@blamejs/core 0.9.15 → 0.9.17

package/lib/middleware/openapi-serve.js

@@ -25,7 +25,7 @@
  * which omits the CORS header.
  */
 
-var nodeCrypto    = require("crypto");
+var nodeCrypto    = require("node:crypto");
 var validateOpts  = require("../validate-opts");
 var lazyRequire   = require("../lazy-require");
 var { defineClass } = require("../framework-error");

package/lib/middleware/require-bound-key.js

@@ -52,7 +52,7 @@ var defineClass = require("../framework-error").defineClass;
 var lazyRequire = require("../lazy-require");
 var validateOpts = require("../validate-opts");
 
-var crypto = lazyRequire(function () { return require("../crypto"); });
+var bCrypto = lazyRequire(function () { return require("../crypto"); });
 var audit  = lazyRequire(function () { return require("../audit"); });
 
 var RequireBoundKeyError = defineClass("RequireBoundKeyError", { alwaysPermanent: true });
@@ -67,7 +67,7 @@ function _parseBearer(req) {
 function _timingSafeStringEqual(a, b) {
   if (typeof a !== "string" || typeof b !== "string") return false;
   if (a.length !== b.length) return false;
-  return crypto().timingSafeEqual(Buffer.from(a), Buffer.from(b));
+  return bCrypto().timingSafeEqual(Buffer.from(a), Buffer.from(b));
 }
 
 /**
@@ -243,7 +243,7 @@ function create(opts) {
       var fpColon = req.peerFingerprint && req.peerFingerprint.colon;
       if (!fpHex && req.peerCert && req.peerCert.raw) {
         try {
-          var fp = crypto().hashCertFingerprint(req.peerCert.raw);
+          var fp = bCrypto().hashCertFingerprint(req.peerCert.raw);
           fpHex = fp.hex; fpColon = fp.colon;
         } catch (_e) { /* fall through to refused below */ }
       }
@@ -256,7 +256,7 @@ function create(opts) {
             keyId: record.id || null,
           });
         }
-      } else if (!crypto().isCertRevoked(req.peerCert.raw, pinned)) {
+      } else if (!bCrypto().isCertRevoked(req.peerCert.raw, pinned)) {
         // isCertRevoked returns true on MATCH against the deny-list
         // shape; we use it here as a fingerprint-set membership test
         // because it does the same constant-time hex/colon comparison

package/lib/middleware/require-mtls.js

@@ -49,7 +49,7 @@ var defineClass = require("../framework-error").defineClass;
 var lazyRequire = require("../lazy-require");
 var validateOpts = require("../validate-opts");
 
-var crypto = lazyRequire(function () { return require("../crypto"); });
+var bCrypto = lazyRequire(function () { return require("../crypto"); });
 var audit  = lazyRequire(function () { return require("../audit"); });
 
 var RequireMtlsError = defineClass("RequireMtlsError", { alwaysPermanent: true });
@@ -169,18 +169,18 @@ function create(opts) {
     // allow/deny matching.
     var fp;
     try {
-      fp = crypto().hashCertFingerprint(peerCert.raw);
+      fp = bCrypto().hashCertFingerprint(peerCert.raw);
     } catch (e) {
       return _refuse(res, "fingerprint-failed", { error: (e && e.message) || String(e) });
     }
 
-    if (denyList.length > 0 && crypto().isCertRevoked(peerCert.raw, denyList)) {
+    if (denyList.length > 0 && bCrypto().isCertRevoked(peerCert.raw, denyList)) {
       return _refuse(res, "fingerprint-on-deny-list", {
         fingerprint: fp.colon,
         subject:     (peerCert.subject && peerCert.subject.CN) || null,
       });
     }
-    if (allowList && allowList.length > 0 && !crypto().isCertRevoked(peerCert.raw, allowList)) {
+    if (allowList && allowList.length > 0 && !bCrypto().isCertRevoked(peerCert.raw, allowList)) {
       return _refuse(res, "fingerprint-not-allowed", {
         fingerprint: fp.colon,
         subject:     (peerCert.subject && peerCert.subject.CN) || null,

