@blamejs/blamejs-shop 0.5.5 → 0.5.7

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (1405) hide show
  1. package/CHANGELOG.md +4 -0
  2. package/README.md +1 -1
  3. package/lib/asset-manifest.json +1 -1
  4. package/lib/storefront.js +30 -17
  5. package/lib/vendor/MANIFEST.json +1395 -1409
  6. package/lib/vendor/blamejs/.clusterfuzzlite/Dockerfile +1 -1
  7. package/lib/vendor/blamejs/.github/dependabot.yml +12 -2
  8. package/lib/vendor/blamejs/.github/workflows/cflite_batch.yml +3 -3
  9. package/lib/vendor/blamejs/.github/workflows/cflite_pr.yml +3 -3
  10. package/lib/vendor/blamejs/.github/workflows/ci.yml +34 -29
  11. package/lib/vendor/blamejs/.github/workflows/codeql.yml +2 -2
  12. package/lib/vendor/blamejs/.github/workflows/npm-publish.yml +6 -6
  13. package/lib/vendor/blamejs/.github/workflows/release-container.yml +8 -8
  14. package/lib/vendor/blamejs/.github/workflows/scorecard.yml +1 -1
  15. package/lib/vendor/blamejs/.gitignore +6 -6
  16. package/lib/vendor/blamejs/CHANGELOG.md +68 -0
  17. package/lib/vendor/blamejs/CONTRIBUTING.md +16 -0
  18. package/lib/vendor/blamejs/README.md +2 -1
  19. package/lib/vendor/blamejs/ROADMAP.md +51 -0
  20. package/lib/vendor/blamejs/SECURITY.md +52 -1
  21. package/lib/vendor/blamejs/api-snapshot.json +22 -2
  22. package/lib/vendor/blamejs/bench/_helpers.js +2 -0
  23. package/lib/vendor/blamejs/bench/crypto-hash.bench.js +2 -0
  24. package/lib/vendor/blamejs/bench/crypto-symmetric.bench.js +2 -0
  25. package/lib/vendor/blamejs/bench/run.js +2 -0
  26. package/lib/vendor/blamejs/bench/safe-json.bench.js +2 -0
  27. package/lib/vendor/blamejs/bin/blamejs.js +2 -0
  28. package/lib/vendor/blamejs/examples/wiki/Dockerfile +1 -1
  29. package/lib/vendor/blamejs/examples/wiki/lib/auto-site-entries.js +2 -0
  30. package/lib/vendor/blamejs/examples/wiki/lib/build-app.js +9 -1
  31. package/lib/vendor/blamejs/examples/wiki/lib/harvest-cli.js +2 -0
  32. package/lib/vendor/blamejs/examples/wiki/lib/harvest-env-vars.js +2 -0
  33. package/lib/vendor/blamejs/examples/wiki/lib/harvest-errors.js +2 -0
  34. package/lib/vendor/blamejs/examples/wiki/lib/harvest-vendored-deps.js +2 -0
  35. package/lib/vendor/blamejs/examples/wiki/lib/html-entities.js +2 -0
  36. package/lib/vendor/blamejs/examples/wiki/lib/nav.js +2 -0
  37. package/lib/vendor/blamejs/examples/wiki/lib/opts-resolver.js +2 -0
  38. package/lib/vendor/blamejs/examples/wiki/lib/page-generator.js +2 -0
  39. package/lib/vendor/blamejs/examples/wiki/lib/section.js +2 -0
  40. package/lib/vendor/blamejs/examples/wiki/lib/source-comment-block-validator.js +2 -0
  41. package/lib/vendor/blamejs/examples/wiki/lib/source-doc-parser.js +2 -0
  42. package/lib/vendor/blamejs/examples/wiki/lib/symbol-index.js +2 -0
  43. package/lib/vendor/blamejs/examples/wiki/migrations/0001-pages-schema.js +2 -0
  44. package/lib/vendor/blamejs/examples/wiki/package-lock.json +30 -0
  45. package/lib/vendor/blamejs/examples/wiki/routes/admin.js +2 -0
  46. package/lib/vendor/blamejs/examples/wiki/routes/integration.js +2 -0
  47. package/lib/vendor/blamejs/examples/wiki/routes/pages.js +2 -0
  48. package/lib/vendor/blamejs/examples/wiki/scripts/backfill-module-metadata.js +2 -0
  49. package/lib/vendor/blamejs/examples/wiki/seeders/prod/0001-default-pages.js +2 -0
  50. package/lib/vendor/blamejs/examples/wiki/seeders/prod/pages/_index.js +2 -0
  51. package/lib/vendor/blamejs/examples/wiki/seeders/prod/pages/api.js +2 -0
  52. package/lib/vendor/blamejs/examples/wiki/server.js +2 -0
  53. package/lib/vendor/blamejs/examples/wiki/site.config.js +2 -0
  54. package/lib/vendor/blamejs/examples/wiki/snippets/auth/password-hash.example.js +2 -0
  55. package/lib/vendor/blamejs/examples/wiki/src/editor.js +2 -0
  56. package/lib/vendor/blamejs/examples/wiki/src/wiki.js +2 -0
  57. package/lib/vendor/blamejs/examples/wiki/test/codebase-patterns.test.js +2 -0
  58. package/lib/vendor/blamejs/examples/wiki/test/e2e.js +23 -0
  59. package/lib/vendor/blamejs/examples/wiki/test/find-missing-pages.js +2 -0
  60. package/lib/vendor/blamejs/examples/wiki/test/integration.js +2 -0
  61. package/lib/vendor/blamejs/examples/wiki/test/validate-cli-snapshot.js +2 -0
  62. package/lib/vendor/blamejs/examples/wiki/test/validate-env-snapshot.js +2 -0
  63. package/lib/vendor/blamejs/examples/wiki/test/validate-nav-coverage.js +2 -0
  64. package/lib/vendor/blamejs/examples/wiki/test/validate-site-coverage.js +2 -0
  65. package/lib/vendor/blamejs/examples/wiki/test/validate-source-comment-blocks.js +2 -0
  66. package/lib/vendor/blamejs/examples/wiki/wiki.config.js +2 -0
  67. package/lib/vendor/blamejs/fuzz/_expected.js +2 -0
  68. package/lib/vendor/blamejs/fuzz/guard-agent-registry.fuzz.js +2 -0
  69. package/lib/vendor/blamejs/fuzz/guard-csv.fuzz.js +2 -0
  70. package/lib/vendor/blamejs/fuzz/guard-dsn.fuzz.js +2 -0
  71. package/lib/vendor/blamejs/fuzz/guard-email.fuzz.js +2 -0
  72. package/lib/vendor/blamejs/fuzz/guard-envelope.fuzz.js +2 -0
  73. package/lib/vendor/blamejs/fuzz/guard-event-bus-payload.fuzz.js +2 -0
  74. package/lib/vendor/blamejs/fuzz/guard-event-bus-topic.fuzz.js +2 -0
  75. package/lib/vendor/blamejs/fuzz/guard-html.fuzz.js +2 -0
  76. package/lib/vendor/blamejs/fuzz/guard-idempotency-key.fuzz.js +2 -0
  77. package/lib/vendor/blamejs/fuzz/guard-imap-command.fuzz.js +2 -0
  78. package/lib/vendor/blamejs/fuzz/guard-jmap.fuzz.js +2 -0
  79. package/lib/vendor/blamejs/fuzz/guard-json.fuzz.js +2 -0
  80. package/lib/vendor/blamejs/fuzz/guard-list-id.fuzz.js +2 -0
  81. package/lib/vendor/blamejs/fuzz/guard-list-unsubscribe.fuzz.js +2 -0
  82. package/lib/vendor/blamejs/fuzz/guard-mail-compose.fuzz.js +2 -0
  83. package/lib/vendor/blamejs/fuzz/guard-mail-move.fuzz.js +2 -0
  84. package/lib/vendor/blamejs/fuzz/guard-mail-query.fuzz.js +2 -0
  85. package/lib/vendor/blamejs/fuzz/guard-mail-reply.fuzz.js +2 -0
  86. package/lib/vendor/blamejs/fuzz/guard-mail-sieve.fuzz.js +2 -0
  87. package/lib/vendor/blamejs/fuzz/guard-managesieve-command.fuzz.js +2 -0
  88. package/lib/vendor/blamejs/fuzz/guard-markdown.fuzz.js +2 -0
  89. package/lib/vendor/blamejs/fuzz/guard-message-id.fuzz.js +2 -0
  90. package/lib/vendor/blamejs/fuzz/guard-pop3-command.fuzz.js +2 -0
  91. package/lib/vendor/blamejs/fuzz/guard-posture-chain.fuzz.js +2 -0
  92. package/lib/vendor/blamejs/fuzz/guard-saga-config.fuzz.js +2 -0
  93. package/lib/vendor/blamejs/fuzz/guard-smtp-command.fuzz.js +2 -0
  94. package/lib/vendor/blamejs/fuzz/guard-snapshot-envelope.fuzz.js +2 -0
  95. package/lib/vendor/blamejs/fuzz/guard-sql.fuzz.js +2 -0
  96. package/lib/vendor/blamejs/fuzz/guard-stream-args.fuzz.js +2 -0
  97. package/lib/vendor/blamejs/fuzz/guard-svg.fuzz.js +2 -0
  98. package/lib/vendor/blamejs/fuzz/guard-tenant-id.fuzz.js +2 -0
  99. package/lib/vendor/blamejs/fuzz/guard-text.fuzz.js +2 -0
  100. package/lib/vendor/blamejs/fuzz/guard-trace-context.fuzz.js +2 -0
  101. package/lib/vendor/blamejs/fuzz/guard-xml.fuzz.js +2 -0
  102. package/lib/vendor/blamejs/fuzz/guard-yaml.fuzz.js +2 -0
  103. package/lib/vendor/blamejs/fuzz/package-lock.json +1239 -0
  104. package/lib/vendor/blamejs/fuzz/package.json +10 -0
  105. package/lib/vendor/blamejs/fuzz/parsers__safe-ini.fuzz.js +2 -0
  106. package/lib/vendor/blamejs/fuzz/parsers__safe-toml.fuzz.js +2 -0
  107. package/lib/vendor/blamejs/fuzz/parsers__safe-xml.fuzz.js +2 -0
  108. package/lib/vendor/blamejs/fuzz/parsers__safe-yaml.fuzz.js +2 -0
  109. package/lib/vendor/blamejs/fuzz/safe-archive.fuzz.js +2 -0
  110. package/lib/vendor/blamejs/fuzz/safe-decompress.fuzz.js +2 -0
  111. package/lib/vendor/blamejs/fuzz/safe-dns.fuzz.js +2 -0
  112. package/lib/vendor/blamejs/fuzz/safe-ical.fuzz.js +2 -0
  113. package/lib/vendor/blamejs/fuzz/safe-icap.fuzz.js +2 -0
  114. package/lib/vendor/blamejs/fuzz/safe-json.fuzz.js +2 -0
  115. package/lib/vendor/blamejs/fuzz/safe-jsonpath.fuzz.js +2 -0
  116. package/lib/vendor/blamejs/fuzz/safe-mime.fuzz.js +2 -0
  117. package/lib/vendor/blamejs/fuzz/safe-mount-info.fuzz.js +2 -0
  118. package/lib/vendor/blamejs/fuzz/safe-sieve.fuzz.js +2 -0
  119. package/lib/vendor/blamejs/fuzz/safe-smtp.fuzz.js +2 -0
  120. package/lib/vendor/blamejs/fuzz/safe-url.fuzz.js +2 -0
  121. package/lib/vendor/blamejs/fuzz/safe-vcard.fuzz.js +2 -0
  122. package/lib/vendor/blamejs/index.js +2 -0
  123. package/lib/vendor/blamejs/lib/_test/crypto-fixtures.js +2 -0
  124. package/lib/vendor/blamejs/lib/a2a-tasks.js +2 -0
  125. package/lib/vendor/blamejs/lib/a2a.js +2 -0
  126. package/lib/vendor/blamejs/lib/acme.js +7 -1
  127. package/lib/vendor/blamejs/lib/agent-audit.js +2 -0
  128. package/lib/vendor/blamejs/lib/agent-envelope-mac.js +2 -0
  129. package/lib/vendor/blamejs/lib/agent-event-bus.js +2 -0
  130. package/lib/vendor/blamejs/lib/agent-idempotency.js +2 -0
  131. package/lib/vendor/blamejs/lib/agent-orchestrator.js +10 -2
  132. package/lib/vendor/blamejs/lib/agent-posture-chain.js +2 -0
  133. package/lib/vendor/blamejs/lib/agent-saga.js +2 -0
  134. package/lib/vendor/blamejs/lib/agent-snapshot.js +2 -0
  135. package/lib/vendor/blamejs/lib/agent-stream.js +2 -0
  136. package/lib/vendor/blamejs/lib/agent-tenant.js +11 -2
  137. package/lib/vendor/blamejs/lib/agent-trace.js +2 -0
  138. package/lib/vendor/blamejs/lib/ai-adverse-decision.js +2 -0
  139. package/lib/vendor/blamejs/lib/ai-aedt-bias-audit.js +2 -0
  140. package/lib/vendor/blamejs/lib/ai-capability.js +2 -0
  141. package/lib/vendor/blamejs/lib/ai-content-detect.js +2 -0
  142. package/lib/vendor/blamejs/lib/ai-disclosure.js +2 -0
  143. package/lib/vendor/blamejs/lib/ai-dp.js +2 -0
  144. package/lib/vendor/blamejs/lib/ai-frontier-protocol.js +2 -0
  145. package/lib/vendor/blamejs/lib/ai-input.js +2 -0
  146. package/lib/vendor/blamejs/lib/ai-model-manifest.js +2 -0
  147. package/lib/vendor/blamejs/lib/ai-output.js +2 -0
  148. package/lib/vendor/blamejs/lib/ai-pref.js +2 -0
  149. package/lib/vendor/blamejs/lib/ai-prompt.js +2 -0
  150. package/lib/vendor/blamejs/lib/ai-quota.js +2 -0
  151. package/lib/vendor/blamejs/lib/api-key.js +2 -0
  152. package/lib/vendor/blamejs/lib/api-snapshot.js +2 -0
  153. package/lib/vendor/blamejs/lib/app-shutdown.js +2 -0
  154. package/lib/vendor/blamejs/lib/app.js +2 -0
  155. package/lib/vendor/blamejs/lib/archive-adapters.js +2 -0
  156. package/lib/vendor/blamejs/lib/archive-entry-policy.js +2 -0
  157. package/lib/vendor/blamejs/lib/archive-gz.js +2 -0
  158. package/lib/vendor/blamejs/lib/archive-read.js +2 -0
  159. package/lib/vendor/blamejs/lib/archive-tar-read.js +2 -0
  160. package/lib/vendor/blamejs/lib/archive-tar.js +9 -0
  161. package/lib/vendor/blamejs/lib/archive-wrap.js +2 -0
  162. package/lib/vendor/blamejs/lib/archive.js +6 -0
  163. package/lib/vendor/blamejs/lib/arg-parser.js +2 -0
  164. package/lib/vendor/blamejs/lib/argon2-builtin.js +2 -0
  165. package/lib/vendor/blamejs/lib/asn1-der.js +2 -0
  166. package/lib/vendor/blamejs/lib/asyncapi-bindings.js +2 -0
  167. package/lib/vendor/blamejs/lib/asyncapi-traits.js +2 -0
  168. package/lib/vendor/blamejs/lib/asyncapi.js +2 -0
  169. package/lib/vendor/blamejs/lib/atomic-file.js +2 -0
  170. package/lib/vendor/blamejs/lib/audit-chain.js +2 -0
  171. package/lib/vendor/blamejs/lib/audit-daily-review.js +2 -0
  172. package/lib/vendor/blamejs/lib/audit-emit.js +2 -0
  173. package/lib/vendor/blamejs/lib/audit-sign.js +2 -0
  174. package/lib/vendor/blamejs/lib/audit-tools.js +2 -0
  175. package/lib/vendor/blamejs/lib/audit.js +2 -0
  176. package/lib/vendor/blamejs/lib/auth/aal.js +2 -0
  177. package/lib/vendor/blamejs/lib/auth/access-lock.js +2 -0
  178. package/lib/vendor/blamejs/lib/auth/acr-vocabulary.js +2 -0
  179. package/lib/vendor/blamejs/lib/auth/ato-kill-switch.js +48 -11
  180. package/lib/vendor/blamejs/lib/auth/auth-time-tracker.js +2 -0
  181. package/lib/vendor/blamejs/lib/auth/bot-challenge.js +2 -0
  182. package/lib/vendor/blamejs/lib/auth/ciba.js +2 -0
  183. package/lib/vendor/blamejs/lib/auth/dpop.js +2 -0
  184. package/lib/vendor/blamejs/lib/auth/elevation-grant.js +2 -0
  185. package/lib/vendor/blamejs/lib/auth/fal.js +2 -0
  186. package/lib/vendor/blamejs/lib/auth/fido-mds3.js +11 -7
  187. package/lib/vendor/blamejs/lib/auth/jar.js +4 -1
  188. package/lib/vendor/blamejs/lib/auth/jwt-external.js +16 -3
  189. package/lib/vendor/blamejs/lib/auth/jwt.js +2 -0
  190. package/lib/vendor/blamejs/lib/auth/lockout.js +237 -104
  191. package/lib/vendor/blamejs/lib/auth/oauth.js +98 -17
  192. package/lib/vendor/blamejs/lib/auth/oid4vci.js +58 -17
  193. package/lib/vendor/blamejs/lib/auth/oid4vp.js +2 -0
  194. package/lib/vendor/blamejs/lib/auth/openid-federation.js +2 -0
  195. package/lib/vendor/blamejs/lib/auth/passkey.js +2 -0
  196. package/lib/vendor/blamejs/lib/auth/password.js +2 -0
  197. package/lib/vendor/blamejs/lib/auth/saml.js +68 -7
  198. package/lib/vendor/blamejs/lib/auth/sd-jwt-vc-disclosure.js +2 -0
  199. package/lib/vendor/blamejs/lib/auth/sd-jwt-vc-holder.js +2 -0
  200. package/lib/vendor/blamejs/lib/auth/sd-jwt-vc-issuer.js +2 -0
  201. package/lib/vendor/blamejs/lib/auth/sd-jwt-vc.js +9 -0
  202. package/lib/vendor/blamejs/lib/auth/status-list.js +7 -0
  203. package/lib/vendor/blamejs/lib/auth/step-up-policy.js +2 -0
  204. package/lib/vendor/blamejs/lib/auth/step-up.js +2 -0
  205. package/lib/vendor/blamejs/lib/auth-bot-challenge.js +5 -8
  206. package/lib/vendor/blamejs/lib/auth-header.js +2 -0
  207. package/lib/vendor/blamejs/lib/backup/bundle.js +2 -0
  208. package/lib/vendor/blamejs/lib/backup/crypto.js +2 -0
  209. package/lib/vendor/blamejs/lib/backup/index.js +14 -0
  210. package/lib/vendor/blamejs/lib/backup/manifest.js +2 -0
  211. package/lib/vendor/blamejs/lib/base32.js +2 -0
  212. package/lib/vendor/blamejs/lib/boot-gates.js +2 -0
  213. package/lib/vendor/blamejs/lib/bounded-map.js +3 -1
  214. package/lib/vendor/blamejs/lib/breach-deadline.js +2 -0
  215. package/lib/vendor/blamejs/lib/break-glass.js +10 -9
  216. package/lib/vendor/blamejs/lib/budr.js +2 -0
  217. package/lib/vendor/blamejs/lib/bundler.js +2 -0
  218. package/lib/vendor/blamejs/lib/cache-redis.js +2 -0
  219. package/lib/vendor/blamejs/lib/cache-status.js +2 -0
  220. package/lib/vendor/blamejs/lib/cache.js +13 -5
  221. package/lib/vendor/blamejs/lib/calendar.js +2 -0
  222. package/lib/vendor/blamejs/lib/canonical-json.js +19 -3
  223. package/lib/vendor/blamejs/lib/cbor.js +2 -0
  224. package/lib/vendor/blamejs/lib/cdn-cache-control.js +2 -0
  225. package/lib/vendor/blamejs/lib/cert.js +2 -0
  226. package/lib/vendor/blamejs/lib/chain-writer.js +2 -0
  227. package/lib/vendor/blamejs/lib/circuit-breaker.js +2 -0
  228. package/lib/vendor/blamejs/lib/cli-helpers.js +2 -0
  229. package/lib/vendor/blamejs/lib/cli.js +57 -20
  230. package/lib/vendor/blamejs/lib/client-hints.js +2 -0
  231. package/lib/vendor/blamejs/lib/cloud-events.js +2 -0
  232. package/lib/vendor/blamejs/lib/cluster-provider-db.js +2 -0
  233. package/lib/vendor/blamejs/lib/cluster-storage.js +2 -0
  234. package/lib/vendor/blamejs/lib/cluster.js +2 -0
  235. package/lib/vendor/blamejs/lib/cms-codec.js +2 -0
  236. package/lib/vendor/blamejs/lib/codepoint-class.js +2 -0
  237. package/lib/vendor/blamejs/lib/compliance-ai-act-logging.js +2 -0
  238. package/lib/vendor/blamejs/lib/compliance-ai-act-prohibited.js +2 -0
  239. package/lib/vendor/blamejs/lib/compliance-ai-act-risk.js +2 -0
  240. package/lib/vendor/blamejs/lib/compliance-ai-act-transparency.js +2 -0
  241. package/lib/vendor/blamejs/lib/compliance-ai-act.js +2 -0
  242. package/lib/vendor/blamejs/lib/compliance-eaa.js +2 -0
  243. package/lib/vendor/blamejs/lib/compliance-sanctions-aliases.js +2 -0
  244. package/lib/vendor/blamejs/lib/compliance-sanctions-fetcher.js +2 -0
  245. package/lib/vendor/blamejs/lib/compliance-sanctions-fuzzy.js +2 -0
  246. package/lib/vendor/blamejs/lib/compliance-sanctions.js +2 -0
  247. package/lib/vendor/blamejs/lib/compliance.js +2 -0
  248. package/lib/vendor/blamejs/lib/config-drift.js +2 -0
  249. package/lib/vendor/blamejs/lib/config.js +2 -0
  250. package/lib/vendor/blamejs/lib/consent.js +2 -0
  251. package/lib/vendor/blamejs/lib/constants.js +2 -0
  252. package/lib/vendor/blamejs/lib/content-credentials.js +2 -0
  253. package/lib/vendor/blamejs/lib/content-digest.js +2 -0
  254. package/lib/vendor/blamejs/lib/cookies.js +2 -0
  255. package/lib/vendor/blamejs/lib/cose.js +2 -0
  256. package/lib/vendor/blamejs/lib/cra-report.js +2 -0
  257. package/lib/vendor/blamejs/lib/crdt.js +2 -0
  258. package/lib/vendor/blamejs/lib/credential-hash.js +2 -0
  259. package/lib/vendor/blamejs/lib/crypto-field.js +2 -0
  260. package/lib/vendor/blamejs/lib/crypto-hpke-pq.js +2 -0
  261. package/lib/vendor/blamejs/lib/crypto-hpke.js +2 -0
  262. package/lib/vendor/blamejs/lib/crypto-oprf.js +2 -0
  263. package/lib/vendor/blamejs/lib/crypto-xwing.js +2 -0
  264. package/lib/vendor/blamejs/lib/crypto.js +2 -0
  265. package/lib/vendor/blamejs/lib/csp.js +2 -0
  266. package/lib/vendor/blamejs/lib/csv.js +14 -1
  267. package/lib/vendor/blamejs/lib/cwt.js +2 -0
  268. package/lib/vendor/blamejs/lib/daemon.js +2 -0
  269. package/lib/vendor/blamejs/lib/dark-patterns.js +2 -0
  270. package/lib/vendor/blamejs/lib/data-act.js +2 -0
  271. package/lib/vendor/blamejs/lib/db-collection.js +2 -0
  272. package/lib/vendor/blamejs/lib/db-declare-row-policy.js +2 -0
  273. package/lib/vendor/blamejs/lib/db-declare-view.js +2 -0
  274. package/lib/vendor/blamejs/lib/db-file-lifecycle.js +2 -0
  275. package/lib/vendor/blamejs/lib/db-query.js +2 -0
  276. package/lib/vendor/blamejs/lib/db-role-context.js +2 -0
  277. package/lib/vendor/blamejs/lib/db-schema.js +2 -0
  278. package/lib/vendor/blamejs/lib/db.js +2 -0
  279. package/lib/vendor/blamejs/lib/dbsc.js +2 -0
  280. package/lib/vendor/blamejs/lib/ddl-change-control.js +2 -0
  281. package/lib/vendor/blamejs/lib/deprecate.js +2 -0
  282. package/lib/vendor/blamejs/lib/dev.js +2 -0
  283. package/lib/vendor/blamejs/lib/did.js +2 -0
  284. package/lib/vendor/blamejs/lib/dora.js +2 -0
  285. package/lib/vendor/blamejs/lib/dr-runbook.js +2 -0
  286. package/lib/vendor/blamejs/lib/dsa.js +2 -0
  287. package/lib/vendor/blamejs/lib/dsr.js +2 -0
  288. package/lib/vendor/blamejs/lib/dual-control.js +11 -15
  289. package/lib/vendor/blamejs/lib/early-hints.js +2 -0
  290. package/lib/vendor/blamejs/lib/eat.js +4 -1
  291. package/lib/vendor/blamejs/lib/error-page.js +2 -0
  292. package/lib/vendor/blamejs/lib/events.js +2 -0
  293. package/lib/vendor/blamejs/lib/external-db-migrate.js +2 -0
  294. package/lib/vendor/blamejs/lib/external-db.js +2 -0
  295. package/lib/vendor/blamejs/lib/fapi2.js +2 -0
  296. package/lib/vendor/blamejs/lib/fda-21cfr11.js +2 -0
  297. package/lib/vendor/blamejs/lib/fdx.js +2 -0
  298. package/lib/vendor/blamejs/lib/fedcm.js +2 -0
  299. package/lib/vendor/blamejs/lib/file-type.js +2 -0
  300. package/lib/vendor/blamejs/lib/file-upload.js +139 -21
  301. package/lib/vendor/blamejs/lib/flag-cache.js +2 -0
  302. package/lib/vendor/blamejs/lib/flag-evaluation-context.js +2 -0
  303. package/lib/vendor/blamejs/lib/flag-providers.js +2 -0
  304. package/lib/vendor/blamejs/lib/flag-targeting.js +4 -7
  305. package/lib/vendor/blamejs/lib/flag.js +2 -0
  306. package/lib/vendor/blamejs/lib/forms.js +11 -0
  307. package/lib/vendor/blamejs/lib/framework-error.js +2 -0
  308. package/lib/vendor/blamejs/lib/framework-files.js +2 -0
  309. package/lib/vendor/blamejs/lib/framework-schema.js +2 -0
