@blamejs/blamejs-shop 0.5.5 → 0.5.7
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/CHANGELOG.md +4 -0
- package/README.md +1 -1
- package/lib/asset-manifest.json +1 -1
- package/lib/storefront.js +30 -17
- package/lib/vendor/MANIFEST.json +1395 -1409
- package/lib/vendor/blamejs/.clusterfuzzlite/Dockerfile +1 -1
- package/lib/vendor/blamejs/.github/dependabot.yml +12 -2
- package/lib/vendor/blamejs/.github/workflows/cflite_batch.yml +3 -3
- package/lib/vendor/blamejs/.github/workflows/cflite_pr.yml +3 -3
- package/lib/vendor/blamejs/.github/workflows/ci.yml +34 -29
- package/lib/vendor/blamejs/.github/workflows/codeql.yml +2 -2
- package/lib/vendor/blamejs/.github/workflows/npm-publish.yml +6 -6
- package/lib/vendor/blamejs/.github/workflows/release-container.yml +8 -8
- package/lib/vendor/blamejs/.github/workflows/scorecard.yml +1 -1
- package/lib/vendor/blamejs/.gitignore +6 -6
- package/lib/vendor/blamejs/CHANGELOG.md +68 -0
- package/lib/vendor/blamejs/CONTRIBUTING.md +16 -0
- package/lib/vendor/blamejs/README.md +2 -1
- package/lib/vendor/blamejs/ROADMAP.md +51 -0
- package/lib/vendor/blamejs/SECURITY.md +52 -1
- package/lib/vendor/blamejs/api-snapshot.json +22 -2
- package/lib/vendor/blamejs/bench/_helpers.js +2 -0
- package/lib/vendor/blamejs/bench/crypto-hash.bench.js +2 -0
- package/lib/vendor/blamejs/bench/crypto-symmetric.bench.js +2 -0
- package/lib/vendor/blamejs/bench/run.js +2 -0
- package/lib/vendor/blamejs/bench/safe-json.bench.js +2 -0
- package/lib/vendor/blamejs/bin/blamejs.js +2 -0
- package/lib/vendor/blamejs/examples/wiki/Dockerfile +1 -1
- package/lib/vendor/blamejs/examples/wiki/lib/auto-site-entries.js +2 -0
- package/lib/vendor/blamejs/examples/wiki/lib/build-app.js +9 -1
- package/lib/vendor/blamejs/examples/wiki/lib/harvest-cli.js +2 -0
- package/lib/vendor/blamejs/examples/wiki/lib/harvest-env-vars.js +2 -0
- package/lib/vendor/blamejs/examples/wiki/lib/harvest-errors.js +2 -0
- package/lib/vendor/blamejs/examples/wiki/lib/harvest-vendored-deps.js +2 -0
- package/lib/vendor/blamejs/examples/wiki/lib/html-entities.js +2 -0
- package/lib/vendor/blamejs/examples/wiki/lib/nav.js +2 -0
- package/lib/vendor/blamejs/examples/wiki/lib/opts-resolver.js +2 -0
- package/lib/vendor/blamejs/examples/wiki/lib/page-generator.js +2 -0
- package/lib/vendor/blamejs/examples/wiki/lib/section.js +2 -0
- package/lib/vendor/blamejs/examples/wiki/lib/source-comment-block-validator.js +2 -0
- package/lib/vendor/blamejs/examples/wiki/lib/source-doc-parser.js +2 -0
- package/lib/vendor/blamejs/examples/wiki/lib/symbol-index.js +2 -0
- package/lib/vendor/blamejs/examples/wiki/migrations/0001-pages-schema.js +2 -0
- package/lib/vendor/blamejs/examples/wiki/package-lock.json +30 -0
- package/lib/vendor/blamejs/examples/wiki/routes/admin.js +2 -0
- package/lib/vendor/blamejs/examples/wiki/routes/integration.js +2 -0
- package/lib/vendor/blamejs/examples/wiki/routes/pages.js +2 -0
- package/lib/vendor/blamejs/examples/wiki/scripts/backfill-module-metadata.js +2 -0
- package/lib/vendor/blamejs/examples/wiki/seeders/prod/0001-default-pages.js +2 -0
- package/lib/vendor/blamejs/examples/wiki/seeders/prod/pages/_index.js +2 -0
- package/lib/vendor/blamejs/examples/wiki/seeders/prod/pages/api.js +2 -0
- package/lib/vendor/blamejs/examples/wiki/server.js +2 -0
- package/lib/vendor/blamejs/examples/wiki/site.config.js +2 -0
- package/lib/vendor/blamejs/examples/wiki/snippets/auth/password-hash.example.js +2 -0
- package/lib/vendor/blamejs/examples/wiki/src/editor.js +2 -0
- package/lib/vendor/blamejs/examples/wiki/src/wiki.js +2 -0
- package/lib/vendor/blamejs/examples/wiki/test/codebase-patterns.test.js +2 -0
- package/lib/vendor/blamejs/examples/wiki/test/e2e.js +23 -0
- package/lib/vendor/blamejs/examples/wiki/test/find-missing-pages.js +2 -0
- package/lib/vendor/blamejs/examples/wiki/test/integration.js +2 -0
- package/lib/vendor/blamejs/examples/wiki/test/validate-cli-snapshot.js +2 -0
- package/lib/vendor/blamejs/examples/wiki/test/validate-env-snapshot.js +2 -0
- package/lib/vendor/blamejs/examples/wiki/test/validate-nav-coverage.js +2 -0
- package/lib/vendor/blamejs/examples/wiki/test/validate-site-coverage.js +2 -0
- package/lib/vendor/blamejs/examples/wiki/test/validate-source-comment-blocks.js +2 -0
- package/lib/vendor/blamejs/examples/wiki/wiki.config.js +2 -0
- package/lib/vendor/blamejs/fuzz/_expected.js +2 -0
- package/lib/vendor/blamejs/fuzz/guard-agent-registry.fuzz.js +2 -0
- package/lib/vendor/blamejs/fuzz/guard-csv.fuzz.js +2 -0
- package/lib/vendor/blamejs/fuzz/guard-dsn.fuzz.js +2 -0
- package/lib/vendor/blamejs/fuzz/guard-email.fuzz.js +2 -0
- package/lib/vendor/blamejs/fuzz/guard-envelope.fuzz.js +2 -0
- package/lib/vendor/blamejs/fuzz/guard-event-bus-payload.fuzz.js +2 -0
- package/lib/vendor/blamejs/fuzz/guard-event-bus-topic.fuzz.js +2 -0
- package/lib/vendor/blamejs/fuzz/guard-html.fuzz.js +2 -0
- package/lib/vendor/blamejs/fuzz/guard-idempotency-key.fuzz.js +2 -0
- package/lib/vendor/blamejs/fuzz/guard-imap-command.fuzz.js +2 -0
- package/lib/vendor/blamejs/fuzz/guard-jmap.fuzz.js +2 -0
- package/lib/vendor/blamejs/fuzz/guard-json.fuzz.js +2 -0
- package/lib/vendor/blamejs/fuzz/guard-list-id.fuzz.js +2 -0
- package/lib/vendor/blamejs/fuzz/guard-list-unsubscribe.fuzz.js +2 -0
- package/lib/vendor/blamejs/fuzz/guard-mail-compose.fuzz.js +2 -0
- package/lib/vendor/blamejs/fuzz/guard-mail-move.fuzz.js +2 -0
- package/lib/vendor/blamejs/fuzz/guard-mail-query.fuzz.js +2 -0
- package/lib/vendor/blamejs/fuzz/guard-mail-reply.fuzz.js +2 -0
- package/lib/vendor/blamejs/fuzz/guard-mail-sieve.fuzz.js +2 -0
- package/lib/vendor/blamejs/fuzz/guard-managesieve-command.fuzz.js +2 -0
- package/lib/vendor/blamejs/fuzz/guard-markdown.fuzz.js +2 -0
- package/lib/vendor/blamejs/fuzz/guard-message-id.fuzz.js +2 -0
- package/lib/vendor/blamejs/fuzz/guard-pop3-command.fuzz.js +2 -0
- package/lib/vendor/blamejs/fuzz/guard-posture-chain.fuzz.js +2 -0
- package/lib/vendor/blamejs/fuzz/guard-saga-config.fuzz.js +2 -0
- package/lib/vendor/blamejs/fuzz/guard-smtp-command.fuzz.js +2 -0
- package/lib/vendor/blamejs/fuzz/guard-snapshot-envelope.fuzz.js +2 -0
- package/lib/vendor/blamejs/fuzz/guard-sql.fuzz.js +2 -0
- package/lib/vendor/blamejs/fuzz/guard-stream-args.fuzz.js +2 -0
- package/lib/vendor/blamejs/fuzz/guard-svg.fuzz.js +2 -0
- package/lib/vendor/blamejs/fuzz/guard-tenant-id.fuzz.js +2 -0
- package/lib/vendor/blamejs/fuzz/guard-text.fuzz.js +2 -0
- package/lib/vendor/blamejs/fuzz/guard-trace-context.fuzz.js +2 -0
- package/lib/vendor/blamejs/fuzz/guard-xml.fuzz.js +2 -0
- package/lib/vendor/blamejs/fuzz/guard-yaml.fuzz.js +2 -0
- package/lib/vendor/blamejs/fuzz/package-lock.json +1239 -0
- package/lib/vendor/blamejs/fuzz/package.json +10 -0
- package/lib/vendor/blamejs/fuzz/parsers__safe-ini.fuzz.js +2 -0
- package/lib/vendor/blamejs/fuzz/parsers__safe-toml.fuzz.js +2 -0
- package/lib/vendor/blamejs/fuzz/parsers__safe-xml.fuzz.js +2 -0
- package/lib/vendor/blamejs/fuzz/parsers__safe-yaml.fuzz.js +2 -0
- package/lib/vendor/blamejs/fuzz/safe-archive.fuzz.js +2 -0
- package/lib/vendor/blamejs/fuzz/safe-decompress.fuzz.js +2 -0
- package/lib/vendor/blamejs/fuzz/safe-dns.fuzz.js +2 -0
- package/lib/vendor/blamejs/fuzz/safe-ical.fuzz.js +2 -0
- package/lib/vendor/blamejs/fuzz/safe-icap.fuzz.js +2 -0
- package/lib/vendor/blamejs/fuzz/safe-json.fuzz.js +2 -0
- package/lib/vendor/blamejs/fuzz/safe-jsonpath.fuzz.js +2 -0
- package/lib/vendor/blamejs/fuzz/safe-mime.fuzz.js +2 -0
- package/lib/vendor/blamejs/fuzz/safe-mount-info.fuzz.js +2 -0
- package/lib/vendor/blamejs/fuzz/safe-sieve.fuzz.js +2 -0
- package/lib/vendor/blamejs/fuzz/safe-smtp.fuzz.js +2 -0
- package/lib/vendor/blamejs/fuzz/safe-url.fuzz.js +2 -0
- package/lib/vendor/blamejs/fuzz/safe-vcard.fuzz.js +2 -0
- package/lib/vendor/blamejs/index.js +2 -0
- package/lib/vendor/blamejs/lib/_test/crypto-fixtures.js +2 -0
- package/lib/vendor/blamejs/lib/a2a-tasks.js +2 -0
- package/lib/vendor/blamejs/lib/a2a.js +2 -0
- package/lib/vendor/blamejs/lib/acme.js +7 -1
- package/lib/vendor/blamejs/lib/agent-audit.js +2 -0
- package/lib/vendor/blamejs/lib/agent-envelope-mac.js +2 -0
- package/lib/vendor/blamejs/lib/agent-event-bus.js +2 -0
- package/lib/vendor/blamejs/lib/agent-idempotency.js +2 -0
- package/lib/vendor/blamejs/lib/agent-orchestrator.js +10 -2
- package/lib/vendor/blamejs/lib/agent-posture-chain.js +2 -0
- package/lib/vendor/blamejs/lib/agent-saga.js +2 -0
- package/lib/vendor/blamejs/lib/agent-snapshot.js +2 -0
- package/lib/vendor/blamejs/lib/agent-stream.js +2 -0
- package/lib/vendor/blamejs/lib/agent-tenant.js +11 -2
- package/lib/vendor/blamejs/lib/agent-trace.js +2 -0
- package/lib/vendor/blamejs/lib/ai-adverse-decision.js +2 -0
- package/lib/vendor/blamejs/lib/ai-aedt-bias-audit.js +2 -0
- package/lib/vendor/blamejs/lib/ai-capability.js +2 -0
- package/lib/vendor/blamejs/lib/ai-content-detect.js +2 -0
- package/lib/vendor/blamejs/lib/ai-disclosure.js +2 -0
- package/lib/vendor/blamejs/lib/ai-dp.js +2 -0
- package/lib/vendor/blamejs/lib/ai-frontier-protocol.js +2 -0
- package/lib/vendor/blamejs/lib/ai-input.js +2 -0
- package/lib/vendor/blamejs/lib/ai-model-manifest.js +2 -0
- package/lib/vendor/blamejs/lib/ai-output.js +2 -0
- package/lib/vendor/blamejs/lib/ai-pref.js +2 -0
- package/lib/vendor/blamejs/lib/ai-prompt.js +2 -0
- package/lib/vendor/blamejs/lib/ai-quota.js +2 -0
- package/lib/vendor/blamejs/lib/api-key.js +2 -0
- package/lib/vendor/blamejs/lib/api-snapshot.js +2 -0
- package/lib/vendor/blamejs/lib/app-shutdown.js +2 -0
- package/lib/vendor/blamejs/lib/app.js +2 -0
- package/lib/vendor/blamejs/lib/archive-adapters.js +2 -0
- package/lib/vendor/blamejs/lib/archive-entry-policy.js +2 -0
- package/lib/vendor/blamejs/lib/archive-gz.js +2 -0
- package/lib/vendor/blamejs/lib/archive-read.js +2 -0
- package/lib/vendor/blamejs/lib/archive-tar-read.js +2 -0
- package/lib/vendor/blamejs/lib/archive-tar.js +9 -0
- package/lib/vendor/blamejs/lib/archive-wrap.js +2 -0
- package/lib/vendor/blamejs/lib/archive.js +6 -0
- package/lib/vendor/blamejs/lib/arg-parser.js +2 -0
- package/lib/vendor/blamejs/lib/argon2-builtin.js +2 -0
- package/lib/vendor/blamejs/lib/asn1-der.js +2 -0
- package/lib/vendor/blamejs/lib/asyncapi-bindings.js +2 -0
- package/lib/vendor/blamejs/lib/asyncapi-traits.js +2 -0
- package/lib/vendor/blamejs/lib/asyncapi.js +2 -0
- package/lib/vendor/blamejs/lib/atomic-file.js +2 -0
- package/lib/vendor/blamejs/lib/audit-chain.js +2 -0
- package/lib/vendor/blamejs/lib/audit-daily-review.js +2 -0
- package/lib/vendor/blamejs/lib/audit-emit.js +2 -0
- package/lib/vendor/blamejs/lib/audit-sign.js +2 -0
- package/lib/vendor/blamejs/lib/audit-tools.js +2 -0
- package/lib/vendor/blamejs/lib/audit.js +2 -0
- package/lib/vendor/blamejs/lib/auth/aal.js +2 -0
- package/lib/vendor/blamejs/lib/auth/access-lock.js +2 -0
- package/lib/vendor/blamejs/lib/auth/acr-vocabulary.js +2 -0
- package/lib/vendor/blamejs/lib/auth/ato-kill-switch.js +48 -11
- package/lib/vendor/blamejs/lib/auth/auth-time-tracker.js +2 -0
- package/lib/vendor/blamejs/lib/auth/bot-challenge.js +2 -0
- package/lib/vendor/blamejs/lib/auth/ciba.js +2 -0
- package/lib/vendor/blamejs/lib/auth/dpop.js +2 -0
- package/lib/vendor/blamejs/lib/auth/elevation-grant.js +2 -0
- package/lib/vendor/blamejs/lib/auth/fal.js +2 -0
- package/lib/vendor/blamejs/lib/auth/fido-mds3.js +11 -7
- package/lib/vendor/blamejs/lib/auth/jar.js +4 -1
- package/lib/vendor/blamejs/lib/auth/jwt-external.js +16 -3
- package/lib/vendor/blamejs/lib/auth/jwt.js +2 -0
- package/lib/vendor/blamejs/lib/auth/lockout.js +237 -104
- package/lib/vendor/blamejs/lib/auth/oauth.js +98 -17
- package/lib/vendor/blamejs/lib/auth/oid4vci.js +58 -17
- package/lib/vendor/blamejs/lib/auth/oid4vp.js +2 -0
- package/lib/vendor/blamejs/lib/auth/openid-federation.js +2 -0
- package/lib/vendor/blamejs/lib/auth/passkey.js +2 -0
- package/lib/vendor/blamejs/lib/auth/password.js +2 -0
- package/lib/vendor/blamejs/lib/auth/saml.js +68 -7
- package/lib/vendor/blamejs/lib/auth/sd-jwt-vc-disclosure.js +2 -0
- package/lib/vendor/blamejs/lib/auth/sd-jwt-vc-holder.js +2 -0
- package/lib/vendor/blamejs/lib/auth/sd-jwt-vc-issuer.js +2 -0
- package/lib/vendor/blamejs/lib/auth/sd-jwt-vc.js +9 -0
- package/lib/vendor/blamejs/lib/auth/status-list.js +7 -0
- package/lib/vendor/blamejs/lib/auth/step-up-policy.js +2 -0
- package/lib/vendor/blamejs/lib/auth/step-up.js +2 -0
- package/lib/vendor/blamejs/lib/auth-bot-challenge.js +5 -8
- package/lib/vendor/blamejs/lib/auth-header.js +2 -0
- package/lib/vendor/blamejs/lib/backup/bundle.js +2 -0
- package/lib/vendor/blamejs/lib/backup/crypto.js +2 -0
- package/lib/vendor/blamejs/lib/backup/index.js +14 -0
- package/lib/vendor/blamejs/lib/backup/manifest.js +2 -0
- package/lib/vendor/blamejs/lib/base32.js +2 -0
- package/lib/vendor/blamejs/lib/boot-gates.js +2 -0
- package/lib/vendor/blamejs/lib/bounded-map.js +3 -1
- package/lib/vendor/blamejs/lib/breach-deadline.js +2 -0
- package/lib/vendor/blamejs/lib/break-glass.js +10 -9
- package/lib/vendor/blamejs/lib/budr.js +2 -0
- package/lib/vendor/blamejs/lib/bundler.js +2 -0
- package/lib/vendor/blamejs/lib/cache-redis.js +2 -0
- package/lib/vendor/blamejs/lib/cache-status.js +2 -0
- package/lib/vendor/blamejs/lib/cache.js +13 -5
- package/lib/vendor/blamejs/lib/calendar.js +2 -0
- package/lib/vendor/blamejs/lib/canonical-json.js +19 -3
- package/lib/vendor/blamejs/lib/cbor.js +2 -0
- package/lib/vendor/blamejs/lib/cdn-cache-control.js +2 -0
- package/lib/vendor/blamejs/lib/cert.js +2 -0
- package/lib/vendor/blamejs/lib/chain-writer.js +2 -0
- package/lib/vendor/blamejs/lib/circuit-breaker.js +2 -0
- package/lib/vendor/blamejs/lib/cli-helpers.js +2 -0
- package/lib/vendor/blamejs/lib/cli.js +57 -20
- package/lib/vendor/blamejs/lib/client-hints.js +2 -0
- package/lib/vendor/blamejs/lib/cloud-events.js +2 -0
- package/lib/vendor/blamejs/lib/cluster-provider-db.js +2 -0
- package/lib/vendor/blamejs/lib/cluster-storage.js +2 -0
- package/lib/vendor/blamejs/lib/cluster.js +2 -0
- package/lib/vendor/blamejs/lib/cms-codec.js +2 -0
- package/lib/vendor/blamejs/lib/codepoint-class.js +2 -0
- package/lib/vendor/blamejs/lib/compliance-ai-act-logging.js +2 -0
- package/lib/vendor/blamejs/lib/compliance-ai-act-prohibited.js +2 -0
- package/lib/vendor/blamejs/lib/compliance-ai-act-risk.js +2 -0
- package/lib/vendor/blamejs/lib/compliance-ai-act-transparency.js +2 -0
- package/lib/vendor/blamejs/lib/compliance-ai-act.js +2 -0
- package/lib/vendor/blamejs/lib/compliance-eaa.js +2 -0
- package/lib/vendor/blamejs/lib/compliance-sanctions-aliases.js +2 -0
- package/lib/vendor/blamejs/lib/compliance-sanctions-fetcher.js +2 -0
- package/lib/vendor/blamejs/lib/compliance-sanctions-fuzzy.js +2 -0
- package/lib/vendor/blamejs/lib/compliance-sanctions.js +2 -0
- package/lib/vendor/blamejs/lib/compliance.js +2 -0
- package/lib/vendor/blamejs/lib/config-drift.js +2 -0
- package/lib/vendor/blamejs/lib/config.js +2 -0
- package/lib/vendor/blamejs/lib/consent.js +2 -0
- package/lib/vendor/blamejs/lib/constants.js +2 -0
- package/lib/vendor/blamejs/lib/content-credentials.js +2 -0
- package/lib/vendor/blamejs/lib/content-digest.js +2 -0
- package/lib/vendor/blamejs/lib/cookies.js +2 -0
- package/lib/vendor/blamejs/lib/cose.js +2 -0
- package/lib/vendor/blamejs/lib/cra-report.js +2 -0
- package/lib/vendor/blamejs/lib/crdt.js +2 -0
- package/lib/vendor/blamejs/lib/credential-hash.js +2 -0
- package/lib/vendor/blamejs/lib/crypto-field.js +2 -0
- package/lib/vendor/blamejs/lib/crypto-hpke-pq.js +2 -0
- package/lib/vendor/blamejs/lib/crypto-hpke.js +2 -0
- package/lib/vendor/blamejs/lib/crypto-oprf.js +2 -0
- package/lib/vendor/blamejs/lib/crypto-xwing.js +2 -0
- package/lib/vendor/blamejs/lib/crypto.js +2 -0
- package/lib/vendor/blamejs/lib/csp.js +2 -0
- package/lib/vendor/blamejs/lib/csv.js +14 -1
- package/lib/vendor/blamejs/lib/cwt.js +2 -0
- package/lib/vendor/blamejs/lib/daemon.js +2 -0
- package/lib/vendor/blamejs/lib/dark-patterns.js +2 -0
- package/lib/vendor/blamejs/lib/data-act.js +2 -0
- package/lib/vendor/blamejs/lib/db-collection.js +2 -0
- package/lib/vendor/blamejs/lib/db-declare-row-policy.js +2 -0
- package/lib/vendor/blamejs/lib/db-declare-view.js +2 -0
- package/lib/vendor/blamejs/lib/db-file-lifecycle.js +2 -0
- package/lib/vendor/blamejs/lib/db-query.js +2 -0
- package/lib/vendor/blamejs/lib/db-role-context.js +2 -0
- package/lib/vendor/blamejs/lib/db-schema.js +2 -0
- package/lib/vendor/blamejs/lib/db.js +2 -0
- package/lib/vendor/blamejs/lib/dbsc.js +2 -0
- package/lib/vendor/blamejs/lib/ddl-change-control.js +2 -0
- package/lib/vendor/blamejs/lib/deprecate.js +2 -0
- package/lib/vendor/blamejs/lib/dev.js +2 -0
- package/lib/vendor/blamejs/lib/did.js +2 -0
- package/lib/vendor/blamejs/lib/dora.js +2 -0
- package/lib/vendor/blamejs/lib/dr-runbook.js +2 -0
- package/lib/vendor/blamejs/lib/dsa.js +2 -0
- package/lib/vendor/blamejs/lib/dsr.js +2 -0
- package/lib/vendor/blamejs/lib/dual-control.js +11 -15
- package/lib/vendor/blamejs/lib/early-hints.js +2 -0
- package/lib/vendor/blamejs/lib/eat.js +4 -1
- package/lib/vendor/blamejs/lib/error-page.js +2 -0
- package/lib/vendor/blamejs/lib/events.js +2 -0
- package/lib/vendor/blamejs/lib/external-db-migrate.js +2 -0
- package/lib/vendor/blamejs/lib/external-db.js +2 -0
- package/lib/vendor/blamejs/lib/fapi2.js +2 -0
- package/lib/vendor/blamejs/lib/fda-21cfr11.js +2 -0
- package/lib/vendor/blamejs/lib/fdx.js +2 -0
- package/lib/vendor/blamejs/lib/fedcm.js +2 -0
- package/lib/vendor/blamejs/lib/file-type.js +2 -0
- package/lib/vendor/blamejs/lib/file-upload.js +139 -21
- package/lib/vendor/blamejs/lib/flag-cache.js +2 -0
- package/lib/vendor/blamejs/lib/flag-evaluation-context.js +2 -0
- package/lib/vendor/blamejs/lib/flag-providers.js +2 -0
- package/lib/vendor/blamejs/lib/flag-targeting.js +4 -7
- package/lib/vendor/blamejs/lib/flag.js +2 -0
- package/lib/vendor/blamejs/lib/forms.js +11 -0
- package/lib/vendor/blamejs/lib/framework-error.js +2 -0
- package/lib/vendor/blamejs/lib/framework-files.js +2 -0
- package/lib/vendor/blamejs/lib/framework-schema.js +2 -0
- package/lib/vendor/blamejs/lib/framework-sha1-hibp.js +2 -0
- package/lib/vendor/blamejs/lib/fsm.js +2 -0
- package/lib/vendor/blamejs/lib/gate-contract.js +2 -0
- package/lib/vendor/blamejs/lib/gdpr-ropa.js +2 -0
- package/lib/vendor/blamejs/lib/graphql-federation.js +2 -0
- package/lib/vendor/blamejs/lib/guard-agent-registry.js +2 -0
- package/lib/vendor/blamejs/lib/guard-all.js +2 -0
- package/lib/vendor/blamejs/lib/guard-archive.js +2 -0
- package/lib/vendor/blamejs/lib/guard-auth.js +2 -0
- package/lib/vendor/blamejs/lib/guard-cidr.js +2 -0
- package/lib/vendor/blamejs/lib/guard-csv.js +2 -0
- package/lib/vendor/blamejs/lib/guard-domain.js +2 -0
- package/lib/vendor/blamejs/lib/guard-dsn.js +2 -0
- package/lib/vendor/blamejs/lib/guard-email.js +2 -0
- package/lib/vendor/blamejs/lib/guard-envelope.js +2 -0
- package/lib/vendor/blamejs/lib/guard-event-bus-payload.js +2 -0
- package/lib/vendor/blamejs/lib/guard-event-bus-topic.js +2 -0
- package/lib/vendor/blamejs/lib/guard-filename.js +2 -0
- package/lib/vendor/blamejs/lib/guard-graphql.js +2 -0
- package/lib/vendor/blamejs/lib/guard-html-wcag-aria.js +2 -0
- package/lib/vendor/blamejs/lib/guard-html-wcag-forms.js +2 -0
- package/lib/vendor/blamejs/lib/guard-html-wcag-tables.js +2 -0
- package/lib/vendor/blamejs/lib/guard-html-wcag-tagwalk.js +2 -0
- package/lib/vendor/blamejs/lib/guard-html-wcag.js +2 -0
- package/lib/vendor/blamejs/lib/guard-html.js +2 -0
- package/lib/vendor/blamejs/lib/guard-idempotency-key.js +2 -0
- package/lib/vendor/blamejs/lib/guard-image.js +2 -0
- package/lib/vendor/blamejs/lib/guard-imap-command.js +2 -0
- package/lib/vendor/blamejs/lib/guard-jmap.js +2 -0
- package/lib/vendor/blamejs/lib/guard-json.js +2 -0
- package/lib/vendor/blamejs/lib/guard-jsonpath.js +2 -0
- package/lib/vendor/blamejs/lib/guard-jwt.js +2 -0
- package/lib/vendor/blamejs/lib/guard-list-id.js +2 -0
- package/lib/vendor/blamejs/lib/guard-list-unsubscribe.js +2 -0
- package/lib/vendor/blamejs/lib/guard-mail-compose.js +2 -0
- package/lib/vendor/blamejs/lib/guard-mail-move.js +2 -0
- package/lib/vendor/blamejs/lib/guard-mail-query.js +2 -0
- package/lib/vendor/blamejs/lib/guard-mail-reply.js +2 -0
- package/lib/vendor/blamejs/lib/guard-mail-sieve.js +2 -0
