@blamejs/blamejs-shop 0.0.129 → 0.1.1

package/lib/vendor/blamejs/lib/vc.js

@@ -51,6 +51,11 @@ var VCDM_V2_CONTEXT = "https://www.w3.org/ns/credentials/v2";
 var JOSE_TYP = "vc+jwt";
 var COSE_TYP = "application/vc+cose";
 var COSE_CONTENT_TYPE = "application/vc";
+var VP_JOSE_TYP = "vp+jwt";
+var VP_COSE_TYP = "application/vp+cose";
+var VP_COSE_CONTENT_TYPE = "application/vp";
+var MAX_PRESENTATION_CREDENTIALS = 64;                 // allow:raw-byte-literal — bounded count of enveloped VCs per presentation
+var ENVELOPED_VC_TYPE = "EnvelopedVerifiableCredential";
 var HDR_COSE_TYP = 16;                                 // allow:raw-byte-literal — COSE "typ" header label (RFC 9596)
 
 // JOSE signature algorithms (final RFC 7518 / 8037), mapped to node
@@ -165,36 +170,43 @@ async function issue(credential, opts) {
   _validateVcdm(credential, null);
   if (!opts.privateKey) throw new VcError("vc/no-key", "vc.issue: opts.privateKey is required");
 
+  return _sign(credential, opts, JOSE_TYP, COSE_TYP, COSE_CONTENT_TYPE, "vc.issue");
+}
+
+// Secure a JSON document (credential or presentation) as a compact JWS
+// (jose) or COSE_Sign1 (cose) with the given media-type headers. The
+// document is the exact signed payload — no claims wrapper.
+function _sign(doc, opts, joseTyp, coseTyp, coseContentType, fnName) {
   if (opts.securing === "cose") {
     var protectedHeaders = {};
-    protectedHeaders[HDR_COSE_TYP] = COSE_TYP;
-    return cose.sign(Buffer.from(JSON.stringify(credential), "utf8"), {
+    protectedHeaders[HDR_COSE_TYP] = coseTyp;
+    return cose.sign(Buffer.from(JSON.stringify(doc), "utf8"), {
       alg:              opts.alg,
       privateKey:       opts.privateKey,
       kid:              opts.kid,
-      contentType:      COSE_CONTENT_TYPE,
+      contentType:      coseContentType,
       protectedHeaders: protectedHeaders,
     });
   }
   if (opts.securing === "jose") {
     var params = JOSE_ALGS[opts.alg];
     if (!params) {
-      throw new VcError("vc/bad-alg", "vc.issue: JOSE securing requires alg ES256/384/512 or EdDSA (got " + opts.alg + ")");
+      throw new VcError("vc/bad-alg", fnName + ": JOSE securing requires alg ES256/384/512 or EdDSA (got " + opts.alg + ")");
     }
     var key = _toKey(opts.privateKey, "private");
-    var header = { alg: opts.alg, typ: JOSE_TYP };
+    var header = { alg: opts.alg, typ: joseTyp };
     if (typeof opts.kid === "string") header.kid = opts.kid;
     if (typeof opts.cty === "string") header.cty = opts.cty;
-    var signingInput = _b64urlJson(header) + "." + _b64urlJson(credential);
+    var signingInput = _b64urlJson(header) + "." + _b64urlJson(doc);
     var sig = params.nodeHash === null
       ? nodeCrypto.sign(null, Buffer.from(signingInput, "ascii"), key)
       : nodeCrypto.sign(params.nodeHash, Buffer.from(signingInput, "ascii"), { key: key, dsaEncoding: params.dsaEncoding });
     return signingInput + "." + sig.toString("base64url");
   }
-  throw new VcError("vc/bad-securing", "vc.issue: securing must be 'jose' or 'cose'");
+  throw new VcError("vc/bad-securing", fnName + ": securing must be 'jose' or 'cose'");
 }
 
-function _verifyJose(token, opts) {
+function _verifyJose(token, opts, expectedTyp) {
   var parts = token.split(".");
   if (parts.length !== 3) {
     throw new VcError("vc/malformed", "vc.verify: not a compact JWS (expected three dot-separated segments)");
@@ -202,8 +214,8 @@ function _verifyJose(token, opts) {
   var header;
   try { header = safeJson.parse(Buffer.from(parts[0], "base64url").toString("utf8")); }
   catch (_e) { throw new VcError("vc/malformed", "vc.verify: JWS header is not valid base64url-JSON"); }
-  if (!header || header.typ !== JOSE_TYP) {
-    throw new VcError("vc/bad-typ", "vc.verify: JWS typ must be '" + JOSE_TYP + "'");
+  if (!header || header.typ !== expectedTyp) {
+    throw new VcError("vc/bad-typ", "vc.verify: JWS typ must be '" + expectedTyp + "'");
   }
   // crit-bypass defense (RFC 7515 §4.1.11): a `crit` header marks
   // extensions the verifier MUST understand and process. This verifier
@@ -228,16 +240,16 @@ function _verifyJose(token, opts) {
     ? nodeCrypto.verify(null, Buffer.from(signingInput, "ascii"), pub, sig)
     : nodeCrypto.verify(params.nodeHash, Buffer.from(signingInput, "ascii"), { key: pub, dsaEncoding: params.dsaEncoding }, sig);
   if (!ok) throw new VcError("vc/bad-signature", "vc.verify: JWS signature did not verify");
-  var credential;
-  try { credential = safeJson.parse(Buffer.from(parts[1], "base64url").toString("utf8")); }
+  var payload;
+  try { payload = safeJson.parse(Buffer.from(parts[1], "base64url").toString("utf8")); }
   catch (_e) { throw new VcError("vc/malformed", "vc.verify: JWS payload is not valid base64url-JSON"); }
-  return { credential: credential, alg: header.alg };
+  return { payload: payload, alg: header.alg };
 }
 
