@blamejs/blamejs-shop 0.0.111 → 0.0.112

package/CHANGELOG.md

@@ -8,6 +8,8 @@ upgrading across more than a few patches at a time.
 
 ## v0.0.x
 
+- v0.0.112 (2026-05-23) — **Compose `b.crypto.toBase64Url` instead of reinventing — nine primitives + new detector.** Nine framework primitives (`api-keys`, `carrier-accounts`, `customer-surveys`, `stock-alerts`, `stock-receipts`, `subscription-gifts`, `webhook-receiver`, `wishlist-sharing`, `storefront`'s server-side `_b64u`) shipped with hand-rolled base64url encoding — the canonical four-line `.toString("base64").replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "")` chain. The trailing-padding `.replace(/=+$/, "")` strip is polynomial-ReDoS-shaped per CodeQL js/polynomial-redos. The framework's `b.crypto.toBase64Url(buf)` helper routes through Node's built-in `base64url` encoding which is linear-time and produces the same RFC 4648 §5 output. Every server-side callsite now composes the framework primitive. Two browser-side helpers in `lib/storefront.js`'s WebAuthn UI string-template (no `b.crypto` available in the page runtime) carry inline `allow:inline-base64url-three-replace` markers — `window.btoa` plus the three-replace shim is the browser-built-in equivalent. New `inline-base64url-three-replace` codebase-patterns detector enforces the composition shop-wide. **Added:** *`inline-base64url-three-replace` codebase-patterns detector* — Flags `.replace(/=+$/, ...)` anywhere under `lib/` or `worker/`. Catches the canonical four-line base64url reinvention chain at the trailing-padding-strip line. Ported verbatim (with shop-scope) from blamejs's catalog. Browser-side string-template emissions in `lib/storefront.js` carry inline allow markers documenting that the browser has no `b.crypto` runtime — `window.btoa` plus the three-replace shim is the built-in. **Changed:** *Nine primitives compose `b.crypto.toBase64Url`* — `api-keys` `_generateToken`, `carrier-accounts` `_generateSecret`, `customer-surveys` `_generateToken`, `stock-alerts` `_mintToken` (inlined the redundant `_b64url` helper), `stock-receipts` `_generateToken`, `subscription-gifts` `_generateToken`, `webhook-receiver` `_generateSecret`, `wishlist-sharing` `_generateToken`, and `storefront`'s server-side `_b64u` helper all now route through `_b().crypto.toBase64Url(buf)`. Linear-time output, no polynomial-ReDoS surface, no Node-minor-version Buffer-flag-rename risk.
+
 - v0.0.111 (2026-05-23) — **Restore /feed.xml + /sitemap.xml — `b.safeUrl.parse` returns a URL instance, not a string.** `/feed.xml` and `/sitemap.xml` have been responding 503 "temporarily unavailable" since they shipped. Root cause: three edge handlers (sitemap, feed, scheduled cache-warmer) chained `.replace(/\/$/, "")` directly off `b.safeUrl.parse(...)`. The framework primitive returns a WHATWG `URL` instance, not a string — `URL.prototype.replace` doesn't exist, so every request threw `TypeError: ... .replace is not a function`. The handler's catch swallowed the throw and returned the canonical 503, making the routes appear transiently unavailable when they were in fact permanently broken on that callsite. The bug went undetected because production deploys were frozen at v0.0.101 for a separate reason (now fixed in v0.0.110), so the broken handlers never reached live traffic until today. Fix: chain `.href.replace(/\/$/, "")` so the string method operates on the URL's href string. A new `safeurl-parse-string-method` detector catches the shape repo-wide (47 detectors → adds 1, total 47 → 48). **Added:** *`safeurl-parse-string-method` codebase-patterns detector* — Flags `b.safeUrl.parse(...).<strMethod>(` anywhere under `worker/` — covers `replace` / `startsWith` / `endsWith` / `split` / `includes` / `slice` / `indexOf` / `toLowerCase` / `toUpperCase`. Property access (`.href`) is intentionally NOT flagged — that's the correct shape. The detector exists because three handlers shipped this anti-pattern without anyone noticing while production was frozen; pre-merge detection prevents the next instance from regressing through review the same way. **Fixed:** *Restore `/feed.xml`, `/sitemap.xml`, and the scheduled cache-warmer* — Three callsites in `worker/index.js` shipped `b.safeUrl.parse(env.D1_BRIDGE_URL || "https://blamejs.shop").replace(/\/$/, "")` — `URL.prototype.replace` doesn't exist, so the worker threw TypeError on every request and the edge handler's catch returned the canonical 503. Replaced with `.href.replace(...)` so the trailing-slash strip runs against the URL's serialized form. The semantic contract (operator-configured origin with no trailing slash) is preserved across operator inputs with or without a path prefix.
 
 - v0.0.110 (2026-05-23) — **Unblock Cloudflare production deploys + vendor blamejs v0.12.11 + vendor-drift demoted to warning.** Production Cloudflare Workers deploys have been failing on every push since v0.0.102. Root cause: the container image excludes `worker/` via `.dockerignore` (the worker is deployed separately by `wrangler deploy`, the container only ships the long-running backend), but `test/smoke.js` runs inside the container build's `RUN node test/smoke.js` step and calls the `worker-syntax` gate, which tries to read `worker/index.js` and crashes with `ENOENT`. The Docker build exits 1, `wrangler deploy` aborts, and the production worker is left frozen at the last successful build. The fix: `scripts/check-worker-syntax.js` now skips with a no-op stderr message and exits 0 when its entry file isn't present in the current build context — outside the container (host smoke / CI / npm-publish) the entry is always present and the strict scan runs unchanged. Vendor refresh: blamejs v0.12.11 (carries upstream's matching disciplines). Vendor-drift gate demoted from failure to warning: drift surfaces on stderr (still visible in CI logs + operator terminal) but no longer blocks `npm test` — the committed vendor tree is the source of truth, and operators don't need to refresh on every blamejs release before they can ship an unrelated patch. **Changed:** *`vendor-update.sh --check` warns instead of failing on drift* — Drift between vendored blamejs and the latest upstream tag now surfaces on stderr as `[vendor-check] WARNING — vendored vA.B.C, latest vX.Y.Z` and exits 0. The committed vendor tree is the source of truth — there's no integrity loss from an older-but-still-supported vendor version, and forcing a refresh on every minor blamejs release before any unrelated patch could ship was friction without a corresponding safety win. CI logs and the operator's terminal still display the warning prominently. · *Vendor refresh: blamejs v0.12.10 → v0.12.11* — Standard shallow-clone refresh via `scripts/vendor-update.sh blamejs v0.12.11`. No code changes outside `lib/vendor/blamejs/`. **Fixed:** *Worker-syntax gate skips gracefully when `worker/index.js` is absent* — `scripts/check-worker-syntax.js` now checks for the existence of its entry file before scanning. When the file is missing (Cloudflare container build context, where `worker/` is excluded by `.dockerignore`), the gate logs `[worker-syntax] SKIPPED — <entry> not present in this build context (no worker tree to scan)` to stderr and exits 0. When the file IS present (host smoke runs, CI runners, npm-publish workflow, edge-render checks) the strict balance-walker scan runs unchanged and a missing trailing `}` still fails the build. Unblocks production deploys that have been failing since v0.0.102.

package/lib/api-keys.js

@@ -252,15 +252,13 @@ function _now() { return Date.now(); }
 
 // ---- token generation + hashing -----------------------------------------
 
-// 32 bytes -> 43 chars base64url (no padding). We render manually so
-// the primitive doesn't depend on a Buffer-side flag rename across
-// Node minors.
+// 32 bytes -> 43 chars base64url (no padding). Routes through the
+// framework's `b.crypto.toBase64Url` so the linear-time Node
+// built-in `base64url` encoding runs in place of a polynomial-ReDoS-
+// shaped `.replace(/=+$/, "")` strip (CodeQL js/polynomial-redos).
 function _generateToken() {
   var buf = _b().crypto.generateBytes(TOKEN_BYTE_LEN);
-  return buf.toString("base64")
-    .replace(/\+/g, "-")
-    .replace(/\//g, "_")
-    .replace(/=+$/, "");
+  return _b().crypto.toBase64Url(buf);
 }
 
 function _canonicalToken(input) {

package/lib/carrier-accounts.js

@@ -324,14 +324,12 @@ function _shipFromAddress(a) {
 // ---- secret generation + hashing ---------------------------------------
 
