@blamejs/core 0.14.19 → 0.14.21

package/lib/middleware/scim-server.js

@@ -57,7 +57,7 @@ var BEARER_RE = /^Bearer\s+(.+)$/i;
  *     users:        ScimResourceImpl,
  *     groups?:      ScimResourceImpl,
  *     bearer?:      (token) => Promise<actor>,
- *     maxPageSize?: number,
+ *     maxPageSize?: number,   // default: 200 (config-time positive int)
  *     bulk?: {
  *       maxOperations?:  number,   // default: 1000 (config-time positive int)
  *       maxPayloadSize?: number,   // default: 1 MiB  (config-time positive int, bytes)
@@ -80,6 +80,12 @@ function create(opts) {
   if (opts.groups) _validateResourceImpl(opts.groups, "groups");
 
   var basePath    = opts.basePath || "/scim/v2";
+  // Config-time / entry-point tier: a bad page-size cap THROWS so the
+  // operator catches the typo at boot rather than at request time, where
+  // a non-number would propagate NaN into impl.list({ count }) and
+  // ServiceProviderConfig.filter.maxResults.
+  validateOpts.optionalPositiveInt(opts.maxPageSize, "middleware.scimServer: opts.maxPageSize",
+    ScimServerError, "middleware/scim-server/bad-max-page-size");
   var maxPageSize = opts.maxPageSize || 200;                                                                  // page-size count, not bytes
   var bearer      = opts.bearer || null;
   var bulkCfg     = _resolveBulkConfig(opts.bulk);
@@ -297,11 +303,15 @@ async function _dispatch(req, res, basePath, bearer, opts, maxPageSize, bulkCfg)
 }
 
 // RFC 7644 §3.7 — /Bulk POST. Parses a BulkRequest, enforces the
-// config-time maxOperations / maxPayloadSize caps, optionally
-// short-circuits at failOnErrors, resolves bulkId cross-references
-// (§3.7.2), dispatches each operation through the same per-resource
-// create/update/delete logic the singleton endpoints use, and returns
-// a BulkResponse carrying one result object per operation.
+// config-time maxOperations / maxPayloadSize caps, plans a
+// dependency-ordered execution so bulkId cross-references (§3.7.2) —
+// including forward references — resolve to real ids before dispatch,
+// fails operations with undeclared / circular / failed-dependency
+// references per-op, optionally short-circuits at failOnErrors,
+// dispatches each surviving operation through the same per-resource
+// create/update/delete logic the singleton endpoints use, and returns a
+// BulkResponse carrying one result object per operation in the ORIGINAL
+// request order.
 async function _handleBulk(req, res, opts, bulkCfg, ctx) {
   var body;
   try {
@@ -336,26 +346,265 @@ async function _handleBulk(req, res, opts, bulkCfg, ctx) {
 
   var failOnErrors = _parseFailOnErrors(body.failOnErrors);
   var bulkIdMap    = Object.create(null);   // client bulkId -> assigned resource id
-  var results      = [];
-  var errorCount   = 0;
+  var ops          = body.Operations;
+
+  // RFC 7644 §3.7.2 — a bulkId reference may point at a resource a LATER
+  // operation creates (a forward reference), so processing strictly in
+  // request order leaves the token unresolved. Pre-scan to (a) collect
+  // every declared bulkId and (b) build each operation's dependency set
+  // by walking its data for "bulkId:<id>" cross-references, then execute
+  // in dependency order. The response array is still emitted in the
+  // ORIGINAL request order (results indexed by request position).
+  var plan = _planBulkOperations(ops);
+
+  var results    = new Array(ops.length);   // request-order result entries
+  var executed   = new Array(ops.length);   // index -> { isError } once run
+  var errorCount = 0;
+  var stopped    = false;
+
+  for (var s = 0; s < plan.order.length && !stopped; s++) {
+    var idx = plan.order[s];
+    var planned = plan.ops[idx];
+    var outcome;
+
+    if (planned.staticError) {
+      // Undeclared reference or a reference that lands in a dependency
+      // cycle — fail the op without ever dispatching to the adapter.
+      outcome = _bulkErr(ops[idx], planned.staticError.status,
+        planned.staticError.scimType, planned.staticError.detail);
+    } else if (_anyDependencyFailed(planned.refs, plan, executed, bulkIdMap)) {
+      // RFC 7644 §3.7.2 — a reference to an operation that FAILED cannot
+      // resolve to a real id; fail the dependent op with invalidValue
+      // rather than letting a literal "bulkId:<id>" token reach the
+      // adapter as if it were a real resource identifier.
+      outcome = _bulkErr(ops[idx], "400", "invalidValue",
+        "Operations[" + idx + "] references a bulkId whose creating operation failed");
+    } else {
+      outcome = await _runBulkOperation(ops[idx], idx, opts, ctx, bulkIdMap);
+    }
 