-async function _verifyCose(bytes, opts) {
+async function _verifyCose(bytes, opts, expectedTyp) {
   var algorithms = opts.algorithms.filter(function (a) { return a in cose.ALGORITHMS; });
   if (!algorithms.length) {
-    throw new VcError("vc/no-cose-alg", "vc.verify: opts.algorithms has no COSE algorithm for a vc+cose credential");
+    throw new VcError("vc/no-cose-alg", "vc.verify: opts.algorithms has no COSE algorithm for a COSE-secured credential");
   }
   var out = await cose.verify(bytes, {
     algorithms:  algorithms,
@@ -245,13 +257,25 @@ async function _verifyCose(bytes, opts) {
     keyResolver: opts.keyResolver,
   });
   var typ = out.protectedHeaders.get(HDR_COSE_TYP);
-  if (typ !== undefined && typ !== COSE_TYP) {
-    throw new VcError("vc/bad-typ", "vc.verify: COSE typ header is '" + typ + "', expected '" + COSE_TYP + "'");
+  if (typ !== undefined && typ !== expectedTyp) {
+    throw new VcError("vc/bad-typ", "vc.verify: COSE typ header is '" + typ + "', expected '" + expectedTyp + "'");
   }
-  var credential;
-  try { credential = safeJson.parse(out.payload.toString("utf8")); }
+  var payload;
+  try { payload = safeJson.parse(out.payload.toString("utf8")); }
   catch (_e) { throw new VcError("vc/malformed", "vc.verify: COSE payload is not valid JSON"); }
-  return { credential: credential, alg: out.alg };
+  return { payload: payload, alg: out.alg };
+}
+
+// Verify a secured JSON document (the JOSE/COSE envelope) → { payload,
+// alg, securing }. Shared by credential + presentation verification.
+async function _verifySecured(secured, opts, joseTyp, coseTyp) {
+  if (typeof secured === "string") {
+    return Object.assign({ securing: "jose" }, _verifyJose(secured, opts, joseTyp));
+  }
+  if (Buffer.isBuffer(secured) || secured instanceof Uint8Array) {
+    return Object.assign({ securing: "cose" }, await _verifyCose(Buffer.from(secured), opts, coseTyp));
+  }
+  throw new VcError("vc/bad-input", "vc.verify: secured must be a compact-JWS string or COSE_Sign1 bytes");
 }
 
 /**
@@ -300,28 +324,202 @@ async function verify(secured, opts) {
     at = opts.at;
   }
 
-  var securing, result;
-  if (typeof secured === "string") {
-    securing = "jose";
-    result = _verifyJose(secured, opts);
-  } else if (Buffer.isBuffer(secured) || secured instanceof Uint8Array) {
-    securing = "cose";
-    result = await _verifyCose(Buffer.from(secured), opts);
-  } else {
-    throw new VcError("vc/bad-input", "vc.verify: secured must be a compact-JWS string or COSE_Sign1 bytes");
-  }
+  var result = await _verifySecured(secured, opts, JOSE_TYP, COSE_TYP);
 
