@blamejs/core 0.9.14 → 0.9.15

package/lib/restore.js

@@ -51,11 +51,11 @@
  *     manual recovery)
  */
 
-var fs = require("fs");
+var nodeFs = require("fs");
 var os = require("os");
-var path = require("path");
+var nodePath = require("path");
 var C = require("./constants");
-var crypto = require("./crypto");
+var bCrypto = require("./crypto");
 var numericChecks = require("./numeric-checks");
 var restoreBundle = require("./restore-bundle");
 var restoreRollback = require("./restore-rollback");
@@ -128,11 +128,11 @@ function create(opts) {
     while (stack.length > 0) {
       var current = stack.pop();
       var entries;
-      try { entries = fs.readdirSync(current, { withFileTypes: true }); }
+      try { entries = nodeFs.readdirSync(current, { withFileTypes: true }); }
       catch (_e) { continue; }
       for (var i = 0; i < entries.length; i++) {
         var entry = entries[i];
-        var full = path.join(current, entry.name);
+        var full = nodePath.join(current, entry.name);
         if (entry.isDirectory()) {
           stack.push(full);
         } else if (entry.isFile()) {
@@ -141,7 +141,7 @@ function create(opts) {
             return { tooManyFiles: true, fileCount: fileCount };
           }
           try {
-            totalBytes += fs.statSync(full).size;
+            totalBytes += nodeFs.statSync(full).size;
             if (totalBytes > maxPulledBytes) {
               return { tooManyBytes: true, totalBytes: totalBytes };
             }
@@ -200,8 +200,8 @@ function create(opts) {
         "inspect: bundle '" + bundleId + "' not in storage");
     }
     await _preflightBundleSize(bundleId);
-    var pullDir = path.join(os.tmpdir(),
-      "blamejs-restore-inspect-" + crypto.generateToken(4));
+    var pullDir = nodePath.join(os.tmpdir(),
+      "blamejs-restore-inspect-" + bCrypto.generateToken(4));
     try {
       await storage.readBundle(bundleId, pullDir);
       var pulled = _walkPullDirFootprint(pullDir);
@@ -217,7 +217,7 @@ function create(opts) {
       }
       return restoreBundle.inspect({ bundleDir: pullDir });
     } finally {
-      try { fs.rmSync(pullDir, { recursive: true, force: true }); } catch (_e) { /* best-effort tmpdir cleanup */ }
+      try { nodeFs.rmSync(pullDir, { recursive: true, force: true }); } catch (_e) { /* best-effort tmpdir cleanup */ }
     }
   }
 
@@ -234,13 +234,13 @@ function create(opts) {
         "run: bundle '" + bundleId + "' not in storage");
     }
 
-    var pullId = crypto.generateToken(4);
-    var pullDir    = path.join(os.tmpdir(), "blamejs-restore-pull-"    + pullId);
-    var stagingDir = path.join(os.tmpdir(), "blamejs-restore-staging-" + pullId);
+    var pullId = bCrypto.generateToken(4);
+    var pullDir    = nodePath.join(os.tmpdir(), "blamejs-restore-pull-"    + pullId);
+    var stagingDir = nodePath.join(os.tmpdir(), "blamejs-restore-staging-" + pullId);
 
     function _cleanupTmp() {
-      try { fs.rmSync(pullDir,    { recursive: true, force: true }); } catch (_e) { /* best-effort tmpdir cleanup */ }
-      try { fs.rmSync(stagingDir, { recursive: true, force: true }); } catch (_e) { /* best-effort tmpdir cleanup */ }
+      try { nodeFs.rmSync(pullDir,    { recursive: true, force: true }); } catch (_e) { /* best-effort tmpdir cleanup */ }
+      try { nodeFs.rmSync(stagingDir, { recursive: true, force: true }); } catch (_e) { /* best-effort tmpdir cleanup */ }
     }
 