- package/lib/vendor/blamejs/lib/guard-managesieve-command.js +2 -0
- package/lib/vendor/blamejs/lib/guard-markdown.js +2 -0
- package/lib/vendor/blamejs/lib/guard-message-id.js +2 -0
- package/lib/vendor/blamejs/lib/guard-mime.js +2 -0
- package/lib/vendor/blamejs/lib/guard-oauth.js +14 -1
- package/lib/vendor/blamejs/lib/guard-pdf.js +2 -0
- package/lib/vendor/blamejs/lib/guard-pop3-command.js +2 -0
- package/lib/vendor/blamejs/lib/guard-posture-chain.js +2 -0
- package/lib/vendor/blamejs/lib/guard-regex.js +59 -0
- package/lib/vendor/blamejs/lib/guard-saga-config.js +2 -0
- package/lib/vendor/blamejs/lib/guard-shell.js +2 -0
- package/lib/vendor/blamejs/lib/guard-smtp-command.js +2 -0
- package/lib/vendor/blamejs/lib/guard-snapshot-envelope.js +2 -0
- package/lib/vendor/blamejs/lib/guard-sql.js +2 -0
- package/lib/vendor/blamejs/lib/guard-stream-args.js +2 -0
- package/lib/vendor/blamejs/lib/guard-svg.js +2 -0
- package/lib/vendor/blamejs/lib/guard-template.js +2 -0
- package/lib/vendor/blamejs/lib/guard-tenant-id.js +2 -0
- package/lib/vendor/blamejs/lib/guard-text.js +2 -0
- package/lib/vendor/blamejs/lib/guard-time.js +2 -0
- package/lib/vendor/blamejs/lib/guard-trace-context.js +2 -0
- package/lib/vendor/blamejs/lib/guard-uuid.js +2 -0
- package/lib/vendor/blamejs/lib/guard-xml.js +2 -0
- package/lib/vendor/blamejs/lib/guard-yaml.js +2 -0
- package/lib/vendor/blamejs/lib/hal.js +2 -0
- package/lib/vendor/blamejs/lib/handlers.js +2 -0
- package/lib/vendor/blamejs/lib/honeytoken.js +2 -0
- package/lib/vendor/blamejs/lib/html-balance.js +2 -0
- package/lib/vendor/blamejs/lib/http-client-cache.js +2 -0
- package/lib/vendor/blamejs/lib/http-client-cookie-jar.js +2 -0
- package/lib/vendor/blamejs/lib/http-client.js +2 -0
- package/lib/vendor/blamejs/lib/http-message-signature.js +144 -11
- package/lib/vendor/blamejs/lib/http2-teardown.js +2 -0
- package/lib/vendor/blamejs/lib/i18n-messageformat.js +35 -6
- package/lib/vendor/blamejs/lib/i18n.js +2 -0
- package/lib/vendor/blamejs/lib/iab-mspa.js +2 -0
- package/lib/vendor/blamejs/lib/iab-tcf.js +2 -0
- package/lib/vendor/blamejs/lib/importmap-integrity.js +2 -0
- package/lib/vendor/blamejs/lib/inbox.js +2 -0
- package/lib/vendor/blamejs/lib/incident-report.js +2 -0
- package/lib/vendor/blamejs/lib/ip-utils.js +2 -0
- package/lib/vendor/blamejs/lib/jobs.js +2 -0
- package/lib/vendor/blamejs/lib/jose-jwe-experimental.js +2 -0
- package/lib/vendor/blamejs/lib/json-merge-patch.js +2 -0
- package/lib/vendor/blamejs/lib/json-patch.js +2 -0
- package/lib/vendor/blamejs/lib/json-path.js +2 -0
- package/lib/vendor/blamejs/lib/json-pointer.js +2 -0
- package/lib/vendor/blamejs/lib/json-schema.js +13 -1
- package/lib/vendor/blamejs/lib/jsonapi.js +2 -0
- package/lib/vendor/blamejs/lib/jtd.js +2 -0
- package/lib/vendor/blamejs/lib/jwk.js +2 -0
- package/lib/vendor/blamejs/lib/keychain.js +32 -10
- package/lib/vendor/blamejs/lib/lazy-require.js +2 -0
- package/lib/vendor/blamejs/lib/legal-hold.js +2 -0
- package/lib/vendor/blamejs/lib/link-header.js +2 -0
- package/lib/vendor/blamejs/lib/local-db-thin.js +2 -0
- package/lib/vendor/blamejs/lib/log-stream-cloudwatch.js +2 -0
- package/lib/vendor/blamejs/lib/log-stream-local.js +2 -0
- package/lib/vendor/blamejs/lib/log-stream-otlp-grpc.js +2 -0
- package/lib/vendor/blamejs/lib/log-stream-otlp.js +2 -0
- package/lib/vendor/blamejs/lib/log-stream-syslog.js +2 -0
- package/lib/vendor/blamejs/lib/log-stream-webhook.js +2 -0
- package/lib/vendor/blamejs/lib/log-stream.js +2 -0
- package/lib/vendor/blamejs/lib/log.js +2 -0
- package/lib/vendor/blamejs/lib/lro.js +2 -0
- package/lib/vendor/blamejs/lib/mail-agent.js +2 -0
- package/lib/vendor/blamejs/lib/mail-arc-reuse-token.js +20 -0
- package/lib/vendor/blamejs/lib/mail-arc-sign.js +32 -14
- package/lib/vendor/blamejs/lib/mail-arf.js +4 -0
- package/lib/vendor/blamejs/lib/mail-auth.js +93 -19
- package/lib/vendor/blamejs/lib/mail-bimi.js +26 -10
- package/lib/vendor/blamejs/lib/mail-bounce.js +23 -6
- package/lib/vendor/blamejs/lib/mail-crypto-pgp.js +2 -0
- package/lib/vendor/blamejs/lib/mail-crypto-smime.js +2 -0
- package/lib/vendor/blamejs/lib/mail-crypto.js +2 -0
- package/lib/vendor/blamejs/lib/mail-dav.js +2 -0
- package/lib/vendor/blamejs/lib/mail-deploy.js +2 -0
- package/lib/vendor/blamejs/lib/mail-dkim.js +44 -5
- package/lib/vendor/blamejs/lib/mail-greylist.js +2 -0
- package/lib/vendor/blamejs/lib/mail-helo.js +16 -0
- package/lib/vendor/blamejs/lib/mail-journal.js +2 -0
- package/lib/vendor/blamejs/lib/mail-mdn.js +17 -0
- package/lib/vendor/blamejs/lib/mail-rbl.js +2 -0
- package/lib/vendor/blamejs/lib/mail-require-tls.js +2 -0
- package/lib/vendor/blamejs/lib/mail-scan.js +2 -0
- package/lib/vendor/blamejs/lib/mail-send-deliver.js +32 -7
- package/lib/vendor/blamejs/lib/mail-server-imap.js +2 -0
- package/lib/vendor/blamejs/lib/mail-server-jmap.js +23 -11
- package/lib/vendor/blamejs/lib/mail-server-managesieve.js +2 -0
- package/lib/vendor/blamejs/lib/mail-server-mx.js +2 -0
- package/lib/vendor/blamejs/lib/mail-server-net.js +2 -0
- package/lib/vendor/blamejs/lib/mail-server-pop3.js +2 -0
- package/lib/vendor/blamejs/lib/mail-server-rate-limit.js +2 -0
- package/lib/vendor/blamejs/lib/mail-server-registry.js +2 -0
- package/lib/vendor/blamejs/lib/mail-server-submission.js +2 -0
- package/lib/vendor/blamejs/lib/mail-server-tls.js +2 -0
- package/lib/vendor/blamejs/lib/mail-sieve.js +2 -0
- package/lib/vendor/blamejs/lib/mail-spam-score.js +2 -0
- package/lib/vendor/blamejs/lib/mail-srs.js +8 -0
- package/lib/vendor/blamejs/lib/mail-store-fts.js +2 -0
- package/lib/vendor/blamejs/lib/mail-store.js +2 -0
- package/lib/vendor/blamejs/lib/mail-unsubscribe.js +2 -0
- package/lib/vendor/blamejs/lib/mail.js +11 -0
- package/lib/vendor/blamejs/lib/markup-escape.js +2 -0
- package/lib/vendor/blamejs/lib/markup-tokenizer.js +2 -0
- package/lib/vendor/blamejs/lib/mcp-tool-registry.js +2 -0
- package/lib/vendor/blamejs/lib/mcp.js +4 -2
- package/lib/vendor/blamejs/lib/mdoc.js +2 -0
- package/lib/vendor/blamejs/lib/metrics.js +2 -0
- package/lib/vendor/blamejs/lib/middleware/age-gate.js +2 -0
- package/lib/vendor/blamejs/lib/middleware/ai-act-disclosure.js +2 -0
- package/lib/vendor/blamejs/lib/middleware/api-encrypt.js +2 -0
- package/lib/vendor/blamejs/lib/middleware/assetlinks.js +2 -0
- package/lib/vendor/blamejs/lib/middleware/asyncapi-serve.js +2 -0
- package/lib/vendor/blamejs/lib/middleware/attach-user.js +2 -0
- package/lib/vendor/blamejs/lib/middleware/bearer-auth.js +2 -0
- package/lib/vendor/blamejs/lib/middleware/body-parser.js +2 -0
- package/lib/vendor/blamejs/lib/middleware/bot-disclose.js +2 -0
- package/lib/vendor/blamejs/lib/middleware/bot-guard.js +10 -1
- package/lib/vendor/blamejs/lib/middleware/clear-site-data.js +2 -0
- package/lib/vendor/blamejs/lib/middleware/compose-pipeline.js +2 -0
- package/lib/vendor/blamejs/lib/middleware/compression.js +2 -0
- package/lib/vendor/blamejs/lib/middleware/cookies.js +2 -0
- package/lib/vendor/blamejs/lib/middleware/cors.js +7 -0
- package/lib/vendor/blamejs/lib/middleware/csp-nonce.js +2 -0
- package/lib/vendor/blamejs/lib/middleware/csp-report.js +2 -0
- package/lib/vendor/blamejs/lib/middleware/csrf-protect.js +12 -5
- package/lib/vendor/blamejs/lib/middleware/daily-byte-quota.js +2 -0
- package/lib/vendor/blamejs/lib/middleware/db-role-for.js +2 -0
- package/lib/vendor/blamejs/lib/middleware/deny-response.js +2 -0
- package/lib/vendor/blamejs/lib/middleware/dpop.js +2 -0
- package/lib/vendor/blamejs/lib/middleware/error-handler.js +2 -0
- package/lib/vendor/blamejs/lib/middleware/fetch-metadata.js +2 -0
- package/lib/vendor/blamejs/lib/middleware/flag-context.js +2 -0
- package/lib/vendor/blamejs/lib/middleware/gpc.js +2 -0
- package/lib/vendor/blamejs/lib/middleware/headers.js +2 -0
- package/lib/vendor/blamejs/lib/middleware/health.js +2 -0
- package/lib/vendor/blamejs/lib/middleware/host-allowlist.js +2 -0
- package/lib/vendor/blamejs/lib/middleware/idempotency-key.js +30 -2
- package/lib/vendor/blamejs/lib/middleware/index.js +2 -0
- package/lib/vendor/blamejs/lib/middleware/nel.js +2 -0
- package/lib/vendor/blamejs/lib/middleware/network-allowlist.js +2 -0
- package/lib/vendor/blamejs/lib/middleware/no-cache.js +2 -0
- package/lib/vendor/blamejs/lib/middleware/openapi-serve.js +2 -0
- package/lib/vendor/blamejs/lib/middleware/protected-resource-metadata.js +2 -0
- package/lib/vendor/blamejs/lib/middleware/rate-limit.js +2 -0
- package/lib/vendor/blamejs/lib/middleware/request-id.js +2 -0
- package/lib/vendor/blamejs/lib/middleware/request-log.js +6 -0
- package/lib/vendor/blamejs/lib/middleware/require-aal.js +2 -0
- package/lib/vendor/blamejs/lib/middleware/require-auth.js +2 -0
- package/lib/vendor/blamejs/lib/middleware/require-bound-key.js +2 -0
- package/lib/vendor/blamejs/lib/middleware/require-content-type.js +2 -0
- package/lib/vendor/blamejs/lib/middleware/require-methods.js +2 -0
- package/lib/vendor/blamejs/lib/middleware/require-mtls.js +2 -0
- package/lib/vendor/blamejs/lib/middleware/require-step-up.js +42 -1
- package/lib/vendor/blamejs/lib/middleware/scim-server.js +2 -0
- package/lib/vendor/blamejs/lib/middleware/security-headers.js +2 -0
- package/lib/vendor/blamejs/lib/middleware/security-txt.js +2 -0
- package/lib/vendor/blamejs/lib/middleware/span-http-server.js +12 -0
- package/lib/vendor/blamejs/lib/middleware/speculation-rules.js +2 -0
- package/lib/vendor/blamejs/lib/middleware/sse.js +2 -0
- package/lib/vendor/blamejs/lib/middleware/trace-log-correlation.js +2 -0
- package/lib/vendor/blamejs/lib/middleware/trace-propagate.js +2 -0
- package/lib/vendor/blamejs/lib/middleware/tus-upload.js +2 -0
- package/lib/vendor/blamejs/lib/middleware/web-app-manifest.js +2 -0
- package/lib/vendor/blamejs/lib/migration-files.js +2 -0
- package/lib/vendor/blamejs/lib/migrations.js +2 -0
- package/lib/vendor/blamejs/lib/mime-parse.js +5 -1
- package/lib/vendor/blamejs/lib/module-loader.js +2 -0
- package/lib/vendor/blamejs/lib/money.js +2 -0
- package/lib/vendor/blamejs/lib/mtls-ca.js +2 -0
- package/lib/vendor/blamejs/lib/mtls-engine-default.js +2 -0
- package/lib/vendor/blamejs/lib/network-byte-quota.js +76 -14
- package/lib/vendor/blamejs/lib/network-dane.js +2 -0
- package/lib/vendor/blamejs/lib/network-dns-resolver.js +55 -18
- package/lib/vendor/blamejs/lib/network-dns.js +2 -0
- package/lib/vendor/blamejs/lib/network-dnssec.js +15 -2
- package/lib/vendor/blamejs/lib/network-heartbeat.js +2 -0
- package/lib/vendor/blamejs/lib/network-nts.js +2 -0
- package/lib/vendor/blamejs/lib/network-proxy.js +2 -0
- package/lib/vendor/blamejs/lib/network-smtp-policy.js +6 -1
- package/lib/vendor/blamejs/lib/network-tls.js +99 -5
- package/lib/vendor/blamejs/lib/network-tsig.js +13 -1
- package/lib/vendor/blamejs/lib/network.js +2 -0
- package/lib/vendor/blamejs/lib/nis2-report.js +2 -0
- package/lib/vendor/blamejs/lib/nist-crosswalk.js +2 -0
- package/lib/vendor/blamejs/lib/nonce-store.js +2 -0
- package/lib/vendor/blamejs/lib/notify.js +2 -0
- package/lib/vendor/blamejs/lib/ntp-check.js +2 -0
- package/lib/vendor/blamejs/lib/numeric-bounds.js +2 -0
- package/lib/vendor/blamejs/lib/numeric-checks.js +2 -0
- package/lib/vendor/blamejs/lib/object-store/azure-blob-bucket-ops.js +2 -0
- package/lib/vendor/blamejs/lib/object-store/azure-blob.js +2 -0
- package/lib/vendor/blamejs/lib/object-store/gcs-bucket-ops.js +2 -0
- package/lib/vendor/blamejs/lib/object-store/gcs.js +2 -0
- package/lib/vendor/blamejs/lib/object-store/http-put.js +2 -0
- package/lib/vendor/blamejs/lib/object-store/http-request.js +2 -0
- package/lib/vendor/blamejs/lib/object-store/index.js +2 -0
- package/lib/vendor/blamejs/lib/object-store/local.js +2 -0
- package/lib/vendor/blamejs/lib/object-store/sigv4-bucket-ops.js +2 -0
- package/lib/vendor/blamejs/lib/object-store/sigv4.js +2 -0
- package/lib/vendor/blamejs/lib/observability-otlp-exporter.js +4 -2
- package/lib/vendor/blamejs/lib/observability-tracer.js +2 -0
- package/lib/vendor/blamejs/lib/observability.js +2 -0
- package/lib/vendor/blamejs/lib/openapi-paths-builder.js +2 -0
- package/lib/vendor/blamejs/lib/openapi-schema-walk.js +2 -0
- package/lib/vendor/blamejs/lib/openapi-security.js +2 -0
- package/lib/vendor/blamejs/lib/openapi-yaml.js +2 -0
- package/lib/vendor/blamejs/lib/openapi.js +2 -0
- package/lib/vendor/blamejs/lib/otel-export.js +2 -0
- package/lib/vendor/blamejs/lib/outbox.js +2 -0
- package/lib/vendor/blamejs/lib/pagination.js +2 -0
- package/lib/vendor/blamejs/lib/parsers/index.js +2 -0
- package/lib/vendor/blamejs/lib/parsers/safe-env.js +2 -0
- package/lib/vendor/blamejs/lib/parsers/safe-ini.js +2 -0
- package/lib/vendor/blamejs/lib/parsers/safe-toml.js +2 -0
- package/lib/vendor/blamejs/lib/parsers/safe-xml.js +2 -0
- package/lib/vendor/blamejs/lib/parsers/safe-yaml.js +2 -0
- package/lib/vendor/blamejs/lib/permissions.js +2 -0
- package/lib/vendor/blamejs/lib/pick.js +2 -0
- package/lib/vendor/blamejs/lib/pipl-cn.js +2 -0
- package/lib/vendor/blamejs/lib/pqc-agent.js +2 -0
- package/lib/vendor/blamejs/lib/pqc-gate.js +2 -0
- package/lib/vendor/blamejs/lib/pqc-software.js +2 -0
- package/lib/vendor/blamejs/lib/privacy-pass.js +2 -0
- package/lib/vendor/blamejs/lib/privacy.js +2 -0
- package/lib/vendor/blamejs/lib/problem-details.js +2 -0
- package/lib/vendor/blamejs/lib/process-spawn.js +2 -0
- package/lib/vendor/blamejs/lib/promise-pool.js +2 -0
- package/lib/vendor/blamejs/lib/protobuf-encoder.js +2 -0
- package/lib/vendor/blamejs/lib/protocol-dispatcher.js +2 -0
- package/lib/vendor/blamejs/lib/public-suffix.js +45 -5
- package/lib/vendor/blamejs/lib/pubsub-cluster.js +2 -0
- package/lib/vendor/blamejs/lib/pubsub-redis.js +2 -0
- package/lib/vendor/blamejs/lib/pubsub.js +2 -0
- package/lib/vendor/blamejs/lib/queue-local.js +28 -11
- package/lib/vendor/blamejs/lib/queue-redis.js +79 -17
- package/lib/vendor/blamejs/lib/queue-sqs.js +2 -0
- package/lib/vendor/blamejs/lib/queue.js +5 -3
- package/lib/vendor/blamejs/lib/redact.js +2 -0
- package/lib/vendor/blamejs/lib/redis-client.js +30 -5
- package/lib/vendor/blamejs/lib/render.js +2 -0
- package/lib/vendor/blamejs/lib/request-helpers.js +11 -0
- package/lib/vendor/blamejs/lib/resource-access-lock.js +2 -0
- package/lib/vendor/blamejs/lib/restore-bundle.js +2 -0
- package/lib/vendor/blamejs/lib/restore-rollback.js +2 -0
- package/lib/vendor/blamejs/lib/restore.js +2 -0
- package/lib/vendor/blamejs/lib/retention.js +2 -0
- package/lib/vendor/blamejs/lib/retry.js +2 -0
- package/lib/vendor/blamejs/lib/rfc3339.js +2 -0
- package/lib/vendor/blamejs/lib/router.js +109 -19
- package/lib/vendor/blamejs/lib/safe-archive.js +2 -0
- package/lib/vendor/blamejs/lib/safe-async.js +44 -0
- package/lib/vendor/blamejs/lib/safe-buffer.js +66 -0
- package/lib/vendor/blamejs/lib/safe-decompress.js +2 -0
- package/lib/vendor/blamejs/lib/safe-dns.js +2 -0
- package/lib/vendor/blamejs/lib/safe-ical.js +2 -0
- package/lib/vendor/blamejs/lib/safe-icap.js +7 -0
- package/lib/vendor/blamejs/lib/safe-json.js +2 -0
- package/lib/vendor/blamejs/lib/safe-jsonpath.js +2 -0
- package/lib/vendor/blamejs/lib/safe-mime.js +2 -0
- package/lib/vendor/blamejs/lib/safe-mount-info.js +2 -0
- package/lib/vendor/blamejs/lib/safe-path.js +2 -0
- package/lib/vendor/blamejs/lib/safe-redirect.js +2 -0
- package/lib/vendor/blamejs/lib/safe-schema.js +2 -0
- package/lib/vendor/blamejs/lib/safe-sieve.js +2 -0
- package/lib/vendor/blamejs/lib/safe-smtp.js +2 -0
- package/lib/vendor/blamejs/lib/safe-sql.js +2 -0
- package/lib/vendor/blamejs/lib/safe-url.js +2 -0
- package/lib/vendor/blamejs/lib/safe-vcard.js +2 -0
- package/lib/vendor/blamejs/lib/sandbox-worker.js +2 -0
- package/lib/vendor/blamejs/lib/sandbox.js +2 -0
- package/lib/vendor/blamejs/lib/scheduler.js +2 -0
- package/lib/vendor/blamejs/lib/scitt.js +2 -0
- package/lib/vendor/blamejs/lib/sd-notify.js +2 -0
- package/lib/vendor/blamejs/lib/sec-cyber.js +2 -0
- package/lib/vendor/blamejs/lib/security-assert.js +2 -0
- package/lib/vendor/blamejs/lib/seeders.js +2 -0
- package/lib/vendor/blamejs/lib/self-update-standalone-verifier.js +2 -0
- package/lib/vendor/blamejs/lib/self-update.js +104 -56
- package/lib/vendor/blamejs/lib/server-timing.js +2 -0
- package/lib/vendor/blamejs/lib/session-device-binding.js +2 -0
- package/lib/vendor/blamejs/lib/session-stores.js +2 -0
- package/lib/vendor/blamejs/lib/session.js +71 -32
- package/lib/vendor/blamejs/lib/slug.js +2 -0
- package/lib/vendor/blamejs/lib/sql.js +2 -0
- package/lib/vendor/blamejs/lib/sse.js +2 -0
- package/lib/vendor/blamejs/lib/ssrf-guard.js +9 -1
- package/lib/vendor/blamejs/lib/standard-webhooks.js +2 -0
- package/lib/vendor/blamejs/lib/static.js +54 -20
- package/lib/vendor/blamejs/lib/storage.js +2 -0
- package/lib/vendor/blamejs/lib/stream-throttle.js +2 -0
- package/lib/vendor/blamejs/lib/structured-fields.js +2 -0
- package/lib/vendor/blamejs/lib/subject.js +2 -0
- package/lib/vendor/blamejs/lib/tcpa-10dlc.js +2 -0
- package/lib/vendor/blamejs/lib/template.js +2 -0
- package/lib/vendor/blamejs/lib/tenant-quota.js +2 -0
- package/lib/vendor/blamejs/lib/test-harness.js +2 -0
- package/lib/vendor/blamejs/lib/testing.js +2 -0
- package/lib/vendor/blamejs/lib/time.js +2 -0
- package/lib/vendor/blamejs/lib/tls-exporter.js +2 -0
- package/lib/vendor/blamejs/lib/totp.js +2 -0
- package/lib/vendor/blamejs/lib/tracing.js +2 -0
- package/lib/vendor/blamejs/lib/tsa.js +2 -0
- package/lib/vendor/blamejs/lib/uri-template.js +2 -0
- package/lib/vendor/blamejs/lib/uuid.js +2 -0
- package/lib/vendor/blamejs/lib/validate-opts.js +2 -0
- package/lib/vendor/blamejs/lib/vault/index.js +2 -0
- package/lib/vendor/blamejs/lib/vault/passphrase-ops.js +2 -0
- package/lib/vendor/blamejs/lib/vault/passphrase-source.js +2 -0
- package/lib/vendor/blamejs/lib/vault/rotate.js +2 -0
- package/lib/vendor/blamejs/lib/vault/seal-pem-file.js +2 -0
- package/lib/vendor/blamejs/lib/vault/wrap.js +2 -0
- package/lib/vendor/blamejs/lib/vault-aad.js +2 -0
- package/lib/vendor/blamejs/lib/vc.js +31 -0
- package/lib/vendor/blamejs/lib/vendor/MANIFEST.json +10 -10
- package/lib/vendor/blamejs/lib/vendor/public-suffix-list.dat +2 -4
- package/lib/vendor/blamejs/lib/vendor/public-suffix-list.data.js +745 -745
- package/lib/vendor/blamejs/lib/vendor-data.js +2 -0
- package/lib/vendor/blamejs/lib/vex.js +2 -0
- package/lib/vendor/blamejs/lib/watcher.js +2 -0
- package/lib/vendor/blamejs/lib/web-push-vapid.js +2 -0
- package/lib/vendor/blamejs/lib/webhook-dispatcher.js +33 -5
- package/lib/vendor/blamejs/lib/webhook.js +2 -0
- package/lib/vendor/blamejs/lib/websocket-channels.js +2 -0
- package/lib/vendor/blamejs/lib/websocket.js +2 -0
- package/lib/vendor/blamejs/lib/wiki-concepts.js +2 -0
- package/lib/vendor/blamejs/lib/worker-pool.js +2 -0
- package/lib/vendor/blamejs/lib/worm.js +2 -0
- package/lib/vendor/blamejs/lib/ws-client.js +2 -0
- package/lib/vendor/blamejs/lib/x509-chain.js +2 -0
- package/lib/vendor/blamejs/lib/xml-c14n.js +10 -7
- package/lib/vendor/blamejs/oss-fuzz/projects/blamejs/Dockerfile +7 -6
- package/lib/vendor/blamejs/package-lock.json +533 -0
- package/lib/vendor/blamejs/package.json +3 -3
- package/lib/vendor/blamejs/release-notes/v0.15.x.json +2284 -0
- package/lib/vendor/blamejs/release-notes/v0.16.0.json +44 -0
- package/lib/vendor/blamejs/release-notes/v0.16.1.json +36 -0
- package/lib/vendor/blamejs/release-notes/v0.16.2.json +71 -0
- package/lib/vendor/blamejs/scripts/build-vendored-sbom.js +2 -0
- package/lib/vendor/blamejs/scripts/check-actions-currency.js +113 -1
- package/lib/vendor/blamejs/scripts/check-api-snapshot.js +2 -0
- package/lib/vendor/blamejs/scripts/check-changelog-extract.js +2 -0
- package/lib/vendor/blamejs/scripts/check-esbuild-pin.js +33 -40
- package/lib/vendor/blamejs/scripts/check-pack-against-gitignore.js +2 -0
- package/lib/vendor/blamejs/scripts/check-services.js +2 -0
- package/lib/vendor/blamejs/scripts/check-vendor-currency.js +2 -0
- package/lib/vendor/blamejs/scripts/consolidate-release-notes.js +2 -0
- package/lib/vendor/blamejs/scripts/gen-migrating.js +2 -0
- package/lib/vendor/blamejs/scripts/generate-changelog-entry.js +2 -0
- package/lib/vendor/blamejs/scripts/generate-release-signing-key.js +2 -0
- package/lib/vendor/blamejs/scripts/generate-ssdf-attestation.js +2 -0
- package/lib/vendor/blamejs/scripts/pin-all.js +215 -0
