@blamejs/core 0.12.18 → 0.12.20

package/CHANGELOG.md

@@ -8,6 +8,10 @@ upgrading across more than a few patches at a time.
 
 ## v0.12.x
 
+- v0.12.20 (2026-05-24) — **`bundleAdapterStorage.verifyAllBundles(opts)` — bounded-parallel batch integrity walk with stopOnFirstFailure short-circuit.** Batch wrapper over the v0.12.19 verifyBundle primitive. `storage.verifyAllBundles(opts?)` iterates `listBundles()` + walks each bundle with a bounded-parallel pool. Returns `{ total, ok, failed, results }` where `results` carries every per-bundle verifyBundle output (including bundleId, format, envelopeKind, entryCount, errors). `opts.concurrency` defaults to 4 (gentle on the storage backend); `opts.stopOnFirstFailure` short-circuits the walk when an unhealthy bundle is found (default off — operators want the full health report). `opts.recipient` / `opts.passphrase` forwarded to every per-bundle verify call. Operators wiring a periodic cron job over a backup repository now have a single primitive to call instead of hand-rolling the listBundles loop. **Added:** *`storage.verifyAllBundles(opts?)` — batch integrity walk* — Iterates `listBundles()` + calls `verifyBundle(bundleId, opts)` on each. Bounded-parallel fan-out (default 4 workers; `opts.concurrency` raises or lowers); each worker pulls from a shared queue + the warm-up keeps `concurrency` workers in flight until the queue drains. Returns the aggregate `{ total, ok, failed, results }` with `results` sorted by bundleId so the report is stable across runs regardless of completion order. `opts.stopOnFirstFailure` short-circuits the walk when the first unhealthy bundle is found — useful for fast-fail CI gates that don't need to enumerate every failure.
+
+- v0.12.19 (2026-05-24) — **`bundleAdapterStorage.verifyBundle(bundleId)` — bundle integrity check without restore + `b.safeArchive.inspect` tar.gz support.** `storage.verifyBundle(bundleId, opts?)` walks a bundle without restoring it: confirms the payload exists, the envelope (if any) decrypts under the supplied key, and the inner tar / tar.gz walker enumerates every entry without writing to disk. Returns `{ ok, format, envelopeKind, entryCount, errors }` — operators wanting periodic health-check of a backup repository call verifyBundle across `listBundles()` and aggregate `ok === false` results. Composes the bundle's known format directly through the unwrap → gunzip → tar pipeline (skips safeArchive's auto-sniff because the bundle's format is already known from bundleInfo). `b.safeArchive.inspect` separately gains `format: "tar.gz"` dispatch — operators with a known tar.gz payload now get entry enumeration without extracting. **Added:** *`storage.verifyBundle(bundleId, opts?)` — integrity check without restore* — Composes bundleInfo for format/envelope detection + the unwrap → gunzip → tar walker chain directly. opts.recipient / opts.passphrase override the storage's configured keys (useful for verifying a bundle under a different key set than the storage was opened with — e.g. verifying that a key rotation candidate can still read a bundle). Wrong key / corrupted payload returns `ok: false` with a typed error code in the errors array rather than throwing. Directory format reports ok=true based on manifest existence + readability (the inspect walker doesn't apply). · *`b.safeArchive.inspect` accepts `format: "tar.gz"`* — Mirrors the v0.12.9 extract surface: operators handed a `.tar.gz` payload can now enumerate entries without extracting. Composes `b.archive.read.gz` + `.asTar()` internally so the same bomb caps apply (1 GiB output / 100× ratio default) to inspect calls.
+
 - v0.12.18 (2026-05-24) — **`bundleAdapterStorage.listBundles({ withStats })` + `bundleInfo.createdAt` — opt-in mtime + size from `statKey`.** Two additions on `b.backup.bundleAdapterStorage`. `listBundles({ withStats: true })` fans out `statKey` per bundle and populates `createdAt` (ISO string from mtimeMs) + `size` (bytes) on every entry. Without the opt the default fast path stays a single listKeys call — operators rendering a bundle picker UI choose between O(1) listings and O(N) stat-enriched listings explicitly. `bundleInfo(bundleId)` gains the same `createdAt` field for parity. fsAdapter + objectStoreAdapter both expose `statKey`; legacy adapters without the capability leave the fields null. **Added:** *`storage.listBundles({ withStats: true })` — opt-in per-bundle stat fan-out* — When the adapter exposes `statKey`, populates `createdAt` (ISO string from mtimeMs) + `size` (bytes) per entry. Stat fan-out is O(N) round-trips so the opt is OFF by default — operators wanting cheap one-shot listings stay on `listBundles()`. Format precedence (tar.gz > tar > directory) carries through to which payload key gets stat'd. · *`storage.bundleInfo(bundleId)` returns `createdAt`* — The bundle introspection primitive now returns `{ bundleId, format, envelopeKind, sizeBytes, createdAt }`. `createdAt` is the ISO string derived from `statKey.mtimeMs` (when the adapter exposes it) — null otherwise. Matches the listBundles+withStats shape so operators can use bundleInfo for single-bundle drill-downs without re-mapping field names.
 
