npm - @blamejs/blamejs-shop - Versions diffs - 0.0.44 - Mend

@blamejs/blamejs-shop 0.0.44

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (1220) hide show

package/lib/vendor/blamejs/CHANGELOG.md ADDED Viewed

@@ -0,0 +1,1351 @@
+# Changelog
+One entry per released tag, grouped by minor. Latest first.
+Pre-1.0 the surface is intentionally evolving — every release may
+change something operators depend on. Read each entry before
+upgrading across more than a few patches at a time.
+## v0.12.x
+- v0.12.2 (2026-05-22) — **Release-process docs point at `scripts/release.js` (the orchestrator shipped in v0.12.0).** `CONTRIBUTING.md` (maintainer section) and `examples/wiki/DEPLOY.md` ("Tag-driven releases") described the old multi-step manual release flow — version bump → commit → push → tag → push tag — without mentioning the v0.12.0 orchestrator. Both docs now point at `node scripts/release.js` as the canonical release mechanism, list the eight idempotent subcommands, and call out the two pre-requisites the script enforces (release-notes JSON + signed-commit config). **Added:** *`scripts/release.js regen` — re-run artifact regeneration mid-flow* — Edits to `release-notes/v<next>.json` after `prepare` (e.g. addressing a Codex finding, fixing a leak-vocabulary refusal) previously required running `node scripts/generate-changelog-entry.js --rebuild` + `scripts/refresh-api-snapshot.js` + `scripts/check-api-snapshot.js` + `scripts/check-changelog-extract.js` manually. The new `regen` subcommand wraps all four into a single idempotent step. Safe to run any time from any branch. The `prepare` phase calls the same shared helper internally so behaviour stays consistent. **Changed:** *`CONTRIBUTING.md` maintainer section names the orchestrator* — The release-process bullet now reads `node scripts/release.js — eight idempotent subcommands (prepare → smoke → commit → push → watch → merge → tag → publish) plus all for a one-shot`. The existing DEPLOY.md link stays as a pointer for the wiki-container side of the same flow. · *`examples/wiki/DEPLOY.md` Tag-driven releases section rewritten* — Replaces the four-bullet manual flow with the orchestrator surface, including the `all` / `all --minor` one-shot, the per-phase subcommands, and the pre-requisites the script enforces (release-notes JSON present, SSH signing config in place). The downstream wiki-image deploy step on the host (pin `docker-compose.prod.yml` + `docker compose pull && up -d`) is unchanged. **Fixed:** *`scripts/release.js` signature verification uses `git verify-commit` as the canonical truth* — The v0.12.0 orchestrator's commit-signature gate parsed `git log -1 --pretty=%h %G? %GS` looking for `G` in the second column. On some platforms the `%G?` format token's `?` character can be eaten by argument resolution, returning empty stdout even when the signature is Good. The fix runs `git verify-commit HEAD` (whose exit code is the canonical signal `required_signatures` GH ruleset enforces) as the primary check; the `%G?` parse stays as a human-readable confirmation but no longer gates the script. Surfaced via dogfooding the orchestrator on this very release. · *`scripts/release.js` Docker bind-mount path handles Windows host paths with spaces* — The `push` phase's gitleaks step bind-mounted the repo root via `-v <path>:/repo`. The previous path transform produced `/C:/Users/...` on Windows, which Docker's `-v src:dst[:mode]` parser interpreted as having three colon-separated fields. Fix: transform `C:\Users\...` to `//c/Users/...` (lowercased drive letter, double-slash prefix — matches Git Bash's `$(pwd)` form Docker Desktop accepts). POSIX hosts pass through unchanged. Operators with Windows paths containing spaces, parentheses, or special characters can now run `node scripts/release.js push` without manual mount fiddling.