  310. package/lib/vendor/blamejs/lib/framework-sha1-hibp.js +2 -0
  311. package/lib/vendor/blamejs/lib/fsm.js +2 -0
  312. package/lib/vendor/blamejs/lib/gate-contract.js +2 -0
  313. package/lib/vendor/blamejs/lib/gdpr-ropa.js +2 -0
  314. package/lib/vendor/blamejs/lib/graphql-federation.js +2 -0
  315. package/lib/vendor/blamejs/lib/guard-agent-registry.js +2 -0
  316. package/lib/vendor/blamejs/lib/guard-all.js +2 -0
  317. package/lib/vendor/blamejs/lib/guard-archive.js +2 -0
  318. package/lib/vendor/blamejs/lib/guard-auth.js +2 -0
  319. package/lib/vendor/blamejs/lib/guard-cidr.js +2 -0
  320. package/lib/vendor/blamejs/lib/guard-csv.js +2 -0
  321. package/lib/vendor/blamejs/lib/guard-domain.js +2 -0
  322. package/lib/vendor/blamejs/lib/guard-dsn.js +2 -0
  323. package/lib/vendor/blamejs/lib/guard-email.js +2 -0
  324. package/lib/vendor/blamejs/lib/guard-envelope.js +2 -0
  325. package/lib/vendor/blamejs/lib/guard-event-bus-payload.js +2 -0
  326. package/lib/vendor/blamejs/lib/guard-event-bus-topic.js +2 -0
  327. package/lib/vendor/blamejs/lib/guard-filename.js +2 -0
  328. package/lib/vendor/blamejs/lib/guard-graphql.js +2 -0
  329. package/lib/vendor/blamejs/lib/guard-html-wcag-aria.js +2 -0
  330. package/lib/vendor/blamejs/lib/guard-html-wcag-forms.js +2 -0
  331. package/lib/vendor/blamejs/lib/guard-html-wcag-tables.js +2 -0
  332. package/lib/vendor/blamejs/lib/guard-html-wcag-tagwalk.js +2 -0
  333. package/lib/vendor/blamejs/lib/guard-html-wcag.js +2 -0
  334. package/lib/vendor/blamejs/lib/guard-html.js +2 -0
  335. package/lib/vendor/blamejs/lib/guard-idempotency-key.js +2 -0
  336. package/lib/vendor/blamejs/lib/guard-image.js +2 -0
  337. package/lib/vendor/blamejs/lib/guard-imap-command.js +2 -0
  338. package/lib/vendor/blamejs/lib/guard-jmap.js +2 -0
  339. package/lib/vendor/blamejs/lib/guard-json.js +2 -0
  340. package/lib/vendor/blamejs/lib/guard-jsonpath.js +2 -0
  341. package/lib/vendor/blamejs/lib/guard-jwt.js +2 -0
  342. package/lib/vendor/blamejs/lib/guard-list-id.js +2 -0
  343. package/lib/vendor/blamejs/lib/guard-list-unsubscribe.js +2 -0
  344. package/lib/vendor/blamejs/lib/guard-mail-compose.js +2 -0
  345. package/lib/vendor/blamejs/lib/guard-mail-move.js +2 -0
  346. package/lib/vendor/blamejs/lib/guard-mail-query.js +2 -0
  347. package/lib/vendor/blamejs/lib/guard-mail-reply.js +2 -0
  348. package/lib/vendor/blamejs/lib/guard-mail-sieve.js +2 -0
  349. package/lib/vendor/blamejs/lib/guard-managesieve-command.js +2 -0
  350. package/lib/vendor/blamejs/lib/guard-markdown.js +2 -0
  351. package/lib/vendor/blamejs/lib/guard-message-id.js +2 -0
  352. package/lib/vendor/blamejs/lib/guard-mime.js +2 -0
  353. package/lib/vendor/blamejs/lib/guard-oauth.js +14 -1
  354. package/lib/vendor/blamejs/lib/guard-pdf.js +2 -0
  355. package/lib/vendor/blamejs/lib/guard-pop3-command.js +2 -0
  356. package/lib/vendor/blamejs/lib/guard-posture-chain.js +2 -0
  357. package/lib/vendor/blamejs/lib/guard-regex.js +59 -0
  358. package/lib/vendor/blamejs/lib/guard-saga-config.js +2 -0
  359. package/lib/vendor/blamejs/lib/guard-shell.js +2 -0
  360. package/lib/vendor/blamejs/lib/guard-smtp-command.js +2 -0
  361. package/lib/vendor/blamejs/lib/guard-snapshot-envelope.js +2 -0
  362. package/lib/vendor/blamejs/lib/guard-sql.js +2 -0
  363. package/lib/vendor/blamejs/lib/guard-stream-args.js +2 -0
  364. package/lib/vendor/blamejs/lib/guard-svg.js +2 -0
  365. package/lib/vendor/blamejs/lib/guard-template.js +2 -0
  366. package/lib/vendor/blamejs/lib/guard-tenant-id.js +2 -0
  367. package/lib/vendor/blamejs/lib/guard-text.js +2 -0
  368. package/lib/vendor/blamejs/lib/guard-time.js +2 -0
  369. package/lib/vendor/blamejs/lib/guard-trace-context.js +2 -0
  370. package/lib/vendor/blamejs/lib/guard-uuid.js +2 -0
  371. package/lib/vendor/blamejs/lib/guard-xml.js +2 -0
  372. package/lib/vendor/blamejs/lib/guard-yaml.js +2 -0
  373. package/lib/vendor/blamejs/lib/hal.js +2 -0
  374. package/lib/vendor/blamejs/lib/handlers.js +2 -0
  375. package/lib/vendor/blamejs/lib/honeytoken.js +2 -0
  376. package/lib/vendor/blamejs/lib/html-balance.js +2 -0
  377. package/lib/vendor/blamejs/lib/http-client-cache.js +2 -0
  378. package/lib/vendor/blamejs/lib/http-client-cookie-jar.js +2 -0
  379. package/lib/vendor/blamejs/lib/http-client.js +2 -0
  380. package/lib/vendor/blamejs/lib/http-message-signature.js +144 -11
  381. package/lib/vendor/blamejs/lib/http2-teardown.js +2 -0
  382. package/lib/vendor/blamejs/lib/i18n-messageformat.js +35 -6
  383. package/lib/vendor/blamejs/lib/i18n.js +2 -0
  384. package/lib/vendor/blamejs/lib/iab-mspa.js +2 -0
  385. package/lib/vendor/blamejs/lib/iab-tcf.js +2 -0
  386. package/lib/vendor/blamejs/lib/importmap-integrity.js +2 -0
  387. package/lib/vendor/blamejs/lib/inbox.js +2 -0
  388. package/lib/vendor/blamejs/lib/incident-report.js +2 -0
  389. package/lib/vendor/blamejs/lib/ip-utils.js +2 -0
  390. package/lib/vendor/blamejs/lib/jobs.js +2 -0
  391. package/lib/vendor/blamejs/lib/jose-jwe-experimental.js +2 -0
  392. package/lib/vendor/blamejs/lib/json-merge-patch.js +2 -0
  393. package/lib/vendor/blamejs/lib/json-patch.js +2 -0
  394. package/lib/vendor/blamejs/lib/json-path.js +2 -0
  395. package/lib/vendor/blamejs/lib/json-pointer.js +2 -0
  396. package/lib/vendor/blamejs/lib/json-schema.js +13 -1
  397. package/lib/vendor/blamejs/lib/jsonapi.js +2 -0
  398. package/lib/vendor/blamejs/lib/jtd.js +2 -0
  399. package/lib/vendor/blamejs/lib/jwk.js +2 -0
  400. package/lib/vendor/blamejs/lib/keychain.js +32 -10
  401. package/lib/vendor/blamejs/lib/lazy-require.js +2 -0
  402. package/lib/vendor/blamejs/lib/legal-hold.js +2 -0
  403. package/lib/vendor/blamejs/lib/link-header.js +2 -0
  404. package/lib/vendor/blamejs/lib/local-db-thin.js +2 -0
  405. package/lib/vendor/blamejs/lib/log-stream-cloudwatch.js +2 -0
  406. package/lib/vendor/blamejs/lib/log-stream-local.js +2 -0
  407. package/lib/vendor/blamejs/lib/log-stream-otlp-grpc.js +2 -0
  408. package/lib/vendor/blamejs/lib/log-stream-otlp.js +2 -0
  409. package/lib/vendor/blamejs/lib/log-stream-syslog.js +2 -0
  410. package/lib/vendor/blamejs/lib/log-stream-webhook.js +2 -0
  411. package/lib/vendor/blamejs/lib/log-stream.js +2 -0
  412. package/lib/vendor/blamejs/lib/log.js +2 -0
  413. package/lib/vendor/blamejs/lib/lro.js +2 -0
  414. package/lib/vendor/blamejs/lib/mail-agent.js +2 -0
  415. package/lib/vendor/blamejs/lib/mail-arc-reuse-token.js +20 -0
  416. package/lib/vendor/blamejs/lib/mail-arc-sign.js +32 -14
  417. package/lib/vendor/blamejs/lib/mail-arf.js +4 -0
  418. package/lib/vendor/blamejs/lib/mail-auth.js +93 -19
  419. package/lib/vendor/blamejs/lib/mail-bimi.js +26 -10
  420. package/lib/vendor/blamejs/lib/mail-bounce.js +23 -6
  421. package/lib/vendor/blamejs/lib/mail-crypto-pgp.js +2 -0
  422. package/lib/vendor/blamejs/lib/mail-crypto-smime.js +2 -0
  423. package/lib/vendor/blamejs/lib/mail-crypto.js +2 -0
  424. package/lib/vendor/blamejs/lib/mail-dav.js +2 -0
  425. package/lib/vendor/blamejs/lib/mail-deploy.js +2 -0
  426. package/lib/vendor/blamejs/lib/mail-dkim.js +44 -5
  427. package/lib/vendor/blamejs/lib/mail-greylist.js +2 -0
  428. package/lib/vendor/blamejs/lib/mail-helo.js +16 -0
  429. package/lib/vendor/blamejs/lib/mail-journal.js +2 -0
  430. package/lib/vendor/blamejs/lib/mail-mdn.js +17 -0
  431. package/lib/vendor/blamejs/lib/mail-rbl.js +2 -0
  432. package/lib/vendor/blamejs/lib/mail-require-tls.js +2 -0
  433. package/lib/vendor/blamejs/lib/mail-scan.js +2 -0
  434. package/lib/vendor/blamejs/lib/mail-send-deliver.js +32 -7
  435. package/lib/vendor/blamejs/lib/mail-server-imap.js +2 -0
  436. package/lib/vendor/blamejs/lib/mail-server-jmap.js +23 -11
  437. package/lib/vendor/blamejs/lib/mail-server-managesieve.js +2 -0
  438. package/lib/vendor/blamejs/lib/mail-server-mx.js +2 -0
  439. package/lib/vendor/blamejs/lib/mail-server-net.js +2 -0
  440. package/lib/vendor/blamejs/lib/mail-server-pop3.js +2 -0
  441. package/lib/vendor/blamejs/lib/mail-server-rate-limit.js +2 -0
  442. package/lib/vendor/blamejs/lib/mail-server-registry.js +2 -0
  443. package/lib/vendor/blamejs/lib/mail-server-submission.js +2 -0
  444. package/lib/vendor/blamejs/lib/mail-server-tls.js +2 -0
  445. package/lib/vendor/blamejs/lib/mail-sieve.js +2 -0
  446. package/lib/vendor/blamejs/lib/mail-spam-score.js +2 -0
  447. package/lib/vendor/blamejs/lib/mail-srs.js +8 -0
  448. package/lib/vendor/blamejs/lib/mail-store-fts.js +2 -0
  449. package/lib/vendor/blamejs/lib/mail-store.js +2 -0
  450. package/lib/vendor/blamejs/lib/mail-unsubscribe.js +2 -0
  451. package/lib/vendor/blamejs/lib/mail.js +11 -0
  452. package/lib/vendor/blamejs/lib/markup-escape.js +2 -0
  453. package/lib/vendor/blamejs/lib/markup-tokenizer.js +2 -0
  454. package/lib/vendor/blamejs/lib/mcp-tool-registry.js +2 -0
  455. package/lib/vendor/blamejs/lib/mcp.js +4 -2
  456. package/lib/vendor/blamejs/lib/mdoc.js +2 -0
  457. package/lib/vendor/blamejs/lib/metrics.js +2 -0
  458. package/lib/vendor/blamejs/lib/middleware/age-gate.js +2 -0
  459. package/lib/vendor/blamejs/lib/middleware/ai-act-disclosure.js +2 -0
  460. package/lib/vendor/blamejs/lib/middleware/api-encrypt.js +2 -0
  461. package/lib/vendor/blamejs/lib/middleware/assetlinks.js +2 -0
  462. package/lib/vendor/blamejs/lib/middleware/asyncapi-serve.js +2 -0
  463. package/lib/vendor/blamejs/lib/middleware/attach-user.js +2 -0
  464. package/lib/vendor/blamejs/lib/middleware/bearer-auth.js +2 -0
  465. package/lib/vendor/blamejs/lib/middleware/body-parser.js +2 -0
  466. package/lib/vendor/blamejs/lib/middleware/bot-disclose.js +2 -0
  467. package/lib/vendor/blamejs/lib/middleware/bot-guard.js +10 -1
  468. package/lib/vendor/blamejs/lib/middleware/clear-site-data.js +2 -0
  469. package/lib/vendor/blamejs/lib/middleware/compose-pipeline.js +2 -0
  470. package/lib/vendor/blamejs/lib/middleware/compression.js +2 -0
  471. package/lib/vendor/blamejs/lib/middleware/cookies.js +2 -0
  472. package/lib/vendor/blamejs/lib/middleware/cors.js +7 -0
  473. package/lib/vendor/blamejs/lib/middleware/csp-nonce.js +2 -0
  474. package/lib/vendor/blamejs/lib/middleware/csp-report.js +2 -0
  475. package/lib/vendor/blamejs/lib/middleware/csrf-protect.js +12 -5
  476. package/lib/vendor/blamejs/lib/middleware/daily-byte-quota.js +2 -0
  477. package/lib/vendor/blamejs/lib/middleware/db-role-for.js +2 -0
  478. package/lib/vendor/blamejs/lib/middleware/deny-response.js +2 -0
  479. package/lib/vendor/blamejs/lib/middleware/dpop.js +2 -0
  480. package/lib/vendor/blamejs/lib/middleware/error-handler.js +2 -0
  481. package/lib/vendor/blamejs/lib/middleware/fetch-metadata.js +2 -0
  482. package/lib/vendor/blamejs/lib/middleware/flag-context.js +2 -0
  483. package/lib/vendor/blamejs/lib/middleware/gpc.js +2 -0
  484. package/lib/vendor/blamejs/lib/middleware/headers.js +2 -0
  485. package/lib/vendor/blamejs/lib/middleware/health.js +2 -0
  486. package/lib/vendor/blamejs/lib/middleware/host-allowlist.js +2 -0
  487. package/lib/vendor/blamejs/lib/middleware/idempotency-key.js +30 -2
  488. package/lib/vendor/blamejs/lib/middleware/index.js +2 -0
  489. package/lib/vendor/blamejs/lib/middleware/nel.js +2 -0
  490. package/lib/vendor/blamejs/lib/middleware/network-allowlist.js +2 -0
  491. package/lib/vendor/blamejs/lib/middleware/no-cache.js +2 -0
  492. package/lib/vendor/blamejs/lib/middleware/openapi-serve.js +2 -0
  493. package/lib/vendor/blamejs/lib/middleware/protected-resource-metadata.js +2 -0
  494. package/lib/vendor/blamejs/lib/middleware/rate-limit.js +2 -0
  495. package/lib/vendor/blamejs/lib/middleware/request-id.js +2 -0
  496. package/lib/vendor/blamejs/lib/middleware/request-log.js +6 -0
  497. package/lib/vendor/blamejs/lib/middleware/require-aal.js +2 -0
  498. package/lib/vendor/blamejs/lib/middleware/require-auth.js +2 -0
  499. package/lib/vendor/blamejs/lib/middleware/require-bound-key.js +2 -0
  500. package/lib/vendor/blamejs/lib/middleware/require-content-type.js +2 -0
  501. package/lib/vendor/blamejs/lib/middleware/require-methods.js +2 -0
  502. package/lib/vendor/blamejs/lib/middleware/require-mtls.js +2 -0
  503. package/lib/vendor/blamejs/lib/middleware/require-step-up.js +42 -1
  504. package/lib/vendor/blamejs/lib/middleware/scim-server.js +2 -0
  505. package/lib/vendor/blamejs/lib/middleware/security-headers.js +2 -0
  506. package/lib/vendor/blamejs/lib/middleware/security-txt.js +2 -0
  507. package/lib/vendor/blamejs/lib/middleware/span-http-server.js +12 -0
  508. package/lib/vendor/blamejs/lib/middleware/speculation-rules.js +2 -0
  509. package/lib/vendor/blamejs/lib/middleware/sse.js +2 -0
  510. package/lib/vendor/blamejs/lib/middleware/trace-log-correlation.js +2 -0
  511. package/lib/vendor/blamejs/lib/middleware/trace-propagate.js +2 -0
  512. package/lib/vendor/blamejs/lib/middleware/tus-upload.js +2 -0
  513. package/lib/vendor/blamejs/lib/middleware/web-app-manifest.js +2 -0
  514. package/lib/vendor/blamejs/lib/migration-files.js +2 -0
  515. package/lib/vendor/blamejs/lib/migrations.js +2 -0
  516. package/lib/vendor/blamejs/lib/mime-parse.js +5 -1
  517. package/lib/vendor/blamejs/lib/module-loader.js +2 -0
  518. package/lib/vendor/blamejs/lib/money.js +2 -0
  519. package/lib/vendor/blamejs/lib/mtls-ca.js +2 -0
  520. package/lib/vendor/blamejs/lib/mtls-engine-default.js +2 -0
  521. package/lib/vendor/blamejs/lib/network-byte-quota.js +76 -14
  522. package/lib/vendor/blamejs/lib/network-dane.js +2 -0
  523. package/lib/vendor/blamejs/lib/network-dns-resolver.js +55 -18
  524. package/lib/vendor/blamejs/lib/network-dns.js +2 -0
  525. package/lib/vendor/blamejs/lib/network-dnssec.js +15 -2
  526. package/lib/vendor/blamejs/lib/network-heartbeat.js +2 -0
  527. package/lib/vendor/blamejs/lib/network-nts.js +2 -0
  528. package/lib/vendor/blamejs/lib/network-proxy.js +2 -0
  529. package/lib/vendor/blamejs/lib/network-smtp-policy.js +6 -1
  530. package/lib/vendor/blamejs/lib/network-tls.js +99 -5
  531. package/lib/vendor/blamejs/lib/network-tsig.js +13 -1
  532. package/lib/vendor/blamejs/lib/network.js +2 -0
  533. package/lib/vendor/blamejs/lib/nis2-report.js +2 -0
  534. package/lib/vendor/blamejs/lib/nist-crosswalk.js +2 -0
  535. package/lib/vendor/blamejs/lib/nonce-store.js +2 -0
  536. package/lib/vendor/blamejs/lib/notify.js +2 -0
  537. package/lib/vendor/blamejs/lib/ntp-check.js +2 -0
  538. package/lib/vendor/blamejs/lib/numeric-bounds.js +2 -0
  539. package/lib/vendor/blamejs/lib/numeric-checks.js +2 -0
  540. package/lib/vendor/blamejs/lib/object-store/azure-blob-bucket-ops.js +2 -0
  541. package/lib/vendor/blamejs/lib/object-store/azure-blob.js +2 -0
  542. package/lib/vendor/blamejs/lib/object-store/gcs-bucket-ops.js +2 -0
  543. package/lib/vendor/blamejs/lib/object-store/gcs.js +2 -0
  544. package/lib/vendor/blamejs/lib/object-store/http-put.js +2 -0
  545. package/lib/vendor/blamejs/lib/object-store/http-request.js +2 -0
  546. package/lib/vendor/blamejs/lib/object-store/index.js +2 -0
  547. package/lib/vendor/blamejs/lib/object-store/local.js +2 -0
  548. package/lib/vendor/blamejs/lib/object-store/sigv4-bucket-ops.js +2 -0
  549. package/lib/vendor/blamejs/lib/object-store/sigv4.js +2 -0
  550. package/lib/vendor/blamejs/lib/observability-otlp-exporter.js +4 -2
  551. package/lib/vendor/blamejs/lib/observability-tracer.js +2 -0
  552. package/lib/vendor/blamejs/lib/observability.js +2 -0
  553. package/lib/vendor/blamejs/lib/openapi-paths-builder.js +2 -0
  554. package/lib/vendor/blamejs/lib/openapi-schema-walk.js +2 -0
  555. package/lib/vendor/blamejs/lib/openapi-security.js +2 -0
  556. package/lib/vendor/blamejs/lib/openapi-yaml.js +2 -0
  557. package/lib/vendor/blamejs/lib/openapi.js +2 -0
  558. package/lib/vendor/blamejs/lib/otel-export.js +2 -0
  559. package/lib/vendor/blamejs/lib/outbox.js +2 -0
  560. package/lib/vendor/blamejs/lib/pagination.js +2 -0
  561. package/lib/vendor/blamejs/lib/parsers/index.js +2 -0
  562. package/lib/vendor/blamejs/lib/parsers/safe-env.js +2 -0
  563. package/lib/vendor/blamejs/lib/parsers/safe-ini.js +2 -0
  564. package/lib/vendor/blamejs/lib/parsers/safe-toml.js +2 -0
  565. package/lib/vendor/blamejs/lib/parsers/safe-xml.js +2 -0
  566. package/lib/vendor/blamejs/lib/parsers/safe-yaml.js +2 -0
  567. package/lib/vendor/blamejs/lib/permissions.js +2 -0
  568. package/lib/vendor/blamejs/lib/pick.js +2 -0
  569. package/lib/vendor/blamejs/lib/pipl-cn.js +2 -0
  570. package/lib/vendor/blamejs/lib/pqc-agent.js +2 -0
  571. package/lib/vendor/blamejs/lib/pqc-gate.js +2 -0
  572. package/lib/vendor/blamejs/lib/pqc-software.js +2 -0
  573. package/lib/vendor/blamejs/lib/privacy-pass.js +2 -0
  574. package/lib/vendor/blamejs/lib/privacy.js +2 -0
  575. package/lib/vendor/blamejs/lib/problem-details.js +2 -0
  576. package/lib/vendor/blamejs/lib/process-spawn.js +2 -0
  577. package/lib/vendor/blamejs/lib/promise-pool.js +2 -0
  578. package/lib/vendor/blamejs/lib/protobuf-encoder.js +2 -0
  579. package/lib/vendor/blamejs/lib/protocol-dispatcher.js +2 -0
  580. package/lib/vendor/blamejs/lib/public-suffix.js +45 -5
  581. package/lib/vendor/blamejs/lib/pubsub-cluster.js +2 -0
  582. package/lib/vendor/blamejs/lib/pubsub-redis.js +2 -0
  583. package/lib/vendor/blamejs/lib/pubsub.js +2 -0
  584. package/lib/vendor/blamejs/lib/queue-local.js +28 -11
  585. package/lib/vendor/blamejs/lib/queue-redis.js +79 -17
  586. package/lib/vendor/blamejs/lib/queue-sqs.js +2 -0
  587. package/lib/vendor/blamejs/lib/queue.js +5 -3
  588. package/lib/vendor/blamejs/lib/redact.js +2 -0
  589. package/lib/vendor/blamejs/lib/redis-client.js +30 -5
  590. package/lib/vendor/blamejs/lib/render.js +2 -0
  591. package/lib/vendor/blamejs/lib/request-helpers.js +11 -0
  592. package/lib/vendor/blamejs/lib/resource-access-lock.js +2 -0
  593. package/lib/vendor/blamejs/lib/restore-bundle.js +2 -0
  594. package/lib/vendor/blamejs/lib/restore-rollback.js +2 -0
  595. package/lib/vendor/blamejs/lib/restore.js +2 -0
  596. package/lib/vendor/blamejs/lib/retention.js +2 -0
  597. package/lib/vendor/blamejs/lib/retry.js +2 -0
  598. package/lib/vendor/blamejs/lib/rfc3339.js +2 -0
  599. package/lib/vendor/blamejs/lib/router.js +109 -19
  600. package/lib/vendor/blamejs/lib/safe-archive.js +2 -0
  601. package/lib/vendor/blamejs/lib/safe-async.js +44 -0
  602. package/lib/vendor/blamejs/lib/safe-buffer.js +66 -0
  603. package/lib/vendor/blamejs/lib/safe-decompress.js +2 -0
  604. package/lib/vendor/blamejs/lib/safe-dns.js +2 -0
  605. package/lib/vendor/blamejs/lib/safe-ical.js +2 -0
  606. package/lib/vendor/blamejs/lib/safe-icap.js +7 -0
  607. package/lib/vendor/blamejs/lib/safe-json.js +2 -0
  608. package/lib/vendor/blamejs/lib/safe-jsonpath.js +2 -0
  609. package/lib/vendor/blamejs/lib/safe-mime.js +2 -0
  610. package/lib/vendor/blamejs/lib/safe-mount-info.js +2 -0
  611. package/lib/vendor/blamejs/lib/safe-path.js +2 -0
  612. package/lib/vendor/blamejs/lib/safe-redirect.js +2 -0
  613. package/lib/vendor/blamejs/lib/safe-schema.js +2 -0
  614. package/lib/vendor/blamejs/lib/safe-sieve.js +2 -0
  615. package/lib/vendor/blamejs/lib/safe-smtp.js +2 -0
  616. package/lib/vendor/blamejs/lib/safe-sql.js +2 -0
  617. package/lib/vendor/blamejs/lib/safe-url.js +2 -0
  618. package/lib/vendor/blamejs/lib/safe-vcard.js +2 -0
  619. package/lib/vendor/blamejs/lib/sandbox-worker.js +2 -0
  620. package/lib/vendor/blamejs/lib/sandbox.js +2 -0
  621. package/lib/vendor/blamejs/lib/scheduler.js +2 -0