-  _validateVcdm(result.credential, { temporal: true, at: at });
-  var issuer = _issuerId(result.credential);
+  _validateVcdm(result.payload, { temporal: true, at: at });
+  var issuer = _issuerId(result.payload);
   if (opts.expectedIssuer !== undefined && issuer !== opts.expectedIssuer) {
     throw new VcError("vc/issuer-mismatch", "vc.verify: credential issuer does not match expectedIssuer");
   }
-  return { credential: result.credential, securing: securing, alg: result.alg, issuer: issuer };
+  return { credential: result.payload, securing: result.securing, alg: result.alg, issuer: issuer };
+}
+
+// VCDM 2.0 presentation structural rules.
+function _validateVp(vp) {
+  if (!vp || typeof vp !== "object" || Array.isArray(vp)) {
+    throw new VcError("vc/bad-presentation", "vc: presentation must be a JSON object");
+  }
+  var ctx = vp["@context"];
+  if (!Array.isArray(ctx) || ctx[0] !== VCDM_V2_CONTEXT) {
+    throw new VcError("vc/bad-context", "vc: presentation @context must start with '" + VCDM_V2_CONTEXT + "'");
+  }
+  var types = Array.isArray(vp.type) ? vp.type : [vp.type];
+  if (types.indexOf("VerifiablePresentation") === -1) {
+    throw new VcError("vc/bad-type", "vc: type must include 'VerifiablePresentation'");
+  }
+  // verifiableCredential, when present, MUST be an array — a non-array
+  // value must fail closed rather than coerce to empty (which would let
+  // a holder bypass credential verification with a malformed container).
+  if (vp.verifiableCredential !== undefined && !Array.isArray(vp.verifiableCredential)) {
+    throw new VcError("vc/bad-presentation", "vc: verifiableCredential must be an array");
+  }
+}
+
+// An enveloped VC (VC-JOSE-COSE §enveloping): a data: URI whose media
+// type selects the securing and whose body is the secured credential.
+function _envelopeVc(securedVc) {
+  if (typeof securedVc === "string") {
+    return { "@context": [VCDM_V2_CONTEXT], type: ENVELOPED_VC_TYPE, id: "data:application/vc+jwt," + securedVc };
+  }
+  if (Buffer.isBuffer(securedVc) || securedVc instanceof Uint8Array) {
+    return { "@context": [VCDM_V2_CONTEXT], type: ENVELOPED_VC_TYPE,
+      id: "data:application/vc+cose;base64," + Buffer.from(securedVc).toString("base64") };
+  }
+  throw new VcError("vc/bad-credential", "vc.present: each credential must be a compact-JWS string or COSE_Sign1 bytes");
+}
+
+function _parseEnvelopedVc(entry) {
+  if (!entry || typeof entry !== "object" || entry.type !== ENVELOPED_VC_TYPE || typeof entry.id !== "string") {
+    throw new VcError("vc/bad-enveloped", "vc.verifyPresentation: verifiableCredential entries must be EnvelopedVerifiableCredential data: URIs");
+  }
+  var comma = entry.id.indexOf(",");
+  if (entry.id.indexOf("data:") !== 0 || comma === -1) {
+    throw new VcError("vc/bad-enveloped", "vc.verifyPresentation: enveloped credential id is not a data: URI");
+  }
+  var meta = entry.id.slice("data:".length, comma);
+  var body = entry.id.slice(comma + 1);
+  if (meta.indexOf("application/vc+cose") === 0) return Buffer.from(body, "base64");
+  if (meta.indexOf("application/vc+jwt") === 0) return body;
+  throw new VcError("vc/bad-enveloped", "vc.verifyPresentation: unsupported enveloped media type '" + meta + "'");
+}
+
+/**
+ * @primitive b.vc.present
+ * @signature b.vc.present(opts)
+ * @since     0.12.42
+ * @status    experimental
+ * @compliance gdpr, soc2
+ * @related   b.vc.verifyPresentation, b.vc.issue
+ *
+ * Build and sign a W3C Verifiable Presentation: a holder-signed envelope
+ * wrapping one or more secured credentials (each enveloped per
+ * VC-JOSE-COSE). <code>securing</code> and the algorithms match
+ * <code>b.vc.issue</code> (compact JWS <code>vp+jwt</code>, or COSE_Sign1
+ * <code>application/vp+cose</code>). Supply <code>nonce</code> /
+ * <code>audience</code> for holder-binding / replay protection — they
+ * are embedded in the signed presentation and checked at verification.
+ *
+ * @opts
+ *   {
+ *     credentials: array,    // secured VCs (compact-JWS strings or COSE_Sign1 bytes)
+ *     holder:      string,   // the presenter (a DID or other id)
+ *     securing:    string,   // "jose" | "cose"
+ *     alg:         string,   // JOSE: ES256/384/512 | EdDSA. COSE: + ML-DSA-87
+ *     privateKey:  object,   // the holder's key
+ *     kid:         string,   // optional key id
+ *     nonce:       string,   // optional verifier challenge (embedded + checked)
+ *     audience:    string,   // optional intended verifier (embedded + checked)
+ *   }
+ *
+ * @example
+ *   var vp = await b.vc.present({ credentials: [jws], holder: holderDid, securing: "jose", alg: "ES256", privateKey: holderKey, nonce: challenge });
+ */
+async function present(opts) {
+  validateOpts.requireObject(opts, "vc.present", VcError);
+  validateOpts(opts, ["credentials", "holder", "securing", "alg", "privateKey", "kid", "nonce", "audience"], "vc.present");
+  if (!Array.isArray(opts.credentials) || opts.credentials.length === 0) {
+    throw new VcError("vc/no-credentials", "vc.present: opts.credentials must be a non-empty array");
+  }
+  if (opts.credentials.length > MAX_PRESENTATION_CREDENTIALS) {
+    throw new VcError("vc/too-many-credentials", "vc.present: at most " + MAX_PRESENTATION_CREDENTIALS + " credentials per presentation");
+  }
+  if (typeof opts.holder !== "string" || !opts.holder) {
+    throw new VcError("vc/no-holder", "vc.present: opts.holder is required (the presenter id / DID)");
+  }
+  if (!opts.privateKey) throw new VcError("vc/no-key", "vc.present: opts.privateKey is required");
+
+  var vp = {
+    "@context": [VCDM_V2_CONTEXT],
+    type: ["VerifiablePresentation"],
+    holder: opts.holder,
+    verifiableCredential: opts.credentials.map(_envelopeVc),
+  };
+  if (typeof opts.nonce === "string") vp.nonce = opts.nonce;
+  if (typeof opts.audience === "string") vp.audience = opts.audience;
+
+  return _sign(vp, opts, VP_JOSE_TYP, VP_COSE_TYP, VP_COSE_CONTENT_TYPE, "vc.present");
+}
+
+/**
+ * @primitive b.vc.verifyPresentation
+ * @signature b.vc.verifyPresentation(secured, opts)
+ * @since     0.12.42
+ * @status    experimental
+ * @compliance gdpr, soc2
+ * @related   b.vc.present, b.vc.verify
+ *
+ * Verify a Verifiable Presentation: the holder signature (auto-detected
+ * jose / cose, mandatory algorithm allowlist, JOSE <code>none</code>
+ * refused), the VCDM structure, and the embedded <code>nonce</code> /
+ * <code>audience</code> / <code>expectedHolder</code> when given. With
+ * <code>verifyCredentials: true</code> each enveloped credential is
+ * verified through <code>b.vc.verify</code> (using
+ * <code>opts.credentialOpts</code>) and returned.
+ *
+ * @opts
+ *   {
+ *     algorithms:      string[],  // required — holder-signature alg allowlist
+ *     publicKey:       object,    // the holder verification key
+ *     keyResolver:     function,  // (header) → holder key
+ *     expectedHolder:  string,    // require presentation holder to match
+ *     nonce:           string,    // require embedded nonce to match
+ *     audience:        string,    // require embedded audience to match
+ *     verifyCredentials: boolean, // verify each enveloped VC via b.vc.verify
+ *     credentialOpts:  object,    // opts passed to b.vc.verify for each VC
+ *   }
+ *
+ * @example
+ *   var out = await b.vc.verifyPresentation(vp, {
+ *     algorithms: ["ES256"], publicKey: holderKey, nonce: challenge,
+ *     verifyCredentials: true, credentialOpts: { algorithms: ["ES256"], publicKey: issuerKey },
+ *   });
+ *   // → { presentation, holder, credentials: [verified VCs], securing, alg }
+ */
+async function verifyPresentation(secured, opts) {
+  validateOpts.requireObject(opts, "vc.verifyPresentation", VcError);
+  validateOpts(opts, ["algorithms", "publicKey", "keyResolver", "expectedHolder", "nonce", "audience", "verifyCredentials", "credentialOpts"], "vc.verifyPresentation");
+  if (!Array.isArray(opts.algorithms) || opts.algorithms.length === 0) {
+    throw new VcError("vc/algorithms-required", "vc.verifyPresentation: opts.algorithms is required");
+  }
+  if (!opts.publicKey && typeof opts.keyResolver !== "function") {
+    throw new VcError("vc/no-key", "vc.verifyPresentation: pass publicKey or keyResolver");
+  }
+
+  var result = await _verifySecured(secured, opts, VP_JOSE_TYP, VP_COSE_TYP);
+  var vp = result.payload;
+  _validateVp(vp);
+
+  if (opts.expectedHolder !== undefined && vp.holder !== opts.expectedHolder) {
+    throw new VcError("vc/holder-mismatch", "vc.verifyPresentation: presentation holder does not match expectedHolder");
+  }
+  if (opts.nonce !== undefined && vp.nonce !== opts.nonce) {
+    throw new VcError("vc/nonce-mismatch", "vc.verifyPresentation: presentation nonce does not match");
+  }
+  if (opts.audience !== undefined && vp.audience !== opts.audience) {
+    throw new VcError("vc/audience-mismatch", "vc.verifyPresentation: presentation audience does not match");
+  }
+
+  var entries = vp.verifiableCredential || [];   // _validateVp guarantees array-or-absent
+  if (entries.length > MAX_PRESENTATION_CREDENTIALS) {
+    throw new VcError("vc/too-many-credentials", "vc.verifyPresentation: presentation carries more than " + MAX_PRESENTATION_CREDENTIALS + " credentials");
+  }
+  var credentials = [];
+  if (opts.verifyCredentials) {
+    var credOpts = opts.credentialOpts;
+    validateOpts.requireObject(credOpts, "vc.verifyPresentation.credentialOpts", VcError);
+    for (var i = 0; i < entries.length; i += 1) {
+      credentials.push(await verify(_parseEnvelopedVc(entries[i]), credOpts));
+    }
+  }
+
+  return { presentation: vp, holder: vp.holder, credentials: credentials, securing: result.securing, alg: result.alg };
 }
 