+- v0.12.1 (2026-05-22) — **`b.compliance` posture catalog coverage — 65 missing entries backfilled + drift detector.** Two posture-catalog drifts surfaced during audit: 16 postures had `POSTURE_DEFAULTS` configuration wired but weren't in `KNOWN_POSTURES`, so `b.compliance.set("42-cfr-part-2")` (and 15 others) refused with `bad-posture` despite the cascade defaults existing in the codebase. Separately, 49 `KNOWN_POSTURES` entries had no `REGIME_MAP` record, so `b.compliance.describe(posture)` returned null and admin UI / generated audit reports rendering `"running under <name> (<citation>)"` got empty strings. All 65 entries are now backfilled. New codebase-patterns detector enforces `KNOWN_POSTURES ⊇ POSTURE_DEFAULTS` and `REGIME_MAP ⊇ KNOWN_POSTURES` so the same drift class can't reappear. **Added:** *Sixteen postures promoted into `KNOWN_POSTURES`* — `42-cfr-part-2` (Confidentiality of Substance Use Disorder Patient Records), `hti-1` (ONC HTI-1 health-IT certification), `uscdi-v4` (US Core Data for Interoperability), `irs-1075` (Tax Information Security Guidelines), `nist-800-172-r3` (Enhanced CUI Security), `tlp-2.0` (FIRST Traffic Light Protocol), `soci-au` (Australia SOCI Act), `ffiec-cat-2` (FFIEC Cybersecurity Assessment Tool 2.0), `cri-profile-v2.0` (Cyber Risk Institute Profile), `m-22-09` (OMB Zero Trust Strategy), `m-22-18` (OMB Supply Chain SSDF Attestation), `nist-800-53-r5-privacy` (NIST 800-53 Privacy overlay), `nist-ai-600-1-genai` (NIST GenAI Profile), `nist-csf-2.0` (Cybersecurity Framework 2.0), `sb-53` (California Transparency in Frontier AI Act), `nyc-ll144-2024` (NYC AEDT bias audits). Operators pinning these via `b.compliance.set()` now work end-to-end. · *Forty-nine `REGIME_MAP` records backfilled* — Every `KNOWN_POSTURES` entry now has a `{ name, citation, jurisdiction, domain }` record. Spans US state privacy (vcdpa / co-cpa / ctdpa / ucpa / tdpsa / or-cpa / mt-cdpa / ia-icdpa / in-indpa / de-dpdpa / modpa / wmhmda / bipa / ccpa / nydfs-500), EU regulation (dora / nis2 / cra / ai-act / dsa), international (lgpd-br / pipl-cn / appi-jp / pdpa-sg / pipeda-ca / uk-gdpr / irap / bsi-c5 / ens-es), cybersecurity frameworks (nist-800-53 / nist-csf-2.0 / cis-controls-v8 / cwe-top-25-2024), AI (nist-ai-rmf-1.0 / iso-42001-2023 / iso-23894-2023 / owasp-llm-top-10-2025), supply-chain (slsa-v1.0-build-l3 / cyclonedx-v1.6 / spdx-v3.0 / vex-csaf-2.1 / nist-800-218-ssdf), CMMC levels, and sectoral standards (hipaa-security-rule / hitrust-csf-v11.4 / nerc-cip-007-6 / psd2-rts-sca / swift-cscf-v2026 / iec-62443-3-3 / nist-800-82-r3 / nist-800-63b-rev4 / fda-21cfr11 / fda-annex-11 / sec-1.05 / sox-404 / soc2-cc1.3 / cfpb-1033 / fapi-2.0 / staterramp / uk-g-cloud / hipaa-2026 / quebec-25 / 5 US state student-privacy postures / tcpa-10dlc / iab-tcf-v2.3 / iab-mspa). **Detectors:** *Compliance posture coverage gate* — `testCompliancePostureCoverage` enforces two invariants on every release: (1) every `POSTURE_DEFAULTS` key is in `KNOWN_POSTURES` so `b.compliance.set()` accepts it; (2) every `KNOWN_POSTURES` entry has a `REGIME_MAP` record so `b.compliance.describe()` resolves. Each violation reports the specific posture-name + file:line of the bad entry. Future operators adding a posture see the gate fire if either invariant breaks.