  622. package/lib/vendor/blamejs/lib/scitt.js +2 -0
  623. package/lib/vendor/blamejs/lib/sd-notify.js +2 -0
  624. package/lib/vendor/blamejs/lib/sec-cyber.js +2 -0
  625. package/lib/vendor/blamejs/lib/security-assert.js +2 -0
  626. package/lib/vendor/blamejs/lib/seeders.js +2 -0
  627. package/lib/vendor/blamejs/lib/self-update-standalone-verifier.js +2 -0
  628. package/lib/vendor/blamejs/lib/self-update.js +104 -56
  629. package/lib/vendor/blamejs/lib/server-timing.js +2 -0
  630. package/lib/vendor/blamejs/lib/session-device-binding.js +2 -0
  631. package/lib/vendor/blamejs/lib/session-stores.js +2 -0
  632. package/lib/vendor/blamejs/lib/session.js +71 -32
  633. package/lib/vendor/blamejs/lib/slug.js +2 -0
  634. package/lib/vendor/blamejs/lib/sql.js +2 -0
  635. package/lib/vendor/blamejs/lib/sse.js +2 -0
  636. package/lib/vendor/blamejs/lib/ssrf-guard.js +9 -1
  637. package/lib/vendor/blamejs/lib/standard-webhooks.js +2 -0
  638. package/lib/vendor/blamejs/lib/static.js +54 -20
  639. package/lib/vendor/blamejs/lib/storage.js +2 -0
  640. package/lib/vendor/blamejs/lib/stream-throttle.js +2 -0
  641. package/lib/vendor/blamejs/lib/structured-fields.js +2 -0
  642. package/lib/vendor/blamejs/lib/subject.js +2 -0
  643. package/lib/vendor/blamejs/lib/tcpa-10dlc.js +2 -0
  644. package/lib/vendor/blamejs/lib/template.js +2 -0
  645. package/lib/vendor/blamejs/lib/tenant-quota.js +2 -0
  646. package/lib/vendor/blamejs/lib/test-harness.js +2 -0
  647. package/lib/vendor/blamejs/lib/testing.js +2 -0
  648. package/lib/vendor/blamejs/lib/time.js +2 -0
  649. package/lib/vendor/blamejs/lib/tls-exporter.js +2 -0
  650. package/lib/vendor/blamejs/lib/totp.js +2 -0
  651. package/lib/vendor/blamejs/lib/tracing.js +2 -0
  652. package/lib/vendor/blamejs/lib/tsa.js +2 -0
  653. package/lib/vendor/blamejs/lib/uri-template.js +2 -0
  654. package/lib/vendor/blamejs/lib/uuid.js +2 -0
  655. package/lib/vendor/blamejs/lib/validate-opts.js +2 -0
  656. package/lib/vendor/blamejs/lib/vault/index.js +2 -0
  657. package/lib/vendor/blamejs/lib/vault/passphrase-ops.js +2 -0
  658. package/lib/vendor/blamejs/lib/vault/passphrase-source.js +2 -0
  659. package/lib/vendor/blamejs/lib/vault/rotate.js +2 -0
  660. package/lib/vendor/blamejs/lib/vault/seal-pem-file.js +2 -0
  661. package/lib/vendor/blamejs/lib/vault/wrap.js +2 -0
  662. package/lib/vendor/blamejs/lib/vault-aad.js +2 -0
  663. package/lib/vendor/blamejs/lib/vc.js +31 -0
  664. package/lib/vendor/blamejs/lib/vendor/MANIFEST.json +10 -10
  665. package/lib/vendor/blamejs/lib/vendor/public-suffix-list.dat +2 -4
  666. package/lib/vendor/blamejs/lib/vendor/public-suffix-list.data.js +745 -745
  667. package/lib/vendor/blamejs/lib/vendor-data.js +2 -0
  668. package/lib/vendor/blamejs/lib/vex.js +2 -0
  669. package/lib/vendor/blamejs/lib/watcher.js +2 -0
  670. package/lib/vendor/blamejs/lib/web-push-vapid.js +2 -0
  671. package/lib/vendor/blamejs/lib/webhook-dispatcher.js +33 -5
  672. package/lib/vendor/blamejs/lib/webhook.js +2 -0
  673. package/lib/vendor/blamejs/lib/websocket-channels.js +2 -0
  674. package/lib/vendor/blamejs/lib/websocket.js +2 -0
  675. package/lib/vendor/blamejs/lib/wiki-concepts.js +2 -0
  676. package/lib/vendor/blamejs/lib/worker-pool.js +2 -0
  677. package/lib/vendor/blamejs/lib/worm.js +2 -0
  678. package/lib/vendor/blamejs/lib/ws-client.js +2 -0
  679. package/lib/vendor/blamejs/lib/x509-chain.js +2 -0
  680. package/lib/vendor/blamejs/lib/xml-c14n.js +10 -7
  681. package/lib/vendor/blamejs/oss-fuzz/projects/blamejs/Dockerfile +7 -6
  682. package/lib/vendor/blamejs/package-lock.json +533 -0
  683. package/lib/vendor/blamejs/package.json +3 -3
  684. package/lib/vendor/blamejs/release-notes/v0.15.x.json +2284 -0
  685. package/lib/vendor/blamejs/release-notes/v0.16.0.json +44 -0
  686. package/lib/vendor/blamejs/release-notes/v0.16.1.json +36 -0
  687. package/lib/vendor/blamejs/release-notes/v0.16.2.json +71 -0
  688. package/lib/vendor/blamejs/scripts/build-vendored-sbom.js +2 -0
  689. package/lib/vendor/blamejs/scripts/check-actions-currency.js +113 -1
  690. package/lib/vendor/blamejs/scripts/check-api-snapshot.js +2 -0
  691. package/lib/vendor/blamejs/scripts/check-changelog-extract.js +2 -0
  692. package/lib/vendor/blamejs/scripts/check-esbuild-pin.js +33 -40
  693. package/lib/vendor/blamejs/scripts/check-pack-against-gitignore.js +2 -0
  694. package/lib/vendor/blamejs/scripts/check-services.js +2 -0
  695. package/lib/vendor/blamejs/scripts/check-vendor-currency.js +2 -0
  696. package/lib/vendor/blamejs/scripts/consolidate-release-notes.js +2 -0
  697. package/lib/vendor/blamejs/scripts/gen-migrating.js +2 -0
  698. package/lib/vendor/blamejs/scripts/generate-changelog-entry.js +2 -0
  699. package/lib/vendor/blamejs/scripts/generate-release-signing-key.js +2 -0
  700. package/lib/vendor/blamejs/scripts/generate-ssdf-attestation.js +2 -0
  701. package/lib/vendor/blamejs/scripts/pin-all.js +215 -0
  702. package/lib/vendor/blamejs/scripts/refresh-api-snapshot.js +2 -0
  703. package/lib/vendor/blamejs/scripts/refresh-vendor-manifest.js +2 -0
  704. package/lib/vendor/blamejs/scripts/release.js +5 -1
  705. package/lib/vendor/blamejs/scripts/sha3-digest.js +2 -0
  706. package/lib/vendor/blamejs/scripts/sign-release-artifact.js +2 -0
  707. package/lib/vendor/blamejs/scripts/test-integration.js +2 -0
  708. package/lib/vendor/blamejs/scripts/test-wiki-integration.js +2 -0
  709. package/lib/vendor/blamejs/scripts/validate-source-comment-blocks.js +2 -0
  710. package/lib/vendor/blamejs/scripts/vendor-data-gen.js +2 -0
  711. package/lib/vendor/blamejs/scripts/vendor-data-keygen.js +2 -0
  712. package/lib/vendor/blamejs/test/00-primitives.js +35 -1
  713. package/lib/vendor/blamejs/test/10-state.js +2 -0
  714. package/lib/vendor/blamejs/test/20-db.js +2 -0
  715. package/lib/vendor/blamejs/test/30-chain.js +2 -0
  716. package/lib/vendor/blamejs/test/40-consumers.js +2 -0
  717. package/lib/vendor/blamejs/test/50-integration.js +2 -0
  718. package/lib/vendor/blamejs/test/_helpers.js +2 -0
  719. package/lib/vendor/blamejs/test/_smoke-worker.js +2 -0
  720. package/lib/vendor/blamejs/test/fixtures/worker-pool/echo.js +2 -0
  721. package/lib/vendor/blamejs/test/helpers/_codebase-shingle-worker.js +2 -0
  722. package/lib/vendor/blamejs/test/helpers/_codebase-shingle.js +2 -0
  723. package/lib/vendor/blamejs/test/helpers/_shape-match.js +2 -0
  724. package/lib/vendor/blamejs/test/helpers/check.js +2 -0
  725. package/lib/vendor/blamejs/test/helpers/cluster.js +2 -0
  726. package/lib/vendor/blamejs/test/helpers/db.js +2 -0
  727. package/lib/vendor/blamejs/test/helpers/drivers.js +2 -0
  728. package/lib/vendor/blamejs/test/helpers/fs-watch.js +2 -0
  729. package/lib/vendor/blamejs/test/helpers/http.js +2 -0
  730. package/lib/vendor/blamejs/test/helpers/index.js +2 -0
  731. package/lib/vendor/blamejs/test/helpers/json-round-trip.js +2 -0
  732. package/lib/vendor/blamejs/test/helpers/mocks.js +2 -0
  733. package/lib/vendor/blamejs/test/helpers/otel.js +2 -0
  734. package/lib/vendor/blamejs/test/helpers/services.js +2 -0
  735. package/lib/vendor/blamejs/test/helpers/wait.js +2 -0
  736. package/lib/vendor/blamejs/test/integration/audit-actor-binding-pg.test.js +2 -0
  737. package/lib/vendor/blamejs/test/integration/audit-chain-external-db.test.js +2 -0
  738. package/lib/vendor/blamejs/test/integration/audit-stack-mysql.test.js +2 -0
  739. package/lib/vendor/blamejs/test/integration/audit-stack-postgres.test.js +2 -0
  740. package/lib/vendor/blamejs/test/integration/backup-restore-objectstore.test.js +2 -0
  741. package/lib/vendor/blamejs/test/integration/cache.test.js +2 -0
  742. package/lib/vendor/blamejs/test/integration/cluster-provider-mysql.test.js +2 -0
  743. package/lib/vendor/blamejs/test/integration/data-layer-cluster-mysql.test.js +2 -0
  744. package/lib/vendor/blamejs/test/integration/data-layer-cluster-pg.test.js +2 -0
  745. package/lib/vendor/blamejs/test/integration/data-layer-mysql-privacy.test.js +2 -0
  746. package/lib/vendor/blamejs/test/integration/data-layer-mysql.test.js +2 -0
  747. package/lib/vendor/blamejs/test/integration/data-layer-pg.test.js +2 -0
  748. package/lib/vendor/blamejs/test/integration/data-layer-postgres.test.js +2 -0
  749. package/lib/vendor/blamejs/test/integration/db-layer-mysql.test.js +2 -0
  750. package/lib/vendor/blamejs/test/integration/db-layer-postgres.test.js +2 -0
  751. package/lib/vendor/blamejs/test/integration/distributed-scheduler-fencing-pg.test.js +2 -0
  752. package/lib/vendor/blamejs/test/integration/external-db-postgres.test.js +2 -0
  753. package/lib/vendor/blamejs/test/integration/federation-auth.test.js +2 -0
  754. package/lib/vendor/blamejs/test/integration/framework-schema-mysql.test.js +2 -0
  755. package/lib/vendor/blamejs/test/integration/http-client.test.js +2 -0
  756. package/lib/vendor/blamejs/test/integration/log-stream-cloudwatch.test.js +2 -0
  757. package/lib/vendor/blamejs/test/integration/log-stream.test.js +2 -0
  758. package/lib/vendor/blamejs/test/integration/mail-crypto-smime.test.js +2 -0
  759. package/lib/vendor/blamejs/test/integration/mail-dkim.test.js +2 -0
  760. package/lib/vendor/blamejs/test/integration/mail-smtp.test.js +2 -0
  761. package/lib/vendor/blamejs/test/integration/mtls-ca.test.js +2 -0
  762. package/lib/vendor/blamejs/test/integration/network-dns.test.js +2 -0
  763. package/lib/vendor/blamejs/test/integration/network-heartbeat.test.js +2 -0
  764. package/lib/vendor/blamejs/test/integration/ntp-check.test.js +2 -0
  765. package/lib/vendor/blamejs/test/integration/object-store-azure.test.js +2 -0
  766. package/lib/vendor/blamejs/test/integration/object-store-gcs.test.js +2 -0
  767. package/lib/vendor/blamejs/test/integration/object-store-sigv4.test.js +2 -0
  768. package/lib/vendor/blamejs/test/integration/object-store-worm-lock.test.js +2 -0
  769. package/lib/vendor/blamejs/test/integration/pqc-pkcs8-forward-compat.test.js +2 -0
  770. package/lib/vendor/blamejs/test/integration/pubsub.test.js +2 -0
  771. package/lib/vendor/blamejs/test/integration/queue-cluster-mysql.test.js +2 -0
  772. package/lib/vendor/blamejs/test/integration/queue-cluster-pg.test.js +2 -0
  773. package/lib/vendor/blamejs/test/integration/queue-redis.test.js +115 -0
  774. package/lib/vendor/blamejs/test/integration/queue-sqs.test.js +2 -0
  775. package/lib/vendor/blamejs/test/integration/redis-client-tls.test.js +2 -0
  776. package/lib/vendor/blamejs/test/integration/redis-reconnect-toxiproxy.test.js +2 -0
  777. package/lib/vendor/blamejs/test/integration/sql-fts5-catalog-sqlite.test.js +2 -0
  778. package/lib/vendor/blamejs/test/integration/ssrf-guard.test.js +2 -0
  779. package/lib/vendor/blamejs/test/integration/tls-classical-downgrade-audit.test.js +2 -0
  780. package/lib/vendor/blamejs/test/integration/webhook-dispatcher-pg.test.js +15 -0
  781. package/lib/vendor/blamejs/test/integration/websocket-permessage-deflate.test.js +2 -0
  782. package/lib/vendor/blamejs/test/integration/ws-client-roundtrip.test.js +2 -0
  783. package/lib/vendor/blamejs/test/layer-0-primitives/a2a-tasks.test.js +2 -0
  784. package/lib/vendor/blamejs/test/layer-0-primitives/a2a.test.js +2 -0
  785. package/lib/vendor/blamejs/test/layer-0-primitives/access-lock.test.js +2 -0
  786. package/lib/vendor/blamejs/test/layer-0-primitives/acme-coverage.test.js +441 -0
  787. package/lib/vendor/blamejs/test/layer-0-primitives/acme-failclosed.test.js +131 -0
  788. package/lib/vendor/blamejs/test/layer-0-primitives/acme.test.js +2 -0
  789. package/lib/vendor/blamejs/test/layer-0-primitives/age-gate.test.js +2 -0
  790. package/lib/vendor/blamejs/test/layer-0-primitives/agent-event-bus.test.js +2 -0
  791. package/lib/vendor/blamejs/test/layer-0-primitives/agent-idempotency.test.js +0 -0
  792. package/lib/vendor/blamejs/test/layer-0-primitives/agent-orchestrator.test.js +23 -0
  793. package/lib/vendor/blamejs/test/layer-0-primitives/agent-posture-chain.test.js +2 -0
  794. package/lib/vendor/blamejs/test/layer-0-primitives/agent-saga.test.js +2 -0
  795. package/lib/vendor/blamejs/test/layer-0-primitives/agent-snapshot.test.js +2 -0
  796. package/lib/vendor/blamejs/test/layer-0-primitives/agent-stream.test.js +2 -0
  797. package/lib/vendor/blamejs/test/layer-0-primitives/agent-tenant.test.js +22 -0
  798. package/lib/vendor/blamejs/test/layer-0-primitives/agent-trace.test.js +2 -0
  799. package/lib/vendor/blamejs/test/layer-0-primitives/ai-adverse-decision.test.js +2 -0
  800. package/lib/vendor/blamejs/test/layer-0-primitives/ai-aedt-bias-audit.test.js +2 -0
  801. package/lib/vendor/blamejs/test/layer-0-primitives/ai-capability.test.js +2 -0
  802. package/lib/vendor/blamejs/test/layer-0-primitives/ai-content-detect.test.js +2 -0
  803. package/lib/vendor/blamejs/test/layer-0-primitives/ai-disclosure-apply-all.test.js +2 -0
  804. package/lib/vendor/blamejs/test/layer-0-primitives/ai-disclosure.test.js +2 -0
  805. package/lib/vendor/blamejs/test/layer-0-primitives/ai-dp.test.js +2 -0
  806. package/lib/vendor/blamejs/test/layer-0-primitives/ai-frontier-protocol.test.js +2 -0
  807. package/lib/vendor/blamejs/test/layer-0-primitives/ai-input.test.js +2 -0
  808. package/lib/vendor/blamejs/test/layer-0-primitives/ai-model-manifest.test.js +2 -0
  809. package/lib/vendor/blamejs/test/layer-0-primitives/ai-output.test.js +2 -0
  810. package/lib/vendor/blamejs/test/layer-0-primitives/ai-pref.test.js +2 -0
  811. package/lib/vendor/blamejs/test/layer-0-primitives/ai-prompt.test.js +2 -0
  812. package/lib/vendor/blamejs/test/layer-0-primitives/ai-quota.test.js +2 -0
  813. package/lib/vendor/blamejs/test/layer-0-primitives/api-encrypt-rejection-envelope.test.js +2 -0
  814. package/lib/vendor/blamejs/test/layer-0-primitives/api-encrypt.test.js +2 -0
  815. package/lib/vendor/blamejs/test/layer-0-primitives/app-shutdown.test.js +2 -0
  816. package/lib/vendor/blamejs/test/layer-0-primitives/archive-gz.test.js +2 -0
  817. package/lib/vendor/blamejs/test/layer-0-primitives/archive-read.test.js +2 -0
  818. package/lib/vendor/blamejs/test/layer-0-primitives/archive-sniff-envelope.test.js +2 -0
  819. package/lib/vendor/blamejs/test/layer-0-primitives/archive-tar-hardening.test.js +22 -0
  820. package/lib/vendor/blamejs/test/layer-0-primitives/archive-tar.test.js +2 -0
  821. package/lib/vendor/blamejs/test/layer-0-primitives/archive-wrap-passphrase.test.js +2 -0
  822. package/lib/vendor/blamejs/test/layer-0-primitives/archive-wrap.test.js +2 -0
  823. package/lib/vendor/blamejs/test/layer-0-primitives/archive-zip-stream.test.js +2 -0
  824. package/lib/vendor/blamejs/test/layer-0-primitives/archive.test.js +4 -0
  825. package/lib/vendor/blamejs/test/layer-0-primitives/arg-parser.test.js +2 -0
  826. package/lib/vendor/blamejs/test/layer-0-primitives/asn1-der.test.js +2 -0
  827. package/lib/vendor/blamejs/test/layer-0-primitives/asyncapi.test.js +2 -0
  828. package/lib/vendor/blamejs/test/layer-0-primitives/atomic-file-conflict-path.test.js +2 -0
  829. package/lib/vendor/blamejs/test/layer-0-primitives/atomic-file-exclusive-temp.test.js +2 -0
  830. package/lib/vendor/blamejs/test/layer-0-primitives/atomic-file-fd-read-errorfor-bypass.test.js +2 -0
  831. package/lib/vendor/blamejs/test/layer-0-primitives/atomic-file-fd-read.test.js +2 -0
  832. package/lib/vendor/blamejs/test/layer-0-primitives/atomic-file-open-append-nofollow.test.js +2 -0
  833. package/lib/vendor/blamejs/test/layer-0-primitives/atomic-file-open-nofollow.test.js +2 -0
  834. package/lib/vendor/blamejs/test/layer-0-primitives/atomic-file-rename-retry.test.js +2 -0
  835. package/lib/vendor/blamejs/test/layer-0-primitives/atomic-file-write-excl.test.js +2 -0
  836. package/lib/vendor/blamejs/test/layer-0-primitives/atomic-file-write-stream.test.js +2 -0
  837. package/lib/vendor/blamejs/test/layer-0-primitives/attach-user-bearer-scheme.test.js +2 -0
  838. package/lib/vendor/blamejs/test/layer-0-primitives/audit-chain-corrupted-anchor.test.js +2 -0
  839. package/lib/vendor/blamejs/test/layer-0-primitives/audit-chain-incremental-verify.test.js +2 -0
  840. package/lib/vendor/blamejs/test/layer-0-primitives/audit-checkpoint-false-rollback.test.js +2 -0
  841. package/lib/vendor/blamejs/test/layer-0-primitives/audit-cve-defensive.test.js +2 -0
  842. package/lib/vendor/blamejs/test/layer-0-primitives/audit-daily-review.test.js +2 -0
  843. package/lib/vendor/blamejs/test/layer-0-primitives/audit-export-cadf.test.js +2 -0
  844. package/lib/vendor/blamejs/test/layer-0-primitives/audit-framework-namespaces.test.js +2 -0
  845. package/lib/vendor/blamejs/test/layer-0-primitives/audit-query-self-log.test.js +2 -0
  846. package/lib/vendor/blamejs/test/layer-0-primitives/audit-safeemit-redacts-secrets.test.js +2 -0
  847. package/lib/vendor/blamejs/test/layer-0-primitives/audit-segregation.test.js +2 -0
  848. package/lib/vendor/blamejs/test/layer-0-primitives/audit-sign-anchor.test.js +2 -0
  849. package/lib/vendor/blamejs/test/layer-0-primitives/audit-sign-ml-dsa-65.test.js +2 -0
  850. package/lib/vendor/blamejs/test/layer-0-primitives/audit-signing-key-rotation.test.js +2 -0
  851. package/lib/vendor/blamejs/test/layer-0-primitives/audit-tools-dual-control.test.js +2 -0
  852. package/lib/vendor/blamejs/test/layer-0-primitives/audit-tools-return-bytes.test.js +2 -0
  853. package/lib/vendor/blamejs/test/layer-0-primitives/audit-use-store.test.js +2 -0
  854. package/lib/vendor/blamejs/test/layer-0-primitives/audit-verifybundle-tamper.test.js +2 -0
  855. package/lib/vendor/blamejs/test/layer-0-primitives/auth-bot-challenge-verifier.test.js +2 -0
  856. package/lib/vendor/blamejs/test/layer-0-primitives/auth-bot-challenge.test.js +2 -0
  857. package/lib/vendor/blamejs/test/layer-0-primitives/auth-jar.test.js +9 -6
  858. package/lib/vendor/blamejs/test/layer-0-primitives/auth-jwt-defenses.test.js +56 -0
  859. package/lib/vendor/blamejs/test/layer-0-primitives/auth-lockout.test.js +121 -1
  860. package/lib/vendor/blamejs/test/layer-0-primitives/auth-oauth-coverage.test.js +482 -0
  861. package/lib/vendor/blamejs/test/layer-0-primitives/auth-oauth-failclosed.test.js +257 -0
  862. package/lib/vendor/blamejs/test/layer-0-primitives/auth-password-audit.test.js +2 -0
  863. package/lib/vendor/blamejs/test/layer-0-primitives/auth-saml-coverage.test.js +671 -0
  864. package/lib/vendor/blamejs/test/layer-0-primitives/auth-saml-failclosed.test.js +179 -0
  865. package/lib/vendor/blamejs/test/layer-0-primitives/auth-status-list.test.js +19 -0
  866. package/lib/vendor/blamejs/test/layer-0-primitives/azure-blob-bucket-ops.test.js +2 -0
  867. package/lib/vendor/blamejs/test/layer-0-primitives/azure-blob-key-encoding.test.js +2 -0
  868. package/lib/vendor/blamejs/test/layer-0-primitives/backup-bundle-info.test.js +2 -0
  869. package/lib/vendor/blamejs/test/layer-0-primitives/backup-clone-bundle.test.js +2 -0
  870. package/lib/vendor/blamejs/test/layer-0-primitives/backup-find-bundles.test.js +2 -0
  871. package/lib/vendor/blamejs/test/layer-0-primitives/backup-index-coverage.test.js +690 -0
  872. package/lib/vendor/blamejs/test/layer-0-primitives/backup-index-failclosed.test.js +103 -0
  873. package/lib/vendor/blamejs/test/layer-0-primitives/backup-key-rotation.test.js +2 -0
  874. package/lib/vendor/blamejs/test/layer-0-primitives/backup-manifest-signature.test.js +2 -0
  875. package/lib/vendor/blamejs/test/layer-0-primitives/backup-object-store-adapter.test.js +2 -0