- package/lib/vendor/blamejs/scripts/refresh-api-snapshot.js +2 -0
- package/lib/vendor/blamejs/scripts/refresh-vendor-manifest.js +2 -0
- package/lib/vendor/blamejs/scripts/release.js +5 -1
- package/lib/vendor/blamejs/scripts/sha3-digest.js +2 -0
- package/lib/vendor/blamejs/scripts/sign-release-artifact.js +2 -0
- package/lib/vendor/blamejs/scripts/test-integration.js +2 -0
- package/lib/vendor/blamejs/scripts/test-wiki-integration.js +2 -0
- package/lib/vendor/blamejs/scripts/validate-source-comment-blocks.js +2 -0
- package/lib/vendor/blamejs/scripts/vendor-data-gen.js +2 -0
- package/lib/vendor/blamejs/scripts/vendor-data-keygen.js +2 -0
- package/lib/vendor/blamejs/test/00-primitives.js +35 -1
- package/lib/vendor/blamejs/test/10-state.js +2 -0
- package/lib/vendor/blamejs/test/20-db.js +2 -0
- package/lib/vendor/blamejs/test/30-chain.js +2 -0
- package/lib/vendor/blamejs/test/40-consumers.js +2 -0
- package/lib/vendor/blamejs/test/50-integration.js +2 -0
- package/lib/vendor/blamejs/test/_helpers.js +2 -0
- package/lib/vendor/blamejs/test/_smoke-worker.js +2 -0
- package/lib/vendor/blamejs/test/fixtures/worker-pool/echo.js +2 -0
- package/lib/vendor/blamejs/test/helpers/_codebase-shingle-worker.js +2 -0
- package/lib/vendor/blamejs/test/helpers/_codebase-shingle.js +2 -0
- package/lib/vendor/blamejs/test/helpers/_shape-match.js +2 -0
- package/lib/vendor/blamejs/test/helpers/check.js +2 -0
- package/lib/vendor/blamejs/test/helpers/cluster.js +2 -0
- package/lib/vendor/blamejs/test/helpers/db.js +2 -0
- package/lib/vendor/blamejs/test/helpers/drivers.js +2 -0
- package/lib/vendor/blamejs/test/helpers/fs-watch.js +2 -0
- package/lib/vendor/blamejs/test/helpers/http.js +2 -0
- package/lib/vendor/blamejs/test/helpers/index.js +2 -0
- package/lib/vendor/blamejs/test/helpers/json-round-trip.js +2 -0
- package/lib/vendor/blamejs/test/helpers/mocks.js +2 -0
- package/lib/vendor/blamejs/test/helpers/otel.js +2 -0
- package/lib/vendor/blamejs/test/helpers/services.js +2 -0
- package/lib/vendor/blamejs/test/helpers/wait.js +2 -0
- package/lib/vendor/blamejs/test/integration/audit-actor-binding-pg.test.js +2 -0
- package/lib/vendor/blamejs/test/integration/audit-chain-external-db.test.js +2 -0
- package/lib/vendor/blamejs/test/integration/audit-stack-mysql.test.js +2 -0
- package/lib/vendor/blamejs/test/integration/audit-stack-postgres.test.js +2 -0
- package/lib/vendor/blamejs/test/integration/backup-restore-objectstore.test.js +2 -0
- package/lib/vendor/blamejs/test/integration/cache.test.js +2 -0
- package/lib/vendor/blamejs/test/integration/cluster-provider-mysql.test.js +2 -0
- package/lib/vendor/blamejs/test/integration/data-layer-cluster-mysql.test.js +2 -0
- package/lib/vendor/blamejs/test/integration/data-layer-cluster-pg.test.js +2 -0
- package/lib/vendor/blamejs/test/integration/data-layer-mysql-privacy.test.js +2 -0
- package/lib/vendor/blamejs/test/integration/data-layer-mysql.test.js +2 -0
- package/lib/vendor/blamejs/test/integration/data-layer-pg.test.js +2 -0
- package/lib/vendor/blamejs/test/integration/data-layer-postgres.test.js +2 -0
- package/lib/vendor/blamejs/test/integration/db-layer-mysql.test.js +2 -0
- package/lib/vendor/blamejs/test/integration/db-layer-postgres.test.js +2 -0
- package/lib/vendor/blamejs/test/integration/distributed-scheduler-fencing-pg.test.js +2 -0
- package/lib/vendor/blamejs/test/integration/external-db-postgres.test.js +2 -0
- package/lib/vendor/blamejs/test/integration/federation-auth.test.js +2 -0
- package/lib/vendor/blamejs/test/integration/framework-schema-mysql.test.js +2 -0
- package/lib/vendor/blamejs/test/integration/http-client.test.js +2 -0
- package/lib/vendor/blamejs/test/integration/log-stream-cloudwatch.test.js +2 -0
- package/lib/vendor/blamejs/test/integration/log-stream.test.js +2 -0
- package/lib/vendor/blamejs/test/integration/mail-crypto-smime.test.js +2 -0
- package/lib/vendor/blamejs/test/integration/mail-dkim.test.js +2 -0
- package/lib/vendor/blamejs/test/integration/mail-smtp.test.js +2 -0
- package/lib/vendor/blamejs/test/integration/mtls-ca.test.js +2 -0
- package/lib/vendor/blamejs/test/integration/network-dns.test.js +2 -0
- package/lib/vendor/blamejs/test/integration/network-heartbeat.test.js +2 -0
- package/lib/vendor/blamejs/test/integration/ntp-check.test.js +2 -0
- package/lib/vendor/blamejs/test/integration/object-store-azure.test.js +2 -0
- package/lib/vendor/blamejs/test/integration/object-store-gcs.test.js +2 -0
- package/lib/vendor/blamejs/test/integration/object-store-sigv4.test.js +2 -0
- package/lib/vendor/blamejs/test/integration/object-store-worm-lock.test.js +2 -0
- package/lib/vendor/blamejs/test/integration/pqc-pkcs8-forward-compat.test.js +2 -0
- package/lib/vendor/blamejs/test/integration/pubsub.test.js +2 -0
- package/lib/vendor/blamejs/test/integration/queue-cluster-mysql.test.js +2 -0
- package/lib/vendor/blamejs/test/integration/queue-cluster-pg.test.js +2 -0
- package/lib/vendor/blamejs/test/integration/queue-redis.test.js +115 -0
- package/lib/vendor/blamejs/test/integration/queue-sqs.test.js +2 -0
- package/lib/vendor/blamejs/test/integration/redis-client-tls.test.js +2 -0
- package/lib/vendor/blamejs/test/integration/redis-reconnect-toxiproxy.test.js +2 -0
- package/lib/vendor/blamejs/test/integration/sql-fts5-catalog-sqlite.test.js +2 -0
- package/lib/vendor/blamejs/test/integration/ssrf-guard.test.js +2 -0
- package/lib/vendor/blamejs/test/integration/tls-classical-downgrade-audit.test.js +2 -0
- package/lib/vendor/blamejs/test/integration/webhook-dispatcher-pg.test.js +15 -0
- package/lib/vendor/blamejs/test/integration/websocket-permessage-deflate.test.js +2 -0
- package/lib/vendor/blamejs/test/integration/ws-client-roundtrip.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/a2a-tasks.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/a2a.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/access-lock.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/acme-coverage.test.js +441 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/acme-failclosed.test.js +131 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/acme.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/age-gate.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/agent-event-bus.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/agent-idempotency.test.js +0 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/agent-orchestrator.test.js +23 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/agent-posture-chain.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/agent-saga.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/agent-snapshot.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/agent-stream.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/agent-tenant.test.js +22 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/agent-trace.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/ai-adverse-decision.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/ai-aedt-bias-audit.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/ai-capability.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/ai-content-detect.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/ai-disclosure-apply-all.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/ai-disclosure.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/ai-dp.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/ai-frontier-protocol.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/ai-input.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/ai-model-manifest.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/ai-output.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/ai-pref.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/ai-prompt.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/ai-quota.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/api-encrypt-rejection-envelope.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/api-encrypt.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/app-shutdown.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/archive-gz.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/archive-read.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/archive-sniff-envelope.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/archive-tar-hardening.test.js +22 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/archive-tar.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/archive-wrap-passphrase.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/archive-wrap.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/archive-zip-stream.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/archive.test.js +4 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/arg-parser.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/asn1-der.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/asyncapi.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/atomic-file-conflict-path.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/atomic-file-exclusive-temp.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/atomic-file-fd-read-errorfor-bypass.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/atomic-file-fd-read.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/atomic-file-open-append-nofollow.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/atomic-file-open-nofollow.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/atomic-file-rename-retry.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/atomic-file-write-excl.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/atomic-file-write-stream.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/attach-user-bearer-scheme.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/audit-chain-corrupted-anchor.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/audit-chain-incremental-verify.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/audit-checkpoint-false-rollback.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/audit-cve-defensive.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/audit-daily-review.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/audit-export-cadf.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/audit-framework-namespaces.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/audit-query-self-log.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/audit-safeemit-redacts-secrets.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/audit-segregation.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/audit-sign-anchor.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/audit-sign-ml-dsa-65.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/audit-signing-key-rotation.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/audit-tools-dual-control.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/audit-tools-return-bytes.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/audit-use-store.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/audit-verifybundle-tamper.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/auth-bot-challenge-verifier.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/auth-bot-challenge.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/auth-jar.test.js +9 -6
- package/lib/vendor/blamejs/test/layer-0-primitives/auth-jwt-defenses.test.js +56 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/auth-lockout.test.js +121 -1
- package/lib/vendor/blamejs/test/layer-0-primitives/auth-oauth-coverage.test.js +482 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/auth-oauth-failclosed.test.js +257 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/auth-password-audit.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/auth-saml-coverage.test.js +671 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/auth-saml-failclosed.test.js +179 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/auth-status-list.test.js +19 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/azure-blob-bucket-ops.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/azure-blob-key-encoding.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/backup-bundle-info.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/backup-clone-bundle.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/backup-find-bundles.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/backup-index-coverage.test.js +690 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/backup-index-failclosed.test.js +103 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/backup-key-rotation.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/backup-manifest-signature.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/backup-object-store-adapter.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/backup-residency-posture.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/backup-rewrap-all.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/backup-rewrap-bundle.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/backup-scheduletest-drill.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/backup-verify-all-bundles.test.js +0 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/backup-verify-bundle.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/backup-worker.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/base32.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/bearer-auth.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/body-parser-chunked-malformed.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/body-parser-error-redaction.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/body-parser-smuggling.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/boot-gates.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/bot-guard.test.js +12 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/bounded-map.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/breach-deadline.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/break-glass.test.js +46 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/budr.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/bundler-engine.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/cache-status.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/cache.test.js +12 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/calendar.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/canonical-json-jcs.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/canonical-json.test.js +28 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/cbor.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/cdn-cache-control.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/cert.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/chain-writer-multichain.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/ciba-authreqid-binding.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/clear-site-data.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/cli-api-key.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/cli-audit-verify-chain.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/cli-backup.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/cli-config-drift.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/cli-coverage.test.js +238 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/cli-erase.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/cli-file-type.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/cli-helpers.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/cli-mtls.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/cli-password.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/cli-restore.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/cli-retention.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/cli-security.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/cli-vault.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/client-hints.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/cloud-events.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/cluster-storage.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/cluster-vault-rotation.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/cms-codec.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/codebase-patterns.test.js +791 -13
- package/lib/vendor/blamejs/test/layer-0-primitives/codepoint-class.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/compliance-ai-act.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/compliance-cascade.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/compliance-eaa.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/compliance-eu-ai-act-posture.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/compliance-sanctions.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/compliance.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/compression-range.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/config-drift.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/config.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/consent-purposes.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/content-credentials.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/content-digest.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/cors.test.js +12 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/cose.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/cra-report.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/crdt.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/credential-hash.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/crypto-base64url.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/crypto-envelope.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/crypto-field-aad-downgrade.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/crypto-field-derived-hash.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/crypto-field-dual-read-migrate.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/crypto-field-per-row-key.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/crypto-field-unseal-rate-cap.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/crypto-field-upgrade-dialect.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/crypto-hash-files-parallel.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/crypto-hash-stream.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/crypto-hpke-pq.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/crypto-hpke.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/crypto-interop-oracles.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/crypto-mlkem768-x25519.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/crypto-namespace-hash.test.js +0 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/crypto-oprf.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/crypto-random-int.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/crypto-self-test.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/crypto-xwing.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/csp-builder.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/csp-nonce.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/csp-report.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/csrf-protect.test.js +40 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/csv.test.js +11 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/cwt.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/daemon.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/daily-byte-quota.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/dane.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/dark-patterns.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/data-act.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/db-collection-extensions.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/db-collection.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/db-column-gate.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/db-init-extensions.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/db-key-aad.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/db-query-cross-schema.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/db-query-extensions.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/db-query-sealed-field-in.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/db-raw-residency-gate.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/db-role-for.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/db-schema-drift.