+- v0.12.0 (2026-05-22) — **`scripts/release.js` — orchestrated release flow with idempotent subcommands.** A single script automates the framework's release-flow mechanics. Eight subcommands run in sequence (`prepare` → `smoke` → `commit` → `push` → `watch` → `merge` → `tag` → `publish`), each idempotent so an operator can stop and resume at any phase. The script reads `release-notes/v<next>.json` to drive the commit body + PR body so the same operator-facing content lands in CHANGELOG + commit + PR. The judgment-requiring parts (writing release-notes content, reviewing Codex P1/P2 findings, choosing minor vs patch) stay manual — the script flags + stops on those, never silently chooses for the operator. Minor bump because this is an additive operator-facing surface (a new top-level script + workflow). **Added:** *`node scripts/release.js prepare [--minor]`* — Bumps `package.json` (patch by default, `--minor` for a minor bump), regenerates `CHANGELOG.md` from `release-notes/v<next>.json`, refreshes `api-snapshot.json`, runs `eslint` + `codebase-patterns` + `validate-source-comment-blocks` + `check-api-snapshot` + `check-changelog-extract`. Refuses if the release-notes JSON is missing — prints a stub template to stdout so the operator fills in headline + summary + sections before re-running. · *`node scripts/release.js smoke`* — Runs `SMOKE_PARALLEL=64 node test/smoke.js`. Auto-detects wiki changes via `git diff --name-only` and runs the wiki e2e suite when `examples/wiki/**` was touched; skips otherwise. · *`node scripts/release.js commit`* — Creates the `release/v<next>` branch, composes the commit body from the release-notes JSON (headline + summary + sections summarised as bullets), and creates a signed commit. Verifies the signature shows `G` (Good + trusted); refuses with a pointer to the SSH-signing setup section of the deploy docs when it shows `U` (Untrusted) or `N` (Unsigned). · *`node scripts/release.js push`* — Runs gitleaks against the whole git history. Pushes the release branch. Opens the PR with title `<version> — <headline>` and a body that includes the release-notes summary + a Test plan checklist. Mounts the working directory via the platform-appropriate Docker bind path (handles Windows Git Bash's `/$(pwd)` quirk). · *`node scripts/release.js watch`* — Runs `gh pr checks --watch` then enumerates open review threads via GraphQL. When any Codex (or human) thread is unresolved, prints the per-thread author + first line + exits non-zero so the operator addresses them in a new commit + re-runs watch. When all threads are resolved + CI is clean, the next step (`merge`) becomes the obvious continuation. · *`node scripts/release.js merge`* — Refuses unless the PR is `mergeStateStatus=CLEAN` + `mergeable=MERGEABLE` + zero unresolved review threads. Squash-merges + deletes the release branch. Pulls main. · *`node scripts/release.js tag`* — Creates the signed annotated tag `v<version>` + pushes it. Verifies the tag signature reports `Good`. Refuses if the tag already exists locally. · *`node scripts/release.js publish`* — Watches the npm-publish + release-container workflows triggered by the tag push. Cross-checks `npm view @blamejs/core version` against the expected version; warns if they don't match (workflow may still be in flight or have failed). · *`node scripts/release.js all [--minor]`* — Runs all eight subcommands in sequence. Pauses on the watch phase if any review thread is unresolved (operator addresses + re-runs `all` from `watch` onward). · *`node scripts/release.js status` + `help`* — `status` reports the current branch, working-tree cleanliness, package version, presence of `release-notes/v<version>.json`, and any open PR for the current release branch. `help` prints the subcommand banner. Both are read-only — safe to run anytime. **Changed:** *Minor bump (additive surface)* — First minor bump since v0.11.0. The release script is a new top-level operator surface — additive, no existing API breaks. Operators following the previous multi-step release flow keep working unchanged; the script is opt-in.