package/lib/middleware/tus-upload.js

@@ -40,7 +40,7 @@
  * cannot satisfy.
  */
 
-var nodeCrypto       = require("crypto");                                          // for createHash() in checksum extension
+var nodeCrypto       = require("node:crypto");                                          // for createHash() in checksum extension
 var C                = require("../constants");
 var bCrypto          = require("../crypto");
 var lazyRequire      = require("../lazy-require");

package/lib/migrations.js

@@ -38,14 +38,14 @@
  * down() succeeds.
  */
 
-var nodePath = require("path");
+var nodePath = require("node:path");
 var atomicFile = require("./atomic-file");
 var dbSchema = require("./db-schema");
 var lazyRequire = require("./lazy-require");
 var { boot } = require("./log");
 var migrationFiles = require("./migration-files");
 var numericBounds = require("./numeric-bounds");
-var dbModule = lazyRequire(function () { return require("./db"); });
+var db = lazyRequire(function () { return require("./db"); });
 var validateOpts = require("./validate-opts");
 var { FrameworkError } = require("./framework-error");
 
@@ -224,7 +224,7 @@ function _resolveDb(opts) {
   if (opts && opts.db && typeof opts.db.prepare === "function") return opts.db;
   // Fall back to the framework's singleton db when one isn't passed —
   // operator-side wiring usually does `b.migrations.create({ dir })`.
-  var d = dbModule();
+  var d = db();
   if (typeof d.prepare !== "function") {
     throw new MigrationError("migrations/no-db",
       "no db handle: pass opts.db or initialize b.db before create()",

package/lib/mtls-ca.js

@@ -52,8 +52,8 @@
  *   Mutual TLS Certificate Authority — internal CA cert issuance, mTLS gate setup, fingerprint pinning.
  */
 
-var nodeFs = require("fs");
-var nodePath = require("path");
+var nodeFs = require("node:fs");
+var nodePath = require("node:path");
 var nodeCrypto = require("node:crypto");
 var atomicFile = require("./atomic-file");
 var C = require("./constants");
@@ -324,9 +324,9 @@ function create(opts) {
       // so a genuinely-broken filesystem state surfaces in operator logs
       // rather than getting silently swallowed.
       try { if (nodeFs.existsSync(keyTmp))  nodeFs.unlinkSync(keyTmp); }
-      catch (cleanupErr) { caLog.debug("cleanup-failed", { op: "nodeFs.unlinkSync", path: keyTmp, error: cleanupErr.message }); }
+      catch (cleanupErr) { caLog.debug("cleanup-failed", { op: "fs.unlinkSync", path: keyTmp, error: cleanupErr.message }); }
       try { if (nodeFs.existsSync(certTmp)) nodeFs.unlinkSync(certTmp); }
-      catch (cleanupErr) { caLog.debug("cleanup-failed", { op: "nodeFs.unlinkSync", path: certTmp, error: cleanupErr.message }); }
+      catch (cleanupErr) { caLog.debug("cleanup-failed", { op: "fs.unlinkSync", path: certTmp, error: cleanupErr.message }); }
       throw new MtlsCaError("mtls-ca/commit-failed",
         "atomic CA commit failed: " + ((e && e.message) || String(e)));
     }

package/lib/network-byte-quota.js

@@ -43,7 +43,7 @@ var defineClass = require("./framework-error").defineClass;
 var lazyRequire = require("./lazy-require");
 var validateOpts = require("./validate-opts");
 