 - v0.12.17 (2026-05-23) — **`bundleAdapterStorage.bundleInfo` + `listBundles.format` — per-bundle introspection for envelope kind + format without restore.** Two introspection additions on `b.backup.bundleAdapterStorage`. `listBundles()` now returns the inferred `format` (`"tar"` / `"tar.gz"` / `"directory"`) per bundle from the storage key suffix — no byte read. `storage.bundleInfo(bundleId)` returns `{ bundleId, format, envelopeKind, sizeBytes }` where `envelopeKind` is the result of a 5-byte magic probe (`"recipient"` / `"passphrase"` / `"none"`). Operators administering a multi-strategy backup repository can now filter bundles by encryption posture or by format without a full restore cycle. **Added:** *`listBundles()` carries inferred format per bundle* — Each entry now includes `format` alongside `bundleId` / `createdAt` / `size`. Inference is from the storage key suffix the writeBundle path produced — `<bid>/bundle.tar` → tar, `<bid>/bundle.tar.gz` → tar.gz, anything else → directory. Cheap: no byte read, no per-key stat call. Operators rendering a bundle picker UI now sort + filter by format from a single list call. · *`storage.bundleInfo(bundleId)` — per-bundle introspection* — Returns `{ bundleId, format, envelopeKind, sizeBytes }`. `format` from the storage layout (no byte read). `envelopeKind` from `b.archive.sniffEnvelope` over the bundle payload — `"recipient"` (BAWRP / v0.12.10 hybrid PQC), `"passphrase"` (BAWPP / v0.12.11 Argon2id), `"none"` (plaintext or directory format). `sizeBytes` is the payload byte count for tar / tar.gz; null for directory format (operator's per-file walk applies if exact size matters). Nonexistent bundles refused with `backup/bundle-not-found`.