 module.exports = {
   issue:          issue,
   verify:         verify,
+  present:        present,
+  verifyPresentation: verifyPresentation,
   JOSE_ALGS:      JOSE_ALGS,
   VCDM_V2_CONTEXT: VCDM_V2_CONTEXT,
   VcError:        VcError,

package/lib/vendor/blamejs/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@blamejs/core",
-  "version": "0.12.40",
+  "version": "0.12.48",
   "description": "The Node framework that owns its stack.",
   "license": "Apache-2.0",
   "author": "blamejs contributors",

package/lib/vendor/blamejs/release-notes/v0.12.41.json

@@ -0,0 +1,18 @@
+{
+  "$schema": "../scripts/release-notes-schema.json",
+  "version": "0.12.41",
+  "date": "2026-05-24",
+  "headline": "`b.did` — W3C DID resolution (did:key + did:web) feeding the credential verifiers",
+  "summary": "Resolve W3C Decentralized Identifiers (DID Core 1.0) to verification keys — the link that lets a credential's issuer be named by a DID rather than a raw key. Resolve the issuer DID of a b.vc / b.mdoc / b.scitt credential to a node:crypto KeyObject and hand it to the verifier. did:key encodes the public key in the identifier (multicodec + base58btc), so resolution is deterministic and offline — Ed25519, P-256, P-384, and secp256k1 round-trip; did:web places the DID document at an HTTPS URL derived from the identifier, with the network fetch left to the operator (the framework parses the operator-fetched document and extracts its verification methods, as publicKeyMultibase or publicKeyJwk). b.did.keyToDid encodes a KeyObject as a did:key (an issuer naming itself), b.did.parse splits the identifier (and returns the did:web URL to fetch), and b.did.resolve returns the document and verification keys. DID Core 1.0 is a W3C Recommendation; the method specs (did:key W3C CCG report, did:web DID method registry — EUDI-mandated) are deployed-stable. Composes node:crypto; no new runtime dependency.",
+  "sections": [
+    {
+      "heading": "Added",
+      "items": [
+        {
+          "title": "`b.did.resolve(did, opts?)` / `b.did.keyToDid(publicKey)` / `b.did.parse(did)`",
+          "body": "`resolve` returns `{ didDocument, verificationMethods: [{ id, controller, type, publicKey }] }` with each `publicKey` a `node:crypto` KeyObject ready for `b.vc.verify` / `b.mdoc.verifyIssuerSigned` / `b.scitt.verifyStatement`. did:key resolves deterministically and offline (base58btc + multicodec → Ed25519 raw key or EC compressed point, rebuilt via SPKI); did:web requires the operator to pass the fetched DID document as `opts.document` (the URL to GET is on `b.did.parse(did).url`) and the document `id` must match the requested DID. A publicKeyJwk in a DID document is imported only after its `kty`/`crv` is allowlisted (Ed25519 / P-256 / P-384 / secp256k1) — an unexpected key type from an untrusted document is refused, not blindly imported. `keyToDid` encodes an Ed25519 / P-256 / P-384 / secp256k1 KeyObject as a did:key; `parse` derives the did:web HTTPS URL (`host[:port][:path]` → `https://host/path/did.json`, or `/.well-known/did.json`). Unknown methods, malformed base58, unsupported multicodec codes, and unsupported key types are each refused."
+        }
+      ]
+    }
+  ]
+}

