@blamejs/core 0.8.52 → 0.8.58

package/lib/storage.js

@@ -675,6 +675,14 @@ function presignedUploadUrl(key, opts)   { return _presign("Upload", key, opts);
  *   classification:  string,    // route to a backend serving this classification
  *   backend:         string,    // explicit backend by name
  *   expiresInSec:    number,    // URL lifetime; backend-defaulted when omitted
+ *   responseHeaders: {          // S3 response-header overrides (sigv4 backend)
+ *     contentDisposition: string,  // e.g. 'attachment; filename="invoice.pdf"'
+ *     contentType:        string,
+ *     contentLanguage:    string,
+ *     contentEncoding:    string,
+ *     cacheControl:       string,
+ *     expires:            string,
+ *   },
  *
  * @example
  *   b.storage.init({
@@ -694,6 +702,9 @@ function presignedUploadUrl(key, opts)   { return _presign("Upload", key, opts);
  *   var presigned = b.storage.presignedDownloadUrl("public/logo.png", {
  *     backend:      "us-ops",
  *     expiresInSec: 60,
+ *     responseHeaders: {
+ *       contentDisposition: 'attachment; filename="logo.png"',
+ *     },
  *   });
  *   presigned.method;   // → "GET"
  */

package/lib/vendor/MANIFEST.json

@@ -83,6 +83,39 @@
         "server": "sha256:4adb3f0afb4a10cf19ebe48d8c69a46f934bbc8d77c694c210564f9583e7f4ba"
       }
     },
+    "bimi-trust-anchors": {
+      "version": "operator-managed",
+      "license": "BIMI Group / per-issuer",
+      "author": "BIMI Group / DigiCert / Entrust",
+      "source": "https://bimigroup.org/",
+      "_about": "RFC 9091 BIMI Group Verified Mark trust-anchor bundle (PEM, concatenated). Loaded by lib/mail-bimi.js for VMC + CMC chain validation. Source-tree default is empty-of-PEM (operators populate via the documented refresh procedure in the file header); call-site overrides via b.mail.bimi.fetchAndVerifyMark({ trustAnchorsPem }) are supported. Refresh procedure pulls https://www.digicert.com/CACerts/DigiCertVerifiedMarkRootCA.pem + https://web.entrust.com/root-certificates/entrust_verified_mark_root_g3.cer and concatenates them into the file.",
+      "exports": [
+        "bimi-vmc-trust-anchors"
+      ],
+      "files": {
+        "server": "lib/vendor/bimi-trust-anchors.pem"
+      },
+      "bundler": "operator-managed (see file header for refresh procedure)",
+      "bundledAt": "2026-05-09",
+      "hashes": {
+        "server": "sha256:81ff9f5ab3c9774132c845684e783be95cf73146f8b670d964105f0a3765b4b4"
+      }
+    },
+    "publicsuffix-list": {
+      "version": "master",
+      "license": "MPL-2.0",
+      "author": "Mozilla Foundation",
+      "source": "https://publicsuffix.org/list/public_suffix_list.dat",
+      "_about": "Mozilla Public Suffix List — canonical catalog of effective top-level domains used by b.publicSuffix to derive organizational domains for DMARCbis (psd= / np=), BIMI, cookie-scope checks, and same-site policies. Loaded at module-init from lib/vendor/public-suffix-list.dat; the file is the data, not a code bundle.",
+      "files": {
+        "server": "lib/vendor/public-suffix-list.dat"
+      },
+      "bundler": "curl https://publicsuffix.org/list/public_suffix_list.dat",
+      "bundledAt": "2026-05-09",
+      "hashes": {
+        "server": "sha256:a00855bbf027ca86cead1cf0bafc0b9b1ae904dda97f3e24b0062aa2e6e289e2"
+      }
+    },
     "peculiar-pki": {
       "version": "2.0.0+pkijs-3.4.0",
       "license": "MIT",

package/lib/vendor/bimi-trust-anchors.pem

@@ -0,0 +1,33 @@
+# BIMI Group Verified Mark Trust Anchors — RFC 9091
+#
+# This file MUST contain the published BIMI Group VMC + CMC issuing-root
+# X.509 certificates in PEM format, concatenated. The current published
+# anchors are:
+#
+#   - DigiCert Verified Mark Root CA
+#     https://www.digicert.com/CACerts/DigiCertVerifiedMarkRootCA.pem
+#
+#   - Entrust Verified Mark Root Certification Authority - VMR1
+#     https://web.entrust.com/root-certificates/entrust_verified_mark_root_g3.cer
+#
+# Refresh procedure (operator):
+#
+#   1. Fetch each of the above PEM files.
+#   2. Concatenate them into this file (replace the contents below).
+#   3. Re-run the framework's vendor-MANIFEST hash refresh:
+#        node scripts/vendor-update.sh
+#   4. Commit alongside the framework version bump.
+#
+# Operators may also pass a custom anchor bundle at call time via
+# `b.mail.bimi.fetchAndVerifyMark({ ..., trustAnchorsPem: "<PEM bytes>" })`
+# — this overrides the vendored bundle for that single call. Use the
+# override path when integrating with a CA list managed by the operator's
+# own PKI inventory rather than the framework's vendored snapshot.
+#
+# The file is intentionally checked-in EMPTY-of-PEM in pre-1.0 source
+# trees: the live issuers rotate, and committing a snapshot here would
+# rot. Operators MUST either (a) populate via the refresh procedure
+# above OR (b) pass `trustAnchorsPem` at call time. Calls to
+# fetchAndVerifyMark with an empty trust-anchor bundle and no operator
+# override raise `bimi/vmc-chain-invalid` with a "no trust anchors
+# configured" message.