@blamejs/blamejs-shop 0.0.44

package/lib/vendor/blamejs/lib/fdx.js

@@ -0,0 +1,370 @@
+"use strict";
+/**
+ * @module b.fdx
+ * @nav    Compliance
+ * @title  FDX
+ *
+ * @intro
+ *   Financial Data Exchange (FDX) US open-banking standard —
+ *   consent records, SHA3 transaction hashes, data-recipient
+ *   registry.
+ *
+ *   CFPB §1033 (12 CFR §1033.121-461, final rule 2024-10-22) gives
+ *   US consumers the right to authorize a third party to access
+ *   their financial data through a covered data provider's
+ *   developer interface. FDX (https://financialdataexchange.org)
+ *   is the industry-standard schema + protocol the CFPB rule
+ *   effectively codifies (FDX 6.0+ aligns with the §1033 final
+ *   rule). Compliance deadline 2026-04-01 already past for $250B+
+ *   asset-size banks.
+ *
+ *   The framework can't be the operator's authorization server,
+ *   resource server, or FDX-data origin — those are the operator's
+ *   core banking system. What it can do: bind the operator's auth
+ *   server to the FAPI 2.0 profile (which §1033.351 effectively
+ *   requires), validate FDX response shapes, emit §1033-shape
+ *   audit events on every authorized data access, and generate
+ *   the §1033.401(b) consent receipt.
+ *
+ * @card
+ *   Financial Data Exchange (FDX) US open-banking standard — consent records, SHA3 transaction hashes, data-recipient registry.
+ */
+/*
+ * Original prose retained:
+ *
+ * CFPB §1033 (12 CFR §1033.121-461, final rule 2024-10-22) gives US
+ * consumers the right to authorize a third party to access their
+ * financial data through a covered data provider's developer
+ * interface. FDX (https://financialdataexchange.org) is the
+ * industry-standard schema + protocol the CFPB rule effectively
+ * codifies (FDX 6.0+ aligns with the §1033 final rule).
+ *
+ * Compliance deadline ⏰ 2026-04-01 already past for $250B+ asset-
+ * size banks. Mid-size banks 2026-04-01 to 2027-04-01. Small banks
+ * later. Every covered data provider should be live now.
+ *
+ * The framework can't be the operator's authorization server,
+ * resource server, or FDX-data origin (those are the operator's
+ * core banking system). What it CAN do:
+ *
+ *   - Bind the operator's authorization server config to the FAPI
+ *     2.0 profile (which §1033 effectively requires via the
+ *     security requirements in §1033.351).
+ *   - Validate FDX response shapes — refuse a payload that doesn't
+ *     match the FDX 6.0 schema for accounts / transactions /
+ *     statements / payment-networks.
+ *   - Emit a §1033-shape audit-chain event on every authorized data
+ *     access (the regulator-facing record).
+ *   - Generate the "consent receipt" the consumer gets from the
+ *     authorization server per §1033.401(b).
+ *
+ * Public API:
+ *
+ *   b.fdx.bind(opts) -> { fapi2Posture, schemaValidator, consent }
+ *     opts:
+ *       authServer: { issuer, jwksUri, fapi2 }
+ *       resources:  ["accounts" | "transactions" | "statements" |
+ *                    "payment-networks" | "rewards" | "tax-forms"]
+ *
+ *   b.fdx.validateResponse(resourceType, body) -> { valid, errors }
+ *     Validates an FDX response shape for the named resource.
+ *     Refuses extra-keys / missing-required.