package/lib/vendor/blamejs/release-notes/v0.12.42.json

@@ -0,0 +1,18 @@
+{
+  "$schema": "../scripts/release-notes-schema.json",
+  "version": "0.12.42",
+  "date": "2026-05-24",
+  "headline": "`b.vc.present` / `b.vc.verifyPresentation` — W3C Verifiable Presentations",
+  "summary": "Completes b.vc with the holder side: a Verifiable Presentation is a holder-signed envelope wrapping one or more credentials, proving the presenter controls the key the credentials were issued to. b.vc.present builds and signs a VerifiablePresentation (each credential enveloped per VC-JOSE-COSE) as a compact JWS (vp+jwt) or COSE_Sign1 (application/vp+cose), matching b.vc.issue's algorithms; an optional nonce / audience is embedded in the signed presentation for holder-binding and replay protection. b.vc.verifyPresentation verifies the holder signature (auto-detected jose/cose, mandatory algorithm allowlist, JOSE none refused), the VCDM structure, and the embedded nonce / audience / expectedHolder when given, and — with verifyCredentials: true — verifies each enveloped credential through b.vc.verify and returns them. The holder is typically a DID, resolved to a key via b.did. Composes b.cose; no new runtime dependency.",
+  "sections": [
+    {
+      "heading": "Added",
+      "items": [
+        {
+          "title": "`b.vc.present(opts)` / `b.vc.verifyPresentation(secured, opts)`",
+          "body": "`present` wraps `opts.credentials` (secured VCs — compact-JWS strings or COSE_Sign1 bytes, each enveloped as an `EnvelopedVerifiableCredential` data: URI) in a `VerifiablePresentation` signed by the holder, with optional `nonce` / `audience` embedded for binding. `verifyPresentation` verifies the holder signature against the mandatory `opts.algorithms` allowlist (JOSE `none` always refused), re-checks the VCDM structure, enforces `expectedHolder` / `nonce` / `audience` when supplied, and with `verifyCredentials: true` verifies each enveloped credential through `b.vc.verify` (using `opts.credentialOpts`), returning `{ presentation, holder, credentials, securing, alg }`. The enveloped-credential count is bounded. A `vp+jwt` presentation is refused by `b.vc.verify` and a `vc+jwt` credential is refused by `verifyPresentation` — the media-type binding keeps the two surfaces distinct."
+        }
+      ]
+    }
+  ]
+}

package/lib/vendor/blamejs/release-notes/v0.12.43.json

@@ -0,0 +1,18 @@
+{
+  "$schema": "../scripts/release-notes-schema.json",
+  "version": "0.12.43",
+  "date": "2026-05-25",
+  "headline": "`b.crypto.selfTest` — FIPS 140-3-style power-on self-test for the crypto stack",
+  "summary": "A power-on self-test over the framework's cryptographic primitives — the integrity check a FIPS 140-3-validated module runs at start-up. The hash / XOF checks are known-answer tests against NIST FIPS 202 published vectors (SHA3-256 / SHA3-512 / SHAKE256), so they confirm the framework's hashing matches the standard rather than merely itself; the AEAD check round-trips XChaCha20-Poly1305 and confirms a tampered ciphertext is rejected; and the post-quantum checks run a pairwise-consistency + negative test for ML-KEM-1024, ML-DSA-87, and SLH-DSA-SHAKE-256f (a fresh keypair must encaps/decaps and sign/verify consistently and reject a tampered signature — FIPS 140-3 §10.3 pairwise consistency, since the runtime exposes no seed-injection API for a fixed-seed KAT). selfTest returns a structured report and, by default, throws on any failure so a broken crypto stack fails closed at boot rather than silently producing bad output. Operators in regulated deployments can run it at start-up as a self-integrity gate.",
+  "sections": [
+    {
+      "heading": "Added",
+      "items": [
+        {
+          "title": "`b.crypto.selfTest(opts?)`",
+          "body": "Runs eight checks — SHA3-512 / SHA3-256 / SHAKE256 known-answer tests (NIST FIPS 202), HMAC-SHA3-512 determinism, XChaCha20-Poly1305 round-trip + tamper-detect, and ML-KEM-1024 / ML-DSA-87 / SLH-DSA-SHAKE-256f pairwise-consistency + negative tests — and returns `{ ok, results: [{ name, ok, detail? }], failures, ranAt }`. Throws `crypto/self-test-failed` (with the report attached) on any failure unless `opts.throwOnFailure` is `false`. Exercises the framework's real primitive paths so a self-test failure means the shipped crypto is broken."
+        }
+      ]
+    }
+  ]
+}

package/lib/vendor/blamejs/release-notes/v0.12.44.json

@@ -0,0 +1,18 @@
+{
+  "$schema": "../scripts/release-notes-schema.json",
+  "version": "0.12.44",
+  "date": "2026-05-25",
+  "headline": "`b.did` adds the did:jwk method",
+  "summary": "Completes b.did's method set with did:jwk alongside did:key and did:web. did:jwk encodes a public key as a base64url-encoded JWK directly in the identifier, so resolution is deterministic and offline — the same self-contained shape as did:key but in JWK form, which is what OpenID4VCI and the EU Digital Identity Wallet ecosystem commonly use. b.did.resolve(\"did:jwk:…\") returns the verification key as a node:crypto KeyObject (kty/crv allowlisted — Ed25519 / P-256 / P-384 / secp256k1 — so an unexpected key type is refused, not blindly imported), and b.did.keyToDid(publicKey, { method: \"jwk\" }) produces a did:jwk from a key (the private member is stripped). No new runtime dependency.",
+  "sections": [
+    {
+      "heading": "Added",
+      "items": [
+        {
+          "title": "did:jwk in `b.did.resolve` / `b.did.keyToDid`",
+          "body": "`resolve` decodes the base64url JWK (bounded via `b.safeJson`), allowlists its `kty`/`crv`, and returns `{ didDocument, verificationMethods: [{ publicKey, … }] }` with the key as a KeyObject ready for `b.vc` / `b.mdoc` / `b.scitt`; `keyToDid(publicKey, { method: \"jwk\" })` encodes a public key as `did:jwk:<base64url-JWK>` (default remains `did:key`). Malformed base64url-JSON is refused with `did/bad-jwk` and an unsupported key type with `did/unsupported-key`."
+        }
+      ]
+    }
+  ]
+}