 // 32 bytes -> 43 chars base64url (no padding). Used for rotated api_key
-// / api_secret. We render manually so the primitive doesn't depend on
-// a Buffer-side flag rename across Node minors.
+// / api_secret. Routes through `b.crypto.toBase64Url` (linear-time
+// Node built-in `base64url` encoding) instead of the polynomial-
+// ReDoS-shaped `.replace(/=+$/, "")` strip.
 function _generateSecret() {
   var buf = _b().crypto.generateBytes(SECRET_BYTE_LEN);
-  return buf.toString("base64")
-    .replace(/\+/g, "-")
-    .replace(/\//g, "_")
-    .replace(/=+$/, "");
+  return _b().crypto.toBase64Url(buf);
 }
 
 function _hashAccountNumber(plain) {

package/lib/customer-surveys.js

@@ -409,13 +409,12 @@ function _validateAnswers(answers, questions) {
 
 // 32 random bytes -> 43-char base64url (no padding). Rendered
 // manually so the primitive doesn't depend on a Buffer-side flag
-// rename across Node minors.
+// rename across Node minors. Routes through `b.crypto.toBase64Url`
+// (linear-time built-in encoding) instead of the polynomial-ReDoS-
+// shaped `.replace(/=+$/, "")` strip.
 function _generateToken() {
   var buf = _b().crypto.generateBytes(TOKEN_BYTE_LEN);
-  return buf.toString("base64")
-    .replace(/\+/g, "-")
-    .replace(/\//g, "_")
-    .replace(/=+$/, "");
+  return _b().crypto.toBase64Url(buf);
 }
 
 function _canonicalToken(input) {

package/lib/stock-alerts.js

@@ -142,18 +142,9 @@ function _validateNow(n) {
   return n;
 }
 
-// Base64url with no padding — matches RFC 4648 §5. 24 bytes → 32 chars.
-function _b64url(buf) {
-  return buf
-    .toString("base64")
-    .replace(/\+/g, "-")
-    .replace(/\//g, "_")
-    .replace(/=+$/, "");
-}
-
 function _mintToken() {
   var raw = _b().crypto.generateBytes(TOKEN_BYTES);
-  return _b64url(raw);
+  return _b().crypto.toBase64Url(raw);
 }
 
 function _hashEmail(normalised) {

package/lib/stock-receipts.js

@@ -241,10 +241,7 @@ function _linesArray(arr) {
 
 function _generateToken() {
   var buf = _b().crypto.generateBytes(TOKEN_BYTE_LEN);
-  return buf.toString("base64")
-    .replace(/\+/g, "-")
-    .replace(/\//g, "_")
-    .replace(/=+$/, "");
+  return _b().crypto.toBase64Url(buf);
 }
 
 function _hashToken(canonical) {

package/lib/storefront.js

@@ -1458,7 +1458,7 @@ var ACCOUNT_LOGIN_PAGE =
   "  <script>\n" +
   "  (function () {\n" +
   "    function _b64uToBuf(s){ s = s.replace(/-/g,'+').replace(/_/g,'/'); while(s.length%4)s+='='; var raw=atob(s); var arr=new Uint8Array(raw.length); for(var i=0;i<raw.length;i++)arr[i]=raw.charCodeAt(i); return arr.buffer; }\n" +
-  "    function _bufToB64u(buf){ var b=new Uint8Array(buf), s=''; for(var i=0;i<b.length;i++)s+=String.fromCharCode(b[i]); return btoa(s).replace(/\\+/g,'-').replace(/\\//g,'_').replace(/=+$/,''); }\n" +
+  "    function _bufToB64u(buf){ var b=new Uint8Array(buf), s=''; for(var i=0;i<b.length;i++)s+=String.fromCharCode(b[i]); return btoa(s).replace(/\\+/g,'-').replace(/\\//g,'_').replace(/=+$/,''); }\n" + // allow:inline-base64url-three-replace — browser-side helper; the page has no `b.crypto` to call, btoa is the runtime-built-in equivalent
   "    var form=document.getElementById('login-form');\n" +
   "    var msg=document.getElementById('login-message');\n" +
   "    form.addEventListener('submit', async function(ev){\n" +
@@ -1507,7 +1507,7 @@ var ACCOUNT_REGISTER_PAGE =
   "  <script>\n" +
   "  (function () {\n" +
   "    function _b64uToBuf(s){ s = s.replace(/-/g,'+').replace(/_/g,'/'); while(s.length%4)s+='='; var raw=atob(s); var arr=new Uint8Array(raw.length); for(var i=0;i<raw.length;i++)arr[i]=raw.charCodeAt(i); return arr.buffer; }\n" +
-  "    function _bufToB64u(buf){ var b=new Uint8Array(buf), s=''; for(var i=0;i<b.length;i++)s+=String.fromCharCode(b[i]); return btoa(s).replace(/\\+/g,'-').replace(/\\//g,'_').replace(/=+$/,''); }\n" +
+  "    function _bufToB64u(buf){ var b=new Uint8Array(buf), s=''; for(var i=0;i<b.length;i++)s+=String.fromCharCode(b[i]); return btoa(s).replace(/\\+/g,'-').replace(/\\//g,'_').replace(/=+$/,''); }\n" + // allow:inline-base64url-three-replace — browser-side helper; the page has no `b.crypto` to call, btoa is the runtime-built-in equivalent
   "    var form=document.getElementById('reg-form');\n" +
   "    var msg=document.getElementById('reg-message');\n" +
   "    form.addEventListener('submit', async function(ev){\n" +
@@ -2015,9 +2015,7 @@ function mount(router, deps) {
     var expectedOrigin = deps.shop_origin || ("https://" + rpId);
 
     function _b64u(buf) {
-      // Node Buffer / Uint8Array -> base64url string
-      var b = Buffer.isBuffer(buf) ? buf : Buffer.from(buf);
-      return b.toString("base64").replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
+      return _b().crypto.toBase64Url(buf);
     }
 
     function _sealEnvelope(obj) {

package/lib/subscription-gifts.js

@@ -229,12 +229,7 @@ function _hashEmail(canonical) {
 
 function _generateToken() {
   var buf = _b().crypto.generateBytes(TOKEN_BYTE_LEN);
-  // base64url, no padding. Manual rewrite so the primitive doesn't
-  // depend on a Buffer-side flag rename across Node minors.
-  return buf.toString("base64")
-    .replace(/\+/g, "-")
-    .replace(/\//g, "_")
-    .replace(/=+$/, "");
+  return _b().crypto.toBase64Url(buf);
 }
 
 function _canonicalToken(input) {

package/lib/vendor/MANIFEST.json

@@ -3,8 +3,8 @@
   "_about": "blamejs.shop vendors a single framework — blamejs — which itself bundles every server-side crypto/identity dependency. The transitive packages blamejs ships are surfaced in its own MANIFEST.json at lib/vendor/blamejs/lib/vendor/MANIFEST.json — Trivy / Grype rely on that nested data for CVE attribution.",
   "packages": {
     "blamejs": {
-      "version": "0.12.11",
-      "tag": "v0.12.11",
+      "version": "0.12.12",
+      "tag": "v0.12.12",
       "license": "Apache-2.0",
       "author": "blamejs contributors",
       "source": "https://github.com/blamejs/blamejs",
@@ -13,7 +13,7 @@
         "server": "lib/vendor/blamejs/"
       },
       "bundler": "shallow git clone of release tag from github.com/blamejs/blamejs",
-      "bundledAt": "2026-05-23"
+      "bundledAt": "2026-05-24"
     }
   }
 }

package/lib/vendor/blamejs/CHANGELOG.md

@@ -8,6 +8,8 @@ upgrading across more than a few patches at a time.
 