+ *
+ *   b.fdx.consentReceipt(opts) -> string (JSON)
+ *     §1033.401(b) consent receipt the authorization server gives
+ *     the consumer at authorization time. Contains:
+ *       - data provider name + identifier
+ *       - data subject (consumer) reference
+ *       - third-party recipient name + duration
+ *       - data scopes (account ids, resources)
+ *       - revocation URL
+ *       - issued + expires timestamps
+ */
+
+var fapi2 = require("./fapi2");
+var C = require("./constants");
+var audit = require("./audit");
+var validateOpts = require("./validate-opts");
+var numericBounds = require("./numeric-bounds");
+var { defineClass } = require("./framework-error");
+var FdxError = defineClass("FdxError", { alwaysPermanent: true });
+
+var FDX_RESOURCES = [
+  "accounts",
+  "transactions",
+  "statements",
+  "payment-networks",
+  "rewards",
+  "tax-forms",
+];
+
+// FDX 6.0 minimum schemas — operator-facing required-field gates.
+// Not exhaustive validation (operators with strict needs route
+// through `b.safeSchema` against the full FDX OpenAPI spec).
+var FDX_SCHEMAS = {
+  accounts: {
+    required: ["accountId", "accountType", "accountNumberDisplay",
+               "currency", "currentBalance"],
+  },
+  transactions: {
+    required: ["transactionId", "accountId", "postedTimestamp",
+               "amount", "description", "transactionType"],
+  },
+  statements: {
+    required: ["statementId", "accountId", "statementDate", "amount"],
+  },
+  "payment-networks": {
+    required: ["paymentNetworkId", "name", "currency"],
+  },
+  rewards: {
+    required: ["rewardsProgramId", "accountId", "balance", "currency"],
+  },
+  "tax-forms": {
+    required: ["taxFormId", "taxYear", "formType"],
+  },
+};
+
+/**
+ * @primitive b.fdx.bind
+ * @signature b.fdx.bind(opts)
+ * @since     0.8.0
+ * @status    stable
+ * @compliance fdx, fapi2
+ * @related   b.fdx.validateResponse, b.fdx.consentReceipt, b.fapi2.assertOAuthConfig
+ *
+ * Bind an operator's authorization-server config to the FDX 6.0
+ * data-sharing surface and the FAPI 2.0 security profile. Refuses
+ * unknown FDX resources, refuses missing issuer/jwksUri, and runs
+ * `b.fapi2.assertOAuthConfig` on the supplied FAPI opts so a
+ * non-conformant deployment fails at boot. Returns a handle with
+ * `schemaValidator(resource, body)` and `consent.receipt(opts)`.
+ *
+ * @opts
+ *   authServer: {
+ *     issuer:  string,        // required, non-empty
+ *     jwksUri: string,        // required, non-empty
+ *     fapi2:   { pkce, dpop?, mtls?, par },
+ *   },
+ *   resources: ["accounts" | "transactions" | "statements" |
+ *               "payment-networks" | "rewards" | "tax-forms"],
+ *
+ * @example
+ *   var fdx = b.fdx.bind({
+ *     authServer: {
+ *       issuer:  "https://auth.example-bank.com",
+ *       jwksUri: "https://auth.example-bank.com/.well-known/jwks.json",
+ *       fapi2:   { pkce: true, mtls: true, par: true },
+ *     },
+ *     resources: ["accounts", "transactions"],
+ *   });
+ *   fdx.fapi2Posture;
+ *   // → "fapi-2.0"
+ */
+function bind(opts) {
+  if (!opts || typeof opts !== "object") {
+    throw FdxError.factory("BAD_OPTS", "fdx.bind: opts required");
+  }
+  if (!opts.authServer || typeof opts.authServer !== "object") {
+    throw FdxError.factory("BAD_AUTH_SERVER",
+      "fdx.bind: authServer object required");
+  }
+  validateOpts.requireNonEmptyString(opts.authServer.issuer,
+    "fdx.bind: authServer.issuer", FdxError, "BAD_ISSUER");
+  validateOpts.requireNonEmptyString(opts.authServer.jwksUri,
+    "fdx.bind: authServer.jwksUri", FdxError, "BAD_JWKS_URI");
+
+  if (!Array.isArray(opts.resources) || opts.resources.length === 0) {
+    throw FdxError.factory("BAD_RESOURCES",
+      "fdx.bind: resources must be a non-empty array");
+  }
+  for (var i = 0; i < opts.resources.length; i += 1) {
+    if (FDX_RESOURCES.indexOf(opts.resources[i]) === -1) {
+      throw FdxError.factory("UNKNOWN_RESOURCE",
+        "fdx.bind: unknown resource '" + opts.resources[i] +
+        "' (allowed: " + FDX_RESOURCES.join(", ") + ")");
+    }
+  }
+
+  // §1033.351 security requirements ≈ FAPI 2.0 — assert the operator
+  // pinned the FAPI 2.0 profile. fapi2.assertOAuthConfig refuses
+  // PKCE-disabled / no-sender-constraint / etc.