     // 1. Pull bundle out of storage
@@ -319,7 +319,7 @@ function create(opts) {
     } catch (e) {
       // Pull dir is safe to clean (the source bundle is in storage);
       // staging stays for manual recovery.
-      try { fs.rmSync(pullDir, { recursive: true, force: true }); } catch (_e) { /* best-effort tmpdir cleanup */ }
+      try { nodeFs.rmSync(pullDir, { recursive: true, force: true }); } catch (_e) { /* best-effort tmpdir cleanup */ }
       _emitAudit("restore.failure",
         { bundleId: bundleId, reason: "swap: " + ((e && e.message) || String(e)) },
         "failure");
@@ -331,7 +331,7 @@ function create(opts) {
     }
 
     // 4. Clean up the pull dir (source bundle still in storage)
-    try { fs.rmSync(pullDir, { recursive: true, force: true }); } catch (_e) { /* best-effort tmpdir cleanup */ }
+    try { nodeFs.rmSync(pullDir, { recursive: true, force: true }); } catch (_e) { /* best-effort tmpdir cleanup */ }
 
     var summary = {
       bundleId:     bundleId,

package/lib/router.js

@@ -34,8 +34,8 @@
  */
 var http  = require("http");
 var http2 = require("http2");
-var fs = require("fs");
-var path = require("path");
+var nodeFs = require("fs");
+var nodePath = require("path");
 var C = require("./constants");
 var requestHelpers = require("./request-helpers");
 var lazyRequire = require("./lazy-require");
@@ -296,8 +296,8 @@ class Router {
     this.routes = [];
     this.middleware = [];
     // WebSocket routes are kept separate from HTTP routes — they're
-    // matched on the upgrade / Extended CONNECT path, not on a method
-    // verb. Map<path, { handler, opts }>.
+    // matched on the upgrade / Extended CONNECT nodePath, not on a method
+    // verb. Map<nodePath, { handler, opts }>.
     this._wsRoutes = new Map();
     // Active WebSocket connections opened through router.ws(). Tracked
     // so router.closeWebSockets() can do a clean rolling-shutdown.
@@ -407,7 +407,7 @@ class Router {
   //   process.exit(0);
   //
   // Tests use the same primitive in teardown — no parallel cleanup
-  // path, no h1-upgrade detached-socket workaround.
+  // nodePath, no h1-upgrade detached-socket workaround.
   async closeWebSockets(opts) {
     opts = opts || {};
     var timeoutMs = typeof opts.timeoutMs === "number" ? opts.timeoutMs : C.TIME.seconds(5);
@@ -603,7 +603,7 @@ class Router {
 
   // ---- WebSocket route registration ----
   //
-  // ws(path, handler, opts?)
+  // ws(nodePath, handler, opts?)
   //   path     — exact match. Path-param patterns aren't supported on
   //              upgrade requests; operators that need dynamic paths
   //              register one ws route per stable shape.
@@ -1089,7 +1089,7 @@ class Router {
     // server's emitter list clean for HTTP-only deployments.
     if (self._wsRoutes.size > 0) {
       // h1 upgrade event — fires for "Upgrade: websocket" from h1
-      // clients. Routes by path; refuses with 426 in h2-only mode.
+      // clients. Routes by nodePath; refuses with 426 in h2-only mode.
       server.on("upgrade", function (req, socket, head) {
         var pathname = String(req.url || "/").split("?")[0];
         var route = self._wsRoutes.get(pathname);
@@ -1201,18 +1201,18 @@ class Router {
  */
 // Static file serving middleware
 function serveStatic(dir) {
-  var root = path.resolve(dir);
+  var root = nodePath.resolve(dir);
   return (req, res, next) => {
     if (req.method !== "GET") return next();
     var rel = req.pathname;
     if (rel.includes("\0")) return next();
-    var filePath = path.resolve(path.join(root, rel));
+    var filePath = nodePath.resolve(nodePath.join(root, rel));
     if (!filePath.startsWith(root)) return next();
-    if (!fs.existsSync(filePath) || fs.statSync(filePath).isDirectory()) return next();
+    if (!nodeFs.existsSync(filePath) || nodeFs.statSync(filePath).isDirectory()) return next();
 
