@blamejs/core 0.8.42 → 0.8.49

package/lib/pqc-software.js

@@ -1,59 +1,39 @@
 "use strict";
 /**
- * b.pqcSoftware — pure-JS post-quantum primitives sourced from the
- * vendored @noble/post-quantum bundle (lib/vendor/noble-post-quantum.cjs).
+ * @module b.pqcSoftware
+ * @nav    Crypto
+ * @title  PQC Software
  *
- * Usable server-side and client-side. Ciphertexts are FIPS 203
- * conformant in both directions — encapsulating with Node's WebCrypto
- * ML-KEM-1024 (used by b.crypto.encrypt / b.middleware.apiEncrypt)
- * decapsulates with b.pqcSoftware.ml_kem_1024 and vice versa.
+ * @intro
+ *   Pure-JS post-quantum cryptography wrapper around the vendored
+ *   `@noble/post-quantum` bundle (`lib/vendor/noble-post-quantum.cjs`).
+ *   Ships the FIPS-203 ML-KEM family, FIPS-204 ML-DSA family, and
+ *   FIPS-205 SLH-DSA family (both SHAKE and SHA-2 hash variants) as
+ *   first-class accessors on `b.pqcSoftware.*`.
  *
- * Operator wiring:
+ *   Defaults pin to the highest category-5 parameter set per family:
+ *   `DEFAULT_KEM` = ML-KEM-1024, `DEFAULT_LATTICE_SIG` = ML-DSA-87,
+ *   `DEFAULT_HASH_SIG` = SLH-DSA-SHAKE-256f. Ciphertexts are FIPS-203
+ *   conformant in both directions — output produced by Node's
+ *   WebCrypto ML-KEM-1024 (used by `b.crypto.encrypt` and
+ *   `b.middleware.apiEncrypt`) decapsulates here, and vice versa,
+ *   making this the reference-implementation path for interop tests
+ *   against Node WebCrypto or a hardware HSM.
  *
- *   - Server-side: import b.pqcSoftware directly. Use it as the
- *     primary PQC path on Node releases without the experimental
- *     WebCrypto ML-KEM extension, or for reference-implementation
- *     interop testing against Node WebCrypto / hardware HSMs.
+ *   Each KEM exposes `keygen()` / `encapsulate()` / `decapsulate()`;
+ *   each signature object exposes `keygen()` / `sign()` / `verify()`
+ *   — both shapes match the upstream `@noble/post-quantum` API
+ *   directly, so the module is also re-bundlable into a browser
+ *   build that ships `b.middleware.apiEncrypt.client`.
  *
- *   - Client-side: re-bundle this module or import @noble/post-quantum
- *     directly into the build that ships b.middleware.apiEncrypt.client.
+ *   The vendored bundle is a build artifact. In deployments that
+ *   stripped `lib/vendor/`, `isAvailable()` returns `false` and every
+ *   accessor returns a stub that throws `PqcError` on call —
+ *   operators in that posture fall back to Node WebCrypto via
+ *   `b.crypto.encrypt` / `b.crypto.decrypt`.
  *
- * Defaults pin to the highest cat-5 level:
- *
- *   - DEFAULT_KEM         = ML-KEM-1024 (FIPS 203)
- *   - DEFAULT_LATTICE_SIG = ML-DSA-87   (FIPS 204)
- *   - DEFAULT_HASH_SIG    = SLH-DSA-SHAKE-256f (FIPS 205)
- *
- * Public surface (b.pqcSoftware.*):
- *
- *   .ml_kem_1024 / .ml_kem_768 / .ml_kem_512   — FIPS 203 KEM objects
- *   .ml_dsa_87 / .ml_dsa_65 / .ml_dsa_44       — FIPS 204 lattice sig
- *   .slh_dsa_shake_256f / 192f / 128f          — FIPS 205 (SHAKE)
- *   .slh_dsa_sha2_256f / 192f / 128f           — FIPS 205 (SHA-2)
- *
- *   .DEFAULT_KEM         — alias to ml_kem_1024
- *   .DEFAULT_LATTICE_SIG — alias to ml_dsa_87
- *   .DEFAULT_HASH_SIG    — alias to slh_dsa_shake_256f
- *
- *   .isAvailable()    — boolean: is the vendored bundle loadable?
- *   .listAlgorithms() — string[] of algorithm names
- *
- * Each KEM / signature object exposes `keygen()` / `encapsulate()` /
- * `decapsulate()` (KEMs) or `keygen()` / `sign()` / `verify()`
- * (signatures), matching the @noble/post-quantum API directly.
- *
- * Operators chaining this into other primitives:
- *
- *   var pqc = b.pqcSoftware;
- *   var kp  = pqc.DEFAULT_KEM.keygen();
- *   var enc = pqc.DEFAULT_KEM.encapsulate(kp.publicKey);
- *   //  enc.cipherText / enc.sharedSecret
- *
- * Note on availability: the bundle is a build artifact in
- * lib/vendor/noble-post-quantum.cjs. In tightly-locked deployments
- * where operators stripped the vendor directory, .isAvailable()
- * returns false and the module exposes a stub that throws on every
- * primitive call.
+ * @card
+ *   Pure-JS post-quantum cryptography wrapper around the vendored `@noble/post-quantum` bundle (`lib/vendor/noble-post-quantum.cjs`).
  */
 
