@blamejs/core 0.15.11 → 0.15.13
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/CHANGELOG.md +4 -0
- package/index.js +2 -0
- package/lib/a2a-tasks.js +7 -23
- package/lib/acme.js +13 -16
- package/lib/agent-event-bus.js +5 -4
- package/lib/agent-idempotency.js +2 -5
- package/lib/agent-orchestrator.js +2 -5
- package/lib/agent-saga.js +3 -5
- package/lib/agent-tenant.js +2 -5
- package/lib/ai-adverse-decision.js +2 -15
- package/lib/ai-capability.js +1 -6
- package/lib/ai-dp.js +1 -5
- package/lib/ai-input.js +2 -2
- package/lib/ai-pref.js +3 -8
- package/lib/ai-quota.js +3 -14
- package/lib/api-key.js +37 -28
- package/lib/archive-adapters.js +2 -4
- package/lib/archive-entry-policy.js +32 -0
- package/lib/archive-read.js +5 -17
- package/lib/archive-tar-read.js +5 -16
- package/lib/archive.js +2 -10
- package/lib/arg-parser.js +7 -6
- package/lib/asyncapi-traits.js +2 -6
- package/lib/atomic-file.js +108 -31
- package/lib/audit-chain.js +133 -53
- package/lib/audit-daily-review.js +24 -14
- package/lib/audit-emit.js +82 -0
- package/lib/audit-sign.js +257 -0
- package/lib/audit.js +84 -0
- package/lib/auth/access-lock.js +5 -27
- package/lib/auth/dpop.js +23 -35
- package/lib/auth/fido-mds3.js +9 -15
- package/lib/auth/jwt-external.js +26 -8
- package/lib/auth/jwt.js +13 -15
- package/lib/auth/lockout.js +6 -25
- package/lib/auth/oauth.js +67 -45
- package/lib/auth/oid4vci.js +55 -32
- package/lib/auth/oid4vp.js +3 -2
- package/lib/auth/openid-federation.js +6 -6
- package/lib/auth/passkey.js +3 -3
- package/lib/auth/password.js +7 -1
- package/lib/auth/saml.js +37 -27
- package/lib/auth/sd-jwt-vc-holder.js +2 -14
- package/lib/auth/sd-jwt-vc-issuer.js +2 -14
- package/lib/auth/sd-jwt-vc.js +1 -1
- package/lib/auth/status-list.js +7 -7
- package/lib/auth/step-up.js +6 -12
- package/lib/auth-bot-challenge.js +6 -37
- package/lib/backup/bundle.js +11 -18
- package/lib/backup/index.js +14 -47
- package/lib/bounded-map.js +112 -1
- package/lib/breach-deadline.js +1 -11
- package/lib/cache.js +7 -18
- package/lib/cbor.js +2 -1
- package/lib/cdn-cache-control.js +8 -9
- package/lib/cert.js +3 -10
- package/lib/chain-writer.js +162 -47
- package/lib/cli.js +5 -1
- package/lib/client-hints.js +10 -10
- package/lib/cloud-events.js +40 -31
- package/lib/cluster-storage.js +2 -38
- package/lib/cluster.js +4 -2
- package/lib/cms-codec.js +2 -1
- package/lib/codepoint-class.js +67 -1
- package/lib/compliance-ai-act-logging.js +1 -6
- package/lib/compliance-ai-act-transparency.js +2 -4
- package/lib/compliance-eaa.js +1 -11
- package/lib/compliance-sanctions-fetcher.js +21 -28
- package/lib/compliance-sanctions.js +2 -14
- package/lib/compliance.js +2 -9
- package/lib/config-drift.js +2 -12
- package/lib/content-digest.js +10 -8
- package/lib/cookies.js +5 -11
- package/lib/cose.js +19 -11
- package/lib/cra-report.js +1 -11
- package/lib/crypto-field.js +5 -10
- package/lib/crypto.js +120 -3
- package/lib/csp.js +235 -3
- package/lib/daemon.js +42 -41
- package/lib/data-act.js +19 -9
- package/lib/db-query.js +6 -40
- package/lib/db.js +34 -12