 ## v0.12.x
 
+- v0.12.12 (2026-05-23) — **`b.ai.disclosure.chatbot` + `b.ai.disclosure.deepfake` + `b.ai.disclosure.emotion` — EU AI Act Art. 50 transparency obligations (calendar-locked 2026-08-02) with US-CA AB-853 + China CAC GenAI cross-walk.** EU AI Act Art. 50 transparency primitives land ahead of the 2026-08-02 enforcement deadline. `b.ai.disclosure.chatbot(session, opts)` emits the Art. 50(1) first-contact "you are interacting with an AI system" disclosure with placement control (`first-message` / `always` / `on-request`). `b.ai.disclosure.deepfake(content, { contentType, placement, jurisdiction })` emits the Art. 50(4) synthetic-content label + machine-readable metadata payload for image / audio / video / text. `b.ai.disclosure.emotion({ systemType })` emits the Art. 50(3) emotion-recognition / biometric-categorisation notice. Each primitive emits a tamper-evident `ai-act/*-disclosure-applied` audit event so the compliance trail backs the user-facing notice. Cross-jurisdiction cross-walk lives in `opts.jurisdiction`: `"eu"` (default), `"us-ca"` adds AB-853 §22949.91 to the cross-walk array, `"cn"` adds CAC GenAI Measures Art. 12. The deepfake primitive returns a `schema: "c2pa-v1.4-ready"` metadata field that the v0.12.21 `b.contentCredentials` C2PA adapter will consume when it lands — this patch ships the label markup + schema; the C2PA manifest emission is the next composition. **Added:** *`b.ai.disclosure.chatbot(session, opts)` — Art. 50(1) first-contact disclosure* — Operators interacting with natural persons via an AI system get a primitive that emits the "you are interacting with an AI system" notice + audits the emission. `placement` opts: `"first-message"` (default — emit on first contact only, tracked via `session.aiDisclosureEmitted`), `"always"` (every response), `"on-request"` (operator wires their own trigger). Returns `{ text, language, jurisdiction, placement, shouldEmit, article, regulation }` — `shouldEmit` is the operator-consumable boolean for response-wire-up logic. · *`b.ai.disclosure.deepfake(content, opts)` — Art. 50(4) synthetic-content label* — Operators emitting model-generated or model-manipulated content get a primitive that returns both the visible label markup AND the machine-readable metadata payload. `contentType: "image" | "audio" | "video" | "text"` is required; `placement: "label" | "metadata" | "both"` (default `"both"`) controls what the primitive populates. The metadata payload includes `schema: "c2pa-v1.4-ready"` — the v0.12.21 `b.contentCredentials` C2PA adapter will consume this schema field when it lands. `crossWalk` array carries `["eu-ai-act/Art. 50(4)"]` plus the per-jurisdiction reference (AB-853 §22949.91 / CAC GenAI Art. 12). · *`b.ai.disclosure.emotion(opts)` — Art. 50(3) emotion-recognition / biometric-categorisation notice* — Operators deploying emotion-recognition or biometric-categorisation systems get the consent-flow notice primitive. `systemType: "emotion" | "biometric-categorisation"` (default `"emotion"`) selects which Art. 50(3) sub-obligation applies. Returns the notice payload + emits an `ai-act/emotion-disclosure-applied` audit event. · *Cross-jurisdiction cross-walk: EU + US-CA + China in a single primitive* — The `opts.jurisdiction` opt accepts `"eu"` (default — Regulation (EU) 2024/1689), `"us-ca"` (California AB-853 effective 2026), or `"cn"` (China CAC GenAI Measures). The chatbot + deepfake primitives both honour the cross-walk: the deepfake response's `crossWalk` array carries every jurisdiction-specific legal reference the same emission satisfies, so operators serving multi-region traffic emit one notice + audit one event + reference all applicable regimes. **Security:** *Drop-silent audit emission preserves the disclosure path under audit-bus failure* — If `opts.audit` is supplied but its `safeEmit` throws (network bus down, audit-sign chain malformed), the disclosure primitive still returns the user-facing notice payload. The Art. 50 obligation is the user-facing notice itself; the audit emission is a parallel best-effort chain-of-custody record. Refusing the disclosure to defend the audit chain would fail the wrong direction — the regulatory contract is satisfied by emitting the notice. Matches the framework's `audit.safeEmit` drop-silent contract for hot-path observability sinks. **Migration:** *C2PA manifest emission lands in v0.12.21* — The deepfake primitive's metadata payload includes a `schema: "c2pa-v1.4-ready"` field that the v0.12.21 `b.contentCredentials` adapter will consume. Operators emitting image / audio / video for v0.12.12-0.12.20 get the label markup + structured metadata; the actual C2PA manifest (signed JUMBF assertion chain) is the next composition layer.
+
 - v0.12.11 (2026-05-23) — **`b.archive.wrapWithPassphrase` + `b.archive.unwrapWithPassphrase` — Argon2id + XChaCha20-Poly1305 archive envelope + `b.backup` `cryptoStrategy: "passphrase"` with HIPAA / PCI-DSS 128-bit entropy floor.** Passphrase wrap lands as the second `b.archive` envelope strategy alongside v0.12.10's recipient wrap. `b.archive.wrapWithPassphrase(bytes, { passphrase, minEntropyBits })` produces a `BAWPP`-prefixed envelope under Argon2id (RFC 9106; framework-default 64 MiB / 3 iterations / 4 parallelism) key derivation with XChaCha20-Poly1305 AEAD; each envelope carries its own fresh salt in the wire format (5-byte magic + 1-byte version + 1-byte saltLen + salt + 24-byte nonce + ciphertext+tag) so KDF parameters can rotate in future minors without per-envelope version bumps. `b.archive.unwrapWithPassphrase(sealed, { passphrase })` verifies the `BAWPP` header before any Argon2id compute so non-envelope inputs fail with `archive-wrap/bad-magic` rather than burning the KDF on bad bytes. `b.backup.bundleAdapterStorage({ cryptoStrategy: "passphrase", passphrase })` composes the wrap layer transparently — bundle bytes hitting the adapter's `writeFile` are an opaque passphrase-derived envelope. Default `passphraseMinEntropyBits: 80` matches OWASP strong-password guidance; HIPAA + PCI-DSS postures raise the floor to 128 bits automatically (matching the framework's existing crypto-grade-password discipline for sealed-storage). The recipient strategy from v0.12.10 + passphrase strategy from v0.12.11 + plaintext strategy from v0.12.7 cover the operator's posture matrix: HIPAA / PCI-DSS pick recipient or passphrase; non-regulated deployments may stay on `"none"` when the storage layer is itself the protective boundary. **Added:** *`b.archive.wrapWithPassphrase(bytes, { passphrase, minEntropyBits })` — Argon2id-derived archive envelope* — Composes `b.backupCrypto.encryptWithFreshSalt(bytes, passphrase)` (Argon2id KDF + XChaCha20-Poly1305 AEAD, fresh per-envelope salt) and prepends a 7-byte `BAWPP` envelope header (5-byte magic + 1-byte version + 1-byte saltLen) so format sniffers can identify passphrase wrap output without trial KDF work. Entropy estimate uses observed-alphabet bit-count (the standard NIST/OWASP character-class approximation). `minEntropyBits` defaults to 80; the gate refuses upfront with `archive-wrap/weak-passphrase` when the estimate falls short. · *`b.archive.unwrapWithPassphrase(sealed, { passphrase })` — inverse with magic-check upfront* — Verifies the 7-byte `BAWPP` header (magic + version + saltLen) before any cryptographic work so non-envelope inputs (raw archives, recipient-wrap envelopes, truncated buffers) fail with `archive-wrap/bad-magic` / `archive-wrap/bad-version` / `archive-wrap/truncated-envelope` rather than wasting Argon2id compute. Routes through `b.backupCrypto.decryptWithPassphrase(encrypted, passphrase, saltHex)` so the framework's locked Argon2id parameters apply. · *`b.backup.bundleAdapterStorage({ cryptoStrategy: "passphrase", passphrase })` — Argon2id-keyed bundle storage* — Composes `b.archive.wrapWithPassphrase` transparently — every `writeBundle` payload is wrapped before `adapter.writeFile`; every `readBundle` payload is unwrapped after `adapter.readFile`. The `passphraseMinEntropyBits` opt defaults to 80 (OWASP strong-password floor); HIPAA + PCI-DSS postures raise the floor to 128 bits automatically. Passphrase + directory format combination refused upfront (same contract as recipient + directory). Wire-format envelope on disk is opaque ciphertext — no information leakage about archive contents through the storage adapter. · *HIPAA + PCI-DSS postures raise entropy floor to 128 bits under passphrase strategy* — `bundleAdapterStorage({ posture: "hipaa", cryptoStrategy: "passphrase", passphrase })` enforces `passphraseMinEntropyBits >= 128` regardless of the operator-supplied opt. The 128-bit floor matches the framework's existing crypto-grade-password discipline for sealed-storage cells. Operators sourcing passphrases from a CSPRNG (`b.crypto.generateBytes(16).toString("base64url")` → ~128 bits) pass without issue; operators typing dictionary phrases trip the gate. **Security:** *Magic-check before KDF work — non-envelope inputs can't burn Argon2id compute* — Adversarial inputs that look like passphrase envelopes but aren't (random bytes, recipient envelopes, raw archives) fail at byte 0-4 (magic check) rather than after a 64 MiB Argon2id round. Operators handing user-supplied bundles to readBundle on a server with concurrent load get bounded refusal latency rather than worst-case KDF compute under a chosen-bytes attack.
 
