral, guarded by the
|
|
1976
|
+
// inline fix + the test-detached-async-iife / test-unguarded-module-level-run
|
|
1977
|
+
// detectors for adjacent shapes.)
|
|
1978
|
+
|
|
1979
|
+
// ---- Pattern: a competing-consumer claim must use FOR UPDATE SKIP LOCKED ----
|
|
1980
|
+
//
|
|
1981
|
+
// A poller that claims due rows across concurrent workers — SELECT
|
|
1982
|
+
// status='pending' inside a transaction, then flip the rows to
|
|
1983
|
+
// 'in-flight'/'inflight' — MUST hold a row lock via FOR UPDATE SKIP LOCKED on
|
|
1984
|
+
// the row-locking backends (Postgres / MySQL). Without it, two pollers under
|
|
1985
|
+
// READ COMMITTED both SELECT the same pending row; the loser's gated UPDATE
|
|
1986
|
+
// matches zero rows, but a reselect-by-id re-reads the row the WINNER just
|
|
1987
|
+
// flipped to in-flight and hands it back — so both workers process the same row
|
|
1988
|
+
// in one cycle. sqlite's single writer is safe via the mark-then-reselect
|
|
1989
|
+
// fallback, but that fallback ALONE (no skipLocked branch) is the bug.
|
|
1990
|
+
// b.outbox._claimBatch and b.queue-local are the canonical correct claims; the
|
|
1991
|
+
// webhook dispatcher's processRetries shipped without the skipLocked branch and
|
|
1992
|
+
// double-claimed under Postgres / MySQL (fixed this release). This guards every
|
|
1993
|
+
// future poller from re-introducing the no-SKIP-LOCKED shape.
|
|
1994
|
+
function testCompetingConsumerClaimUsesSkipLocked() {
|
|
1995
|
+
var bad = [];
|
|
1996
|
+
var files = _libFiles();
|
|
1997
|
+
for (var fi = 0; fi < files.length; fi++) {
|
|
1998
|
+
var rel = _relPath(files[fi]);
|
|
1999
|
+
var content;
|
|
2000
|
+
try { content = fs.readFileSync(files[fi], "utf8"); }
|
|
2001
|
+
catch (_e) { continue; }
|
|
2002
|
+
// The claim shape: marks rows to in-flight/inflight via a builder .set AND
|
|
2003
|
+
// selects rows by status='pending' (the competing-consumer claim idiom).
|
|
2004
|
+
var marksInflight = /\.set\(\s*\{[^{}]*status:\s*["']in-?flight["']/.test(content)
|
|
2005
|
+
|| /\.set\(\s*["']status["']\s*,\s*["']in-?flight["']/.test(content);
|
|
2006
|
+
if (!marksInflight) continue;
|
|
2007
|
+
var selectsPending = /status\s*=\s*'pending'/.test(content)
|
|
2008
|
+
|| /\.where\(\s*["']status["']\s*,\s*["']pending["']/.test(content);
|
|
2009
|
+
if (!selectsPending) continue;
|
|
2010
|
+
if (/skipLocked|SKIP LOCKED/.test(content)) continue; // competing-consumer safe
|
|
2011
|
+
var lines = content.split(/\r?\n/);
|
|
2012
|
+
for (var li = 0; li < lines.length; li++) {
|
|
2013
|
+
if (/status:\s*["']in-?flight["']|["']status["']\s*,\s*["']in-?flight["']/.test(lines[li])) {
|
|
2014
|
+
bad.push({
|
|
2015
|
+
file: rel,
|
|
2016
|
+
line: li + 1,
|
|
2017
|
+
content: "a competing-consumer claim (SELECT status='pending' then flip to in-flight) must use FOR UPDATE SKIP LOCKED on the row-locking backends (Postgres / MySQL) so concurrent pollers see disjoint sets — mirror b.outbox._claimBatch; a mark-then-reselect with no skipLocked branch double-claims under READ COMMITTED",
|
|
2018
|
+
});
|
|
2019
|
+
break;
|
|
2020
|
+
}
|
|
2021
|
+
}
|
|
2022
|
+
}
|
|
2023
|
+
_report("every competing-consumer claim (pending->in-flight poller) must use FOR UPDATE SKIP LOCKED (mirror b.outbox._claimBatch)",
|
|
2024
|
+
bad);
|
|
2025
|
+
}
|
|
2026
|
+
|
|
2027
|
+
// ---- Pattern: a cache-backed counter must use atomic cache.update ----
|
|
2028
|
+
//
|
|
2029
|
+
// Accumulating on a cache with `await cache.get(K)` → mutate/increment →
|
|
2030
|
+
// `await cache.set(K, ...)` is a non-atomic read-modify-write: two concurrent
|
|
2031
|
+
// writers read the same value and one set clobbers the other (lost update),
|
|
2032
|
+
// under-counting on a shared / cluster cache and letting a quota / rate /
|
|
2033
|
+
// bandwidth / concurrency cap be bypassed. b.cache.update is the atomic
|
|
2034
|
+
// compare-and-set RMW. The byte-quota and static bandwidth/concurrency
|
|
2035
|
+
// lost-updates (fixed this release) were this shape. Allowlisted: a cache used
|
|
2036
|
+
// for lookups or cache-aside (the stored value is recomputed or replaced
|
|
2037
|
+
// wholesale, never incremented) or whose writes are serialized another way (an
|
|
2038
|
+
// in-process per-key chain) — none of which can lose an increment.
|
|
2039
|
+
function testCacheCounterUsesAtomicUpdate() {
|
|
2040
|
+
var ALLOW = {
|
|
2041
|
+
"lib/network-dns-resolver.js": "a DNS lookup cache (cache-aside): get a cached resolution, set the freshly-resolved entry — the stored value is replaced wholesale, never incremented, so there is no lost-update counter",
|
|
2042
|
+
"lib/tenant-quota.js": "a cache-aside for bytesUsed (recomputed by walking the tenant's tables, then cached) — the value is replaced from source, not incremented; the QPS/rows budget counter is an in-process Map, not the cache",
|
|
2043
|
+
};
|
|
2044
|
+
var bad = [];
|
|
2045
|
+
var files = _libFiles();
|
|
2046
|
+
for (var fi = 0; fi < files.length; fi++) {
|
|
2047
|
+
var rel = _relPath(files[fi]);
|
|
2048
|
+
if (ALLOW[rel]) continue;
|
|
2049
|
+
var content;
|
|
2050
|
+
try { content = fs.readFileSync(files[fi], "utf8"); } catch (_e) { continue; }
|
|
2051
|
+
if (!/\bcache\.get\s*\(/.test(content)) continue;
|
|
2052
|
+
if (!/\bcache\.set\s*\(/.test(content)) continue;
|
|
2053
|
+
if (/\bcache\.update\s*\(/.test(content)) continue; // already atomic
|
|
2054
|
+
var lines = content.split(/\r?\n/);
|
|
2055
|
+
for (var li = 0; li < lines.length; li++) {
|
|
2056
|
+
if (/\bcache\.set\s*\(/.test(lines[li])) {
|
|
2057
|
+
bad.push({
|
|
2058
|
+
file: rel,
|
|
2059
|
+
line: li + 1,
|
|
2060
|
+
content: "a cache-backed counter must use atomic cache.update, not a cache.get -> mutate -> cache.set read-modify-write (loses concurrent updates on a shared cache) — use cache.update, or allowlist this file with the reason its get/set is not a lost-update counter (lookup / cache-aside, or in-process-serialized)",
|
|
2061
|
+
});
|
|
2062
|
+
break;
|
|
2063
|
+
}
|
|
2064
|
+
}
|
|
2065
|
+
}
|
|
2066
|
+
_report("a cache-backed counter must use the atomic cache.update, not a get->set read-modify-write", bad);
|
|
2067
|
+
}
|
|
2068
|
+
|
|
2069
|
+
// ---- Pattern: a registry check-then-create must serialize per key ----
|
|
2070
|
+
//
|
|
2071
|
+
// An async check-then-create on a pluggable backend — `await backend.get(key)`
|
|
2072
|
+
// -> throw a `/duplicate` error if present -> `await backend.set(key, ...)` —
|
|
2073
|
+
// has an await between the read and the write, so two concurrent calls for one
|
|
2074
|
+
// key both observe absence and both write (duplicate-create / lost-registration).