-    var ext = path.extname(filePath).toLowerCase();
+    var ext = nodePath.extname(filePath).toLowerCase();
     var mime = MIME_TYPES[ext] || "application/octet-stream";
-    var stat = fs.statSync(filePath);
+    var stat = nodeFs.statSync(filePath);
     var hasVersion = req.url && req.url.includes("?v=");
     var cacheControl = hasVersion
       ? "public, max-age=31536000, immutable"
@@ -1222,7 +1222,7 @@ function serveStatic(dir) {
       "Content-Length": stat.size,
       "Cache-Control":  cacheControl,
     });
-    fs.createReadStream(filePath).pipe(res);
+    nodeFs.createReadStream(filePath).pipe(res);
   };
 }
 

package/lib/sandbox.js

@@ -78,11 +78,11 @@
  * arbitrary source from the public internet.
  */
 
-var path = require("path");
+var nodePath = require("path");
 var lazyRequire = require("./lazy-require");
 var validateOpts = require("./validate-opts");
 var numericBounds = require("./numeric-bounds");
-var constants = require("./constants");
+var C = require("./constants");
 var { SandboxError } = require("./framework-error");
 
 var audit = lazyRequire(function () { return require("./audit"); });
@@ -110,14 +110,14 @@ var ALWAYS_AVAILABLE = Object.freeze([
   "Promise", "Error", "TypeError", "RangeError", "RegExp",
 ]);
 
-var WORKER_PATH = path.resolve(__dirname, "sandbox-worker.js");
+var WORKER_PATH = nodePath.resolve(__dirname, "sandbox-worker.js");
 
 // Default caps. Sourced from C.* helpers so the unit lives at the call site.
 var DEFAULT_TIMEOUT_MS = 250;
-var MAX_TIMEOUT_MS = constants.TIME.seconds(10);
-var DEFAULT_MAX_BYTES = constants.BYTES.mib(64);
-var MAX_MAX_BYTES = constants.BYTES.gib(1);
-var MIN_MAX_BYTES = constants.BYTES.mib(4);
+var MAX_TIMEOUT_MS = C.TIME.seconds(10);
+var DEFAULT_MAX_BYTES = C.BYTES.mib(64);
+var MAX_MAX_BYTES = C.BYTES.gib(1);
+var MIN_MAX_BYTES = C.BYTES.mib(4);
 
 function _validateAllowed(allowed) {
   if (allowed === undefined || allowed === null) return [];
@@ -217,7 +217,7 @@ function run(opts) {
   // floor so the worker can boot. Round each cap down to a MiB integer.
   // Floors / caps are quanta of MiB chosen to fit a small embedded
   // worker; passed straight to v8's resourceLimits.
-  var oneMib = constants.BYTES.mib(1);
+  var oneMib = C.BYTES.mib(1);
   // The MiB-unit caps below are integers passed directly to v8's
   // resourceLimits (already typed in MiB by the v8 API), not byte
   // counts - the constants helpers don't apply.

package/lib/sec-cyber.js

@@ -69,7 +69,7 @@
 var audit = require("./audit");
 var C = require("./constants");
 var validateOpts = require("./validate-opts");
-var nb = require("./numeric-bounds");
+var numericBounds = require("./numeric-bounds");
 var { defineClass } = require("./framework-error");
 var SecCyberError = defineClass("SecCyberError", { alwaysPermanent: true });
 