 - v0.12.10 (2026-05-23) — **`b.archive.wrap` + `b.archive.unwrap` — recipient-encrypted archive envelopes (Flavor 1) + `b.backup` `cryptoStrategy: "recipient"` + HIPAA/PCI-DSS posture refusal.** Flavor 1 lands as the whole-archive recipient-wrap substrate. `b.archive.wrap(bytes, { recipient })` produces a sealed envelope under the framework's hybrid PQC seal (ML-KEM-1024 + P-384 ECDH + SHAKE256 + XChaCha20-Poly1305) prefixed with a 6-byte `BAWRP` archive-wrap header so format sniffers can identify wrap envelopes without trial decryption. `b.archive.unwrap(sealed, { recipient })` is the inverse with magic-check upfront so non-envelope inputs throw `archive-wrap/bad-magic` rather than a crypto-level error. Recipient strategies: static keypair (`{ publicKey, ecPublicKey }`) and peer-cert (`{ peerCertDer, peerKemPubkey }`); the tenant strategy lands in v0.12.11 alongside the backup-crypto refactor + per-tenant key resolution. `b.backup.bundleAdapterStorage({ cryptoStrategy: "recipient", recipient })` composes the wrap/unwrap layer transparently: the bytes hitting the adapter's `writeFile` are a `BAWRP`-prefixed envelope, never the raw tar / tar.gz / directory bundle. HIPAA + PCI-DSS postures refuse `cryptoStrategy: "none"` upfront with `backup/posture-requires-encryption` — the storage adapter cannot itself satisfy the encryption-at-rest requirement; the recipient envelope is the framework-side gate. Flavor 2 (per-entry ZIP wrap with the 0xBADC extra-field marker) and the backup-crypto refactor into `lib/_crypto-base.js` ship in v0.12.11. **Added:** *`b.archive.wrap(bytes, { recipient })` — recipient-encrypted archive envelope* — Composes `b.crypto.encrypt` (or `b.crypto.encryptEnvelopeAsCertPeer` for the peer-cert strategy) under the framework's hybrid PQC seal. The output is a Buffer carrying a 6-byte `BAWRP` archive-wrap header (5-byte magic + 1-byte version) followed by the base64-encoded envelope bytes. Recipient strategies: `{ publicKey, ecPublicKey }` for the static-keypair path (ML-KEM-1024 PEM + P-384 ECDH PEM); `{ peerCertDer, peerKemPubkey }` for the peer-cert path (extracts the P-384 half from the cert per `b.crypto.encryptEnvelopeAsCertPeer`). `"tenant"` returns `archive-wrap/tenant-strategy-deferred` upfront — that strategy lands in v0.12.11 with the per-tenant key resolution. · *`b.archive.unwrap(sealed, { recipient })` — inverse with upfront magic check* — Verifies the 6-byte `BAWRP` header before any cryptographic work so non-envelope inputs (raw archives, other-magic envelopes, truncated buffers) fail with `archive-wrap/bad-magic` / `archive-wrap/bad-version` rather than a downstream `crypto/*` error. Routes through `b.crypto.decrypt(envelope, recipient, { raw: true })` so binary archive payloads (gzip, ZIP, tar) round-trip losslessly — `raw: true` is the contract that preserves bytes vs the default utf-8 decoding. · *`b.backup.bundleAdapterStorage({ cryptoStrategy: "recipient", recipient })` — opt-in envelope storage* — `cryptoStrategy: "none"` (default, v0.12.7-9 behaviour) writes plaintext bundle bytes to the adapter — safe for storage layers that are themselves the protective boundary (S3 SSE, disk-encrypted hosts). `cryptoStrategy: "recipient"` requires `opts.recipient` and wraps every `writeBundle` payload through `b.archive.wrap` before `adapter.writeFile`; `readBundle` unwraps after `adapter.readFile`. The wrap layer sits OUTSIDE the gz / tar layers so the bundle on disk is opaque ciphertext under the operator-controlled recipient key. Passphrase strategy is deferred to v0.12.11 alongside the `_crypto-base.js` refactor. · *HIPAA + PCI-DSS posture refuses plaintext bundles* — `bundleAdapterStorage({ posture: "hipaa" })` (or `"pci-dss"`) refuses `cryptoStrategy: "none"` upfront with `backup/posture-requires-encryption` — adapter-storage's plaintext default cannot itself satisfy encryption-at-rest requirements. Operators under these postures pass `cryptoStrategy: "recipient"` + a recipient key. The refusal message includes the posture name + the strategy that fails so audit-trail operators see exactly which gate blocked the call. **Security:** *Wrap envelope is the framework's hybrid PQC seal — ML-KEM-1024 + P-384 ECDH + SHAKE256 + XChaCha20-Poly1305* — Defence-in-depth posture: a CRQC against ML-KEM-1024 alone still has to defeat the classical P-384 ECDH leg; a future ECDH break alone still has to defeat ML-KEM-1024. The 4-byte envelope header (magic + KEM ID + cipher ID + KDF ID) is bound as AEAD AAD so a header-substitution attack fails Poly1305 verification. `b.archive.wrap` prepends a separate 6-byte archive-wrap header BEFORE the base64 envelope so format sniffing can identify wrap output without trial decryption — non-envelope inputs are refused at byte 0-4 (magic check) instead of after fruitless decapsulation work. **Detectors:** *`backup-adapter-storage-without-posture-check` — postures that mandate encryption must propagate to `cryptoStrategy`* — When a primitive that wires `b.backup.bundleAdapterStorage` carries a `posture:` opt drawn from the HIPAA / PCI-DSS / etc. set, the same code path must propagate `cryptoStrategy: "recipient"` (or refuse before reaching writeBundle). The detector matches `bundleAdapterStorage({ ... posture: ... })` invocations in `lib/` and requires a matching `cryptoStrategy` opt; missing it surfaces during the codebase-patterns gate so a future caller can't silently drop the contract. **Migration:** *Flavor 2 — per-entry ZIP recipient wrap with 0xBADC extra-field* — Per-entry encryption inside the carrier ZIP (method=STORE with the encrypted bytes as the stored payload + a 0xBADC user-defined-range extra-field marker carrying the recipient hint). Inspect-without-decrypt is the operator value: entry list + name-safety gating happens BEFORE any key resolution. Lands in v0.12.11 alongside the backup-crypto refactor. · *`lib/_crypto-base.js` refactor — backup-crypto, Flavor 1, Flavor 2 share substrate* — The legacy per-file Argon2id + XChaCha20-Poly1305 path in `lib/backup/crypto.js` gets factored into a private `_crypto-base.js` helper so all three encryption flavors compose the same primitive set. No operator-visible API change; closes the each-feature-rolls-its-own-crypto smell. · *`cryptoStrategy: "passphrase"` + tenant strategy* — Passphrase strategy on `bundleAdapterStorage` (Argon2id-derived key + XChaCha20-Poly1305) and the `"tenant"` recipient string (composes `b.vault.derivedKey({ tenant, purpose: "archive-wrap" })`) both ship in v0.12.11. The v0.12.10 surface is the recipient substrate; v0.12.11 lights up the per-tenant + passphrase strategies that consume it.

package/lib/vendor/blamejs/api-snapshot.json

@@ -1,7 +1,7 @@
 {
   "version": 1,
-  "frameworkVersion": "0.12.11",
-  "createdAt": "2026-05-23T19:12:47.343Z",
+  "frameworkVersion": "0.12.12",
+  "createdAt": "2026-05-23T21:15:03.328Z",
   "exports": {
     "a2a": {
       "type": "object",
@@ -1498,6 +1498,35 @@
             }
           }
         },
+        "disclosure": {
+          "type": "object",
+          "members": {
+            "AiDisclosureError": {
+              "type": "function",
+              "arity": 4
+            },
+            "DEEPFAKE_CONTENT_TYPES": {
+              "type": "instance",
+              "ctorName": "Array"
+            },
+            "SUPPORTED_JURISDICTIONS": {
+              "type": "instance",
+              "ctorName": "Array"
+            },
+            "chatbot": {
+              "type": "function",
+              "arity": 2
+            },
+            "deepfake": {
+              "type": "function",
+              "arity": 2
+            },
+            "emotion": {
+              "type": "function",
+              "arity": 1
+            }
+          }
+        },
         "input": {
           "type": "object",
           "members": {

package/lib/vendor/blamejs/index.js

@@ -442,6 +442,7 @@ module.exports = {
     input:           aiInput,
     aiContentDetect: require("./lib/ai-content-detect"),
     modelManifest:   require("./lib/ai-model-manifest"),
+    disclosure:      require("./lib/ai-disclosure"),
   },
   promisePool:      require("./lib/promise-pool"),
   sdNotify:         require("./lib/sd-notify"),