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/db-schema-reconcile-emittable.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/db-schema-transaction.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/db-stream-and-payload-shape.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/db-vacuum.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/db-worm.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/ddl-change-control.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/declare-row-policy.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/declare-view.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/defineguard-default-gate-posture-caps.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/defineguard-resolve-opts.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/deny-response.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/did.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/dns-dnssec-algorithm.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/dns-null-mx.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/dnssec.test.js +37 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/dora.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/dpop-alg-kty.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/dpop-htu-peergating.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/dpop-middleware-replaystore-required.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/dr-runbook.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/dsa.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/dsr-state-rules.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/dsr.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/dual-control.test.js +28 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/early-hints.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/eat.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/erase-posture-vacuum.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/events.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/exploit-replay.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/external-db-hardening.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/external-db-migrate.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/external-db-non-atomic-backend.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/external-db-routing.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/fal.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/fapi2.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/fda-21cfr11.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/fdx.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/fedcm-dbsc.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/federation-vc-suite.test.js +124 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/fetch-metadata.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/fido-mds3-cert-bad-validity.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/fido-mds3.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/file-type.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/file-upload-content-safety-skip-audit.test.js +66 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/file-upload-ownership.test.js +214 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/flag.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/forensic-snapshot.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/fsm.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/gate-contract-content-gate.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/gcs-bucket-ops.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/gdpr-ropa.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/graphql-federation.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/guard-agent-registry.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/guard-all.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/guard-archive.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/guard-csv.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/guard-dsn.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/guard-email.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/guard-envelope.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/guard-event-bus-payload.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/guard-event-bus-topic.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/guard-filename.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/guard-gate-disposition-coverage.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/guard-html-wcag.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/guard-html.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/guard-idempotency-key.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/guard-image.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/guard-imap-command.test.js +0 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/guard-jmap.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/guard-json.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/guard-list-id.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/guard-list-unsubscribe.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/guard-mail-compose.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/guard-mail-move.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/guard-mail-query.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/guard-mail-reply.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/guard-mail-sieve.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/guard-managesieve-command.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/guard-markdown.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/guard-message-id.test.js +0 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/guard-oauth-replay-failopen.test.js +57 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/guard-pdf.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/guard-pop3-command.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/guard-posture-chain.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/guard-saga-config.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/guard-smtp-command.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/guard-snapshot-envelope.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/guard-stream-args.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/guard-svg.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/guard-tenant-id.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/guard-text.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/guard-trace-context.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/guard-xml.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/guard-yaml.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/hal.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/honeytoken.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/html-balance.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/http-client-cache.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/http-client-stream.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/http-client-throttle-transform.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/http-message-signature.test.js +315 -3
- package/lib/vendor/blamejs/test/layer-0-primitives/i18n-messageformat.test.js +26 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/i18n.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/iab-mspa.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/iab-tcf.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/idempotency-key.test.js +40 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/importmap-integrity.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/inbox.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/incident-report.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/ip-utils.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/jose-jwe-experimental.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/json-api.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/json-merge-patch.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/json-patch.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/json-path.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/json-round-trip-helper.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/json-schema.test.js +26 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/jtd.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/jwk.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/jwt-external.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/keychain-coverage.test.js +0 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/keychain-failclosed.test.js +185 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/keychain.test.js +0 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/legal-hold.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/link-header.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/local-db-thin.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/log-stream-cloudwatch.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/log-stream-otlp-grpc.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/log-stream-otlp.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/lro.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/mail-agent.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/mail-arf.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/mail-auth-coverage.test.js +437 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/mail-auth-dmarc-policy-failclosed.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/mail-auth-failclosed.test.js +144 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/mail-auth.test.js +289 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/mail-bimi-cert-validity-unparseable.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/mail-bimi.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/mail-bounce.test.js +61 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/mail-canspam.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/mail-crypto-pgp-experimental.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/mail-crypto-pgp.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/mail-crypto-smime-bad-validity.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/mail-crypto-smime.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/mail-dav.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/mail-deploy-tlsrpt.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/mail-deploy.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/mail-dkim-numericdate-failclosed.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/mail-dkim.test.js +130 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/mail-feedback-id.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/mail-greylist.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/mail-header-injection.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/mail-helo.test.js +17 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/mail-journal.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/mail-mdn.test.js +29 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/mail-proxy-framing-bounds.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/mail-rbl.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/mail-require-tls.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/mail-scan.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/mail-send-deliver.test.js +113 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/mail-server-imap.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/mail-server-jmap.test.js +50 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/mail-server-managesieve.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/mail-server-mx.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/mail-server-pop3.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/mail-server-rate-limit.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/mail-server-registry.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/mail-server-submission.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/mail-server-tls.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/mail-sieve.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/mail-spam-score.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/mail-srs.test.js +21 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/mail-store-fts.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/mail-store.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/mail-unsubscribe.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/mail.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/mcp-tool-registry.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/mcp.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/mdoc.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/metrics-shadow-registry.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/metrics-snapshot.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/middleware-compose-pipeline.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/mime-parse.test.js +11 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/money.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/mtls-ca-paths.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/mtls-ca-revocation.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/nel.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/network-allowlist.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/network-byte-quota.test.js +65 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/network-dns-lookup-timeout-default.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/network-dns-resolver-timeout.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/network-dns-resolver.test.js +28 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/network-dns.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/network-heartbeat-passive.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/network-nts-handshake-byte-cap.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/network-smtp-policy-coverage.test.js +565 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/network-tls-build-options.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/network-tls-ct-inclusion.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/network-tls.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/network-tsig.test.js +26 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/network.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/nis2-report.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/nist-crosswalk.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/no-cache.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/nonce-store-release.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/notify.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/numeric-bounds.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/oauth-callback.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/object-store-range-header.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/object-store-versioned-delete.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/observability-tracing.test.js +22 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/observability.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/openapi.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/otel-export.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/otlp-attr-redaction.test.js +8 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/outbox-inflight-reaper.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/output-header-hardening.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/pagination.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/parser-verify-hardening.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/parsers-standalone.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/passkey-real-vectors.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/passkey.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/permissions.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/pipl-cn.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/pqc-agent-curve.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/pqc-software.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/privacy-pass.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/privacy-vendor-review.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/problem-details.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/process-spawn.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/promise-pool.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/protected-resource-metadata.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/proto-shadow-allowlist.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/protobuf-encoder.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/protocol-dispatcher.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/public-suffix.test.js +29 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/pubsub.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/queue-byo-db.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/queue-dlq-extend-lease.test.js +44 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/queue-flow-repeat.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/queue-priority-rate-progress.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/queue-sqs.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/rate-limit-cluster.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/rate-limit-memory-getorinsert.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/rate-limit-registry.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/rate-limit-xff-spoofing.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/redact-dlp.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/redis-client.test.js +16 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/request-helpers.test.js +7 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/request-id-async-context.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/request-log.test.js +3 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/require-auth-cache-control.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/require-mtls.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/resource-access-lock.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/restore-blob-remap.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/retention-dryrun-no-vacuum.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/retention-floor.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/retention-sweep-termination.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/retry.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/router-body-validation.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/router-coverage.test.js +592 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/router-cross-origin-redirect.test.js +0 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/router-failclosed.test.js +0 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/router-tls0rtt.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/router-use-path-scope.test.js +59 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/safe-archive-auto-unwrap.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/safe-archive-inspect-unwrap.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/safe-async-loops.test.js +41 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/safe-async-parallel.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/safe-buffer-linear-scans.test.js +13 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/safe-decompress.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/safe-dns.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/safe-ical.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/safe-icap.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/safe-json-stringify-for-script.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/safe-jsonpath.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/safe-mime.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/safe-mount-info.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/safe-path.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/safe-redirect.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/safe-sieve.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/safe-smtp.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/safe-url-canonicalize.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/safe-url-idn-homograph.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/safe-vcard.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/safe-xml.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/saml-mdq-wrapping.test.js +237 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/saml-slo.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/saml-subjectconfirmation-notbefore.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/saml-subjectconfirmation-notonorafter.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/sandbox.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/scheduler-exactly-once.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/scheduler-watchdog-stale-settle.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/scim-server.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/scitt.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/sd-jwt-vc-ecdsa-p1363.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/sd-jwt-vc.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/sd-notify.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/sec-cyber.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/security-assert.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/security-headers.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/security-txt.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/seeders.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/self-update-poll-asset-digest.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/self-update-standalone-verifier-ecdsa-encoding.test.js +9 -1