 var { defineClass } = require("./framework-error");
@@ -107,10 +87,50 @@ function _accessor(name) {
   return algo;
 }
 
+/**
+ * @primitive b.pqcSoftware.isAvailable
+ * @signature b.pqcSoftware.isAvailable()
+ * @since     0.7.28
+ * @status    stable
+ * @related   b.pqcSoftware.listAlgorithms, b.pqcSoftware.runKnownAnswerTest
+ *
+ * Returns `true` when the vendored `@noble/post-quantum` bundle loaded
+ * successfully and its KEM / signature objects are wired into the
+ * accessors. Returns `false` when `lib/vendor/noble-post-quantum.cjs`
+ * is missing or threw at require time — every accessor in that
+ * posture returns a stub whose primitive calls throw `PqcError`.
+ *
+ * @example
+ *   var b = require("blamejs").create();
+ *   if (b.pqcSoftware.isAvailable()) {
+ *     var ss = b.pqcSoftware.DEFAULT_KEM.keygen();
+ *     ss.publicKey.length;
+ *     // → 1568 (ML-KEM-1024 public key, FIPS 203 §8 |pk| = 1568)
+ *   }
+ */
 function isAvailable() {
   return _load() !== null;
 }
 
+/**
+ * @primitive b.pqcSoftware.listAlgorithms
+ * @signature b.pqcSoftware.listAlgorithms()
+ * @since     0.7.28
+ * @status    stable
+ * @related   b.pqcSoftware.isAvailable, b.pqcSoftware.runKnownAnswerTest
+ *
+ * Returns the names of every PQC algorithm exposed on the
+ * `b.pqcSoftware` surface — the three ML-KEM parameter sets, the
+ * three ML-DSA parameter sets, and six SLH-DSA parameter sets (three
+ * SHAKE + three SHA-2). Returns an empty array when the vendored
+ * bundle is unavailable.
+ *
+ * @example
+ *   var b = require("blamejs").create();
+ *   var names = b.pqcSoftware.listAlgorithms();
+ *   names.indexOf("ml_kem_1024") >= 0;
+ *   // → true (when the vendored bundle is present)
+ */
 function listAlgorithms() {
   if (!isAvailable()) return [];
   return [
@@ -193,17 +213,31 @@ Object.defineProperty(pqc, "DEFAULT_HASH_SIG", {
   get: function () { return _accessor("slh_dsa_shake_256f"); },
 });
 
