npm - settld - Versions diffs - 0.2.5 → 0.2.7 - Mend

settld 0.2.5 → 0.2.7

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (21) hide show

package/Dockerfile +2 -2
package/package.json +2 -1
package/packages/api-sdk/README.md +71 -0
package/packages/api-sdk/src/client.js +1021 -0
package/packages/api-sdk/src/express-middleware.js +163 -0
package/packages/api-sdk/src/index.d.ts +1662 -0
package/packages/api-sdk/src/index.js +10 -0
package/packages/api-sdk/src/webhook-signature.js +182 -0
package/packages/api-sdk/src/x402-autopay.js +210 -0
package/scripts/ci/cli-pack-smoke.mjs +2 -0
package/scripts/setup/login.mjs +6 -1
package/scripts/setup/onboard.mjs +27 -1
package/scripts/setup/onboarding-failure-taxonomy.mjs +11 -0
package/services/magic-link/README.md +13 -4
package/services/magic-link/src/buyer-auth.js +33 -2
package/services/magic-link/src/decision-otp.js +33 -2
package/services/magic-link/src/email-resend.js +89 -0
package/services/magic-link/src/maintenance.js +26 -1
package/services/magic-link/src/server.js +72 -11
package/services/magic-link/src/smtp.js +19 -4
package/src/api/app.js +6 -1

package/services/magic-link/src/email-resend.js ADDED Viewed

@@ -0,0 +1,89 @@
+function normalizeBaseUrl(raw) {
+  const text = String(raw ?? "").trim();
+  if (!text) return null;
+  try {
+    const parsed = new URL(text);
+    if (parsed.protocol !== "http:" && parsed.protocol !== "https:") return null;
+    return parsed.toString().replace(/\/+$/, "");
+  } catch {
+    return null;
+  }
+}
+function errorMessageOrFallback(err, fallback = "resend request failed") {
+  const direct = typeof err?.message === "string" ? err.message.trim() : "";
+  if (direct) return direct;
+  const asText = String(err ?? "").trim();
+  if (asText && asText !== "[object Object]") return asText;
+  return fallback;
+}
+export async function sendResendMail({
+  apiKey,
+  from,
+  to,
+  subject,
+  text,
+  baseUrl = "https://api.resend.com",
+  timeoutMs = 10_000,
+  fetchImpl = fetch
+} = {}) {
+  const key = String(apiKey ?? "").trim();
+  if (!key) throw new Error("resend api key required");
+  const sender = String(from ?? "").trim();
+  if (!sender) throw new Error("resend from is required");
+  const recipient = String(to ?? "").trim();
+  if (!recipient) throw new Error("resend to is required");
+  const sub = String(subject ?? "").trim();
+  if (!sub) throw new Error("resend subject is required");
+  const bodyText = String(text ?? "");
+  const urlBase = normalizeBaseUrl(baseUrl);
+  if (!urlBase) throw new Error("resend base URL must be a valid http(s) URL");
+  if (typeof fetchImpl !== "function") throw new Error("resend fetch implementation unavailable");
+  const controller = new AbortController();
+  const t = setTimeout(() => controller.abort(), Math.max(100, Number(timeoutMs) || 10_000));
+  t.unref?.();
+  let res;
+  try {
+    res = await fetchImpl(`${urlBase}/emails`, {
+      method: "POST",
+      headers: {
+        authorization: `Bearer ${key}`,
+        "content-type": "application/json"
+      },
+      body: JSON.stringify({
+        from: sender,
+        to: [recipient],
+        subject: sub,
+        text: bodyText
+      }),
+      signal: controller.signal
+    });
+  } catch (err) {
+    throw new Error(errorMessageOrFallback(err, "resend transport failed"));
+  } finally {
+    clearTimeout(t);
+  }
+  const raw = await res.text();
+  let json = null;
+  try {
+    json = raw ? JSON.parse(raw) : null;
+  } catch {
+    json = null;
+  }
+  if (!res.ok) {
+    const message =
+      (json && typeof json === "object" && (json?.message || json?.error?.message || json?.error)) ||
+      raw ||
+      `HTTP ${res.status}`;
+    throw new Error(`resend send failed (${res.status}): ${String(message)}`);
+  }
+  return {
+    ok: true,
+    id: json && typeof json === "object" && typeof json.id === "string" ? json.id : null
+  };
+}