|
|
2075
|
+
// It must be serialized per key (b.safeAsync.keyedSerializer, exposed on ctx as
|
|
2076
|
+
// registrySerializer) so the second call sees the first's row and is refused.
|
|
2077
|
+
// The agent orchestrator + tenant registries were this shape (fixed this release).
|
|
2078
|
+
function testRegistryCheckThenCreateSerialized() {
|
|
2079
|
+
var bad = [];
|
|
2080
|
+
var files = _libFiles();
|
|
2081
|
+
for (var fi = 0; fi < files.length; fi++) {
|
|
2082
|
+
var rel = _relPath(files[fi]);
|
|
2083
|
+
var content;
|
|
2084
|
+
try { content = fs.readFileSync(files[fi], "utf8"); } catch (_e) { continue; }
|
|
2085
|
+
if (!/\/duplicate["']/.test(content)) continue; // throws a duplicate error
|
|
2086
|
+
if (!/backend\.get\s*\(/.test(content)) continue; // the check
|
|
2087
|
+
if (!/backend\.set\s*\(/.test(content)) continue; // the create
|
|
2088
|
+
if (/keyedSerializer|registrySerializer/.test(content)) continue; // serialized per key
|
|
2089
|
+
var lines = content.split(/\r?\n/);
|
|
2090
|
+
for (var li = 0; li < lines.length; li++) {
|
|
2091
|
+
if (/\/duplicate["']/.test(lines[li])) {
|
|
2092
|
+
bad.push({
|
|
2093
|
+
file: rel,
|
|
2094
|
+
line: li + 1,
|
|
2095
|
+
content: "a check-then-create on a pluggable backend (await backend.get -> throw /duplicate -> await backend.set) must be serialized per key (b.safeAsync.keyedSerializer / ctx.registrySerializer) so two concurrent calls for one key can't both create",
|
|
2096
|
+
});
|
|
2097
|
+
break;
|
|
2098
|
+
}
|
|
2099
|
+
}
|
|
2100
|
+
}
|
|
2101
|
+
_report("a registry check-then-create on a pluggable backend must serialize per key (b.safeAsync.keyedSerializer)", bad);
|
|
2102
|
+
}
|
|
2103
|
+
|
|
2104
|
+
// ---- Pattern: a cert-chain issuance link must use issuerValidlyIssued ----
|
|
2105
|
+
//
|
|
2106
|
+
// A multi-hop X.509 chain walker must test each ISSUANCE link with
|
|
2107
|
+
// x509Chain.issuerValidlyIssued (which enforces basicConstraints cA:TRUE),
|
|
2108
|
+
// NOT a bare X509Certificate.checkIssued(): node's checkIssued does not enforce
|
|
2109
|
+
// the CA bit, so a non-CA / end-entity cert (cA:FALSE) spliced in as an
|
|
2110
|
+
// intermediate is wrongly accepted as an issuer — the classic basicConstraints
|
|
2111
|
+
// bypass (CVE-2002-0862 class). fido-mds3 was the sole outlier (fixed this
|
|
2112
|
+
// release); mdoc / tsa / bimi / content-credentials / smime all route through
|
|
2113
|
+
// issuerValidlyIssued. A self-signed-root check (cert.checkIssued(cert) — same
|
|
2114
|
+
// receiver and argument) is NOT an issuance hop and is fine. lib/x509-chain.js
|
|
2115
|
+
// owns the one legitimate checkIssued (inside issuerValidlyIssued).
|
|
2116
|
+
function testCertChainIssuanceUsesIssuerValidlyIssued() {
|
|
2117
|
+
var bad = [];
|
|
2118
|
+
var files = _libFiles();
|
|
2119
|
+
var RE = /([\w$.[\]]+)\.checkIssued\s*\(\s*([\w$.[\]\s+]+?)\s*\)/;
|
|
2120
|
+
for (var fi = 0; fi < files.length; fi++) {
|
|
2121
|
+
var rel = _relPath(files[fi]);
|
|
2122
|
+
if (rel === "lib/x509-chain.js") continue; // the canonical home (inside issuerValidlyIssued)
|
|
2123
|
+
var content;
|
|
2124
|
+
try { content = fs.readFileSync(files[fi], "utf8"); } catch (_e) { continue; }
|
|
2125
|
+
if (content.indexOf(".checkIssued(") === -1) continue;
|
|
2126
|
+
var lines = content.split(/\r?\n/);
|
|
2127
|
+
for (var li = 0; li < lines.length; li++) {
|
|
2128
|
+
var t = lines[li].trim();
|
|
2129
|
+
if (t.indexOf("//") === 0 || t.indexOf("*") === 0) continue; // comment line
|
|
2130
|
+
var m = RE.exec(lines[li]);
|
|
2131
|
+
if (!m) continue;
|
|
2132
|
+
if (m[1].replace(/\s+/g, "") === m[2].replace(/\s+/g, "")) continue; // self-signed check, not an issuance hop
|
|
2133
|
+
bad.push({
|
|
2134
|
+
file: rel,
|
|
2135
|
+
line: li + 1,
|
|
2136
|
+
content: "a cert-chain issuance link uses bare X509Certificate.checkIssued() (no basicConstraints cA:TRUE enforcement) — route it through x509Chain.issuerValidlyIssued(issuer, subject), like mdoc / tsa / bimi / content-credentials, so a non-CA intermediate is refused (basicConstraints bypass, CVE-2002-0862)",
|
|
2137
|
+
});
|
|
2138
|
+
}
|
|
2139
|
+
}
|
|
2140
|
+
_report("a cert-chain issuance link must use x509Chain.issuerValidlyIssued (cA-enforcing), not bare checkIssued", bad);
|
|
2141
|
+
}
|
|
2142
|
+
|
|
2143
|
+
// ---- Pattern: domainToASCII must reject URL delimiters before a host compare ----
|
|
2144
|
+
// node:url.domainToASCII silently TRUNCATES at "/" "?" "#" "\" — e.g.
|
|
2145
|
+
// domainToASCII("victim.example/evil") === "victim.example" — so a host carrying
|
|
2146
|
+
// a delimiter canonicalizes to a trusted PREFIX. A canonicalizer that feeds the
|
|
2147
|
+
// raw result into an identity / authorization comparison lets a hostile host
|
|
2148
|
+
// masquerade as a trusted one (the BIMI/VMC SubjectAltName bypass class, and a
|
|
2149
|
+
// DMARC-alignment spoof). The two guarded homes — public-suffix._normalizeInput
|
|
2150
|
+
// and mail.toAscii — reject those delimiters BEFORE calling domainToASCII; every
|
|
2151
|
+
// other consumer must route through publicSuffix.canonicalDomain (delimiter-safe,
|
|
2152
|
+
// fails closed to "").
|
|
2153
|
+
function testDomainToAsciiRejectsUrlDelimiters() {
|
|
2154
|
+
var bad = [];
|
|
2155
|
+
var files = _libFiles();
|
|
2156
|
+
var RE = /\bdomainToASCII\s*\(/;
|
|
2157
|
+
for (var fi = 0; fi < files.length; fi++) {
|
|
2158
|
+
var rel = _relPath(files[fi]);
|
|
2159
|
+
// The two homes that reject "/" "?" "#" "\" before calling domainToASCII.
|
|
2160
|
+
if (rel === "lib/public-suffix.js" || rel === "lib/mail.js") continue;
|
|
2161
|
+
var content;
|
|
2162
|
+
try { content = fs.readFileSync(files[fi], "utf8"); } catch (_e) { continue; }
|
|
2163
|
+
if (content.indexOf("domainToASCII(") === -1) continue;
|
|
2164
|
+
var lines = content.split(/\r?\n/);
|
|
2165
|
+
for (var li = 0; li < lines.length; li++) {
|
|
2166
|
+
var t = lines[li].trim();
|
|
2167
|
+
if (t.indexOf("//") === 0 || t.indexOf("*") === 0) continue; // comment line
|
|
2168
|
+
if (RE.test(lines[li])) {
|
|
2169
|
+
bad.push({
|
|
2170
|
+
file: rel,
|
|
2171
|
+
line: li + 1,
|
|
2172
|
+
content: "raw node:url.domainToASCII() used for host normalization — it silently TRUNCATES at a URL delimiter (\"/\" \"?\" \"#\"), reducing a hostile host to a trusted prefix (the BIMI/VMC SAN bypass + DMARC-alignment spoof class). Route the host through publicSuffix.canonicalDomain, which rejects delimiters and fails closed.",
|
|
2173
|
+
});
|
|
2174
|
+
}
|
|
2175
|
+
}
|
|
2176
|
+
}
|
|
2177
|
+
_report("a host canonicalizer must route domainToASCII through publicSuffix.canonicalDomain (delimiter-safe), not call it raw", bad);
|
|
2178
|
+
}
|
|
2179
|
+
|
|
2180
|
+
// ---- Pattern: URLSearchParams("..."+x) must escape "&" in the concatenated x ----
|
|
2181
|
+
// new URLSearchParams(str) parses str as a query and splits pairs on "&". A
|
|
2182
|
+
// caller value concatenated into that string (e.g. new URLSearchParams("k=" +
|
|
2183
|
+
// token)) is split + truncated at any literal "&" the value carries — silently
|
|
2184
|
+
// dropping everything after it (the httpSig @query-param decoded-name bug). The
|
|
2185
|
+
// value must be "&"-escaped (.replace(/&/g, "%26")) before concatenation.