- package/lib/vendor/blamejs/test/layer-0-primitives/self-update-standalone-verifier.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/self-update.test.js +87 -4
- package/lib/vendor/blamejs/test/layer-0-primitives/server-timing.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/session-binding-unreadable-failclosed.test.js +80 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/session-destroy-all-store-backed.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/session-device-binding-ipv6-canonical-and-no-store.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/session-device-binding.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/session-extensions.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/session-valid-from.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/shape-match.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/sigv4-bucket-ops.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/sigv4-multipart-sse.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/slug.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/smtp-policy.test.js +5 -1
- package/lib/vendor/blamejs/test/layer-0-primitives/source-comment-blocks.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/speculation-rules.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/sql-coverage.test.js +422 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/sql.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/sse-backpressure.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/sse.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/ssrf-guard.test.js +23 -1
- package/lib/vendor/blamejs/test/layer-0-primitives/standard-webhooks.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/static.test.js +33 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/step-up.test.js +44 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/storage-chunk-scratch.test.js +0 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/storage-presigned-url.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/stream-throttle.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/structured-fields-codec.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/structured-fields.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/tcpa-10dlc.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/template-escape-html.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/tenant-quota.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/test-coverage.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/test-harness.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/testing-request.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/testing.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/time.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/tls-exporter.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/tls-ocsp-ct.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/tls-ocsp-freshness.test.js +6 -2
- package/lib/vendor/blamejs/test/layer-0-primitives/tls-ocsp-verify.test.js +127 -3
- package/lib/vendor/blamejs/test/layer-0-primitives/tls-pinset-drift.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/tls-preferred-groups.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/tracing.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/tsa.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/uri-template.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/uuid.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/validate-opts-port.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/validate-opts-shape.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/vault-aad.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/vault-default-store.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/vault-rotate-aad.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/vault-seal-pem-file.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/vc.test.js +25 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/vendor-currency-classify.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/vendor-data.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/vendor-manifest.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/vex.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/watcher.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/web-push-vapid.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/webhook-dispatcher.test.js +77 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/webhook-verify-nonce-atomic.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/webhook.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/websocket-channels.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/websocket-extension-header.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/worker-pool-recycle-race.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/worker-pool.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/worm.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/ws-client.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/x509-chain-ca-enforcement.test.js +117 -1
- package/lib/vendor/blamejs/test/layer-1-state/api-key.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-5-integration/bundler-output.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-5-integration/external-db-residency.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-5-integration/guard-host-integration.test.js +2 -0
- package/lib/vendor/blamejs/test/layer-5-integration/security-chaos.test.js +2 -0
- package/lib/vendor/blamejs/test/smoke.js +2 -0
- package/package.json +5 -2
- package/lib/vendor/blamejs/release-notes/v0.15.0.json +0 -77
- package/lib/vendor/blamejs/release-notes/v0.15.1.json +0 -22
- package/lib/vendor/blamejs/release-notes/v0.15.10.json +0 -53
- package/lib/vendor/blamejs/release-notes/v0.15.11.json +0 -52
- package/lib/vendor/blamejs/release-notes/v0.15.12.json +0 -47
- package/lib/vendor/blamejs/release-notes/v0.15.13.json +0 -81
- package/lib/vendor/blamejs/release-notes/v0.15.14.json +0 -122
- package/lib/vendor/blamejs/release-notes/v0.15.15.json +0 -73
- package/lib/vendor/blamejs/release-notes/v0.15.16.json +0 -94
- package/lib/vendor/blamejs/release-notes/v0.15.17.json +0 -52
- package/lib/vendor/blamejs/release-notes/v0.15.18.json +0 -49
- package/lib/vendor/blamejs/release-notes/v0.15.19.json +0 -18
- package/lib/vendor/blamejs/release-notes/v0.15.2.json +0 -22
- package/lib/vendor/blamejs/release-notes/v0.15.20.json +0 -27
- package/lib/vendor/blamejs/release-notes/v0.15.21.json +0 -51
- package/lib/vendor/blamejs/release-notes/v0.15.22.json +0 -18
- package/lib/vendor/blamejs/release-notes/v0.15.23.json +0 -22
- package/lib/vendor/blamejs/release-notes/v0.15.24.json +0 -22
- package/lib/vendor/blamejs/release-notes/v0.15.25.json +0 -18
- package/lib/vendor/blamejs/release-notes/v0.15.26.json +0 -18
- package/lib/vendor/blamejs/release-notes/v0.15.27.json +0 -18
- package/lib/vendor/blamejs/release-notes/v0.15.28.json +0 -18
- package/lib/vendor/blamejs/release-notes/v0.15.29.json +0 -27
- package/lib/vendor/blamejs/release-notes/v0.15.3.json +0 -39
- package/lib/vendor/blamejs/release-notes/v0.15.30.json +0 -18
- package/lib/vendor/blamejs/release-notes/v0.15.31.json +0 -18
- package/lib/vendor/blamejs/release-notes/v0.15.32.json +0 -18
- package/lib/vendor/blamejs/release-notes/v0.15.33.json +0 -18
- package/lib/vendor/blamejs/release-notes/v0.15.34.json +0 -27
- package/lib/vendor/blamejs/release-notes/v0.15.35.json +0 -27
- package/lib/vendor/blamejs/release-notes/v0.15.36.json +0 -18
- package/lib/vendor/blamejs/release-notes/v0.15.37.json +0 -26
- package/lib/vendor/blamejs/release-notes/v0.15.38.json +0 -26
- package/lib/vendor/blamejs/release-notes/v0.15.4.json +0 -39
- package/lib/vendor/blamejs/release-notes/v0.15.5.json +0 -22
- package/lib/vendor/blamejs/release-notes/v0.15.6.json +0 -59
- package/lib/vendor/blamejs/release-notes/v0.15.7.json +0 -43
- package/lib/vendor/blamejs/release-notes/v0.15.8.json +0 -48
- package/lib/vendor/blamejs/release-notes/v0.15.9.json +0 -58
|
@@ -1,22 +0,0 @@
|
|
|
1
|
-
{
|
|
2
|
-
"$schema": "../scripts/release-notes-schema.json",
|
|
3
|
-
"version": "0.15.23",
|
|
4
|
-
"date": "2026-06-24",
|
|
5
|
-
"headline": "`b.wsClient` error objects now carry a usable terminal-vs-transient signal (and the client's auto-reconnect, previously dead, works again), and `b.safePath` resolves cross-platform containment with the target platform's path semantics — fixing both a false refusal of in-base paths and a backslash-traversal escape when validating for Windows on a POSIX host",
|
|
6
|
-
"summary": "Two correctness fixes. b.wsClient marked every WsClientError permanent, so a consumer driving its own reconnect loop could not tell a terminal handshake failure (a bad URL, a 4xx rejection, an accept-mismatch, a protocol-violation frame) from a transient one (a 5xx handshake rejection, a pong/handshake timeout, a dropped socket) and had to re-derive the taxonomy from error codes. err.permanent now reflects the actual transience of each error, the single bad-status code is split by the carried HTTP status (4xx terminal, 5xx transient) with the status exposed as err.statusCode, and — because the client's own auto-reconnect keyed off the same always-true flag — auto-reconnect was silently disabled for every transient failure and now fires correctly. Separately, b.safePath.resolve / resolveOrNull / validate performed its lexical containment with the runtime path module while the per-segment naming walk used opts.platform. The two disagreeing broke cross-platform validation both ways: every legitimate in-base path was refused with safe-path/escapes-base when opts.platform differed from the host, and — more seriously — a POSIX host validating opts.platform: \"windows\" accepted a backslash traversal (ok\\..\\..\\outside), because the runtime resolver treats \\ as an ordinary filename character and never collapsed the .. segments, so the path escaped the base once a Windows consumer read the backslashes. The lexical resolve and containment boundary now use the target platform's path module (node:path.win32 / node:path.posix), matching the segment walk, so in-base paths resolve and cross-platform traversals are refused under any opts.platform override; the realpath check, which touches the live filesystem, keeps its runtime resolve.",
|
|
7
|
-
"sections": [
|
|
8
|
-
{
|
|
9
|
-
"heading": "Fixed",
|
|
10
|
-
"items": [
|
|
11
|
-
{
|
|
12
|
-
"title": "b.wsClient: WsClientError carries a real terminal/transient signal, and auto-reconnect works again",
|
|
13
|
-
"body": "WsClientError was declared always-permanent, so err.permanent was true for every error — a consumer's reconnect loop could not distinguish a terminal handshake failure (bad URL, bad subprotocol, malformed handshake header, accept-mismatch, bad upgrade, bad status line, a 4xx rejection, an oversized/protocol-violation frame) from a transient one (a 5xx handshake rejection, a pong- or handshake-timeout, a dropped socket) and had to maintain its own error-code list tracking the framework's taxonomy. err.permanent now reflects each error's actual transience, derived from its code (a new/unknown code defaults to terminal, so it fails closed rather than redialing a hopeless target forever); the single ws-client/bad-status code is split by the response status (4xx terminal, 5xx transient) and the status is exposed as err.statusCode (the existing err.status alias is preserved). The same always-permanent flag also drove the client's built-in auto-reconnect, which therefore never retried any framework-surfaced transient failure (a 5xx handshake or a keepalive timeout); reconnect now fires for transient failures and still skips terminal ones."
|
|
14
|
-
},
|
|
15
|
-
{
|
|
16
|
-
"title": "b.safePath: cross-platform containment resolves with the target platform's path semantics",
|
|
17
|
-
"body": "b.safePath.resolve / resolveOrNull / validate performed its lexical containment (resolve rel under base, then bound the result with a separator slice) using the runtime path module, while the per-segment naming walk used opts.platform. When the two disagreed, validation broke both ways. Benign direction: a Linux service validating server-origin names against the stricter Windows ruleset (the recommended cross-platform pattern) had every legitimate in-base path refused with safe-path/escapes-base, because the runtime-separated resolved path could never match a Windows-separator boundary. Security direction: a POSIX host validating opts.platform: \"windows\" accepted a backslash traversal such as ok\\..\\..\\outside — the segment walk splits on \\ for Windows, but the runtime resolver on POSIX treats \\ as an ordinary filename character and never collapsed the .. segments, so the path passed containment and resolved to <base>/ok\\..\\..\\outside, which escapes the base once a Windows consumer interprets the backslashes. The lexical resolve and the containment boundary now use the target platform's path module (node:path.win32 when validating for Windows, node:path.posix otherwise), matching the segment walk, so in-base paths resolve correctly and a genuine traversal is refused under any opts.platform override. The realpath check, which resolves symlinks on the live filesystem, keeps a separate runtime resolve because a foreign-platform path cannot be symlink-resolved on the host. opts.platform continues to gate the per-segment naming rules (reserved names, trailing dot/space, NTFS ADS colon)."
|
|
18
|
-
}
|
|
19
|
-
]
|
|
20
|
-
}
|
|
21
|
-
]
|
|
22
|
-
}
|
|
@@ -1,22 +0,0 @@
|
|
|
1
|
-
{
|
|
2
|
-
"$schema": "../scripts/release-notes-schema.json",
|
|
3
|
-
"version": "0.15.24",
|
|
4
|
-
"date": "2026-06-25",
|
|
5
|
-
"headline": "Supply-chain hardening for the build: the example wiki container's base images are digest-pinned (and tracked for patches by Dependabot), and the SEA-build esbuild binary pin is centralized and release-enforced so a version bump can't silently lose its reviewed hash",
|
|
6
|
-
"summary": "A build supply-chain hardening release; no runtime API changes. The example wiki container's Chainguard base images are now pinned by digest (tag@sha256) for reproducible builds and provenance, with Dependabot's docker updater bumping the digests so they keep tracking Chainguard's continuous CVE rebuilds; the published multi-arch image is unaffected because the release workflow still resolves the rolling tag to a fresh digest at build time, so the scanned image equals the published image and the committed digest never reaches the image-scan gate. The esbuild native-binary supply-chain pin — the reviewed per-platform SHA-256 the bundler smoke gate checks the on-disk compiler against — is centralized in one file and enforced both at release time and in the pattern gate by a single shared verifier: the version package.json and the CI/publish workflows install must carry a complete reviewed-hash entry, so bumping esbuild without re-reviewing and re-pinning the binary now fails closed instead of silently degrading the verification to a skip.",
|
|
7
|
-
"sections": [
|
|
8
|
-
{
|
|
9
|
-
"heading": "Security",
|
|
10
|
-
"items": [
|
|
11
|
-
{
|
|
12
|
-
"title": "Wiki container base images are digest-pinned and patch-tracked",
|
|
13
|
-
"body": "examples/wiki/Dockerfile now pins its Chainguard base images by digest (cgr.dev/chainguard/node:<tag>@sha256:...) for reproducible local builds and supply-chain provenance, and Dependabot's docker updater bumps those digests so they keep tracking Chainguard's continuously-rebuilt CVE fixes instead of freezing. The published multi-arch image is unchanged: the release workflow still resolves the rolling tag to a fresh digest at build time and passes it as a build-arg, so the scanned image equals the published image and always carries current patches — the committed digest never reaches the image-scan gate."
|
|
14
|
-
},
|
|
15
|
-
{
|
|
16
|
-
"title": "esbuild SEA-build binary pin is centralized and fails closed on an un-reviewed bump",
|
|
17
|
-
"body": "The reviewed per-platform SHA-256 hashes that the bundler smoke gate verifies the esbuild native compiler against are now a single source of truth (scripts/esbuild-binary-pin.json), checked by one shared verifier that runs both at release time and in the pattern gate. It enforces that the esbuild version package.json declares and the CI/publish workflows install carries a complete reviewed-hash entry for every required platform. Previously a bump to a version with no reviewed hash made the smoke gate note-and-skip the binary verification; that omission now fails the release, so the binary pin can no longer be silently lost. The hashes remain captured by hand on each bump (diff the published tarballs, sha256 the binary) — the verifier checks the pin is present, it never derives it."
|
|
18
|
-
}
|
|
19
|
-
]
|
|
20
|
-
}
|
|
21
|
-
]
|
|
22
|
-
}
|
|
@@ -1,18 +0,0 @@
|
|
|
1
|
-
{
|
|
2
|
-
"$schema": "../scripts/release-notes-schema.json",
|
|
3
|
-
"version": "0.15.25",
|
|
4
|
-
"date": "2026-06-25",
|
|
5
|
-
"headline": "`b.sandbox.run` no longer leaks the worker thread's MessagePort — it now waits for the worker to terminate before resolving",
|
|
6
|
-
"summary": "b.sandbox.run spawned a worker thread to execute untrusted code and called worker.terminate() on both the result and timeout paths, but it settled the caller's promise BEFORE the asynchronous terminate() completed — leaving the worker's MessagePort alive past the resolve. In a long-lived process that runs sandboxed code repeatedly, each call leaked a MessagePort handle, keeping the event loop populated and slowing graceful shutdown. The call now awaits worker.terminate() before settling, so the handle is released when the promise resolves. Behaviour and return values are unchanged.",
|
|
7
|
-
"sections": [
|
|
8
|
-
{
|
|
9
|
-
"heading": "Fixed",
|
|
10
|
-
"items": [
|
|
11
|
-
{
|
|
12
|
-
"title": "b.sandbox.run releases the worker MessagePort before resolving",
|
|
13
|
-
"body": "b.sandbox.run resolved (or rejected) the caller's promise as soon as the worker reported a result or the timeout fired, while worker.terminate() — which is asynchronous — was still in flight, so the worker thread's MessagePort outlived the call and lingered as an open handle. Repeated sandbox runs in a long-lived process accumulated leaked MessagePorts that kept the event loop alive and delayed shutdown. The result and timeout paths now defer settling until worker.terminate() resolves; the error and exit paths already imply the worker is gone. The return value, audit events, and timeout semantics are unchanged."