package/services/magic-link/src/maintenance.js CHANGED Viewed

@@ -11,11 +11,21 @@ function nowIso() {
   return new Date().toISOString();
 }
-const dataDir = process.env.MAGIC_LINK_DATA_DIR ? path.resolve(process.env.MAGIC_LINK_DATA_DIR) : path.join(os.tmpdir(), "settld-magic-link");
+const dataDirRaw = process.env.MAGIC_LINK_DATA_DIR ? String(process.env.MAGIC_LINK_DATA_DIR).trim() : "";
+const dataDir = dataDirRaw ? path.resolve(dataDirRaw) : path.join(os.tmpdir(), "settld-magic-link");
+const dataDirLikelyEphemeral =
+  dataDir === "/tmp" ||
+  dataDir.startsWith("/tmp/") ||
+  dataDir === os.tmpdir() ||
+  dataDir.startsWith(`${os.tmpdir()}${path.sep}`);
+const requireDurableDataDir = String(process.env.MAGIC_LINK_REQUIRE_DURABLE_DATA_DIR ?? "0").trim() === "1";
 const migrateOnStartup = String(process.env.MAGIC_LINK_MIGRATE_ON_STARTUP ?? "1").trim() !== "0";
 const intervalSeconds = Number.parseInt(String(process.env.MAGIC_LINK_MAINTENANCE_INTERVAL_SECONDS ?? "86400"), 10);
 if (!Number.isInteger(intervalSeconds) || intervalSeconds < 5) throw new Error("MAGIC_LINK_MAINTENANCE_INTERVAL_SECONDS must be an integer >= 5");
+if (requireDurableDataDir && dataDirLikelyEphemeral) {
+  throw new Error("MAGIC_LINK_REQUIRE_DURABLE_DATA_DIR=1 but MAGIC_LINK_DATA_DIR resolves to an ephemeral path (/tmp)");
+}
 await fs.mkdir(dataDir, { recursive: true });
 const fmt = await checkAndMigrateDataDir({ dataDir, migrateOnStartup });
@@ -35,6 +45,21 @@ process.on("SIGTERM", () => shutdown("SIGTERM"));
 // eslint-disable-next-line no-console
 console.log(JSON.stringify({ at: nowIso(), event: "magic_link_maintenance.start", dataDir, intervalSeconds }, null, 2));
+if (dataDirLikelyEphemeral) {
+  // eslint-disable-next-line no-console
+  console.warn(
+    JSON.stringify(
+      {
+        at: nowIso(),
+        event: "magic_link_maintenance.ephemeral_data_dir_warning",
+        dataDir,
+        message: "data dir looks ephemeral; use persistent volume + MAGIC_LINK_REQUIRE_DURABLE_DATA_DIR=1 in production"
+      },
+      null,
+      2
+    )
+  );
+}
 while (!stopped) {
   const loopStartMs = Date.now();