-  for (var i = 0; i < body.Operations.length; i++) {
-    var result = await _runBulkOperation(body.Operations[i], i, opts, ctx, bulkIdMap);
-    results.push(result.entry);
-    if (result.isError) {
+    results[idx]  = outcome.entry;
+    executed[idx] = { isError: outcome.isError };
+    if (outcome.isError) {
       errorCount++;
       // RFC 7644 §3.7 — once the error count reaches failOnErrors the
-      // service stops processing and returns the results so far.
-      if (failOnErrors !== null && errorCount >= failOnErrors) break;
+      // service stops processing and returns the results so far. Results
+      // already produced keep their request-order slots; unreached
+      // operations are omitted from the response.
+      if (failOnErrors !== null && errorCount >= failOnErrors) stopped = true;
     }
   }
 
+  // Compact to the operations actually reached, preserving request order.
+  var emitted = [];
+  for (var e = 0; e < results.length; e++) {
+    if (results[e] !== undefined) emitted.push(results[e]);
+  }
+
   _writeJson(res, H.OK, {
     schemas:    [SCIM_MESSAGE_BULK_RESPONSE],
-    Operations: results,
+    Operations: emitted,
   });
 }
 
+// RFC 7644 §3.7.2 — build the dependency-ordered execution plan for a
+// bulk job. Returns { ops, order } where ops[i] = { refs, staticError? }
+// (refs = the set of declared bulkIds operation i depends on) and order
+// is the request indices in a dependency-respecting (topological)
+// sequence. Operations referencing an UNDECLARED bulkId, or caught in a
+// dependency CYCLE, carry a staticError so the executor fails them
+// without dispatching to the adapter. A POST that declares a bulkId is
+// the only operation kind that can satisfy a reference.
+function _planBulkOperations(ops) {
+  var declared    = Object.create(null);   // bulkId -> declaring index
+  var planned     = new Array(ops.length);
+
+  for (var i = 0; i < ops.length; i++) {
+    var op = ops[i];
+    var bulkId = op && typeof op.bulkId === "string" ? op.bulkId : null;
+    var method = op && typeof op.method === "string" ? op.method.toUpperCase() : null;
+    // Only a POST (resource creation) assigns a server id to a bulkId.
+    if (bulkId && method === "POST" && declared[bulkId] === undefined) {
+      declared[bulkId] = i;
+    }
+    planned[i] = { refs: [], staticError: null, ownBulkId: method === "POST" ? bulkId : null };
+  }
+
+  for (var j = 0; j < ops.length; j++) {
+    // RFC 7644 §3.7.2 — a reference can appear in the operation DATA
+    // ("value": "bulkId:u1") or as the resource id in the operation
+    // PATH ("PATCH /Groups/bulkId:g1" targeting a group another
+    // operation in this request creates). Both surfaces feed the same
+    // dependency set so path-referencing operations order and fail
+    // exactly like data-referencing ones.
+    var refs = _collectBulkIdRefs(ops[j] && ops[j].data).concat(_pathBulkIdRefs(ops[j]));
+    var depSet = [];
+    for (var r = 0; r < refs.length; r++) {
+      var refId = refs[r];
+      var decl  = declared[refId];
+      if (decl === undefined) {
+        // RFC 7644 §3.7.2 — a reference to a bulkId no operation declares
+        // can never resolve; fail this op with invalidValue.
+        planned[j].staticError = {
+          status:   "400",
+          scimType: "invalidValue",
+          detail:   "Operations[" + j + "] references undeclared bulkId '" + refId + "'",
+        };
+        depSet = [];
+        break;
+      }
+      if (decl !== j && depSet.indexOf(decl) === -1) depSet.push(decl);
+    }
+    planned[j].refs = depSet;
+  }
+
+  var order = _topoOrderBulk(planned);
+  return { ops: planned, order: order };
+}
+
+// Walk operation data for "bulkId:<id>" cross-references, returning the
+// list of referenced bulkIds (the "<id>" portion). Bounded: the whole
+// payload was capped at maxPayloadSize before parse.
+function _collectBulkIdRefs(value) {
+  var out = [];
+  _walkBulkIdRefs(value, out);
+  return out;
+}
+
+// RFC 7644 §3.7.2 — bulkId references in an operation's PATH segments
+// (e.g. "PATCH /Groups/bulkId:g1"). Returns the referenced bulkIds.
+function _pathBulkIdRefs(op) {
+  if (!op || typeof op.path !== "string") return [];
+  var out = [];
+  var segs = op.path.split("/");
+  for (var i = 0; i < segs.length; i++) {
+    var ref = BULK_ID_REF_RE.exec(segs[i]);
+    if (ref) out.push(ref[1]);
+  }
+  return out;
+}
+
+// Substitute "bulkId:<id>" PATH segments with the server-assigned id,
+// exactly like data references resolve (RFC 7644 §3.7.2). Throws on an
+// unresolved token — surfaced as a per-op invalidValue by the caller —
+// so a literal token never reaches the path parser or the adapter.
+function _resolvePathBulkIdRefs(path, bulkIdMap) {