  876. package/lib/vendor/blamejs/test/layer-0-primitives/backup-residency-posture.test.js +2 -0
  877. package/lib/vendor/blamejs/test/layer-0-primitives/backup-rewrap-all.test.js +2 -0
  878. package/lib/vendor/blamejs/test/layer-0-primitives/backup-rewrap-bundle.test.js +2 -0
  879. package/lib/vendor/blamejs/test/layer-0-primitives/backup-scheduletest-drill.test.js +2 -0
  880. package/lib/vendor/blamejs/test/layer-0-primitives/backup-verify-all-bundles.test.js +0 -0
  881. package/lib/vendor/blamejs/test/layer-0-primitives/backup-verify-bundle.test.js +2 -0
  882. package/lib/vendor/blamejs/test/layer-0-primitives/backup-worker.test.js +2 -0
  883. package/lib/vendor/blamejs/test/layer-0-primitives/base32.test.js +2 -0
  884. package/lib/vendor/blamejs/test/layer-0-primitives/bearer-auth.test.js +2 -0
  885. package/lib/vendor/blamejs/test/layer-0-primitives/body-parser-chunked-malformed.test.js +2 -0
  886. package/lib/vendor/blamejs/test/layer-0-primitives/body-parser-error-redaction.test.js +2 -0
  887. package/lib/vendor/blamejs/test/layer-0-primitives/body-parser-smuggling.test.js +2 -0
  888. package/lib/vendor/blamejs/test/layer-0-primitives/boot-gates.test.js +2 -0
  889. package/lib/vendor/blamejs/test/layer-0-primitives/bot-guard.test.js +12 -0
  890. package/lib/vendor/blamejs/test/layer-0-primitives/bounded-map.test.js +2 -0
  891. package/lib/vendor/blamejs/test/layer-0-primitives/breach-deadline.test.js +2 -0
  892. package/lib/vendor/blamejs/test/layer-0-primitives/break-glass.test.js +46 -0
  893. package/lib/vendor/blamejs/test/layer-0-primitives/budr.test.js +2 -0
  894. package/lib/vendor/blamejs/test/layer-0-primitives/bundler-engine.test.js +2 -0
  895. package/lib/vendor/blamejs/test/layer-0-primitives/cache-status.test.js +2 -0
  896. package/lib/vendor/blamejs/test/layer-0-primitives/cache.test.js +12 -0
  897. package/lib/vendor/blamejs/test/layer-0-primitives/calendar.test.js +2 -0
  898. package/lib/vendor/blamejs/test/layer-0-primitives/canonical-json-jcs.test.js +2 -0
  899. package/lib/vendor/blamejs/test/layer-0-primitives/canonical-json.test.js +28 -0
  900. package/lib/vendor/blamejs/test/layer-0-primitives/cbor.test.js +2 -0
  901. package/lib/vendor/blamejs/test/layer-0-primitives/cdn-cache-control.test.js +2 -0
  902. package/lib/vendor/blamejs/test/layer-0-primitives/cert.test.js +2 -0
  903. package/lib/vendor/blamejs/test/layer-0-primitives/chain-writer-multichain.test.js +2 -0
  904. package/lib/vendor/blamejs/test/layer-0-primitives/ciba-authreqid-binding.test.js +2 -0
  905. package/lib/vendor/blamejs/test/layer-0-primitives/clear-site-data.test.js +2 -0
  906. package/lib/vendor/blamejs/test/layer-0-primitives/cli-api-key.test.js +2 -0
  907. package/lib/vendor/blamejs/test/layer-0-primitives/cli-audit-verify-chain.test.js +2 -0
  908. package/lib/vendor/blamejs/test/layer-0-primitives/cli-backup.test.js +2 -0
  909. package/lib/vendor/blamejs/test/layer-0-primitives/cli-config-drift.test.js +2 -0
  910. package/lib/vendor/blamejs/test/layer-0-primitives/cli-coverage.test.js +238 -0
  911. package/lib/vendor/blamejs/test/layer-0-primitives/cli-erase.test.js +2 -0
  912. package/lib/vendor/blamejs/test/layer-0-primitives/cli-file-type.test.js +2 -0
  913. package/lib/vendor/blamejs/test/layer-0-primitives/cli-helpers.test.js +2 -0
  914. package/lib/vendor/blamejs/test/layer-0-primitives/cli-mtls.test.js +2 -0
  915. package/lib/vendor/blamejs/test/layer-0-primitives/cli-password.test.js +2 -0
  916. package/lib/vendor/blamejs/test/layer-0-primitives/cli-restore.test.js +2 -0
  917. package/lib/vendor/blamejs/test/layer-0-primitives/cli-retention.test.js +2 -0
  918. package/lib/vendor/blamejs/test/layer-0-primitives/cli-security.test.js +2 -0
  919. package/lib/vendor/blamejs/test/layer-0-primitives/cli-vault.test.js +2 -0
  920. package/lib/vendor/blamejs/test/layer-0-primitives/client-hints.test.js +2 -0
  921. package/lib/vendor/blamejs/test/layer-0-primitives/cloud-events.test.js +2 -0
  922. package/lib/vendor/blamejs/test/layer-0-primitives/cluster-storage.test.js +2 -0
  923. package/lib/vendor/blamejs/test/layer-0-primitives/cluster-vault-rotation.test.js +2 -0
  924. package/lib/vendor/blamejs/test/layer-0-primitives/cms-codec.test.js +2 -0
  925. package/lib/vendor/blamejs/test/layer-0-primitives/codebase-patterns.test.js +791 -13
  926. package/lib/vendor/blamejs/test/layer-0-primitives/codepoint-class.test.js +2 -0
  927. package/lib/vendor/blamejs/test/layer-0-primitives/compliance-ai-act.test.js +2 -0
  928. package/lib/vendor/blamejs/test/layer-0-primitives/compliance-cascade.test.js +2 -0
  929. package/lib/vendor/blamejs/test/layer-0-primitives/compliance-eaa.test.js +2 -0
  930. package/lib/vendor/blamejs/test/layer-0-primitives/compliance-eu-ai-act-posture.test.js +2 -0
  931. package/lib/vendor/blamejs/test/layer-0-primitives/compliance-sanctions.test.js +2 -0
  932. package/lib/vendor/blamejs/test/layer-0-primitives/compliance.test.js +2 -0
  933. package/lib/vendor/blamejs/test/layer-0-primitives/compression-range.test.js +2 -0
  934. package/lib/vendor/blamejs/test/layer-0-primitives/config-drift.test.js +2 -0
  935. package/lib/vendor/blamejs/test/layer-0-primitives/config.test.js +2 -0
  936. package/lib/vendor/blamejs/test/layer-0-primitives/consent-purposes.test.js +2 -0
  937. package/lib/vendor/blamejs/test/layer-0-primitives/content-credentials.test.js +2 -0
  938. package/lib/vendor/blamejs/test/layer-0-primitives/content-digest.test.js +2 -0
  939. package/lib/vendor/blamejs/test/layer-0-primitives/cors.test.js +12 -0
  940. package/lib/vendor/blamejs/test/layer-0-primitives/cose.test.js +2 -0
  941. package/lib/vendor/blamejs/test/layer-0-primitives/cra-report.test.js +2 -0
  942. package/lib/vendor/blamejs/test/layer-0-primitives/crdt.test.js +2 -0
  943. package/lib/vendor/blamejs/test/layer-0-primitives/credential-hash.test.js +2 -0
  944. package/lib/vendor/blamejs/test/layer-0-primitives/crypto-base64url.test.js +2 -0
  945. package/lib/vendor/blamejs/test/layer-0-primitives/crypto-envelope.test.js +2 -0
  946. package/lib/vendor/blamejs/test/layer-0-primitives/crypto-field-aad-downgrade.test.js +2 -0
  947. package/lib/vendor/blamejs/test/layer-0-primitives/crypto-field-derived-hash.test.js +2 -0
  948. package/lib/vendor/blamejs/test/layer-0-primitives/crypto-field-dual-read-migrate.test.js +2 -0
  949. package/lib/vendor/blamejs/test/layer-0-primitives/crypto-field-per-row-key.test.js +2 -0
  950. package/lib/vendor/blamejs/test/layer-0-primitives/crypto-field-unseal-rate-cap.test.js +2 -0
  951. package/lib/vendor/blamejs/test/layer-0-primitives/crypto-field-upgrade-dialect.test.js +2 -0
  952. package/lib/vendor/blamejs/test/layer-0-primitives/crypto-hash-files-parallel.test.js +2 -0
  953. package/lib/vendor/blamejs/test/layer-0-primitives/crypto-hash-stream.test.js +2 -0
  954. package/lib/vendor/blamejs/test/layer-0-primitives/crypto-hpke-pq.test.js +2 -0
  955. package/lib/vendor/blamejs/test/layer-0-primitives/crypto-hpke.test.js +2 -0
  956. package/lib/vendor/blamejs/test/layer-0-primitives/crypto-interop-oracles.test.js +2 -0
  957. package/lib/vendor/blamejs/test/layer-0-primitives/crypto-mlkem768-x25519.test.js +2 -0
  958. package/lib/vendor/blamejs/test/layer-0-primitives/crypto-namespace-hash.test.js +0 -0
  959. package/lib/vendor/blamejs/test/layer-0-primitives/crypto-oprf.test.js +2 -0
  960. package/lib/vendor/blamejs/test/layer-0-primitives/crypto-random-int.test.js +2 -0
  961. package/lib/vendor/blamejs/test/layer-0-primitives/crypto-self-test.test.js +2 -0
  962. package/lib/vendor/blamejs/test/layer-0-primitives/crypto-xwing.test.js +2 -0
  963. package/lib/vendor/blamejs/test/layer-0-primitives/csp-builder.test.js +2 -0
  964. package/lib/vendor/blamejs/test/layer-0-primitives/csp-nonce.test.js +2 -0
  965. package/lib/vendor/blamejs/test/layer-0-primitives/csp-report.test.js +2 -0
  966. package/lib/vendor/blamejs/test/layer-0-primitives/csrf-protect.test.js +40 -0
  967. package/lib/vendor/blamejs/test/layer-0-primitives/csv.test.js +11 -0
  968. package/lib/vendor/blamejs/test/layer-0-primitives/cwt.test.js +2 -0
  969. package/lib/vendor/blamejs/test/layer-0-primitives/daemon.test.js +2 -0
  970. package/lib/vendor/blamejs/test/layer-0-primitives/daily-byte-quota.test.js +2 -0
  971. package/lib/vendor/blamejs/test/layer-0-primitives/dane.test.js +2 -0
  972. package/lib/vendor/blamejs/test/layer-0-primitives/dark-patterns.test.js +2 -0
  973. package/lib/vendor/blamejs/test/layer-0-primitives/data-act.test.js +2 -0
  974. package/lib/vendor/blamejs/test/layer-0-primitives/db-collection-extensions.test.js +2 -0
  975. package/lib/vendor/blamejs/test/layer-0-primitives/db-collection.test.js +2 -0
  976. package/lib/vendor/blamejs/test/layer-0-primitives/db-column-gate.test.js +2 -0
  977. package/lib/vendor/blamejs/test/layer-0-primitives/db-init-extensions.test.js +2 -0
  978. package/lib/vendor/blamejs/test/layer-0-primitives/db-key-aad.test.js +2 -0
  979. package/lib/vendor/blamejs/test/layer-0-primitives/db-query-cross-schema.test.js +2 -0
  980. package/lib/vendor/blamejs/test/layer-0-primitives/db-query-extensions.test.js +2 -0
  981. package/lib/vendor/blamejs/test/layer-0-primitives/db-query-sealed-field-in.test.js +2 -0
  982. package/lib/vendor/blamejs/test/layer-0-primitives/db-raw-residency-gate.test.js +2 -0
  983. package/lib/vendor/blamejs/test/layer-0-primitives/db-role-for.test.js +2 -0
  984. package/lib/vendor/blamejs/test/layer-0-primitives/db-schema-drift.test.js +2 -0
  985. package/lib/vendor/blamejs/test/layer-0-primitives/db-schema-reconcile-emittable.test.js +2 -0
  986. package/lib/vendor/blamejs/test/layer-0-primitives/db-schema-transaction.test.js +2 -0
  987. package/lib/vendor/blamejs/test/layer-0-primitives/db-stream-and-payload-shape.test.js +2 -0
  988. package/lib/vendor/blamejs/test/layer-0-primitives/db-vacuum.test.js +2 -0
  989. package/lib/vendor/blamejs/test/layer-0-primitives/db-worm.test.js +2 -0
  990. package/lib/vendor/blamejs/test/layer-0-primitives/ddl-change-control.test.js +2 -0
  991. package/lib/vendor/blamejs/test/layer-0-primitives/declare-row-policy.test.js +2 -0
  992. package/lib/vendor/blamejs/test/layer-0-primitives/declare-view.test.js +2 -0
  993. package/lib/vendor/blamejs/test/layer-0-primitives/defineguard-default-gate-posture-caps.test.js +2 -0
  994. package/lib/vendor/blamejs/test/layer-0-primitives/defineguard-resolve-opts.test.js +2 -0
  995. package/lib/vendor/blamejs/test/layer-0-primitives/deny-response.test.js +2 -0
  996. package/lib/vendor/blamejs/test/layer-0-primitives/did.test.js +2 -0
  997. package/lib/vendor/blamejs/test/layer-0-primitives/dns-dnssec-algorithm.test.js +2 -0
  998. package/lib/vendor/blamejs/test/layer-0-primitives/dns-null-mx.test.js +2 -0
  999. package/lib/vendor/blamejs/test/layer-0-primitives/dnssec.test.js +37 -0
  1000. package/lib/vendor/blamejs/test/layer-0-primitives/dora.test.js +2 -0
  1001. package/lib/vendor/blamejs/test/layer-0-primitives/dpop-alg-kty.test.js +2 -0
  1002. package/lib/vendor/blamejs/test/layer-0-primitives/dpop-htu-peergating.test.js +2 -0
  1003. package/lib/vendor/blamejs/test/layer-0-primitives/dpop-middleware-replaystore-required.test.js +2 -0
  1004. package/lib/vendor/blamejs/test/layer-0-primitives/dr-runbook.test.js +2 -0
  1005. package/lib/vendor/blamejs/test/layer-0-primitives/dsa.test.js +2 -0
  1006. package/lib/vendor/blamejs/test/layer-0-primitives/dsr-state-rules.test.js +2 -0
  1007. package/lib/vendor/blamejs/test/layer-0-primitives/dsr.test.js +2 -0
  1008. package/lib/vendor/blamejs/test/layer-0-primitives/dual-control.test.js +28 -0
  1009. package/lib/vendor/blamejs/test/layer-0-primitives/early-hints.test.js +2 -0
  1010. package/lib/vendor/blamejs/test/layer-0-primitives/eat.test.js +2 -0
  1011. package/lib/vendor/blamejs/test/layer-0-primitives/erase-posture-vacuum.test.js +2 -0
  1012. package/lib/vendor/blamejs/test/layer-0-primitives/events.test.js +2 -0
  1013. package/lib/vendor/blamejs/test/layer-0-primitives/exploit-replay.test.js +2 -0
  1014. package/lib/vendor/blamejs/test/layer-0-primitives/external-db-hardening.test.js +2 -0
  1015. package/lib/vendor/blamejs/test/layer-0-primitives/external-db-migrate.test.js +2 -0
  1016. package/lib/vendor/blamejs/test/layer-0-primitives/external-db-non-atomic-backend.test.js +2 -0
  1017. package/lib/vendor/blamejs/test/layer-0-primitives/external-db-routing.test.js +2 -0
  1018. package/lib/vendor/blamejs/test/layer-0-primitives/fal.test.js +2 -0
  1019. package/lib/vendor/blamejs/test/layer-0-primitives/fapi2.test.js +2 -0
  1020. package/lib/vendor/blamejs/test/layer-0-primitives/fda-21cfr11.test.js +2 -0
  1021. package/lib/vendor/blamejs/test/layer-0-primitives/fdx.test.js +2 -0
  1022. package/lib/vendor/blamejs/test/layer-0-primitives/fedcm-dbsc.test.js +2 -0
  1023. package/lib/vendor/blamejs/test/layer-0-primitives/federation-vc-suite.test.js +124 -0
  1024. package/lib/vendor/blamejs/test/layer-0-primitives/fetch-metadata.test.js +2 -0
  1025. package/lib/vendor/blamejs/test/layer-0-primitives/fido-mds3-cert-bad-validity.test.js +2 -0
  1026. package/lib/vendor/blamejs/test/layer-0-primitives/fido-mds3.test.js +2 -0
  1027. package/lib/vendor/blamejs/test/layer-0-primitives/file-type.test.js +2 -0
  1028. package/lib/vendor/blamejs/test/layer-0-primitives/file-upload-content-safety-skip-audit.test.js +66 -0
  1029. package/lib/vendor/blamejs/test/layer-0-primitives/file-upload-ownership.test.js +214 -0
  1030. package/lib/vendor/blamejs/test/layer-0-primitives/flag.test.js +2 -0
  1031. package/lib/vendor/blamejs/test/layer-0-primitives/forensic-snapshot.test.js +2 -0
  1032. package/lib/vendor/blamejs/test/layer-0-primitives/fsm.test.js +2 -0
  1033. package/lib/vendor/blamejs/test/layer-0-primitives/gate-contract-content-gate.test.js +2 -0
  1034. package/lib/vendor/blamejs/test/layer-0-primitives/gcs-bucket-ops.test.js +2 -0
  1035. package/lib/vendor/blamejs/test/layer-0-primitives/gdpr-ropa.test.js +2 -0
  1036. package/lib/vendor/blamejs/test/layer-0-primitives/graphql-federation.test.js +2 -0
  1037. package/lib/vendor/blamejs/test/layer-0-primitives/guard-agent-registry.test.js +2 -0
  1038. package/lib/vendor/blamejs/test/layer-0-primitives/guard-all.test.js +2 -0
  1039. package/lib/vendor/blamejs/test/layer-0-primitives/guard-archive.test.js +2 -0
  1040. package/lib/vendor/blamejs/test/layer-0-primitives/guard-csv.test.js +2 -0
  1041. package/lib/vendor/blamejs/test/layer-0-primitives/guard-dsn.test.js +2 -0
  1042. package/lib/vendor/blamejs/test/layer-0-primitives/guard-email.test.js +2 -0
  1043. package/lib/vendor/blamejs/test/layer-0-primitives/guard-envelope.test.js +2 -0
  1044. package/lib/vendor/blamejs/test/layer-0-primitives/guard-event-bus-payload.test.js +2 -0
  1045. package/lib/vendor/blamejs/test/layer-0-primitives/guard-event-bus-topic.test.js +2 -0
  1046. package/lib/vendor/blamejs/test/layer-0-primitives/guard-filename.test.js +2 -0
  1047. package/lib/vendor/blamejs/test/layer-0-primitives/guard-gate-disposition-coverage.test.js +2 -0
  1048. package/lib/vendor/blamejs/test/layer-0-primitives/guard-html-wcag.test.js +2 -0
  1049. package/lib/vendor/blamejs/test/layer-0-primitives/guard-html.test.js +2 -0
  1050. package/lib/vendor/blamejs/test/layer-0-primitives/guard-idempotency-key.test.js +2 -0
  1051. package/lib/vendor/blamejs/test/layer-0-primitives/guard-image.test.js +2 -0
  1052. package/lib/vendor/blamejs/test/layer-0-primitives/guard-imap-command.test.js +0 -0
  1053. package/lib/vendor/blamejs/test/layer-0-primitives/guard-jmap.test.js +2 -0
  1054. package/lib/vendor/blamejs/test/layer-0-primitives/guard-json.test.js +2 -0
  1055. package/lib/vendor/blamejs/test/layer-0-primitives/guard-list-id.test.js +2 -0
  1056. package/lib/vendor/blamejs/test/layer-0-primitives/guard-list-unsubscribe.test.js +2 -0
  1057. package/lib/vendor/blamejs/test/layer-0-primitives/guard-mail-compose.test.js +2 -0
  1058. package/lib/vendor/blamejs/test/layer-0-primitives/guard-mail-move.test.js +2 -0
  1059. package/lib/vendor/blamejs/test/layer-0-primitives/guard-mail-query.test.js +2 -0
  1060. package/lib/vendor/blamejs/test/layer-0-primitives/guard-mail-reply.test.js +2 -0
  1061. package/lib/vendor/blamejs/test/layer-0-primitives/guard-mail-sieve.test.js +2 -0
  1062. package/lib/vendor/blamejs/test/layer-0-primitives/guard-managesieve-command.test.js +2 -0
  1063. package/lib/vendor/blamejs/test/layer-0-primitives/guard-markdown.test.js +2 -0
  1064. package/lib/vendor/blamejs/test/layer-0-primitives/guard-message-id.test.js +0 -0
  1065. package/lib/vendor/blamejs/test/layer-0-primitives/guard-oauth-replay-failopen.test.js +57 -0
  1066. package/lib/vendor/blamejs/test/layer-0-primitives/guard-pdf.test.js +2 -0
  1067. package/lib/vendor/blamejs/test/layer-0-primitives/guard-pop3-command.test.js +2 -0
  1068. package/lib/vendor/blamejs/test/layer-0-primitives/guard-posture-chain.test.js +2 -0
  1069. package/lib/vendor/blamejs/test/layer-0-primitives/guard-saga-config.test.js +2 -0
  1070. package/lib/vendor/blamejs/test/layer-0-primitives/guard-smtp-command.test.js +2 -0
  1071. package/lib/vendor/blamejs/test/layer-0-primitives/guard-snapshot-envelope.test.js +2 -0
  1072. package/lib/vendor/blamejs/test/layer-0-primitives/guard-stream-args.test.js +2 -0
  1073. package/lib/vendor/blamejs/test/layer-0-primitives/guard-svg.test.js +2 -0
  1074. package/lib/vendor/blamejs/test/layer-0-primitives/guard-tenant-id.test.js +2 -0
  1075. package/lib/vendor/blamejs/test/layer-0-primitives/guard-text.test.js +2 -0
  1076. package/lib/vendor/blamejs/test/layer-0-primitives/guard-trace-context.test.js +2 -0
  1077. package/lib/vendor/blamejs/test/layer-0-primitives/guard-xml.test.js +2 -0
  1078. package/lib/vendor/blamejs/test/layer-0-primitives/guard-yaml.test.js +2 -0
  1079. package/lib/vendor/blamejs/test/layer-0-primitives/hal.test.js +2 -0
  1080. package/lib/vendor/blamejs/test/layer-0-primitives/honeytoken.test.js +2 -0
  1081. package/lib/vendor/blamejs/test/layer-0-primitives/html-balance.test.js +2 -0
  1082. package/lib/vendor/blamejs/test/layer-0-primitives/http-client-cache.test.js +2 -0
  1083. package/lib/vendor/blamejs/test/layer-0-primitives/http-client-stream.test.js +2 -0
  1084. package/lib/vendor/blamejs/test/layer-0-primitives/http-client-throttle-transform.test.js +2 -0
  1085. package/lib/vendor/blamejs/test/layer-0-primitives/http-message-signature.test.js +315 -3
  1086. package/lib/vendor/blamejs/test/layer-0-primitives/i18n-messageformat.test.js +26 -0
  1087. package/lib/vendor/blamejs/test/layer-0-primitives/i18n.test.js +2 -0
  1088. package/lib/vendor/blamejs/test/layer-0-primitives/iab-mspa.test.js +2 -0
  1089. package/lib/vendor/blamejs/test/layer-0-primitives/iab-tcf.test.js +2 -0
  1090. package/lib/vendor/blamejs/test/layer-0-primitives/idempotency-key.test.js +40 -0
  1091. package/lib/vendor/blamejs/test/layer-0-primitives/importmap-integrity.test.js +2 -0
  1092. package/lib/vendor/blamejs/test/layer-0-primitives/inbox.test.js +2 -0
  1093. package/lib/vendor/blamejs/test/layer-0-primitives/incident-report.test.js +2 -0
  1094. package/lib/vendor/blamejs/test/layer-0-primitives/ip-utils.test.js +2 -0
  1095. package/lib/vendor/blamejs/test/layer-0-primitives/jose-jwe-experimental.test.js +2 -0
  1096. package/lib/vendor/blamejs/test/layer-0-primitives/json-api.test.js +2 -0
  1097. package/lib/vendor/blamejs/test/layer-0-primitives/json-merge-patch.test.js +2 -0
  1098. package/lib/vendor/blamejs/test/layer-0-primitives/json-patch.test.js +2 -0