- package/lib/dbsc.js +5 -6
- package/lib/ddl-change-control.js +18 -14
- package/lib/deprecate.js +4 -5
- package/lib/did.js +6 -2
- package/lib/dsr.js +8 -12
- package/lib/external-db-migrate.js +21 -22
- package/lib/external-db.js +14 -26
- package/lib/fda-21cfr11.js +12 -8
- package/lib/fdx.js +22 -18
- package/lib/file-upload.js +80 -66
- package/lib/flag-evaluation-context.js +5 -8
- package/lib/framework-error.js +12 -0
- package/lib/framework-schema.js +19 -0
- package/lib/fsm.js +7 -12
- package/lib/gate-contract.js +869 -38
- package/lib/gdpr-ropa.js +4 -13
- package/lib/graphql-federation.js +1 -1
- package/lib/guard-agent-registry.js +2 -1
- package/lib/guard-all.js +1 -0
- package/lib/guard-archive.js +9 -30
- package/lib/guard-auth.js +23 -80
- package/lib/guard-cidr.js +20 -96
- package/lib/guard-csv.js +135 -196
- package/lib/guard-domain.js +23 -106
- package/lib/guard-dsn.js +16 -13
- package/lib/guard-email.js +46 -53
- package/lib/guard-envelope.js +1 -1
- package/lib/guard-event-bus-topic.js +2 -1
- package/lib/guard-filename.js +18 -62
- package/lib/guard-graphql.js +28 -75
- package/lib/guard-html-wcag.js +15 -2
- package/lib/guard-html.js +65 -117
- package/lib/guard-idempotency-key.js +2 -1
- package/lib/guard-image.js +280 -77
- package/lib/guard-imap-command.js +8 -9
- package/lib/guard-json.js +87 -103
- package/lib/guard-jsonpath.js +20 -88
- package/lib/guard-jwt.js +32 -114
- package/lib/guard-list-id.js +2 -7
- package/lib/guard-list-unsubscribe.js +2 -7
- package/lib/guard-mail-compose.js +5 -6
- package/lib/guard-mail-move.js +2 -1
- package/lib/guard-mail-query.js +5 -3
- package/lib/guard-mail-sieve.js +6 -7
- package/lib/guard-managesieve-command.js +5 -4
- package/lib/guard-markdown.js +76 -110
- package/lib/guard-message-id.js +5 -6
- package/lib/guard-mime.js +20 -99
- package/lib/guard-oauth.js +19 -73
- package/lib/guard-pdf.js +65 -72
- package/lib/guard-pop3-command.js +12 -13
- package/lib/guard-posture-chain.js +2 -1
- package/lib/guard-regex.js +24 -99
- package/lib/guard-saga-config.js +2 -1
- package/lib/guard-shell.js +22 -87
- package/lib/guard-smtp-command.js +8 -11
- package/lib/guard-sql.js +15 -13
- package/lib/guard-stream-args.js +2 -1
- package/lib/guard-svg.js +95 -140
- package/lib/guard-template.js +23 -80
- package/lib/guard-tenant-id.js +2 -1
- package/lib/guard-text.js +592 -0
- package/lib/guard-time.js +27 -95
- package/lib/guard-uuid.js +21 -93
- package/lib/guard-xml.js +76 -106
- package/lib/guard-yaml.js +24 -60
- package/lib/http-client-cache.js +8 -13
- package/lib/http-client-cookie-jar.js +2 -4
- package/lib/http-client.js +8 -21
- package/lib/http-message-signature.js +26 -8
- package/lib/i18n-messageformat.js +5 -7
- package/lib/i18n.js +83 -26
- package/lib/inbox.js +8 -8
- package/lib/incident-report.js +3 -21
- package/lib/ip-utils.js +49 -6
- package/lib/jobs.js +3 -2
- package/lib/keychain.js +6 -18
- package/lib/legal-hold.js +6 -15
- package/lib/log-stream-cloudwatch.js +44 -112
- package/lib/log-stream-otlp-grpc.js +28 -14
- package/lib/log-stream-otlp.js +16 -80