-// runKnownAnswerTest — round-trip the vendored ML-KEM-1024 against
-// itself with a self-generated keypair. This is NOT the FIPS 203
-// Appendix A KAT vector (those are 800 KB of test data the framework
-// chooses not to vendor); it's a self-consistency check that the
-// vendored bundle's keygen / encapsulate / decapsulate survives a
-// full cycle and produces a 32-byte shared secret. The fallback
-// path becomes load-bearing if Node strips the WebCrypto ML-KEM
-// extension; this gate fails fast at boot rather than mid-request.
-//
-//   var result = b.pqcSoftware.runKnownAnswerTest();
-//   if (!result.ok) throw new Error("PQC KAT failed: " + result.reason);
+/**
+ * @primitive b.pqcSoftware.runKnownAnswerTest
+ * @signature b.pqcSoftware.runKnownAnswerTest()
+ * @since     0.7.28
+ * @status    stable
+ * @related   b.pqcSoftware.isAvailable, b.pqcSoftware.listAlgorithms
+ *
+ * Round-trips ML-KEM-1024 against itself with a self-generated
+ * keypair: `keygen` → `encapsulate` → `decapsulate`, then a
+ * constant-time compare of the two shared secrets. This is a self-
+ * consistency gate, not the FIPS 203 Appendix A KAT vectors (those
+ * ~800 KB of test data are intentionally not vendored). The check
+ * fails fast at boot if the vendored bundle is broken, rather than
+ * mid-request when an envelope decrypt aborts.
+ *
+ * Returns `{ ok, reason?, sharedSecretLength? }`. `ok: true` means
+ * keygen / encapsulate / decapsulate cycled cleanly and the two
+ * shared secrets are byte-identical (32 bytes per FIPS 203 §1).
+ *
+ * @example
+ *   var b = require("blamejs").create();
+ *   var result = b.pqcSoftware.runKnownAnswerTest();
+ *   result.ok;
+ *   // → true (or { ok: false, reason: "<diagnostic>" } when broken)
+ */
 function runKnownAnswerTest() {
   if (!isAvailable()) {
     return { ok: false, reason: "vendored @noble/post-quantum bundle not loadable" };

package/lib/process-spawn.js

@@ -1,29 +1,37 @@
 "use strict";
 /**
- * b.processSpawn — child-process launcher that strips connection-string
- * secrets from the environment before exec. Operators reaching for
- * `child_process.spawn` directly inherit `process.env` by default —
- * which means a child (jq, postgres CLI, an unzipper) sees
- * `DATABASE_URL`, `PG*`, `REDIS_URL`, `S3_*`, `AWS_*`. OWASP-1 closes
- * that class: every spawn through this primitive uses a filtered env
- * by default; operators opt in to specific secret env vars when the
- * child genuinely needs them.
+ * @module b.processSpawn
+ * @nav    Production
+ * @title  Process Spawn
  *
- *   var child = b.processSpawn.spawn("jq", [".name"], {
- *     stdio:    "pipe",
- *     // env: { ... }            // optional override; defaults to filtered
- *     // allowEnv: ["AWS_REGION"] // explicit pass-through whitelist
- *   });
+ * @intro
+ *   Secret-safe `child_process.spawn` wrapper — argv allowlist via
+ *   the operator's caller, no `shell:true` reliance, env scrubbing of
+ *   connection strings and credential variables, and output redaction
+ *   in the audit metadata (env-var NAMES are recorded, never values).
+ *
+ *   Operators reaching for `child_process.spawn` directly inherit
+ *   `process.env` by default — which means a child (`jq`, the
+ *   postgres CLI, an unzipper) sees `DATABASE_URL`, `PG*`, `REDIS_URL`,
+ *   `S3_*`, `AWS_*`. OWASP-1 closes that class: every spawn through
+ *   `b.processSpawn` uses a filtered env by default; operators opt in
+ *   to specific secret env vars via `opts.allowEnv` when the child
+ *   genuinely needs them.
  *
- * Filter list (case-insensitive — matches Windows env var names):
- *   DATABASE_URL, PG*, POSTGRES*, MYSQL*, REDIS_URL, MONGO_URL,
- *   AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, AWS_SESSION_TOKEN,
- *   S3_*, AZURE_*, GCP_*, GOOGLE_APPLICATION_CREDENTIALS,
- *   *_TOKEN, *_SECRET, *_PASSWORD, *_API_KEY, *_PRIVATE_KEY.
+ *   Filter patterns (case-insensitive — matches Windows env-var
+ *   capitalization too): `DATABASE_URL`, `PG*`, `POSTGRES*`, `MYSQL*`,
+ *   `REDIS_URL`, `MONGO*`, `AWS_(ACCESS_KEY_ID|SECRET_ACCESS_KEY|
+ *   SESSION_TOKEN)`, `S3_*`, `AZURE_*`, `GCP_*`,
+ *   `GOOGLE_APPLICATION_CREDENTIALS`, suffixes `*_TOKEN`, `*_SECRET`,
+ *   `*_PASSWORD`, `*_API_KEY`, `*_PRIVATE_KEY`, `*_PASSPHRASE`. The
+ *   frozen pattern list is exposed as
+ *   `b.processSpawn.FILTER_PATTERNS` for operator inspection.
  *
- * Audit: `process.spawn` (success) — metadata carries command + arg
- * count + which env vars were filtered out (NOT their values). On
- * exec failure: `process.spawn.failed` with the error code.
+ *   Audit: `process.spawn` (success) — metadata carries command, arg
+ *   count, and the redacted list of env-var names that were stripped.
+ *
+ * @card
+ *   Secret-safe `child_process.spawn` wrapper — argv allowlist via the operator's caller, no `shell:true` reliance, env scrubbing of connection strings and credential variables, and output redaction in the audit metadata (env-var NAMES are recorded, never values).
  */
 