-var auditFwk = lazyRequire(function () { return require("./audit"); });
+var audit = lazyRequire(function () { return require("./audit"); });
 var observability = lazyRequire(function () { return require("./observability"); });
 
 var ByteQuotaError = defineClass("ByteQuotaError", { alwaysPermanent: true });
@@ -181,7 +181,7 @@ function create(opts) {
   function _emitAudit(action, outcome, metadata) {
     if (!auditOn) return;
     try {
-      auditFwk().safeEmit({
+      audit().safeEmit({
         action:   "network.byte_quota." + action,
         outcome:  outcome,
         metadata: metadata || {},

package/lib/network-smtp-policy.js

@@ -53,7 +53,7 @@
 
 var dns = require("node:dns");
 var dnsPromises = dns.promises;
-var nodeCrypto = require("crypto");
+var nodeCrypto = require("node:crypto");
 var zlib = require("node:zlib");
 var asn1 = require("./asn1-der");
 var lazyRequire = require("./lazy-require");

package/lib/network.js

@@ -33,7 +33,7 @@
 var byteQuota = require("./network-byte-quota");
 var ntpCheck = require("./ntp-check");
 var nts      = require("./network-nts");
-var dns      = require("./network-dns");
+var networkDns = require("./network-dns");
 var networkProxy = require("./network-proxy");
 var networkTls = require("./network-tls");
 var heartbeat = require("./network-heartbeat");
@@ -211,15 +211,15 @@ function bootFromEnv(opts) {
   var dnsServers = env.BLAMEJS_DNS_SERVERS;
   if (dnsServers) {
     var dl = String(dnsServers).split(",").map(function (s) { return s.trim(); }).filter(Boolean);
-    if (dl.length > 0) { dns.setServers(dl); applied.dns.servers = dl.length; }
+    if (dl.length > 0) { networkDns.setServers(dl); applied.dns.servers = dl.length; }
   }
-  if (env.BLAMEJS_DNS_RESULT_ORDER)  { dns.setResultOrder(env.BLAMEJS_DNS_RESULT_ORDER); applied.dns.resultOrder = env.BLAMEJS_DNS_RESULT_ORDER; }
-  if (env.BLAMEJS_DNS_FAMILY)        { dns.setFamily(parseInt(env.BLAMEJS_DNS_FAMILY, 10)); applied.dns.family = parseInt(env.BLAMEJS_DNS_FAMILY, 10); }
-  if (env.BLAMEJS_DNS_LOOKUP_TIMEOUT_MS) { dns.setLookupTimeoutMs(parseInt(env.BLAMEJS_DNS_LOOKUP_TIMEOUT_MS, 10)); applied.dns.lookupTimeoutMs = parseInt(env.BLAMEJS_DNS_LOOKUP_TIMEOUT_MS, 10); }
-  if (env.BLAMEJS_DNS_CACHE_TTL_MS)      { dns.setCacheTtlMs(parseInt(env.BLAMEJS_DNS_CACHE_TTL_MS, 10)); applied.dns.cacheTtlMs = parseInt(env.BLAMEJS_DNS_CACHE_TTL_MS, 10); }
-  if (env.BLAMEJS_DOH_URL)               { dns.useDnsOverHttps({ url: env.BLAMEJS_DOH_URL }); applied.dns.doh = env.BLAMEJS_DOH_URL; }
-  else if (env.BLAMEJS_DOH_PROVIDER)     { dns.useDnsOverHttps({ provider: env.BLAMEJS_DOH_PROVIDER }); applied.dns.dohProvider = env.BLAMEJS_DOH_PROVIDER; }
-  if (env.BLAMEJS_DOT_HOST)              { dns.useDnsOverTls({ host: env.BLAMEJS_DOT_HOST, port: env.BLAMEJS_DOT_PORT ? parseInt(env.BLAMEJS_DOT_PORT, 10) : 853 }); applied.dns.dot = env.BLAMEJS_DOT_HOST; }
+  if (env.BLAMEJS_DNS_RESULT_ORDER)  { networkDns.setResultOrder(env.BLAMEJS_DNS_RESULT_ORDER); applied.dns.resultOrder = env.BLAMEJS_DNS_RESULT_ORDER; }
+  if (env.BLAMEJS_DNS_FAMILY)        { networkDns.setFamily(parseInt(env.BLAMEJS_DNS_FAMILY, 10)); applied.dns.family = parseInt(env.BLAMEJS_DNS_FAMILY, 10); }
+  if (env.BLAMEJS_DNS_LOOKUP_TIMEOUT_MS) { networkDns.setLookupTimeoutMs(parseInt(env.BLAMEJS_DNS_LOOKUP_TIMEOUT_MS, 10)); applied.dns.lookupTimeoutMs = parseInt(env.BLAMEJS_DNS_LOOKUP_TIMEOUT_MS, 10); }
+  if (env.BLAMEJS_DNS_CACHE_TTL_MS)      { networkDns.setCacheTtlMs(parseInt(env.BLAMEJS_DNS_CACHE_TTL_MS, 10)); applied.dns.cacheTtlMs = parseInt(env.BLAMEJS_DNS_CACHE_TTL_MS, 10); }
+  if (env.BLAMEJS_DOH_URL)               { networkDns.useDnsOverHttps({ url: env.BLAMEJS_DOH_URL }); applied.dns.doh = env.BLAMEJS_DOH_URL; }
+  else if (env.BLAMEJS_DOH_PROVIDER)     { networkDns.useDnsOverHttps({ provider: env.BLAMEJS_DOH_PROVIDER }); applied.dns.dohProvider = env.BLAMEJS_DOH_PROVIDER; }
+  if (env.BLAMEJS_DOT_HOST)              { networkDns.useDnsOverTls({ host: env.BLAMEJS_DOT_HOST, port: env.BLAMEJS_DOT_PORT ? parseInt(env.BLAMEJS_DOT_PORT, 10) : 853 }); applied.dns.dot = env.BLAMEJS_DOT_HOST; }
 