|
|
14
|
-
}
|
|
15
|
-
]
|
|
16
|
-
}
|
|
17
|
-
]
|
|
18
|
-
}
|
|
@@ -1,18 +0,0 @@
|
|
|
1
|
-
{
|
|
2
|
-
"$schema": "../scripts/release-notes-schema.json",
|
|
3
|
-
"version": "0.15.26",
|
|
4
|
-
"date": "2026-06-25",
|
|
5
|
-
"headline": "Internal test-harness correctness only — the published library is byte-for-byte identical to 0.15.25",
|
|
6
|
-
"summary": "The smoke runner requires each test module and awaits its exported run(). Several tests were instead written as a top-level (async function () {...})() IIFE that runs detached at require-time, so the runner measured and reported the test's result before the IIFE's post-await assertions executed — those checks silently never ran (one parser test exercised 4 of its 26 assertions, and a failure after the first await would have gone unseen as a false pass). Those tests are converted to the exported-run form so the runner awaits their full assertion set, and a codebase-patterns detector now refuses a top-level async IIFE in a test file so the pattern cannot return. No shipped framework code changed; this release is byte-for-byte identical to 0.15.25 for operators.",
|
|
7
|
-
"sections": [
|
|
8
|
-
{
|
|
9
|
-
"heading": "Fixed",
|
|
10
|
-
"items": [
|
|
11
|
-
{
|
|
12
|
-
"title": "Detached-IIFE tests now run their full assertion set under the smoke runner",
|
|
13
|
-
"body": "A test written as a top-level (async function () {...})() IIFE runs detached when the runner requires it: the runner only awaits an exported run(), so it reported the file's result before the IIFE's awaited assertions executed, and every check after the first await silently did not count (one parsers test ran 4 of 26). Such tests are rewritten to define async function run(), export it, and invoke it under if (require.main === module), so the runner awaits the complete set; a detector refuses a re-introduced top-level async IIFE in a test file. This is test-harness correctness only — no shipped framework behavior changed."
|
|
14
|
-
}
|
|
15
|
-
]
|
|
16
|
-
}
|
|
17
|
-
]
|
|
18
|
-
}
|
|
@@ -1,18 +0,0 @@
|
|
|
1
|
-
{
|
|
2
|
-
"$schema": "../scripts/release-notes-schema.json",
|
|
3
|
-
"version": "0.15.27",
|
|
4
|
-
"date": "2026-06-25",
|
|
5
|
-
"headline": "Internal test-harness reliability only — the published library is byte-for-byte identical to 0.15.26",
|
|
6
|
-
"summary": "The legacy single-layer smoke files used fixed-duration setTimeout sleeps to wait for asynchronous conditions (a job processed, a lease TTL lapsing, an audit flush completing). On a contended CI runner a fixed sleep is both flake-prone (too short under load) and slow (it always burns the full budget). Those condition-waits are converted to the harness's polling helpers — waitUntil for observable predicates, passiveObserve for deliberate real-time elapses, withTestTimeout for hang guards — which exit early on fast platforms and give contended platforms the full budget. No shipped framework code changed; this release is byte-for-byte identical to 0.15.26 for operators.",
|
|
7
|
-
"sections": [
|
|
8
|
-
{
|
|
9
|
-
"heading": "Fixed",
|
|
10
|
-
"items": [
|
|
11
|
-
{
|
|
12
|
-
"title": "Smoke layer files poll for conditions instead of fixed setTimeout sleeps",
|
|
13
|
-
"body": "The single-layer smoke files waited on asynchronous conditions with fixed-duration setTimeout sleeps, which flake under SMOKE_PARALLEL load and always burn their full budget. The condition-waits are converted to the polling helpers (waitUntil / passiveObserve / withTestTimeout) so they exit early on fast platforms and stay robust on contended ones; non-wait timers (abort triggers, child/socket watchdogs, simulated-latency mocks) are unchanged. This is test-harness reliability only — no shipped framework behavior changed."
|
|
14
|
-
}
|
|
15
|
-
]
|
|
16
|
-
}
|
|
17
|
-
]
|
|
18
|
-
}
|
|
@@ -1,18 +0,0 @@
|
|
|
1
|
-
{
|
|
2
|
-
"$schema": "../scripts/release-notes-schema.json",
|
|
3
|
-
"version": "0.15.28",
|
|
4
|
-
"date": "2026-06-25",
|
|
5
|
-
"headline": "`b.network.dns` and `b.network.tls` errors now carry a usable terminal-vs-transient signal on `err.permanent`, so a caller's retry loop re-attempts only the failures a retry can fix",
|
|
6
|
-
"summary": "DnsError was declared always-transient and NetworkTlsError always-permanent, so a consumer driving its own retry loop got the wrong signal in both directions: it would retry a permanent DNS failure (a bad host, bad options, an unsupported query, an NXDOMAIN-style no-result, or a caller-shape/config error such as an unconfigured transport or an invalid resolver list) forever, and it would refuse to retry a transient TLS-over-network failure (an ECH connection failure, a handshake timeout, DNS momentarily unavailable). err.permanent now reflects each error's actual transience, derived from its code and failing closed (an unknown code is permanent, so a hopeless target is not retried indefinitely): for DnsError only a failed network round-trip (a lookup timeout, a resolve/reverse query that failed on the wire, a failed DoH/DoT exchange, a DDR discovery that found nothing) is transient — config, input, and environment errors raised before any network work are permanent; for NetworkTlsError only the network-layer ECH failures are transient. TlsTrustError remains always-permanent by design — a trust-verification failure (bad CA, fingerprint mismatch, OCSP not-good, CT violation, an unreachable OCSP responder) must never be silently retried past the trust decision.",
|
|
7
|
-
"sections": [
|
|
8
|
-
{
|
|
9
|
-
"heading": "Fixed",
|
|
10
|
-
"items": [
|
|
11
|
-
{
|
|
12
|
-
"title": "DnsError / NetworkTlsError expose a correct terminal/transient signal; TlsTrustError stays terminal",
|
|
13
|
-
"body": "b.network.dns's DnsError was always-transient and b.network.tls's NetworkTlsError always-permanent, so err.permanent misled a consumer's retry loop in both directions — retrying a permanent DNS error (bad host / options / unsupported type / no-result) indefinitely, and never retrying a transient TLS network error (ECH connect failure, handshake timeout, DNS unavailable). err.permanent now reflects each error's actual transience by code and fails closed (unknown codes are permanent): DnsError is transient only for a failed network round-trip (dns/lookup-timeout, dns/resolve-failed, dns/reverse-failed, dns/doh-failed, dns/dot-failed, dns/dot-handshake-failed, dns/ddr-not-discovered, dns/system-failed), and permanent otherwise — including the caller-shape / environment errors raised before any network work (dns/transport-unavailable for an unconfigured transport, dns/dnr-no-resolvers for an empty/invalid resolver list, dns/setservers-failed for an invalid address, dns/no-system-resolvers when none are configured). NetworkTlsError is transient only for the network-layer ECH failures (tls/ech-connect-failed, tls/ech-timeout, tls/ech-dns-unavailable), permanent otherwise. TlsTrustError remains always-permanent so a trust-verification failure is never silently retried."
|
|
14
|
-
}
|
|
15
|
-
]
|
|
16
|
-
}
|
|
17
|
-
]
|
|
18
|
-
}
|
|
@@ -1,27 +0,0 @@
|
|
|
1
|
-
{
|
|
2
|
-
"$schema": "../scripts/release-notes-schema.json",
|
|
3
|
-
"version": "0.15.29",
|
|
4
|
-
"date": "2026-06-25",
|
|
5
|
-
"headline": "JSON parsing of operator and untrusted input is routed through `b.safeJson` everywhere, so a `\"__proto__\"` member is stripped and the parse is size-bounded — `b.openapi.parse`, `b.asyncapi.parse`, and `b.sandbox.run` were using a raw `JSON.parse`",
|
|
6
|
-
"summary": "b.openapi.parse and b.asyncapi.parse parsed an operator-supplied document string with a raw JSON.parse, which re-creates a \"__proto__\" member as an own key and imposes no size bound; b.sandbox.run parsed the untrusted sandboxed code's serialized result the same way (proto member kept, depth unbounded). All three now route through b.safeJson, which strips the prototype-pollution keys and applies the depth / key / size caps. A new b.safeJson.parseStringOrObject primitive captures the recurring \"accept a document as a JSON string OR a pre-built object\" shape (a string is parsed safely, an object passes through) that openapi and asyncapi had each hand-rolled, with each consumer's typed error class and a generous document size cap passed as data. Valid input parses identically to before; a malicious or oversized document is now defused rather than accepted.",
|
|
7
|
-
"sections": [
|
|
8
|
-
{
|
|
9
|
-
"heading": "Security",
|
|
10
|
-
"items": [
|
|
11
|
-
{
|
|
12
|
-
"title": "Operator and untrusted JSON parses strip __proto__ and bound size (no raw JSON.parse)",
|
|
13
|
-
"body": "A raw JSON.parse keeps a \"__proto__\" object member as an own key (a prototype-pollution gadget for any downstream merge) and parses unbounded input. b.openapi.parse and b.asyncapi.parse used it on operator document strings, and b.sandbox.run used it on the untrusted sandboxed code's JSON-serialized result. All now route through b.safeJson — the prototype-pollution keys are stripped and the depth / key / size caps apply (a 16 MiB document cap for openapi/asyncapi, the existing result-bytes cap for the sandbox). Internal JSON parses (the sealed DSR store payloads, the VEX canonical re-format) route through the same primitive too, so the guarantee cannot be bypassed one call site at a time. Valid input is unaffected; a \"__proto__\"-laden or oversized payload is defused."
|
|
14
|
-
}
|
|
15
|
-
]
|
|
16
|
-
},
|
|
17
|
-
{
|
|
18
|
-
"heading": "Added",
|
|
19
|
-
"items": [
|
|
20
|
-
{
|
|
21
|
-
"title": "b.safeJson.parseStringOrObject(input, opts?)",
|
|
22
|
-
"body": "Accepts either a JSON string — parsed through b.safeJson.parse, so the prototype-pollution-key strip and depth / key / size caps apply — or an already-decoded plain object (returned unchanged). For the recurring \"operator hands me a document as a JSON string or a pre-built object\" surface (b.openapi / b.asyncapi). The consumer's typed error class, error codes, label, and size cap are passed as options, so a raw JSON.parse on operator input cannot be hand-rolled per consumer."
|
|
23
|
-
}
|
|
24
|
-
]
|
|
25
|
-
}
|
|
26
|
-
]
|
|
27
|
-
}
|
|
@@ -1,39 +0,0 @@
|
|
|
1
|
-
{
|
|
2
|
-
"$schema": "../scripts/release-notes-schema.json",
|
|
3
|
-
"version": "0.15.3",
|
|
4
|
-
"date": "2026-06-12",
|
|
5
|
-
"headline": "DDL hardening in b.sql, schema-confined column introspection on Postgres and MySQL, and a classical-downgrade audit on proxy-tunneled TLS",
|
|
6
|
-
"summary": "This release hardens the data layer and closes a transport audit gap. The b.sql builder refuses an unrecognised column type that carries a statement terminator, quote, or comment marker - the one position in an otherwise quote-by-construction DDL builder where a verbatim string reached the emitted statement - and routes the finished CREATE TABLE through the same single-statement gate every other verb uses. The schema reconciler's column introspection is now confined to the schema or database the bare-named CREATE TABLE actually writes into (current_schema() on Postgres, DATABASE() on MySQL), so a same-named table in another schema no longer pollutes the column set, silently skipping an ADD COLUMN or fabricating false schema drift that refuses a regulated-posture boot. Two further builder gaps are fixed: a column-level primary key combined with a composite primaryKey now fails at build time with a clear error instead of producing invalid DDL, and a MySQL upsert read-back keyed by a cast or a server-evaluated function now renders the cast (or refuses the function) instead of binding an internal wrapper. Finally, an HTTPS request sent through a configured proxy now emits the tls.classical_downgrade audit when the handshake falls back to a classical group, the same as a direct connection.",
|
|
7
|
-
"sections": [
|
|
8
|
-
{
|
|
9
|
-
"heading": "Security",
|
|
10
|
-
"items": [
|
|
11
|
-
{
|
|
12
|
-
"title": "b.sql refuses an injection-bearing verbatim column type and gates every CREATE TABLE",
|
|
13
|
-
"body": "An unrecognised column type passed to b.sql.createTable / alterTable was emitted into the DDL verbatim - the single raw-emission position in a builder that otherwise quotes every identifier and guards every constraint fragment. A type such as \"text); DROP TABLE secrets; --\" could therefore smuggle a stacked statement. The builder now refuses, at build time, a verbatim type carrying a statement terminator or comment marker, and routes the finished CREATE TABLE / ALTER TABLE statement through the same single-statement / NUL / unterminated-quote / unbalanced-paren gate every SELECT / INSERT / UPDATE / DELETE / UPSERT already used - so an unbalanced quote is caught there. Legitimate types are unaffected: VARCHAR(255), NUMERIC(10,2), DOUBLE PRECISION, TIMESTAMP WITH TIME ZONE, and MySQL ENUM('a','b') / SET(...) (which need balanced quotes) all still pass."
|
|
14
|
-
}
|
|
15
|
-
]
|
|
16
|
-
},
|
|
17
|
-
{
|
|
18
|
-
"heading": "Fixed",
|
|
19
|
-
"items": [
|
|
20
|
-
{
|
|
21
|
-
"title": "Schema reconciliation reads columns from the right schema on Postgres and MySQL",
|
|
22
|
-
"body": "The reconciler's column introspection queried information_schema with no schema filter, so on a Postgres instance or MySQL server hosting more than one schema/database with a same-named table, the live column set was the union across schemas. That could silently skip an ADD COLUMN the table needed, or report false drift that refuses a boot under a pinned regulated posture. Introspection is now confined to current_schema() (Postgres) / DATABASE() (MySQL) - the schema the bare-named CREATE TABLE lands in. SQLite (PRAGMA, per-file) is unchanged."
|
|
23
|
-
},
|
|
24
|
-
{
|
|
25
|
-
"title": "createTable rejects a contradictory primary-key declaration at build time",
|
|
26
|
-
"body": "Declaring both a column-level primary key (primaryKey / autoIncrement / serial) and a composite opts.primaryKey emitted two PRIMARY KEY clauses, which every dialect rejects at the driver mid-migration. The builder now refuses the contradiction at build time with a clear error; a single column PK, or a composite primaryKey with no column-level PK, is unaffected."
|
|
27
|
-
},
|
|
28
|
-
{
|
|
29
|
-
"title": "MySQL upsert read-back resolves a cast or function conflict key instead of binding a wrapper",
|
|
30
|
-
"body": "On MySQL, an upsert whose conflict key was a b.sql.cast(...) or b.sql.fn(...) built a read-back SELECT that bound the wrapper object, so the read-back matched no rows. A cast conflict key now renders as CAST(? AS type) binding the inner value; a server-evaluated function conflict key (which has no stable read-back identity) is refused with a clear error. Plain scalar conflict keys are unchanged."
|
|
31
|
-
},
|
|
32
|
-
{
|
|
33
|
-
"title": "Proxy-tunneled TLS emits the classical-downgrade audit",
|
|
34
|
-
"body": "An HTTPS upstream reached through a configured proxy performed its TLS handshake without emitting the tls.classical_downgrade audit on a classical-group fallback, leaving the post-quantum-readiness inventory incomplete for proxied requests. Both the upstream handshake and the proxy-leg handshake now emit the audit on a classical fallback, matching the direct connection path. The handshake itself is unchanged (still hybrid-preferred TLSv1.3)."
|
|
35
|
-
}
|
|
36
|
-
]
|
|
37
|
-
}
|
|
38
|
-
]
|
|
39
|
-
}
|
|
@@ -1,18 +0,0 @@
|
|
|
1
|
-
{
|
|
2
|
-
"$schema": "../scripts/release-notes-schema.json",
|
|
3
|
-
"version": "0.15.30",
|
|
4
|
-
"date": "2026-06-26",
|
|
5
|
-
"headline": "Importing the webhook module for inbound signature verification no longer pulls the Node HTTP client (or its `node:http` / `node:https` / `node:http2` chain), so `b.webhook.verify` runs in a Worker / edge runtime when the module is imported directly",
|
|
6
|
-
"summary": "lib/webhook and its delivery store eagerly required the outbound HTTP client at module load — directly, and transitively through the persistence-backed dispatcher — so importing the webhook module threw in a Cloudflare Workers / edge runtime that has no node:http / node:net / node:tls, even though b.webhook.verify needs only HMAC-SHA-256 and a timing-safe compare. The HTTP client and the SQL-backed dispatcher are now resolved lazily, only on the outbound send / dispatch paths; importing the module for inbound verification loads no Node networking module. Verified by asserting no networking builtin appears in process.moduleLoadList on the verify path. The framework's aggregate entry point still initializes the networking stack eagerly, so the edge verify path is the webhook module imported directly rather than the aggregate b namespace.",
|
|
7
|
-
"sections": [
|
|
8
|
-
{
|
|
9
|
-
"heading": "Fixed",
|
|
10
|
-
"items": [
|
|
11
|
-
{
|
|
12
|
-
"title": "Inbound webhook verification loads without the Node networking stack (Worker / edge runtime)",
|
|
13
|
-
"body": "The webhook module and its dispatcher delivery store required the outbound HTTP client (node:http / node:https / node:http2) at module load, so importing the module threw in a runtime without those builtins — even though b.webhook.verify is HMAC-SHA-256 plus a timing-safe compare and the dispatcher (SQL-backed persistence) is only needed for outbound delivery. The HTTP client and the dispatcher are now resolved lazily, on the outbound send / dispatch paths only; the inbound verify path loads no Node networking module. An edge handler that imports the webhook module directly can pre-verify an inbound Stripe webhook signature with the primitive's hardening (Stripe-Signature size cap, v1-hex anti-DoS cap, minimum-tolerance floor, optional atomic replay store) instead of hand-rolling the t=/v1= parse, tolerance window, and timing-safe compare. The framework's aggregate entry still loads the networking stack eagerly; import the webhook module directly for the edge verify path."
|
|
14
|
-
}
|
|
15
|
-
]
|
|
16
|
-
}
|
|
17
|
-
]
|
|
18
|
-
}
|
|
@@ -1,18 +0,0 @@
|
|
|
1
|
-
{
|
|
2
|
-
"$schema": "../scripts/release-notes-schema.json",
|
|
3
|
-
"version": "0.15.31",
|
|
4
|
-
"date": "2026-06-26",
|
|
5
|
-
"headline": "Internal test-suite hardening only — the published library's runtime behavior and public API are unchanged (source-comment marker text aside)",
|
|
6
|
-
"summary": "The codebase-patterns guard suite gains a gate that retires a renamed suppression-marker token: once a suppression class is re-verified and renamed, its old token cannot be silently re-registered, so a later suppression has to be re-examined under the new name instead of inheriting a stale approval. Eight suppression classes were re-verified and renamed to descriptive tokens this release, and their in-source marker comments were updated to match. No runtime code, public API, or wire format changed.",
|
|
7
|
-
"sections": [
|
|
8
|
-
{
|
|
9
|
-
"heading": "Detectors",
|
|
10
|
-
"items": [
|
|
11
|
-
{
|
|
12
|
-
"title": "Re-verification gate retires a renamed suppression-marker token",
|
|
13
|
-
"body": "A new guard refuses to re-register a retired suppression-marker token, and the orphan check points a stale marker at its current name. When a suppression class is re-verified, it is renamed to a descriptive token and the old name is recorded as retired, so the old approval cannot be quietly resurrected — a future suppression must be re-examined and re-stamped under the new name. This is test-suite tooling; no shipped framework behavior changed."