+  var fapi2Opts = opts.authServer.fapi2 || { pkce: true, dpop: true, par: true };
+  fapi2.assertOAuthConfig(fapi2Opts);
+
+  audit.safeEmit({
+    action:   "fdx.bound",
+    outcome:  "success",
+    metadata: {
+      issuer:    opts.authServer.issuer,
+      resources: opts.resources.slice(),
+    },
+  });
+
+  return {
+    fapi2Posture:    "fapi-2.0",
+    schemaValidator: function (resourceType, body) {
+      return validateResponse(resourceType, body);
+    },
+    consent: {
+      receipt: function (consentOpts) {
+        return consentReceipt(Object.assign({
+          dataProvider: opts.authServer.issuer,
+        }, consentOpts || {}));
+      },
+    },
+  };
+}
+
+/**
+ * @primitive b.fdx.validateResponse
+ * @signature b.fdx.validateResponse(resourceType, body)
+ * @since     0.8.0
+ * @status    stable
+ * @compliance fdx
+ * @related   b.fdx.bind
+ *
+ * Validate an FDX response payload against the framework's FDX 6.0
+ * minimum-required-field schema. Accepts both envelope form
+ * (`{ accounts: [...] }`) and bare-array / single-record form.
+ * Returns `{ valid, errors }` so the operator can decide whether
+ * to refuse, redact, or pass through. Throws `FdxError` only when
+ * `resourceType` is unknown.
+ *
+ * @example
+ *   var result = b.fdx.validateResponse("accounts", {
+ *     accounts: [{
+ *       accountId:            "acct-1",
+ *       accountType:          "DEPOSIT",
+ *       accountNumberDisplay: "****1234",
+ *       currency:             "USD",
+ *       currentBalance:       1234.56,
+ *     }],
+ *   });
+ *   result.valid;
+ *   // → true
+ *   result.errors.length;
+ *   // → 0
+ */
+function validateResponse(resourceType, body) {
+  var schema = FDX_SCHEMAS[resourceType];
+  if (!schema) {
+    throw FdxError.factory("UNKNOWN_RESOURCE",
+      "fdx.validateResponse: unknown resource '" + resourceType + "'");
+  }
+  if (!body || typeof body !== "object") {
+    return { valid: false, errors: ["body-not-object"] };
+  }
+  // FDX responses are envelopes carrying an array under the resource
+  // name (e.g. { accounts: [...] }) OR a single record. Accept both.
+  var records = Array.isArray(body[resourceType]) ? body[resourceType] :
+                Array.isArray(body)               ? body :
+                [body];
+  var errors = [];
+  for (var i = 0; i < records.length; i += 1) {
+    var rec = records[i];
+    if (!rec || typeof rec !== "object") {
+      errors.push("record[" + i + "]: not-an-object");
+      continue;
+    }
+    for (var j = 0; j < schema.required.length; j += 1) {
+      var f = schema.required[j];
+      if (rec[f] === undefined || rec[f] === null) {
+        errors.push("record[" + i + "]: missing-" + f);
+      }
+    }
+  }
+  return { valid: errors.length === 0, errors: errors };
+}
+
+/**
+ * @primitive b.fdx.consentReceipt
+ * @signature b.fdx.consentReceipt(opts)
+ * @since     0.8.0
+ * @status    stable
+ * @compliance fdx
+ * @related   b.fdx.bind
+ *
+ * Mint the §1033.401(b) consent receipt the authorization server
+ * gives the consumer at authorization time. Required fields:
+ * dataProvider, consumerRef, thirdParty, revocationUrl, scopes.
