@blamejs/core 0.12.16 → 0.12.18

package/CHANGELOG.md

@@ -8,6 +8,10 @@ upgrading across more than a few patches at a time.
 
 ## v0.12.x
 
+- v0.12.18 (2026-05-24) — **`bundleAdapterStorage.listBundles({ withStats })` + `bundleInfo.createdAt` — opt-in mtime + size from `statKey`.** Two additions on `b.backup.bundleAdapterStorage`. `listBundles({ withStats: true })` fans out `statKey` per bundle and populates `createdAt` (ISO string from mtimeMs) + `size` (bytes) on every entry. Without the opt the default fast path stays a single listKeys call — operators rendering a bundle picker UI choose between O(1) listings and O(N) stat-enriched listings explicitly. `bundleInfo(bundleId)` gains the same `createdAt` field for parity. fsAdapter + objectStoreAdapter both expose `statKey`; legacy adapters without the capability leave the fields null. **Added:** *`storage.listBundles({ withStats: true })` — opt-in per-bundle stat fan-out* — When the adapter exposes `statKey`, populates `createdAt` (ISO string from mtimeMs) + `size` (bytes) per entry. Stat fan-out is O(N) round-trips so the opt is OFF by default — operators wanting cheap one-shot listings stay on `listBundles()`. Format precedence (tar.gz > tar > directory) carries through to which payload key gets stat'd. · *`storage.bundleInfo(bundleId)` returns `createdAt`* — The bundle introspection primitive now returns `{ bundleId, format, envelopeKind, sizeBytes, createdAt }`. `createdAt` is the ISO string derived from `statKey.mtimeMs` (when the adapter exposes it) — null otherwise. Matches the listBundles+withStats shape so operators can use bundleInfo for single-bundle drill-downs without re-mapping field names.
+
+- v0.12.17 (2026-05-23) — **`bundleAdapterStorage.bundleInfo` + `listBundles.format` — per-bundle introspection for envelope kind + format without restore.** Two introspection additions on `b.backup.bundleAdapterStorage`. `listBundles()` now returns the inferred `format` (`"tar"` / `"tar.gz"` / `"directory"`) per bundle from the storage key suffix — no byte read. `storage.bundleInfo(bundleId)` returns `{ bundleId, format, envelopeKind, sizeBytes }` where `envelopeKind` is the result of a 5-byte magic probe (`"recipient"` / `"passphrase"` / `"none"`). Operators administering a multi-strategy backup repository can now filter bundles by encryption posture or by format without a full restore cycle. **Added:** *`listBundles()` carries inferred format per bundle* — Each entry now includes `format` alongside `bundleId` / `createdAt` / `size`. Inference is from the storage key suffix the writeBundle path produced — `<bid>/bundle.tar` → tar, `<bid>/bundle.tar.gz` → tar.gz, anything else → directory. Cheap: no byte read, no per-key stat call. Operators rendering a bundle picker UI now sort + filter by format from a single list call. · *`storage.bundleInfo(bundleId)` — per-bundle introspection* — Returns `{ bundleId, format, envelopeKind, sizeBytes }`. `format` from the storage layout (no byte read). `envelopeKind` from `b.archive.sniffEnvelope` over the bundle payload — `"recipient"` (BAWRP / v0.12.10 hybrid PQC), `"passphrase"` (BAWPP / v0.12.11 Argon2id), `"none"` (plaintext or directory format). `sizeBytes` is the payload byte count for tar / tar.gz; null for directory format (operator's per-file walk applies if exact size matters). Nonexistent bundles refused with `backup/bundle-not-found`.
+
 - v0.12.16 (2026-05-23) — **`b.safeArchive.inspect` auto-unwraps wrap envelopes (parallel to the v0.12.15 extract path).** Mirrors the v0.12.15 auto-unwrap support into `b.safeArchive.inspect`. Operators enumerating entries of a sealed archive get a single inspect() call regardless of envelope shape — pass `opts.recipient` or `opts.passphrase` alongside `source` and the orchestrator unwraps inline before walking the inner format. Missing-key opt surfaces a structured `safe-archive/no-recipient-for-wrap` / `safe-archive/no-passphrase-for-wrap` refusal upfront. Carries the v0.12.15 P1 + P2 fixes (close original source before replacing + forward opts.signal to inner buffer adapter) into the inspect path so the same descriptor-leak + abort-propagation contracts hold. **Added:** *`b.safeArchive.inspect` auto-unwraps `BAWRP` + `BAWPP` envelopes* — The orchestrator's `format: "auto"` sniffer recognises the wrap magics and routes through `b.archive.unwrap` / `b.archive.unwrapWithPassphrase` inline. After unwrap, the inner bytes are wrapped in a buffer adapter + re-sniffed; the resulting summary carries the INNER `format` (`"tar"` / `"zip"` / etc.) — operators querying `summary.format` see the carrier format, not `"wrap-recipient"`. Entry enumeration walks the inner archive after a single key-derivation pass; no temporary file lands on disk.
 
