fix(bundle): allow bundle parsing under Zod v4 pick-with-refinements …#77

Merged: seansica merged 1 commit into next from bug/error-loading-latest-enterprise-attack-data on May 8, 2026

@seansica seansica commented May 8, 2026

Fixes #67.

Summary

parseStixBundle validates a bundle's top-level id and type by calling stixBundleSchema.pick({ id: true, type: true }). Zod v4 disallows .pick() on any schema that has refinements attached, and stixBundleSchema carries three (validateXMitreCollection, validateXMitreContentsReferences, validateNoDuplicates). As a result, every call into registerDataSource / loadDataModel threw:

Error: .pick() cannot be used on object schemas containing refinements

Fix

Split stixBundleSchema into two exports:

  • stixBundleBaseSchema — the plain z.object({...}).strict() shape, no refinements. Safe to compose with .pick(), .extend(), etc.
  • stixBundleSchema — stixBundleBaseSchema.check(...) with the existing collection/contents/duplicate refinements. Used for full bundle validation, unchanged.

parseStixBundle now picks id and type from stixBundleBaseSchema, which sidesteps the Zod v4 restriction without weakening any validation: the top-level check was always meant to be a shallow gate (note the existing .loose() so objects passes through to per-object validation), and full bundle validation via stixBundleSchema is still available to callers that want it.

Test plan

  • npx vitest run test/objects/stix-bundle.test.ts — 23/23 pass
  • npx vitest run test/documentation/README.test.ts — 13/13 pass (exercises the registerDataSource → loadDataModel path from the bug report)
  • npx tsc --noEmit clean
  • Reproduce the original failing snippet from [BUG] Error loading latest enterprise-attack data #67 against a local build and confirm it loads techniques/tactics without throwing
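
The difference between the shallow id/type gate and full bundle validation described above, as an added example that is not code from this PR or the library. It uses hand-written checks instead of Zod; the names shallowGate and fullValidate, the duplicate rule (same id and modified), and the sample bundle are assumptions made for illustration.

```typescript
// Added example: hand-written checks, not the library's Zod schemas.
const BUNDLE_ID =
  /^bundle--[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/;

// Shallow gate (hypothetical name): inspects only the top-level id and type,
// like a picked { id, type } schema. `objects` is not looked at.
function shallowGate(input: unknown): string[] {
  if (typeof input !== "object" || input === null || Array.isArray(input)) {
    return ["bundle must be an object"];
  }
  const b = input as Record<string, unknown>;
  const issues: string[] = [];
  if (b.type !== "bundle") issues.push("type must be 'bundle'");
  if (typeof b.id !== "string" || !BUNDLE_ID.test(b.id)) {
    issues.push("id must look like bundle--<uuid>");
  }
  return issues;
}

// Full validation (hypothetical name): the gate plus a duplicate check.
// ASSUMPTION: a duplicate is two objects with the same id and modified value.
function fullValidate(input: unknown): string[] {
  const issues = shallowGate(input);
  if (issues.length > 0) return issues;
  const objects = (input as Record<string, unknown>).objects;
  if (!Array.isArray(objects)) return ["objects must be an array"];
  const seen = new Set<string>();
  objects.forEach((o: unknown, i: number) => {
    const obj = (typeof o === "object" && o !== null ? o : {}) as Record<string, unknown>;
    if (typeof obj.id !== "string") {
      issues.push(`objects[${i}]: missing id`);
      return;
    }
    const key = `${obj.id}|${String(obj.modified)}`;
    if (seen.has(key)) issues.push(`objects[${i}]: duplicate of ${obj.id}`);
    seen.add(key);
  });
  return issues;
}

// Constructed sample: valid top level, but one object is listed twice.
const technique = {
  type: "attack-pattern",
  id: "attack-pattern--aaaaaaaa-bbbb-4ccc-8ddd-eeeeeeeeeeee",
  modified: "2026-01-01T00:00:00.000Z",
};
const constructedBundle = {
  type: "bundle",
  id: "bundle--11111111-2222-4333-8444-555555555555",
  objects: [technique, { ...technique }],
};
```

The constructed bundle clears the gate and fails only under full validation, so code ingesting bundles from an untrusted source should not treat a passed top-level check as a validated bundle.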

…restriction

Zod v4 throws ".pick() cannot be used on object schemas containing
refinements", which broke parseStixBundle's top-level id/type check
against stixBundleSchema. Split the bundle schema into a refinement-free
base (stixBundleBaseSchema) and the refined stixBundleSchema, and pick
from the base.
@seansica seansica merged commit 92d5d10 into next May 8, 2026
2 checks passed
@seansica seansica deleted the bug/error-loading-latest-enterprise-attack-data branch May 8, 2026 19:44

github-actions Bot commented May 8, 2026

🎉 This PR is included in version 4.11.3 🎉

The release is available on:

Your semantic-release bot 📦🚀