 var lazyRequire = require("./lazy-require");
@@ -62,6 +70,37 @@ function _shouldFilter(name) {
   return false;
 }
 
+/**
+ * @primitive b.processSpawn.filteredEnv
+ * @signature b.processSpawn.filteredEnv(source, allowEnv)
+ * @since     0.8.42
+ * @status    stable
+ * @related   b.processSpawn.spawn
+ *
+ * Pure helper that returns `{ env, filtered }` — `env` is `source`
+ * with every variable matching `FILTER_PATTERNS` removed, except for
+ * names listed in `allowEnv` (explicit pass-through). `filtered` is
+ * the array of stripped variable names; values are never returned or
+ * logged.
+ *
+ * `source` defaults to `process.env` when omitted. Useful for
+ * pre-flight inspection (which secrets would the spawn drop?) without
+ * actually launching a child.
+ *
+ * @example
+ *   var report = b.processSpawn.filteredEnv({
+ *     PATH:                 "/usr/bin",
+ *     AWS_ACCESS_KEY_ID:    "AKIA...",
+ *     AWS_SECRET_ACCESS_KEY: "wJalr...",
+ *     AWS_REGION:           "us-east-1",
+ *     DATABASE_URL:         "postgres://...",
+ *   }, ["AWS_REGION"]);
+ *   report.env.PATH;       // → "/usr/bin"
+ *   report.env.AWS_REGION; // → "us-east-1"
+ *   report.env.DATABASE_URL;       // → undefined
+ *   report.filtered.indexOf("AWS_ACCESS_KEY_ID") !== -1; // → true
+ *   report.filtered.indexOf("DATABASE_URL")      !== -1; // → true
+ */
 function filteredEnv(source, allowEnv) {
   var src = source || process.env;
   var allowSet = {};
@@ -81,6 +120,41 @@ function filteredEnv(source, allowEnv) {
   return { env: out, filtered: filtered };
 }
 
+/**
+ * @primitive b.processSpawn.spawn
+ * @signature b.processSpawn.spawn(command, args, opts)
+ * @since     0.8.42
+ * @status    stable
+ * @related   b.processSpawn.filteredEnv, b.daemon.start, b.audit.safeEmit
+ *
+ * Spawn a child process with the connection-string filter applied to
+ * `process.env` before exec. Returns the underlying
+ * `child_process.ChildProcess` so operators can attach the usual
+ * `stdout` / `stderr` / `close` listeners. Emits one `process.spawn`
+ * audit row carrying the command, arg count, and the names (never
+ * values) of the env vars that were stripped.
+ *
+ * Throws `ProcessSpawnError("process-spawn/bad-command")` when
+ * `command` is not a non-empty string. `opts.env`, when supplied, is
+ * trusted verbatim — operators that pass an explicit env take full
+ * responsibility for what reaches the child.
+ *
+ * @opts
+ *   stdio:    string | Array,                  // forwarded to child_process.spawn
+ *   cwd:      string,                          // forwarded to child_process.spawn
+ *   detached: boolean,                         // forwarded to child_process.spawn
+ *   env:      object,                          // explicit override; bypasses filter
+ *   allowEnv: string[],                        // pass-through whitelist applied to process.env
+ *   ...                                        // every other Node spawn opt is forwarded
+ *
+ * @example
+ *   var child = b.processSpawn.spawn(process.execPath, ["-e", "process.exit(0)"], {
+ *     stdio:    "ignore",
+ *     allowEnv: ["AWS_REGION"],
+ *   });
+ *   typeof child.pid; // → "number"
+ *   child.kill();
+ */
 function spawn(command, args, opts) {
   if (typeof command !== "string" || command.length === 0) {
     throw new ProcessSpawnError("process-spawn/bad-command",