@@ -104,9 +104,9 @@ function eightKArtifact(opts) {
     "secCyber.eightKArtifact: registrant.name", SecCyberError, "BAD_REGISTRANT_NAME");
   validateOpts.requireNonEmptyString(opts.registrant.cik,
     "secCyber.eightKArtifact: registrant.cik", SecCyberError, "BAD_CIK");
-  nb.requirePositiveFiniteIntIfPresent(opts.detectedAt,
+  numericBounds.requirePositiveFiniteIntIfPresent(opts.detectedAt,
     "secCyber.eightKArtifact: detectedAt", SecCyberError, "BAD_DETECTED_AT");
-  nb.requirePositiveFiniteIntIfPresent(opts.materialityDeterminedAt,
+  numericBounds.requirePositiveFiniteIntIfPresent(opts.materialityDeterminedAt,
     "secCyber.eightKArtifact: materialityDeterminedAt", SecCyberError, "BAD_MAT_AT");
 
   if (FINDINGS.indexOf(opts.materialityFinding) === -1) {

package/lib/security-assert.js

@@ -67,7 +67,7 @@
  * non-function extra entry, etc.) so the operator catches typos at
  * boot, not at the moment they were trying to gate the boot.
  */
-var fs = require("fs");
+var nodeFs = require("fs");
 var nodeTls = require("node:tls");
 var lazyRequire = require("./lazy-require");
 var safeEnv = require("./parsers/safe-env");
@@ -286,7 +286,7 @@ async function assertProduction(opts) {
   if (typeof opts.dataDir === "string" && opts.dataDir.length > 0 && process.platform !== "win32") {
     var maxMode = typeof opts.maxDataDirMode === "number" ? opts.maxDataDirMode : 0o750;
     try {
-      var stat = fs.statSync(opts.dataDir);
+      var stat = nodeFs.statSync(opts.dataDir);
       var mode = stat.mode & 0o777;
       if (mode > maxMode) {
         failures.push({ ok: false, code: "security/datadir-permissions",

package/lib/seeders.js

@@ -15,7 +15,7 @@
  *
  *   module.exports = {
  *     description: "Create default admin user for local dev",
- *     // Optional — when omitted, the env is inferred from the path.
+ *     // Optional — when omitted, the env is inferred from the nodePath.
  *     // When present, this seed only applies under one of these envs.
  *     envs:        ["dev", "test"],
  *     // Default false — applied once and recorded in registry.
@@ -54,7 +54,7 @@
  *     applied state)
  */
 
-var path = require("path");
+var nodePath = require("path");
 var atomicFile = require("./atomic-file");
 var C = require("./constants");
 var dbSchema = require("./db-schema");
@@ -161,7 +161,7 @@ function _resolveDb(opts) {
 // ---- Directory walking + seed loading ----
 
 function _envDir(rootDir, env) {
-  return path.join(rootDir, env);
+  return nodePath.join(rootDir, env);
 }
 
 function _listSeedFiles(rootDir, env) {
@@ -171,7 +171,7 @@ function _listSeedFiles(rootDir, env) {
 }
 
 function _loadSeed(rootDir, env, file) {
-  var fullPath = path.join(_envDir(rootDir, env), file);
+  var fullPath = nodePath.join(_envDir(rootDir, env), file);
   // Drop require cache for this path so a test rewriting a fixture
   // between calls picks it up. Production restarts the process anyway.
   try { delete require.cache[require.resolve(fullPath)]; } catch (_e) { /* not yet cached */ }

package/lib/self-update.js

@@ -47,13 +47,13 @@
  *   Framework / vendored-deps integrity check plus version pinning — refuses to install a new build when the asset's detached signature does not verify against the operator-supplied public key, or when the vendored SHA the new build would ship does not match the manifest the opera...
  */
 