|
|
2186
|
+
function testUrlSearchParamsConcatEscapesAmpersand() {
|
|
2187
|
+
var bad = [];
|
|
2188
|
+
var files = _libFiles();
|
|
2189
|
+
var RE = /new\s+URLSearchParams\s*\(\s*["'][^"']*["']\s*\+/; // string-literal + concat into the query
|
|
2190
|
+
for (var fi = 0; fi < files.length; fi++) {
|
|
2191
|
+
var rel = _relPath(files[fi]);
|
|
2192
|
+
var content;
|
|
2193
|
+
try { content = fs.readFileSync(files[fi], "utf8"); } catch (_e) { continue; }
|
|
2194
|
+
if (content.indexOf("URLSearchParams") === -1) continue;
|
|
2195
|
+
var lines = content.split(/\r?\n/);
|
|
2196
|
+
for (var li = 0; li < lines.length; li++) {
|
|
2197
|
+
var line = lines[li];
|
|
2198
|
+
if (/^\s*(\/\/|\*|\/\*)/.test(line)) continue;
|
|
2199
|
+
if (!RE.test(line)) continue;
|
|
2200
|
+
// Safe iff the concatenated value is "&"-escaped on the same expression.
|
|
2201
|
+
if (/replace\s*\(\s*\/&\//.test(line) || line.indexOf("%26") !== -1) continue;
|
|
2202
|
+
bad.push({
|
|
2203
|
+
file: rel,
|
|
2204
|
+
line: li + 1,
|
|
2205
|
+
content: "new URLSearchParams() built by concatenating a value into the query string — it splits on a literal \"&\" in that value, silently truncating it (the httpSig @query-param bug). Escape the value with .replace(/&/g, \"%26\") before concatenation.",
|
|
2206
|
+
});
|
|
2207
|
+
}
|
|
2208
|
+
}
|
|
2209
|
+
_report("a URLSearchParams query built by string concatenation must escape \"&\" in the concatenated value", bad);
|
|
2210
|
+
}
|
|
2211
|
+
|
|
2212
|
+
// ---- Pattern: email-domain via split("@")[1] must reject a multi-@ addr-spec ----
|
|
2213
|
+
// An RFC 5322 addr-spec has exactly one "@". str.split("@")[1] pulls the
|
|
2214
|
+
// LEFTMOST segment, so on a multi-@ string (x@attacker@victim) it derives
|
|
2215
|
+
// attacker's domain — while a rightmost-@ parser (lastIndexOf) derives victim.
|
|
2216
|
+
// When one site authorizes/routes on the leftmost domain and another gates on
|
|
2217
|
+
// the rightmost, DMARC/SPF authorizes a domain the attacker controls while the
|
|
2218
|
+
// displayed From is the victim's (CWE-290), or outbound delivery routes to an
|
|
2219
|
+
// unintended host. Every leftmost-@ domain pull must first reject a multi-@
|
|
2220
|
+
// address (str.indexOf("@") !== str.lastIndexOf("@")) within its function; a
|
|
2221
|
+
// purely informational, non-routing use is marked inline.
|
|
2222
|
+
function testEmailDomainDerivationGuardsMultiAt() {
|
|
2223
|
+
var bad = [];
|
|
2224
|
+
var files = _libFiles();
|
|
2225
|
+
var SPLIT_RE = /\.split\(\s*["']@["']\s*\)\s*\[\s*1\s*\]/; // leftmost-@ domain pull
|
|
2226
|
+
var GUARD_RE = /lastIndexOf\(\s*["']@["']\s*\)/; // single-@ rejection anchor
|
|
2227
|
+
var FN_RE = /^\s*(?:async\s+)?function\b/; // function-head boundary
|
|
2228
|
+
for (var fi = 0; fi < files.length; fi++) {
|
|
2229
|
+
var rel = _relPath(files[fi]);
|
|
2230
|
+
var content;
|
|
2231
|
+
try { content = fs.readFileSync(files[fi], "utf8"); } catch (_e) { continue; }
|
|
2232
|
+
if (content.indexOf('split("@")') === -1 && content.indexOf("split('@')") === -1) continue;
|
|
2233
|
+
var lines = content.split(/\r?\n/);
|
|
2234
|
+
for (var li = 0; li < lines.length; li++) {
|
|
2235
|
+
var line = lines[li];
|
|
2236
|
+
if (/^\s*(?:\/\/|\*|\/\*)/.test(line)) continue; // comment line
|
|
2237
|
+
if (!SPLIT_RE.test(line)) continue;
|
|
2238
|
+
// Safe iff a single-@ rejection (lastIndexOf "@") appears on this line or
|
|
2239
|
+
// anywhere above it within the same function body.
|
|
2240
|
+
var guarded = GUARD_RE.test(line);
|
|
2241
|
+
for (var w = li - 1; w >= 0 && !guarded && w >= li - 200; w--) {
|
|
2242
|
+
if (GUARD_RE.test(lines[w])) { guarded = true; break; }
|
|
2243
|
+
if (FN_RE.test(lines[w])) break; // hit the function head, no guard
|
|
2244
|
+
}
|
|
2245
|
+
if (!guarded) {
|
|
2246
|
+
bad.push({
|
|
2247
|
+
file: rel,
|
|
2248
|
+
line: li + 1,
|
|
2249
|
+
content: "email-domain derived via str.split(\"@\")[1] (the LEFTMOST segment). On a multi-@ addr-spec (x@attacker@victim) this authorizes/routes to attacker's domain while a rightmost-@ parser reads victim — the DMARC/SPF-alignment + delivery-routing bypass class (CWE-290). Reject a multi-@ address first (str.indexOf(\"@\") !== str.lastIndexOf(\"@\")), or mark an informational non-routing use with // allow:leftmost-domain-informational.",
|
|
2250
|
+
});
|
|
2251
|
+
}
|
|
2252
|
+
}
|
|
2253
|
+
}
|
|
2254
|
+
bad = _filterMarkers(bad, "leftmost-domain-informational");
|
|
2255
|
+
_report("an email-domain derivation via split(\"@\")[1] must first reject a multi-@ addr-spec (single-@ guard)", bad);
|
|
2256
|
+
}
|
|
2257
|
+
|
|
2258
|
+
// ---- Pattern: fileUpload lifecycle methods enforce per-upload ownership ----
|
|
2259
|
+
// A fileUpload lifecycle method that loads an upload by a request-supplied
|
|
2260
|
+
// uploadId (_readMeta(uploadId)) and then acts on it MUST call _checkOwnership
|
|
2261
|
+
// before mutating/returning, or a caller can act on another actor's upload by
|
|
2262
|
+
// guessing its uploadId (IDOR / CWE-639). A behavioral test covers the four
|
|
2263
|
+
// current methods; this detector keeps a NEW lifecycle method from silently
|
|
2264
|
+
// reintroducing the gap (the internal enumerate/cleanup sweeps read
|
|
2265
|
+
// _readMeta(e.name), not uploadId, so they are not matched).
|
|
2266
|
+
function testFileUploadLifecycleChecksOwnership() {
|
|
2267
|
+
var bad = [];
|
|
2268
|
+
var rel = "lib/file-upload.js";
|
|
2269
|
+
var content;
|
|
2270
|
+
try {
|
|
2271
|
+
content = fs.readFileSync(path.resolve(path.resolve(__dirname, "..", ".."), rel), "utf8");
|
|
2272
|
+
} catch (_e) { _report("fileUpload lifecycle methods enforce per-upload ownership", bad); return; }
|
|
2273
|
+
var lines = content.split(/\r?\n/);
|
|
2274
|
+
for (var li = 0; li < lines.length; li++) {
|
|
2275
|
+
// The CALL shape (`= _readMeta(uploadId)`), not the `function _readMeta(...)`
|
|
2276
|
+
// definition.