package/lib/pubsub.js

@@ -1,76 +1,41 @@
 "use strict";
 /**
- * pubsub — distributed pub/sub primitive.
+ * @module b.pubsub
+ * @nav    Communication
+ * @title  Pubsub
  *
- * Generalizes the cluster-table fan-out pattern that previously lived
- * inline in `lib/websocket-channels.js` and the `NOT_SUPPORTED` cache
- * cluster `invalidateTag` path. Three backends:
+ * @intro
+ *   Cluster-aware pub/sub channel for in-process and cross-replica
+ *   messaging. Three backends share one operator API:
  *
- *   local    — in-process Map<channel, Set<handler>>; publish dispatches
- *              SYNCHRONOUSLY before returning. Single-node deploys pay
- *              zero coordination overhead.
- *   cluster  — shared `_blamejs_pubsub_messages` table polled at
- *              pollIntervalMs; publish writes a row + dispatches locally;
- *              other nodes pick up rows via `id > lastSeenId AND
- *              publishedBy <> selfNodeId`. Default cluster mode for any
- *              `b.cluster`-aware deploy.
- *   redis    — Redis PUB/SUB on the bespoke `lib/redis-client.js`. One
- *              connection per pubsub instance enters subscribe mode
- *              (demultiplexed via `setOnPushMessage`); publish goes
- *              through a separate command-mode connection.
+ *     local    — in-process `Map<channel, Set<handler>>`; publish
+ *                dispatches synchronously before returning. Single-node
+ *                deploys pay zero coordination overhead.
+ *     cluster  — shared `_blamejs_pubsub_messages` table polled at
+ *                `pollIntervalMs`; publish writes a row + dispatches
+ *                locally; other nodes pick up rows via
+ *                `id > lastSeenId AND publishedBy <> selfNodeId`. The
+ *                default for any `b.cluster`-aware deploy.
+ *     redis    — Redis PUB/SUB on `lib/redis-client.js`. One connection
+ *                enters subscribe mode (demultiplexed via
+ *                `setOnPushMessage`); publish goes through a separate
+ *                command-mode connection.
  *
- * Operator API:
+ *   Pattern subscribe accepts glob-style topic matchers (`*` matches one
+ *   `.`-delimited segment, `**` matches any suffix). Channel names cap
+ *   at 1 KiB to defeat pathological matcher inputs. Subscribe /
+ *   unsubscribe is ref-counted across local handlers so the remote
+ *   backend only carries one subscription per scoped channel.
  *
- *   var ps = b.pubsub.create({
- *     backend:        'local' | 'cluster' | 'redis' | { custom },
- *     // cluster opts
- *     cluster:        clusterInstance,
- *     pollIntervalMs: C.TIME.ms?    — default 100ms
- *     retentionMs:    C.TIME.ms?    — default 60s
- *     pruneEveryMs:   C.TIME.ms?    — default 5min
- *     // redis opts
- *     redisUrl:       string        — required for redis backend
- *     redisPassword:  string?
- *     redisUsername:  string?
- *     redisTls:       boolean?
- *     redisCa:        string|Buffer?
- *     redisServername: string?
- *     // common
- *     topicPrefix:    string?       — every publish/subscribe channel
- *                                     scoped to `<topicPrefix>:<channel>`
- *                                     so independent pubsub instances
- *                                     sharing a backend don't collide.
- *     audit:          boolean?      — default false. When true emits
- *                                     `system.pubsub.publish` per call.
- *   });
- *
- *   var token = ps.subscribe(channel, function (payload, ev) {
- *     // payload is whatever publish() received (objects survive JSON
- *     // round-trip on remote backends; on the local backend the
- *     // reference is passed through). ev = { channel, source: 'local'
- *     // | 'remote', publishedBy?, publishedAt? }.
- *   });
- *   ps.unsubscribe(token);
- *
- *   await ps.publish(channel, payload);          // returns { local, remote? }
- *
- *   await ps.close();                            // tears down backend
+ *   Local dispatch always happens BEFORE `publish()` resolves regardless
+ *   of backend — same-node subscribers see the payload with near-zero
+ *   latency. Handler errors are caught and logged via the boot logger;
+ *   they never abort dispatch to siblings. Bad-shape remote payloads
+ *   drop silently after a logged warning so one malformed cross-node
+ *   message can't poison the local handler chain.
  *
- * Local dispatch always happens BEFORE the publish() promise resolves,
- * regardless of backend — same-node subscribers see the payload with
- * near-zero latency. The remote write is awaited so the caller knows
- * the cross-node fan-out completed.
- *
- * Subscription handler errors are caught and logged via the framework's
- * boot logger; they never abort dispatch to other handlers on the same
- * channel.
- *
- * Channel naming is operator-defined — pubsub treats names as opaque
- * strings (with the optional topicPrefix prepended). Pattern subscribe
- * (Redis-style `news.*`) is exposed via `subscribePattern(pattern,
- * handler)`; not every backend supports it (cluster-table backend
- * matches client-side, redis backend uses PSUBSCRIBE, local backend
- * matches client-side too).
+ * @card
+ *   Cluster-aware pub/sub channel for in-process and cross-replica messaging.
  */
 var C = require("./constants");
 var lazyRequire = require("./lazy-require");
@@ -196,6 +161,71 @@ function _matchPattern(pattern, channel) {
   return false;
 }
 