+## v0.11.x
+- v0.11.45 (2026-05-22) — **Wiki compose pins track framework version.** The dev and prod compose pins for `ghcr.io/blamejs/blamejs-wiki` move from the legacy `0.3.x` wiki-only versioning (`0.3.24` prod, `0.3.8` dev) to the framework version (`0.11.45`). The wiki container's build tag has matched the framework version since the v0.11.44 release-container workflow fix; the compose pins now follow suit so a fresh clone + `docker compose up` works against the most recent published image without manual edits. **Changed:** *`examples/wiki/docker-compose.prod.yml` pin: `0.3.24` → `0.11.45`* — The prod compose now pulls `ghcr.io/blamejs/blamejs-wiki:0.11.45`. Operators deploying to a host running an older pin keep working unchanged — their `.env` / image override takes precedence. To upgrade, the operator runs `docker compose -f docker-compose.yml -f docker-compose.prod.yml pull && docker compose -f docker-compose.yml -f docker-compose.prod.yml up -d` on the host. · *`examples/wiki/docker-compose.yml` pin: `0.3.8` → `0.11.45`* — The dev compose (local-build path) also tracks the framework version. Aligns the locally-built dev image tag with the published image tag so the two paths don't drift over time.
+- v0.11.44 (2026-05-22) — **Fix wiki container build — release-container smoke step still hit port 8080.** The v0.11.40 wiki port swap (8080 → 3008) missed `.github/workflows/release-container.yml`'s post-publish smoke step. The smoke ran `docker run -p 8080:8080` + curled `localhost:8080/healthz`, but the v0.11.40+ wiki container listens on 3008 — so the smoke failed and the wiki container was NOT pushed to GHCR for v0.11.40, v0.11.42, or v0.11.43. The npm package was unaffected (publish completes on a different job). Operators pulling `ghcr.io/blamejs/blamejs-wiki:latest` were getting the v0.11.39 build until this fix. This release fixes the workflow + adds a codebase-patterns detector that gates the Dockerfile's `WIKI_PORT` against the workflow's port map + curl host so the same silent-deploy failure can't recur. **Fixed:** *release-container.yml smoke step uses port 3008* — Three locations updated: comment header references port 3008; `-p 3008:3008` host port mapping; `curl http://localhost:3008/healthz` health check. Tagging v0.11.44 triggers a fresh container build + push that lands the v0.11.40 / v0.11.42 / v0.11.43 changes (port 3008 default, JSCalendar Group, BYSETPOS, multi-rule recurrence union, JMAP EmailSubmission/set, wiki nav alphabetical) in GHCR for the first time. **Detectors:** *Wiki-port cross-artifact agreement gate* — `testWikiPortAgreesAcrossArtifacts` reads `WIKI_PORT=<n>` from `examples/wiki/Dockerfile` and asserts every `docker run -p X:X` mapping + every `curl http://localhost:X/healthz` reference in `.github/workflows/release-container.yml` matches. Smoke-tested by introducing a deliberate mismatch — detector fires with file:line + the conflicting values. Prevents the v0.11.40 silent-deploy failure class from recurring on any future port change.
+- v0.11.43 (2026-05-22) — **Wiki nav: alphabetical sidebar + dedup drifted category labels.** The wiki sidebar now lists categories alphabetically (case-insensitive) instead of in editorial order. Welcome remains pinned first (landing page); Other and Reference remain pinned last (catch-all groups). Three category-label dups are also consolidated at the source comment-blocks: `Agent Protocols` (one entry — `a2a-tasks`) joins `Agent` with the rest of the agent substrate; `Networking` (two entries — `stream-throttle`, `web-push-vapid`) joins `Network`; `Audit & Compliance` (one entry — `nist-crosswalk`) joins `Compliance`. New `@nav` categories now land in their alphabetical slot automatically without a site.config edit. **Changed:** *Wiki sidebar group order alphabetical* — Replaces the curated `GROUP_ORDER` editorial list in `examples/wiki/site.config.js` with an alphabetical sort. Pinning preserved: `Welcome` always first; `Other` and `Reference` always last. Adding a new `@nav` category to any `lib/*.js` `@module` block now slots into its alphabetical position automatically — no separate site.config update required. · *Category consolidation: Agent Protocols → Agent* — `a2a-tasks` was the sole entry under `Agent Protocols`. Moved to `Agent` to live alongside the orchestrator / saga / idempotency / event-bus / posture-chain / stream / trace / tenant / snapshot / fsm primitives — the W3C A2A task surface is part of the same agent-substrate concern. · *Category consolidation: Networking → Network* — `stream-throttle` and `web-push-vapid` were tagged `Networking` while every other network-layer primitive used `Network`. Drift cleanup — both now live under `Network`. · *Category consolidation: Audit & Compliance → Compliance* — `nist-crosswalk` was the sole entry under `Audit & Compliance`. Moved to `Compliance` alongside the other regulatory primitives. **Detectors:** *Nav-category allowlist gate* — `testNavCategoryAllowlist` in the codebase-patterns runner walks every `lib/*.js` `@module` block and refuses any `@nav` value not in the canonical category list. Adding a new sidebar category is a deliberate edit — it lands in `NAV_ALLOWLIST` + the operator-facing `FIRST_GROUPS` / `LAST_GROUPS` pin list in `examples/wiki/site.config.js` at the same time. Prevents the Networking-vs-Network and Agent-vs-Agent-Protocols dup classes from re-emerging silently.