|
|
2277
|
+
if (!/=\s*_readMeta\(uploadId\)/.test(lines[li])) continue;
|
|
2278
|
+
// _checkOwnership must appear after the read, within the same method body
|
|
2279
|
+
// (a method-closing brace at 2-space indent ends the scan).
|
|
2280
|
+
var guarded = false;
|
|
2281
|
+
for (var w = li + 1; w < lines.length && w <= li + 30; w++) {
|
|
2282
|
+
if (/^ {2}\}/.test(lines[w])) break; // method-closing brace
|
|
2283
|
+
if (/_checkOwnership\(/.test(lines[w])) { guarded = true; break; }
|
|
2284
|
+
}
|
|
2285
|
+
if (!guarded) {
|
|
2286
|
+
bad.push({
|
|
2287
|
+
file: rel,
|
|
2288
|
+
line: li + 1,
|
|
2289
|
+
content: "a fileUpload lifecycle method loads an upload by request-supplied uploadId (_readMeta(uploadId)) but does not call _checkOwnership before acting — a caller could act on another actor's upload by guessing its uploadId (IDOR / CWE-639).",
|
|
2290
|
+
});
|
|
2291
|
+
}
|
|
2292
|
+
}
|
|
2293
|
+
_report("every fileUpload lifecycle method reading _readMeta(uploadId) must call _checkOwnership before acting (IDOR guard)", bad);
|
|
2294
|
+
}
|
|
2295
|
+
|
|
2296
|
+
// ---- Pattern: scope/role wildcard matching must use b.permissions.match ----
|
|
2297
|
+
// The hand-rolled wildcard idiom — detect a trailing "*" (charAt(len-1)==="*"),
|
|
2298
|
+
// strip it (slice(0,-1)), then raw-prefix-match (indexOf(prefix)===0) — ignores
|
|
2299
|
+
// ":" segment boundaries, so a partial-segment scope "phi:a*" wrongly satisfies
|
|
2300
|
+
// "phi:admin". Scope/role wildcard matching must route through the segment-aware
|
|
2301
|
+
// b.permissions.match (break-glass + dual-control hand-rolled it independently).
|
|
2302
|
+
function testScopeWildcardUsesPermissionsMatch() {
|
|
2303
|
+
var bad = [];
|
|
2304
|
+
var files = _libFiles();
|
|
2305
|
+
var STAR = /charAt\([^)]*\.length\s*-\s*1\)\s*===\s*"\*"/;
|
|
2306
|
+
var SLICE = /\.slice\(\s*0\s*,\s*-\s*1\s*\)/;
|
|
2307
|
+
var PREFIX = /\.indexOf\([^)]*\)\s*===\s*0/;
|
|
2308
|
+
for (var fi = 0; fi < files.length; fi++) {
|
|
2309
|
+
var rel = _relPath(files[fi]);
|
|
2310
|
+
var content;
|
|
2311
|
+
try { content = fs.readFileSync(files[fi], "utf8"); } catch (_e) { continue; }
|
|
2312
|
+
if (!STAR.test(content)) continue;
|
|
2313
|
+
var lines = content.split(/\r?\n/);
|
|
2314
|
+
for (var li = 0; li < lines.length; li++) {
|
|
2315
|
+
if (!STAR.test(lines[li])) continue;
|
|
2316
|
+
// The full hand-rolled-wildcard signature is the trailing-"*" check plus a
|
|
2317
|
+
// slice(0,-1) strip plus a raw indexOf(...)===0 prefix match, all within
|
|
2318
|
+
// the same small block (a trailing-"*" check alone — e.g. URI-template
|
|
2319
|
+
// explode, array-key parsing — is not a scope match).
|
|
2320
|
+
var hasSlice = false, hasPrefix = false;
|
|
2321
|
+
for (var w = li; w < lines.length && w <= li + 12; w++) {
|
|
2322
|
+
if (SLICE.test(lines[w])) hasSlice = true;
|
|
2323
|
+
if (PREFIX.test(lines[w])) hasPrefix = true;
|
|
2324
|
+
}
|
|
2325
|
+
if (hasSlice && hasPrefix) {
|
|
2326
|
+
bad.push({
|
|
2327
|
+
file: rel,
|
|
2328
|
+
line: li + 1,
|
|
2329
|
+
content: "hand-rolled scope/role wildcard match (trailing-\"*\" + slice(0,-1) + indexOf(prefix)===0) ignores \":\" segment boundaries, so a partial-segment scope wrongly satisfies a different value — route through the segment-aware b.permissions.match.",
|
|
2330
|
+
});
|
|
2331
|
+
}
|
|
2332
|
+
}
|
|
2333
|
+
}
|
|
2334
|
+
_report("scope/role wildcard matching must use the segment-aware b.permissions.match, not a hand-rolled prefix match", bad);
|
|
2335
|
+
}
|
|
2336
|
+
|
|
2337
|
+
// ---- Pattern: queue-redis inflight-transition LUA result must be captured ----
|
|
2338
|
+
// COMPLETE_LUA / FAIL_LUA atomically ZREM a job from the inflight set and
|
|
2339
|
+
// return whether THIS call won that transition (1 = won, 0/-1 = stale). The
|
|
2340
|
+
// caller MUST capture that result and gate its side effects on it: a stale
|
|
2341
|
+
// worker whose lease expired (the job swept back to ready and re-leased /
|
|
2342
|
+
// completed by another worker) must NOT run complete()'s cron re-enqueue +
|
|
2343
|
+
// flow release, nor fail()'s retry/dlq re-queue — doing so double-fires a cron
|
|
2344
|
+
// repeat or resurrects an already-finished job. A bare
|
|
2345
|
+
// `await client.runScript(COMPLETE_LUA, …)` (result discarded) is the bug
|
|
2346
|
+
// shape; it must be `var x = await client.runScript(COMPLETE_LUA, …)` + a
|
|
2347
|
+
// gate. The SQL backends carry the equivalent `WHERE status='inflight'` guard;
|
|
2348
|
+
// this keeps the redis backend from diverging.
|
|
2349
|
+
function testQueueRedisGateLuaResultCaptured() {
|
|
2350
|
+
var bad = [];
|
|
2351
|
+
var rel = "lib/queue-redis.js";
|
|
2352
|
+
var content;
|
|
2353
|
+
try {
|
|
2354
|
+
content = fs.readFileSync(path.resolve(path.resolve(__dirname, "..", ".."), rel), "utf8");
|
|
2355
|
+
} catch (_e) { _report("queue-redis gate-LUA results captured + gated", bad); return; }
|
|
2356
|
+
var lines = content.split(/\r?\n/);
|
|
2357
|
+
for (var li = 0; li < lines.length; li++) {
|
|
2358
|
+
if (!/client\.runScript\(/.test(lines[li])) continue;
|
|
2359
|
+
// The first ARGUMENT identifies the script. It may sit on the call line or
|
|
2360
|
+
// the next few lines (the call is multi-line).
|
|
2361
|
+
var gate = null;
|
|
2362
|
+
for (var w = li; w < lines.length && w <= li + 3; w++) {
|
|
2363
|
+
var m = lines[w].match(/(?:runScript\(\s*)?\b(COMPLETE_LUA|FAIL_LUA)\b/);
|
|
2364
|
+
if (m && (w === li ? /runScript\(\s*(COMPLETE_LUA|FAIL_LUA)\b/.test(lines[w]) : /^\s*(COMPLETE_LUA|FAIL_LUA)\b/.test(lines[w]))) {
|
|
2365
|
+
gate = m[1]; break;
|
|
2366
|
+
}
|
|
2367
|
+
}
|
|
2368
|
+
if (!gate) continue;
|
|
2369
|
+
// The call line MUST assign the result (so a guard can read it). A bare
|
|
2370
|
+
// `await client.runScript(...)` statement discards the gate.