+/**
+ * @primitive b.pubsub.create
+ * @signature b.pubsub.create(opts)
+ * @since     0.6.34
+ * @status    stable
+ * @related   b.cluster, b.websocketChannels
+ *
+ * Build a pub/sub instance bound to one of the supported backends.
+ * Returned object exposes `subscribe(channel, handler)` /
+ * `subscribePattern(pattern, handler)` for receive,
+ * `unsubscribe(token)` for cleanup, `publish(channel, payload)` for
+ * fan-out, and `close()` for teardown. Tokens returned by subscribe
+ * are opaque records; pass them back to `unsubscribe` verbatim.
+ *
+ * Throws `PubsubError("UNKNOWN_BACKEND")` when `opts.backend` is not
+ * one of `"local"`, `"cluster"`, `"redis"`, or a custom backend object
+ * implementing `{ publishRemote, start, stop }`. Throws
+ * `PubsubError("BAD_BACKEND")` when a custom backend object is missing
+ * those methods.
+ *
+ * @opts
+ *   backend:         "local" | "cluster" | "redis" | object  // default "local"
+ *   cluster:         object,                                 // required for backend "cluster"
+ *   pollIntervalMs:  number,                                 // cluster poll cadence; default 100ms
+ *   retentionMs:     number,                                 // cluster row retention; default 60_000
+ *   pruneEveryMs:    number,                                 // cluster prune cadence; default 300_000
+ *   redisUrl:        string,                                 // required for backend "redis"
+ *   redisPassword:   string,
+ *   redisUsername:   string,
+ *   redisTls:        boolean,
+ *   redisCa:         string | Buffer,
+ *   redisServername: string,
+ *   topicPrefix:     string,                                 // scopes every channel as `<prefix>:<channel>`
+ *   audit:           boolean,                                // default false; emit system.pubsub.publish
+ *
+ * @example
+ *   var ps = b.pubsub.create({ backend: "local" });
+ *
+ *   var token = ps.subscribe("user.created", function (payload, ev) {
+ *     console.log(ev.channel, ev.source, payload.id);
+ *     // → user.created local 42
+ *   });
+ *
+ *   await ps.publish("user.created", { id: 42 });
+ *   ps.unsubscribe(token);
+ *   await ps.close();
+ *
+ * @example
+ *   // Glob-style topic matchers: '*' matches one segment, '**' any suffix.
+ *   var ps = b.pubsub.create({ backend: "local" });
+ *
+ *   ps.subscribePattern("orders.*.created", function (payload, ev) {
+ *     console.log(ev.channel);
+ *     // → orders.eu.created
+ *   });
+ *
+ *   ps.subscribePattern("audit.**", function (payload, ev) {
+ *     console.log(ev.channel);
+ *     // → audit.security.login.failed
+ *   });
+ *
+ *   await ps.publish("orders.eu.created", { orderId: "ord_1" });
+ *   await ps.publish("audit.security.login.failed", { userId: "u_7" });
+ *   await ps.close();
+ */
 function create(opts) {
   opts = opts || {};
   validateOpts(opts, [