package/lib/vendor/blamejs/lib/ai-disclosure.js

@@ -0,0 +1,349 @@
+"use strict";
+/**
+ * @module b.ai.disclosure
+ * @nav    Compliance
+ * @title  AI Act Art. 50 disclosures
+ *
+ * @intro
+ *   EU AI Act Regulation (EU) 2024/1689 Article 50 transparency
+ *   obligations enter force 2026-08-02. This module ships the active
+ *   runtime primitives that emit disclosure markup at request time:
+ *
+ *   - `b.ai.disclosure.chatbot(session, opts)` — Art. 50(1).
+ *     Operators interacting with natural persons must disclose the
+ *     AI nature of the interaction. Returns the disclosure payload
+ *     (visible text / structured metadata) to wire into the response.
+ *
+ *   - `b.ai.disclosure.deepfake(content, opts)` — Art. 50(4).
+ *     Operators emitting AI-generated / AI-manipulated content
+ *     (image / audio / video / text) must label the output as
+ *     synthetic. Returns the disclosure payload + suggested
+ *     embedding points (visible label / C2PA metadata / both).
+ *
+ *   - `b.ai.disclosure.emotion(opts)` — Art. 50(3). Emotion-
+ *     recognition / biometric-categorisation systems must inform
+ *     the natural person of operation. Returns the notice payload.
+ *
+ *   Cross-jurisdiction:
+ *     - California AB-853 (effective 2026) — watermarking on
+ *       AI-generated content. The deepfake primitive emits both
+ *       AI Act Art. 50(4) AND AB-853 markup when `jurisdiction:
+ *       "us-ca"` is requested.
+ *     - China CAC GenAI Measures — content review marker. Same
+ *       primitive handles the cross-walk via the `jurisdiction:
+ *       "cn"` opt.
+ *
+ *   Composition:
+ *     - `b.audit-sign` chains every disclosure emission so the
+ *       Art. 50 compliance trail is tamper-evident.
+ *     - `b.agent.idempotency` (v0.9.22) ensures the chatbot
+ *       first-contact disclosure isn't double-emitted across
+ *       retry / reconnect.
+ *     - `b.contentCredentials` (v0.12.21 — deferred) will wire
+ *       C2PA manifest emission alongside the visible label.
+ *
+ *   Out of scope (this patch):
+ *     - C2PA manifest emission — defers to v0.12.21 b.contentCredentials.
+ *     - Watermark frame embedding into image/audio/video bytes —
+ *       operator's encoder pipeline (this primitive supplies the
+ *       label markup; the operator chooses the embed point).
+ *     - Real-time prohibited-content moderation — orthogonal,
+ *       composes with b.ai.input.refuseIfMalicious.
+ *
+ * @card
+ *   EU AI Act Art. 50 transparency obligation primitives — chatbot
+ *   disclosure, deepfake / synthetic-content labels, emotion-
+ *   recognition notices. Calendar-locked 2026-08-02.
+ */
+
+var { defineClass } = require("./framework-error");
+
+var AiDisclosureError = defineClass("AiDisclosureError", { alwaysPermanent: true });
+
+// Audit emissions route through opts.audit (operator-supplied
+// instance) — see _emitAudit below. No framework-side audit
+// require needed; the primitive is a pure value-returning function
+// with the optional safeEmit-via-opts side-effect.
+
+var DEFAULT_CHATBOT_TEXT = "You are interacting with an AI system.";
+var DEFAULT_DEEPFAKE_TEXT = "This content has been generated or manipulated using artificial intelligence.";
+var DEFAULT_EMOTION_TEXT = "This system uses AI to recognise emotions or biometrically categorise individuals.";
+
+// Recognised jurisdiction codes. EU is implicit (the AI Act applies
+// throughout the Union); US-CA layers in AB-853; CN layers in the
+// CAC GenAI Measures.
+var SUPPORTED_JURISDICTIONS = ["eu", "us-ca", "cn"];
+
+// Content types eligible for a deepfake notice per Art. 50(4):
+// image / audio / video / text. Each carries different recommended
+// placement defaults (image+video → both label & metadata; audio →
+// audible preamble or metadata; text → visible disclaimer).
+var DEEPFAKE_CONTENT_TYPES = ["image", "audio", "video", "text"];
+
+/**
+ * @primitive b.ai.disclosure.chatbot
+ * @signature b.ai.disclosure.chatbot(session, opts)
+ * @since     0.12.12
+ * @status    stable
+ * @compliance eu-ai-act, ca-ab-853, cac-genai-label
+ * @related   b.ai.disclosure.deepfake, b.ai.disclosure.emotion, b.audit
+ *
+ * EU AI Act Art. 50(1) first-contact disclosure. Operators
+ * interacting with natural persons via an AI system must inform
+ * the person they are interacting with AI unless it is obvious from
+ * the circumstances (Art. 50(1) carve-out). This primitive returns
+ * the disclosure payload + emits an audit event per emission so
+ * the compliance trail is tamper-evident under `b.audit-sign`.
+ *
+ * @opts
+ *   placement:      "first-message" | "always" | "on-request",  // default "first-message"
+ *   language:       string,    // BCP 47 tag; defaults to en
+ *   text:           string,    // override the default disclosure text
+ *   jurisdiction:   string,    // "eu" (default) | "us-ca" | "cn"
+ *   audit:          object,    // b.audit instance for tamper-evident logging
+ *   correlationId:  string,    // audit chain correlation
+ *
+ * @example
+ *   var disclosure = b.ai.disclosure.chatbot({ id: "session-42" }, {
+ *     placement: "first-message",
+ *     language:  "en",
+ *   });
+ *   // disclosure.text   → "You are interacting with an AI system."
+ *   // disclosure.shouldEmit → true (first contact)
+ *   // operator wires disclosure.text into the response payload
+ */
+function chatbot(session, opts) {
+  opts = opts || {};
+  if (!session || typeof session !== "object") {
+    throw new AiDisclosureError("ai-disclosure/bad-session",
+      "chatbot: session must be an object carrying at minimum an id");
+  }
+  if (typeof session.id !== "string" || session.id.length === 0) {
+    throw new AiDisclosureError("ai-disclosure/bad-session",
+      "chatbot: session.id must be a non-empty string");
+  }
+  var placement = opts.placement || "first-message";
+  if (placement !== "first-message" && placement !== "always" && placement !== "on-request") {
+    throw new AiDisclosureError("ai-disclosure/bad-arg",
+      "chatbot: opts.placement must be \"first-message\" (default) | \"always\" | \"on-request\"; got " +
+      JSON.stringify(placement));
+  }
+  var jurisdiction = opts.jurisdiction || "eu";
+  _validateJurisdiction(jurisdiction, "chatbot");
+  var text = typeof opts.text === "string" && opts.text.length > 0
+    ? opts.text
+    : DEFAULT_CHATBOT_TEXT;
+  // Codex P1A on v0.12.12 PR #163 — "on-request" placement gates on
+  // the operator's explicit `opts.requested: true` signal. Without
+  // it, "on-request" collapsed into "always" semantics and emitted
+  // every call. The operator wires this from an explicit user
+  // gesture ("show me what AI features are in use") or an admin
+  // toggle. Default false so the gate stays closed when the opt
+  // isn't passed.
+  var requested = opts.requested === true;
+  var firstSeen = !session.aiDisclosureEmitted;
+  var shouldEmit = placement === "always" ||
+    (placement === "first-message" && firstSeen) ||
+    (placement === "on-request" && requested);
+  var emission = {
+    text:           text,
+    language:       opts.language || "en",
+    jurisdiction:   jurisdiction,
+    placement:      placement,
+    shouldEmit:     shouldEmit,
+    article:        "Art. 50(1)",
+    regulation:     "Regulation (EU) 2024/1689",
+  };
+  if (shouldEmit) {
+    // Codex P1B on v0.12.12 PR #163 — mark the session so subsequent
+    // calls with the same session under "first-message" placement
+    // see `aiDisclosureEmitted: true` and return shouldEmit=false.
+    // Without this mutation operators had to remember to flip the
+    // flag themselves; the default would re-emit on every call.
+    if (placement === "first-message") {
+      session.aiDisclosureEmitted = true;
+    }
+    _emitAudit(opts, "ai-act/chatbot-disclosure-applied", "success", {
+      sessionId:      session.id,
+      placement:      placement,
+      jurisdiction:   jurisdiction,
+      correlationId:  opts.correlationId || null,
+    });
+  }
+  return emission;
+}
+
+/**
+ * @primitive b.ai.disclosure.deepfake
+ * @signature b.ai.disclosure.deepfake(content, opts)
+ * @since     0.12.12
+ * @status    stable
+ * @compliance eu-ai-act, ca-ab-853, cac-genai-label
+ * @related   b.ai.disclosure.chatbot, b.contentCredentials
+ *
+ * EU AI Act Art. 50(4) synthetic-content disclosure. Operators
+ * emitting AI-generated or AI-manipulated content (image / audio /
+ * video / text) must label the output as synthetic in a clear and
+ * machine-readable manner. This primitive returns the disclosure
+ * payload (visible label + structured metadata) the operator wires
+ * into the encoder / response pipeline. C2PA manifest emission is
+ * deferred to v0.12.21 `b.contentCredentials` — this primitive
+ * supplies the label markup and the metadata schema that the C2PA
+ * adapter consumes when it lands.
+ *
+ * @opts
+ *   contentType:   "image" | "audio" | "video" | "text",        // required
+ *   placement:     "label" | "metadata" | "both",                // default "both"
+ *   jurisdiction:  string,    // "eu" (default) | "us-ca" | "cn"
+ *   language:      string,    // BCP 47 tag; defaults to en
+ *   text:          string,    // override the default disclosure text
+ *   audit:         object,
+ *   correlationId: string,
+ *
+ * @example
+ *   var disclosure = b.ai.disclosure.deepfake(imageBytes, {
+ *     contentType:  "image",
+ *     placement:    "both",
+ *     jurisdiction: "us-ca",
+ *   });
+ *   // disclosure.label    → "This content has been generated ..."
+ *   // disclosure.metadata → { ai_generated: true, schema: "c2pa-v1.4-ready" }
+ *   // disclosure.crossWalk → ["eu-ai-act/Art. 50(4)", "us-ca/AB-853 §22949.91"]
+ */
+function deepfake(content, opts) {
+  opts = opts || {};
+  if (content === undefined || content === null) {
+    throw new AiDisclosureError("ai-disclosure/bad-content",
+      "deepfake: content is required (Buffer | string | { type, bytes })");
+  }
+  if (typeof opts.contentType !== "string" ||
+      DEEPFAKE_CONTENT_TYPES.indexOf(opts.contentType) === -1) {
+    throw new AiDisclosureError("ai-disclosure/bad-arg",
+      "deepfake: opts.contentType must be one of " +
+      DEEPFAKE_CONTENT_TYPES.join(" | ") + "; got " + JSON.stringify(opts.contentType));
+  }
+  var placement = opts.placement || "both";
+  if (placement !== "label" && placement !== "metadata" && placement !== "both") {
+    throw new AiDisclosureError("ai-disclosure/bad-arg",
+      "deepfake: opts.placement must be \"label\" | \"metadata\" | \"both\" (default); got " +
+      JSON.stringify(placement));
+  }
+  var jurisdiction = opts.jurisdiction || "eu";
+  _validateJurisdiction(jurisdiction, "deepfake");
+  var text = typeof opts.text === "string" && opts.text.length > 0
+    ? opts.text
+    : DEFAULT_DEEPFAKE_TEXT;
+  var crossWalk = ["eu-ai-act/Art. 50(4)"];
+  if (jurisdiction === "us-ca") crossWalk.push("us-ca/AB-853 §22949.91");
+  if (jurisdiction === "cn") crossWalk.push("cn/CAC-GenAI Measures Art. 12");
+  var emission = {
+    label:          placement === "metadata" ? null : text,
+    metadata:       placement === "label" ? null : {
+      ai_generated:  true,
+      content_type:  opts.contentType,
+      schema:        "c2pa-v1.4-ready",                                              // v0.12.21 b.contentCredentials lights this up
+      jurisdiction:  jurisdiction,
+      regulation:    "Regulation (EU) 2024/1689",
+      article:       "Art. 50(4)",
+    },
+    language:       opts.language || "en",
+    contentType:    opts.contentType,
+    placement:      placement,
+    crossWalk:      crossWalk,
+  };
+  _emitAudit(opts, "ai-act/deepfake-disclosure-applied", "success", {
+    contentType:    opts.contentType,
+    placement:      placement,
+    jurisdiction:   jurisdiction,
+    correlationId:  opts.correlationId || null,
+  });
+  return emission;
+}
+
+/**
+ * @primitive b.ai.disclosure.emotion
+ * @signature b.ai.disclosure.emotion(opts)
+ * @since     0.12.12
+ * @status    stable
+ * @compliance eu-ai-act
+ * @related   b.ai.disclosure.chatbot, b.ai.disclosure.deepfake
+ *
+ * EU AI Act Art. 50(3) emotion-recognition / biometric-
+ * categorisation disclosure. Operators deploying these systems
+ * must inform the natural person of operation. Returns the notice
+ * payload the operator wires into the consent / pre-interaction
+ * flow.
+ *
+ * @opts
+ *   language:      string,
+ *   text:          string,
+ *   systemType:    "emotion" | "biometric-categorisation",   // default "emotion"
+ *   audit:         object,
+ *   correlationId: string,
+ *
+ * @example
+ *   var notice = b.ai.disclosure.emotion({ systemType: "emotion" });
+ *   // notice.text → "This system uses AI to recognise emotions ..."
+ *   // notice.article → "Art. 50(3)"
+ */
+function emotion(opts) {
+  opts = opts || {};
+  var systemType = opts.systemType || "emotion";
+  if (systemType !== "emotion" && systemType !== "biometric-categorisation") {
+    throw new AiDisclosureError("ai-disclosure/bad-arg",
+      "emotion: opts.systemType must be \"emotion\" (default) | \"biometric-categorisation\"; got " +
+      JSON.stringify(systemType));
+  }
+  var text = typeof opts.text === "string" && opts.text.length > 0
+    ? opts.text
+    : DEFAULT_EMOTION_TEXT;
+  var emission = {
+    text:           text,
+    language:       opts.language || "en",
+    systemType:     systemType,
+    article:        "Art. 50(3)",
+    regulation:     "Regulation (EU) 2024/1689",
+  };
+  _emitAudit(opts, "ai-act/emotion-disclosure-applied", "success", {
+    systemType:     systemType,
+    correlationId:  opts.correlationId || null,
+  });
+  return emission;
+}
+
+function _validateJurisdiction(jurisdiction, primitive) {
+  if (SUPPORTED_JURISDICTIONS.indexOf(jurisdiction) === -1) {
+    throw new AiDisclosureError("ai-disclosure/bad-jurisdiction",
+      primitive + ": opts.jurisdiction must be one of " +
+      SUPPORTED_JURISDICTIONS.join(" | ") + " (eu = default; us-ca = California AB-853; " +
+      "cn = China CAC GenAI Measures); got " + JSON.stringify(jurisdiction));
+  }
+}
+
+function _emitAudit(opts, action, outcome, metadata) {
+  if (!opts.audit || typeof opts.audit.safeEmit !== "function") return;
+  try {
+    opts.audit.safeEmit({
+      action:    action,
+      outcome:   outcome,
+      metadata:  metadata || {},
+    });
+  } catch (_e) {
+    // drop-silent — audit emit failure cannot crash the disclosure
+    // path. The Art. 50 obligation is the user-facing notice the
+    // primitive returns; the audit emission is a parallel best-
+    // effort chain-of-custody record. Throwing here would refuse
+    // the disclosure to defend the audit chain, which fails the
+    // wrong direction (the regulatory contract is satisfied by
+    // emitting the notice; the audit trail backs it up).
+  }
+}
+
+module.exports = {
+  chatbot:                  chatbot,
+  deepfake:                 deepfake,
+  emotion:                  emotion,
+  AiDisclosureError:        AiDisclosureError,
+  SUPPORTED_JURISDICTIONS:  Object.freeze(SUPPORTED_JURISDICTIONS.slice()),
+  DEEPFAKE_CONTENT_TYPES:   Object.freeze(DEEPFAKE_CONTENT_TYPES.slice()),
+};