package/services/magic-link/src/server.js CHANGED Viewed

@@ -713,11 +713,24 @@ async function readJsonIfExists(fp) {
   }
 }
+function isLikelyEphemeralDataDir(dirPath) {
+  const resolved = path.resolve(String(dirPath ?? ""));
+  return (
+    resolved === "/tmp" ||
+    resolved.startsWith("/tmp/") ||
+    resolved === os.tmpdir() ||
+    resolved.startsWith(`${os.tmpdir()}${path.sep}`)
+  );
+}
 const port = Number(process.env.MAGIC_LINK_PORT ?? "8787");
 const host = process.env.MAGIC_LINK_HOST ? String(process.env.MAGIC_LINK_HOST) : "127.0.0.1";
 const socketPath = process.env.MAGIC_LINK_SOCKET_PATH ? path.resolve(String(process.env.MAGIC_LINK_SOCKET_PATH)) : null;
 const apiKey = process.env.MAGIC_LINK_API_KEY ?? null;
-const dataDir = process.env.MAGIC_LINK_DATA_DIR ? path.resolve(process.env.MAGIC_LINK_DATA_DIR) : path.join(os.tmpdir(), "settld-magic-link");
+const dataDirRaw = process.env.MAGIC_LINK_DATA_DIR ? String(process.env.MAGIC_LINK_DATA_DIR).trim() : "";
+const dataDir = dataDirRaw ? path.resolve(dataDirRaw) : path.join(os.tmpdir(), "settld-magic-link");
+const dataDirLikelyEphemeral = isLikelyEphemeralDataDir(dataDir);
+const requireDurableDataDir = String(process.env.MAGIC_LINK_REQUIRE_DURABLE_DATA_DIR ?? "0").trim() === "1";
 const maxUploadBytes = Number(process.env.MAGIC_LINK_MAX_UPLOAD_BYTES ?? String(50 * 1024 * 1024));
 const tokenTtlSeconds = Number(process.env.MAGIC_LINK_TOKEN_TTL_SECONDS ?? String(7 * 24 * 3600));
 const verifyTimeoutMs = Number(process.env.MAGIC_LINK_VERIFY_TIMEOUT_MS ?? String(60_000));
@@ -897,6 +910,10 @@ const smtpUser = process.env.MAGIC_LINK_SMTP_USER ? String(process.env.MAGIC_LIN
 const smtpPass = process.env.MAGIC_LINK_SMTP_PASS ? String(process.env.MAGIC_LINK_SMTP_PASS) : "";
 const smtpFrom = process.env.MAGIC_LINK_SMTP_FROM ? String(process.env.MAGIC_LINK_SMTP_FROM).trim() : "";
 const smtpConfig = smtpHost && smtpFrom ? { host: smtpHost, port: smtpPort, secure: smtpSecure, starttls: smtpStarttls, user: smtpUser, pass: smtpPass, from: smtpFrom } : null;
+const resendApiKey = process.env.MAGIC_LINK_RESEND_API_KEY ? String(process.env.MAGIC_LINK_RESEND_API_KEY).trim() : "";
+const resendFrom = process.env.MAGIC_LINK_RESEND_FROM ? String(process.env.MAGIC_LINK_RESEND_FROM).trim() : "";
+const resendBaseUrl = process.env.MAGIC_LINK_RESEND_BASE_URL ? String(process.env.MAGIC_LINK_RESEND_BASE_URL).trim() : "https://api.resend.com";
+const resendConfig = resendApiKey && resendFrom ? { apiKey: resendApiKey, from: resendFrom, baseUrl: resendBaseUrl } : null;
 const onboardingEmailSequenceDeliveryMode =
   onboardingEmailSequenceDeliveryModeRaw || (smtpConfig ? "smtp" : "record");
@@ -985,10 +1002,14 @@ if (billingProvider === "stripe" && stripeWebhookSecret && !stripeWebhookSecret.
 }
 if (!Number.isInteger(decisionOtpTtlSeconds) || decisionOtpTtlSeconds <= 0) throw new Error("MAGIC_LINK_DECISION_OTP_TTL_SECONDS must be a positive integer");
 if (!Number.isInteger(decisionOtpMaxAttempts) || decisionOtpMaxAttempts < 1) throw new Error("MAGIC_LINK_DECISION_OTP_MAX_ATTEMPTS must be an integer >= 1");
-if (decisionOtpDeliveryMode !== "record" && decisionOtpDeliveryMode !== "log" && decisionOtpDeliveryMode !== "smtp") throw new Error("MAGIC_LINK_DECISION_OTP_DELIVERY_MODE must be record|log|smtp");
+if (decisionOtpDeliveryMode !== "record" && decisionOtpDeliveryMode !== "log" && decisionOtpDeliveryMode !== "smtp" && decisionOtpDeliveryMode !== "resend") {
+  throw new Error("MAGIC_LINK_DECISION_OTP_DELIVERY_MODE must be record|log|smtp|resend");
+}
 if (!Number.isInteger(buyerOtpTtlSeconds) || buyerOtpTtlSeconds <= 0) throw new Error("MAGIC_LINK_BUYER_OTP_TTL_SECONDS must be a positive integer");
 if (!Number.isInteger(buyerOtpMaxAttempts) || buyerOtpMaxAttempts < 1) throw new Error("MAGIC_LINK_BUYER_OTP_MAX_ATTEMPTS must be an integer >= 1");