|
|
14
|
-
}
|
|
15
|
-
]
|
|
16
|
-
}
|
|
17
|
-
]
|
|
18
|
-
}
|
|
@@ -1,18 +0,0 @@
|
|
|
1
|
-
{
|
|
2
|
-
"$schema": "../scripts/release-notes-schema.json",
|
|
3
|
-
"version": "0.15.32",
|
|
4
|
-
"date": "2026-06-26",
|
|
5
|
-
"headline": "Internal test-suite hardening only — the published library's runtime behavior and public API are unchanged (source-comment marker text aside)",
|
|
6
|
-
"summary": "Three more suppression classes in the codebase-patterns guard suite were re-verified from scratch and renamed to descriptive tokens, with their old names recorded as retired so the prior approval cannot be silently resurrected and their in-source marker comments updated to match. No runtime code, public API, or wire format changed.",
|
|
7
|
-
"sections": [
|
|
8
|
-
{
|
|
9
|
-
"heading": "Detectors",
|
|
10
|
-
"items": [
|
|
11
|
-
{
|
|
12
|
-
"title": "Three more suppression-marker classes re-verified and their tokens retired",
|
|
13
|
-
"body": "Continuing the re-verification pass: each marked site for the process-exit, hand-rolled buffer-collect, and raw-outbound-http guard classes was re-read and confirmed (operator-opt-in exits; bounded protocol-framing / TLV assembly; framework-routed outbound calls), then the class was renamed to a descriptive token and its old name added to the retired-token set. This is test-suite tooling; no shipped framework behavior changed."
|
|
14
|
-
}
|
|
15
|
-
]
|
|
16
|
-
}
|
|
17
|
-
]
|
|
18
|
-
}
|
|
@@ -1,18 +0,0 @@
|
|
|
1
|
-
{
|
|
2
|
-
"$schema": "../scripts/release-notes-schema.json",
|
|
3
|
-
"version": "0.15.33",
|
|
4
|
-
"date": "2026-06-26",
|
|
5
|
-
"headline": "Internal test-suite hardening only — the published library's runtime behavior and public API are unchanged (source-comment marker text aside)",
|
|
6
|
-
"summary": "Three more suppression classes in the codebase-patterns guard suite were re-verified from scratch and renamed to descriptive tokens, with their old names recorded as retired and their in-source marker comments updated to match. No runtime code, public API, or wire format changed.",
|
|
7
|
-
"sections": [
|
|
8
|
-
{
|
|
9
|
-
"heading": "Detectors",
|
|
10
|
-
"items": [
|
|
11
|
-
{
|
|
12
|
-
"title": "Three more suppression-marker classes re-verified and their tokens retired",
|
|
13
|
-
"body": "Continuing the re-verification pass: each marked site for the math-random-noncrypto, raw-new-url, and dynamic-require guard classes was re-read and confirmed (non-security jitter/sampling; URL parsing for shape/origin inspection or behind the safe wrapper; operator-supplied module loads), then the class was renamed to a descriptive token and its old name added to the retired-token set. This is test-suite tooling; no shipped framework behavior changed."
|
|
14
|
-
}
|
|
15
|
-
]
|
|
16
|
-
}
|
|
17
|
-
]
|
|
18
|
-
}
|
|
@@ -1,27 +0,0 @@
|
|
|
1
|
-
{
|
|
2
|
-
"$schema": "../scripts/release-notes-schema.json",
|
|
3
|
-
"version": "0.15.34",
|
|
4
|
-
"date": "2026-06-26",
|
|
5
|
-
"headline": "`b.mail.crypto.pgp.verify` now accepts every valid RSA OpenPGP signature — one whose value happened to have a high zero byte (about 1 in 256) was being rejected",
|
|
6
|
-
"summary": "An OpenPGP RSA signature is an integer modulo the key's modulus, and ~1 in 256 signatures have a value that begins with a zero byte. The MPI encoding strips those leading zero bytes (RFC 9580 §3.2), but b.mail.crypto.pgp.verify passed the stripped value straight to the RSA verification, which requires a signature exactly the modulus byte length — so a perfectly valid signature was intermittently reported invalid. The signature is now left-padded back to the modulus width before verification, exactly as the Ed25519 path already pads its components. Verification of every valid RSA signature is now reliable, including signatures produced by other OpenPGP implementations. Also includes internal test-tooling: two more guard-suite suppression classes were re-verified and their tokens retired.",
|
|
7
|
-
"sections": [
|
|
8
|
-
{
|
|
9
|
-
"heading": "Fixed",
|
|
10
|
-
"items": [
|
|
11
|
-
{
|
|
12
|
-
"title": "RSA OpenPGP signatures with a high zero byte now verify reliably",
|
|
13
|
-
"body": "b.mail.crypto.pgp.verify read the RSA signature MPI (whose leading zero bytes the OpenPGP wire format strips) and handed it to the RSA verification without restoring the stripped bytes. Node's RSA verify requires the signature to be exactly the modulus byte length, so a signature whose value had one or more high zero bytes — about 1 in 256 of all signatures, for any key — was rejected as invalid even though it was correct. The signature is now left-padded to the modulus width before verification (the same correction the Ed25519 verification path already applied to its R/S components). This affects signatures the framework produces and signatures from other OpenPGP implementations alike. A deterministic regression test searches for a short-MPI signature and asserts it verifies."
|
|
14
|
-
}
|
|
15
|
-
]
|
|
16
|
-
},
|
|
17
|
-
{
|
|
18
|
-
"heading": "Detectors",
|
|
19
|
-
"items": [
|
|
20
|
-
{
|
|
21
|
-
"title": "Two more suppression-marker classes re-verified and their tokens retired",
|
|
22
|
-
"body": "The raw-hash-compare and seal-without-aad guard classes were re-read and confirmed (a data-residency region tag compared with === — not a secret; and two intentional non-AEAD-bound seals — a non-regulated plain-mode column whose AAD is enforced by the posture seal-envelope floor where it matters, and a throwaway vault-readiness probe), then renamed to descriptive tokens with their old names added to the retired-token set. Test-suite tooling only."
|
|
23
|
-
}
|
|
24
|
-
]
|
|
25
|
-
}
|
|
26
|
-
]
|
|
27
|
-
}
|
|
@@ -1,27 +0,0 @@
|
|
|
1
|
-
{
|
|
2
|
-
"$schema": "../scripts/release-notes-schema.json",
|
|
3
|
-
"version": "0.15.35",
|
|
4
|
-
"date": "2026-06-26",
|
|
5
|
-
"headline": "`b.metrics` shadow registry no longer lets a comma in a label value forge extra Prometheus label pairs — a label-injection that downstream tenant-scoping or authorization selectors could be tricked by",
|
|
6
|
-
"summary": "The shadow registry serialized a metric's label set into a `name=value,name=value` string key and re-split it on `,` to build the Prometheus exposition. A label VALUE containing a comma therefore split into multiple label pairs, so a single operator-set label could forge additional label pairs in the scrape output (for example turning one `route` label into a `route` plus an attacker-named label), which downstream tenant-scoping filters, authorization selectors, recording rules, and alerting trust as a boundary; two distinct label sets could also collide into one cardinality bucket. The label key now uses canonical-JSON of the string-coerced label set (the same approach the main registry already used) and the render path emits the structured label set kept alongside that key rather than splitting or re-parsing, so a `,` or `=` inside a label value stays inside the value and a label NAMED `constructor`, `prototype`, or `__proto__` (all valid Prometheus label names) is preserved instead of being dropped. Note: the cardinality keys exposed by `shadowRegistry().snapshot()` are now canonical-JSON strings (e.g. `{\"route\":\"/api\"}`) rather than `route=/api`.",
|
|
7
|
-
"sections": [
|
|
8
|
-
{
|
|
9
|
-
"heading": "Security",
|
|
10
|
-
"items": [
|
|
11
|
-
{
|
|
12
|
-
"title": "Label values can no longer forge extra Prometheus label pairs in the shadow registry",
|
|
13
|
-
"body": "b.metrics shadowRegistry built a metric's cardinality key by joining `name=value` pairs with commas, then split that string on commas when rendering the Prometheus exposition. A comma (and `=`) in a label value therefore broke one value into several forged label pairs in the scrape output, and two different label sets could collide into the same cardinality bucket. The key is now canonical-JSON of the string-coerced label set and the render emits the structured label set kept alongside that key rather than splitting or re-parsing, so a label value is emitted as a single quoted value with its commas/equals intact, distinct label sets get distinct keys, and a label NAMED `constructor`, `prototype`, or `__proto__` (each a valid Prometheus label name) is preserved rather than dropped. Deterministic regression tests assert a comma-bearing label value produces exactly one label pair and that the reserved-name labels survive render."
|
|
14
|
-
}
|
|
15
|
-
]
|
|
16
|
-
},
|
|
17
|
-
{
|
|
18
|
-
"heading": "Changed",
|
|
19
|
-
"items": [
|
|
20
|
-
{
|
|
21
|
-
"title": "shadowRegistry().snapshot() cardinality keys are canonical-JSON",
|
|
22
|
-
"body": "As a consequence of the label-injection fix, the per-series cardinality keys in a shadow-registry snapshot are now canonical-JSON strings (e.g. `{\"tenant\":\"a\"}`) instead of the previous `tenant=a` form. Code that reads those keys directly from snapshot() should parse them as JSON; the Prometheus render output is unchanged for conforming label values."
|
|
23
|
-
}
|
|
24
|
-
]
|
|
25
|
-
}
|
|
26
|
-
]
|
|
27
|
-
}
|
|
@@ -1,18 +0,0 @@
|
|
|
1
|
-
{
|
|
2
|
-
"$schema": "../scripts/release-notes-schema.json",
|
|
3
|
-
"version": "0.15.36",
|
|
4
|
-
"date": "2026-06-27",
|
|
5
|
-
"headline": "Internal test-suite hardening only — the published library's runtime behavior and public API are unchanged (source-comment marker text aside)",
|
|
6
|
-
"summary": "The codebase-patterns guard class that allows a bare comma/semicolon split on token-only RFC header grammars was re-verified from scratch and renamed to a descriptive token, with its old name recorded as retired. Each live marked site (RRULE, RFC 9421 component identifiers, TLS-RPT rua, SCIM attribute paths) was re-read and confirmed to split a grammar with no quoted-string members. Five marker comments that suppressed nothing were removed or turned into plain explanatory comments. No runtime code, public API, or wire format changed.",
|
|
7
|
-
"sections": [
|
|
8
|
-
{
|
|
9
|
-
"heading": "Detectors",
|
|
10
|
-
"items": [
|
|
11
|
-
{
|
|
12
|
-
"title": "Bare token-only header-split suppression class re-verified, renamed, and pruned of inert markers",
|
|
13
|
-
"body": "Each marked bare `.split(\",\")` / `.split(\";\")` on an RFC header value was re-read and confirmed to operate on a token-only grammar (no quoted-string members, so a quote-aware splitter is unnecessary): RFC 5545 RRULE, RFC 9421 signature component identifiers, RFC 8460 TLS-RPT rua, and RFC 7644 SCIM attribute paths. The guard class was renamed to a descriptive token and its old name added to the retired-token set. Five marker comments that the detector never actually evaluated (two sat on a date-normalizing `.replace`, three in header parsers the guard intentionally does not scan) were removed or converted to plain comments. This is test-suite tooling plus source-comment text; no shipped framework behavior changed."
|
|
14
|
-
}
|
|
15
|
-
]
|
|
16
|
-
}
|
|
17
|
-
]
|
|
18
|
-
}
|
|
@@ -1,26 +0,0 @@
|
|
|
1
|
-
{
|
|
2
|
-
"$schema": "../scripts/release-notes-schema.json",
|
|
3
|
-
"version": "0.15.37",
|
|
4
|
-
"date": "2026-06-27",
|
|
5
|
-
"headline": "Several numeric options that silently accepted a non-finite value — disabling a clock-skew / freshness check or a resource cap — now reject it, so an `Infinity` skew or limit can no longer turn off the protection it configures",
|
|
6
|
-
"summary": "A number of configuration options validated a numeric value with a bare `typeof === \"number\" && value >= 0` check, which accepts `Infinity`. Where the value is a clock-skew tolerance or a resource cap, an `Infinity` (or `NaN`) silently disabled the very check it tunes: a CWT / OCSP-staple / ARC clock-skew of `Infinity` made the expiry, freshness, and expiration comparisons unsatisfiable (an expired token / a replayed pre-revocation \"good\" response / an expired ARC seal would be accepted); a WebSocket-client `maxMessageBytes` / `maxFrameBytes` / `handshakeTimeoutMs` of `Infinity` disabled the inbound-OOM and stalled-handshake defenses; and inbox / flag-cache / audit-chain size and count caps of `Infinity` admitted unbounded data. These options now route through the finite-bounds validator: a present non-finite value is refused at the entry point (or falls back to the safe default on the result-returning paths). Options where an unbounded value is a deliberate intent — reconnect \"retry indefinitely\", inbox \"retain indefinitely\" — continue to accept `Infinity`.",
|
|
7
|
-
"sections": [
|
|
8
|
-
{
|
|
9
|
-
"heading": "Security",
|
|
10
|
-
"items": [
|
|
11
|
-
{
|
|
12
|
-
"title": "A non-finite clock-skew no longer disables CWT / OCSP / ARC time checks",
|
|
13
|
-
"body": "b.cwt.verify, the OCSP-staple freshness check in b.network.tls, and b.mail.arc.verify each took an operator clock-skew tolerance validated as `typeof === \"number\" && >= 0`, which accepts `Infinity`. Because each check is of the form `now > deadline + skew`, a skew of `Infinity` made it unsatisfiable and silently turned the check off: an expired CWT verified, a stale (post-nextUpdate) OCSP \"good\" response — the exact reply an attacker replays after the certificate is revoked — was accepted, and an expired ARC seal passed. A present clock-skew that is not a non-negative finite integer is now refused (b.cwt.verify throws cwt/bad-clock-skew; the OCSP and ARC paths fall back to their safe default). Regression tests assert an expired token / stale staple / expired ARC seal is still rejected when the skew is `Infinity`."
|
|
14
|
-
},
|
|
15
|
-
{
|
|
16
|
-
"title": "WebSocket-client inbound caps can no longer be disabled by an Infinity value",
|
|
17
|
-
"body": "b.wsClient.connect validated maxMessageBytes, maxFrameBytes, and handshakeTimeoutMs (and the ping/pong keepalive intervals) with a bare numeric check that accepted `Infinity`, which disabled the inbound-message and frame size limits — the defenses against a malicious server sending an unbounded message — and the handshake timeout. A present non-finite value for these is now refused at connect time. The reconnect maxAttempts still accepts `Infinity` (a deliberate \"reconnect indefinitely\" intent)."
|
|
18
|
-
},
|
|
19
|
-
{
|
|
20
|
-
"title": "Inbox, flag-cache, and audit-chain caps reject a non-finite limit",
|
|
21
|
-
"body": "The inbox maxPayloadBytes / messageIdMaxLen / sourceMaxLen caps, the flag-cache ttlMs / maxEntries, and the audit-chain partition fan-out cap each accepted `Infinity`, disabling the cap (unbounded stored payloads, a never-expiring or unbounded cache, unbounded fan-out). These now require a positive finite integer — refused at create time, or clamped to the bounded default on the result-returning verify path. The inbox retentionDays still accepts `Infinity` (retain indefinitely)."
|
|
22
|
-
}
|
|
23
|
-
]
|
|
24
|
-
}
|
|
25
|
-
]
|
|
26
|
-
}
|
|
@@ -1,26 +0,0 @@
|
|
|
1
|
-
{
|
|
2
|
-
"$schema": "../scripts/release-notes-schema.json",
|
|
3
|
-
"version": "0.15.38",
|
|
4
|
-
"date": "2026-06-27",
|
|
5
|
-
"headline": "Regex patterns supplied in feature-flag targeting rules and MCP tool input schemas are now screened for catastrophic-backtracking (ReDoS) shapes before compilation, so a pattern matched against request data can't pin a CPU",
|
|
6
|
-
"summary": "Two places compiled a caller-supplied regex pattern and `.test()`'d it against request-controlled input with only a length bound as the stated defense: a feature-flag targeting condition (`op: \"regex\"`) matched against runtime attribute values, and an MCP tool's input-schema `pattern` matched against tool-call arguments. A length bound is not a ReDoS defense — a catastrophic-backtracking pattern such as `(a+)+$` is six characters and pins a CPU on a crafted input. Both patterns now pass through `b.guardRegex` (strict profile) before compilation, which refuses nested-quantifier, alternation-with-quantifier, and quantifier-inside-lookaround shapes. A ReDoS-shaped flag pattern is refused when the rules are validated; a ReDoS-shaped MCP schema pattern fails tool-input validation. Patterns built from the framework's own static tables, operator-owned JSON Schema patterns, the Sieve glob translator (which cannot express nested quantifiers), and the I-Regexp translator (linear by dialect) are unchanged.",
|
|
7
|
-
"sections": [
|
|
8
|
-
{
|
|
9
|
-
"heading": "Security",
|
|
10
|
-
"items": [
|
|
11
|
-
{
|
|
12
|
-
"title": "Feature-flag regex targeting conditions are screened for ReDoS before compilation",
|
|
13
|
-
"body": "A flag targeting rule with `op: \"regex\"` compiled the operator-supplied pattern and `.test()`'d it against runtime attribute values, guarded only by a 200-character length cap. Length does not bound catastrophic backtracking, so a pattern like `(a+)+$` combined with an attacker-controlled attribute value could pin a CPU during flag evaluation. The pattern is now screened through b.guardRegex (strict) when the rules are validated, and a catastrophic-backtracking shape is refused with a clear error."