- package/lib/log-stream-syslog.js +6 -0
- package/lib/log-stream-webhook.js +20 -92
- package/lib/log.js +24 -2
- package/lib/mail-arc-sign.js +8 -3
- package/lib/mail-arf.js +3 -2
- package/lib/mail-auth.js +40 -66
- package/lib/mail-bimi.js +19 -39
- package/lib/mail-crypto-pgp.js +3 -2
- package/lib/mail-dav.js +8 -35
- package/lib/mail-deploy.js +6 -9
- package/lib/mail-dkim.js +19 -38
- package/lib/mail-greylist.js +15 -26
- package/lib/mail-helo.js +2 -3
- package/lib/mail-journal.js +2 -1
- package/lib/mail-mdn.js +4 -3
- package/lib/mail-rbl.js +5 -8
- package/lib/mail-scan.js +2 -2
- package/lib/mail-send-deliver.js +33 -20
- package/lib/mail-server-imap.js +32 -87
- package/lib/mail-server-jmap.js +35 -51
- package/lib/mail-server-managesieve.js +29 -83
- package/lib/mail-server-mx.js +33 -74
- package/lib/mail-server-net.js +177 -0
- package/lib/mail-server-pop3.js +30 -83
- package/lib/mail-server-rate-limit.js +30 -6
- package/lib/mail-server-submission.js +34 -73
- package/lib/mail-server-tls.js +89 -0
- package/lib/mail-spam-score.js +7 -8
- package/lib/mail-store.js +3 -2
- package/lib/mail.js +11 -11
- package/lib/markup-escape.js +31 -0
- package/lib/markup-tokenizer.js +54 -0
- package/lib/mcp-tool-registry.js +26 -23
- package/lib/mcp.js +1 -1
- package/lib/mdoc.js +11 -12
- package/lib/metrics.js +32 -30
- package/lib/middleware/age-gate.js +3 -23
- package/lib/middleware/api-encrypt.js +11 -22
- package/lib/middleware/assetlinks.js +2 -7
- package/lib/middleware/bearer-auth.js +2 -1
- package/lib/middleware/body-parser.js +79 -54
- package/lib/middleware/bot-disclose.js +7 -10
- package/lib/middleware/bot-guard.js +2 -10
- package/lib/middleware/csrf-protect.js +13 -2
- package/lib/middleware/daily-byte-quota.js +6 -26
- package/lib/middleware/deny-response.js +19 -1
- package/lib/middleware/fetch-metadata.js +7 -0
- package/lib/middleware/idempotency-key.js +4 -20
- package/lib/middleware/rate-limit.js +20 -28
- package/lib/middleware/scim-server.js +3 -2
- package/lib/middleware/security-headers.js +9 -1
- package/lib/middleware/security-txt.js +2 -6
- package/lib/middleware/tus-upload.js +12 -27
- package/lib/middleware/web-app-manifest.js +2 -7
- package/lib/migrations.js +4 -13
- package/lib/mime-parse.js +34 -17
- package/lib/module-loader.js +44 -0
- package/lib/money.js +105 -0
- package/lib/mtls-ca.js +116 -36
- package/lib/network-byte-quota.js +4 -18
- package/lib/network-dane.js +8 -6
- package/lib/network-dns-resolver.js +97 -6
- package/lib/network-dns.js +22 -26
- package/lib/network-dnssec.js +16 -16
- package/lib/network-heartbeat.js +6 -5
- package/lib/network-proxy.js +3 -7
- package/lib/network-smtp-policy.js +29 -41
- package/lib/network-tls.js +74 -55
- package/lib/network.js +2 -6
- package/lib/nis2-report.js +1 -11
- package/lib/nonce-store.js +81 -3
- package/lib/notify.js +7 -12
- package/lib/numeric-bounds.js +22 -8
- package/lib/object-store/azure-blob-bucket-ops.js +2 -6
- package/lib/object-store/azure-blob.js +5 -45
- package/lib/object-store/gcs.js +8 -71