-if (buyerOtpDeliveryMode !== "record" && buyerOtpDeliveryMode !== "log" && buyerOtpDeliveryMode !== "smtp") throw new Error("MAGIC_LINK_BUYER_OTP_DELIVERY_MODE must be record|log|smtp");
+if (buyerOtpDeliveryMode !== "record" && buyerOtpDeliveryMode !== "log" && buyerOtpDeliveryMode !== "smtp" && buyerOtpDeliveryMode !== "resend") {
+  throw new Error("MAGIC_LINK_BUYER_OTP_DELIVERY_MODE must be record|log|smtp|resend");
+}
 if (!Number.isInteger(buyerSessionTtlSeconds) || buyerSessionTtlSeconds <= 0) throw new Error("MAGIC_LINK_BUYER_SESSION_TTL_SECONDS must be a positive integer");
 if (
   onboardingEmailSequenceDeliveryMode !== "record" &&
@@ -1001,10 +1022,18 @@ if (!Number.isInteger(paymentTriggerRetryIntervalMs) || paymentTriggerRetryInter
 if (!Number.isInteger(paymentTriggerMaxAttempts) || paymentTriggerMaxAttempts < 1) throw new Error("MAGIC_LINK_PAYMENT_TRIGGER_MAX_ATTEMPTS must be an integer >= 1");
 if (!Number.isInteger(paymentTriggerRetryBackoffMs) || paymentTriggerRetryBackoffMs < 0) throw new Error("MAGIC_LINK_PAYMENT_TRIGGER_RETRY_BACKOFF_MS must be an integer >= 0");
 if (typeof migrateOnStartup !== "boolean") throw new Error("MAGIC_LINK_MIGRATE_ON_STARTUP must be 1|0");
+if (requireDurableDataDir && dataDirLikelyEphemeral) {
+  throw new Error("MAGIC_LINK_REQUIRE_DURABLE_DATA_DIR=1 but MAGIC_LINK_DATA_DIR resolves to an ephemeral path (/tmp)");
+}
 if (smtpHost) {
   if (!Number.isInteger(smtpPort) || smtpPort < 1 || smtpPort > 65535) throw new Error("MAGIC_LINK_SMTP_PORT must be 1..65535");
   if (!smtpFrom) throw new Error("MAGIC_LINK_SMTP_FROM is required when MAGIC_LINK_SMTP_HOST is set");
 }
+if (buyerOtpDeliveryMode === "resend" || decisionOtpDeliveryMode === "resend") {
+  if (!resendApiKey || !resendFrom) {
+    throw new Error("MAGIC_LINK_RESEND_API_KEY and MAGIC_LINK_RESEND_FROM are required when OTP delivery mode is resend");
+  }
+}
 if (publicBaseUrl !== null && publicBaseUrl !== "") {
   // Minimal validation; URL constructor will throw on invalid.
   // eslint-disable-next-line no-new
@@ -1062,6 +1091,12 @@ const verifyDurationsWindow = 500;
 await fs.mkdir(dataDir, { recursive: true });
 const dataDirFormat = await checkAndMigrateDataDir({ dataDir, migrateOnStartup });
 if (!dataDirFormat.ok) throw new Error(`magic-link data dir check failed: ${dataDirFormat.code ?? "UNKNOWN"}`);
+if (dataDirLikelyEphemeral) {
+  // eslint-disable-next-line no-console
+  console.warn(
+    `magic-link warning: MAGIC_LINK_DATA_DIR (${dataDir}) is likely ephemeral; use a persistent volume and set MAGIC_LINK_REQUIRE_DURABLE_DATA_DIR=1 in production`
+  );
+}
 function recordVerifyDurationMs(ms) {
   const n = Math.max(0, Number(ms));
@@ -1093,6 +1128,8 @@ async function readinessSignals() {
   metrics.setGauge("magic_link_data_dir_writable_gauge", null, dataDirWritable ? 1 : 0);
   return {
     dataDir,
+    dataDirLikelyEphemeral,
+    requireDurableDataDir,
     dataDirWritable,
     dataFormatVersion: MAGIC_LINK_DATA_FORMAT_VERSION_CURRENT,
     migrateOnStartup,
@@ -10123,10 +10160,18 @@ async function handleBuyerLoginOtpRequest(req, res, tenantId) {
     return sendJson(res, 400, { ok: false, code: "BUYER_EMAIL_DOMAIN_FORBIDDEN", message: "email domain is not allowed" });
   }
-  const issued = await issueBuyerOtp({ dataDir, tenantId, email, ttlSeconds: buyerOtpTtlSeconds, deliveryMode: buyerOtpDeliveryMode, smtp: smtpConfig });
+  const issued = await issueBuyerOtp({
+    dataDir,
+    tenantId,
+    email,
+    ttlSeconds: buyerOtpTtlSeconds,
+    deliveryMode: buyerOtpDeliveryMode,
+    smtp: smtpConfig,
+    resend: resendConfig
+  });
   if (!issued.ok) {
     metrics.incCounter("login_otp_requests_total", { tenantId, ok: "false", code: String(issued.error ?? "OTP_FAILED") }, 1);
-    return sendJson(res, 400, { ok: false, code: issued.error ?? "OTP_FAILED", message: issued.message ?? "otp failed" });