  1099. package/lib/vendor/blamejs/test/layer-0-primitives/json-path.test.js +2 -0
  1100. package/lib/vendor/blamejs/test/layer-0-primitives/json-round-trip-helper.test.js +2 -0
  1101. package/lib/vendor/blamejs/test/layer-0-primitives/json-schema.test.js +26 -0
  1102. package/lib/vendor/blamejs/test/layer-0-primitives/jtd.test.js +2 -0
  1103. package/lib/vendor/blamejs/test/layer-0-primitives/jwk.test.js +2 -0
  1104. package/lib/vendor/blamejs/test/layer-0-primitives/jwt-external.test.js +2 -0
  1105. package/lib/vendor/blamejs/test/layer-0-primitives/keychain-coverage.test.js +0 -0
  1106. package/lib/vendor/blamejs/test/layer-0-primitives/keychain-failclosed.test.js +185 -0
  1107. package/lib/vendor/blamejs/test/layer-0-primitives/keychain.test.js +0 -0
  1108. package/lib/vendor/blamejs/test/layer-0-primitives/legal-hold.test.js +2 -0
  1109. package/lib/vendor/blamejs/test/layer-0-primitives/link-header.test.js +2 -0
  1110. package/lib/vendor/blamejs/test/layer-0-primitives/local-db-thin.test.js +2 -0
  1111. package/lib/vendor/blamejs/test/layer-0-primitives/log-stream-cloudwatch.test.js +2 -0
  1112. package/lib/vendor/blamejs/test/layer-0-primitives/log-stream-otlp-grpc.test.js +2 -0
  1113. package/lib/vendor/blamejs/test/layer-0-primitives/log-stream-otlp.test.js +2 -0
  1114. package/lib/vendor/blamejs/test/layer-0-primitives/lro.test.js +2 -0
  1115. package/lib/vendor/blamejs/test/layer-0-primitives/mail-agent.test.js +2 -0
  1116. package/lib/vendor/blamejs/test/layer-0-primitives/mail-arf.test.js +2 -0
  1117. package/lib/vendor/blamejs/test/layer-0-primitives/mail-auth-coverage.test.js +437 -0
  1118. package/lib/vendor/blamejs/test/layer-0-primitives/mail-auth-dmarc-policy-failclosed.test.js +2 -0
  1119. package/lib/vendor/blamejs/test/layer-0-primitives/mail-auth-failclosed.test.js +144 -0
  1120. package/lib/vendor/blamejs/test/layer-0-primitives/mail-auth.test.js +289 -0
  1121. package/lib/vendor/blamejs/test/layer-0-primitives/mail-bimi-cert-validity-unparseable.test.js +2 -0
  1122. package/lib/vendor/blamejs/test/layer-0-primitives/mail-bimi.test.js +2 -0
  1123. package/lib/vendor/blamejs/test/layer-0-primitives/mail-bounce.test.js +61 -0
  1124. package/lib/vendor/blamejs/test/layer-0-primitives/mail-canspam.test.js +2 -0
  1125. package/lib/vendor/blamejs/test/layer-0-primitives/mail-crypto-pgp-experimental.test.js +2 -0
  1126. package/lib/vendor/blamejs/test/layer-0-primitives/mail-crypto-pgp.test.js +2 -0
  1127. package/lib/vendor/blamejs/test/layer-0-primitives/mail-crypto-smime-bad-validity.test.js +2 -0
  1128. package/lib/vendor/blamejs/test/layer-0-primitives/mail-crypto-smime.test.js +2 -0
  1129. package/lib/vendor/blamejs/test/layer-0-primitives/mail-dav.test.js +2 -0
  1130. package/lib/vendor/blamejs/test/layer-0-primitives/mail-deploy-tlsrpt.test.js +2 -0
  1131. package/lib/vendor/blamejs/test/layer-0-primitives/mail-deploy.test.js +2 -0
  1132. package/lib/vendor/blamejs/test/layer-0-primitives/mail-dkim-numericdate-failclosed.test.js +2 -0
  1133. package/lib/vendor/blamejs/test/layer-0-primitives/mail-dkim.test.js +130 -0
  1134. package/lib/vendor/blamejs/test/layer-0-primitives/mail-feedback-id.test.js +2 -0
  1135. package/lib/vendor/blamejs/test/layer-0-primitives/mail-greylist.test.js +2 -0
  1136. package/lib/vendor/blamejs/test/layer-0-primitives/mail-header-injection.test.js +2 -0
  1137. package/lib/vendor/blamejs/test/layer-0-primitives/mail-helo.test.js +17 -0
  1138. package/lib/vendor/blamejs/test/layer-0-primitives/mail-journal.test.js +2 -0
  1139. package/lib/vendor/blamejs/test/layer-0-primitives/mail-mdn.test.js +29 -0
  1140. package/lib/vendor/blamejs/test/layer-0-primitives/mail-proxy-framing-bounds.test.js +2 -0
  1141. package/lib/vendor/blamejs/test/layer-0-primitives/mail-rbl.test.js +2 -0
  1142. package/lib/vendor/blamejs/test/layer-0-primitives/mail-require-tls.test.js +2 -0
  1143. package/lib/vendor/blamejs/test/layer-0-primitives/mail-scan.test.js +2 -0
  1144. package/lib/vendor/blamejs/test/layer-0-primitives/mail-send-deliver.test.js +113 -0
  1145. package/lib/vendor/blamejs/test/layer-0-primitives/mail-server-imap.test.js +2 -0
  1146. package/lib/vendor/blamejs/test/layer-0-primitives/mail-server-jmap.test.js +50 -0
  1147. package/lib/vendor/blamejs/test/layer-0-primitives/mail-server-managesieve.test.js +2 -0
  1148. package/lib/vendor/blamejs/test/layer-0-primitives/mail-server-mx.test.js +2 -0
  1149. package/lib/vendor/blamejs/test/layer-0-primitives/mail-server-pop3.test.js +2 -0
  1150. package/lib/vendor/blamejs/test/layer-0-primitives/mail-server-rate-limit.test.js +2 -0
  1151. package/lib/vendor/blamejs/test/layer-0-primitives/mail-server-registry.test.js +2 -0
  1152. package/lib/vendor/blamejs/test/layer-0-primitives/mail-server-submission.test.js +2 -0
  1153. package/lib/vendor/blamejs/test/layer-0-primitives/mail-server-tls.test.js +2 -0
  1154. package/lib/vendor/blamejs/test/layer-0-primitives/mail-sieve.test.js +2 -0
  1155. package/lib/vendor/blamejs/test/layer-0-primitives/mail-spam-score.test.js +2 -0
  1156. package/lib/vendor/blamejs/test/layer-0-primitives/mail-srs.test.js +21 -0
  1157. package/lib/vendor/blamejs/test/layer-0-primitives/mail-store-fts.test.js +2 -0
  1158. package/lib/vendor/blamejs/test/layer-0-primitives/mail-store.test.js +2 -0
  1159. package/lib/vendor/blamejs/test/layer-0-primitives/mail-unsubscribe.test.js +2 -0
  1160. package/lib/vendor/blamejs/test/layer-0-primitives/mail.test.js +2 -0
  1161. package/lib/vendor/blamejs/test/layer-0-primitives/mcp-tool-registry.test.js +2 -0
  1162. package/lib/vendor/blamejs/test/layer-0-primitives/mcp.test.js +2 -0
  1163. package/lib/vendor/blamejs/test/layer-0-primitives/mdoc.test.js +2 -0
  1164. package/lib/vendor/blamejs/test/layer-0-primitives/metrics-shadow-registry.test.js +2 -0
  1165. package/lib/vendor/blamejs/test/layer-0-primitives/metrics-snapshot.test.js +2 -0
  1166. package/lib/vendor/blamejs/test/layer-0-primitives/middleware-compose-pipeline.test.js +2 -0
  1167. package/lib/vendor/blamejs/test/layer-0-primitives/mime-parse.test.js +11 -0
  1168. package/lib/vendor/blamejs/test/layer-0-primitives/money.test.js +2 -0
  1169. package/lib/vendor/blamejs/test/layer-0-primitives/mtls-ca-paths.test.js +2 -0
  1170. package/lib/vendor/blamejs/test/layer-0-primitives/mtls-ca-revocation.test.js +2 -0
  1171. package/lib/vendor/blamejs/test/layer-0-primitives/nel.test.js +2 -0
  1172. package/lib/vendor/blamejs/test/layer-0-primitives/network-allowlist.test.js +2 -0
  1173. package/lib/vendor/blamejs/test/layer-0-primitives/network-byte-quota.test.js +65 -0
  1174. package/lib/vendor/blamejs/test/layer-0-primitives/network-dns-lookup-timeout-default.test.js +2 -0
  1175. package/lib/vendor/blamejs/test/layer-0-primitives/network-dns-resolver-timeout.test.js +2 -0
  1176. package/lib/vendor/blamejs/test/layer-0-primitives/network-dns-resolver.test.js +28 -0
  1177. package/lib/vendor/blamejs/test/layer-0-primitives/network-dns.test.js +2 -0
  1178. package/lib/vendor/blamejs/test/layer-0-primitives/network-heartbeat-passive.test.js +2 -0
  1179. package/lib/vendor/blamejs/test/layer-0-primitives/network-nts-handshake-byte-cap.test.js +2 -0
  1180. package/lib/vendor/blamejs/test/layer-0-primitives/network-smtp-policy-coverage.test.js +565 -0
  1181. package/lib/vendor/blamejs/test/layer-0-primitives/network-tls-build-options.test.js +2 -0
  1182. package/lib/vendor/blamejs/test/layer-0-primitives/network-tls-ct-inclusion.test.js +2 -0
  1183. package/lib/vendor/blamejs/test/layer-0-primitives/network-tls.test.js +2 -0
  1184. package/lib/vendor/blamejs/test/layer-0-primitives/network-tsig.test.js +26 -0
  1185. package/lib/vendor/blamejs/test/layer-0-primitives/network.test.js +2 -0
  1186. package/lib/vendor/blamejs/test/layer-0-primitives/nis2-report.test.js +2 -0
  1187. package/lib/vendor/blamejs/test/layer-0-primitives/nist-crosswalk.test.js +2 -0
  1188. package/lib/vendor/blamejs/test/layer-0-primitives/no-cache.test.js +2 -0
  1189. package/lib/vendor/blamejs/test/layer-0-primitives/nonce-store-release.test.js +2 -0
  1190. package/lib/vendor/blamejs/test/layer-0-primitives/notify.test.js +2 -0
  1191. package/lib/vendor/blamejs/test/layer-0-primitives/numeric-bounds.test.js +2 -0
  1192. package/lib/vendor/blamejs/test/layer-0-primitives/oauth-callback.test.js +2 -0
  1193. package/lib/vendor/blamejs/test/layer-0-primitives/object-store-range-header.test.js +2 -0
  1194. package/lib/vendor/blamejs/test/layer-0-primitives/object-store-versioned-delete.test.js +2 -0
  1195. package/lib/vendor/blamejs/test/layer-0-primitives/observability-tracing.test.js +22 -0
  1196. package/lib/vendor/blamejs/test/layer-0-primitives/observability.test.js +2 -0
  1197. package/lib/vendor/blamejs/test/layer-0-primitives/openapi.test.js +2 -0
  1198. package/lib/vendor/blamejs/test/layer-0-primitives/otel-export.test.js +2 -0
  1199. package/lib/vendor/blamejs/test/layer-0-primitives/otlp-attr-redaction.test.js +8 -0
  1200. package/lib/vendor/blamejs/test/layer-0-primitives/outbox-inflight-reaper.test.js +2 -0
  1201. package/lib/vendor/blamejs/test/layer-0-primitives/output-header-hardening.test.js +2 -0
  1202. package/lib/vendor/blamejs/test/layer-0-primitives/pagination.test.js +2 -0
  1203. package/lib/vendor/blamejs/test/layer-0-primitives/parser-verify-hardening.test.js +2 -0
  1204. package/lib/vendor/blamejs/test/layer-0-primitives/parsers-standalone.test.js +2 -0
  1205. package/lib/vendor/blamejs/test/layer-0-primitives/passkey-real-vectors.test.js +2 -0
  1206. package/lib/vendor/blamejs/test/layer-0-primitives/passkey.test.js +2 -0
  1207. package/lib/vendor/blamejs/test/layer-0-primitives/permissions.test.js +2 -0
  1208. package/lib/vendor/blamejs/test/layer-0-primitives/pipl-cn.test.js +2 -0
  1209. package/lib/vendor/blamejs/test/layer-0-primitives/pqc-agent-curve.test.js +2 -0
  1210. package/lib/vendor/blamejs/test/layer-0-primitives/pqc-software.test.js +2 -0
  1211. package/lib/vendor/blamejs/test/layer-0-primitives/privacy-pass.test.js +2 -0
  1212. package/lib/vendor/blamejs/test/layer-0-primitives/privacy-vendor-review.test.js +2 -0
  1213. package/lib/vendor/blamejs/test/layer-0-primitives/problem-details.test.js +2 -0
  1214. package/lib/vendor/blamejs/test/layer-0-primitives/process-spawn.test.js +2 -0
  1215. package/lib/vendor/blamejs/test/layer-0-primitives/promise-pool.test.js +2 -0
  1216. package/lib/vendor/blamejs/test/layer-0-primitives/protected-resource-metadata.test.js +2 -0
  1217. package/lib/vendor/blamejs/test/layer-0-primitives/proto-shadow-allowlist.test.js +2 -0
  1218. package/lib/vendor/blamejs/test/layer-0-primitives/protobuf-encoder.test.js +2 -0
  1219. package/lib/vendor/blamejs/test/layer-0-primitives/protocol-dispatcher.test.js +2 -0
  1220. package/lib/vendor/blamejs/test/layer-0-primitives/public-suffix.test.js +29 -0
  1221. package/lib/vendor/blamejs/test/layer-0-primitives/pubsub.test.js +2 -0
  1222. package/lib/vendor/blamejs/test/layer-0-primitives/queue-byo-db.test.js +2 -0
  1223. package/lib/vendor/blamejs/test/layer-0-primitives/queue-dlq-extend-lease.test.js +44 -0
  1224. package/lib/vendor/blamejs/test/layer-0-primitives/queue-flow-repeat.test.js +2 -0
  1225. package/lib/vendor/blamejs/test/layer-0-primitives/queue-priority-rate-progress.test.js +2 -0
  1226. package/lib/vendor/blamejs/test/layer-0-primitives/queue-sqs.test.js +2 -0
  1227. package/lib/vendor/blamejs/test/layer-0-primitives/rate-limit-cluster.test.js +2 -0
  1228. package/lib/vendor/blamejs/test/layer-0-primitives/rate-limit-memory-getorinsert.test.js +2 -0
  1229. package/lib/vendor/blamejs/test/layer-0-primitives/rate-limit-registry.test.js +2 -0
  1230. package/lib/vendor/blamejs/test/layer-0-primitives/rate-limit-xff-spoofing.test.js +2 -0
  1231. package/lib/vendor/blamejs/test/layer-0-primitives/redact-dlp.test.js +2 -0
  1232. package/lib/vendor/blamejs/test/layer-0-primitives/redis-client.test.js +16 -0
  1233. package/lib/vendor/blamejs/test/layer-0-primitives/request-helpers.test.js +7 -0
  1234. package/lib/vendor/blamejs/test/layer-0-primitives/request-id-async-context.test.js +2 -0
  1235. package/lib/vendor/blamejs/test/layer-0-primitives/request-log.test.js +3 -0
  1236. package/lib/vendor/blamejs/test/layer-0-primitives/require-auth-cache-control.test.js +2 -0
  1237. package/lib/vendor/blamejs/test/layer-0-primitives/require-mtls.test.js +2 -0
  1238. package/lib/vendor/blamejs/test/layer-0-primitives/resource-access-lock.test.js +2 -0
  1239. package/lib/vendor/blamejs/test/layer-0-primitives/restore-blob-remap.test.js +2 -0
  1240. package/lib/vendor/blamejs/test/layer-0-primitives/retention-dryrun-no-vacuum.test.js +2 -0
  1241. package/lib/vendor/blamejs/test/layer-0-primitives/retention-floor.test.js +2 -0
  1242. package/lib/vendor/blamejs/test/layer-0-primitives/retention-sweep-termination.test.js +2 -0
  1243. package/lib/vendor/blamejs/test/layer-0-primitives/retry.test.js +2 -0
  1244. package/lib/vendor/blamejs/test/layer-0-primitives/router-body-validation.test.js +2 -0
  1245. package/lib/vendor/blamejs/test/layer-0-primitives/router-coverage.test.js +592 -0
  1246. package/lib/vendor/blamejs/test/layer-0-primitives/router-cross-origin-redirect.test.js +0 -0
  1247. package/lib/vendor/blamejs/test/layer-0-primitives/router-failclosed.test.js +0 -0
  1248. package/lib/vendor/blamejs/test/layer-0-primitives/router-tls0rtt.test.js +2 -0
  1249. package/lib/vendor/blamejs/test/layer-0-primitives/router-use-path-scope.test.js +59 -0
  1250. package/lib/vendor/blamejs/test/layer-0-primitives/safe-archive-auto-unwrap.test.js +2 -0
  1251. package/lib/vendor/blamejs/test/layer-0-primitives/safe-archive-inspect-unwrap.test.js +2 -0
  1252. package/lib/vendor/blamejs/test/layer-0-primitives/safe-async-loops.test.js +41 -0
  1253. package/lib/vendor/blamejs/test/layer-0-primitives/safe-async-parallel.test.js +2 -0
  1254. package/lib/vendor/blamejs/test/layer-0-primitives/safe-buffer-linear-scans.test.js +13 -0
  1255. package/lib/vendor/blamejs/test/layer-0-primitives/safe-decompress.test.js +2 -0
  1256. package/lib/vendor/blamejs/test/layer-0-primitives/safe-dns.test.js +2 -0
  1257. package/lib/vendor/blamejs/test/layer-0-primitives/safe-ical.test.js +2 -0
  1258. package/lib/vendor/blamejs/test/layer-0-primitives/safe-icap.test.js +2 -0
  1259. package/lib/vendor/blamejs/test/layer-0-primitives/safe-json-stringify-for-script.test.js +2 -0
  1260. package/lib/vendor/blamejs/test/layer-0-primitives/safe-jsonpath.test.js +2 -0
  1261. package/lib/vendor/blamejs/test/layer-0-primitives/safe-mime.test.js +2 -0
  1262. package/lib/vendor/blamejs/test/layer-0-primitives/safe-mount-info.test.js +2 -0
  1263. package/lib/vendor/blamejs/test/layer-0-primitives/safe-path.test.js +2 -0
  1264. package/lib/vendor/blamejs/test/layer-0-primitives/safe-redirect.test.js +2 -0
  1265. package/lib/vendor/blamejs/test/layer-0-primitives/safe-sieve.test.js +2 -0
  1266. package/lib/vendor/blamejs/test/layer-0-primitives/safe-smtp.test.js +2 -0
  1267. package/lib/vendor/blamejs/test/layer-0-primitives/safe-url-canonicalize.test.js +2 -0
  1268. package/lib/vendor/blamejs/test/layer-0-primitives/safe-url-idn-homograph.test.js +2 -0
  1269. package/lib/vendor/blamejs/test/layer-0-primitives/safe-vcard.test.js +2 -0
  1270. package/lib/vendor/blamejs/test/layer-0-primitives/safe-xml.test.js +2 -0
  1271. package/lib/vendor/blamejs/test/layer-0-primitives/saml-mdq-wrapping.test.js +237 -0
  1272. package/lib/vendor/blamejs/test/layer-0-primitives/saml-slo.test.js +2 -0
  1273. package/lib/vendor/blamejs/test/layer-0-primitives/saml-subjectconfirmation-notbefore.test.js +2 -0
  1274. package/lib/vendor/blamejs/test/layer-0-primitives/saml-subjectconfirmation-notonorafter.test.js +2 -0
  1275. package/lib/vendor/blamejs/test/layer-0-primitives/sandbox.test.js +2 -0
  1276. package/lib/vendor/blamejs/test/layer-0-primitives/scheduler-exactly-once.test.js +2 -0
  1277. package/lib/vendor/blamejs/test/layer-0-primitives/scheduler-watchdog-stale-settle.test.js +2 -0
  1278. package/lib/vendor/blamejs/test/layer-0-primitives/scim-server.test.js +2 -0
  1279. package/lib/vendor/blamejs/test/layer-0-primitives/scitt.test.js +2 -0
  1280. package/lib/vendor/blamejs/test/layer-0-primitives/sd-jwt-vc-ecdsa-p1363.test.js +2 -0
  1281. package/lib/vendor/blamejs/test/layer-0-primitives/sd-jwt-vc.test.js +2 -0
  1282. package/lib/vendor/blamejs/test/layer-0-primitives/sd-notify.test.js +2 -0
  1283. package/lib/vendor/blamejs/test/layer-0-primitives/sec-cyber.test.js +2 -0
  1284. package/lib/vendor/blamejs/test/layer-0-primitives/security-assert.test.js +2 -0
  1285. package/lib/vendor/blamejs/test/layer-0-primitives/security-headers.test.js +2 -0
  1286. package/lib/vendor/blamejs/test/layer-0-primitives/security-txt.test.js +2 -0
  1287. package/lib/vendor/blamejs/test/layer-0-primitives/seeders.test.js +2 -0
  1288. package/lib/vendor/blamejs/test/layer-0-primitives/self-update-poll-asset-digest.test.js +2 -0
  1289. package/lib/vendor/blamejs/test/layer-0-primitives/self-update-standalone-verifier-ecdsa-encoding.test.js +9 -1
  1290. package/lib/vendor/blamejs/test/layer-0-primitives/self-update-standalone-verifier.test.js +2 -0
  1291. package/lib/vendor/blamejs/test/layer-0-primitives/self-update.test.js +87 -4
  1292. package/lib/vendor/blamejs/test/layer-0-primitives/server-timing.test.js +2 -0
  1293. package/lib/vendor/blamejs/test/layer-0-primitives/session-binding-unreadable-failclosed.test.js +80 -0
  1294. package/lib/vendor/blamejs/test/layer-0-primitives/session-destroy-all-store-backed.test.js +2 -0
  1295. package/lib/vendor/blamejs/test/layer-0-primitives/session-device-binding-ipv6-canonical-and-no-store.test.js +2 -0
  1296. package/lib/vendor/blamejs/test/layer-0-primitives/session-device-binding.test.js +2 -0
  1297. package/lib/vendor/blamejs/test/layer-0-primitives/session-extensions.test.js +2 -0
  1298. package/lib/vendor/blamejs/test/layer-0-primitives/session-valid-from.test.js +2 -0
  1299. package/lib/vendor/blamejs/test/layer-0-primitives/shape-match.test.js +2 -0
  1300. package/lib/vendor/blamejs/test/layer-0-primitives/sigv4-bucket-ops.test.js +2 -0
  1301. package/lib/vendor/blamejs/test/layer-0-primitives/sigv4-multipart-sse.test.js +2 -0
  1302. package/lib/vendor/blamejs/test/layer-0-primitives/slug.test.js +2 -0
  1303. package/lib/vendor/blamejs/test/layer-0-primitives/smtp-policy.test.js +5 -1
  1304. package/lib/vendor/blamejs/test/layer-0-primitives/source-comment-blocks.test.js +2 -0
  1305. package/lib/vendor/blamejs/test/layer-0-primitives/speculation-rules.test.js +2 -0
  1306. package/lib/vendor/blamejs/test/layer-0-primitives/sql-coverage.test.js +422 -0
  1307. package/lib/vendor/blamejs/test/layer-0-primitives/sql.test.js +2 -0
  1308. package/lib/vendor/blamejs/test/layer-0-primitives/sse-backpressure.test.js +2 -0
  1309. package/lib/vendor/blamejs/test/layer-0-primitives/sse.test.js +2 -0
  1310. package/lib/vendor/blamejs/test/layer-0-primitives/ssrf-guard.test.js +23 -1
  1311. package/lib/vendor/blamejs/test/layer-0-primitives/standard-webhooks.test.js +2 -0
  1312. package/lib/vendor/blamejs/test/layer-0-primitives/static.test.js +33 -0
  1313. package/lib/vendor/blamejs/test/layer-0-primitives/step-up.test.js +44 -0
  1314. package/lib/vendor/blamejs/test/layer-0-primitives/storage-chunk-scratch.test.js +0 -0
  1315. package/lib/vendor/blamejs/test/layer-0-primitives/storage-presigned-url.test.js +2 -0