 - v0.12.15 (2026-05-23) — **`b.safeArchive.extract` auto-unwraps v0.12.10 recipient and v0.12.11 passphrase envelopes inline.** The safeArchive orchestrator's `format: "auto"` sniffer recognises `BAWRP` (v0.12.10 recipient) and `BAWPP` (v0.12.11 passphrase) envelope magics and routes through `b.archive.unwrap` / `b.archive.unwrapWithPassphrase` inline before re-sniffing the inner format. Operators pass `opts.recipient` (or `opts.passphrase`) alongside `source` + `destination` and get a single extract() call regardless of envelope shape. Missing the matching key opt surfaces a structured `safe-archive/no-recipient-for-wrap` / `safe-archive/no-passphrase-for-wrap` refusal upfront rather than a downstream crypto error. **Added:** *`b.safeArchive.extract` auto-unwraps wrap envelopes* — The sniffer at byte 0-4 recognises `BAWRP` (returns `format: "wrap-recipient"`) and `BAWPP` (returns `format: "wrap-passphrase"`). The extract path collects the sealed adapter into a Buffer, routes through `b.archive.unwrap` (recipient) or `b.archive.unwrapWithPassphrase` (passphrase), wraps the inner bytes in a buffer adapter, re-sniffs the inner format, and dispatches to the appropriate `b.archive.read.*` reader. A wrap-around-tar.gz envelope round-trips through wrap → unwrap → gunzip → untar with no operator intervention beyond passing the key opt. **Security:** *Missing-key opt refused upfront with structured error* — When the sniffer identifies a wrap envelope but the operator hasn't supplied `opts.recipient` (BAWRP) or `opts.passphrase` (BAWPP), extract refuses with `safe-archive/no-recipient-for-wrap` / `safe-archive/no-passphrase-for-wrap` BEFORE any decryption attempt. Operators wiring extract behind an HTTP boundary get a typed refusal instead of a leaked crypto-level error.