   if (env.HTTP_PROXY || env.http_proxy || env.HTTPS_PROXY || env.https_proxy ||
       env.NO_PROXY  || env.no_proxy  || env.ALL_PROXY    || env.all_proxy) {
@@ -286,7 +286,7 @@ function snapshot() {
       servers:     ntpFacade.getServers(),
       thresholds:  ntpCheck.getThresholds(),
     },
-    dns: dns._stateForTest(),
+    dns: networkDns._stateForTest(),
     proxy: networkProxy.snapshot(),
     tls:  {
       systemTrust: networkTls.isSystemTrustEnabled(),
@@ -305,7 +305,7 @@ function _resetForTest() {
   ntpFacade._defaultServers = null;
   ntpFacade._defaultTimeoutMs = null;
   if (typeof ntpCheck._resetThresholdsForTest === "function") ntpCheck._resetThresholdsForTest();
-  dns._resetForTest();
+  networkDns._resetForTest();
   networkProxy._resetForTest();
   networkTls._resetForTest();
   heartbeat._resetForTest();
@@ -316,7 +316,7 @@ function _resetForTest() {
 
 module.exports = {
   ntp:        ntpFacade,
-  dns:        dns,
+  dns:        networkDns,
   proxy:      networkProxy,
   tls:        networkTls,
   heartbeat:  heartbeat,

package/lib/notify.js

@@ -53,10 +53,10 @@ var { NotifyError } = require("./framework-error");
 // Lazy-required modules to avoid load-order cycles. retry / observability /
 // redact / httpClient don't currently import notify, but treating them
 // the same way every primitive does keeps the load-order story uniform.
-var retryModule = lazyRequire(function () { return require("./retry"); });
+var retryHelper = lazyRequire(function () { return require("./retry"); });
 var observability = lazyRequire(function () { return require("./observability"); });
-var redactModule = lazyRequire(function () { return require("./redact"); });
-var httpClientModule = lazyRequire(function () { return require("./http-client"); });
+var redact = lazyRequire(function () { return require("./redact"); });
+var httpClient = lazyRequire(function () { return require("./http-client"); });
 
 var _err = NotifyError.factory;
 