  1316. package/lib/vendor/blamejs/test/layer-0-primitives/stream-throttle.test.js +2 -0
  1317. package/lib/vendor/blamejs/test/layer-0-primitives/structured-fields-codec.test.js +2 -0
  1318. package/lib/vendor/blamejs/test/layer-0-primitives/structured-fields.test.js +2 -0
  1319. package/lib/vendor/blamejs/test/layer-0-primitives/tcpa-10dlc.test.js +2 -0
  1320. package/lib/vendor/blamejs/test/layer-0-primitives/template-escape-html.test.js +2 -0
  1321. package/lib/vendor/blamejs/test/layer-0-primitives/tenant-quota.test.js +2 -0
  1322. package/lib/vendor/blamejs/test/layer-0-primitives/test-coverage.test.js +2 -0
  1323. package/lib/vendor/blamejs/test/layer-0-primitives/test-harness.test.js +2 -0
  1324. package/lib/vendor/blamejs/test/layer-0-primitives/testing-request.test.js +2 -0
  1325. package/lib/vendor/blamejs/test/layer-0-primitives/testing.test.js +2 -0
  1326. package/lib/vendor/blamejs/test/layer-0-primitives/time.test.js +2 -0
  1327. package/lib/vendor/blamejs/test/layer-0-primitives/tls-exporter.test.js +2 -0
  1328. package/lib/vendor/blamejs/test/layer-0-primitives/tls-ocsp-ct.test.js +2 -0
  1329. package/lib/vendor/blamejs/test/layer-0-primitives/tls-ocsp-freshness.test.js +6 -2
  1330. package/lib/vendor/blamejs/test/layer-0-primitives/tls-ocsp-verify.test.js +127 -3
  1331. package/lib/vendor/blamejs/test/layer-0-primitives/tls-pinset-drift.test.js +2 -0
  1332. package/lib/vendor/blamejs/test/layer-0-primitives/tls-preferred-groups.test.js +2 -0
  1333. package/lib/vendor/blamejs/test/layer-0-primitives/tracing.test.js +2 -0
  1334. package/lib/vendor/blamejs/test/layer-0-primitives/tsa.test.js +2 -0
  1335. package/lib/vendor/blamejs/test/layer-0-primitives/uri-template.test.js +2 -0
  1336. package/lib/vendor/blamejs/test/layer-0-primitives/uuid.test.js +2 -0
  1337. package/lib/vendor/blamejs/test/layer-0-primitives/validate-opts-port.test.js +2 -0
  1338. package/lib/vendor/blamejs/test/layer-0-primitives/validate-opts-shape.test.js +2 -0
  1339. package/lib/vendor/blamejs/test/layer-0-primitives/vault-aad.test.js +2 -0
  1340. package/lib/vendor/blamejs/test/layer-0-primitives/vault-default-store.test.js +2 -0
  1341. package/lib/vendor/blamejs/test/layer-0-primitives/vault-rotate-aad.test.js +2 -0
  1342. package/lib/vendor/blamejs/test/layer-0-primitives/vault-seal-pem-file.test.js +2 -0
  1343. package/lib/vendor/blamejs/test/layer-0-primitives/vc.test.js +25 -0
  1344. package/lib/vendor/blamejs/test/layer-0-primitives/vendor-currency-classify.test.js +2 -0
  1345. package/lib/vendor/blamejs/test/layer-0-primitives/vendor-data.test.js +2 -0
  1346. package/lib/vendor/blamejs/test/layer-0-primitives/vendor-manifest.test.js +2 -0
  1347. package/lib/vendor/blamejs/test/layer-0-primitives/vex.test.js +2 -0
  1348. package/lib/vendor/blamejs/test/layer-0-primitives/watcher.test.js +2 -0
  1349. package/lib/vendor/blamejs/test/layer-0-primitives/web-push-vapid.test.js +2 -0
  1350. package/lib/vendor/blamejs/test/layer-0-primitives/webhook-dispatcher.test.js +77 -0
  1351. package/lib/vendor/blamejs/test/layer-0-primitives/webhook-verify-nonce-atomic.test.js +2 -0
  1352. package/lib/vendor/blamejs/test/layer-0-primitives/webhook.test.js +2 -0
  1353. package/lib/vendor/blamejs/test/layer-0-primitives/websocket-channels.test.js +2 -0
  1354. package/lib/vendor/blamejs/test/layer-0-primitives/websocket-extension-header.test.js +2 -0
  1355. package/lib/vendor/blamejs/test/layer-0-primitives/worker-pool-recycle-race.test.js +2 -0
  1356. package/lib/vendor/blamejs/test/layer-0-primitives/worker-pool.test.js +2 -0
  1357. package/lib/vendor/blamejs/test/layer-0-primitives/worm.test.js +2 -0
  1358. package/lib/vendor/blamejs/test/layer-0-primitives/ws-client.test.js +2 -0
  1359. package/lib/vendor/blamejs/test/layer-0-primitives/x509-chain-ca-enforcement.test.js +117 -1
  1360. package/lib/vendor/blamejs/test/layer-1-state/api-key.test.js +2 -0
  1361. package/lib/vendor/blamejs/test/layer-5-integration/bundler-output.test.js +2 -0
  1362. package/lib/vendor/blamejs/test/layer-5-integration/external-db-residency.test.js +2 -0
  1363. package/lib/vendor/blamejs/test/layer-5-integration/guard-host-integration.test.js +2 -0
  1364. package/lib/vendor/blamejs/test/layer-5-integration/security-chaos.test.js +2 -0
  1365. package/lib/vendor/blamejs/test/smoke.js +2 -0
  1366. package/package.json +5 -2
  1367. package/lib/vendor/blamejs/release-notes/v0.15.0.json +0 -77
  1368. package/lib/vendor/blamejs/release-notes/v0.15.1.json +0 -22
  1369. package/lib/vendor/blamejs/release-notes/v0.15.10.json +0 -53
  1370. package/lib/vendor/blamejs/release-notes/v0.15.11.json +0 -52
  1371. package/lib/vendor/blamejs/release-notes/v0.15.12.json +0 -47
  1372. package/lib/vendor/blamejs/release-notes/v0.15.13.json +0 -81
  1373. package/lib/vendor/blamejs/release-notes/v0.15.14.json +0 -122
  1374. package/lib/vendor/blamejs/release-notes/v0.15.15.json +0 -73
  1375. package/lib/vendor/blamejs/release-notes/v0.15.16.json +0 -94
  1376. package/lib/vendor/blamejs/release-notes/v0.15.17.json +0 -52
  1377. package/lib/vendor/blamejs/release-notes/v0.15.18.json +0 -49
  1378. package/lib/vendor/blamejs/release-notes/v0.15.19.json +0 -18
  1379. package/lib/vendor/blamejs/release-notes/v0.15.2.json +0 -22
  1380. package/lib/vendor/blamejs/release-notes/v0.15.20.json +0 -27
  1381. package/lib/vendor/blamejs/release-notes/v0.15.21.json +0 -51
  1382. package/lib/vendor/blamejs/release-notes/v0.15.22.json +0 -18
  1383. package/lib/vendor/blamejs/release-notes/v0.15.23.json +0 -22
  1384. package/lib/vendor/blamejs/release-notes/v0.15.24.json +0 -22
  1385. package/lib/vendor/blamejs/release-notes/v0.15.25.json +0 -18
  1386. package/lib/vendor/blamejs/release-notes/v0.15.26.json +0 -18
  1387. package/lib/vendor/blamejs/release-notes/v0.15.27.json +0 -18
  1388. package/lib/vendor/blamejs/release-notes/v0.15.28.json +0 -18
  1389. package/lib/vendor/blamejs/release-notes/v0.15.29.json +0 -27
  1390. package/lib/vendor/blamejs/release-notes/v0.15.3.json +0 -39
  1391. package/lib/vendor/blamejs/release-notes/v0.15.30.json +0 -18
  1392. package/lib/vendor/blamejs/release-notes/v0.15.31.json +0 -18
  1393. package/lib/vendor/blamejs/release-notes/v0.15.32.json +0 -18
  1394. package/lib/vendor/blamejs/release-notes/v0.15.33.json +0 -18
  1395. package/lib/vendor/blamejs/release-notes/v0.15.34.json +0 -27
  1396. package/lib/vendor/blamejs/release-notes/v0.15.35.json +0 -27
  1397. package/lib/vendor/blamejs/release-notes/v0.15.36.json +0 -18
  1398. package/lib/vendor/blamejs/release-notes/v0.15.37.json +0 -26
  1399. package/lib/vendor/blamejs/release-notes/v0.15.38.json +0 -26
  1400. package/lib/vendor/blamejs/release-notes/v0.15.4.json +0 -39
  1401. package/lib/vendor/blamejs/release-notes/v0.15.5.json +0 -22
  1402. package/lib/vendor/blamejs/release-notes/v0.15.6.json +0 -59
  1403. package/lib/vendor/blamejs/release-notes/v0.15.7.json +0 -43
  1404. package/lib/vendor/blamejs/release-notes/v0.15.8.json +0 -48
  1405. package/lib/vendor/blamejs/release-notes/v0.15.9.json +0 -58
@@ -1,3 +1,5 @@
1
+ // SPDX-License-Identifier: Apache-2.0
2
+ // Copyright (c) blamejs contributors
1
3
  "use strict";
2
4
 
3
5
  // SMOKE_RUN_SOLO — the smoke runner (test/smoke.js) runs this file ALONE
@@ -337,6 +339,7 @@ var VALID_ALLOW_CLASSES = {
337
339
  "inline-require-non-empty-string-validation": 1,
338
340
  "internal-binding-in-prose": 1,
339
341
  "internal-narrative-comment": 1,
342
+ "leftmost-domain-informational": 1,
340
343
  "list-without-pagination": 1,
341
344
  "math-random-noncrypto-jitter-sampling": 1,
342
345
  "no-number-money-arithmetic": 1,
@@ -1173,6 +1176,9 @@ var CANONICAL_REQUIRE_BINDINGS = {
1173
1176
  // public namespace and doesn't shadow node:crypto.
1174
1177
  "./crypto": "bCrypto",
1175
1178
  "../crypto": "bCrypto",
1179
+ // Internal ARC/DKIM reuse handshake token (a Symbol) — same constant-style
1180
+ // name in mail-dkim (checker) and mail-auth (setter).
1181
+ "./mail-arc-reuse-token": "ARC_AMS_REUSE",
1176
1182
  };
1177
1183
 
1178
1184
  // Node built-ins that the framework requires anywhere — used by the
@@ -1881,6 +1887,616 @@ function testNoDynamicRegexFromOperatorInput() {
1881
1887
  matches);
1882
1888
  }
1883
1889
 
1890
+ // ---- Pattern: operator RegExp instance matched against request input without a ReDoS screen ----
1891
+ //
1892
+ // A primitive that accepts an operator-supplied RegExp (`instanceof RegExp`
1893
+ // from opts) AND executes it (`.test` / `.exec` / `.match`) is a ReDoS surface
1894
+ // when the matched value is attacker-controllable (User-Agent, Origin, request
1895
+ // path, form field, SMTP HELO, remote asset name): an accidentally-catastrophic
1896
+ // operator pattern pins a CPU on a crafted input, and a length cap does not
1897
+ // bound backtracking. v0.15.38 / v0.15.39 swept the whole family — bot-guard,
1898
+ // cors, span-http-server, request-log, request-helpers, forms, static,
1899
+ // mail-helo, self-update (+ the string-compile siblings flag-targeting / mcp,
1900
+ // covered by the dynamic-regex detector) — and routed every operator pattern
1901
+ // through `b.guardRegex.assertSafe` at config time. A NEW such site must do the
1902
+ // same. This is the structural guard the operator-regex-ReDoS class (a Codex
1903
+ // finding) earns so it can't be reintroduced. The ALLOW map covers files whose
1904
+ // accepted RegExp is matched against a TRUSTED value, not attacker request data.
1905
+ function testOperatorRegexScreenedForReDoS() {
1906
+ var ALLOW = {
1907
+ "lib/dev.js": "ignore RegExp matched against an fs.watch filename in the operator's local source tree; dev-loop only, hard-refused under NODE_ENV=production",
1908
+ "lib/parsers/safe-env.js": "keyShape RegExp matched against env-var keys parsed from the operator's .env config at boot, not request input",
1909
+ "lib/safe-json.js": "JSON Schema `pattern` is part of the operator-owned schema (the documented trust boundary), not request data — same stance as the dynamic-regex detector's safe-json exclusion",
1910
+ };
1911
+ var files = _libFiles();
1912
+ var bad = [];
1913
+ for (var fi = 0; fi < files.length; fi++) {
1914
+ var rel = _relPath(files[fi]);
1915
+ if (ALLOW[rel]) continue;
1916
+ var content;
1917
+ try { content = fs.readFileSync(files[fi], "utf8"); }
1918
+ catch (_e) { continue; }
1919
+ if (!/instanceof RegExp/.test(content)) continue; // accepts an operator RegExp opt
1920
+ if (!/\.(?:test|exec|match)\s*\(/.test(content)) continue; // and executes a regex
1921
+ if (/\bassertSafe\s*\(/.test(content)) continue; // already ReDoS-screened
1922
+ var lines = content.split(/\r?\n/);
1923
+ for (var li = 0; li < lines.length; li++) {
1924
+ if (/instanceof RegExp/.test(lines[li])) {
1925
+ bad.push({
1926
+ file: rel,
1927
+ line: li + 1,
1928
+ content: "accepts an operator-supplied RegExp + executes a regex but never calls b.guardRegex.assertSafe — screen the operator pattern for ReDoS at config time, or add the file to this detector's ALLOW map with a reason if the regex is matched against trusted (non-request) input",
1929
+ });
1930
+ break;
1931
+ }
1932
+ }
1933
+ }
1934
+ _report("a primitive accepting + executing an operator-supplied RegExp must ReDoS-screen it via b.guardRegex.assertSafe (or be allowlisted as matched-against-trusted-input)",
1935
+ bad);
1936
+ }
1937
+
1938
+ // ---- Pattern: process.moduleLoadList filter must match the "NativeModule X" naming ----
1939
+ //
1940
+ // An edge-runtime guard test inspects process.moduleLoadList to assert a
1941
+ // networking builtin did NOT eager-load. Node 20+ records a loaded builtin as
1942
+ // "NativeModule http" (Node <24 also used "node:http"); filtering ONLY the
1943
+ // `node:` form silently passes even after a top-level networking require is
1944
+ // reintroduced — the test rots green and the regression ships (Codex P2, PR
1945
+ // #381). Any test that filters moduleLoadList must also match "NativeModule ".
1946
+ function testModuleLoadListMatchesNativeModuleNaming() {
1947
+ var files = _testFiles();
1948
+ var bad = [];
1949
+ for (var fi = 0; fi < files.length; fi++) {
1950
+ var rel = _relPath(files[fi]);
1951
+ var content;
1952
+ try { content = fs.readFileSync(files[fi], "utf8"); }
1953
+ catch (_e) { continue; }
1954
+ if (!/moduleLoadList/.test(content)) continue;
1955
+ if (/NativeModule/.test(content)) continue; // matches the Node 20+ form
1956
+ var lines = content.split(/\r?\n/);
1957
+ for (var li = 0; li < lines.length; li++) {
1958
+ if (/moduleLoadList/.test(lines[li])) {
1959
+ bad.push({
1960
+ file: rel,
1961
+ line: li + 1,
1962
+ content: "filters process.moduleLoadList without matching the 'NativeModule X' naming (Node 20+) — a `node:`-only filter rots green when a top-level builtin require is reintroduced; match `NativeModule ` too",
1963
+ });
1964
+ break;
1965
+ }
1966
+ }
1967
+ }
1968
+ _report("a test filtering process.moduleLoadList must match the 'NativeModule X' naming (Node 20+), not only 'node:X'",
1969
+ bad);
1970
+ }
1971
+
1972
+ // (No structural detector for the PR #370 sync-run().catch class: a sync
1973
+ // `function run()` that RETURNS a promise chain is the common, correct pattern,
1974
+ // so `run().then/.catch` cannot be distinguished lexically from the bug shape
1975
+ // — sync run() returning UNDEFINED. That case is behavioral, guarded by the
1976
+ // inline fix + the test-detached-async-iife / test-unguarded-module-level-run
1977
+ // detectors for adjacent shapes.)
1978
+
1979
+ // ---- Pattern: a competing-consumer claim must use FOR UPDATE SKIP LOCKED ----
1980
+ //
1981
+ // A poller that claims due rows across concurrent workers — SELECT
1982
+ // status='pending' inside a transaction, then flip the rows to
1983
+ // 'in-flight'/'inflight' — MUST hold a row lock via FOR UPDATE SKIP LOCKED on
1984
+ // the row-locking backends (Postgres / MySQL). Without it, two pollers under
1985
+ // READ COMMITTED both SELECT the same pending row; the loser's gated UPDATE
1986
+ // matches zero rows, but a reselect-by-id re-reads the row the WINNER just
1987
+ // flipped to in-flight and hands it back — so both workers process the same row
1988
+ // in one cycle. sqlite's single writer is safe via the mark-then-reselect
1989
+ // fallback, but that fallback ALONE (no skipLocked branch) is the bug.
1990
+ // b.outbox._claimBatch and b.queue-local are the canonical correct claims; the
1991
+ // webhook dispatcher's processRetries shipped without the skipLocked branch and
1992
+ // double-claimed under Postgres / MySQL (fixed this release). This guards every
1993
+ // future poller from re-introducing the no-SKIP-LOCKED shape.
1994
+ function testCompetingConsumerClaimUsesSkipLocked() {
1995
+ var bad = [];
1996
+ var files = _libFiles();
1997
+ for (var fi = 0; fi < files.length; fi++) {
1998
+ var rel = _relPath(files[fi]);
1999
+ var content;
2000
+ try { content = fs.readFileSync(files[fi], "utf8"); }
2001
+ catch (_e) { continue; }
2002
+ // The claim shape: marks rows to in-flight/inflight via a builder .set AND
2003
+ // selects rows by status='pending' (the competing-consumer claim idiom).
2004
+ var marksInflight = /\.set\(\s*\{[^{}]*status:\s*["']in-?flight["']/.test(content)
2005
+ || /\.set\(\s*["']status["']\s*,\s*["']in-?flight["']/.test(content);
2006
+ if (!marksInflight) continue;
2007
+ var selectsPending = /status\s*=\s*'pending'/.test(content)
2008
+ || /\.where\(\s*["']status["']\s*,\s*["']pending["']/.test(content);
2009
+ if (!selectsPending) continue;
2010
+ if (/skipLocked|SKIP LOCKED/.test(content)) continue; // competing-consumer safe
2011
+ var lines = content.split(/\r?\n/);
2012
+ for (var li = 0; li < lines.length; li++) {
2013
+ if (/status:\s*["']in-?flight["']|["']status["']\s*,\s*["']in-?flight["']/.test(lines[li])) {
2014
+ bad.push({
2015
+ file: rel,
2016
+ line: li + 1,
2017
+ content: "a competing-consumer claim (SELECT status='pending' then flip to in-flight) must use FOR UPDATE SKIP LOCKED on the row-locking backends (Postgres / MySQL) so concurrent pollers see disjoint sets — mirror b.outbox._claimBatch; a mark-then-reselect with no skipLocked branch double-claims under READ COMMITTED",
2018
+ });
2019
+ break;
2020
+ }
2021
+ }
2022
+ }
2023
+ _report("every competing-consumer claim (pending->in-flight poller) must use FOR UPDATE SKIP LOCKED (mirror b.outbox._claimBatch)",
2024
+ bad);
2025
+ }
2026
+
2027
+ // ---- Pattern: a cache-backed counter must use atomic cache.update ----
2028
+ //
2029
+ // Accumulating on a cache with `await cache.get(K)` → mutate/increment →
2030
+ // `await cache.set(K, ...)` is a non-atomic read-modify-write: two concurrent
2031
+ // writers read the same value and one set clobbers the other (lost update),
2032
+ // under-counting on a shared / cluster cache and letting a quota / rate /
2033
+ // bandwidth / concurrency cap be bypassed. b.cache.update is the atomic
2034
+ // compare-and-set RMW. The byte-quota and static bandwidth/concurrency
2035
+ // lost-updates (fixed this release) were this shape. Allowlisted: a cache used
2036
+ // for lookups or cache-aside (the stored value is recomputed or replaced
2037
+ // wholesale, never incremented) or whose writes are serialized another way (an
2038
+ // in-process per-key chain) — none of which can lose an increment.
2039
+ function testCacheCounterUsesAtomicUpdate() {
2040
+ var ALLOW = {
2041
+ "lib/network-dns-resolver.js": "a DNS lookup cache (cache-aside): get a cached resolution, set the freshly-resolved entry — the stored value is replaced wholesale, never incremented, so there is no lost-update counter",
2042
+ "lib/tenant-quota.js": "a cache-aside for bytesUsed (recomputed by walking the tenant's tables, then cached) — the value is replaced from source, not incremented; the QPS/rows budget counter is an in-process Map, not the cache",
2043
+ };
2044
+ var bad = [];
2045
+ var files = _libFiles();
2046
+ for (var fi = 0; fi < files.length; fi++) {
2047
+ var rel = _relPath(files[fi]);
2048
+ if (ALLOW[rel]) continue;
2049
+ var content;
2050
+ try { content = fs.readFileSync(files[fi], "utf8"); } catch (_e) { continue; }
2051
+ if (!/\bcache\.get\s*\(/.test(content)) continue;
2052
+ if (!/\bcache\.set\s*\(/.test(content)) continue;
2053
+ if (/\bcache\.update\s*\(/.test(content)) continue; // already atomic
2054
+ var lines = content.split(/\r?\n/);
2055
+ for (var li = 0; li < lines.length; li++) {
2056
+ if (/\bcache\.set\s*\(/.test(lines[li])) {
2057
+ bad.push({
2058
+ file: rel,
2059
+ line: li + 1,
2060
+ content: "a cache-backed counter must use atomic cache.update, not a cache.get -> mutate -> cache.set read-modify-write (loses concurrent updates on a shared cache) — use cache.update, or allowlist this file with the reason its get/set is not a lost-update counter (lookup / cache-aside, or in-process-serialized)",
2061
+ });
2062
+ break;
2063
+ }
2064
+ }
2065
+ }
2066
+ _report("a cache-backed counter must use the atomic cache.update, not a get->set read-modify-write", bad);
2067
+ }
2068
+
2069
+ // ---- Pattern: a registry check-then-create must serialize per key ----
2070
+ //
2071
+ // An async check-then-create on a pluggable backend — `await backend.get(key)`
2072
+ // -> throw a `/duplicate` error if present -> `await backend.set(key, ...)` —
2073
+ // has an await between the read and the write, so two concurrent calls for one
2074
+ // key both observe absence and both write (duplicate-create / lost-registration).