+    return sendJson(res, 400, { ok: false, code: issued.error ?? "OTP_FAILED", message: issued.message || "otp failed" });
   }
   metrics.incCounter("login_otp_requests_total", { tenantId, ok: "true" }, 1);
   try {
@@ -10160,7 +10205,7 @@ async function handleBuyerLogin(req, res, tenantId) {
   if (!isEmailAllowedByDomains({ email, allowedDomains })) return sendJson(res, 400, { ok: false, code: "BUYER_EMAIL_DOMAIN_FORBIDDEN", message: "email domain is not allowed" });
   const verified = await verifyAndConsumeBuyerOtp({ dataDir, tenantId, email, code, maxAttempts: buyerOtpMaxAttempts });
-  if (!verified.ok) return sendJson(res, 400, { ok: false, code: verified.error ?? "OTP_FAILED", message: verified.message ?? "otp failed" });
+  if (!verified.ok) return sendJson(res, 400, { ok: false, code: verified.error ?? "OTP_FAILED", message: verified.message || "otp failed" });
   const session = createBuyerSessionToken({ sessionKey, tenantId, email, ttlSeconds: buyerSessionTtlSeconds });
   if (!session.ok) return sendJson(res, 500, { ok: false, code: session.error ?? "SESSION_FAILED", message: "failed to create buyer session" });
@@ -10336,7 +10381,15 @@ async function handlePublicSignup(req, res) {
     status: "active"
   });
-  const issued = await issueBuyerOtp({ dataDir, tenantId, email, ttlSeconds: buyerOtpTtlSeconds, deliveryMode: buyerOtpDeliveryMode, smtp: smtpConfig });
+  const issued = await issueBuyerOtp({
+    dataDir,
+    tenantId,
+    email,
+    ttlSeconds: buyerOtpTtlSeconds,
+    deliveryMode: buyerOtpDeliveryMode,
+    smtp: smtpConfig,
+    resend: resendConfig
+  });
   if (!issued.ok) {
     return sendJson(res, 202, {
       ok: true,
@@ -10344,7 +10397,7 @@ async function handlePublicSignup(req, res) {
       email,
       otpIssued: false,
       warning: issued.error ?? "OTP_FAILED",
-      message: issued.message ?? "tenant created, otp issue failed"
+      message: issued.message || "tenant created, otp issue failed"
     });
   }
@@ -14515,10 +14568,18 @@ async function handleDecisionOtpRequest(req, res, token) {
     return sendJson(res, 400, { ok: false, code: "OTP_EMAIL_DOMAIN_FORBIDDEN", message: "email domain is not allowed" });
   }
-  const issued = await issueDecisionOtp({ dataDir, token, email, ttlSeconds: decisionOtpTtlSeconds, deliveryMode: decisionOtpDeliveryMode, smtp: smtpConfig });
+  const issued = await issueDecisionOtp({
+    dataDir,
+    token,
+    email,
+    ttlSeconds: decisionOtpTtlSeconds,
+    deliveryMode: decisionOtpDeliveryMode,
+    smtp: smtpConfig,
+    resend: resendConfig
+  });
   if (!issued.ok) {
     metrics.incCounter("decision_otp_requests_total", { tenantId: String(tenantId ?? "default"), ok: "false", code: String(issued.error ?? "OTP_FAILED") }, 1);
-    return sendJson(res, 400, { ok: false, code: issued.error ?? "OTP_FAILED", message: issued.message ?? "otp failed" });
+    return sendJson(res, 400, { ok: false, code: issued.error ?? "OTP_FAILED", message: issued.message || "otp failed" });
   }
   metrics.incCounter("decision_otp_requests_total", { tenantId: String(tenantId ?? "default"), ok: "true" }, 1);
@@ -14724,7 +14785,7 @@ async function handleDecision(req, res, token, { internalAutoDecision = false }
       return sendJson(res, 400, { ok: false, code: "OTP_REQUIRED", message: "otp code is required" });
     }
     const verified = await verifyAndConsumeDecisionOtp({ dataDir, token, email: actorEmailNorm, code: otp, maxAttempts: decisionOtpMaxAttempts });
-    if (!verified.ok) return sendJson(res, 400, { ok: false, code: verified.error ?? "OTP_FAILED", message: verified.message ?? "otp failed" });
+    if (!verified.ok) return sendJson(res, 400, { ok: false, code: verified.error ?? "OTP_FAILED", message: verified.message || "otp failed" });
   }
   let cliOut = null;