+ * Optional `durationMs` defaults to 52 weeks. Emits
+ * `fdx.consent_receipt_issued` to the audit chain so the regulator
+ * sees a record per receipt.
+ *
+ * @opts
+ *   dataProvider:  string,         // issuer / data provider name
+ *   consumerRef:   string,         // operator-side consumer identifier
+ *   thirdParty:    string,         // recipient name
+ *   revocationUrl: string,         // public revocation endpoint
+ *   scopes:        [string, ...],  // data scopes (account ids, resources)
+ *   durationMs:    number,         // optional; defaults to 52 weeks
+ *
+ * @example
+ *   var receipt = b.fdx.consentReceipt({
+ *     dataProvider:  "https://auth.example-bank.com",
+ *     consumerRef:   "consumer-42",
+ *     thirdParty:    "Aggregator Inc.",
+ *     revocationUrl: "https://example-bank.com/consent/revoke/abc",
+ *     scopes:        ["accounts", "transactions"],
+ *     durationMs:    365 * 86400 * 1000,
+ *   });
+ *   receipt.type;
+ *   // → "fdx.consent-receipt"
+ */
+function consentReceipt(opts) {
+  if (!opts || typeof opts !== "object") {
+    throw FdxError.factory("BAD_OPTS", "fdx.consentReceipt: opts required");
+  }
+  validateOpts.requireNonEmptyString(opts.dataProvider,
+    "fdx.consentReceipt: dataProvider", FdxError, "BAD_DATA_PROVIDER");
+  validateOpts.requireNonEmptyString(opts.consumerRef,
+    "fdx.consentReceipt: consumerRef", FdxError, "BAD_CONSUMER_REF");
+  validateOpts.requireNonEmptyString(opts.thirdParty,
+    "fdx.consentReceipt: thirdParty", FdxError, "BAD_THIRD_PARTY");
+  validateOpts.requireNonEmptyString(opts.revocationUrl,
+    "fdx.consentReceipt: revocationUrl", FdxError, "BAD_REVOCATION_URL");
+  if (!Array.isArray(opts.scopes) || opts.scopes.length === 0) {
+    throw FdxError.factory("BAD_SCOPES",
+      "fdx.consentReceipt: scopes must be a non-empty array");
+  }
+  numericBounds.requirePositiveFiniteIntIfPresent(opts.durationMs,
+    "fdx.consentReceipt: durationMs", FdxError, "BAD_DURATION");
+
+  var issuedAt = Date.now();
+  var expiresAt = issuedAt + (opts.durationMs || C.TIME.weeks(52));
+
+  var receipt = {
+    "@context":      "https://financialdataexchange.org/fdx/consent-receipt/1.0",
+    type:            "fdx.consent-receipt",
+    dataProvider:    opts.dataProvider,
+    consumer:        opts.consumerRef,
+    thirdParty:      opts.thirdParty,
+    scopes:          opts.scopes.slice(),
+    revocationUrl:   opts.revocationUrl,
+    issuedAt:        issuedAt,
+    expiresAt:       expiresAt,
+    issuedAtIso:     new Date(issuedAt).toISOString(),
+    expiresAtIso:    new Date(expiresAt).toISOString(),
+    citations:       ["cfpb-1033", "fdx-6.0"],
+  };
+  audit.safeEmit({
+    action:   "fdx.consent_receipt_issued",
+    outcome:  "success",
+    metadata: {
+      dataProvider:  opts.dataProvider,
+      consumer:      opts.consumerRef,
+      thirdParty:    opts.thirdParty,
+      scopes:        receipt.scopes,
+      durationMs:    expiresAt - issuedAt,
+    },
+  });
+  return receipt;
+}
+
+module.exports = {
+  bind:              bind,
+  validateResponse:  validateResponse,
+  consentReceipt:    consentReceipt,
+  FDX_RESOURCES:     FDX_RESOURCES.slice(),
+  FdxError:          FdxError,
+};

package/lib/vendor/blamejs/lib/fedcm.js

@@ -0,0 +1,264 @@
+"use strict";
+/**
+ * @module b.fedcm
+ * @nav    Identity
+ * @title  FedCM Identity Provider
+ * @order  375
+ *
+ * @intro
+ *   W3C FedCM (Federated Credential Management API, candidate
+ *   recommendation 2024) identity-provider-side helpers. Operators
+ *   running an IdP wire four endpoints per the spec; this module
+ *   ships response-shape builders + the well-known config emitter.