package/lib/vendor/blamejs/release-notes/v0.12.45.json

@@ -0,0 +1,18 @@
+{
+  "$schema": "../scripts/release-notes-schema.json",
+  "version": "0.12.45",
+  "date": "2026-05-25",
+  "headline": "`b.cose` adds detached-payload sign/verify + `b.cose.importKey` (COSE_Key)",
+  "summary": "Two RFC 9052 / 9053 completions to the COSE substrate, both useable today and the prerequisites for mdoc device authentication and C2PA claim verification. Detached payloads (RFC 9052 §4.1): b.cose.sign with detached:true emits a COSE_Sign1 whose payload slot is nil — the signature still covers the payload, and the caller transmits it out of band; b.cose.verify takes the payload back as opts.externalPayload and binds it into the Sig_structure. A detached token verified without externalPayload is refused, and supplying externalPayload for an attached token is refused as ambiguous. COSE_Key import (RFC 9052 §7): b.cose.importKey turns a COSE_Key CBOR map into a node:crypto public KeyObject for b.cose.verify, accepting EC2 (P-256 / P-384 / P-521) and OKP (Ed25519) with the curve allowlisted so an unexpected key type is refused. No new runtime dependency.",
+  "sections": [
+    {
+      "heading": "Added",
+      "items": [
+        {
+          "title": "Detached COSE_Sign1 payloads + `b.cose.importKey(coseKey)`",
+          "body": "`b.cose.sign(payload, { detached: true })` emits a nil-payload COSE_Sign1 (the signature covers the payload regardless); `b.cose.verify(coseSign1, { externalPayload })` reconstructs the Sig_structure from the supplied payload, refusing a detached token with no `externalPayload` (`cose/detached-no-payload`) and refusing `externalPayload` on an attached token (`cose/payload-ambiguous`). `b.cose.importKey(coseKey)` maps a COSE_Key map (`kty` 2/EC2 with `crv` P-256/384/521, or `kty` 1/OKP with Ed25519) to a public KeyObject, allowlisting `kty`/`crv` and refusing anything else with `cose/unsupported-key` — the verification key embedded in an mdoc MSO or COSE_Key header is consumed this way."
+        }
+      ]
+    }
+  ]
+}

package/lib/vendor/blamejs/release-notes/v0.12.46.json

@@ -0,0 +1,18 @@
+{
+  "$schema": "../scripts/release-notes-schema.json",
+  "version": "0.12.46",
+  "date": "2026-05-25",
+  "headline": "`b.mdoc.verifyDeviceAuth` — ISO 18013-5 mdoc device authentication",
+  "summary": "Completes mdoc verification with the holder-binding half (ISO 18013-5 §9.1.3, signature variant). verifyIssuerSigned proves the data is issuer-signed; verifyDeviceAuth proves the presenter controls the device key the issuer bound into the MSO, so a captured issuer-signed document cannot be replayed by anyone else. The device's COSE_Sign1 (deviceSigned.deviceAuth.deviceSignature) is verified over the detached DeviceAuthentication structure [\"DeviceAuthentication\", SessionTranscript, DocType, DeviceNameSpacesBytes] using the device key from verifyIssuerSigned().deviceKey (now surfaced) and the operator-supplied SessionTranscript that binds the proof to this exact exchange (the presentation protocol — e.g. OpenID4VP — defines the transcript). Composes the v0.12.45 b.cose detached-payload verify + importKey. The MAC variant (deviceMac / COSE_Mac0, used in proximity flows with a reader ephemeral key) is deferred and refused with mdoc/device-mac-unsupported. No new runtime dependency.",
+  "sections": [
+    {
+      "heading": "Added",
+      "items": [
+        {
+          "title": "`b.mdoc.verifyDeviceAuth(opts)` + `deviceKey` on the verifyIssuerSigned result",
+          "body": "`verifyDeviceAuth({ deviceKey, deviceSigned, docType, sessionTranscript, algorithms })` imports the device key (a COSE_Key via `b.cose.importKey`, or a KeyObject), reconstructs the detached `DeviceAuthentication` payload, and verifies the `deviceSignature` COSE_Sign1 against the mandatory algorithm allowlist — a mismatched `sessionTranscript` or `docType` fails the signature. `verifyIssuerSigned` now returns `deviceKey` (the MSO `deviceKeyInfo.deviceKey`) so the two checks chain. The MAC variant (`deviceMac`) is refused with `mdoc/device-mac-unsupported` pending COSE_Mac0 + reader-key support."
+        }
+      ]
+    }
+  ]
+}

package/lib/vendor/blamejs/release-notes/v0.12.47.json

@@ -0,0 +1,18 @@
+{
+  "$schema": "../scripts/release-notes-schema.json",
+  "version": "0.12.47",
+  "date": "2026-05-25",
+  "headline": "`b.cose.mac0` / `b.cose.macVerify0` — COSE_Mac0 (RFC 9052 §6.2)",
+  "summary": "Completes the COSE message-type set (COSE_Sign1 / COSE_Encrypt0 / COSE_Mac0) with single shared-key MACs. b.cose.mac0 produces a tagged COSE_Mac0 over a payload using HMAC-SHA-256/384/512 (the COSE-standard MAC algorithms; HMAC is symmetric, so its post-quantum strength is preserved). b.cose.macVerify0 recomputes the tag over the MAC_structure and compares it in constant time, with a mandatory algorithm allowlist. Use when both parties hold a shared key — e.g. an ECDH-derived key — and a non-repudiable signature is not wanted; detached payloads are supported (the proximity mdoc device-MAC variant and MACed CWTs are the consumers). Composes b.cbor + the framework's constant-time compare; no new runtime dependency.",
+  "sections": [
+    {
+      "heading": "Added",
+      "items": [
+        {
+          "title": "`b.cose.mac0(payload, opts)` / `b.cose.macVerify0(coseMac0, opts)`",
+          "body": "`mac0` emits a tagged COSE_Mac0 (tag 17) with `alg` (`HMAC-256/256` | `HMAC-384/384` | `HMAC-512/512`) in the protected header and the HMAC tag computed over the MAC_structure `[\"MAC0\", protected, external_aad, payload]`; `detached: true` emits a nil payload. `macVerify0` reads the algorithm from the protected header (must be in the required `opts.algorithms` allowlist), recomputes the tag, and compares it constant-time — a wrong key, tampered tag, or `external_aad` mismatch is refused with `cose/bad-tag`; a detached payload is supplied via `opts.externalPayload`. `external_aad` binds context into the tag."
+        }
+      ]
+    }
+  ]
+}