package/lib/backup/index.js

@@ -1365,8 +1365,23 @@ function bundleAdapterStorage(opts) {
         nodeFs.writeFileSync(destPath, bytes, { flag: "wx", mode: 0o600 });
       }
     },
-    async listBundles() {
+    async listBundles(listOpts) {
       // Get every key, partition by bundleId prefix, return sorted.
+      listOpts = listOpts || {};
+      var withStats = listOpts.withStats === true;
+      // v0.12.17 — each bundle now carries the inferred format
+      // (tar / tar.gz / directory) so operators picking which
+      // bundle to restore can filter by format without touching
+      // bytes. Format is inferred from the key suffix the
+      // writeBundle path produced (rule §2 — the format is part
+      // of the storage layout, not behind a probe).
+      //
+      // Codex P2 on v0.12.17 PR #168 — track WHICH suffixes a
+      // bundle carries (set of booleans) then apply explicit
+      // precedence at the end: tar.gz > tar > directory. Matches
+      // readBundle's preference (which checks hasTarGz first)
+      // so listBundles' reported format aligns with restore
+      // behavior regardless of adapter.listKeys() order.
       var allKeys = await adapter.listKeys("");
       var byBundle = new Map();
       for (var i = 0; i < allKeys.length; i += 1) {
@@ -1377,28 +1392,143 @@ function bundleAdapterStorage(opts) {
         if (!_isValidBundleId(bid)) continue;
         var stats = byBundle.get(bid);
         if (!stats) {
-          stats = { count: 0, size: 0 };
+          stats = { count: 0, hasTar: false, hasTarGz: false, hasOther: false };
           byBundle.set(bid, stats);
         }
         stats.count += 1;
-        // Note: size is approximate — we'd need a stat-per-key here,
-        // and many adapter implementations don't expose a fast stat
-        // primitive. listBundles is best-effort; operators wanting
-        // exact size do their own walk.
+        var rest = key.slice(slash + 1);
+        if (rest === "bundle.tar")         stats.hasTar = true;
+        else if (rest === "bundle.tar.gz") stats.hasTarGz = true;
+        else                                stats.hasOther = true;
       }
       var out = [];
       var entries = Array.from(byBundle.entries());
       for (var j = 0; j < entries.length; j += 1) {
         var bidJ = entries[j][0];
-        out.push({
+        var statsJ = entries[j][1];
+        var fmtJ;
+        if (statsJ.hasTarGz)    fmtJ = "tar.gz";        // matches readBundle precedence
+        else if (statsJ.hasTar) fmtJ = "tar";
+        else                    fmtJ = "directory";
+        var entry = {
           bundleId:  bidJ,
-          createdAt: null,    // adapter may not expose mtime
-          size:      null,    // best-effort
-        });
+          format:    fmtJ,
+          createdAt: null,                    // adapter may not expose mtime
+          size:      null,                    // best-effort; operators with stat-fast adapters call bundleInfo
+        };
+        // v0.12.18 — when opts.withStats is true AND the adapter
+        // exposes statKey, fan-out a stat call per bundle's
+        // payload key. O(N) round-trips so this is opt-in;
+        // listBundles() with no opts stays cheap (single listKeys
+        // call). Operators wanting per-bundle stats but not the
+        // full bundleInfo envelope probe pick this middle ground.
+        if (withStats && typeof adapter.statKey === "function") {
+          var statKey;
+          if (statsJ.hasTarGz)    statKey = bidJ + TAR_GZ_KEY_SUFFIX;
+          else if (statsJ.hasTar) statKey = bidJ + TAR_KEY_SUFFIX;
+          else                    statKey = bidJ + "/manifest.json";
+          var sk = await adapter.statKey(statKey);
+          if (sk && typeof sk.size === "number") entry.size = sk.size;
+          if (sk && typeof sk.mtimeMs === "number") entry.createdAt = new Date(sk.mtimeMs).toISOString();
+        }
+        out.push(entry);
       }
       out.sort(function (a, b) { return a.bundleId < b.bundleId ? 1 : -1; });
       return out;
     },
+    // bundleInfo(bundleId) — v0.12.17 per-bundle introspection.
+    // Returns `{ bundleId, format, envelopeKind, sizeBytes }`.
+    // `format` is one of `"tar"` / `"tar.gz"` / `"directory"`
+    // inferred from the storage layout (no byte read).
+    // `envelopeKind` is the result of a 5-byte magic probe on the
+    // bundle payload — `"recipient"` (BAWRP) / `"passphrase"`
+    // (BAWPP) / `"none"` (plaintext). `sizeBytes` is the payload
+    // byte count for tar / tar.gz; null for directory format
+    // (operator's per-file walk if exact size matters).
+    //
+    // Instance method — wiki page documents this under the
+    // bundleAdapterStorage primitive rather than as a top-level
+    // b.X primitive.
+    async bundleInfo(bundleId) {
+      _ensureBundleId(bundleId);
+      var tarKey = bundleId + TAR_KEY_SUFFIX;
+      var tarGzKey = bundleId + TAR_GZ_KEY_SUFFIX;
+      var manifestKey = bundleId + "/manifest.json";
+      var fmt = null;
+      var payloadKey = null;
+      if (await adapter.hasKey(tarGzKey)) {
+        fmt = "tar.gz"; payloadKey = tarGzKey;
+      } else if (await adapter.hasKey(tarKey)) {
+        fmt = "tar"; payloadKey = tarKey;
+      } else if (await adapter.hasKey(manifestKey)) {
+        fmt = "directory";
+      } else {
+        throw new BackupError("backup/bundle-not-found",
+          "bundleInfo: '" + bundleId + "' not in storage");
+      }
+      var envelopeKind = "none";
+      var sizeBytes = null;
+      var createdAt = null;
+      // Codex P2 on v0.12.18 PR #169 — directory-format bundles
+      // leave payloadKey null but DO have a manifest.json that
+      // statKey can read. For createdAt parity with
+      // listBundles({ withStats }), stat the manifest in the
+      // directory case so the bundleInfo return shape is
+      // populated identically across formats.
+      if (payloadKey === null && fmt === "directory" &&
+          typeof adapter.statKey === "function") {
+        // Stat the manifest.json so directory-format bundles
+        // populate createdAt + sizeBytes identically to how
+        // listBundles({ withStats }) reports them. NOTE: sizeBytes
+        // is the manifest's size here, not the total file-tree
+        // payload (operators wanting the true total walk
+        // per-file keys themselves) — same convention as
+        // listBundles({ withStats }) for parity.
+        var dirSt = await adapter.statKey(manifestKey);
+        if (dirSt && typeof dirSt.size === "number") sizeBytes = dirSt.size;
+        if (dirSt && typeof dirSt.mtimeMs === "number") {
+          createdAt = new Date(dirSt.mtimeMs).toISOString();
+        }
+      }
+      if (payloadKey !== null) {
+        // Codex P1 on v0.12.17 PR #168 — claim was a 5-byte magic
+        // probe; the implementation was reading the entire bundle
+        // into memory. For multi-GB bundles, an administrative
+        // metadata call would allocate the whole payload and put
+        // memory pressure on the host. Prefer the adapter's
+        // optional `readPartial(key, length)` capability for the
+        // probe. fsAdapter + objectStoreAdapter both expose it as
+        // of v0.12.17; legacy adapters without it fall back to a
+        // capped 16-byte readFile via the fallback path (still
+        // bounded; better than full payload).
+        if (typeof adapter.readPartial === "function") {
+          var probe = await adapter.readPartial(payloadKey, 16);                      // allow:raw-byte-literal — 16-byte probe head, magic comparison
+          envelopeKind = archiveLazy().sniffEnvelope(probe);
+        } else {
+          // Legacy adapter — readPartial missing. Operators using
+          // a custom adapter without the capability get
+          // envelopeKind: "unknown" rather than an OOM risk. They
+          // can probe themselves by reading the first N bytes via
+          // their own client.
+          envelopeKind = "unknown";
+        }
+        // sizeBytes is reported via a stat-like path when the
+        // adapter exposes one; otherwise stays null. fsAdapter +
+        // objectStoreAdapter expose `statKey`.
+        if (typeof adapter.statKey === "function") {
+          var st = await adapter.statKey(payloadKey);
+          if (st && typeof st.size === "number") sizeBytes = st.size;
+          if (st && typeof st.mtimeMs === "number") createdAt = new Date(st.mtimeMs).toISOString();
+        }
+      }
+      return {
+        bundleId:     bundleId,
+        format:       fmt,
+        envelopeKind: envelopeKind,
+        sizeBytes:    sizeBytes,
+        createdAt:    createdAt,
+      };
+    },
     async deleteBundle(bundleId) {
       _ensureBundleId(bundleId);
       var keys = await adapter.listKeys(bundleId + "/");
@@ -1494,6 +1624,42 @@ bundleAdapterStorage.fsAdapter = function (fsOpts) {
       try { return nodeFs.existsSync(_keyPath(key)); }
       catch (_e) { return false; }
     },
+    // v0.12.17 — optional capabilities consumed by bundleInfo.
+    // readPartial: open + read up to `length` bytes from the start
+    // of the file without materializing the whole payload.
+    // Bundle-info's envelope probe needs at most 16 bytes — the
+    // partial read keeps multi-GB bundle metadata cheap.
+    async readPartial(key, length) {
+      // CodeQL js/file-system-race + js/insecure-temporary-file —
+      // drop the existsSync probe (TOCTOU) and the default mode on
+      // open. Use openSync with explicit owner-only mode + handle
+      // ENOENT atomically; the system call is itself the existence
+      // check.
+      var p = _keyPath(key);
+      var fd;
+      try {
+        fd = nodeFs.openSync(p, "r", 0o600);
+      } catch (e) {
+        if (e && e.code === "ENOENT") {
+          throw new BackupError("backup/no-key",
+            "fsAdapter.readPartial: key not found: " + JSON.stringify(key));
+        }
+        throw e;
+      }
+      try {
+        var buf = Buffer.alloc(length);
+        var bytesRead = nodeFs.readSync(fd, buf, 0, length, 0);
+        return buf.slice(0, bytesRead);
+      } finally {
+        try { nodeFs.closeSync(fd); } catch (_e) { /* drop-silent */ }
+      }
+    },
+    async statKey(key) {
+      var p = _keyPath(key);
+      if (!nodeFs.existsSync(p)) return null;
+      var st = nodeFs.statSync(p);
+      return { size: st.size, mtimeMs: st.mtimeMs };
+    },
   };
 };
 