package/lib/vendor/blamejs/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@blamejs/core",
-  "version": "0.12.11",
+  "version": "0.12.12",
   "description": "The Node framework that owns its stack.",
   "license": "Apache-2.0",
   "author": "blamejs contributors",

package/lib/vendor/blamejs/release-notes/v0.12.12.json

@@ -0,0 +1,48 @@
+{
+  "$schema": "../scripts/release-notes-schema.json",
+  "version": "0.12.12",
+  "date": "2026-05-23",
+  "headline": "`b.ai.disclosure.chatbot` + `b.ai.disclosure.deepfake` + `b.ai.disclosure.emotion` — EU AI Act Art. 50 transparency obligations (calendar-locked 2026-08-02) with US-CA AB-853 + China CAC GenAI cross-walk",
+  "summary": "EU AI Act Art. 50 transparency primitives land ahead of the 2026-08-02 enforcement deadline. `b.ai.disclosure.chatbot(session, opts)` emits the Art. 50(1) first-contact \"you are interacting with an AI system\" disclosure with placement control (`first-message` / `always` / `on-request`). `b.ai.disclosure.deepfake(content, { contentType, placement, jurisdiction })` emits the Art. 50(4) synthetic-content label + machine-readable metadata payload for image / audio / video / text. `b.ai.disclosure.emotion({ systemType })` emits the Art. 50(3) emotion-recognition / biometric-categorisation notice. Each primitive emits a tamper-evident `ai-act/*-disclosure-applied` audit event so the compliance trail backs the user-facing notice. Cross-jurisdiction cross-walk lives in `opts.jurisdiction`: `\"eu\"` (default), `\"us-ca\"` adds AB-853 §22949.91 to the cross-walk array, `\"cn\"` adds CAC GenAI Measures Art. 12. The deepfake primitive returns a `schema: \"c2pa-v1.4-ready\"` metadata field that the v0.12.21 `b.contentCredentials` C2PA adapter will consume when it lands — this patch ships the label markup + schema; the C2PA manifest emission is the next composition.",
+  "sections": [
+    {
+      "heading": "Added",
+      "items": [
+        {
+          "title": "`b.ai.disclosure.chatbot(session, opts)` — Art. 50(1) first-contact disclosure",
+          "body": "Operators interacting with natural persons via an AI system get a primitive that emits the \"you are interacting with an AI system\" notice + audits the emission. `placement` opts: `\"first-message\"` (default — emit on first contact only, tracked via `session.aiDisclosureEmitted`), `\"always\"` (every response), `\"on-request\"` (operator wires their own trigger). Returns `{ text, language, jurisdiction, placement, shouldEmit, article, regulation }` — `shouldEmit` is the operator-consumable boolean for response-wire-up logic."
+        },
+        {
+          "title": "`b.ai.disclosure.deepfake(content, opts)` — Art. 50(4) synthetic-content label",
+          "body": "Operators emitting model-generated or model-manipulated content get a primitive that returns both the visible label markup AND the machine-readable metadata payload. `contentType: \"image\" | \"audio\" | \"video\" | \"text\"` is required; `placement: \"label\" | \"metadata\" | \"both\"` (default `\"both\"`) controls what the primitive populates. The metadata payload includes `schema: \"c2pa-v1.4-ready\"` — the v0.12.21 `b.contentCredentials` C2PA adapter will consume this schema field when it lands. `crossWalk` array carries `[\"eu-ai-act/Art. 50(4)\"]` plus the per-jurisdiction reference (AB-853 §22949.91 / CAC GenAI Art. 12)."
+        },
+        {
+          "title": "`b.ai.disclosure.emotion(opts)` — Art. 50(3) emotion-recognition / biometric-categorisation notice",
+          "body": "Operators deploying emotion-recognition or biometric-categorisation systems get the consent-flow notice primitive. `systemType: \"emotion\" | \"biometric-categorisation\"` (default `\"emotion\"`) selects which Art. 50(3) sub-obligation applies. Returns the notice payload + emits an `ai-act/emotion-disclosure-applied` audit event."
+        },
+        {
+          "title": "Cross-jurisdiction cross-walk: EU + US-CA + China in a single primitive",
+          "body": "The `opts.jurisdiction` opt accepts `\"eu\"` (default — Regulation (EU) 2024/1689), `\"us-ca\"` (California AB-853 effective 2026), or `\"cn\"` (China CAC GenAI Measures). The chatbot + deepfake primitives both honour the cross-walk: the deepfake response's `crossWalk` array carries every jurisdiction-specific legal reference the same emission satisfies, so operators serving multi-region traffic emit one notice + audit one event + reference all applicable regimes."
+        }
+      ]
+    },
+    {
+      "heading": "Security",
+      "items": [
+        {
+          "title": "Drop-silent audit emission preserves the disclosure path under audit-bus failure",
+          "body": "If `opts.audit` is supplied but its `safeEmit` throws (network bus down, audit-sign chain malformed), the disclosure primitive still returns the user-facing notice payload. The Art. 50 obligation is the user-facing notice itself; the audit emission is a parallel best-effort chain-of-custody record. Refusing the disclosure to defend the audit chain would fail the wrong direction — the regulatory contract is satisfied by emitting the notice. Matches the framework's `audit.safeEmit` drop-silent contract for hot-path observability sinks."
+        }
+      ]
+    },
+    {
+      "heading": "Migration",
+      "items": [
+        {
+          "title": "C2PA manifest emission lands in v0.12.21",
+          "body": "The deepfake primitive's metadata payload includes a `schema: \"c2pa-v1.4-ready\"` field that the v0.12.21 `b.contentCredentials` adapter will consume. Operators emitting image / audio / video for v0.12.12-0.12.20 get the label markup + structured metadata; the actual C2PA manifest (signed JUMBF assertion chain) is the next composition layer."
+        }
+      ]
+    }
+  ]
+}