@@ -222,7 +222,7 @@ function httpJson(opts) {
   return {
     name: name,
     send: async function (message, sendOpts) {
-      var client = customClient || httpClientModule();
+      var client = customClient || httpClient();
       var body;
       var contentType;
       if (bodyFormat === "form") {
@@ -380,7 +380,7 @@ function create(opts) {
   var redactFn = (typeof opts.redact === "function")
     ? opts.redact
     // Default: b.redact.redact — the framework's PII detector chain.
-    : function (m) { return redactModule().redact(m); };
+    : function (m) { return redact().redact(m); };
   var defaultTimeoutMs = cfg.defaultTimeoutMs;
   var defaultRetry = opts.defaultRetry || null;
   var defaultBreaker = opts.defaultBreaker || null;
@@ -402,7 +402,7 @@ function create(opts) {
     };
     var breakerOpts = entry.breaker || defaultBreaker;
     if (breakerOpts) {
-      registry.breaker = new (retryModule().CircuitBreaker)(n, breakerOpts);
+      registry.breaker = new (retryHelper().CircuitBreaker)(n, breakerOpts);
     }
     if (entry.serialize) registry.mutex = new safeAsync.Mutex();
     channels[n] = registry;
@@ -519,7 +519,7 @@ function create(opts) {
       try {
         // b.retry.withRetry IS the retry loop. Notify never hand-rolls
         // backoff/jitter/classification — the framework owns it.
-        var result = await retryModule().withRetry(function (attempt) {
+        var result = await retryHelper().withRetry(function (attempt) {
           return _attemptSerialized(attempt);
         }, perCallRetry);
 
@@ -647,7 +647,7 @@ function create(opts) {
       mutex:     null,
     };
     var breakerOpts = entry.breaker || defaultBreaker;
-    if (breakerOpts) registry.breaker = new (retryModule().CircuitBreaker)(name, breakerOpts);
+    if (breakerOpts) registry.breaker = new (retryHelper().CircuitBreaker)(name, breakerOpts);
     if (entry.serialize) registry.mutex = new safeAsync.Mutex();
     channels[name] = registry;
   }

package/lib/ntp-check.js

@@ -44,7 +44,7 @@
  * @card
  *   Boot-time clock-drift verification against an external NTP / NTS-KE reference.
  */
-var dgram = require("dgram");
+var dgram = require("node:dgram");
 var C = require("./constants");
 var lazyRequire = require("./lazy-require");
 var safeAsync = require("./safe-async");

package/lib/object-store/azure-blob.js

@@ -30,9 +30,9 @@
  *   - PutBlock + PutBlockList (multipart for >256MB blobs) is not
  *     implemented; uploads above that ceiling will fail at the API.
  */
-var nodeCrypto = require("crypto");
-var { URL } = require("url");
-var { Readable } = require("stream");
+var nodeCrypto = require("node:crypto");
+var { URL } = require("node:url");
+var { Readable } = require("node:stream");
 var safeXml = require("../parsers/safe-xml");
 var sharedRequest = require("./http-request");
 var C = require("../constants");

package/lib/object-store/gcs.js

@@ -22,9 +22,9 @@
  *   https://cloud.google.com/storage/docs/json_api/v1
  *   https://developers.google.com/identity/protocols/oauth2/service-account
  */
-var nodeFs = require("fs");
-var nodeCrypto = require("crypto");
-var { Readable } = require("stream");
+var nodeFs = require("node:fs");
+var nodeCrypto = require("node:crypto");
+var { Readable } = require("node:stream");
 var safeJson = require("../safe-json");
 var C = require("../constants");
 var numericBounds = require("../numeric-bounds");

package/lib/object-store/http-put.js

@@ -16,7 +16,7 @@
  * Errors are surfaced as object-store errors with statusCode set so the
  * retry layer can classify retryable vs permanent.
  */
-var { Readable } = require("stream");
+var { Readable } = require("node:stream");
 var { ObjectStoreError } = require("../framework-error");
 var safeUrl = require("../safe-url");
 var sharedRequest = require("./http-request");

package/lib/object-store/local.js

@@ -4,15 +4,15 @@
  *
  * Implements the uniform protocol surface (put / get / getStream / delete /
  * head / list) against a directory tree. Streaming is via Node's native
- * nodeFs.createReadStream / createWriteStream — no in-memory buffering of
+ * fs.createReadStream / createWriteStream — no in-memory buffering of
  * full files.
  *
  * Path safety: every key resolves under the configured rootDir, with an
  * alphanumeric + `_-./` charset whitelist and explicit rejection of any
  * path that escapes rootDir after resolution.
  */
-var nodeFs = require("fs");
-var nodePath = require("path");
+var nodeFs = require("node:fs");
+var nodePath = require("node:path");
 var atomicFile = require("../atomic-file");
 var cluster = require("../cluster");
 var { ObjectStoreError } = require("../framework-error");