- package/lib/object-store/http-put.js +1 -5
- package/lib/object-store/http-request.js +128 -0
- package/lib/object-store/sigv4-bucket-ops.js +2 -1
- package/lib/object-store/sigv4.js +9 -77
- package/lib/observability-otlp-exporter.js +9 -25
- package/lib/observability.js +95 -0
- package/lib/openapi-paths-builder.js +7 -3
- package/lib/otel-export.js +7 -10
- package/lib/outbox.js +43 -37
- package/lib/pagination.js +11 -15
- package/lib/parsers/safe-env.js +5 -4
- package/lib/parsers/safe-ini.js +10 -4
- package/lib/parsers/safe-toml.js +11 -9
- package/lib/parsers/safe-xml.js +2 -2
- package/lib/parsers/safe-yaml.js +7 -6
- package/lib/pick.js +63 -5
- package/lib/pipl-cn.js +69 -59
- package/lib/privacy-pass.js +8 -6
- package/lib/problem-details.js +2 -5
- package/lib/pubsub.js +4 -8
- package/lib/redact.js +2 -1
- package/lib/render.js +4 -2
- package/lib/request-helpers.js +133 -6
- package/lib/restore.js +5 -22
- package/lib/retention.js +3 -5
- package/lib/safe-async.js +457 -0
- package/lib/safe-buffer.js +137 -6
- package/lib/safe-decompress.js +2 -1
- package/lib/safe-dns.js +2 -1
- package/lib/safe-ical.js +12 -26
- package/lib/safe-json.js +7 -8
- package/lib/safe-jsonpath.js +6 -5
- package/lib/safe-mime.js +25 -29
- package/lib/safe-redirect.js +2 -5
- package/lib/safe-schema.js +7 -6
- package/lib/safe-sql.js +126 -0
- package/lib/safe-vcard.js +12 -26
- package/lib/sandbox-worker.js +9 -2
- package/lib/sandbox.js +3 -2
- package/lib/scheduler.js +5 -12
- package/lib/sec-cyber.js +82 -37
- package/lib/seeders.js +9 -21
- package/lib/self-update.js +92 -69
- package/lib/session-device-binding.js +112 -66
- package/lib/session.js +194 -6
- package/lib/sql.js +225 -78
- package/lib/sse.js +6 -10
- package/lib/static.js +136 -98
- package/lib/storage.js +4 -2
- package/lib/structured-fields.js +313 -17
- package/lib/tenant-quota.js +2 -20
- package/lib/tsa.js +11 -15
- package/lib/validate-opts.js +154 -8
- package/lib/vault/seal-pem-file.js +30 -48
- package/lib/vault-aad.js +3 -2
- package/lib/vc.js +2 -7
- package/lib/vex.js +35 -13
- package/lib/web-push-vapid.js +23 -20
- package/lib/webhook-dispatcher.js +706 -0
- package/lib/webhook.js +43 -18
- package/lib/websocket-channels.js +9 -7
- package/lib/websocket.js +7 -3
- package/lib/worm.js +2 -3
- package/lib/ws-client.js +8 -10
- package/package.json +1 -1
- package/sbom.cdx.json +6 -6
package/lib/framework-error.js
CHANGED
|
@@ -144,6 +144,11 @@ var SchedulerError = defineClass("SchedulerError");
|
|
|
144
144
|
var SessionError = defineClass("SessionError");
|
|
145
145
|
var SlugError = defineClass("SlugError", { alwaysPermanent: true });
|
|
146
146
|
var WebhookError = defineClass("WebhookError", { alwaysPermanent: true });
|
|
147
|
+
// WebhookDispatcherError covers the durable signed-webhook delivery store
|
|
148
|
+
// (b.webhook.dispatcher): endpoint registration, fan-out, retry/backoff, and
|
|
149
|
+
// dead-letter operations. Distinct from WebhookError (the stateless
|
|
150
|
+
// sign/verify surface) so the persistence-layer error codes stay separable.