-var fs = require("fs");
-var path = require("path");
+var nodeFs = require("fs");
+var nodePath = require("path");
 var nodeCrypto = require("crypto");
-var nb = require("./numeric-bounds");
+var numericBounds = require("./numeric-bounds");
 var atomicFile = require("./atomic-file");
 var validateOpts = require("./validate-opts");
-var bjCrypto = require("./crypto");
+var bCrypto = require("./crypto");
 var httpClient = require("./http-client");
 var safeJson = require("./safe-json");
 var { URL: NodeUrl } = require("url");
@@ -153,9 +153,9 @@ function _validatePollOpts(opts) {
     throw new SelfUpdateError("selfupdate/bad-sig-pattern",
       "selfUpdate.poll: opts.signaturePattern must be a RegExp or string when present");
   }
-  nb.requirePositiveFiniteIntIfPresent(opts.maxBytes,
+  numericBounds.requirePositiveFiniteIntIfPresent(opts.maxBytes,
     "selfUpdate.poll: opts.maxBytes", SelfUpdateError, "selfupdate/bad-max-bytes");
-  nb.requirePositiveFiniteIntIfPresent(opts.timeoutMs,
+  numericBounds.requirePositiveFiniteIntIfPresent(opts.timeoutMs,
     "selfUpdate.poll: opts.timeoutMs", SelfUpdateError, "selfupdate/bad-timeout");
 }
 
@@ -178,7 +178,7 @@ function _matchAsset(name, pattern, fallback) {
  * Fetch a releases feed and report whether a newer tag is available.
  * Tags are compared semver-style with a leading `v` stripped. When
  * `opts.etag` is supplied an `If-None-Match` header makes a 304 a fast
- * "no update" path. The match against asset and signature URLs uses
+ * "no update" nodePath. The match against asset and signature URLs uses
  * `opts.assetPattern` and `opts.signaturePattern` (RegExp or substring)
  * with conservative fallbacks. Throws SelfUpdateError on a non-2xx
  * upstream, malformed JSON, or unexpected shape.
@@ -367,7 +367,7 @@ function _validateVerifyOpts(opts) {
     throw new SelfUpdateError("selfupdate/bad-hash-algo",
       "selfUpdate.verify: opts.hashAlgo must be one of " + ALLOWED_HASH_ALGS.join(", "));
   }
-  nb.requirePositiveFiniteIntIfPresent(opts.maxBytes,
+  numericBounds.requirePositiveFiniteIntIfPresent(opts.maxBytes,
     "selfUpdate.verify: opts.maxBytes", SelfUpdateError, "selfupdate/bad-max-bytes");
 }
 
@@ -426,7 +426,7 @@ async function verify(opts) {
   }
 
   var ok = false;
-  try { ok = bjCrypto.verify(assetBytes, sigBytes, opts.pubkeyPem); }
+  try { ok = bCrypto.verify(assetBytes, sigBytes, opts.pubkeyPem); }
   catch (e) {
     _safeAuditEmit("selfupdate.verify.failed", "denied", {
       assetPath: opts.assetPath, signaturePath: opts.signaturePath,
@@ -515,19 +515,19 @@ async function swap(opts) {
   var to       = opts.to;
   var backupTo = opts.backupTo;
 
-  if (!fs.existsSync(from)) {
+  if (!nodeFs.existsSync(from)) {
     throw new SelfUpdateError("selfupdate/missing-from",
       "selfUpdate.swap: from path does not exist: " + from);
   }
 
-  var toDir       = path.dirname(to);
-  var backupDir   = path.dirname(backupTo);
+  var toDir       = nodePath.dirname(to);
+  var backupDir   = nodePath.dirname(backupTo);
   atomicFile.ensureDir(toDir);
   atomicFile.ensureDir(backupDir);
 