+  var segs = path.split("/");
+  for (var i = 0; i < segs.length; i++) {
+    var ref = BULK_ID_REF_RE.exec(segs[i]);
+    if (!ref) continue;
+    var resolved = bulkIdMap[ref[1]];
+    if (resolved === undefined) {
+      throw new ScimServerError("middleware/scim-server/unresolved-bulkid",
+        "references unresolved bulkId '" + ref[1] + "' in path");
+    }
+    segs[i] = resolved;
+  }
+  return segs.join("/");
+}
+
+function _walkBulkIdRefs(value, out) {
+  if (typeof value === "string") {
+    var ref = BULK_ID_REF_RE.exec(value);
+    if (ref) out.push(ref[1]);
+    return;
+  }
+  if (Array.isArray(value)) {
+    for (var i = 0; i < value.length; i++) _walkBulkIdRefs(value[i], out);
+    return;
+  }
+  if (value && typeof value === "object") {
+    var keys = Object.keys(value);
+    for (var k = 0; k < keys.length; k++) {
+      if (keys[k] === "__proto__" || keys[k] === "constructor" || keys[k] === "prototype") continue;
+      _walkBulkIdRefs(value[keys[k]], out);
+    }
+  }
+}
+
+// Dependency-respecting order over the planned operations. Operations
+// already carrying a staticError (undeclared reference) are treated as
+// dependency-free roots so they surface their own error in request
+// order. Any operation that cannot be ordered because it participates in
+// a CYCLE is marked with a 409 staticError per RFC 7644 §3.7.1 — "The
+// service provider MUST try to resolve circular cross-references ... but
+// MAY ... return HTTP status code 409 (Conflict)". The returned order
+// always covers every index exactly once.
+function _topoOrderBulk(planned) {
+  var n          = planned.length;
+  var visited    = new Array(n);   // 0 = unseen, 1 = on-stack, 2 = done
+  for (var v = 0; v < n; v++) visited[v] = 0;
+  var order      = [];
+  var inCycle    = Object.create(null);
+
+  // Iterative depth-first post-order so a dependency is emitted before
+  // the operation that needs it. A back-edge (a node still on-stack)
+  // marks a cycle; every node on the active stack at that point is part
+  // of an unresolvable circular reference.
+  for (var start = 0; start < n; start++) {
+    if (visited[start] !== 0) continue;
+    var stack = [{ node: start, edge: 0 }];
+    while (stack.length > 0) {
+      var top  = stack[stack.length - 1];
+      var node = top.node;
+      if (top.edge === 0) visited[node] = 1;
+      var deps = (planned[node].staticError) ? [] : planned[node].refs;
+      if (top.edge < deps.length) {
+        var dep = deps[top.edge];
+        top.edge++;
+        if (visited[dep] === 0) {
+          stack.push({ node: dep, edge: 0 });
+        } else if (visited[dep] === 1) {
+          // Back-edge to a node still on the active stack — every node
+          // from that node up to the current top forms the cycle.
+          var depPos = -1;
+          for (var p = 0; p < stack.length; p++) {
+            if (stack[p].node === dep) { depPos = p; break; }
+          }
+          for (var q = depPos; q >= 0 && q < stack.length; q++) {
+            inCycle[stack[q].node] = true;
+          }
+        }
+      } else {
+        visited[node] = 2;
+        order.push(node);
+        stack.pop();
+      }
+    }
+  }
+
+  for (var c = 0; c < n; c++) {
+    if (inCycle[c] && !planned[c].staticError) {
+      planned[c].staticError = {
+        status:   "409",
+        scimType: "invalidValue",
+        detail:   "Operations[" + c + "] is part of an unresolvable circular bulkId reference",
+      };
+    }
+  }
+  return order;
+}
+
+// True when any of the bulkIds this operation references belongs to a
+// creating operation that ran and FAILED (so no id was recorded in
+// bulkIdMap). A still-pending dependency cannot occur here because the
+// topological order guarantees dependencies execute first.
+function _anyDependencyFailed(refs, plan, executed, bulkIdMap) {
+  for (var i = 0; i < refs.length; i++) {
+    var declIdx = refs[i];
+    var rec = executed[declIdx];
+    if (rec && rec.isError) return true;
+    // A successfully-created dependency records its id in bulkIdMap; if
+    // it ran without error but produced no id, it cannot satisfy a
+    // reference either.
+    var declOp = plan.ops[declIdx];
+    if (rec && !rec.isError && declOp.ownBulkId && bulkIdMap[declOp.ownBulkId] === undefined) {
+      return true;
+    }
+  }
+  return false;
+}
+
 // RFC 7644 §3.7 — failOnErrors is an OPTIONAL integer >= 1. Absent /
 // non-conforming values mean "process every operation" (null).
 function _parseFailOnErrors(value) {
@@ -380,7 +629,19 @@ async function _runBulkOperation(op, index, opts, ctx, bulkIdMap) {
       "Operations[" + index + "].method '" + op.method + "' not in POST/PUT/PATCH/DELETE");
   }
 