|
|
14
|
-
},
|
|
15
|
-
{
|
|
16
|
-
"title": "MCP tool input-schema patterns are screened for ReDoS before matching request input",
|
|
17
|
-
"body": "b.mcp.validateToolInput compiled a tool author's input-schema `pattern` and matched it against tool-call argument values; the 4096-character input cap does not bound backtracking (a `(a+)+$` pattern blows up at roughly forty input characters). The schema pattern is now screened through b.guardRegex (strict) before compilation, so a ReDoS-shaped pattern in a registered tool's schema fails input validation instead of letting hostile arguments hang the validator."
|
|
18
|
-
},
|
|
19
|
-
{
|
|
20
|
-
"title": "b.guardRegex now catches wrapped nested-quantifier patterns",
|
|
21
|
-
"body": "The nested-quantifier detector matched a quantified group whose body contained a quantifier, but its inner match was paren-blind, so wrapping the inner quantifier in an extra group — `((a)+)+`, `(([a-z]+)*)*`, `((a+))+` — slipped past it while remaining catastrophic. A structural scan now tracks group nesting and refuses an unbounded-quantified group whose body itself contains an unbounded quantifier at any depth, so the wrapped forms are rejected alongside the bare `(a+)+`. Bounded repeats (`{n}`, `{n,m}`) are unaffected. This strengthens every b.guardRegex caller, including the flag-targeting and MCP screening above."
|
|
22
|
-
}
|
|
23
|
-
]
|
|
24
|
-
}
|
|
25
|
-
]
|
|
26
|
-
}
|
|
@@ -1,39 +0,0 @@
|
|
|
1
|
-
{
|
|
2
|
-
"$schema": "../scripts/release-notes-schema.json",
|
|
3
|
-
"version": "0.15.4",
|
|
4
|
-
"date": "2026-06-12",
|
|
5
|
-
"headline": "Telemetry attribute values are redacted before they leave the process, per-row data residency is enforced on every write and export path, DDL routes through the single-statement gate, the DPoP middleware requires its replay store, and session rotation re-keys the device binding",
|
|
6
|
-
"summary": "This release closes a set of egress, data-residency, and session-binding gaps. OTLP span, span-event, and resource attributes are now scrubbed through the telemetry redactor before serialization, on both the JSON and protobuf paths, matching the metric exporter - an attribute value holding a bearer token, password, or API key no longer reaches the collector verbatim. Per-row data residency, previously enforced only at the structured query builder, is now enforced on the three paths that bypassed it: raw SQL writes, read-replica fan-out, and backup export. Every CREATE TABLE / ALTER TABLE the schema reconciler and the DSR store emit now passes through the same single-statement gate the query builder uses. The DPoP middleware now requires its replay store at mount time instead of silently mounting a proof-of-possession gate that performed no replay check. And session rotation re-keys the device fingerprint to the new session id, so a rotated session stays bound to its device instead of falsely reporting drift on the next request.",
|
|
7
|
-
"sections": [
|
|
8
|
-
{
|
|
9
|
-
"heading": "Security",
|
|
10
|
-
"items": [
|
|
11
|
-
{
|
|
12
|
-
"title": "OTLP exporter redacts span, event, and resource attribute values before egress",
|
|
13
|
-
"body": "Span, span-event, and resource attributes were serialized to the OTLP collector verbatim on both the JSON and protobuf encodings - the metric exporter scrubbed its attributes through the telemetry redactor, but the span exporter did not. An attribute value carrying a secret or PII (a bearer token in `authorization`, a `password`, an `api_key`) was therefore shipped in clear to whatever collector the deployment points at (CWE-532). Every attribute-map encoder now runs each value through `b.observability.redactAttrs` (default composes `b.redact.redact`, dropping any attribute whose redactor throws) before the wire payload, so telemetry is redacted like the log and audit egress paths. The new `b.observability.redactAttrs(attrs)` is available for operators building custom exporters."
|
|
14
|
-
},
|
|
15
|
-
{
|
|
16
|
-
"title": "Per-row data residency is enforced on raw writes, read replicas, and backups",
|
|
17
|
-
"body": "Per-row residency was enforced only at the structured query builder. Three paths reached storage or left the deployment without it: raw SQL writes (`b.db.runSql` / `b.db.prepare().run()`, INSERT and UPDATE forms) bypassed the local residency check entirely, so a cross-border row could be written under a regulated posture with no refusal; read-replica fan-out dropped the row-residency tag, routing a regulated read with no row region identified to a residency-tagged, non-cross-border replica with no check; and `b.backup.create`'s residency check compared only the single deployment region to the destination, blind to a per-row-residency table that admits rows from several regions. Raw writes now parse the target table and residency value and apply the same gate the builder does; the replica read now fails closed when the row region is unidentified; and backup now emits a per-row cross-border advisory for any declared residency table whose admitted regions differ from the backup destination."
|
|
18
|
-
},
|
|
19
|
-
{
|
|
20
|
-
"title": "Schema and DSR DDL routes through the single-statement gate",
|
|
21
|
-
"body": "The CREATE TABLE / ALTER TABLE statements emitted by the schema reconciler and the DSR ticket store were assembled and run without the single-statement / NUL / unterminated-quote / unbalanced-paren gate that every query the builder emits already passes. That gate is now a shared check both the builder's catalog emitter and the schema/DSR DDL path call, so a terminator, comment marker, or unbalanced quote that reached a DDL fragment is refused at emit time on every backend."
|
|
22
|
-
},
|
|
23
|
-
{
|
|
24
|
-
"title": "DPoP middleware requires its replay store at mount time",
|
|
25
|
-
"body": "`b.middleware.dpop` documented `replayStore` as required, but the factory read it optionally and gated the jti-replay check behind its presence - omitting it mounted a proof-of-possession gate that performed no replay check, so a captured DPoP proof could be replayed indefinitely (RFC 9449 §11.1). The middleware now requires the store at config time: a missing store, or a store lacking `checkAndInsert`, throws when the middleware is created instead of failing open at request time. The low-level `b.auth.dpop.verify` primitive keeps `replayStore` optional for advanced callers that track jti themselves."
|
|
26
|
-
}
|
|
27
|
-
]
|
|
28
|
-
},
|
|
29
|
-
{
|
|
30
|
-
"heading": "Fixed",
|
|
31
|
-
"items": [
|
|
32
|
-
{
|
|
33
|
-
"title": "Session rotation re-keys the device fingerprint to the new session id",
|
|
34
|
-
"body": "A session's optional device fingerprint is keyed to its session id, so that a stolen database cannot replay the binding. `b.session.rotate` moved the session id but left the stored fingerprint keyed to the old id, so the next `verify` recomputed the fingerprint against the new id and mismatched - reporting a false `fingerprintDrift` (which destroys the session under strict operators, logging the user out on every rotation) or silently breaking the binding. Rotation now re-keys the fingerprint to the new session id from the live request: pass the same `{ req, fingerprintFields }` to `rotate`. A fingerprint-bound session rotated without `req` now throws, because the binding cannot otherwise follow the new id; unbound sessions are unaffected."
|
|
35
|
-
}
|
|
36
|
-
]
|
|
37
|
-
}
|
|
38
|
-
]
|
|
39
|
-
}
|
|
@@ -1,22 +0,0 @@
|
|
|
1
|
-
{
|
|
2
|
-
"$schema": "../scripts/release-notes-schema.json",
|
|
3
|
-
"version": "0.15.5",
|
|
4
|
-
"date": "2026-06-12",
|
|
5
|
-
"headline": "Legal-hold and subject-restriction PII is sealed at rest, and a guard's compliance-posture forensic and runtime caps are applied on its default gate",
|
|
6
|
-
"summary": "This release closes two data-protection gaps. The legal-hold registry and the subject-restriction flag stored their free-text fields - the legal basis, custodian, ticket citation, and restriction reason that link a data subject to a legal matter - in clear, because those local tables were written through a raw SQL path that bypassed the structured builder's at-rest sealing. Those columns are now sealed on write and unsealed on read, the same way the DSR ticket store already seals subject identifiers. Separately, a content guard built on the standard gate contract and gated with a compliance posture (for example b.guardCidr.gate({ compliancePosture: \"hipaa\" })) silently dropped that posture's forensic-snapshot cap and the profile's runtime cap, because the default gate passed the caller's raw options straight to the gate builder instead of resolving the profile and posture first - so a regulated-posture refusal carried no forensic evidence. The default gate now resolves the profile and posture before building the gate, matching the hand-written guard gates.",
|
|
7
|
-
"sections": [
|
|
8
|
-
{
|
|
9
|
-
"heading": "Security",
|
|
10
|
-
"items": [
|
|
11
|
-
{
|
|
12
|
-
"title": "Legal-hold and subject-restriction PII is sealed at rest",
|
|
13
|
-
"body": "`b.legalHold`'s `_blamejs_legal_hold` registry stored the hold reason, custodian, placed-by, and citation in clear, and `b.subject.restrict`'s `_blamejs_subject_restrictions` stored the restriction reason in clear - free text that ties a data subject to a litigation hold or an Art. 18 processing restriction. Those rows were written through a raw `sql.insert` + `prepare().run()` path that bypassed the structured builder's automatic field sealing (the subject-restrictions table even declared the field as sealed, but the raw write never applied it). Both now seal those columns on write and unseal on read through `cryptoField`, so the legal-basis and custodian text is encrypted at rest under the deployment's vault key. Pre-existing plaintext rows continue to read correctly (the unseal path passes through an already-plaintext value)."
|
|
14
|
-
},
|
|
15
|
-
{
|
|
16
|
-
"title": "A guard's default gate applies its compliance-posture forensic and runtime caps",
|
|
17
|
-
"body": "A guard built on `b.gateContract.defineGuard` with the standard gate (no bespoke gate) and gated with a compliance posture dropped that posture's `forensicSnippetBytes` cap and the profile's `maxRuntimeMs` cap: the default gate passed the caller's raw options straight to the gate builder, which reads those caps directly, but the values live on the resolved profile and posture, not the raw options. The effect was that a regulated-posture refusal captured no forensic snapshot (the cap defaulted to 0, i.e. disabled) and the check ran without the profile's runtime bound. The default gate now resolves the profile and posture before building the gate - matching the hand-written guard gates - so `gate({ compliancePosture: \"hipaa\" })` applies the posture's forensic cap and the profile's runtime cap as documented."
|
|
18
|
-
}
|
|
19
|
-
]
|
|
20
|
-
}
|
|
21
|
-
]
|
|
22
|
-
}
|
|
@@ -1,59 +0,0 @@
|
|
|
1
|
-
{
|
|
2
|
-
"$schema": "../scripts/release-notes-schema.json",
|
|
3
|
-
"version": "0.15.6",
|
|
4
|
-
"date": "2026-06-12",
|
|
5
|
-
"headline": "Closes SAML and OIDC assertion-replay windows, bounds SSE memory under a slow client, restores at-least-once delivery for a crashed outbox publisher, makes sealed-column membership queries work, ships JOSE-conformant SD-JWT signatures, and adds a URL canonicalizer for SSRF-safe comparison",
|
|
6
|
-
"summary": "A security and correctness release. On the identity surface: a SAML Response whose Bearer (or Holder-of-Key) SubjectConfirmation omits NotOnOrAfter is now rejected instead of accepted as fresh-forever, and the OIDC ID-token verifier no longer lets a caller disable expiry validation on a normal token - the exp bypass is restricted to back-channel-logout tokens and bounded by an issued-at freshness floor. SD-JWT-VC ES256/ES384 signatures are now emitted as JOSE raw r||s, so credentials this issuer signs verify in conformant wallets and verifiers. A new b.safeUrl.canonicalize (and b.ssrfGuard.canonicalizeHost) collapses obfuscated host and IP forms to one canonical string so allowlist and SSRF comparisons can't be bypassed by encoding tricks. On the reliability side: server-sent-event channels now cap their per-connection outbound buffer and evict a stalled client instead of growing the heap without bound; the outbox reclaims a job left in-flight by a publisher that crashed mid-delivery; the background worker pool no longer drops a task queued behind one that timed out; a retention preview no longer rewrites the whole database file; an equality / membership query on an encrypted column now hashes each candidate (membership queries previously failed outright); and the on-read re-hash of a legacy lookup digest now runs on Postgres and MySQL handles, not only SQLite.",
|
|
7
|
-
"sections": [
|
|
8
|
-
{
|
|
9
|
-
"heading": "Security",
|
|
10
|
-
"items": [
|
|
11
|
-
{
|
|
12
|
-
"title": "SAML SubjectConfirmation without NotOnOrAfter is rejected",
|
|
13
|
-
"body": "`b.auth.saml` SP response verification treated the `NotOnOrAfter` attribute on a Bearer SubjectConfirmationData as optional: a confirmation that omitted it was accepted with no upper bound on the assertion's freshness - a captured assertion replayable indefinitely. SAML 2.0 Web Browser SSO Profile §4.1.4.2 requires Bearer confirmations to carry NotOnOrAfter. `verifyResponse` now rejects a confirmation that is missing NotOnOrAfter, has an unparseable value, or is expired; the Holder-of-Key path (Profile §3.1) is hardened the same way, including the previously-accepted unparseable-value case."
|
|
14
|
-
},
|
|
15
|
-
{
|
|
16
|
-
"title": "ID-token expiry can no longer be disabled on a normal token",
|
|
17
|
-
"body": "`b.auth.oauth`'s `verifyIdToken` honored a `skipExpCheck` option with no constraint, so any caller could verify an expired - or replayed - ID token. That option exists only for OIDC Back-Channel Logout tokens, which carry no `exp`. It is now self-guarding: `verifyIdToken` rejects `skipExpCheck` (`auth-oauth/skip-exp-check-not-allowed`) on any token that lacks the back-channel-logout event claim, and even for a logout token it enforces an `iat` freshness floor (`auth-oauth/logout-token-stale`). The internal logout path is unaffected."
|
|
18
|
-
},
|
|
19
|
-
{
|
|
20
|
-
"title": "Server-sent-event channels bound their outbound buffer",
|
|
21
|
-
"body": "An SSE channel wrote to the response with no regard for backpressure and no cap on buffered bytes, so a single stalled client could make the server buffer events until the heap was exhausted (a memory-exhaustion denial of service). Each channel now tracks its unflushed-byte count and, past a per-channel cap (`maxBufferedBytes`, default 1 MiB), closes the connection and throws `sse/backpressure` - evicting the slow consumer instead of buffering without limit. A client that keeps up is never affected."
|
|
22
|
-
},
|
|
23
|
-
{
|
|
24
|
-
"title": "URL and host canonicalizer for SSRF-safe comparison",
|
|
25
|
-
"body": "New `b.safeUrl.canonicalize(url, opts?)` and `b.ssrfGuard.canonicalizeHost(host)` return the canonical, comparable form of a URL or host: scheme and host lowercased, IDN hosts emitted as their punycode A-label (a confusable / mixed-script host is rejected), every base of an IP literal (decimal, octal, hex, dotted, IPv4-mapped and zero-compressed IPv6) collapsed to one canonical address, default ports stripped, trailing-dot hosts normalized, and path percent-encoding normalized per RFC 3986. Use it to build host allowlists, deduplicate URLs, or compare a fetch target so an allowlist check can't be bypassed by encoding the same address a different way."
|
|
26
|
-
}
|
|
27
|
-
]
|
|
28
|
-
},
|
|
29
|
-
{
|
|
30
|
-
"heading": "Fixed",
|
|
31
|
-
"items": [
|
|
32
|
-
{
|
|
33
|
-
"title": "SD-JWT-VC ES256 / ES384 signatures are JOSE-conformant",
|
|
34
|
-
"body": "`b.auth.sdJwtVc` signed and verified ES256 / ES384 credentials with node:crypto's default DER ECDSA encoding instead of the raw r||s (`ieee-p1363`) form JOSE and EUDI wallets require, so a credential this issuer signed was rejected by conformant verifiers and the library rejected conformant holders' key-binding JWTs. The issuer JWT and the holder KB-JWT now both sign and verify with `ieee-p1363`, matching the rest of the framework's JOSE signers."
|
|
35
|
-
},
|
|
36
|
-
{
|
|
37
|
-
"title": "Membership queries on an encrypted column now work",
|
|
38
|
-
"body": "Querying an encrypted (sealed) column with `IN` / `$in` - `b.db.from(table).whereIn(\"email\", [...])` or `b.db.collection(table).find({ email: { $in: [...] } })` - threw, because the sealed-field-to-derived-hash rewrite passed the whole candidate array to the hash lookup as a single value. Each candidate is now hashed individually and matched against both its active keyed digest and its legacy digest, so membership queries on an encrypted column return the right rows, including rows written before the lookup-hash default changed."
|
|
39
|
-
},
|
|
40
|
-
{
|
|
41
|
-
"title": "A timing-out background task no longer drops the task queued behind it",
|
|
42
|
-
"body": "When a `b.workerPool` task timed out or its worker errored, the slot was returned to the idle pool and drained one moment before it was marked for recycling, so a task queued behind it could be dispatched to the worker about to be terminated - and came back as `workerpool/worker-exit` (or hung) instead of running. The slot is now marked recycling before the queue is drained, so the queued task waits for the replacement worker."
|
|
43
|
-
},
|
|
44
|
-
{
|
|
45
|
-
"title": "The outbox recovers a job stranded by a crashed publisher",
|
|
46
|
-
"body": "`b.outbox` claims a row by flipping it to in-flight, but the claim scan only selected pending rows, so a publisher that crashed between claiming a row and recording delivery left that row in-flight forever - the event was silently dropped, breaking at-least-once delivery. The outbox now stamps each claim with a timestamp and, at the start of every poll, returns any in-flight row older than the claim lease (`claimReclaimMs`, default 5 minutes) to the pending pool so it is delivered. An existing outbox table gains the new column automatically."
|
|
47
|
-
},
|
|
48
|
-
{
|
|
49
|
-
"title": "A retention preview no longer rewrites the whole database",
|
|
50
|
-
"body": "Previewing a retention rule with `b.retention` (`run(name, { dryRun: true })` or the `retention preview` command) ran a full database VACUUM for every candidate row under a regulated posture (gdpr / hipaa / and similar), because the per-row erase - which schedules the vacuum - ran before the dry-run check. A preview now computes what it would erase without touching the database; the vacuum runs only on a real erase."
|
|
51
|
-
},
|
|
52
|
-
{
|
|
53
|
-
"title": "On-read lookup-digest upgrade runs on Postgres and MySQL",
|
|
54
|
-
"body": "When `b.cryptoField.unsealRow` re-hashed a legacy lookup digest to the current keyed form and persisted it, the UPDATE was always built for SQLite, so on a Postgres or MySQL handle the durable rewrite quoted identifiers for the wrong dialect and silently no-opped - the legacy digest stayed on disk and the migration never completed off SQLite. The rewrite now uses the handle's own dialect."
|
|
55
|
-
}
|
|
56
|
-
]
|
|
57
|
-
}
|
|
58
|
-
]
|
|
59
|
-
}
|