|
|
2371
|
+
if (!/=\s*await\s+client\.runScript\(/.test(lines[li]) &&
|
|
2372
|
+
!/=\s*client\.runScript\(/.test(lines[li])) {
|
|
2373
|
+
bad.push({
|
|
2374
|
+
file: rel,
|
|
2375
|
+
line: li + 1,
|
|
2376
|
+
content: "the result of client.runScript(" + gate + ") is discarded — it must be captured into a variable and gated (a stale worker must not run the post-transition side effects: double cron-fire / resurrected job).",
|
|
2377
|
+
});
|
|
2378
|
+
}
|
|
2379
|
+
}
|
|
2380
|
+
_report("queue-redis complete()/fail() must capture + gate the inflight-transition LUA result (COMPLETE_LUA / FAIL_LUA)", bad);
|
|
2381
|
+
}
|
|
2382
|
+
|
|
2383
|
+
// ---- Pattern: ARC instance (i=) parsing must route through _arcInstanceOf ----
|
|
2384
|
+
// The ARC instance tag is parsed in several passes: the indexing pass that
|
|
2385
|
+
// drives the AMS/AS crypto checks, the AMS h= retention test, and the finalAr
|
|
2386
|
+
// surfacing in arcEvaluate. If any pass uses a looser i= regex than the
|
|
2387
|
+
// indexer (allowing "i = 1" with a space, or unbounded digits), an attacker
|
|
2388
|
+
// can inject an ARC-Authentication-Results that the strict crypto pass ignores
|
|
2389
|
+
// while the loose pass consumes it — forging the upstream auth-results
|
|
2390
|
+
// (finalAr) on a chain that still verifies pass, with no signing key. Every
|
|
2391
|
+
// instance read must go through the one shared _arcInstanceOf reader; flag any
|
|
2392
|
+
// instance-capturing regex (`i\s*=...(\d` or `i=(\d`) elsewhere in mail-auth.
|
|
2393
|
+
function testArcInstanceParseUsesSharedHelper() {
|
|
2394
|
+
var bad = [];
|
|
2395
|
+
var rel = "lib/mail-auth.js";
|
|
2396
|
+
var content;
|
|
2397
|
+
try {
|
|
2398
|
+
content = fs.readFileSync(path.resolve(path.resolve(__dirname, "..", ".."), rel), "utf8");
|
|
2399
|
+
} catch (_e) { _report("ARC i= instance parse routes through _arcInstanceOf", bad); return; }
|
|
2400
|
+
var lines = content.split(/\r?\n/);
|
|
2401
|
+
// Matches an instance-capturing regex literal: `i\s*=` (spaced form) or
|
|
2402
|
+
// `i=(\d` (bare capture). Prose like "i=1" / "(i=)" lacks the digit capture
|
|
2403
|
+
// and the `\s*`, so comments are not flagged.
|
|
2404
|
+
var ARC_I_REGEX = /i\\s\*=|i=\(\\d/;
|
|
2405
|
+
var inHelper = false;
|
|
2406
|
+
for (var li = 0; li < lines.length; li++) {
|
|
2407
|
+
if (/function _arcInstanceOf\b/.test(lines[li])) { inHelper = true; continue; }
|
|
2408
|
+
if (inHelper) { if (/^\}/.test(lines[li])) inHelper = false; continue; }
|
|
2409
|
+
if (ARC_I_REGEX.test(lines[li])) {
|
|
2410
|
+
bad.push({
|
|
2411
|
+
file: rel,
|
|
2412
|
+
line: li + 1,
|
|
2413
|
+
content: "an ARC instance (i=) parsing regex outside _arcInstanceOf — route it through _arcInstanceOf so the crypto-indexing pass and the finalAr / AMS passes parse the instance identically (a divergent parser forges finalAr on a passing chain).",
|
|
2414
|
+
});
|
|
2415
|
+
}
|
|
2416
|
+
}
|
|
2417
|
+
_report("ARC i= instance parsing must route through the shared _arcInstanceOf reader (no divergent regex)", bad);
|
|
2418
|
+
}
|
|
2419
|
+
|
|
2420
|
+
// ---- Pattern: OID4VCI single-use store claims must gate on the delete ----
|
|
2421
|
+
// A pre-authorized code (codeStore) and a single-use access token (atStore)
|
|
2422
|
+
// are single-use: issuance must proceed only when THIS request's atomic delete
|
|
2423
|
+
// removed the entry. cache.del returns true only for the winner of two racing
|
|
2424
|
+
// deletes, so the return must be captured and checked — a bare
|
|
2425
|
+
// `await codeStore.del(...)` / `await atStore.del(...)` discards it, letting two
|
|
2426
|
+
// concurrent requests both mint (two access tokens from one code / two
|
|
2427
|
+
// credentials from one single-use token). cNonceStore.del is cleanup, not a
|
|
2428
|
+
// claim, so it is allowed to be bare.
|
|
2429
|
+
function testOid4vciSingleUseClaimGated() {
|
|
2430
|
+
var bad = [];
|
|
2431
|
+
var rel = "lib/auth/oid4vci.js";
|
|
2432
|
+
var content;
|
|
2433
|
+
try {
|
|
2434
|
+
content = fs.readFileSync(path.resolve(path.resolve(__dirname, "..", ".."), rel), "utf8");
|
|
2435
|
+
} catch (_e) { _report("OID4VCI single-use store claims gate on the delete", bad); return; }
|
|
2436
|
+
var lines = content.split(/\r?\n/);
|
|
2437
|
+
for (var li = 0; li < lines.length; li++) {
|
|
2438
|
+
var m = lines[li].match(/\bawait\s+(codeStore|atStore)\.del\(/);
|
|
2439
|
+
if (!m) continue;
|
|
2440
|
+
// Must be captured into a variable (`var x = await codeStore.del(...)`),
|
|
2441
|
+
// never a bare expression statement.
|
|
2442
|
+
if (!/=\s*await\s+(codeStore|atStore)\.del\(/.test(lines[li])) {
|
|
2443
|
+
bad.push({
|
|
2444
|
+
file: rel,
|
|
2445
|
+
line: li + 1,
|
|
2446
|
+
content: "the result of await " + m[1] + ".del(...) is discarded — a single-use claim must capture the delete result and issue only when it removed the entry (two concurrent requests would otherwise both mint).",
|
|
2447
|
+
});
|
|
2448
|
+
}
|
|
2449
|
+
}
|
|
2450
|
+
_report("OID4VCI single-use claims (codeStore/atStore .del) must capture + gate the delete result", bad);
|
|
2451
|
+
}
|
|
2452
|
+
|
|
2453
|
+
// ---- Pattern: clock-skew / tolerance opts must be finite-guarded ----
|
|
2454
|
+
// A token/signature verifier that reads a skew or tolerance opt with a bare
|
|
2455
|
+
// `typeof opts.x === "number"` lets Infinity / NaN through, and the resulting
|
|
2456
|
+
// `exp + Infinity < now` / `ageMs > Infinity` comparison is always false —
|
|
2457
|
+
// silently DISABLING the expiry / not-before / future-dating gate so an expired
|
|
2458
|
+
// (or future-dated, or replayed) token or signature verifies. Every such opt
|
|
2459
|
+
// must be finite-guarded: a numericBounds.requireNonNegativeFiniteIntIfPresent
|
|
2460
|
+
// throw (jwt verifiers), an inline `isFinite(...) && >= 0` fallback (verdict-
|
|
2461
|
+
// returning verifiers), or a create-time `validateOpts` "optional-non-negative"
|
|
2462
|
+
// schema. This is the OCSP non-finite-clockSkew bug class generalized across
|
|
2463
|
+
// the JWT / SD-JWT-VC / OAuth / HTTP-message-signature verifiers.
|
|
2464
|
+
function testClockSkewOptsAreFiniteGuarded() {
|
|
2465
|
+
var bad = [];
|
|
2466
|
+
var SKEW = "clockSkewMs|clockSkewSec|maxClockSkewSec|maxPopAgeSec|toleranceMs";
|
|
2467
|
+
var READ = new RegExp("typeof\\s+\\w+\\.(" + SKEW + ")\\s*===\\s*\"number\"");
|
|
2468
|
+
var files = _libFiles();
|
|
2469
|
+
for (var fi = 0; fi < files.length; fi++) {
|
|
2470
|
+
var rel = _relPath(files[fi]);
|
|
2471
|
+
var content;
|
|
2472
|
+
try { content = fs.readFileSync(files[fi], "utf8"); } catch (_e) { continue; }
|
|
2473
|
+
if (!READ.test(content)) continue;
|
|
2474
|
+
var lines = content.split(/\r?\n/);
|
|
2475
|
+
for (var li = 0; li < lines.length; li++) {
|
|
2476
|
+
var m = lines[li].match(READ);
|
|
2477
|
+
if (!m) continue;
|
|
2478
|
+
var opt = m[1];
|
|
2479
|
+
// (a) inline isFinite on the read line itself.