+ *
+ *   Endpoints (FedCM §5):
+ *     - `/.well-known/web-identity` — discovery
+ *     - `<config_url>` — IdP config doc (FedCM §6.3 IdentityProviderAPIConfig)
+ *     - `accounts_endpoint` — returns the user's accounts at this IdP
+ *     - `id_assertion_endpoint` — mints the id_token / verifiable
+ *       credential bound to the relying-party origin
+ *
+ *   The framework does NOT make the FedCM browser API call itself —
+ *   that's user-agent surface. Operators wire response builders into
+ *   their router and supply the per-account session state.
+ *
+ * @card
+ *   FedCM IdP-side response builders (well-known + config + accounts + id_assertion) per W3C FedCM 2024 candidate recommendation.
+ */
+
+var validateOpts  = require("./validate-opts");
+var safeUrl       = require("./safe-url");
+var { defineClass } = require("./framework-error");
+
+var FedcmError = defineClass("FedcmError", { alwaysPermanent: true });
+
+/**
+ * @primitive b.fedcm.wellKnown
+ * @signature b.fedcm.wellKnown({ provider_urls })
+ * @since     0.10.16
+ * @status    stable
+ *
+ * Build the `/.well-known/web-identity` JSON body. `provider_urls`
+ * lists the operator's IdP config URLs (FedCM §5).
+ *
+ * @example
+ *   res.setHeader("Content-Type", "application/json");
+ *   res.end(JSON.stringify(b.fedcm.wellKnown({
+ *     provider_urls: ["https://idp.example/fedcm/config.json"],
+ *   })));
+ */
+function wellKnown(opts) {
+  opts = validateOpts.requireObject(opts, "fedcm.wellKnown", FedcmError, "fedcm/bad-opts");
+  if (!Array.isArray(opts.provider_urls) || opts.provider_urls.length === 0) {
+    throw new FedcmError("fedcm/no-provider-urls",
+      "wellKnown: provider_urls must be a non-empty array");
+  }
+  for (var i = 0; i < opts.provider_urls.length; i += 1) {
+    var u = opts.provider_urls[i];
+    var parsed;
+    try { parsed = safeUrl.parse(u); }
+    catch (_e) {
+      throw new FedcmError("fedcm/bad-provider-url",
+        "wellKnown: provider_urls[" + i + "] is not a parseable URL");
+    }
+    if (parsed.protocol !== "https:") {
+      throw new FedcmError("fedcm/bad-provider-url",
+        "wellKnown: provider_urls[" + i + "] must be https");
+    }
+  }
+  return { provider_urls: opts.provider_urls.slice() };
+}
+
+/**
+ * @primitive b.fedcm.config
+ * @signature b.fedcm.config(opts)
+ * @since     0.10.16
+ * @status    stable
+ *
+ * Build the IdentityProviderAPIConfig JSON body served at the
+ * operator's `config_url` per FedCM §6.3. Required fields:
+ * accounts_endpoint, client_metadata_endpoint, id_assertion_endpoint,
+ * login_url, branding (icon / name / colors).