package/services/magic-link/src/smtp.js CHANGED Viewed

@@ -21,6 +21,19 @@ function clampText(v, { max }) {
   return s.slice(0, Math.max(0, max - 1)) + "…";
 }
+const SIMPLE_EMAIL_RE = /^[^\s@<>]+@[^\s@<>]+$/;
+export function extractSmtpEnvelopeAddress(value, { fieldName = "address" } = {}) {
+  const raw = String(value ?? "").trim();
+  if (!raw) throw new Error(`smtp ${fieldName} required`);
+  const bracketed = /<\s*([^<>\s@]+@[^\s@<>]+)\s*>/.exec(raw);
+  const candidate = (bracketed ? bracketed[1] : raw).trim();
+  if (!SIMPLE_EMAIL_RE.test(candidate)) {
+    throw new Error(`smtp ${fieldName} must be an email address`);
+  }
+  return candidate;
+}
 export function formatSmtpMessage({ from, to, subject, text, messageIdDomain }) {
   const subj = clampText(subject, { max: 200 });
   const body = String(text ?? "");
@@ -133,6 +146,8 @@ export async function sendSmtpMail({
   if (!h) throw new Error("smtp host required");
   if (!Number.isInteger(p) || p < 1 || p > 65535) throw new Error("smtp port invalid");
   if (!from || !to) throw new Error("smtp from/to required");
+  const envelopeFrom = extractSmtpEnvelopeAddress(from, { fieldName: "from" });
+  const envelopeTo = extractSmtpEnvelopeAddress(to, { fieldName: "to" });
   const connect = secure
     ? () => tls.connect({ host: h, port: p, servername: h })
@@ -178,13 +193,13 @@ export async function sendSmtpMail({
     }
   }
-  await sendCmd(socket, reader, `MAIL FROM:<${from}>`, 250);
-  await sendCmd(socket, reader, `RCPT TO:<${to}>`, [250, 251]);
+  await sendCmd(socket, reader, `MAIL FROM:<${envelopeFrom}>`, 250);
+  await sendCmd(socket, reader, `RCPT TO:<${envelopeTo}>`, [250, 251]);
   await sendCmd(socket, reader, "DATA", 354);
   const domain = (() => {
-    const i = String(from).indexOf("@");
-    return i !== -1 ? String(from).slice(i + 1) : "localhost";
+    const i = envelopeFrom.indexOf("@");
+    return i !== -1 ? envelopeFrom.slice(i + 1) : "localhost";
   })();
   const msg = formatSmtpMessage({ from, to, subject, text, messageIdDomain: domain });

package/src/api/app.js CHANGED Viewed

@@ -7588,7 +7588,12 @@ export function createApi({
     const out = [];
     const seen = new Set();
     for (const entry of parsed) {
-      const id = normalizeOptionalX402RefInput(entry, fieldPath, { allowNull: true, max });
+      if (entry === null || entry === undefined || String(entry).trim() === "") continue;
+      if (typeof entry !== "string") throw new TypeError(`${fieldPath} must contain only strings`);
+      const id = String(entry).trim();
+      if (!id) continue;
+      if (id.length > max) throw new TypeError(`${fieldPath} must be <= ${max} chars`);
+      if (!/^[A-Za-z0-9:_.-]+$/.test(id)) throw new TypeError(`${fieldPath} must match ^[A-Za-z0-9:_.-]+$`);
       if (!id) continue;
       if (seen.has(id)) continue;
       seen.add(id);