package/lib/object-store/sigv4-bucket-ops.js

@@ -49,7 +49,7 @@
  * with codes (BUCKET_INVALID_NAME, INVALID_LIFECYCLE, INVALID_CORS_RULE,
  * BUCKET_ALREADY_OWNED, BUCKET_NOT_EMPTY, etc.).
  */
-var nodeCrypto = require("crypto");
+var nodeCrypto = require("node:crypto");
 var C = require("../constants");
 var requestHelpers = require("../request-helpers");
 var sigv4 = require("./sigv4");

package/lib/object-store/sigv4.js

@@ -23,9 +23,9 @@
  * Reference:
  *   https://docs.aws.amazon.com/general/latest/gr/sigv4_signing.html
  */
-var nodeCrypto = require("crypto");
-var { URL } = require("url");
-var { Readable } = require("stream");
+var nodeCrypto = require("node:crypto");
+var { URL } = require("node:url");
+var { Readable } = require("node:stream");
 var safeXml = require("../parsers/safe-xml");
 var sharedRequest = require("./http-request");
 var C = require("../constants");

package/lib/observability.js

@@ -469,7 +469,7 @@ function _buildTraceparent(opts) {
   return "00-" + traceId + "-" + parentId + "-" + flags;
 }
 
-var _nodeCryptoForTrace = require("crypto");
+var _nodeCryptoForTrace = require("node:crypto");
 
 function _newTraceId() {
   var hex = _nodeCryptoForTrace.randomBytes(_TRACE_ID_BYTES).toString("hex");

package/lib/parsers/safe-env.js

@@ -68,7 +68,7 @@ var { boot } = require("../log");
 // (transitively) vault, which leaves safe-env's module.exports
 // half-built when vault first reaches readVar. Defer audit resolution
 // until the first emit-driven call.
-var auditModule = lazyRequire(function () { return require("../audit"); });
+var audit = lazyRequire(function () { return require("../audit"); });
 
 var log = boot("env");
 
@@ -519,11 +519,11 @@ function _writeAuditRows(filepath, diff) {
   // we're a follower, audit.record will throw NotLeaderError. Catch
   // explicitly: a follower's local config-load shouldn't crash because
   // the cluster's audit chain belongs to the leader.
-  var audit = auditModule();   // resolve the lazy-required audit module
+  var auditInst = audit();   // resolve the lazy-required audit module
 
   function _safeRecord(action, metadata) {
     try {
-      audit.emit({
+      auditInst.emit({
         actor:    { kind: "system", id: "config-loader" },
         action:   action,
         outcome:  "success",

package/lib/process-spawn.js

@@ -171,8 +171,8 @@ function spawn(command, args, opts) {
     filtered = built.filtered;
   }
   delete spawnOpts.allowEnv;
-  var nodeChild = require("node:child_process");
-  var child = nodeChild.spawn(command, args || [], spawnOpts);
+  var childProcess = require("node:child_process");
+  var child = childProcess.spawn(command, args || [], spawnOpts);
   try {
     audit().safeEmit({
       action:  "process.spawn",

package/lib/restore-bundle.js

@@ -45,8 +45,8 @@
  *   Backup-bundle reader — verify the manifest signature, list bundle contents without decrypting, and cherry-pick a restore subset to a staging directory the caller atomically swaps into place.
  */
 