-  var parsed = _parseBulkPath(op.path);
+  // Resolve path bulkId references BEFORE parsing — the dependency-
+  // ordered executor guarantees a referenced creation already ran, so
+  // an unresolved token here is an unsatisfiable reference, failed
+  // per-op (RFC 7644 §3.7.2) rather than handed to the adapter.
+  var path = op.path;
+  if (typeof path === "string" && path.indexOf("bulkId:") !== -1) {
+    try { path = _resolvePathBulkIdRefs(path, bulkIdMap); }
+    catch (refErr) {
+      return _bulkErr(op, "400", "invalidValue",
+        "Operations[" + index + "] " + (refErr && refErr.message ? refErr.message : "has an unresolved bulkId reference in path"));
+    }
+  }
+  var parsed = _parseBulkPath(path);
   if (!parsed) {
     return _bulkErr(op, "400", "invalidValue",
       "Operations[" + index + "].path '" + String(op.path) + "' is not a valid bulk path");
@@ -402,8 +663,17 @@ async function _runBulkOperation(op, index, opts, ctx, bulkIdMap) {
   var data = op.data;
   if (method === "POST" || method === "PUT" || method === "PATCH") {
     // RFC 7644 §3.7.2 — substitute any bulkId cross-references that
-    // earlier operations have resolved before handing data to the adapter.
-    data = _resolveBulkIdRefs(op.data, bulkIdMap);
+    // earlier operations resolved before handing data to the adapter.
+    // The dependency-ordered executor guarantees every referenced
+    // operation ran first; an unresolved token here would mean an
+    // unsatisfiable reference, which is failed per-op rather than passed
+    // through to the adapter as a literal "bulkId:<id>" string.
+    try {
+      data = _resolveBulkIdRefs(op.data, bulkIdMap);
+    } catch (refErr) {
+      return _bulkErr(op, "400", "invalidValue",
+        "Operations[" + index + "] " + (refErr && refErr.message ? refErr.message : "has an unresolved bulkId reference"));
+    }
   }
 