@@ -1682,6 +1848,36 @@ bundleAdapterStorage.objectStoreAdapter = function (client, osOpts) {
         throw e;
       }
     },
+    // v0.12.17 — readPartial uses the b.objectStore client's range
+    // capability (every shipped backend honours `{ range: [start,
+    // end] }` per the client contract). bundleInfo's envelope probe
+    // reads 16 bytes regardless of bundle size.
+    async readPartial(key, length) {
+      var scoped = _scopedKey(key);
+      try {
+        var body = await client.get(scoped, { range: [0, Math.max(0, length - 1)] });
+        var buf = Buffer.isBuffer(body) ? body : Buffer.from(body);
+        return buf.slice(0, length);
+      } catch (e) {
+        if (e && (e.code === "NOT_FOUND" || /NOT_FOUND|not found/i.test(e.message || ""))) {
+          throw new BackupError("backup/no-key",
+            "objectStoreAdapter.readPartial: key not found: " + JSON.stringify(key));
+        }
+        throw e;
+      }
+    },
+    async statKey(key) {
+      try {
+        var meta = await client.head(_scopedKey(key));
+        if (!meta || typeof meta.size !== "number") return null;
+        return { size: meta.size, mtimeMs: meta.lastModified || null };
+      } catch (e) {
+        if (e && (e.code === "NOT_FOUND" || /NOT_FOUND|not found/i.test(e.message || ""))) {
+          return null;
+        }
+        throw e;
+      }
+    },
   };
 };
 