package/lib/backup/index.js

@@ -1436,6 +1436,197 @@ function bundleAdapterStorage(opts) {
       out.sort(function (a, b) { return a.bundleId < b.bundleId ? 1 : -1; });
       return out;
     },
+    // verifyBundle(bundleId, opts?) — v0.12.19 integrity check.
+    // Walks the bundle without restoring: confirms the payload
+    // exists, the envelope (if any) decrypts under the supplied
+    // key, and the inner archive structure is well-formed (every
+    // entry enumerable). Returns `{ ok, format, envelopeKind,
+    // entryCount, errors }`. opts.recipient / opts.passphrase
+    // forwarded when the bundle is wrap-wrapped; omit them for
+    // plaintext bundles. Composes safeArchive.inspect which gates
+    // entries through bomb-policy + entry-type-policy walkers, so
+    // a malformed archive surfaces with a typed error rather than
+    // crashing the verify call.
+    async verifyBundle(bundleId, vOpts) {
+      vOpts = vOpts || {};
+      _ensureBundleId(bundleId);
+      var info;
+      try { info = await this.bundleInfo(bundleId); }
+      catch (e) {
+        return {
+          ok:           false,
+          format:       null,
+          envelopeKind: null,
+          entryCount:   0,
+          errors:       [e.code || e.message || String(e)],
+        };
+      }
+      if (info.format === "directory") {
+        // Directory format isn't archive-shaped — manifest.json
+        // existence + readability via bundleInfo IS the
+        // verification. No inspect walk applies.
+        return {
+          ok:           true,
+          format:       info.format,
+          envelopeKind: info.envelopeKind,
+          entryCount:   null,
+          errors:       [],
+        };
+      }
+      // Compose the reader chain directly so we don't depend on
+      // safeArchive's auto-sniff dispatch (which is conservative
+      // about inferring "tar.gz" from gzip-magic-only inner bytes).
+      // We already know the bundle's format + envelopeKind from
+      // bundleInfo — apply the layers in order: unwrap (if any)
+      // → gunzip (if tar.gz) → tar walker.
+      var keySuffix = info.format === "tar.gz" ? TAR_GZ_KEY_SUFFIX : TAR_KEY_SUFFIX;
+      var payload = await adapter.readFile(bundleId + keySuffix);
+      try {
+        // Layer 1 — unwrap envelope if present.
+        if (info.envelopeKind === "recipient") {
+          var rcp = vOpts.recipient !== undefined ? vOpts.recipient : recipient;
+          if (!rcp) {
+            return {
+              ok: false, format: info.format, envelopeKind: info.envelopeKind,
+              entryCount: 0, errors: ["backup/no-recipient-for-verify"],
+            };
+          }
+          payload = archiveLazy().unwrap(payload, { recipient: rcp });
+        } else if (info.envelopeKind === "passphrase") {
+          var pp = vOpts.passphrase !== undefined ? vOpts.passphrase : passphrase;
+          if (typeof pp !== "string" && !Buffer.isBuffer(pp)) {
+            return {
+              ok: false, format: info.format, envelopeKind: info.envelopeKind,
+              entryCount: 0, errors: ["backup/no-passphrase-for-verify"],
+            };
+          }
+          payload = await archiveLazy().unwrapWithPassphrase(payload, { passphrase: pp });
+        }
+        // Layer 2 — gunzip if tar.gz.
+        var tarReader;
+        if (info.format === "tar.gz") {
+          var gzReader = archiveLazy().read.gz(archiveAdaptersLazy().buffer(payload), {
+            maxDecompressedBytes: maxBundleBytes,
+            maxExpansionRatio:    0,
+          });
+          tarReader = gzReader.asTar();
+        } else {
+          tarReader = archiveLazy().read.tar(archiveAdaptersLazy().buffer(payload));
+        }
+        // Layer 3 — walk the tar entries (inspect doesn't extract).
+        var entries = await tarReader.inspect();
+        return {
+          ok:           true,
+          format:       info.format,
+          envelopeKind: info.envelopeKind,
+          entryCount:   entries.length,
+          errors:       [],
+        };
+      } catch (e) {
+        return {
+          ok:           false,
+          format:       info.format,
+          envelopeKind: info.envelopeKind,
+          entryCount:   0,
+          errors:       [e.code || e.message || String(e)],
+        };
+      }
+    },
+    // verifyAllBundles(opts?) — v0.12.20 batch integrity check.
+    // Iterates listBundles() + calls verifyBundle on each. Returns
+    // `{ total, ok, failed, results }` where `results` is an array
+    // of per-bundle verifyBundle outputs. opts.concurrency caps the
+    // parallelism (default 4 — gentle on the storage backend);
+    // opts.stopOnFirstFailure short-circuits the walk when an
+    // unhealthy bundle is found (default false — operators want
+    // the full report). opts.recipient / opts.passphrase forwarded
+    // to verifyBundle for each bundle.
+    async verifyAllBundles(vOpts) {
+      vOpts = vOpts || {};
+      // Codex P1 on v0.12.20 PR #171 — clamp fractional + zero
+      // floors so a stray `0.5` doesn't spawn zero workers + return
+      // a silent ok=0/failed=0 report on non-empty storage. Default
+      // 4; minimum 1; non-finite / non-positive falls back to
+      // default.
+      var concurrency = 4;                                                            // allow:raw-byte-literal — default fan-out, not byte count
+      if (typeof vOpts.concurrency === "number" && Number.isFinite(vOpts.concurrency) &&
+          vOpts.concurrency > 0) {
+        concurrency = Math.max(1, Math.floor(vOpts.concurrency));
+      }
+      var stopOnFirst = vOpts.stopOnFirstFailure === true;
+      var list = await this.listBundles();
+      var self = this;
+      var results = [];
+      var failed = 0;
+      var ok = 0;
+      var pending = list.slice();
+      var inflight = [];
+      var aborted = false;
+      // Sequential bounded-parallel walk. Bring up `concurrency`
+      // workers; each pulls the next bundleId until the queue is
+      // empty or stopOnFirstFailure trips.
+      function _spawn() {
+        if (aborted) return null;
+        if (pending.length === 0) return null;
+        var entry = pending.shift();
+        // Codex P2 on v0.12.20 PR #171 — wrap each worker so any
+        // verifyBundle rejection becomes a failed-result entry
+        // rather than rejecting the whole batch. Without this, a
+        // mid-walk failure (payload disappeared between listBundles
+        // + readFile, network blip on object-store, etc.) would
+        // throw out of Promise.race and abort verifyAllBundles
+        // without returning the promised aggregate report.
+        var promise = self.verifyBundle(entry.bundleId, {
+          recipient:  vOpts.recipient,
+          passphrase: vOpts.passphrase,
+        }).then(function (r) {
+          results.push(Object.assign({ bundleId: entry.bundleId }, r));
+          if (r.ok) ok += 1;
+          else {
+            failed += 1;
+            if (stopOnFirst) aborted = true;
+          }
+        }, function (err) {
+          // Rejection path — convert to a failed-result entry so
+          // the aggregate stays consistent.
+          results.push({
+            bundleId:     entry.bundleId,
+            ok:           false,
+            format:       null,
+            envelopeKind: null,
+            entryCount:   0,
+            errors:       [err && err.code ? err.code : ((err && err.message) || String(err))],
+          });
+          failed += 1;
+          if (stopOnFirst) aborted = true;
+        });
+        inflight.push(promise);
+        promise.finally(function () {
+          var idx = inflight.indexOf(promise);
+          if (idx !== -1) inflight.splice(idx, 1);
+        });
+        return promise;
+      }
+      // Warm-up: spawn up to concurrency workers.
+      var i;
+      for (i = 0; i < concurrency; i += 1) _spawn();
+      // Drain: as each worker resolves, spawn its replacement.
+      while (inflight.length > 0) {
+        await Promise.race(inflight.slice());
+        if (!aborted && pending.length > 0 && inflight.length < concurrency) {
+          while (inflight.length < concurrency && pending.length > 0) _spawn();
+        }
+      }
+      // Sort results back to listBundles order for operator-
+      // friendly output (concurrency reorders inflight completion).
+      results.sort(function (a, b) { return a.bundleId < b.bundleId ? 1 : -1; });
+      return {
+        total:   list.length,
+        ok:      ok,
+        failed:  failed,
+        results: results,
+      };
+    },
     // bundleInfo(bundleId) — v0.12.17 per-bundle introspection.
     // Returns `{ bundleId, format, envelopeKind, sizeBytes }`.
     // `format` is one of `"tar"` / `"tar.gz"` / `"directory"`