   try {
@@ -462,7 +732,15 @@ function _resolveBulkIdRefs(value, bulkIdMap) {
     var ref = BULK_ID_REF_RE.exec(value);
     if (ref) {
       var resolved = bulkIdMap[ref[1]];
-      return resolved !== undefined ? resolved : value;
+      // A literal "bulkId:<id>" token MUST never reach the adapter as a
+      // real id. The dependency-ordered executor resolves every
+      // reference before dispatch; an unresolved token here signals an
+      // unsatisfiable reference, surfaced as a per-op error by the caller.
+      if (resolved === undefined) {
+        throw new ScimServerError("middleware/scim-server/unresolved-bulkid",
+          "references unresolved bulkId '" + ref[1] + "'");
+      }
+      return resolved;
     }
     return value;
   }

package/lib/middleware/security-headers.js

@@ -34,6 +34,18 @@
  *     dnsPrefetchControl:   'off' (default) or 'on' or false
  *     csp:                  '<full CSP string>' or false to disable
  *   }
+ *
+ * Monitor-mode opt-ins (all default-off; unset emits no new header):
+ *
+ *   coopReportOnly / coepReportOnly / documentPolicyReportOnly — set a
+ *     policy string to emit the matching `*-Report-Only` header so the
+ *     operator can roll out the enforcing policy in monitor mode first.
+ *     The browser reports violations (to a Reporting-Endpoints group named
+ *     in the value, e.g. `same-origin; report-to="coop"`) without blocking.
+ *   requireDocumentPolicy — the embedder-required Document-Policy a
+ *     subframe must advertise before this document will embed it.
+ *   serviceWorkerAllowed — broadens the max scope a service worker
+ *     registered from this script may claim (the operator opts in).
  */
 