-var nodeFs = require("fs");
-var nodePath = require("path");
+var nodeFs = require("node:fs");
+var nodePath = require("node:path");
 var atomicFile = require("./atomic-file");
 var backupCrypto = require("./backup/crypto");
 var backupManifest = require("./backup/manifest");
@@ -131,7 +131,7 @@ async function extract(opts) {
   if (nodeFs.existsSync(opts.stagingDir)) {
     throw new RestoreBundleError("restore-bundle/staging-exists",
       "extract: stagingDir already exists: " + opts.stagingDir +
-      " (refusing to merge into existing directory — pick a fresh nodePath)");
+      " (refusing to merge into existing directory — pick a fresh path)");
   }
   if (!Buffer.isBuffer(opts.passphrase) && typeof opts.passphrase !== "string") {
     throw new RestoreBundleError("restore-bundle/no-passphrase",

package/lib/restore-rollback.js

@@ -6,7 +6,7 @@
  *
  * @intro
  *   Backup-restore safety net — atomic dataDir swap with a versioned
- *   rollback nodePath. The primitive `b.restore` calls to put a
+ *   rollback path. The primitive `b.restore` calls to put a
  *   freshly-decrypted bundle into place: filesystem rename is atomic
  *   on POSIX (and on Windows when nothing has the dir open), so the
  *   swap either fully completes or the previous `dataDir` is
@@ -39,11 +39,11 @@
  *   corrupting state.
  *
  * @card
- *   Backup-restore safety net — atomic dataDir swap with a versioned rollback nodePath.
+ *   Backup-restore safety net — atomic dataDir swap with a versioned rollback path.
  */
 
-var nodeFs = require("fs");
-var nodePath = require("path");
+var nodeFs = require("node:fs");
+var nodePath = require("node:path");
 var atomicFile = require("./atomic-file");
 var C = require("./constants");
 var numericBounds = require("./numeric-bounds");

package/lib/restore.js

@@ -51,9 +51,9 @@
  *     manual recovery)
  */
 
-var nodeFs = require("fs");
-var os = require("os");
-var nodePath = require("path");
+var nodeFs = require("node:fs");
+var os = require("node:os");
+var nodePath = require("node:path");
 var C = require("./constants");
 var bCrypto = require("./crypto");
 var numericChecks = require("./numeric-checks");

package/lib/retry.js

@@ -39,7 +39,7 @@
 
 var C = require("./constants");
 var lazyRequire = require("./lazy-require");
-var nodeCrypto = require("crypto");
+var nodeCrypto = require("node:crypto");
 var numericChecks = require("./numeric-checks");
 // safe-async re-exports withRetry + CircuitBreaker from this module, so a
 // direct top-level require would create a cycle. Lazy-require defers the

package/lib/router.js

@@ -32,10 +32,10 @@
  * @card
  *   HTTP route registration + dispatch.
  */
-var http  = require("http");
-var http2 = require("http2");
-var nodeFs = require("fs");
-var nodePath = require("path");
+var http  = require("node:http");
+var http2 = require("node:http2");
+var nodeFs = require("node:fs");
+var nodePath = require("node:path");
 var C = require("./constants");
 var requestHelpers = require("./request-helpers");
 var lazyRequire = require("./lazy-require");
@@ -46,11 +46,11 @@ var websocket = require("./websocket");
 var { boot } = require("./log");
 var { RouterError } = require("./framework-error");
 
-var auditFwk = lazyRequire(function () { return require("./audit"); });
+var audit = lazyRequire(function () { return require("./audit"); });
 // compliance — lazy because router.js is required during boot before
 // the operator's `b.compliance.set(...)` runs; the posture lookup only
 // matters at listen() time, well after boot finishes.
-var complianceLazy = lazyRequire(function () { return require("./compliance"); });
+var compliance = lazyRequire(function () { return require("./compliance"); });
 
