npm - @blamejs/core - Versions diffs - 0.11.6 → 0.11.18 - Mend

@blamejs/core 0.11.6 → 0.11.18

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (10) hide show

package/lib/audit.js CHANGED Viewed

@@ -74,8 +74,8 @@ var log = boot("audit");
 // audit critical path — b.audit.record() must return, emit/safeEmit
 // drains must not stall behind it. On timeout the shadow record is
 // dropped (audit.shadow_timeout observability event) and the
-// framework chain row remains committed. CLAUDE.md rule §5 drop-
-// silent posture for hot-path observability sinks.
+// framework chain row remains committed — audit emission MUST NOT
+// crash or stall the request that triggered it.
 var EXTERNAL_STORE_TIMEOUT_MS = C.TIME.seconds(30);
 // External shadow store registered via `b.audit.useStore({ record })`.
@@ -88,11 +88,11 @@ var EXTERNAL_STORE_TIMEOUT_MS = C.TIME.seconds(30);
 // the operator's record receives the fully-formed row (logical fields +
 // `_id` + `recordedAt` + `monotonicCounter` + `prevHash` + `rowHash`).
 //
-// Shadow failures are drop-silent (rule §5 — hot-path observability
-// sinks must not crash the path that emitted them). An audit-shadow
-// failure surfaces via `b.observability` as `audit.shadow_failed`; the
-// framework chain row still committed and downstream verifyChain still
-// works against the framework store.
+// Shadow failures are drop-silent — hot-path observability sinks
+// must not crash the path that emitted them. An audit-shadow
+// failure surfaces via `b.observability` as `audit.shadow_failed`;
+// the framework chain row still committed and downstream
+// verifyChain still works against the framework store.
 var _externalStore = null;
 // Per-operation timeout for framework-state SQL. A misbehaving
@@ -481,8 +481,9 @@ async function record(event) {
       var appended = await _chainWriter.append(logical);
       // Operator-registered shadow store: replicate the fully-formed
       // row to an immutable external destination. Drop-silent on
-      // failure (rule §5) — the framework chain is authoritative and
-      // already committed; the shadow is a best-effort archival.
+      // failure — the framework chain is authoritative and already
+      // committed; the shadow is a best-effort archival, and an
+      // unreachable destination must not crash the audit caller.
       // The operator's record receives the SAME object the framework
       // returns to its caller, so external consumers see identical
       // hashes / counters / ids for cross-store reconciliation.
@@ -547,10 +548,10 @@ async function record(event) {
  * or `audit.shadow_timeout` (cap exceeded) with `{ action,
  * monotonicCounter, error, timeoutMs }` metadata, and the framework
  * chain append still succeeds (the row is durable in the framework's
- * own table; the shadow is a best-effort archival). This is the
- * rule §5 drop-silent posture for hot-path observability sinks — an
- * unreachable / hanging shadow MUST NOT crash or stall the request
- * path that triggered the audit attempt.
+ * own table; the shadow is a best-effort archival). Hot-path
+ * observability sinks emit drop-silent — an unreachable / hanging
+ * shadow MUST NOT crash or stall the request path that triggered
+ * the audit attempt.
  *
  * Call this once at boot, BEFORE the first `b.audit.record` /
  * `b.audit.emit` / `b.audit.safeEmit`. Switching stores on a running

package/lib/auth/oid4vci.js CHANGED Viewed

@@ -451,10 +451,11 @@ function create(opts) {
           "exchangePreAuthorizedCode: tx_code required (offer mandates it)");
       }
       var txHash = sha3Hash("oid4vci-tx:" + eopts.txCode);
-      // Constant-time compare on the hashed tx_code (audit 2026-05-11
-      // — was `!==` on fixed-width sha3 hex; per CLAUDE.md rule §5
-      // every framework-internal compare against attacker-controlled
-      // input routes through timingSafeEqual).
+      // Constant-time compare on the hashed tx_code — `===` on a
+      // hex digest leaks per-byte timing under attacker-controlled
+      // input. Every framework compare against attacker-influenced
+      // bytes routes through timingSafeEqual regardless of the
+      // operand length being fixed.
       if (!timingSafeEqual(txHash, entry.txCodeHash)) {
         // Don't consume on failure — wallet may be retrying. Operator
         // attaches their own attempt counter / lockout via b.auth.lockout.

package/lib/compliance.js CHANGED Viewed

@@ -1087,8 +1087,9 @@ var POSTURE_DEFAULTS = Object.freeze({
   // being certified for the ML-KEM / ML-DSA primitives upstream.
   //
   // Conflict resolution: PQC-first remains the framework default
-  // (CLAUDE.md rule §2 — never weaken security middleware), but
-  // operators in a FedRAMP boundary opt into `fipsMode: true` to
+  // — the framework refuses to weaken security middleware to fit a
+  // posture flag. Operators in a FedRAMP boundary opt into
+  // `fipsMode: true` to
   // switch `b.audit.sign` from SLH-DSA-SHAKE-256f to FIPS-validated
   // AES-GCM + SHA-384 for the audit-chain signing path. The runtime
   // emits a `compliance.posture.fips_conflict` audit warning when