package/lib/vendor/blamejs/test/layer-0-primitives/ai-disclosure.test.js

@@ -0,0 +1,192 @@
+"use strict";
+/**
+ * Layer 0 — b.ai.disclosure.chatbot + .deepfake + .emotion
+ * (EU AI Act Art. 50 transparency obligations).
+ */
+
+var b = require("../../index");
+var helpers = require("../helpers");
+var check = helpers.check;
+
+function _makeFakeAudit() {
+  var events = [];
+  return {
+    safeEmit: function (e) { events.push(e); },
+    events:   events,
+  };
+}
+
+async function testChatbotFirstContact() {
+  var audit = _makeFakeAudit();
+  var d = b.ai.disclosure.chatbot({ id: "s1" }, {
+    placement: "first-message",
+    audit:     audit,
+  });
+  check("chatbot: shouldEmit true on first contact (placement first-message)", d.shouldEmit);
+  check("chatbot: carries Art. 50(1) reference", d.article === "Art. 50(1)");
+  check("chatbot: default text is generic AI interaction notice",
+    d.text === "You are interacting with an AI system.");
+  check("chatbot: audit event emitted",
+    audit.events.length === 1 && audit.events[0].action === "ai-act/chatbot-disclosure-applied");
+}
+
+async function testChatbotPostFirstContact() {
+  var d = b.ai.disclosure.chatbot({ id: "s2", aiDisclosureEmitted: true }, {
+    placement: "first-message",
+  });
+  check("chatbot: shouldEmit false after first-message already emitted", !d.shouldEmit);
+}
+
+async function testChatbotFirstMessageMutatesSession() {
+  // Codex P1B on v0.12.12 PR #163 — first-message must mutate
+  // session.aiDisclosureEmitted so the next call sees it.
+  var session = { id: "s-codex-b" };
+  var d1 = b.ai.disclosure.chatbot(session, { placement: "first-message" });
+  check("chatbot: first call emits", d1.shouldEmit === true);
+  check("chatbot: session.aiDisclosureEmitted mutated after first emit",
+    session.aiDisclosureEmitted === true);
+  var d2 = b.ai.disclosure.chatbot(session, { placement: "first-message" });
+  check("chatbot: second call on same session no longer emits", d2.shouldEmit === false);
+}
+
+async function testChatbotOnRequestGatesOnRequested() {
+  // Codex P1A on v0.12.12 PR #163 — "on-request" without
+  // opts.requested must NOT emit (otherwise on-request collapses
+  // to always-on).
+  var d1 = b.ai.disclosure.chatbot({ id: "s-or-1" }, { placement: "on-request" });
+  check("chatbot: on-request without opts.requested does not emit", d1.shouldEmit === false);
+  var d2 = b.ai.disclosure.chatbot({ id: "s-or-2" }, {
+    placement: "on-request",
+    requested: true,
+  });
+  check("chatbot: on-request with opts.requested:true emits", d2.shouldEmit === true);
+}
+
+async function testChatbotAlwaysPlacement() {
+  var d = b.ai.disclosure.chatbot({ id: "s3", aiDisclosureEmitted: true }, {
+    placement: "always",
+  });
+  check("chatbot: shouldEmit true under placement: always regardless of prior emission",
+    d.shouldEmit);
+}
+
+async function testChatbotRefusesBadJurisdiction() {
+  var refused = null;
+  try {
+    b.ai.disclosure.chatbot({ id: "s4" }, { jurisdiction: "not-a-jurisdiction" });
+  } catch (e) { refused = e; }
+  check("chatbot: bad jurisdiction refused with typed error",
+    refused && /bad-jurisdiction/.test(refused.code || refused.message));
+  check("chatbot: refusal is a b.ai.disclosure.AiDisclosureError",
+    refused instanceof b.ai.disclosure.AiDisclosureError);
+}
+
+async function testDeepfakeImage() {
+  var audit = _makeFakeAudit();
+  var d = b.ai.disclosure.deepfake("imageBytes", {
+    contentType: "image",
+    placement:   "both",
+    audit:       audit,
+  });
+  check("deepfake: image carries visible label", typeof d.label === "string" && d.label.length > 0);
+  check("deepfake: image carries machine-readable metadata", d.metadata !== null && d.metadata.ai_generated === true);
+  check("deepfake: schema reserved for C2PA v0.12.21 hand-off",
+    d.metadata.schema === "c2pa-v1.4-ready");
+  check("deepfake: default jurisdiction is eu (cross-walk single-entry)",
+    d.crossWalk.length === 1 && d.crossWalk[0] === "eu-ai-act/Art. 50(4)");
+  check("deepfake: audit event emitted",
+    audit.events.length === 1 && audit.events[0].action === "ai-act/deepfake-disclosure-applied");
+}
+
+async function testDeepfakeCrossWalkCalifornia() {
+  var d = b.ai.disclosure.deepfake("imageBytes", {
+    contentType:  "image",
+    jurisdiction: "us-ca",
+  });
+  check("deepfake: us-ca jurisdiction adds AB-853 cross-walk entry",
+    d.crossWalk.length === 2 && d.crossWalk.indexOf("us-ca/AB-853 §22949.91") !== -1);
+}
+
+async function testDeepfakeCrossWalkChina() {
+  var d = b.ai.disclosure.deepfake("imageBytes", {
+    contentType:  "image",
+    jurisdiction: "cn",
+  });
+  check("deepfake: cn jurisdiction adds CAC GenAI Art. 12 cross-walk entry",
+    d.crossWalk.length === 2 && d.crossWalk.indexOf("cn/CAC-GenAI Measures Art. 12") !== -1);
+}
+
+async function testDeepfakeRefusesBadContentType() {
+  var refused = null;
+  try {
+    b.ai.disclosure.deepfake("bytes", { contentType: "spreadsheet" });
+  } catch (e) { refused = e; }
+  check("deepfake: invalid contentType refused upfront",
+    refused && /bad-arg/.test(refused.code || refused.message));
+}
+
+async function testDeepfakeLabelOnlyPlacement() {
+  var d = b.ai.disclosure.deepfake("bytes", { contentType: "text", placement: "label" });
+  check("deepfake: placement: label yields no metadata payload", d.metadata === null);
+  check("deepfake: placement: label yields visible label", typeof d.label === "string");
+}
+
+async function testDeepfakeMetadataOnlyPlacement() {
+  var d = b.ai.disclosure.deepfake("bytes", { contentType: "video", placement: "metadata" });
+  check("deepfake: placement: metadata yields no visible label", d.label === null);
+  check("deepfake: placement: metadata yields structured payload",
+    d.metadata !== null && d.metadata.content_type === "video");
+}
+
+async function testEmotionDisclosure() {
+  var audit = _makeFakeAudit();
+  var d = b.ai.disclosure.emotion({ systemType: "emotion", audit: audit });
+  check("emotion: carries Art. 50(3) reference", d.article === "Art. 50(3)");
+  check("emotion: audit event emitted",
+    audit.events.length === 1 && audit.events[0].action === "ai-act/emotion-disclosure-applied");
+}
+
+async function testEmotionBiometricCategorisation() {
+  var d = b.ai.disclosure.emotion({ systemType: "biometric-categorisation" });
+  check("emotion: biometric-categorisation systemType accepted",
+    d.systemType === "biometric-categorisation");
+}
+
+async function testAuditDropSilent() {
+  // Per rule §5 — hot-path observability sinks drop silent. Pass an
+  // audit whose safeEmit throws + verify the primitive doesn't fail.
+  var throwingAudit = { safeEmit: function () { throw new Error("audit-bus-down"); } };
+  var d = b.ai.disclosure.chatbot({ id: "s5" }, {
+    placement: "first-message",
+    audit:     throwingAudit,
+  });
+  check("chatbot: audit emit failure does not crash the disclosure path",
+    d.shouldEmit === true);
+}
+
+async function run() {
+  await testChatbotFirstContact();
+  await testChatbotFirstMessageMutatesSession();
+  await testChatbotOnRequestGatesOnRequested();
+  await testChatbotPostFirstContact();
+  await testChatbotAlwaysPlacement();
+  await testChatbotRefusesBadJurisdiction();
+  await testDeepfakeImage();
+  await testDeepfakeCrossWalkCalifornia();
+  await testDeepfakeCrossWalkChina();
+  await testDeepfakeRefusesBadContentType();
+  await testDeepfakeLabelOnlyPlacement();
+  await testDeepfakeMetadataOnlyPlacement();
+  await testEmotionDisclosure();
+  await testEmotionBiometricCategorisation();
+  await testAuditDropSilent();
+}
+
+module.exports = { run: run };
+
+if (require.main === module) {
+  run().then(
+    function () { console.log("[ai-disclosure] OK — " + helpers.getChecks() + " checks passed"); },
+    function (e) { console.error("FAIL:", e && e.stack || e); process.exit(1); }
+  );
+}