 var requestHelpers = require("../request-helpers");
@@ -186,6 +198,11 @@ function _validatePermissionsPolicy(value) {
  *     criticalCh:         string|false,
  *     reportingEndpoints: object,
  *     trustProxy:         boolean|number,
+ *     coopReportOnly:           string,  // default: off — monitor-mode COOP
+ *     coepReportOnly:           string,  // default: off — monitor-mode COEP
+ *     documentPolicyReportOnly: string,  // default: off — monitor-mode Document-Policy
+ *     requireDocumentPolicy:    string,  // default: off — embedder-required subframe policy
+ *     serviceWorkerAllowed:     string,  // default: off — broadens SW registration scope
  *   }
  *
  * @example
@@ -202,6 +219,8 @@ function create(opts) {
     "permissionsPolicy", "coop", "coep", "corp",
     "originAgentCluster", "dnsPrefetchControl", "csp", "trustProxy",
     "reportingEndpoints", "documentPolicy", "criticalCh", "acceptCh",
+    "coopReportOnly", "coepReportOnly", "documentPolicyReportOnly",
+    "requireDocumentPolicy", "serviceWorkerAllowed",
   ], "middleware.securityHeaders");
   if (opts.permissionsPolicy && typeof opts.permissionsPolicy === "string") {
     _validatePermissionsPolicy(opts.permissionsPolicy);
@@ -222,6 +241,26 @@ function create(opts) {
   var docPolicy = opts.documentPolicy === undefined ? DEFAULT_DOCUMENT_POLICY : opts.documentPolicy;
   var criticalCh = opts.criticalCh && typeof opts.criticalCh === "string" ? opts.criticalCh : false;
   var acceptCh   = opts.acceptCh   && typeof opts.acceptCh   === "string" ? opts.acceptCh   : false;
+  // Monitor-mode + scope opt-ins — all default-off. Each only emits its
+  // header when the operator passes a non-empty string; unset = silent.
+  //   coopReportOnly / coepReportOnly — WHATWG HTML cross-origin isolation
+  //     report-only variants: the UA evaluates the policy and reports
+  //     violations to the named Reporting-Endpoints group without
+  //     enforcing, so an operator can verify a same-origin / require-corp
+  //     rollout won't break embeds before flipping the enforcing header.
+  //   documentPolicyReportOnly — W3C Document Policy report-only variant
+  //     (same monitor-mode semantics for the Document-Policy feature set).
+  //   requireDocumentPolicy — W3C Document Policy: the policy a subframe
+  //     must itself advertise (via Document-Policy) before this document
+  //     will embed it; the embedder declares its floor.
+  //   serviceWorkerAllowed — W3C Service Workers §Service-Worker-Allowed:
+  //     widens the max scope a worker registered from this script may
+  //     claim beyond the script's own path. Operator opts in explicitly.
+  var coopReportOnly = opts.coopReportOnly && typeof opts.coopReportOnly === "string" ? opts.coopReportOnly : false;
+  var coepReportOnly = opts.coepReportOnly && typeof opts.coepReportOnly === "string" ? opts.coepReportOnly : false;
+  var docPolicyReportOnly = opts.documentPolicyReportOnly && typeof opts.documentPolicyReportOnly === "string" ? opts.documentPolicyReportOnly : false;
+  var requireDocPolicy = opts.requireDocumentPolicy && typeof opts.requireDocumentPolicy === "string" ? opts.requireDocumentPolicy : false;
+  var serviceWorkerAllowed = opts.serviceWorkerAllowed && typeof opts.serviceWorkerAllowed === "string" ? opts.serviceWorkerAllowed : false;
   // Reporting-Endpoints (W3C Reporting API) — when operator passes a
   // map of endpoint-name → URL, we emit `Reporting-Endpoints: name="url",
   // name2="url2", ...` and (when default CSP is in force) append
@@ -273,6 +312,14 @@ function create(opts) {
     if (acceptCh)           res.setHeader("Accept-CH", acceptCh);
     if (criticalCh)         res.setHeader("Critical-CH", criticalCh);
     if (reportingEndpoints) res.setHeader("Reporting-Endpoints", reportingEndpoints);
+    // Monitor-mode + scope opt-ins — emitted only when the operator set
+    // the corresponding opt; the enforcing COOP/COEP/Document-Policy
+    // headers above are unaffected.
+    if (coopReportOnly)       res.setHeader("Cross-Origin-Opener-Policy-Report-Only", coopReportOnly);
+    if (coepReportOnly)       res.setHeader("Cross-Origin-Embedder-Policy-Report-Only", coepReportOnly);
+    if (docPolicyReportOnly)  res.setHeader("Document-Policy-Report-Only", docPolicyReportOnly);
+    if (requireDocPolicy)     res.setHeader("Require-Document-Policy", requireDocPolicy);
+    if (serviceWorkerAllowed) res.setHeader("Service-Worker-Allowed", serviceWorkerAllowed);
     next();
   };
 }

package/lib/middleware/security-txt.js

@@ -82,7 +82,6 @@ function _isoFuture(s) {
  *     hiring:             string,
  *     canonical:          string|string[],
  *     alsoAtRoot:         boolean,
- *     audit:              boolean,
  *   }
  *
  * @example
@@ -99,7 +98,7 @@ function create(opts) {
   validateOpts(opts, [
     "contact", "expires", "encryption", "policy", "ack",
     "preferredLanguages", "hiring", "canonical",
-    "alsoAtRoot", "audit",
+    "alsoAtRoot",
   ], "middleware.securityTxt");
 
   var contact = _arrayOfStrings(opts.contact, "contact");