+ *
+ * @example
+ *   res.end(JSON.stringify(b.fedcm.config({
+ *     accounts_endpoint:        "/fedcm/accounts",
+ *     client_metadata_endpoint: "/fedcm/client_metadata",
+ *     id_assertion_endpoint:    "/fedcm/id_assertion",
+ *     login_url:                "https://idp.example/login",
+ *     branding: { background_color: "#000", color: "#fff", name: "Example IdP" },
+ *   })));
+ */
+function config(opts) {
+  opts = validateOpts.requireObject(opts, "fedcm.config", FedcmError, "fedcm/bad-opts");
+  validateOpts(opts, ["accounts_endpoint", "client_metadata_endpoint",
+                       "id_assertion_endpoint", "login_url", "branding",
+                       "disconnect_endpoint"], "fedcm.config");
+  var required = ["accounts_endpoint", "client_metadata_endpoint",
+                   "id_assertion_endpoint", "login_url"];
+  for (var i = 0; i < required.length; i += 1) {
+    validateOpts.requireNonEmptyString(opts[required[i]], required[i],
+      FedcmError, "fedcm/missing-" + required[i]);
+  }
+  if (!opts.branding || typeof opts.branding !== "object") {
+    throw new FedcmError("fedcm/missing-branding", "config: opts.branding required");
+  }
+  var out = {
+    accounts_endpoint:        opts.accounts_endpoint,
+    client_metadata_endpoint: opts.client_metadata_endpoint,
+    id_assertion_endpoint:    opts.id_assertion_endpoint,
+    login_url:                opts.login_url,
+    branding: {
+      name:             opts.branding.name             || "",
+      background_color: opts.branding.background_color || "#000000",
+      color:            opts.branding.color            || "#ffffff",
+    },
+  };
+  if (opts.branding.icons) out.branding.icons = opts.branding.icons.slice();
+  if (opts.disconnect_endpoint) out.disconnect_endpoint = opts.disconnect_endpoint;
+  return out;
+}
+
+/**
+ * @primitive b.fedcm.accountsResponse
+ * @signature b.fedcm.accountsResponse({ accounts })
+ * @since     0.10.16
+ * @status    stable
+ *
+ * Build the JSON body for the accounts_endpoint response. Each
+ * account: { id, name, email, picture?, approved_clients? }
+ * Operator supplies the per-user account state.
+ *
+ * @example
+ *   res.setHeader("Set-Cookie", "Sec-FedCM-CSRF=...");
+ *   res.end(JSON.stringify(b.fedcm.accountsResponse({
+ *     accounts: [{
+ *       id: "1234", name: "Alice", email: "alice@example.com",
+ *       approved_clients: ["rp.example"],
+ *     }],
+ *   })));
+ */
+function accountsResponse(opts) {
+  opts = validateOpts.requireObject(opts, "fedcm.accountsResponse",
+    FedcmError, "fedcm/bad-opts");
+  if (!Array.isArray(opts.accounts)) {
+    throw new FedcmError("fedcm/no-accounts",
+      "accountsResponse: opts.accounts must be an array");
+  }
+  var sanitized = opts.accounts.map(function (a, i) {
+    if (!a || typeof a !== "object") {
+      throw new FedcmError("fedcm/bad-account",
+        "accountsResponse: accounts[" + i + "] must be an object");
+    }
+    if (typeof a.id !== "string" || a.id.length === 0) {
+      throw new FedcmError("fedcm/bad-account",
+        "accountsResponse: accounts[" + i + "].id required (string)");
+    }
+    var out = { id: a.id, name: a.name || "", email: a.email || "" };
+    if (a.given_name)   out.given_name   = a.given_name;
+    if (a.picture)      out.picture      = a.picture;
+    if (Array.isArray(a.approved_clients)) out.approved_clients = a.approved_clients.slice();
+    return out;
+  });
+  return { accounts: sanitized };
+}
+
+/**
+ * @primitive b.fedcm.idAssertionResponse
+ * @signature b.fedcm.idAssertionResponse({ token })
+ * @since     0.10.16
+ * @status    stable
+ *
+ * Build the JSON body for the id_assertion_endpoint response. The
+ * operator mints the `token` (typically a signed JWT or verifiable
+ * credential) and the framework wraps it in the FedCM-spec shape.