package/lib/safe-archive.js

@@ -373,9 +373,21 @@ async function inspect(opts) {
         bombPolicy: opts.bombPolicy,
         audit:      opts.audit,
       });
+    } else if (format === "tar.gz") {
+      // v0.12.19 — inspect parity with extract for tar.gz format.
+      // gz envelope auto-decompresses + the inner tar walker
+      // enumerates entries without writing to disk.
+      reader = archiveGz().read.gz(source, {
+        maxDecompressedBytes: opts.maxDecompressedBytes,
+        maxExpansionRatio:    opts.maxExpansionRatio,
+        audit:                opts.audit,
+      }).asTar({
+        bombPolicy: opts.bombPolicy,
+        audit:      opts.audit,
+      });
     } else {
       throw new SafeArchiveError("safe-archive/format-unsupported",
-        "inspect: format=" + JSON.stringify(format) + " — v0.12.8 ships ZIP + tar; v0.12.16 auto-unwraps wrap envelopes");
+        "inspect: format=" + JSON.stringify(format) + " — v0.12.19 ships ZIP + tar + tar.gz; auto-unwraps wrap envelopes");
     }
     var entries = await reader.inspect();
     var totalCompressed = 0;

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@blamejs/core",
-  "version": "0.12.18",
+  "version": "0.12.20",
   "description": "The Node framework that owns its stack.",
   "license": "Apache-2.0",
   "author": "blamejs contributors",

package/sbom.cdx.json

@@ -2,10 +2,10 @@
   "$schema": "http://cyclonedx.org/schema/bom-1.5.schema.json",
   "bomFormat": "CycloneDX",
   "specVersion": "1.5",
-  "serialNumber": "urn:uuid:355b5273-a761-4332-ae06-53ebc6f35a42",
+  "serialNumber": "urn:uuid:d7fb9c32-9b4a-4de6-a37c-b0a5326a3078",
   "version": 1,
   "metadata": {
-    "timestamp": "2026-05-24T05:15:21.238Z",
+    "timestamp": "2026-05-24T06:29:55.574Z",
     "lifecycles": [
       {
         "phase": "build"
@@ -19,14 +19,14 @@
       }
     ],
     "component": {
-      "bom-ref": "@blamejs/core@0.12.18",
+      "bom-ref": "@blamejs/core@0.12.20",
       "type": "application",
       "name": "blamejs",
-      "version": "0.12.18",
+      "version": "0.12.20",
       "scope": "required",
       "author": "blamejs contributors",
       "description": "The Node framework that owns its stack.",
-      "purl": "pkg:npm/%40blamejs/core@0.12.18",
+      "purl": "pkg:npm/%40blamejs/core@0.12.20",
       "properties": [],
       "externalReferences": [
         {
@@ -54,7 +54,7 @@
   "components": [],
   "dependencies": [
     {
-      "ref": "@blamejs/core@0.12.18",
+      "ref": "@blamejs/core@0.12.20",
       "dependsOn": []
     }
   ]