|
|
2480
|
+
if (/isFinite/.test(lines[li])) continue;
|
|
2481
|
+
// (b) a numericBounds / isFinite guard for the same opt in the preceding lines.
|
|
2482
|
+
var guardRe = new RegExp("(requireNonNegativeFiniteIntIfPresent|isFinite)\\([^)]*\\b" + opt + "\\b");
|
|
2483
|
+
var guarded = false;
|
|
2484
|
+
for (var w = Math.max(0, li - 10); w < li; w++) {
|
|
2485
|
+
if (guardRe.test(lines[w])) { guarded = true; break; }
|
|
2486
|
+
}
|
|
2487
|
+
if (guarded) continue;
|
|
2488
|
+
// (c) the opt is validated at create() via a non-negative-finite validateOpts schema.
|
|
2489
|
+
if (new RegExp("\\b" + opt + "\\b\\s*:\\s*\"optional-non-negative").test(content)) continue;
|
|
2490
|
+
bad.push({
|
|
2491
|
+
file: rel,
|
|
2492
|
+
line: li + 1,
|
|
2493
|
+
content: "clock-skew/tolerance opt '" + opt + "' is read with a bare `typeof === \"number\"` and is not finite-guarded — Infinity/NaN would disable the time-window gate (an expired/future/replayed token or signature would verify). Guard it (numericBounds.requireNonNegativeFiniteIntIfPresent, an inline isFinite check, or a create-time validateOpts non-negative-finite schema).",
|
|
2494
|
+
});
|
|
2495
|
+
}
|
|
2496
|
+
}
|
|
2497
|
+
_report("clock-skew / tolerance verifier opts must be finite-guarded (no bare typeof===\"number\")", bad);
|
|
2498
|
+
}
|
|
2499
|
+
|
|
1884
2500
|
// ---- Pattern 20: trustProxy bypass — raw req.headers x-forwarded-for read ----
|
|
1885
2501
|
|
|
1886
2502
|
function testNoRawXffRead() {
|
|
@@ -2878,6 +3494,26 @@ async function testNoDuplicateCodeBlocks() {
|
|
|
2878
3494
|
// so the audit trail records exactly which body of code shares the
|
|
2879
3495
|
// shape.
|
|
2880
3496
|
var KNOWN_CLUSTERS = [
|
|
3497
|
+
{
|
|
3498
|
+
// Opts-passthrough / allow-list token run — shape-only. A run of
|
|
3499
|
+
// `<ident>: <ident>.<ident>,` assignments (jar.parse forwarding its
|
|
3500
|
+
// verify options to verifyExternal) and the parallel `validateOpts(opts,
|
|
3501
|
+
// [ ...string keys ])` allow-list tokenize to the same skeleton as
|
|
3502
|
+
// db.init's per-table `cryptoField.registerTable` metadata object,
|
|
3503
|
+
// eat.verify's option forwarding, and the cookie-jar's getAll loop. The
|
|
3504
|
+
// functions are wholly unrelated (OAuth request-object parsing vs schema
|
|
3505
|
+
// registration vs EAT verification vs cookie enumeration); the longest
|
|
3506
|
+
// byte-identical run across any pair is a single `key: value,` line. There
|
|
3507
|
+
// is no shared primitive to extract — the coincidence is the generic
|
|
3508
|
+
// object-literal / key-array shape, not behavior.
|
|
3509
|
+
mode: "family-subset",
|
|
3510
|
+
files: [
|
|
3511
|
+
"lib/auth/jar.js:parse",
|
|
3512
|
+
"lib/db.js:init",
|
|
3513
|
+
"lib/eat.js:verify",
|
|
3514
|
+
"lib/http-client-cookie-jar.js:getAll",
|
|
3515
|
+
],
|
|
3516
|
+
},
|
|
2881
3517
|
{
|
|
2882
3518
|
// Delimited key/value split idiom — shape-only. The "split a string on a
|
|
2883
3519
|
// separator, slice each piece at the first `=` into key + value" loop
|
|
@@ -2931,13 +3567,29 @@ async function testNoDuplicateCodeBlocks() {
|
|
|
2931
3567
|
// The prior JOSE pass (jwtExternal.algParams) deliberately kept the
|
|
2932
3568
|
// verify-assembly per-caller (PQC/EdDSA/sign-vs-verify diverge); the one
|
|
2933
3569
|
// genuine within-SAML signature-EXTRACTION pair is consolidated in
|
|
2934
|
-
// saml._extractRedirectSignature.
|
|
3570
|
+
// saml._extractRedirectSignature. The family spans every JWS/signature
|
|
3571
|
+
// verifier (dpop proof, fido-mds3 metadata JWS, jwt-external compact JWS,
|
|
3572
|
+
// oauth id-token / attestation / backchannel-logout, oid4vci proof,
|
|
3573
|
+
// mail-auth inbound, SAML SLO POST/SOAP + redirect) — each with its own
|
|
3574
|
+
// key shape, error class, and canonical-byte rules; only the tokenized
|
|
3575
|
+
// verify-skeleton coincides. Membership tracked from the MIGRATE-DUMP.
|
|
2935
3576
|
mode: "family-subset",
|
|
2936
3577
|
files: [
|
|
3578
|
+
"lib/auth/dpop.js:buildProof",
|
|
3579
|
+
"lib/auth/dpop.js:verify",
|
|
2937
3580
|
"lib/auth/fido-mds3.js:_verifyJws",
|
|
2938
3581
|
"lib/auth/jwt.js:verify",
|
|
3582
|
+
"lib/auth/jwt-external.js:_signCompactJws",
|
|
3583
|
+
"lib/auth/jwt-external.js:verifyExternal",
|
|
3584
|
+
"lib/auth/oauth.js:_verifyAttestationJws",
|
|
3585
|
+
"lib/auth/oauth.js:verifyBackchannelLogoutToken",
|
|
3586
|
+
"lib/auth/oauth.js:verifyClientAttestation",
|
|
3587
|
+
"lib/auth/oauth.js:verifyIdToken",
|
|
3588
|
+
"lib/auth/oid4vci.js:_verifyProofJwt",
|
|
3589
|
+
"lib/auth/saml.js:_verifyEmbeddedXmlDsig",
|
|
2939
3590
|
"lib/auth/saml.js:parseLogoutRequest",
|
|
2940
3591
|
"lib/auth/saml.js:parseLogoutResponse",
|
|
3592
|
+
"lib/mail-auth.js:inboundVerify",
|
|
2941
3593
|
],
|
|
2942
3594
|
},
|
|
2943
3595
|
{
|
|
@@ -5266,6 +5918,91 @@ var KNOWN_ANTIPATTERNS = [
|
|
|
5266
5918
|
allowlist: ["lib/x509-chain.js"],
|
|
5267
5919
|
reason: "basicConstraints cA:TRUE enforcement is owned by x509Chain.issuerValidlyIssued / x509Chain.isCaCert; tsa/mail-bimi/mail-crypto-smime route through it. Any lib file calling X.checkIssued(Y) (Y!=X) directly bypasses the cA check and must use x509Chain instead. lib/x509-chain.js is the home of the primitive.",
|
|
5268
5920
|
},
|
|
5921
|
+
{
|
|
5922
|
+
id: "mail-report-header-builder-must-guard-crlf",
|
|
5923
|
+
primitive: "b.safeBuffer.assertHeaderSafe",
|
|
5924
|
+
scanScope: "lib",
|
|
5925
|
+
// A DSN / MDN / ARC report-header builder interpolates operator- or
|
|
5926
|
+
// peer-supplied fields (recipients, MTA names, the 5xx diagnostic
|
|
5927
|
+
// reply, ARC authserv/domain/selector) into `Name: value\r\n` lines. An
|
|
5928
|
+
// unguarded field lets a hostile original sender or a malicious peer MX
|
|
5929
|
+
// smuggle a new header or forge a report part (CRLF injection). Every
|
|
5930
|
+
// such field must route through safeBuffer.assertHeaderSafe (reject
|
|
5931
|
+
// structured fields) or stripCrlf (fold free-text like the SMTP reply).