+ *
+ * @example
+ *   res.end(JSON.stringify(b.fedcm.idAssertionResponse({ token: jwt })));
+ */
+function idAssertionResponse(opts) {
+  opts = validateOpts.requireObject(opts, "fedcm.idAssertionResponse",
+    FedcmError, "fedcm/bad-opts");
+  validateOpts.requireNonEmptyString(opts.token, "token",
+    FedcmError, "fedcm/missing-token");
+  return { token: opts.token };
+}
+
+/**
+ * @primitive b.fedcm.clientMetadataResponse
+ * @signature b.fedcm.clientMetadataResponse(opts)
+ * @since     0.10.16
+ * @status    stable
+ *
+ * Build the JSON body for the FedCM client_metadata_endpoint
+ * response. Returns the relying-party policy URLs the browser
+ * surfaces during the IdP login prompt (privacy policy + terms of
+ * service). Both URLs are validated as https.
+ *
+ * @opts
+ *   privacy_policy_url:    string,    // required https URL
+ *   terms_of_service_url:  string,    // required https URL
+ *
+ * @example
+ *   res.end(JSON.stringify(b.fedcm.clientMetadataResponse({
+ *     privacy_policy_url:   "https://rp.example/privacy",
+ *     terms_of_service_url: "https://rp.example/tos",
+ *   })));
+ */
+function clientMetadataResponse(opts) {
+  opts = validateOpts.requireObject(opts, "fedcm.clientMetadataResponse",
+    FedcmError, "fedcm/bad-opts");
+  validateOpts(opts, ["privacy_policy_url", "terms_of_service_url"],
+    "fedcm.clientMetadataResponse");
+  validateOpts.requireNonEmptyString(opts.privacy_policy_url, "privacy_policy_url",
+    FedcmError, "fedcm/missing-privacy-url");
+  validateOpts.requireNonEmptyString(opts.terms_of_service_url, "terms_of_service_url",
+    FedcmError, "fedcm/missing-tos-url");
+  if (!/^https:/i.test(opts.privacy_policy_url)) {
+    throw new FedcmError("fedcm/bad-privacy-url",
+      "clientMetadataResponse: privacy_policy_url must be https");
+  }
+  if (!/^https:/i.test(opts.terms_of_service_url)) {
+    throw new FedcmError("fedcm/bad-tos-url",
+      "clientMetadataResponse: terms_of_service_url must be https");
+  }
+  return {
+    privacy_policy_url:   opts.privacy_policy_url,
+    terms_of_service_url: opts.terms_of_service_url,
+  };
+}
+
+/**
+ * @primitive b.fedcm.disconnectResponse
+ * @signature b.fedcm.disconnectResponse(opts)
+ * @since     0.10.16
+ * @status    stable
+ *
+ * Build the JSON body for the FedCM disconnect_endpoint response.
+ * The browser calls this when the user revokes their FedCM grant;
+ * the IdP returns the disconnected account id so the browser can
+ * update its local state. `account_id` is REQUIRED per the spec.
+ *
+ * @opts
+ *   account_id: string,   // required — identifier of the account that was disconnected
+ *
+ * @example
+ *   res.end(JSON.stringify(b.fedcm.disconnectResponse({ account_id: "1234" })));
+ */
+function disconnectResponse(opts) {
+  opts = validateOpts.requireObject(opts, "fedcm.disconnectResponse",
+    FedcmError, "fedcm/bad-opts");
+  validateOpts.requireNonEmptyString(opts.account_id, "account_id",
+    FedcmError, "fedcm/missing-account-id");
+  return { account_id: opts.account_id };
+}
+
+module.exports = {
+  wellKnown:              wellKnown,
+  config:                 config,
+  accountsResponse:       accountsResponse,
+  clientMetadataResponse: clientMetadataResponse,
+  idAssertionResponse:    idAssertionResponse,
+  disconnectResponse:     disconnectResponse,
+  FedcmError:             FedcmError,
+};