|
|
151
|
+
var WebhookDispatcherError = defineClass("WebhookDispatcherError", { alwaysPermanent: true });
|
|
147
152
|
var ApiKeyError = defineClass("ApiKeyError", { alwaysPermanent: true });
|
|
148
153
|
var PermissionsError = defineClass("PermissionsError", { alwaysPermanent: true });
|
|
149
154
|
// CacheError is alwaysPermanent: bad opts / missing key / closed-state
|
|
@@ -196,6 +201,11 @@ var GateContractError = defineClass("GateContractError", { alwaysPermane
|
|
|
196
201
|
// validate paths. alwaysPermanent — chunk-shape errors / formula-injection
|
|
197
202
|
// attempts / schema drift are all caller-shape errors.
|
|
198
203
|
var GuardCsvError = defineClass("GuardCsvError", { alwaysPermanent: true });
|
|
204
|
+
// GuardTextError covers free-text codepoint-threat violations on the validate /
|
|
205
|
+
// sanitize / gate paths (bidi-override / control / null / zero-width /
|
|
206
|
+
// Unicode-Tags / mixed-script-confusable). alwaysPermanent — every case is a
|
|
207
|
+
// hostile-codepoint detection or a caller-shape opt error.
|
|
208
|
+
var GuardTextError = defineClass("GuardTextError", { alwaysPermanent: true });
|
|
199
209
|
// GuardAllError covers parity-check failures, exceptFor opt validation, and
|
|
200
210
|
// override opt validation in the b.guardAll registry. alwaysPermanent — every
|
|
201
211
|
// case is a config-time programming bug, not a transient runtime condition.
|
|
@@ -693,6 +703,7 @@ module.exports = {
|
|
|
693
703
|
SessionError: SessionError,
|
|
694
704
|
SlugError: SlugError,
|
|
695
705
|
WebhookError: WebhookError,
|
|
706
|
+
WebhookDispatcherError: WebhookDispatcherError,
|
|
696
707
|
ApiKeyError: ApiKeyError,
|
|
697
708
|
PermissionsError: PermissionsError,
|
|
698
709
|
CacheError: CacheError,
|
|
@@ -705,6 +716,7 @@ module.exports = {
|
|
|
705
716
|
StaticServeError: StaticServeError,
|
|
706
717
|
GateContractError: GateContractError,
|
|
707
718
|
GuardCsvError: GuardCsvError,
|
|
719
|
+
GuardTextError: GuardTextError,
|
|
708
720
|
GuardAllError: GuardAllError,
|
|
709
721
|
GuardHtmlError: GuardHtmlError,
|
|
710
722
|
GuardSvgError: GuardSvgError,
|
package/lib/framework-schema.js
CHANGED
|
@@ -116,6 +116,10 @@ var LOCAL_TO_EXTERNAL = Object.freeze({
|
|
|
116
116
|
// places — cluster-storage.execute routes the SQL to the right DB
|
|
117
117
|
// based on cluster.isClusterMode().
|
|
118
118
|
_blamejs_sessions: "_blamejs_sessions",
|
|
119
|
+
// _blamejs_session_valid_from — per-subject valid-from boundary for
|
|
120
|
+
// stateless-token revocation (b.session.bump / check / validFrom). Same
|
|
121
|
+
// dual-storage shape as _blamejs_sessions; identity-mapped.