|
|
5932
|
+
// The anchor matches a quoted report-header prefix immediately
|
|
5933
|
+
// concatenated (`"Diagnostic-Code: smtp; " +`, `"ARC-Message-Signature: " +`)
|
|
5934
|
+
// or the mail-bounce `_foldFieldValue(` choke point — the shape only a
|
|
5935
|
+
// builder has (parsers/validators match field names in lowercased maps,
|
|
5936
|
+
// not quoted `"Name: " +` literals), so guard-dsn / mail-arf / mail-auth
|
|
5937
|
+
// are correctly excluded.
|
|
5938
|
+
regex: /"(?:Final-Recipient|Diagnostic-Code|Disposition|Original-Recipient|Reporting-MTA|ARC-Message-Signature|ARC-Seal|ARC-Authentication-Results)\b[^"\n]*"\s*\+|_foldFieldValue\s*\(/,
|
|
5939
|
+
requires: /assertHeaderSafe/,
|
|
5940
|
+
allowlist: [],
|
|
5941
|
+
reason: "DSN (mail-send-deliver.buildDsn, mail-bounce.dsn.build), MDN (mail-mdn.build) and ARC (mail-arc-sign.sign) report-header builders MUST compose safeBuffer.assertHeaderSafe on every structured field (and stripCrlf-fold the free-text 5xx reason). An unguarded `Name: value\\r\\n` built from a hostile original sender / peer MX is a header-injection vector (v0.15.68 root sweep — 4 HIGH + archive + srs). A new builder in this family that matches the report-header anchor but drops the guard re-opens the class.",
|
|
5942
|
+
},
|
|
5943
|
+
{
|
|
5944
|
+
id: "dsn-diagnostic-free-text-fold-must-strip-nul",
|
|
5945
|
+
primitive: "b.safeBuffer.foldHeaderText",
|
|
5946
|
+
scanScope: "lib",
|
|
5947
|
+
// A DSN builder folds the peer's free-text 5xx diagnostic (which may
|
|
5948
|
+
// legitimately wrap) onto the Diagnostic-Code header line. That fold must
|
|
5949
|
+
// use foldHeaderText (removes CR/LF AND NUL), not a bare CR/LF strip — a
|
|
5950
|
+
// NUL is never valid in an RFC 5322 header value and is treated specially
|
|
5951
|
+
// by downstream SMTP parsers, so a CR/LF-only fold serializes it
|
|
5952
|
+
// verbatim. Only mail-send-deliver + mail-bounce build a Diagnostic-Code
|
|
5953
|
+
// line, and both now compose foldHeaderText.
|
|
5954
|
+
regex: /"Diagnostic-Code/,
|
|
5955
|
+
requires: /foldHeaderText/,
|
|
5956
|
+
allowlist: [],
|
|
5957
|
+
reason: "A builder emitting a Diagnostic-Code header must fold the free-text diagnostic with safeBuffer.foldHeaderText (CR/LF + NUL), not a bare stripCrlf — otherwise a NUL in the peer's 5xx reply is serialized into the header line. Reverting the fold to stripCrlf drops the foldHeaderText reference and trips this.",
|
|
5958
|
+
},
|
|
5959
|
+
{
|
|
5960
|
+
id: "xml-c14n-parseElement-must-thread-depth",
|
|
5961
|
+
primitive: "xml-c14n nesting-depth cap",
|
|
5962
|
+
scanScope: "lib",
|
|
5963
|
+
// lib/xml-c14n.js parseElement must thread the nesting depth through the
|
|
5964
|
+
// recursion (parseElement(depth) at entry, parseElement(depth + 1) on
|
|
5965
|
+
// descent, parseElement(0) at the root) so the MAX_DEPTH cap can
|
|
5966
|
+
// actually fire. The pre-fix code kept a per-frame-local `var depth = 0`
|
|
5967
|
+
// incremented then decremented around each single recursive call, so it
|
|
5968
|
+
// was always 1 at the check — a dead cap and a stack-overflow DoS on
|
|
5969
|
+
// deeply-nested untrusted SAML / WebDAV XML. `parseElement` is unique to
|
|
5970
|
+
// xml-c14n; an empty-arg parseElement() (definition or self-call)
|
|
5971
|
+
// re-introduces the dead cap.
|
|
5972
|
+
regex: /parseElement\s*\(\s*\)/,
|
|
5973
|
+
allowlist: [],
|
|
5974
|
+
reason: "xml-c14n's recursive-descent parseElement must thread the depth argument so the MAX_DEPTH nesting cap fires. An arg-less parseElement() (definition or self-call) drops the threading and re-opens the stack-exhaustion DoS on deeply-nested untrusted XML.",
|
|
5975
|
+
},
|
|
5976
|
+
{
|
|
5977
|
+
id: "idempotency-replay-slot-must-bind-principal",
|
|
5978
|
+
primitive: "b.requestHelpers.extractActorContext",
|
|
5979
|
+
scanScope: "lib",
|
|
5980
|
+
// The Idempotency-Key replay/response cache must key its slot on the
|
|
5981
|
+
// authenticated principal (requestHelpers.extractActorContext /
|
|
5982
|
+
// opts.scopeFn -> scopedKey), not on the client-supplied Idempotency-Key
|
|
5983
|
+
// alone. Otherwise principal B is served principal A's cached response
|
|
5984
|
+
// via a shared / guessed key (cross-actor disclosure), or A pre-seeds a
|
|
5985
|
+
// key to force a 422 on B (cross-actor denial). `opts.store.set(` is
|
|
5986
|
+
// unique to the idempotency middleware's replay-write.
|
|
5987
|
+
regex: /opts\.store\.set\s*\(/,
|
|
5988
|
+
requires: /scopeFn|scopedKey/,
|
|
5989
|
+
allowlist: [],
|
|
5990
|
+
reason: "The idempotency replay cache write must use a principal-scoped key (scopedKey derived via scopeFn / extractActorContext), not the raw client Idempotency-Key. Reverting store.get/set to the raw key drops the scopedKey reference and re-opens cross-actor disclosure / denial.",
|
|
5991
|
+
},
|
|
5992
|
+
{
|
|
5993
|
+
id: "vc-jose-verify-must-bind-alg-to-key",
|
|
5994
|
+
primitive: "b.vc.verify",
|
|
5995
|
+
scanScope: "lib",
|
|
5996
|
+
// vc._verifyJose resolves the public key then calls nodeCrypto.verify
|
|
5997
|
+
// with the header-declared alg. Without binding the alg to the key's
|
|
5998
|
+
// type/curve (_assertJoseAlgKey), an attacker picks the alg (hash +
|
|
5999
|
+
// dsaEncoding) independent of the key an ECDSA curve/type confusion
|
|
6000
|
+
// (CWE-347, RFC 7518 3.4). The binding check must stay composed.
|
|
6001
|
+
regex: /function _verifyJose\b/,
|
|
6002
|
+
requires: /_assertJoseAlgKey/,
|
|
6003
|
+
allowlist: [],
|
|
6004
|
+
reason: "The JOSE verify path must bind the header alg to the resolved key's curve/type via _assertJoseAlgKey before nodeCrypto.verify. Dropping the call re-opens ECDSA alg/curve confusion (an ES384 header verified against a P-256 key).",
|
|
6005
|
+
},
|
|
5269
6006
|
{
|
|
5270
6007
|
id: "fingerprint-pin-against-claimed-field-not-recomputed",
|
|
5271
6008
|
primitive: "b.auditSign.fingerprintOf",
|
|
@@ -6308,6 +7045,13 @@ var KNOWN_ANTIPATTERNS = [
|
|
|
6308
7045
|
"lib/cose.js", // protMap.has(HDR_CRIT) → validate the crit array if present
|
|
6309
7046
|
"lib/cwt.js", // raw.has(exp) → validate the exp claim if present
|
|
6310
7047
|
"lib/db-query.js", // JSONB_CONTAINMENT_OPS.has(op) → special-case the operator if it is one
|
|
7048
|
+
// (3) Single-flight coalescing table — `if (inflight.has(key))` awaits an
|
|
7049
|
+
// in-flight async cache fill and returns the shared result; NOTHING is
|
|
7050
|
+
// inserted-then-rejected (the winner registers its own promise via a
|
|
7051
|
+
// plain `inflight.set` after the check). The matched `throw` is a
|
|
7052
|
+
// per-caller DNSSEC validate gate on the shared answer, not a
|
|
7053
|
+
// duplicate-key reject, so requireAbsent can't express it.