 var log = boot("router");
 var HTTP_STATUS = requestHelpers.HTTP_STATUS;
@@ -733,12 +733,12 @@ class Router {
     if (declared !== "replay-cache") return declared;
     var active = null;
     try {
-      var compliance = complianceLazy();
-      if (compliance && typeof compliance.current === "function") active = compliance.current();
+      var complianceInst = compliance();
+      if (complianceInst && typeof complianceInst.current === "function") active = complianceInst.current();
     } catch (_e) { /* compliance not initialized */ }
     if (active && TLS_0RTT_FAILCLOSED_POSTURES.indexOf(active) !== -1) {
       try {
-        auditFwk().safeEmit({
+        audit().safeEmit({
           action:   "tls.0rtt.refused",
           outcome:  "denied",
           metadata: { reason: "posture-failclosed", posture: active, declared: declared },
@@ -759,7 +759,7 @@ class Router {
     if (String(earlyDataHeader).trim() !== "1") return null;                       // RFC 8470: only "1" means early data
     if (posture === "refuse") {
       try {
-        auditFwk().safeEmit({
+        audit().safeEmit({
           action:   "tls.0rtt.refused",
           outcome:  "denied",
           metadata: { reason: "posture-refuse", method: req.method, url: req.url },
@@ -783,7 +783,7 @@ class Router {
     var key = hash.digest("hex");
     if (this._tls0RttReplayCache.has(key)) {
       try {
-        auditFwk().safeEmit({
+        audit().safeEmit({
           action:   "tls.0rtt.replayed",
           outcome:  "denied",
           metadata: { reason: "cache-hit", method: req.method, url: req.url,
@@ -805,7 +805,7 @@ class Router {
     }
     this._tls0RttReplayCache.set(key, nowMs + TLS_0RTT_REPLAY_WINDOW_MS);
     try {
-      auditFwk().safeEmit({
+      audit().safeEmit({
         action:   "tls.0rtt.accepted",
         outcome:  "success",
         metadata: { method: req.method, url: req.url, windowMs: TLS_0RTT_REPLAY_WINDOW_MS },
@@ -889,7 +889,7 @@ class Router {
           });
         } catch (parseErr) {
           try {
-            auditFwk().safeEmit({
+            audit().safeEmit({
               action:   "router.redirect.cross_origin.refused",
               outcome:  "denied",
               metadata: {
@@ -913,7 +913,7 @@ class Router {
         }
         if (!match) {
           try {
-            auditFwk().safeEmit({
+            audit().safeEmit({
               action:   "router.redirect.cross_origin.refused",
               outcome:  "denied",
               metadata: {
@@ -930,7 +930,7 @@ class Router {
           );
         }
         try {
-          auditFwk().safeEmit({
+          audit().safeEmit({
             action:   "router.redirect.cross_origin.allowed",
             outcome:  "success",
             metadata: { target: url, origin: targetOrigin },
@@ -1064,7 +1064,7 @@ class Router {
         // (a clean peer would not initiate after GOAWAY).
         h2session.on("stream", function (stream) {
           if (h2session._blamejsGoawaySent) {
-            try { auditFwk().safeEmit({
+            try { audit().safeEmit({
               action:   "http2.window_update.refused",
               outcome:  "denied",
               metadata: { reason: "post-goaway-stream", streamId: stream.id || null,

package/lib/safe-url.js

@@ -49,8 +49,8 @@ var codepointClass = require("./codepoint-class");
 var lazyRequire = require("./lazy-require");
 var numericBounds = require("./numeric-bounds");
 var { FrameworkError } = require("./framework-error");
-var nodeUrl = require("url");
-var { URL } = require("url");
+var nodeUrl = require("node:url");
+var { URL } = require("node:url");
 
 var audit = lazyRequire(function () { return require("./audit"); });
 

package/lib/sandbox.js

@@ -78,7 +78,7 @@
  * arbitrary source from the public internet.
  */
 
-var nodePath = require("path");
+var nodePath = require("node:path");
 var lazyRequire = require("./lazy-require");
 var validateOpts = require("./validate-opts");
 var numericBounds = require("./numeric-bounds");

package/lib/security-assert.js

@@ -67,7 +67,7 @@
  * non-function extra entry, etc.) so the operator catches typos at
  * boot, not at the moment they were trying to gate the boot.
  */
-var nodeFs = require("fs");
+var nodeFs = require("node:fs");
 var nodeTls = require("node:tls");
 var lazyRequire = require("./lazy-require");
 var safeEnv = require("./parsers/safe-env");