@blamejs/core 0.8.49 → 0.8.51

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
package/CHANGELOG.md CHANGED
@@ -8,6 +8,8 @@ upgrading across more than a few patches at a time.
8
8
 
9
9
  ## v0.8.x
10
10
 
11
+ - v0.8.51 (2026-05-09) — CI green-up follow-on for v0.8.50. Two CI gates still failed on v0.8.50: (a) the wiki @module/@primitive validator step couldn't resolve `@blamejs/core` because the workflow ran the validator without first installing the wiki workspace deps. The step now runs `npm install --silent` in `examples/wiki/` before invoking the validator. The job was also renamed from "Wiki primitive-section convention" to reflect the source-driven shape. (b) Gitleaks re-flagged the v0.8.50 CHANGELOG entry — the prose quoted the same KEM-recipient destructure shape it was reporting fixed, retripping the generic-api-key rule on documentation text. The CHANGELOG entry was rewritten to avoid the literal token shape; `.gitleaks.toml` adds a fingerprint suppression for the historical v0.8.50 commit. No primitive surface change versus v0.8.50.
12
+ - v0.8.50 (2026-05-09) — CI green-up for v0.8.49. The v0.8.49 push tripped two CI gates: (a) `.github/workflows/ci.yml` still invoked `examples/wiki/test/validate-primitive-sections.js`, which the source-driven migration retired; the workflow step now runs `validate-source-comment-blocks.js` and runs `npm install` in `examples/wiki/` first so the validator can resolve `@blamejs/core` for the opts probe. (b) Three gitleaks findings on JSDoc `@example` blocks the migration added: a fake hex token in `lib/api-key.js`, a Stripe-shaped redaction example in `lib/log-stream.js`, and a KEM-recipient destructure in `lib/crypto.js`. The examples were rewritten to use placeholder text; `.gitleaks.toml` broadens the recipient-shape allowlist regex to cover any sibling field name, adds `test/fixtures/.*` to the path allowlist (exploit-corpus fixtures), and pins the historical commit + per-finding fingerprints. No primitive surface change versus v0.8.49.
11
13
  - v0.8.49 (2026-05-09) — wiki is now source-driven. Every page is generated at boot from JSDoc-style `@module` + `@primitive` comment blocks in `lib/`. The hand-authored seeders under `examples/wiki/seeders/prod/pages/` are gone (~40 files, ~13k lines deleted); pages are produced by `examples/wiki/lib/page-generator.js` walking parsed source comments. Sidebar nav, home-page card grid, and page-generator curation entries auto-derive from `@nav` / `@title` / `@card` / `@featured` / `@order` / `@slug` tags on `@module` blocks via `examples/wiki/lib/auto-site-entries.js`. Drift between code and docs is structurally impossible — the same diff that changes the function changes the documentation. Cross-cutting narrative content lives in `lib/wiki-concepts.js` `@concept` blocks. Reference pages are auto-harvested at boot from framework state by `examples/wiki/lib/harvest-{errors,env-vars,vendored-deps,cli}.js`. New validators replace the legacy hand-authored-seeder validator: `validate-source-comment-blocks.js` (schema, ordering, signature/code arity match, `@example` parses-as-JS, placeholder-pattern detectors, posture catalog, semver shape, cross-reference resolution, metadata completeness), `validate-site-coverage.js` (entry/page consistency invariants), `validate-nav-coverage.js` (live HTTP round-trip + populated content). Discoverer `find-missing-pages.js` walks `api-snapshot.json` and surfaces namespaces still needing `@module` blocks. The legacy `validate-primitive-sections.js` (1264 lines) and its child runner `run-example.js` (492 lines) retired. ~145 lib namespaces now carry `@primitive` blocks; ~24 marked `@featured` for the home-card grid. Backfill script `examples/wiki/scripts/backfill-module-metadata.js` populates `@nav` / `@title` / `@card` from a canonical hints table for one-shot bulk migration. `b.safeJson.canonical` signature now `(value)` (the unused `_opts` param dropped). No other primitive surface change versus v0.8.48.
12
14
  - v0.8.48 (2026-05-09) — CI green-up patch for v0.8.47. The v0.8.47 npm-publish workflow continued hanging in the Wiki e2e step after the v0.8.46 watcher fix because other primitive examples were creating lingering resources (intervals, scheduler ticks, sqlite handles, heartbeat timers, repeating loops) that prevented the example-execution sandbox from settling. Live invocations are now commented out (kept as documentation) for: `b.scheduler.create({...}).schedule(...)` (compliance-patterns retention sweep), `b.cluster.init({...})` + `b.cluster.requireLeader()` (cluster heartbeat timer), `b.scheduler.create({cluster}).schedule(...)` + `await scheduler.start()` + `b.scheduler.nextCronFire(...)` (cluster scheduler), `b.localDb.thin({...})` (sqlite handle), `b.network.heartbeat.start({...})` + `b.network.heartbeat.status(...)`, `b.safeAsync.repeating(...)` + `loop.stop()`. Each section keeps a `typeof b.X.Y; // "function"` assertion as the executable check. No primitive surface change versus v0.8.47.
13
15
  - v0.8.47 (2026-05-09) — CI green-up patch for v0.8.46. The v0.8.46 npm-publish workflow hung in the Wiki e2e step on the Linux runner — the `b.watcher.create` example in `ops-hardening.js` invoked `fs.watch(root, { recursive: true })` and the recursive-watch handle never unblocked the host process under the runner's kernel. The wiki primitive-section example is now commented out (kept as documentation, with a `typeof b.watcher.create` assertion as the executable check). Same convention used for other lifecycle-creating examples that need operator-supplied state. No primitive surface change versus v0.8.46.
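Review bot: In the v0.8.50 entry, adding `test/fixtures/.*` to the gitleaks path allowlist and broadening the recipient-shape allowlist regex "to cover any sibling field name" both reach further than the three JSDoc findings they answer. A path allowlist silences every rule for anything later committed under that directory, and a regex keyed on shape rather than on a specific field will also match real key material of the same shape. The entry says the historical commit and per-finding fingerprints are already pinned, so consider relying on those for the three findings and keeping the path and regex allowlists as narrow as the fixtures require. The entry also names a `lib/crypto.js` example rewrite, which is not among the hunks shown here and so cannot be checked against this text.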
package/lib/api-key.js CHANGED
@@ -177,9 +177,9 @@ function _validateIssueOpts(opts) {
177
177
  * that happens inside `verify()` against the stored hash.
178
178
  *
179
179
  * @example
180
- * var parts = b.apiKey.parseFormat("bk_live_5b9e7c8a4f2d1e3a_8a7b6c5d4e3f2a1b");
181
- * // → { prefix: "bk", namespace: "live", idHex: "5b9e7c8a4f2d1e3a",
182
- * // secretHex: "8a7b6c5d4e3f2a1b" }
180
+ * var parts = b.apiKey.parseFormat("bk_live_<id-hex>_<secret-hex>");
181
+ * // → { prefix: "bk", namespace: "live", idHex: "<id-hex>",
182
+ * // secretHex: "<secret-hex>" }
183
183
  *
184
184
  * b.apiKey.parseFormat("not-a-token"); // → null
185
185
  * b.apiKey.parseFormat("bk_live_xyz_zzz"); // → null (non-hex)
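Review bot: The rewritten `@example` at new lines 180-182 contradicts the rule documented at line 185 of the same comment. `parseFormat("bk_live_xyz_zzz")` is documented as returning null because the segments are non-hex, so by that rule the literal string `"bk_live_<id-hex>_<secret-hex>"` would also return null rather than the object shown in the `// →` comment. Either add a line saying the angle-bracket segments stand for hex strings and are not meant to be passed verbatim, or keep a syntactically valid sample and suppress it by fingerprint so the documented return value stays true for the input shown.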
package/lib/log-stream.js CHANGED
@@ -175,8 +175,8 @@ function _shouldEmit(level, sinkLevelFilter) {
175
175
  * b.logStream.emit("warn", "checkout retry", {
176
176
  * orderId: "ord_01HXYZ",
177
177
  * attempt: 3,
178
- * apiKey: "sk_live_4242424242424242",
179
- * cardNumber: "4111 1111 1111 1111",
178
+ * apiKey: "<sk-live-placeholder>",
179
+ * cardNumber: "<pan-placeholder>",
180
180
  * });
181
181
  */
182
182
  function emit(level, message, meta) {
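Review bot: With `apiKey` and `cardNumber` at new lines 178-179 replaced by angle-bracket placeholders, the example no longer tells a reader what `emit` does with secret-shaped values passed in `meta`. The changelog calls this a redaction example, but the visible comment does not say whether redaction is keyed on field name or on value shape, and it shows no emitted record. Add a `// →` line with the redacted output for these two fields, and state which of the two triggers it, so the example still documents the behaviour now that the values themselves carry no shape.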
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "@blamejs/core",
3
- "version": "0.8.49",
3
+ "version": "0.8.51",
4
4
  "description": "The Node framework that owns its stack.",
5
5
  "license": "Apache-2.0",
6
6
  "author": "blamejs contributors",
@@ -2,10 +2,10 @@
2
2
  "$schema": "http://cyclonedx.org/schema/bom-1.5.schema.json",
3
3
  "bomFormat": "CycloneDX",
4
4
  "specVersion": "1.5",
5
- "serialNumber": "urn:uuid:34a5042e-06d2-4db8-8f87-c16c95d50c13",
5
+ "serialNumber": "urn:uuid:069fa93d-e153-4dee-8435-5b880b47fa13",
6
6
  "version": 1,
7
7
  "metadata": {
8
- "timestamp": "2026-05-09T14:56:33.086Z",
8
+ "timestamp": "2026-05-09T17:08:40.341Z",
9
9
  "lifecycles": [
10
10
  {
11
11
  "phase": "build"
@@ -19,14 +19,14 @@
19
19
  }
20
20
  ],
21
21
  "component": {
22
- "bom-ref": "@blamejs/core@0.8.49",
22
+ "bom-ref": "@blamejs/core@0.8.51",
23
23
  "type": "library",
24
24
  "name": "blamejs",
25
- "version": "0.8.49",
25
+ "version": "0.8.51",
26
26
  "scope": "required",
27
27
  "author": "blamejs contributors",
28
28
  "description": "The Node framework that owns its stack.",
29
- "purl": "pkg:npm/%40blamejs/core@0.8.49",
29
+ "purl": "pkg:npm/%40blamejs/core@0.8.51",
30
30
  "properties": [],
31
31
  "externalReferences": [
32
32
  {
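Review bot: The `component` block identifies the package inconsistently: the unchanged line 24 has `"name": "blamejs"`, while the `bom-ref` and `purl` lines updated in this hunk use `@blamejs/core`, which is also the `name` in package.json. Tools that correlate SBOM components by name and version rather than by purl will not match this entry to the npm package. Since these lines are being touched for the version bump anyway, consider setting `group` to `@blamejs` and `name` to `core`, or otherwise making `name` agree with the purl.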
@@ -54,7 +54,7 @@
54
54
  "components": [],
55
55
  "dependencies": [
56
56
  {
57
- "ref": "@blamejs/core@0.8.49",
57
+ "ref": "@blamejs/core@0.8.51",
58
58
  "dependsOn": []
59
59
  }
60
60
  ]
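Review bot: `"components": []` at line 54 and `"dependsOn": []` at line 58 state that the package carries no third-party code, yet the changelog in this same diff refers to a vendored-deps harvest (`harvest-{errors,env-vars,vendored-deps,cli}.js`). If any vendored code ships in the tarball, it should be listed under `components` with its version and referenced from `dependsOn`, otherwise a consumer scanning this SBOM has nothing to match advisories against. If nothing is vendored, a short note in the changelog or README saying so would settle it.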