   // Step 2 — backup if `to` exists. Use atomicFile.copy so the backup
   // hits disk via temp+fsync+rename.
-  var hadOriginal = fs.existsSync(to);
+  var hadOriginal = nodeFs.existsSync(to);
   if (hadOriginal) {
     try {
       await atomicFile.copy(to, backupTo, { fileMode: 0o600 });
@@ -541,14 +541,14 @@ async function swap(opts) {
   // Step 3 — install. Rename is atomic on same FS; on cross-device we
   // fall back to copy + unlink.
   try {
-    fs.renameSync(from, to);
+    nodeFs.renameSync(from, to);
   } catch (e) {
     if (e && e.code === "EXDEV") {
       // Cross-device — copy + unlink. Use atomicFile.copy for the safety
       // net (temp+fsync+rename on dest FS); then remove the source.
       try {
         await atomicFile.copy(from, to, { fileMode: 0o600 });
-        try { fs.unlinkSync(from); } catch (_u) { /* tmp source leak — operator-cleanable */ }
+        try { nodeFs.unlinkSync(from); } catch (_u) { /* tmp source leak — operator-cleanable */ }
       } catch (ce) {
         // Roll back from backup if we have one.
         if (hadOriginal) {
@@ -613,12 +613,12 @@ async function rollback(opts) {
   var to       = opts.to;
   var backupTo = opts.backupTo;
 
-  if (!fs.existsSync(backupTo)) {
+  if (!nodeFs.existsSync(backupTo)) {
     throw new SelfUpdateError("selfupdate/missing-backup",
       "selfUpdate.rollback: backupTo path does not exist: " + backupTo);
   }
 
-  atomicFile.ensureDir(path.dirname(to));
+  atomicFile.ensureDir(nodePath.dirname(to));
   try {
     await atomicFile.copy(backupTo, to, { fileMode: 0o600 });
   } catch (e) {
@@ -626,7 +626,7 @@ async function rollback(opts) {
       "selfUpdate.rollback: copy " + backupTo + " -> " + to + " failed: " +
       ((e && e.message) || String(e)));
   }
-  atomicFile.fsyncDir(path.dirname(to));
+  atomicFile.fsyncDir(nodePath.dirname(to));
 
   _safeAuditEmit("selfupdate.rollback.completed", "success", {
     to: to, backupTo: backupTo,

package/lib/session-device-binding.js

@@ -69,7 +69,7 @@
  */
 
 var C            = require("./constants");
-var blamejsCrypto = require("./crypto");
+var bCrypto = require("./crypto");
 var nodeCrypto   = require("crypto");
 var lazyRequire  = require("./lazy-require");
 var requestHelpers = require("./request-helpers");
@@ -386,7 +386,7 @@ function create(opts) {
       return { ok: false, reason: "missing-bind" };
     }
     if (!Buffer.isBuffer(stored) || stored.length !== fpResult.fingerprint.length ||
-        !blamejsCrypto.timingSafeEqual(stored, fpResult.fingerprint)) {
+        !bCrypto.timingSafeEqual(stored, fpResult.fingerprint)) {
       _emitObs("session.device.drift", {});
       _emitAudit("session.device.drift", _hashTokenForAudit(token), "denied",
         { components: fpResult.components, stage: "verify" }, req);

package/lib/static.js

@@ -31,10 +31,10 @@
  * passing while opening the surface.
  */
 
-var fs = require("node:fs");
+var nodeFs = require("node:fs");
 var fsp = require("node:fs/promises");
 var nodeCrypto = require("node:crypto");
-var path = require("node:path");
+var nodePath = require("node:path");
 var C = require("./constants");
 var gateContract = require("./gate-contract");
 var lazyRequire = require("./lazy-require");
@@ -157,7 +157,7 @@ async function _readMeta(absPath) {
   var sri = nodeCrypto.createHash("sha384");
   var sha3 = nodeCrypto.createHash("sha3-512");
   await new Promise(function (resolve, reject) {
-    var s = fs.createReadStream(absPath);
+    var s = nodeFs.createReadStream(absPath);
     s.on("data", function (chunk) { sri.update(chunk); sha3.update(chunk); });
     s.on("end", resolve);
     s.on("error", reject);
@@ -181,10 +181,10 @@ async function _readMeta(absPath) {
 function _resolveSafe(root, requestedPath) {
   if (typeof requestedPath !== "string" || requestedPath.length === 0) return null;
   if (requestedPath.indexOf("\0") !== -1) return null;
-  var resolved = path.resolve(root, "." + requestedPath);
-  var rootResolved = path.resolve(root);
+  var resolved = nodePath.resolve(root, "." + requestedPath);
+  var rootResolved = nodePath.resolve(root);
   if (resolved !== rootResolved &&
-      !resolved.startsWith(rootResolved + path.sep)) return null;
+      !resolved.startsWith(rootResolved + nodePath.sep)) return null;
 