package/lib/middleware/trace-log-correlation.js

@@ -123,7 +123,6 @@ function _wrapLogger(baseLogger, req, opts) {
  *     logger:         object,    // required b.log instance
  *     reqField:       string,    // default "log" → req.log
  *     includeBaggage: boolean,   // default true
- *     audit:          boolean,
  *   }
  *
  * @example
@@ -138,7 +137,7 @@ function _wrapLogger(baseLogger, req, opts) {
 function create(opts) {
   validateOpts.requireObject(opts, "middleware.traceLogCorrelation", TraceLogError);
   validateOpts(opts, [
-    "logger", "reqField", "includeBaggage", "audit",
+    "logger", "reqField", "includeBaggage",
   ], "middleware.traceLogCorrelation");
 
   if (!opts.logger || typeof opts.logger !== "object") {

package/lib/network-smtp-policy.js

@@ -21,7 +21,7 @@
  *
  *   policy.tlsRpt.recordShape({
  *     organization: "example.com",
- *     reportingMta: "mx1.example.com",
+ *     policies:     [ ... ],
  *     ...
  *   }) → { ... RFC 8460 TLS-RPT JSON shape ... }
  *
@@ -519,8 +519,8 @@ function daneVerifyChain(certChain, tlsaRecords, opts) {
 function tlsRptRecordShape(opts) {
   opts = opts || {};
   validateOpts(opts, [
-    "organization", "reportingMta", "contact",
-    "datestart", "dateend", "policies",
+    "organization", "contact",
+    "datestart", "dateend", "policies", "reportId",
   ], "tlsRpt.recordShape");
 
   if (typeof opts.organization !== "string") {
@@ -637,7 +637,7 @@ async function tlsRptSubmit(report, opts) {
       "tlsRpt.submit: report must be an object");
   }
   opts = opts || {};
-  validateOpts(opts, ["rua", "httpClient", "timeoutMs", "audit"], "tlsRpt.submit");
+  validateOpts(opts, ["rua", "httpClient", "timeoutMs"], "tlsRpt.submit");
   if (!Array.isArray(opts.rua) || opts.rua.length === 0) {
     throw new SmtpPolicyError("smtp/tls-rpt-bad-rua",
       "tlsRpt.submit: opts.rua must be a non-empty array of URIs");

package/lib/object-store/sigv4-bucket-ops.js

@@ -418,7 +418,6 @@ function create(config) {
     "protocol", "region", "accessKeyId", "secretAccessKey", "sessionToken",
     "endpoint", "pathStyle", "forcePathStyle",
     "allowedProtocols", "allowInternal", "timeoutMs",
-    "ca",
     "audit", "observability", "auditSuccess", "auditFailures",
   ], "bucketOps");
   if (config.protocol && config.protocol !== "sigv4") {
@@ -464,7 +463,17 @@ function create(config) {
   }
 
   function _actor(callerOpts) {
-    return requestHelpers.resolveActorWithOverride(callerOpts || {}, null);
+    // `req` resolves IP / user-agent / userId from the live request;
+    // `actor` is an explicit override bag (e.g. { userId: "ops-admin" })
+    // for callers that perform a compliance-sensitive bucket change on
+    // behalf of an operator and want that identity on the audit row.
+    // Passed as the override seed: explicit `actor` fields win over the
+    // request-derived ones, while request-derived fields fill any key the
+    // operator left unset.
+    var seed = (callerOpts && callerOpts.actor && typeof callerOpts.actor === "object")
+      ? callerOpts.actor
+      : null;
+    return requestHelpers.resolveActorWithOverride(callerOpts || {}, seed);
   }
 
   // S3 subresource queries (`?lifecycle`, `?cors`, `?object-lock`,

package/lib/observability-tracer.js

@@ -156,7 +156,7 @@ function create(opts) {
   validateOpts(opts, [
     "service", "resource", "scope",
     "maxAttributes", "maxEvents", "maxAttributeValueLength",
-    "onEnd", "onStart", "audit",
+    "onEnd", "onStart",
   ], "tracer.create");
   validateOpts.requireNonEmptyString(opts.service,
     "tracer.create: service", TracerError, "tracer/bad-service");