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@blamejs/core",
-  "version": "0.12.16",
+  "version": "0.12.18",
   "description": "The Node framework that owns its stack.",
   "license": "Apache-2.0",
   "author": "blamejs contributors",

package/sbom.cdx.json

@@ -2,10 +2,10 @@
   "$schema": "http://cyclonedx.org/schema/bom-1.5.schema.json",
   "bomFormat": "CycloneDX",
   "specVersion": "1.5",
-  "serialNumber": "urn:uuid:bd84dcb6-2b84-41e8-bf62-21fe1685fe31",
+  "serialNumber": "urn:uuid:355b5273-a761-4332-ae06-53ebc6f35a42",
   "version": 1,
   "metadata": {
-    "timestamp": "2026-05-24T03:36:28.547Z",
+    "timestamp": "2026-05-24T05:15:21.238Z",
     "lifecycles": [
       {
         "phase": "build"
@@ -19,14 +19,14 @@
       }
     ],
     "component": {
-      "bom-ref": "@blamejs/core@0.12.16",
+      "bom-ref": "@blamejs/core@0.12.18",
       "type": "application",
       "name": "blamejs",
-      "version": "0.12.16",
+      "version": "0.12.18",
       "scope": "required",
       "author": "blamejs contributors",
       "description": "The Node framework that owns its stack.",
-      "purl": "pkg:npm/%40blamejs/core@0.12.16",
+      "purl": "pkg:npm/%40blamejs/core@0.12.18",
       "properties": [],
       "externalReferences": [
         {
@@ -54,7 +54,7 @@
   "components": [],
   "dependencies": [
     {
-      "ref": "@blamejs/core@0.12.16",
+      "ref": "@blamejs/core@0.12.18",
       "dependsOn": []
     }
   ]