   // Symlink-escape defense — the lexical resolve above only sees the
   // requested path tokens; a symlink anywhere along `resolved` can
@@ -195,9 +195,9 @@ function _resolveSafe(root, requestedPath) {
   // breaks deploys where the OS prefix-symlinks the temp dir
   // (macOS: /var/folders/X/Y → /private/var/folders/X/Y).
   try {
-    var real = fs.realpathSync(resolved);
-    var rootReal = fs.realpathSync(rootResolved);
-    if (real !== rootReal && !real.startsWith(rootReal + path.sep)) return null;
+    var real = nodeFs.realpathSync(resolved);
+    var rootReal = nodeFs.realpathSync(rootResolved);
+    if (real !== rootReal && !real.startsWith(rootReal + nodePath.sep)) return null;
   } catch (_e) {
     // Path doesn't exist (or is denied) — fall through with the lexical
     // resolution so the caller's stat() returns the natural ENOENT and
@@ -213,7 +213,7 @@ function _resolveSafe(root, requestedPath) {
   // legitimate `<name>.<hash>.js` bundler output) are valid here. The
   // other balanced checks still reject the traversal + smuggling
   // surface the user surfaced.
-  var fname = path.basename(resolved);
+  var fname = nodePath.basename(resolved);
   var rv = guardFilename().validate(fname, {
     profile:             "balanced",
     shellExecExtPolicy:  "allow",
@@ -224,7 +224,7 @@ function _resolveSafe(root, requestedPath) {
 }
 
 function _contentTypeFor(filePath, table) {
-  var ext = path.extname(filePath).toLowerCase();
+  var ext = nodePath.extname(filePath).toLowerCase();
   return (table && table[ext]) || DEFAULT_CONTENT_TYPES[ext] || "application/octet-stream";
 }
 