package/lib/vendor/blamejs/test/layer-0-primitives/codebase-patterns.test.js

@@ -2242,11 +2242,33 @@ async function testNoDuplicateCodeBlocks() {
     {
       mode:  "family-subset",
       files: [
+        "lib/ai-disclosure.js:chatbot",
         "lib/backup/index.js:bundleAdapterStorage",
         "lib/importmap-integrity.js:build",
         "lib/metrics.js:shadowRegistry",
       ],
-      reason: "v0.12.11 — bundleAdapterStorage's opts-validation cascade (cryptoStrategy / recipient / passphrase / posture branches each with their own throw-on-bad-shape gates) reaches 50-token duplication with importmap-integrity.build's manifest-shape cascade + metrics.shadowRegistry's registry-config cascade by coincidence of the chained-if-throw-Error pattern. Each cascade carries primitive-specific semantics (crypto strategy vs SRI hash list vs shadow-collector config); extracting would require a generic options-cascade helper that loses the per-primitive error codes operators grep for in audit logs.",
+      reason: "v0.12.11/v0.12.12 — opts-validation cascade shape (chained `if (typeof opts.X !== \"...\") throw ...`) reaches 50-token duplication across primitives that each carry distinct semantic vocabulary. bundleAdapterStorage validates cryptoStrategy / recipient / passphrase / posture; importmap-integrity.build validates SRI hash list / nonce policy; metrics.shadowRegistry validates collector config; ai-disclosure.chatbot validates session / placement / jurisdiction per EU AI Act Art. 50(1). Extracting would require a generic options-cascade helper that loses per-primitive error codes operators grep for in audit logs.",
+    },
+    {
+      mode:  "family-subset",
+      files: [
+        "lib/ai-disclosure.js:chatbot",
+        "lib/auth/dpop.js:_canonicalJwk",
+        "lib/auth/sd-jwt-vc-holder.js:store",
+        "lib/compliance-sanctions.js:screen",
+        "lib/dora.js:_validateReportInput",
+        "lib/fda-21cfr11.js:_validateSignatureInput",
+        "lib/guard-envelope.js:check",
+        "lib/guard-list-unsubscribe.js:validate",
+        "lib/guard-mail-query.js:validateActor",
+        "lib/guard-mail-reply.js:validate",
+        "lib/guard-saga-config.js:validate",
+        "lib/guard-trace-context.js:validate",
+        "lib/incident-report.js:open",
+        "lib/mail-greylist.js:check",
+        "lib/mail-helo.js:evaluate",
+      ],
+      reason: "v0.12.12 — `if (!opts || typeof opts !== \"object\") throw Error(...) ; if (typeof opts.X !== \"string\") throw Error(...)` argument-shape preamble is the framework's standard primitive boundary check. Every guard family member + every compliance / mail / auth primitive that takes an opts object shares this shingle. Extracting would require a generic argShape helper, but the throw-on-bad-shape carries primitive-specific Error subclasses (AiDisclosureError, GuardEnvelopeError, etc.) that operators grep for. Family is wide and stays inline by design.",
     },
     {
       mode:  "family-subset",
@@ -5624,6 +5646,25 @@ var KNOWN_ANTIPATTERNS = [
     reason: "Codex P1 on v0.12.7 PR #158 — archive-read.extract used renameSync to atomically place each decompressed entry at its canonical destination + tracked written[].path for catch-block cleanup. When the destination directory was non-empty, the rename silently overwrote operator files; on extract abort, the cleanup deleted them. Fix: refuse upfront if destination path exists, force operators to use a fresh / empty subtree. Detector locks the shape: any extract code that tracks resolvedPath for catch-block cleanup MUST carry a `destination-exists` refusal in the same file.",
   },
 
+  {
+    // Codex P1A on v0.12.12 PR #163 — "on-request" placement
+    // semantics collapsed into "always" when shouldEmit didn't
+    // gate on an explicit `opts.requested` signal. Detector locks
+    // the contract: any compliance-disclosure primitive in
+    // lib/ai-disclosure.js with a placement-mode dispatch MUST
+    // gate the "on-request" branch on an explicit opt rather than
+    // unconditionally returning true. The pattern is narrow
+    // (file-scoped to ai-disclosure.js) because the bug shape was
+    // specific to the Art. 50 placement enum.
+    id: "ai-disclosure-on-request-without-requested-gate",
+    primitive: "in lib/ai-disclosure.js, placement === \"on-request\" branches must gate on an explicit opt (e.g. opts.requested === true) so the disclosure doesn't fire on every call. Without the gate, on-request collapses into always-on semantics and the operator's three placement modes become two.",
+    regex: /placement\s*===\s*["']on-request["']/,
+    requires: /requested|allow:ai-disclosure-on-request-without-requested-gate/,
+    skipCommentLines: true,
+    allowlist: [],
+    reason: "Codex P1A on v0.12.12 PR #163 — ai-disclosure.chatbot's on-request placement returned shouldEmit=true unconditionally, breaking the three-mode placement contract. Detector locks the static shape so a future placement primitive in ai-disclosure.js can't regress.",
+  },
+
   // Codex P1 on v0.12.11 PR #162 — surfaced the NaN/Infinity bypass
   // through `typeof X === "number" ? X : default` gating. The
   // pattern exists widely in the codebase (~29 call sites at the

package/lib/webhook-receiver.js

@@ -293,10 +293,7 @@ function _coerceBodyBytes(body) {
 
 function _generateSecret() {
   var buf = _b().crypto.generateBytes(SECRET_BYTE_LEN);
-  return buf.toString("base64")
-    .replace(/\+/g, "-")
-    .replace(/\//g, "_")
-    .replace(/=+$/, "");
+  return _b().crypto.toBase64Url(buf);
 }
 
 function _canonicalSecret(input) {

package/lib/wishlist-sharing.js

@@ -216,15 +216,11 @@ function _viewerSessionId(s) {
 
 // ---- token generation + hashing -----------------------------------------
 
-// 32 random bytes -> 43-char base64url (no padding). Manual encode
-// so the primitive doesn't depend on a Buffer-side flag rename
-// across Node minors.
+// 32 random bytes -> 43-char base64url (no padding) via
+// `b.crypto.toBase64Url`.
 function _generateToken() {
   var buf = _b().crypto.generateBytes(TOKEN_BYTE_LEN);
-  return buf.toString("base64")
-    .replace(/\+/g, "-")
-    .replace(/\//g, "_")
-    .replace(/=+$/, "");
+  return _b().crypto.toBase64Url(buf);
 }
 
 function _canonicalToken(input) {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@blamejs/blamejs-shop",
-  "version": "0.0.111",
+  "version": "0.0.112",
   "description": "Open-source framework built on blamejs. Vendored stack, zero npm runtime deps, PQC-first crypto, security-on by default.",
   "main": "lib/index.js",
   "scripts": {