package/lib/observability.js

@@ -309,7 +309,12 @@ function timed(name, fn, labels) {
 // pass attribute keys that should match the keys below. The map is
 // frozen — adding a new attribute requires a release.
 //
-// Reference: https://opentelemetry.io/docs/specs/semconv/general/attributes/
+// References:
+//   https://opentelemetry.io/docs/specs/semconv/general/attributes/
+//   https://opentelemetry.io/docs/specs/semconv/resource/  (resource,
+//     telemetry-sdk, deployment-environment)
+//   https://opentelemetry.io/docs/specs/semconv/resource/k8s/
+//   https://opentelemetry.io/docs/specs/semconv/resource/faas/
 var SEMCONV = Object.freeze({
   // HTTP server (stable per OTel semconv)
   HTTP_REQUEST_METHOD:        "http.request.method",
@@ -370,10 +375,33 @@ var SEMCONV = Object.freeze({
   SERVICE_NAME:               "service.name",
   SERVICE_VERSION:             "service.version",
   SERVICE_INSTANCE_ID:        "service.instance.id",
+  // peer.service — logical name of the remote service a span talks to,
+  // distinct from server.address (the host). OTel semconv (general).
+  PEER_SERVICE:               "peer.service",
+  // Deployment environment (aka deployment tier: "production",
+  // "staging"). The bare `deployment.environment` key was deprecated in
+  // favour of `deployment.environment.name`; this carries the current
+  // stable key. OTel semconv resource/deployment-environment.
+  DEPLOYMENT_ENVIRONMENT_NAME: "deployment.environment.name",
   // Telemetry SDK self-identification
   TELEMETRY_SDK_NAME:         "telemetry.sdk.name",
   TELEMETRY_SDK_LANGUAGE:     "telemetry.sdk.language",
   TELEMETRY_SDK_VERSION:      "telemetry.sdk.version",
+  // Telemetry distribution self-identification — the redistribution of
+  // an OTel SDK an operator runs (e.g. a vendor distro). OTel semconv
+  // resource/telemetry-sdk.
+  TELEMETRY_DISTRO_NAME:      "telemetry.distro.name",
+  TELEMETRY_DISTRO_VERSION:   "telemetry.distro.version",
+  // Instrumentation scope self-identification — the scope (library)
+  // that produced a span/metric. OTel semconv otel namespace.
+  OTEL_SCOPE_NAME:            "otel.scope.name",
+  OTEL_SCOPE_VERSION:         "otel.scope.version",
+  // FaaS (serverless) — function-as-a-service execution context. OTel
+  // semconv resource/faas + attributes-registry/faas.
+  FAAS_NAME:                  "faas.name",
+  FAAS_VERSION:               "faas.version",
+  FAAS_INSTANCE:              "faas.instance",
+  FAAS_TRIGGER:               "faas.trigger",
   // GenAI — OpenTelemetry semantic conventions for generative AI
   // workloads (LLM clients, vector DB queries, agent frameworks).
   // Tracking the otel-spec experimental namespace; covers the stable
@@ -410,9 +438,19 @@ var SEMCONV = Object.freeze({
   CONTAINER_ID:                   "container.id",
   CONTAINER_IMAGE_NAME:           "container.image.name",
   CONTAINER_IMAGE_TAG:            "container.image.tag",
+  // Kubernetes — OTel semconv resource/k8s. Namespace / pod /
+  // deployment plus the surrounding workload + node + cluster context.
   K8S_NAMESPACE_NAME:             "k8s.namespace.name",
   K8S_POD_NAME:                   "k8s.pod.name",
   K8S_DEPLOYMENT_NAME:            "k8s.deployment.name",
+  K8S_NODE_NAME:                  "k8s.node.name",
+  K8S_CLUSTER_NAME:               "k8s.cluster.name",
+  K8S_CONTAINER_NAME:             "k8s.container.name",
+  K8S_STATEFULSET_NAME:           "k8s.statefulset.name",
+  K8S_DAEMONSET_NAME:             "k8s.daemonset.name",
+  K8S_JOB_NAME:                   "k8s.job.name",
+  K8S_CRONJOB_NAME:               "k8s.cronjob.name",
+  K8S_REPLICASET_NAME:            "k8s.replicaset.name",
 });
 
 // W3C Trace Context — parse / build the `traceparent` HTTP header