2075
+ // It must be serialized per key (b.safeAsync.keyedSerializer, exposed on ctx as
2076
+ // registrySerializer) so the second call sees the first's row and is refused.
2077
+ // The agent orchestrator + tenant registries were this shape (fixed this release).
2078
+ function testRegistryCheckThenCreateSerialized() {
2079
+ var bad = [];
2080
+ var files = _libFiles();
2081
+ for (var fi = 0; fi < files.length; fi++) {
2082
+ var rel = _relPath(files[fi]);
2083
+ var content;
2084
+ try { content = fs.readFileSync(files[fi], "utf8"); } catch (_e) { continue; }
2085
+ if (!/\/duplicate["']/.test(content)) continue; // throws a duplicate error
2086
+ if (!/backend\.get\s*\(/.test(content)) continue; // the check
2087
+ if (!/backend\.set\s*\(/.test(content)) continue; // the create
2088
+ if (/keyedSerializer|registrySerializer/.test(content)) continue; // serialized per key
2089
+ var lines = content.split(/\r?\n/);
2090
+ for (var li = 0; li < lines.length; li++) {
2091
+ if (/\/duplicate["']/.test(lines[li])) {
2092
+ bad.push({
2093
+ file: rel,
2094
+ line: li + 1,
2095
+ content: "a check-then-create on a pluggable backend (await backend.get -> throw /duplicate -> await backend.set) must be serialized per key (b.safeAsync.keyedSerializer / ctx.registrySerializer) so two concurrent calls for one key can't both create",
2096
+ });
2097
+ break;
2098
+ }
2099
+ }
2100
+ }
2101
+ _report("a registry check-then-create on a pluggable backend must serialize per key (b.safeAsync.keyedSerializer)", bad);
2102
+ }
2103
+
2104
+ // ---- Pattern: a cert-chain issuance link must use issuerValidlyIssued ----
2105
+ //
2106
+ // A multi-hop X.509 chain walker must test each ISSUANCE link with
2107
+ // x509Chain.issuerValidlyIssued (which enforces basicConstraints cA:TRUE),
2108
+ // NOT a bare X509Certificate.checkIssued(): node's checkIssued does not enforce
2109
+ // the CA bit, so a non-CA / end-entity cert (cA:FALSE) spliced in as an
2110
+ // intermediate is wrongly accepted as an issuer — the classic basicConstraints
2111
+ // bypass (CVE-2002-0862 class). fido-mds3 was the sole outlier (fixed this
2112
+ // release); mdoc / tsa / bimi / content-credentials / smime all route through
2113
+ // issuerValidlyIssued. A self-signed-root check (cert.checkIssued(cert) — same
2114
+ // receiver and argument) is NOT an issuance hop and is fine. lib/x509-chain.js
2115
+ // owns the one legitimate checkIssued (inside issuerValidlyIssued).
2116
+ function testCertChainIssuanceUsesIssuerValidlyIssued() {
2117
+ var bad = [];
2118
+ var files = _libFiles();
2119
+ var RE = /([\w$.[\]]+)\.checkIssued\s*\(\s*([\w$.[\]\s+]+?)\s*\)/;
2120
+ for (var fi = 0; fi < files.length; fi++) {
2121
+ var rel = _relPath(files[fi]);
2122
+ if (rel === "lib/x509-chain.js") continue; // the canonical home (inside issuerValidlyIssued)
2123
+ var content;
2124
+ try { content = fs.readFileSync(files[fi], "utf8"); } catch (_e) { continue; }
2125
+ if (content.indexOf(".checkIssued(") === -1) continue;
2126
+ var lines = content.split(/\r?\n/);
2127
+ for (var li = 0; li < lines.length; li++) {
2128
+ var t = lines[li].trim();
2129
+ if (t.indexOf("//") === 0 || t.indexOf("*") === 0) continue; // comment line
2130
+ var m = RE.exec(lines[li]);
2131
+ if (!m) continue;
2132
+ if (m[1].replace(/\s+/g, "") === m[2].replace(/\s+/g, "")) continue; // self-signed check, not an issuance hop
2133
+ bad.push({
2134
+ file: rel,
2135
+ line: li + 1,
2136
+ content: "a cert-chain issuance link uses bare X509Certificate.checkIssued() (no basicConstraints cA:TRUE enforcement) — route it through x509Chain.issuerValidlyIssued(issuer, subject), like mdoc / tsa / bimi / content-credentials, so a non-CA intermediate is refused (basicConstraints bypass, CVE-2002-0862)",
2137
+ });
2138
+ }
2139
+ }
2140
+ _report("a cert-chain issuance link must use x509Chain.issuerValidlyIssued (cA-enforcing), not bare checkIssued", bad);
2141
+ }
2142
+
2143
+ // ---- Pattern: domainToASCII must reject URL delimiters before a host compare ----
2144
+ // node:url.domainToASCII silently TRUNCATES at "/" "?" "#" "\" — e.g.
2145
+ // domainToASCII("victim.example/evil") === "victim.example" — so a host carrying
2146
+ // a delimiter canonicalizes to a trusted PREFIX. A canonicalizer that feeds the
2147
+ // raw result into an identity / authorization comparison lets a hostile host
2148
+ // masquerade as a trusted one (the BIMI/VMC SubjectAltName bypass class, and a
2149
+ // DMARC-alignment spoof). The two guarded homes — public-suffix._normalizeInput
2150
+ // and mail.toAscii — reject those delimiters BEFORE calling domainToASCII; every
2151
+ // other consumer must route through publicSuffix.canonicalDomain (delimiter-safe,
2152
+ // fails closed to "").
2153
+ function testDomainToAsciiRejectsUrlDelimiters() {
2154
+ var bad = [];
2155
+ var files = _libFiles();
2156
+ var RE = /\bdomainToASCII\s*\(/;
2157
+ for (var fi = 0; fi < files.length; fi++) {
2158
+ var rel = _relPath(files[fi]);
2159
+ // The two homes that reject "/" "?" "#" "\" before calling domainToASCII.
2160
+ if (rel === "lib/public-suffix.js" || rel === "lib/mail.js") continue;
2161
+ var content;
2162
+ try { content = fs.readFileSync(files[fi], "utf8"); } catch (_e) { continue; }
2163
+ if (content.indexOf("domainToASCII(") === -1) continue;
2164
+ var lines = content.split(/\r?\n/);
2165
+ for (var li = 0; li < lines.length; li++) {
2166
+ var t = lines[li].trim();
2167
+ if (t.indexOf("//") === 0 || t.indexOf("*") === 0) continue; // comment line
2168
+ if (RE.test(lines[li])) {
2169
+ bad.push({
2170
+ file: rel,
2171
+ line: li + 1,
2172
+ content: "raw node:url.domainToASCII() used for host normalization — it silently TRUNCATES at a URL delimiter (\"/\" \"?\" \"#\"), reducing a hostile host to a trusted prefix (the BIMI/VMC SAN bypass + DMARC-alignment spoof class). Route the host through publicSuffix.canonicalDomain, which rejects delimiters and fails closed.",
2173
+ });
2174
+ }
2175
+ }
2176
+ }
2177
+ _report("a host canonicalizer must route domainToASCII through publicSuffix.canonicalDomain (delimiter-safe), not call it raw", bad);
2178
+ }
2179
+
2180
+ // ---- Pattern: URLSearchParams("..."+x) must escape "&" in the concatenated x ----
2181
+ // new URLSearchParams(str) parses str as a query and splits pairs on "&". A
2182
+ // caller value concatenated into that string (e.g. new URLSearchParams("k=" +
2183
+ // token)) is split + truncated at any literal "&" the value carries — silently
2184
+ // dropping everything after it (the httpSig @query-param decoded-name bug). The
2185
+ // value must be "&"-escaped (.replace(/&/g, "%26")) before concatenation.
2186
+ function testUrlSearchParamsConcatEscapesAmpersand() {
2187
+ var bad = [];
2188
+ var files = _libFiles();
2189
+ var RE = /new\s+URLSearchParams\s*\(\s*["'][^"']*["']\s*\+/; // string-literal + concat into the query
2190
+ for (var fi = 0; fi < files.length; fi++) {
2191
+ var rel = _relPath(files[fi]);
2192
+ var content;
2193
+ try { content = fs.readFileSync(files[fi], "utf8"); } catch (_e) { continue; }
2194
+ if (content.indexOf("URLSearchParams") === -1) continue;
2195
+ var lines = content.split(/\r?\n/);
2196
+ for (var li = 0; li < lines.length; li++) {
2197
+ var line = lines[li];
2198
+ if (/^\s*(\/\/|\*|\/\*)/.test(line)) continue;
2199
+ if (!RE.test(line)) continue;
2200
+ // Safe iff the concatenated value is "&"-escaped on the same expression.
2201
+ if (/replace\s*\(\s*\/&\//.test(line) || line.indexOf("%26") !== -1) continue;
2202
+ bad.push({
2203
+ file: rel,
2204
+ line: li + 1,
2205
+ content: "new URLSearchParams() built by concatenating a value into the query string — it splits on a literal \"&\" in that value, silently truncating it (the httpSig @query-param bug). Escape the value with .replace(/&/g, \"%26\") before concatenation.",
2206
+ });
2207
+ }
2208
+ }
2209
+ _report("a URLSearchParams query built by string concatenation must escape \"&\" in the concatenated value", bad);
2210
+ }
2211
+
2212
+ // ---- Pattern: email-domain via split("@")[1] must reject a multi-@ addr-spec ----
2213
+ // An RFC 5322 addr-spec has exactly one "@". str.split("@")[1] pulls the
2214
+ // LEFTMOST segment, so on a multi-@ string (x@attacker@victim) it derives
2215
+ // attacker's domain — while a rightmost-@ parser (lastIndexOf) derives victim.
2216
+ // When one site authorizes/routes on the leftmost domain and another gates on
2217
+ // the rightmost, DMARC/SPF authorizes a domain the attacker controls while the
2218
+ // displayed From is the victim's (CWE-290), or outbound delivery routes to an
2219
+ // unintended host. Every leftmost-@ domain pull must first reject a multi-@
2220
+ // address (str.indexOf("@") !== str.lastIndexOf("@")) within its function; a
2221
+ // purely informational, non-routing use is marked inline.
2222
+ function testEmailDomainDerivationGuardsMultiAt() {
2223
+ var bad = [];
2224
+ var files = _libFiles();
2225
+ var SPLIT_RE = /\.split\(\s*["']@["']\s*\)\s*\[\s*1\s*\]/; // leftmost-@ domain pull
2226
+ var GUARD_RE = /lastIndexOf\(\s*["']@["']\s*\)/; // single-@ rejection anchor
2227
+ var FN_RE = /^\s*(?:async\s+)?function\b/; // function-head boundary
2228
+ for (var fi = 0; fi < files.length; fi++) {
2229
+ var rel = _relPath(files[fi]);
2230
+ var content;
2231
+ try { content = fs.readFileSync(files[fi], "utf8"); } catch (_e) { continue; }
2232
+ if (content.indexOf('split("@")') === -1 && content.indexOf("split('@')") === -1) continue;
2233
+ var lines = content.split(/\r?\n/);
2234
+ for (var li = 0; li < lines.length; li++) {
2235
+ var line = lines[li];
2236
+ if (/^\s*(?:\/\/|\*|\/\*)/.test(line)) continue; // comment line
2237
+ if (!SPLIT_RE.test(line)) continue;
2238
+ // Safe iff a single-@ rejection (lastIndexOf "@") appears on this line or
2239
+ // anywhere above it within the same function body.
2240
+ var guarded = GUARD_RE.test(line);
2241
+ for (var w = li - 1; w >= 0 && !guarded && w >= li - 200; w--) {
2242
+ if (GUARD_RE.test(lines[w])) { guarded = true; break; }
2243
+ if (FN_RE.test(lines[w])) break; // hit the function head, no guard
2244
+ }
2245
+ if (!guarded) {
2246
+ bad.push({
2247
+ file: rel,
2248
+ line: li + 1,
2249
+ content: "email-domain derived via str.split(\"@\")[1] (the LEFTMOST segment). On a multi-@ addr-spec (x@attacker@victim) this authorizes/routes to attacker's domain while a rightmost-@ parser reads victim — the DMARC/SPF-alignment + delivery-routing bypass class (CWE-290). Reject a multi-@ address first (str.indexOf(\"@\") !== str.lastIndexOf(\"@\")), or mark an informational non-routing use with // allow:leftmost-domain-informational.",
2250
+ });
2251
+ }
2252
+ }
2253
+ }
2254
+ bad = _filterMarkers(bad, "leftmost-domain-informational");
2255
+ _report("an email-domain derivation via split(\"@\")[1] must first reject a multi-@ addr-spec (single-@ guard)", bad);
2256
+ }
2257
+
2258
+ // ---- Pattern: fileUpload lifecycle methods enforce per-upload ownership ----
2259
+ // A fileUpload lifecycle method that loads an upload by a request-supplied
2260
+ // uploadId (_readMeta(uploadId)) and then acts on it MUST call _checkOwnership
2261
+ // before mutating/returning, or a caller can act on another actor's upload by
2262
+ // guessing its uploadId (IDOR / CWE-639). A behavioral test covers the four
2263
+ // current methods; this detector keeps a NEW lifecycle method from silently
2264
+ // reintroducing the gap (the internal enumerate/cleanup sweeps read
2265
+ // _readMeta(e.name), not uploadId, so they are not matched).
2266
+ function testFileUploadLifecycleChecksOwnership() {
2267
+ var bad = [];
2268
+ var rel = "lib/file-upload.js";
2269
+ var content;
2270
+ try {
2271
+ content = fs.readFileSync(path.resolve(path.resolve(__dirname, "..", ".."), rel), "utf8");
2272
+ } catch (_e) { _report("fileUpload lifecycle methods enforce per-upload ownership", bad); return; }
2273
+ var lines = content.split(/\r?\n/);
2274
+ for (var li = 0; li < lines.length; li++) {
2275
+ // The CALL shape (`= _readMeta(uploadId)`), not the `function _readMeta(...)`
2276
+ // definition.
2277
+ if (!/=\s*_readMeta\(uploadId\)/.test(lines[li])) continue;
2278
+ // _checkOwnership must appear after the read, within the same method body
2279
+ // (a method-closing brace at 2-space indent ends the scan).
2280
+ var guarded = false;
2281
+ for (var w = li + 1; w < lines.length && w <= li + 30; w++) {
2282
+ if (/^ {2}\}/.test(lines[w])) break; // method-closing brace
2283
+ if (/_checkOwnership\(/.test(lines[w])) { guarded = true; break; }
2284
+ }
2285
+ if (!guarded) {
2286
+ bad.push({
2287
+ file: rel,
2288
+ line: li + 1,
2289
+ content: "a fileUpload lifecycle method loads an upload by request-supplied uploadId (_readMeta(uploadId)) but does not call _checkOwnership before acting — a caller could act on another actor's upload by guessing its uploadId (IDOR / CWE-639).",
2290
+ });
2291
+ }
2292
+ }
2293
+ _report("every fileUpload lifecycle method reading _readMeta(uploadId) must call _checkOwnership before acting (IDOR guard)", bad);
2294
+ }
2295
+
2296
+ // ---- Pattern: scope/role wildcard matching must use b.permissions.match ----
2297
+ // The hand-rolled wildcard idiom — detect a trailing "*" (charAt(len-1)==="*"),
2298
+ // strip it (slice(0,-1)), then raw-prefix-match (indexOf(prefix)===0) — ignores
2299
+ // ":" segment boundaries, so a partial-segment scope "phi:a*" wrongly satisfies
2300
+ // "phi:admin". Scope/role wildcard matching must route through the segment-aware
2301
+ // b.permissions.match (break-glass + dual-control hand-rolled it independently).
2302
+ function testScopeWildcardUsesPermissionsMatch() {
2303
+ var bad = [];
2304
+ var files = _libFiles();
2305
+ var STAR = /charAt\([^)]*\.length\s*-\s*1\)\s*===\s*"\*"/;
2306
+ var SLICE = /\.slice\(\s*0\s*,\s*-\s*1\s*\)/;
2307
+ var PREFIX = /\.indexOf\([^)]*\)\s*===\s*0/;
2308
+ for (var fi = 0; fi < files.length; fi++) {
2309
+ var rel = _relPath(files[fi]);
2310
+ var content;
2311
+ try { content = fs.readFileSync(files[fi], "utf8"); } catch (_e) { continue; }
2312
+ if (!STAR.test(content)) continue;
2313
+ var lines = content.split(/\r?\n/);
2314
+ for (var li = 0; li < lines.length; li++) {
2315
+ if (!STAR.test(lines[li])) continue;
2316
+ // The full hand-rolled-wildcard signature is the trailing-"*" check plus a
2317
+ // slice(0,-1) strip plus a raw indexOf(...)===0 prefix match, all within
2318
+ // the same small block (a trailing-"*" check alone — e.g. URI-template
2319
+ // explode, array-key parsing — is not a scope match).
2320
+ var hasSlice = false, hasPrefix = false;
2321
+ for (var w = li; w < lines.length && w <= li + 12; w++) {
2322
+ if (SLICE.test(lines[w])) hasSlice = true;
2323
+ if (PREFIX.test(lines[w])) hasPrefix = true;
2324
+ }
2325
+ if (hasSlice && hasPrefix) {
2326
+ bad.push({
2327
+ file: rel,
2328
+ line: li + 1,
2329
+ content: "hand-rolled scope/role wildcard match (trailing-\"*\" + slice(0,-1) + indexOf(prefix)===0) ignores \":\" segment boundaries, so a partial-segment scope wrongly satisfies a different value — route through the segment-aware b.permissions.match.",
2330
+ });
2331
+ }
2332
+ }
2333
+ }
2334
+ _report("scope/role wildcard matching must use the segment-aware b.permissions.match, not a hand-rolled prefix match", bad);
2335
+ }
2336
+
2337
+ // ---- Pattern: queue-redis inflight-transition LUA result must be captured ----
2338
+ // COMPLETE_LUA / FAIL_LUA atomically ZREM a job from the inflight set and
2339
+ // return whether THIS call won that transition (1 = won, 0/-1 = stale). The
2340
+ // caller MUST capture that result and gate its side effects on it: a stale
2341
+ // worker whose lease expired (the job swept back to ready and re-leased /
2342
+ // completed by another worker) must NOT run complete()'s cron re-enqueue +
2343
+ // flow release, nor fail()'s retry/dlq re-queue — doing so double-fires a cron
2344
+ // repeat or resurrects an already-finished job. A bare
2345
+ // `await client.runScript(COMPLETE_LUA, …)` (result discarded) is the bug
2346
+ // shape; it must be `var x = await client.runScript(COMPLETE_LUA, …)` + a
2347
+ // gate. The SQL backends carry the equivalent `WHERE status='inflight'` guard;
2348
+ // this keeps the redis backend from diverging.
2349
+ function testQueueRedisGateLuaResultCaptured() {
2350
+ var bad = [];
2351
+ var rel = "lib/queue-redis.js";
2352
+ var content;
2353
+ try {
2354
+ content = fs.readFileSync(path.resolve(path.resolve(__dirname, "..", ".."), rel), "utf8");
2355
+ } catch (_e) { _report("queue-redis gate-LUA results captured + gated", bad); return; }
2356
+ var lines = content.split(/\r?\n/);
2357
+ for (var li = 0; li < lines.length; li++) {
2358
+ if (!/client\.runScript\(/.test(lines[li])) continue;
2359
+ // The first ARGUMENT identifies the script. It may sit on the call line or
2360
+ // the next few lines (the call is multi-line).
2361
+ var gate = null;
2362
+ for (var w = li; w < lines.length && w <= li + 3; w++) {
2363
+ var m = lines[w].match(/(?:runScript\(\s*)?\b(COMPLETE_LUA|FAIL_LUA)\b/);
2364
+ if (m && (w === li ? /runScript\(\s*(COMPLETE_LUA|FAIL_LUA)\b/.test(lines[w]) : /^\s*(COMPLETE_LUA|FAIL_LUA)\b/.test(lines[w]))) {
2365
+ gate = m[1]; break;
2366
+ }
2367
+ }
2368
+ if (!gate) continue;
2369
+ // The call line MUST assign the result (so a guard can read it). A bare
2370
+ // `await client.runScript(...)` statement discards the gate.
2371
+ if (!/=\s*await\s+client\.runScript\(/.test(lines[li]) &&
2372
+ !/=\s*client\.runScript\(/.test(lines[li])) {
2373
+ bad.push({
2374
+ file: rel,
2375
+ line: li + 1,
2376
+ content: "the result of client.runScript(" + gate + ") is discarded — it must be captured into a variable and gated (a stale worker must not run the post-transition side effects: double cron-fire / resurrected job).",
2377
+ });
2378
+ }
2379
+ }
2380
+ _report("queue-redis complete()/fail() must capture + gate the inflight-transition LUA result (COMPLETE_LUA / FAIL_LUA)", bad);
2381
+ }
2382
+
2383
+ // ---- Pattern: ARC instance (i=) parsing must route through _arcInstanceOf ----
2384
+ // The ARC instance tag is parsed in several passes: the indexing pass that
2385
+ // drives the AMS/AS crypto checks, the AMS h= retention test, and the finalAr
2386
+ // surfacing in arcEvaluate. If any pass uses a looser i= regex than the
2387
+ // indexer (allowing "i = 1" with a space, or unbounded digits), an attacker
2388
+ // can inject an ARC-Authentication-Results that the strict crypto pass ignores
2389
+ // while the loose pass consumes it — forging the upstream auth-results
2390
+ // (finalAr) on a chain that still verifies pass, with no signing key. Every
2391
+ // instance read must go through the one shared _arcInstanceOf reader; flag any
2392
+ // instance-capturing regex (`i\s*=...(\d` or `i=(\d`) elsewhere in mail-auth.
2393
+ function testArcInstanceParseUsesSharedHelper() {
2394
+ var bad = [];
2395
+ var rel = "lib/mail-auth.js";
2396
+ var content;
2397
+ try {
2398
+ content = fs.readFileSync(path.resolve(path.resolve(__dirname, "..", ".."), rel), "utf8");
2399
+ } catch (_e) { _report("ARC i= instance parse routes through _arcInstanceOf", bad); return; }
2400
+ var lines = content.split(/\r?\n/);
2401
+ // Matches an instance-capturing regex literal: `i\s*=` (spaced form) or
2402
+ // `i=(\d` (bare capture). Prose like "i=1" / "(i=)" lacks the digit capture
2403
+ // and the `\s*`, so comments are not flagged.
2404
+ var ARC_I_REGEX = /i\\s\*=|i=\(\\d/;
2405
+ var inHelper = false;
2406
+ for (var li = 0; li < lines.length; li++) {
2407
+ if (/function _arcInstanceOf\b/.test(lines[li])) { inHelper = true; continue; }
2408
+ if (inHelper) { if (/^\}/.test(lines[li])) inHelper = false; continue; }
2409
+ if (ARC_I_REGEX.test(lines[li])) {
2410
+ bad.push({
2411
+ file: rel,
2412
+ line: li + 1,
2413
+ content: "an ARC instance (i=) parsing regex outside _arcInstanceOf — route it through _arcInstanceOf so the crypto-indexing pass and the finalAr / AMS passes parse the instance identically (a divergent parser forges finalAr on a passing chain).",
2414
+ });
2415
+ }
2416
+ }
2417
+ _report("ARC i= instance parsing must route through the shared _arcInstanceOf reader (no divergent regex)", bad);
2418
+ }
2419
+
2420
+ // ---- Pattern: OID4VCI single-use store claims must gate on the delete ----
2421
+ // A pre-authorized code (codeStore) and a single-use access token (atStore)
2422
+ // are single-use: issuance must proceed only when THIS request's atomic delete
2423
+ // removed the entry. cache.del returns true only for the winner of two racing
2424
+ // deletes, so the return must be captured and checked — a bare
2425
+ // `await codeStore.del(...)` / `await atStore.del(...)` discards it, letting two
2426
+ // concurrent requests both mint (two access tokens from one code / two
2427
+ // credentials from one single-use token). cNonceStore.del is cleanup, not a
2428
+ // claim, so it is allowed to be bare.