package/lib/vendor/blamejs/release-notes/v0.12.48.json

@@ -0,0 +1,22 @@
+{
+  "$schema": "../scripts/release-notes-schema.json",
+  "version": "0.12.48",
+  "date": "2026-05-25",
+  "headline": "`b.network.dns.dnssec` — local DNSSEC signature verification (RFC 4035)",
+  "summary": "Verify a DNS answer's RRSIG signature yourself instead of trusting the upstream resolver's AD bit. b.network.dns.dnssec.verifyRrset reconstructs the RFC 4034 §3.1.8.1 signed data — the RRSIG RDATA without the signature, followed by the RRset in canonical form (owner names lowercased, RRs ordered by canonical RDATA, the RRSIG's Original TTL) — and checks the signature against the DNSKEY, enforcing the inception / expiration window. Supports RSA/SHA-256 (alg 8), ECDSA P-256/SHA-256 (13), ECDSA P-384/SHA-384 (14), and Ed25519 (15) — the modern deployed set. verifyDs checks a delegation-signer digest against a DNSKEY (SHA-256 / SHA-384) and keyTag computes the RFC 4034 Appendix B key tag. The verification core is what a chain-walker composes; it defends against a compromised or on-path resolver that lies about authentication.",
+  "sections": [
+    {
+      "heading": "Added",
+      "items": [
+        {
+          "title": "`b.network.dns.dnssec.verifyRrset(opts)`",
+          "body": "Verifies an RRSIG over a canonicalised RRset against a DNSKEY. `opts` carries the owner `name`, the RR `type`, the wire-format `rdatas`, the parsed `rrsig` (algorithm / labels / originalTtl / inception / expiration / keyTag / signerName / signature), and the `dnskey` (algorithm + raw public key). The signed data is rebuilt per RFC 4034 §3.1.8.1: the RRSIG prefix (type covered | algorithm | labels | original TTL | expiration | inception | key tag | canonical signer name) followed by each RR in canonical form (lowercased owner | type | class | original TTL | rdlen | rdata), sorted by `Buffer.compare` on the RDATA. The validity window is enforced against `opts.at` (defaults to now; an invalid Date is refused, not treated as now). An RRSIG whose algorithm disagrees with the DNSKEY is refused before any key is built. RR types that embed domain names in their RDATA (NS, CNAME, SOA, MX, SRV, …) need RDATA-internal name-lowercasing this version does not perform, so they are refused with `dnssec/uncanonicalizable-type` rather than mis-validated; the security-critical DNSKEY / DS and the name-free address / text types (A, AAAA, TXT, CAA, TLSA, …) are fully supported."
+        },
+        {
+          "title": "`b.network.dns.dnssec.verifyDs(opts)` / `b.network.dns.dnssec.keyTag(dnskeyRdata)`",
+          "body": "`verifyDs` confirms a delegation-signer record matches a DNSKEY: it checks the key tag, then compares the DS digest (SHA-256 type 2 / SHA-384 type 4) against the digest computed over the canonical owner name and the DNSKEY RDATA, constant-time. `keyTag` computes the RFC 4034 Appendix B 16-bit key tag from a DNSKEY's full RDATA — the identifier an RRSIG or DS uses to select the signing key. Together with `verifyRrset` these are the per-RRset building blocks a recursive chain-walk (root → TLD → zone) composes; the chain-walk itself, NSEC / NSEC3 denial-of-existence, and the bundled IANA root trust anchor are not part of this core."
+        }
+      ]
+    }
+  ]
+}