|
|
7054
|
+
"lib/network-dns-resolver.js", // inflight single-flight map, not a uniqueness register
|
|
6311
7055
|
// (NB: the prototype-pollution POISONED_KEYS deny-set guards that used to
|
|
6312
7056
|
// live here — body-parser, the safe-* parsers, safe-schema — were
|
|
6313
7057
|
// extracted into the pick.isPoisonedKey primitive and no longer fire.)
|
|
@@ -9498,6 +10242,24 @@ var KNOWN_ANTIPATTERNS = [
|
|
|
9498
10242
|
allowlist: [],
|
|
9499
10243
|
reason: "#123 macOS codebase-patterns watchdog hang. _scanShardInWorker rejected on worker error/exit without w.terminate(), so an errored worker thread stayed alive holding open handles; the parent then could not exit and the smoke run ran to the 25-min watchdog on memory-starved macOS-arm64 runners (it hung this very release's CI). Every settle path must reap the worker via w.terminate() first; the fix funnels message/error/exit through a settle() guard that terminates before resolve/reject. Fires on the bare `w.once(\"error\", reject)` shape; silent once error/exit route through settle().",
|
|
9500
10244
|
},
|
|
10245
|
+
{
|
|
10246
|
+
// A test that asserts a raw ECDSA signature's first byte is NOT 0x30 (the
|
|
10247
|
+
// DER SEQUENCE tag) to prove "this is raw, not DER" is NONDETERMINISTIC: the
|
|
10248
|
+
// first byte of an IEEE-P1363 r||s signature is r's high octet, which equals
|
|
10249
|
+
// 0x30 ~1/256 of the time, so a bare check flakes ~1/256 (it blocked a
|
|
10250
|
+
// release's ubuntu smoke). The fixed r||s LENGTH (64 for P-256, 96 for
|
|
10251
|
+
// P-384) is the deterministic raw-vs-DER distinguisher and what the verifier
|
|
10252
|
+
// keys off, so the byte check must be guarded with a `|| sig.length === <N>`
|
|
10253
|
+
// disjunction (the sd-jwt-vc-ecdsa-p1363 convention). Structural test-flake
|
|
10254
|
+
// drift a behavioral test can't assert (it passes 255/256 of the time).
|
|
10255
|
+
id: "test-ecdsa-raw-sig-der-tag-byte-flake",
|
|
10256
|
+
primitive: "a test asserting a raw ECDSA signature's first byte !== 0x30 (DER SEQUENCE tag) must guard it with a `|| sig.length === <N>` disjunction — the byte is r's high octet and equals 0x30 ~1/256 of the time, so a bare check flakes nondeterministically",
|
|
10257
|
+
scanScope: "test",
|
|
10258
|
+
regex: /\[0\]\s*!==\s*0x30(?!.*\|\|.*length)/,
|
|
10259
|
+
skipCommentLines: true,
|
|
10260
|
+
allowlist: [],
|
|
10261
|
+
reason: "0.15.54 — self-update-standalone-verifier-ecdsa-encoding.test.js:189 asserted that a raw IEEE-P1363 P-384 signature's first byte was not the DER SEQUENCE tag 0x30, to prove it was not DER-encoded; that byte is r's high octet, which equals 0x30 ~1/256 of the time, so the setup assertion flaked and blocked the release's ubuntu smoke (the saml-mdq-wrapping release CI). The deterministic distinguisher is the fixed 96-byte (P-384) / 64-byte (P-256) raw length; the fix guards the byte check with a `|| sig.length === N` disjunction, matching sd-jwt-vc-ecdsa-p1363.test.js:51. Fires on a bare first-byte-not-0x30 check with no length disjunction on the same line; silent once guarded.",
|
|
10262
|
+
},
|
|
9501
10263
|
{
|
|
9502
10264
|
// A test file must invoke its run()/IIFE ONLY under
|
|
9503
10265
|
// `if (require.main === module)`. The smoke worker REQUIRES each test
|
|
@@ -12363,21 +13125,22 @@ function testWikiPortAgreesAcrossArtifacts() {
|
|
|
12363
13125
|
bad);
|
|
12364
13126
|
}
|
|
12365
13127
|
|
|
12366
|
-
// The esbuild dev-tool is pinned across artifacts
|
|
12367
|
-
//
|
|
12368
|
-
//
|
|
12369
|
-
// SEA / bundler-output build, and scripts/esbuild-binary-pin.json's
|
|
12370
|
-
// per-platform binary hashes (verified on disk by the bundler-output
|
|
12371
|
-
// gate). A bump that updates one and not the others is the v0.11.40
|
|
12372
|
-
// class:
|
|
12373
|
-
//
|
|
12374
|
-
// by one shared checker (scripts/check-esbuild-pin.js),
|
|
12375
|
-
// release.js regen so neither path can silently drift — a
|
|
12376
|
-
// reviewed hashes fails closed instead of degrading the
|
|
13128
|
+
// The esbuild dev-tool is pinned across three artifacts kept in sync:
|
|
13129
|
+
// package.json devDependencies (the version source-of-truth, also postject), the
|
|
13130
|
+
// committed root package-lock.json that ci.yml + npm-publish.yml install via
|
|
13131
|
+
// `npm ci` for the SEA / bundler-output build, and scripts/esbuild-binary-pin.json's
|
|
13132
|
+
// reviewed per-platform binary hashes (verified on disk by the bundler-output
|
|
13133
|
+
// smoke gate). A bump that updates one and not the others is the v0.11.40
|
|
13134
|
+
// silent-drift class: CI verified an unreviewed version while package.json
|
|
13135
|
+
// declared another. The lockfile-package.json agreement + per-platform hash
|
|
13136
|
+
// COMPLETENESS is owned by one shared checker (scripts/check-esbuild-pin.js),
|
|
13137
|
+
// called here and by release.js regen so neither path can silently drift — a
|
|
13138
|
+
// bump that forgets the reviewed hashes fails closed instead of degrading the
|
|
13139
|
+
// smoke pin to a skip.
|
|
12377
13140
|
function testEsbuildPinAgreesAcrossArtifacts() {
|
|
12378
13141
|
var checkEsbuildPin = require("../../scripts/check-esbuild-pin.js").checkEsbuildPin;
|
|
12379
13142
|
var bad = _filterMarkers(checkEsbuildPin().violations, "esbuild-pin-cross-artifact-drift");
|
|
12380
|
-
_report("esbuild pin agrees across package.json devDep +
|
|
13143
|
+
_report("esbuild pin agrees across package.json devDep + package-lock.json (npm ci) + " +
|
|
12381
13144
|
"esbuild-binary-pin.json reviewed per-platform hashes (prevent a workflow / pin silently " +
|
|
12382
13145
|
"drifting from the reviewed version)",
|
|
12383
13146
|
bad);
|
|
@@ -13278,6 +14041,21 @@ async function run() {
|
|
|
13278
14041
|
testBuildProfileWrongKey();
|
|
13279
14042
|
testNoSilentCatchSwallow();
|
|
13280
14043
|
testNoDynamicRegexFromOperatorInput();
|
|
14044
|
+
testOperatorRegexScreenedForReDoS();
|
|
14045
|
+
testModuleLoadListMatchesNativeModuleNaming();
|
|
14046
|
+
testCompetingConsumerClaimUsesSkipLocked();
|
|
14047
|
+
testCacheCounterUsesAtomicUpdate();
|
|
14048
|
+
testRegistryCheckThenCreateSerialized();
|
|
14049
|
+
testCertChainIssuanceUsesIssuerValidlyIssued();
|
|
14050
|
+
testDomainToAsciiRejectsUrlDelimiters();
|
|
14051
|
+
testUrlSearchParamsConcatEscapesAmpersand();
|
|
14052
|
+
testEmailDomainDerivationGuardsMultiAt();
|
|
14053
|
+
testFileUploadLifecycleChecksOwnership();
|
|
14054
|
+
testScopeWildcardUsesPermissionsMatch();
|
|
14055
|
+
testQueueRedisGateLuaResultCaptured();
|
|
14056
|
+
testArcInstanceParseUsesSharedHelper();
|
|
14057
|
+
testOid4vciSingleUseClaimGated();
|
|
14058
|
+
testClockSkewOptsAreFiniteGuarded();
|
|
13281
14059
|
testNoRawXffRead();
|
|
13282
14060
|
testNoRawForwardedProtoHostRead();
|
|
13283
14061
|
testNoRawRemoteAddress();
|