@@ -293,7 +293,7 @@ function _bareMime(contentType) {
 // gate is wired AND `safeRenderSvg` is enabled, PDF renders inline
 // ONLY when `safeRenderPdf` is explicitly enabled. text/html and
 // text/javascript are inside `text/*` but the browser executes them
-// — they go through the risky path. Everything else (HTML, JS, MJS,
+// — they go through the risky nodePath. Everything else (HTML, JS, MJS,
 // XML, executables, archives, fonts when served from a user-upload
 // directory) gets forced download to defeat stored-XSS via the
 // upload directory.
@@ -301,7 +301,7 @@ function _shouldForceAttachment(contentType, ext, contentSafetyMap, allowSvgRend
   var bare = _bareMime(contentType);
   if (bare.length === 0) return true; // unknown MIME → safest path
   // text/html / text/xml / text/javascript / xhtml are inside `text/*`
-  // but the browser executes them — risky path.
+  // but the browser executes them — risky nodePath.
   if (bare === "text/html" || bare === "text/xml" ||
       bare === "text/javascript" || bare === "application/xhtml+xml") {
     return true;
@@ -339,7 +339,7 @@ function _shouldForceAttachment(contentType, ext, contentSafetyMap, allowSvgRend
 // filename is RFC 5987-encoded so non-ASCII characters survive without
 // allowing CR/LF header injection.
 function _attachmentDisposition(filePath) {
-  var name = path.basename(filePath);
+  var name = nodePath.basename(filePath);
   // Refuse CR/LF/NUL outright — they're already filtered upstream by
   // the path-traversal guard, but defense-in-depth here.
   if (/[\r\n\0]/.test(name)) name = "download";
@@ -399,7 +399,7 @@ function _httpDate(date) {
 function _validateCreateOpts(opts) {
   validateOpts.requireObject(opts, "staticServe.create", StaticServeError);
   validateOpts.requireNonEmptyString(opts.root, "staticServe.create: root", StaticServeError, "BAD_OPT");
-  if (!fs.existsSync(opts.root)) {
+  if (!nodeFs.existsSync(opts.root)) {
     throw _err("BAD_OPT", "staticServe.create: root does not exist: " + opts.root);
   }
   if (typeof opts.mountPath === "string" && opts.mountPath.length === 0) {
@@ -586,7 +586,7 @@ async function integrity(absPath) {
   if (typeof absPath !== "string" || absPath.length === 0) {
     throw _err("BAD_OPT", "staticServe.integrity: absPath must be a non-empty string");
   }
-  var meta = await _readMeta(path.resolve(absPath));
+  var meta = await _readMeta(nodePath.resolve(absPath));
   if (!meta) throw _err("NOT_FOUND", "staticServe.integrity: file not found: " + absPath);
   return meta.integrity;
 }
@@ -609,7 +609,7 @@ function create(opts) {
   ], "staticServe.create");
   _validateCreateOpts(opts);
   var cfg = validateOpts.applyDefaults(opts, DEFAULTS);
-  var root            = path.resolve(opts.root);
+  var root            = nodePath.resolve(opts.root);
   var mountPath       = opts.mountPath || "";
   var hashedPattern   = opts.hashedPathPattern || DEFAULT_HASHED_PATTERN;
   var indexFile       = opts.indexFile === null ? null : (opts.indexFile || DEFAULT_INDEX_FILE);
@@ -772,7 +772,7 @@ function create(opts) {
     catch (_e) { return next(); }
     if (stat.isDirectory()) {
       if (!indexFile) return next();
-      absPath = path.join(absPath, indexFile);
+      absPath = nodePath.join(absPath, indexFile);
     }
 
     // Force-revoke (404 — opaque to clients)
@@ -831,7 +831,7 @@ function create(opts) {
     //   - audit-only / warn → continue (gate emits to audit)
     var gateBytesOverride = null;
     if (contentSafety) {
-      var ext = path.extname(absPath).toLowerCase();
+      var ext = nodePath.extname(absPath).toLowerCase();
       var safetyGate = contentSafety[ext];
       if (safetyGate && typeof safetyGate.check === "function") {
         var gateBuf;
@@ -846,7 +846,7 @@ function create(opts) {
           gateDecision = await safetyGate.check({
             bytes:       gateBuf,
             contentType: _contentTypeFor(absPath, contentTypes),
-            filename:    path.basename(absPath),
+            filename:    nodePath.basename(absPath),
             actor:       actorCtx,
             route:       urlPath,
             direction:   "outbound",
@@ -1026,7 +1026,7 @@ function create(opts) {
     // explicitly on). Pairs with X-Content-Type-Options: nosniff so
     // browsers can't sniff the bytes back into an executable type.
     if (forceAttachmentForNonText) {
-      var dispoExt = path.extname(absPath).toLowerCase();
+      var dispoExt = nodePath.extname(absPath).toLowerCase();
       if (_shouldForceAttachment(headers["Content-Type"], dispoExt, contentSafety,
                                  allowSvgRender, allowPdfRender)) {
         headers["Content-Disposition"] = _attachmentDisposition(absPath);
@@ -1110,7 +1110,7 @@ function create(opts) {
     }
 
     var streamOpts = range ? { start: range.start, end: range.end } : {};
-    var fileStream = fs.createReadStream(absPath, streamOpts);
+    var fileStream = nodeFs.createReadStream(absPath, streamOpts);
 
     // Idle timeout — close the connection if the client stalls. Pattern is
     // a deadline-style debounce (clearTimeout + setTimeout) tied directly