package/lib/vendor/blamejs/test/layer-0-primitives/codebase-patterns.test.js

@@ -2241,6 +2241,7 @@ async function testNoDuplicateCodeBlocks() {
       mode:  "family-subset",
       files: [
         "lib/cose.js:verify",
+        "lib/cose.js:macVerify0",
         "lib/auth/sd-jwt-vc-issuer.js:create",
         "lib/break-glass.js:_validatePolicySet",
         "lib/calendar.js:validate",
@@ -2256,10 +2257,20 @@ async function testNoDuplicateCodeBlocks() {
       mode:  "family-subset",
       files: [
         "lib/mdoc.js:verifyIssuerSigned",
+        "lib/network-dnssec.js:verifyRrset",
         "lib/tsa.js:verifyToken",
         "lib/vc.js:verify",
       ],
-      reason: "v0.12.40 — signature-verify entry preamble shared by three credential / token verifiers: `validateOpts(allowedKeys) + mandatory algorithms-allowlist check + opts.at valid-Date guard + publicKey/keyResolver presence check`, then divergent domain logic. tsa.verifyToken verifies an RFC 3161 timestamp token (CMS SignedData + message-imprint + EKU); vc.verify verifies a W3C VC-JOSE-COSE credential (JWS/COSE + VCDM structural + validity window); mdoc.verifyIssuerSigned verifies an ISO 18013-5 mdoc (COSE_Sign1 IssuerAuth + MSO valueDigests matching). Each consumes a different wire format, returns a different shape, and throws a primitive-specific typed error — the shingle is the validate-then-guard preamble, not behaviour. Same family as the v0.12.33 cose.verify cluster.",
+      reason: "v0.12.40 — signature-verify entry preamble shared by four credential / token / DNS verifiers: `validateOpts(allowedKeys) + mandatory algorithms-allowlist check + opts.at valid-Date guard + publicKey/keyResolver presence check`, then divergent domain logic. tsa.verifyToken verifies an RFC 3161 timestamp token (CMS SignedData + message-imprint + EKU); vc.verify verifies a W3C VC-JOSE-COSE credential (JWS/COSE + VCDM structural + validity window); mdoc.verifyIssuerSigned verifies an ISO 18013-5 mdoc (COSE_Sign1 IssuerAuth + MSO valueDigests matching); network-dnssec.verifyRrset verifies a DNSSEC RRSIG (RFC 4034 canonical RRset + RRSIG-prefix reconstruction). Each consumes a different wire format, returns a different shape, and throws a primitive-specific typed error — the shingle is the validate-then-guard preamble, not behaviour. Same family as the v0.12.33 cose.verify cluster.",
+    },
+    {
+      mode:  "family-subset",
+      files: [
+        "lib/cose.js:_coseKeyBytes",
+        "lib/mdoc.js:_bytes",
+        "lib/network-dnssec.js:_bytes",
+      ],
+      reason: "v0.12.48 — Buffer-coercion guard (`if (Buffer.isBuffer(x)) return x; if (x instanceof Uint8Array) return Buffer.from(x); throw <Error>`) repeats across three byte-string-consuming primitives. Each throws a MODULE-LOCAL typed error code (cose/bad-cose-key, mdoc/bad-input, dnssec/bad-bytes) naming the local argument; the duplicated three-line shape is the symptom, the cause is that JS can't throw a caller-namespaced ErrorClass without the local closure. Same documented exception as the v0.12.7 require-non-empty-string cluster — the typed-error CODE is the divergence the dup detector can't see.",
     },
     {
       mode:  "family-subset",
@@ -2270,6 +2281,15 @@ async function testNoDuplicateCodeBlocks() {
       ],
       reason: "v0.12.40 — validateOpts-then-guard prelude shared between a create-style validator (dual-control.create builds a two-person-rule grant after validating its opts) and the timestamp / mdoc verifiers. The common shingle is the `validateOpts(allowedKeys) + chained guard + typed-error` idiom; the bodies diverge entirely (dual-control persists a control record; tsa/mdoc verify cryptographic structures). Same validate-then-guard family as the v0.12.29 / v0.12.33 clusters.",
     },
+    {
+      mode:  "family-subset",
+      files: [
+        "lib/cert.js:create",
+        "lib/mail-send-deliver.js:deliver",
+        "lib/vc.js:present",
+      ],
+      reason: "v0.12.42 — validateOpts-then-guard prelude shared by three builder-style functions: cert.create mints a certificate, mail-send-deliver.deliver sends a message, vc.present builds + signs a Verifiable Presentation. The common shingle is the `validateOpts(allowedKeys) + required-field / non-empty-array guards + typed-error throw` idiom; the bodies diverge entirely (X.509 minting / SMTP delivery / VC-JOSE-COSE presentation envelope). Same validate-then-guard family as the v0.12.29 / v0.12.33 / v0.12.40 clusters.",
+    },
     {
       mode:  "family-subset",
       files: [
@@ -6215,8 +6235,33 @@ var KNOWN_ANTIPATTERNS = [
       // jwtExternal._assertAlgKtyMatch BEFORE createPublicKey on
       // the browser-supplied DBSC binding JWK.
       "lib/dbsc.js",
+      // did.js — _jwkToKey allowlists the JWK's kty/crv (OKP/Ed25519 or
+      // EC/P-256/P-384/secp256k1) and refuses any other type BEFORE
+      // createPublicKey, which is the DID-context equivalent of the
+      // alg/kty cross-check: a DID document carries verification keys,
+      // not a verification alg (the consuming verifier — b.vc / b.mdoc —
+      // supplies the alg allowlist), so there is no `alg` to pass to
+      // _assertAlgKtyMatch; the kty/crv allowlist is the confusion guard.
+      "lib/did.js",
+      // cose.js — importKey maps a COSE_Key to a KeyObject after
+      // allowlisting kty (OKP/EC2) + crv (Ed25519 / P-256 / P-384 /
+      // P-521 — the curves b.cose.verify has an algorithm for); the JWK
+      // is constructed from the COSE_Key, not
+      // attacker-chosen alg-vs-kty, and b.cose.verify supplies the alg
+      // allowlist separately. Same kty/crv-allowlist confusion guard as
+      // did.js — there is no verification `alg` carried in a COSE_Key.
+      "lib/cose.js",
+      // network-dnssec.js — _dnskeyToKey constructs the JWK ITSELF from
+      // the DNSSEC algorithm number (8/13/14/15, validated against the
+      // ALGORITHMS table) — kty/crv are derived from that number, never
+      // read from an attacker-supplied JWK. verifyRrset also refuses an
+      // RRSIG whose algorithm disagrees with the DNSKEY's before the key
+      // is built, so the alg→kty/crv binding is fixed at the source. The
+      // confused-deputy (alg-vs-kty) shape cannot arise — there is no
+      // externally-chosen kty to confuse.
+      "lib/network-dnssec.js",
     ],
-    reason: "CVE-2026-22817 — every JWT verifier that resolves a JWK BY ATTACKER-CONTROLLED HEADER (kid / x5t) must cross-check the declared alg against the JWK's kty (and crv for EC) BEFORE handing the key to node:crypto.verify. Imports that skip the check are exactly the confused-deputy shape (RS256→HS256 family). The shared helper `jwtExternal._assertAlgKtyMatch(alg, jwk)` is the single point of enforcement; new code routes through it. Allowlist entries are sign-side / pinned-cert paths where the JWK is not attacker-supplied.",
+    reason: "CVE-2026-22817 — every JWT verifier that resolves a JWK BY ATTACKER-CONTROLLED HEADER (kid / x5t) must cross-check the declared alg against the JWK's kty (and crv for EC) BEFORE handing the key to node:crypto.verify. Imports that skip the check are exactly the confused-deputy shape (RS256→HS256 family). The shared helper `jwtExternal._assertAlgKtyMatch(alg, jwk)` is the single point of enforcement; new code routes through it. Allowlist entries are sign-side / pinned-cert paths where the JWK is not attacker-supplied, or (did.js) where a kty/crv allowlist stands in for alg/kty because the format carries no verification alg.",
   },
   {
     // CVE-2026-23552 — cross-realm JWT acceptance via non-CT iss