|
|
122
|
+
_blamejs_session_valid_from: "_blamejs_session_valid_from",
|
|
119
123
|
// _blamejs_jobs — same dual-storage pattern as sessions. The local-
|
|
120
124
|
// protocol queue (lib/queue-local.js) routes through cluster-storage
|
|
121
125
|
// so writes/reads land in the leader's external-db when cluster
|
|
@@ -649,6 +653,20 @@ function _sessionsDDL(dialect) {
|
|
|
649
653
|
]);
|
|
650
654
|
}
|
|
651
655
|
|
|
656
|
+
// _blamejs_session_valid_from — monotonic per-subject valid-from boundary for
|
|
657
|
+
// stateless-token revocation. Mirrors the local-SQLite schema in db.js's
|
|
658
|
+
// FRAMEWORK_SCHEMA so single-node and cluster behavior are identical.
|
|
659
|
+
// subjectHash is the PRIMARY KEY (the plaintext subject id never lands here);
|
|
660
|
+
// validFromEpoch is the monotonic boundary (ms); updatedAt records the bump.
|
|
661
|
+
function _sessionValidFromDDL(dialect) {
|
|
662
|
+
var t = _types(dialect);
|
|
663
|
+
return _table(tableName("_blamejs_session_valid_from"), dialect, [
|
|
664
|
+
{ col: "subjectHash", def: t.KT + " PRIMARY KEY" },
|
|
665
|
+
{ col: "validFromEpoch", def: t.INT + " NOT NULL" },
|
|
666
|
+
{ col: "updatedAt", def: t.INT + " NOT NULL" },
|
|
667
|
+
], []);
|
|
668
|
+
}
|
|
669
|
+
|
|
652
670
|
// _blamejs_jobs — local-protocol queue jobs. Mirrors db.js's
|
|
653
671
|
// FRAMEWORK_SCHEMA for the same table; sealed columns (payload,
|
|
654
672
|
// lastError) are stored vault-sealed. Indexes target the lease
|
|
@@ -824,6 +842,7 @@ function _allDDLs(dialect) {
|
|
|
824
842
|
_apiEncryptNoncesDDL(dialect),
|
|
825
843
|
_apiKeysDDL(dialect),
|
|
826
844
|
_sessionsDDL(dialect),
|
|
845
|
+
_sessionValidFromDDL(dialect),
|
|
827
846
|
_jobsDDL(dialect),
|
|
828
847
|
_cacheDDL(dialect),
|
|
829
848
|
_cacheTagsDDL(dialect),
|
package/lib/fsm.js
CHANGED
|
@@ -439,18 +439,13 @@ async function _runTransition(instance, name, opts) {
|
|
|
439
439
|
// drop-silent; the additional try/catch protects against the
|
|
440
440
|
// lazy-loaded audit module throwing at first-access time.
|
|
441
441
|
try {
|
|
442
|
-
audit().
|
|
443
|
-
|
|
444
|
-
|
|
445
|
-
|
|
446
|
-
|
|
447
|
-
|
|
448
|
-
|
|
449
|
-
transition: name,
|
|
450
|
-
machine: instance._def.name,
|
|
451
|
-
callerMeta: opts.metadata || null,
|
|
452
|
-
},
|
|
453
|
-
});
|
|
442
|
+
audit().namespaced("fsm")(instance._def.name + ".transition", "success", {
|
|
443
|
+
from: fromState,
|
|
444
|
+
to: toState,
|
|
445
|
+
transition: name,
|
|
446
|
+
machine: instance._def.name,
|
|
447
|
+
callerMeta: opts.metadata || null,
|
|
448
|
+
}, { actor: opts.actor ? { id: opts.actor } : { id: "<system>" } });
|
|
454
449
|
} catch (_e) { /* drop-silent — audit best-effort */ }
|
|
455
450
|
return { from: fromState, to: toState, on: name };
|
|
456
451
|
}
|