package/lib/crypto.js CHANGED Viewed

@@ -52,7 +52,9 @@ var C = require("./constants");
 // Circular: audit imports b.crypto for sha3Hash + envelope sign. Lazy-
 // load the audit module so the legacy-envelope decrypt path can emit
 // `system.crypto.decrypt.allow_legacy` events without an inline
-// require() inside setImmediate (top-of-file requires per rule §3).
+// require() inside setImmediate. (The framework's convention is
+// top-of-file require() except where a documented circular-load
+// reason forces lazy-load; this is one of those reasons.)
 var lazyRequire = require("./lazy-require");
 var audit       = lazyRequire(function () { return require("./audit"); });
 // safe-buffer hosts the canonical hasCrlf(s) helper used by every

package/lib/safe-decompress.js CHANGED Viewed

@@ -266,7 +266,7 @@ function safeDecompress(input, opts) {
   return out;
 }
-// Drop-silent audit emission per rule §5: refuse-emit is best-effort,
+// Drop-silent audit emission — refuse-emit is best-effort,
 // failures here don't crash the operator's path. Then throw the typed
 // error so the caller's catch block decides downstream.
 function _refuse(opts, code, message, originalError) {
@@ -283,7 +283,7 @@ function _refuse(opts, code, message, originalError) {
           reason:    message,
         },
       });
-    } catch (_e) { /* drop-silent per rule §5 */ }
+    } catch (_e) { /* drop-silent — observability is itself hot-path */ }
   }
   var err = new SafeDecompressError(code, message);
   if (originalError) err.cause = originalError;

package/lib/safe-mount-info.js CHANGED Viewed

@@ -59,7 +59,7 @@
  *   Composes:
  *     - lib/safe-decompress / lib/audit — operator-supplied audit
  *       handle receives `system.safe_mount_info.refused` events on
- *       read-failed and parse-failed (drop-silent per rule §5).
+ *       read-failed and parse-failed (drop-silent — observability emission must not crash the hot path that emitted the event).
  *
  * RFC / kernel-doc citations:
  *   - [Linux Documentation/filesystems/proc.rst §3.5 — /proc/<pid>/mountinfo](https://www.kernel.org/doc/Documentation/filesystems/proc.txt)
@@ -292,7 +292,7 @@ function _refuseEmit(opts, code, message) {
         outcome:  "denied",
         metadata: { code: code, reason: message },
       });
-    } catch (_e) { /* drop-silent per rule §5 */ }
+    } catch (_e) { /* drop-silent — observability emission must not crash the hot path that emitted the event */ }
   }
 }

package/lib/subject.js CHANGED Viewed

@@ -634,9 +634,9 @@ function _subjectHash(subjectId) {
 }
 function _writeAudit(action, subjectId, outcome, metadata) {
-  // recordSafe — audit failure must not roll back the subject mutation
-  // that already touched the database. Drop-silent per CLAUDE.md rule
-  // §5 (hot-path audit sinks): swallow any throw from audit.emit so a
+  // recordSafe — audit failure must not roll back the subject
+  // mutation that already touched the database. Hot-path audit
+  // sinks are drop-silent: swallow any throw from audit.emit so a
   // misconfigured sink doesn't crash a partially-committed subject
   // mutation. Errors surface via the audit sink's own logger.
   try {

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@blamejs/core",
-  "version": "0.11.6",
+  "version": "0.11.18",
   "description": "The Node framework that owns its stack.",
   "license": "Apache-2.0",
   "author": "blamejs contributors",

package/sbom.cdx.json CHANGED Viewed

@@ -1,11 +1,11 @@
 {
   "$schema": "http://cyclonedx.org/schema/bom-1.5.schema.json",
   "bomFormat": "CycloneDX",
-  "specVersion": "1.6",
-  "serialNumber": "urn:uuid:47f41007-66d3-47f2-ba7e-e47db1d7370f",
+  "specVersion": "1.5",
+  "serialNumber": "urn:uuid:df277d76-8998-4935-acd7-542eefc40caa",
   "version": 1,
   "metadata": {
-    "timestamp": "2026-05-20T00:03:39.026Z",
+    "timestamp": "2026-05-20T17:38:57.164Z",
     "lifecycles": [
       {
         "phase": "build"
@@ -19,14 +19,14 @@
       }
     ],
     "component": {
-      "bom-ref": "@blamejs/core@0.11.6",
-      "type": "library",
+      "bom-ref": "@blamejs/core@0.11.18",
+      "type": "application",
       "name": "blamejs",
-      "version": "0.11.6",
+      "version": "0.11.18",
       "scope": "required",
       "author": "blamejs contributors",
       "description": "The Node framework that owns its stack.",
-      "purl": "pkg:npm/%40blamejs/core@0.11.6",
+      "purl": "pkg:npm/%40blamejs/core@0.11.18",
       "properties": [],
       "externalReferences": [
         {
@@ -54,8 +54,8 @@
   "components": [],
   "dependencies": [
     {
-      "ref": "@blamejs/core@0.11.6",
+      "ref": "@blamejs/core@0.11.18",
       "dependsOn": []
     }
   ]
-}
+}