2429
+ function testOid4vciSingleUseClaimGated() {
2430
+ var bad = [];
2431
+ var rel = "lib/auth/oid4vci.js";
2432
+ var content;
2433
+ try {
2434
+ content = fs.readFileSync(path.resolve(path.resolve(__dirname, "..", ".."), rel), "utf8");
2435
+ } catch (_e) { _report("OID4VCI single-use store claims gate on the delete", bad); return; }
2436
+ var lines = content.split(/\r?\n/);
2437
+ for (var li = 0; li < lines.length; li++) {
2438
+ var m = lines[li].match(/\bawait\s+(codeStore|atStore)\.del\(/);
2439
+ if (!m) continue;
2440
+ // Must be captured into a variable (`var x = await codeStore.del(...)`),
2441
+ // never a bare expression statement.
2442
+ if (!/=\s*await\s+(codeStore|atStore)\.del\(/.test(lines[li])) {
2443
+ bad.push({
2444
+ file: rel,
2445
+ line: li + 1,
2446
+ content: "the result of await " + m[1] + ".del(...) is discarded — a single-use claim must capture the delete result and issue only when it removed the entry (two concurrent requests would otherwise both mint).",
2447
+ });
2448
+ }
2449
+ }
2450
+ _report("OID4VCI single-use claims (codeStore/atStore .del) must capture + gate the delete result", bad);
2451
+ }
2452
+
2453
+ // ---- Pattern: clock-skew / tolerance opts must be finite-guarded ----
2454
+ // A token/signature verifier that reads a skew or tolerance opt with a bare
2455
+ // `typeof opts.x === "number"` lets Infinity / NaN through, and the resulting
2456
+ // `exp + Infinity < now` / `ageMs > Infinity` comparison is always false —
2457
+ // silently DISABLING the expiry / not-before / future-dating gate so an expired
2458
+ // (or future-dated, or replayed) token or signature verifies. Every such opt
2459
+ // must be finite-guarded: a numericBounds.requireNonNegativeFiniteIntIfPresent
2460
+ // throw (jwt verifiers), an inline `isFinite(...) && >= 0` fallback (verdict-
2461
+ // returning verifiers), or a create-time `validateOpts` "optional-non-negative"
2462
+ // schema. This is the OCSP non-finite-clockSkew bug class generalized across
2463
+ // the JWT / SD-JWT-VC / OAuth / HTTP-message-signature verifiers.
2464
+ function testClockSkewOptsAreFiniteGuarded() {
2465
+ var bad = [];
2466
+ var SKEW = "clockSkewMs|clockSkewSec|maxClockSkewSec|maxPopAgeSec|toleranceMs";
2467
+ var READ = new RegExp("typeof\\s+\\w+\\.(" + SKEW + ")\\s*===\\s*\"number\"");
2468
+ var files = _libFiles();
2469
+ for (var fi = 0; fi < files.length; fi++) {
2470
+ var rel = _relPath(files[fi]);
2471
+ var content;
2472
+ try { content = fs.readFileSync(files[fi], "utf8"); } catch (_e) { continue; }
2473
+ if (!READ.test(content)) continue;
2474
+ var lines = content.split(/\r?\n/);
2475
+ for (var li = 0; li < lines.length; li++) {
2476
+ var m = lines[li].match(READ);
2477
+ if (!m) continue;
2478
+ var opt = m[1];
2479
+ // (a) inline isFinite on the read line itself.
2480
+ if (/isFinite/.test(lines[li])) continue;
2481
+ // (b) a numericBounds / isFinite guard for the same opt in the preceding lines.
2482
+ var guardRe = new RegExp("(requireNonNegativeFiniteIntIfPresent|isFinite)\\([^)]*\\b" + opt + "\\b");
2483
+ var guarded = false;
2484
+ for (var w = Math.max(0, li - 10); w < li; w++) {
2485
+ if (guardRe.test(lines[w])) { guarded = true; break; }
2486
+ }
2487
+ if (guarded) continue;
2488
+ // (c) the opt is validated at create() via a non-negative-finite validateOpts schema.
2489
+ if (new RegExp("\\b" + opt + "\\b\\s*:\\s*\"optional-non-negative").test(content)) continue;
2490
+ bad.push({
2491
+ file: rel,
2492
+ line: li + 1,
2493
+ content: "clock-skew/tolerance opt '" + opt + "' is read with a bare `typeof === \"number\"` and is not finite-guarded — Infinity/NaN would disable the time-window gate (an expired/future/replayed token or signature would verify). Guard it (numericBounds.requireNonNegativeFiniteIntIfPresent, an inline isFinite check, or a create-time validateOpts non-negative-finite schema).",
2494
+ });
2495
+ }
2496
+ }
2497
+ _report("clock-skew / tolerance verifier opts must be finite-guarded (no bare typeof===\"number\")", bad);
2498
+ }
2499
+
1884
2500
  // ---- Pattern 20: trustProxy bypass — raw req.headers x-forwarded-for read ----
1885
2501
 
1886
2502
  function testNoRawXffRead() {
@@ -2878,6 +3494,26 @@ async function testNoDuplicateCodeBlocks() {
2878
3494
  // so the audit trail records exactly which body of code shares the
2879
3495
  // shape.
2880
3496
  var KNOWN_CLUSTERS = [
3497
+ {
3498
+ // Opts-passthrough / allow-list token run — shape-only. A run of
3499
+ // `<ident>: <ident>.<ident>,` assignments (jar.parse forwarding its
3500
+ // verify options to verifyExternal) and the parallel `validateOpts(opts,
3501
+ // [ ...string keys ])` allow-list tokenize to the same skeleton as
3502
+ // db.init's per-table `cryptoField.registerTable` metadata object,
3503
+ // eat.verify's option forwarding, and the cookie-jar's getAll loop. The
3504
+ // functions are wholly unrelated (OAuth request-object parsing vs schema
3505
+ // registration vs EAT verification vs cookie enumeration); the longest
3506
+ // byte-identical run across any pair is a single `key: value,` line. There
3507
+ // is no shared primitive to extract — the coincidence is the generic
3508
+ // object-literal / key-array shape, not behavior.
3509
+ mode: "family-subset",
3510
+ files: [
3511
+ "lib/auth/jar.js:parse",
3512
+ "lib/db.js:init",
3513
+ "lib/eat.js:verify",
3514
+ "lib/http-client-cookie-jar.js:getAll",
3515
+ ],
3516
+ },
2881
3517
  {
2882
3518
  // Delimited key/value split idiom — shape-only. The "split a string on a
2883
3519
  // separator, slice each piece at the first `=` into key + value" loop
@@ -2931,13 +3567,29 @@ async function testNoDuplicateCodeBlocks() {
2931
3567
  // The prior JOSE pass (jwtExternal.algParams) deliberately kept the
2932
3568
  // verify-assembly per-caller (PQC/EdDSA/sign-vs-verify diverge); the one
2933
3569
  // genuine within-SAML signature-EXTRACTION pair is consolidated in
2934
- // saml._extractRedirectSignature.
3570
+ // saml._extractRedirectSignature. The family spans every JWS/signature
3571
+ // verifier (dpop proof, fido-mds3 metadata JWS, jwt-external compact JWS,
3572
+ // oauth id-token / attestation / backchannel-logout, oid4vci proof,
3573
+ // mail-auth inbound, SAML SLO POST/SOAP + redirect) — each with its own
3574
+ // key shape, error class, and canonical-byte rules; only the tokenized
3575
+ // verify-skeleton coincides. Membership tracked from the MIGRATE-DUMP.
2935
3576
  mode: "family-subset",
2936
3577
  files: [
3578
+ "lib/auth/dpop.js:buildProof",
3579
+ "lib/auth/dpop.js:verify",
2937
3580
  "lib/auth/fido-mds3.js:_verifyJws",
2938
3581
  "lib/auth/jwt.js:verify",
3582
+ "lib/auth/jwt-external.js:_signCompactJws",
3583
+ "lib/auth/jwt-external.js:verifyExternal",
3584
+ "lib/auth/oauth.js:_verifyAttestationJws",
3585
+ "lib/auth/oauth.js:verifyBackchannelLogoutToken",
3586
+ "lib/auth/oauth.js:verifyClientAttestation",
3587
+ "lib/auth/oauth.js:verifyIdToken",
3588
+ "lib/auth/oid4vci.js:_verifyProofJwt",
3589
+ "lib/auth/saml.js:_verifyEmbeddedXmlDsig",
2939
3590
  "lib/auth/saml.js:parseLogoutRequest",
2940
3591
  "lib/auth/saml.js:parseLogoutResponse",
3592
+ "lib/mail-auth.js:inboundVerify",
2941
3593
  ],
2942
3594
  },
2943
3595
  {
@@ -5266,6 +5918,91 @@ var KNOWN_ANTIPATTERNS = [
5266
5918
  allowlist: ["lib/x509-chain.js"],
5267
5919
  reason: "basicConstraints cA:TRUE enforcement is owned by x509Chain.issuerValidlyIssued / x509Chain.isCaCert; tsa/mail-bimi/mail-crypto-smime route through it. Any lib file calling X.checkIssued(Y) (Y!=X) directly bypasses the cA check and must use x509Chain instead. lib/x509-chain.js is the home of the primitive.",
5268
5920
  },
5921
+ {
5922
+ id: "mail-report-header-builder-must-guard-crlf",
5923
+ primitive: "b.safeBuffer.assertHeaderSafe",
5924
+ scanScope: "lib",
5925
+ // A DSN / MDN / ARC report-header builder interpolates operator- or
5926
+ // peer-supplied fields (recipients, MTA names, the 5xx diagnostic
5927
+ // reply, ARC authserv/domain/selector) into `Name: value\r\n` lines. An
5928
+ // unguarded field lets a hostile original sender or a malicious peer MX
5929
+ // smuggle a new header or forge a report part (CRLF injection). Every
5930
+ // such field must route through safeBuffer.assertHeaderSafe (reject
5931
+ // structured fields) or stripCrlf (fold free-text like the SMTP reply).
5932
+ // The anchor matches a quoted report-header prefix immediately
5933
+ // concatenated (`"Diagnostic-Code: smtp; " +`, `"ARC-Message-Signature: " +`)
5934
+ // or the mail-bounce `_foldFieldValue(` choke point — the shape only a
5935
+ // builder has (parsers/validators match field names in lowercased maps,
5936
+ // not quoted `"Name: " +` literals), so guard-dsn / mail-arf / mail-auth
5937
+ // are correctly excluded.
5938
+ regex: /"(?:Final-Recipient|Diagnostic-Code|Disposition|Original-Recipient|Reporting-MTA|ARC-Message-Signature|ARC-Seal|ARC-Authentication-Results)\b[^"\n]*"\s*\+|_foldFieldValue\s*\(/,
5939
+ requires: /assertHeaderSafe/,
5940
+ allowlist: [],
5941
+ reason: "DSN (mail-send-deliver.buildDsn, mail-bounce.dsn.build), MDN (mail-mdn.build) and ARC (mail-arc-sign.sign) report-header builders MUST compose safeBuffer.assertHeaderSafe on every structured field (and stripCrlf-fold the free-text 5xx reason). An unguarded `Name: value\\r\\n` built from a hostile original sender / peer MX is a header-injection vector (v0.15.68 root sweep — 4 HIGH + archive + srs). A new builder in this family that matches the report-header anchor but drops the guard re-opens the class.",
5942
+ },
5943
+ {
5944
+ id: "dsn-diagnostic-free-text-fold-must-strip-nul",
5945
+ primitive: "b.safeBuffer.foldHeaderText",
5946
+ scanScope: "lib",
5947
+ // A DSN builder folds the peer's free-text 5xx diagnostic (which may
5948
+ // legitimately wrap) onto the Diagnostic-Code header line. That fold must
5949
+ // use foldHeaderText (removes CR/LF AND NUL), not a bare CR/LF strip — a
5950
+ // NUL is never valid in an RFC 5322 header value and is treated specially
5951
+ // by downstream SMTP parsers, so a CR/LF-only fold serializes it
5952
+ // verbatim. Only mail-send-deliver + mail-bounce build a Diagnostic-Code
5953
+ // line, and both now compose foldHeaderText.
5954
+ regex: /"Diagnostic-Code/,
5955
+ requires: /foldHeaderText/,
5956
+ allowlist: [],
5957
+ reason: "A builder emitting a Diagnostic-Code header must fold the free-text diagnostic with safeBuffer.foldHeaderText (CR/LF + NUL), not a bare stripCrlf — otherwise a NUL in the peer's 5xx reply is serialized into the header line. Reverting the fold to stripCrlf drops the foldHeaderText reference and trips this.",
5958
+ },
5959
+ {
5960
+ id: "xml-c14n-parseElement-must-thread-depth",
5961
+ primitive: "xml-c14n nesting-depth cap",
5962
+ scanScope: "lib",
5963
+ // lib/xml-c14n.js parseElement must thread the nesting depth through the
5964
+ // recursion (parseElement(depth) at entry, parseElement(depth + 1) on
5965
+ // descent, parseElement(0) at the root) so the MAX_DEPTH cap can
5966
+ // actually fire. The pre-fix code kept a per-frame-local `var depth = 0`
5967
+ // incremented then decremented around each single recursive call, so it
5968
+ // was always 1 at the check — a dead cap and a stack-overflow DoS on
5969
+ // deeply-nested untrusted SAML / WebDAV XML. `parseElement` is unique to
5970
+ // xml-c14n; an empty-arg parseElement() (definition or self-call)
5971
+ // re-introduces the dead cap.
5972
+ regex: /parseElement\s*\(\s*\)/,
5973
+ allowlist: [],
5974
+ reason: "xml-c14n's recursive-descent parseElement must thread the depth argument so the MAX_DEPTH nesting cap fires. An arg-less parseElement() (definition or self-call) drops the threading and re-opens the stack-exhaustion DoS on deeply-nested untrusted XML.",
5975
+ },
5976
+ {
5977
+ id: "idempotency-replay-slot-must-bind-principal",
5978
+ primitive: "b.requestHelpers.extractActorContext",
5979
+ scanScope: "lib",
5980
+ // The Idempotency-Key replay/response cache must key its slot on the
5981
+ // authenticated principal (requestHelpers.extractActorContext /
5982
+ // opts.scopeFn -> scopedKey), not on the client-supplied Idempotency-Key
5983
+ // alone. Otherwise principal B is served principal A's cached response
5984
+ // via a shared / guessed key (cross-actor disclosure), or A pre-seeds a
5985
+ // key to force a 422 on B (cross-actor denial). `opts.store.set(` is
5986
+ // unique to the idempotency middleware's replay-write.
5987
+ regex: /opts\.store\.set\s*\(/,
5988
+ requires: /scopeFn|scopedKey/,
5989
+ allowlist: [],
5990
+ reason: "The idempotency replay cache write must use a principal-scoped key (scopedKey derived via scopeFn / extractActorContext), not the raw client Idempotency-Key. Reverting store.get/set to the raw key drops the scopedKey reference and re-opens cross-actor disclosure / denial.",
5991
+ },
5992
+ {
5993
+ id: "vc-jose-verify-must-bind-alg-to-key",
5994
+ primitive: "b.vc.verify",
5995
+ scanScope: "lib",
5996
+ // vc._verifyJose resolves the public key then calls nodeCrypto.verify
5997
+ // with the header-declared alg. Without binding the alg to the key's
5998
+ // type/curve (_assertJoseAlgKey), an attacker picks the alg (hash +
5999
+ // dsaEncoding) independent of the key an ECDSA curve/type confusion
6000
+ // (CWE-347, RFC 7518 3.4). The binding check must stay composed.
6001
+ regex: /function _verifyJose\b/,
6002
+ requires: /_assertJoseAlgKey/,
6003
+ allowlist: [],
6004
+ reason: "The JOSE verify path must bind the header alg to the resolved key's curve/type via _assertJoseAlgKey before nodeCrypto.verify. Dropping the call re-opens ECDSA alg/curve confusion (an ES384 header verified against a P-256 key).",
6005
+ },
5269
6006
  {
5270
6007
  id: "fingerprint-pin-against-claimed-field-not-recomputed",
5271
6008
  primitive: "b.auditSign.fingerprintOf",
@@ -6308,6 +7045,13 @@ var KNOWN_ANTIPATTERNS = [
6308
7045
  "lib/cose.js", // protMap.has(HDR_CRIT) → validate the crit array if present
6309
7046
  "lib/cwt.js", // raw.has(exp) → validate the exp claim if present
6310
7047
  "lib/db-query.js", // JSONB_CONTAINMENT_OPS.has(op) → special-case the operator if it is one
7048
+ // (3) Single-flight coalescing table — `if (inflight.has(key))` awaits an
7049
+ // in-flight async cache fill and returns the shared result; NOTHING is
7050
+ // inserted-then-rejected (the winner registers its own promise via a
7051
+ // plain `inflight.set` after the check). The matched `throw` is a
7052
+ // per-caller DNSSEC validate gate on the shared answer, not a
7053
+ // duplicate-key reject, so requireAbsent can't express it.
7054
+ "lib/network-dns-resolver.js", // inflight single-flight map, not a uniqueness register
6311
7055
  // (NB: the prototype-pollution POISONED_KEYS deny-set guards that used to
6312
7056
  // live here — body-parser, the safe-* parsers, safe-schema — were
6313
7057
  // extracted into the pick.isPoisonedKey primitive and no longer fire.)
@@ -9498,6 +10242,24 @@ var KNOWN_ANTIPATTERNS = [
9498
10242
  allowlist: [],
9499
10243
  reason: "#123 macOS codebase-patterns watchdog hang. _scanShardInWorker rejected on worker error/exit without w.terminate(), so an errored worker thread stayed alive holding open handles; the parent then could not exit and the smoke run ran to the 25-min watchdog on memory-starved macOS-arm64 runners (it hung this very release's CI). Every settle path must reap the worker via w.terminate() first; the fix funnels message/error/exit through a settle() guard that terminates before resolve/reject. Fires on the bare `w.once(\"error\", reject)` shape; silent once error/exit route through settle().",
9500
10244
  },
10245
+ {
10246
+ // A test that asserts a raw ECDSA signature's first byte is NOT 0x30 (the
10247
+ // DER SEQUENCE tag) to prove "this is raw, not DER" is NONDETERMINISTIC: the
10248
+ // first byte of an IEEE-P1363 r||s signature is r's high octet, which equals
10249
+ // 0x30 ~1/256 of the time, so a bare check flakes ~1/256 (it blocked a
10250
+ // release's ubuntu smoke). The fixed r||s LENGTH (64 for P-256, 96 for
10251
+ // P-384) is the deterministic raw-vs-DER distinguisher and what the verifier
10252
+ // keys off, so the byte check must be guarded with a `|| sig.length === <N>`
10253
+ // disjunction (the sd-jwt-vc-ecdsa-p1363 convention). Structural test-flake
10254
+ // drift a behavioral test can't assert (it passes 255/256 of the time).
10255
+ id: "test-ecdsa-raw-sig-der-tag-byte-flake",
10256
+ primitive: "a test asserting a raw ECDSA signature's first byte !== 0x30 (DER SEQUENCE tag) must guard it with a `|| sig.length === <N>` disjunction — the byte is r's high octet and equals 0x30 ~1/256 of the time, so a bare check flakes nondeterministically",
10257
+ scanScope: "test",
10258
+ regex: /\[0\]\s*!==\s*0x30(?!.*\|\|.*length)/,
10259
+ skipCommentLines: true,
10260
+ allowlist: [],
10261
+ reason: "0.15.54 — self-update-standalone-verifier-ecdsa-encoding.test.js:189 asserted that a raw IEEE-P1363 P-384 signature's first byte was not the DER SEQUENCE tag 0x30, to prove it was not DER-encoded; that byte is r's high octet, which equals 0x30 ~1/256 of the time, so the setup assertion flaked and blocked the release's ubuntu smoke (the saml-mdq-wrapping release CI). The deterministic distinguisher is the fixed 96-byte (P-384) / 64-byte (P-256) raw length; the fix guards the byte check with a `|| sig.length === N` disjunction, matching sd-jwt-vc-ecdsa-p1363.test.js:51. Fires on a bare first-byte-not-0x30 check with no length disjunction on the same line; silent once guarded.",
10262
+ },
9501
10263
  {
9502
10264
  // A test file must invoke its run()/IIFE ONLY under
9503
10265
  // `if (require.main === module)`. The smoke worker REQUIRES each test
@@ -12363,21 +13125,22 @@ function testWikiPortAgreesAcrossArtifacts() {
12363
13125
  bad);
12364
13126
  }
12365
13127
 
12366
- // The esbuild dev-tool is pinned across artifacts that carry no lockfile to keep
12367
- // them in sync: package.json devDependencies (the version source-of-truth, also
12368
- // postject), ci.yml + npm-publish.yml's exact `npm install esbuild@<v>` for the
12369
- // SEA / bundler-output build, and scripts/esbuild-binary-pin.json's reviewed
12370
- // per-platform binary hashes (verified on disk by the bundler-output smoke
12371
- // gate). A bump that updates one and not the others is the v0.11.40 silent-drift
12372
- // class: ci.yml tested 0.28.0 while package.json declared 0.28.1, so CI verified
12373
- // an unreviewed version. The agreement + per-platform hash COMPLETENESS is owned
12374
- // by one shared checker (scripts/check-esbuild-pin.js), called here and by
12375
- // release.js regen so neither path can silently drift — a bump that forgets the
12376
- // reviewed hashes fails closed instead of degrading the smoke pin to a skip.
13128
+ // The esbuild dev-tool is pinned across three artifacts kept in sync:
13129
+ // package.json devDependencies (the version source-of-truth, also postject), the
13130
+ // committed root package-lock.json that ci.yml + npm-publish.yml install via
13131
+ // `npm ci` for the SEA / bundler-output build, and scripts/esbuild-binary-pin.json's
13132
+ // reviewed per-platform binary hashes (verified on disk by the bundler-output
13133
+ // smoke gate). A bump that updates one and not the others is the v0.11.40
13134
+ // silent-drift class: CI verified an unreviewed version while package.json
13135
+ // declared another. The lockfile-package.json agreement + per-platform hash
13136
+ // COMPLETENESS is owned by one shared checker (scripts/check-esbuild-pin.js),
13137
+ // called here and by release.js regen so neither path can silently drift — a
13138
+ // bump that forgets the reviewed hashes fails closed instead of degrading the
13139
+ // smoke pin to a skip.
12377
13140
  function testEsbuildPinAgreesAcrossArtifacts() {
12378
13141
  var checkEsbuildPin = require("../../scripts/check-esbuild-pin.js").checkEsbuildPin;
12379
13142
  var bad = _filterMarkers(checkEsbuildPin().violations, "esbuild-pin-cross-artifact-drift");
12380
- _report("esbuild pin agrees across package.json devDep + ci.yml/npm-publish.yml install + " +
13143
+ _report("esbuild pin agrees across package.json devDep + package-lock.json (npm ci) + " +
12381
13144
  "esbuild-binary-pin.json reviewed per-platform hashes (prevent a workflow / pin silently " +
12382
13145
  "drifting from the reviewed version)",
12383
13146
  bad);
@@ -13278,6 +14041,21 @@ async function run() {
13278
14041
  testBuildProfileWrongKey();
13279
14042
  testNoSilentCatchSwallow();
13280
14043
  testNoDynamicRegexFromOperatorInput();
14044
+ testOperatorRegexScreenedForReDoS();
14045
+ testModuleLoadListMatchesNativeModuleNaming();
14046
+ testCompetingConsumerClaimUsesSkipLocked();
14047
+ testCacheCounterUsesAtomicUpdate();
14048
+ testRegistryCheckThenCreateSerialized();
14049
+ testCertChainIssuanceUsesIssuerValidlyIssued();
14050
+ testDomainToAsciiRejectsUrlDelimiters();
14051
+ testUrlSearchParamsConcatEscapesAmpersand();
14052
+ testEmailDomainDerivationGuardsMultiAt();
14053
+ testFileUploadLifecycleChecksOwnership();
14054
+ testScopeWildcardUsesPermissionsMatch();
14055
+ testQueueRedisGateLuaResultCaptured();
14056
+ testArcInstanceParseUsesSharedHelper();
14057
+ testOid4vciSingleUseClaimGated();
14058
+ testClockSkewOptsAreFiniteGuarded();
13281
14059
  testNoRawXffRead();
13282
14060
  testNoRawForwardedProtoHostRead();
13283
14061
  testNoRawRemoteAddress();