+- v0.11.42 (2026-05-22) — **`b.calendar` JSCalendar Group objects (RFC 8984 §1.4.4).** Closes the v0.11.31 deferral on JSCalendar Group. `b.calendar.validate` now recognises `@type: "Group"` as a container envelope for multiple Event / Task / Note entries that share a logical name + categories. `b.calendar.toIcal` emits a single VCALENDAR wrap containing every entry's component in declared order (VEVENT for Event, VTODO for Task, VJOURNAL for Note). Group is JSCalendar-only — iCalendar has no envelope-level metadata for Group.name / Group.categories, so a Group's metadata is dropped on the iCal-side of a round-trip; operators preserving Group state across systems use the JSON-native surface. **Added:** *`@type: "Group"` envelope (RFC 8984 §1.4.4)* — A Group carries `uid`, `updated`, `entries` (required non-empty array), and optional `name`, `description`, `categories` (String-keyed Boolean set), and `source` (URI string). Entries are validated recursively — each entry must be a valid Event / Task / Note per its own type rules. Groups nesting Groups is refused (RFC 8984 does not define a nesting semantic). · *`b.calendar.toIcal` emits single VCALENDAR for Group* — When `@type === "Group"`, toIcal emits one BEGIN:VCALENDAR / END:VCALENDAR envelope containing every entry's component in declared order. The Group's own uid / updated / name / description / categories are NOT round-tripped to iCalendar (RFC 5545 has no envelope-level metadata for these); operators preserving Group state across a round-trip use the JSON-native JSCalendar surface. · *Refusal vocabulary* — New structured `CalendarError` codes: `calendar/bad-entries` (entries missing, empty, non-array, or any entry malformed / Group-typed), `calendar/bad-group` (entry-specific field like start / duration / due / progress / recurrenceRules set on the Group envelope), `calendar/bad-categories` (non-object categories or non-`true` value), `calendar/bad-source` (non-string source). · *`JSCAL_TYPES.Group` export* — `b.calendar.JSCAL_TYPES.Group === "Group"` exposes the discriminator string for operator-side type-dispatch. **References:** [RFC 8984 §1.4.4 (JSCalendar Group)](https://www.rfc-editor.org/rfc/rfc8984.html#section-1.4.4) · [RFC 5545 §3.4 (VCALENDAR envelope)](https://www.rfc-editor.org/rfc/rfc5545.html#section-3.4)
+- v0.11.41 (2026-05-21) — **`b.calendar.expandRecurrence` picks up BYSETPOS (RFC 5545 §3.3.10).** Closes the v0.11.31 deferral on BYSETPOS — the recurrence filter that picks the Nth candidate from a BY*-filtered set within a FREQ interval. Common operator patterns now work directly: `FREQ=MONTHLY;BYDAY=FR;BYSETPOS=-1` for last Friday of each month, `FREQ=MONTHLY;BYDAY=TU;BYSETPOS=2` for second Tuesday, `FREQ=YEARLY;BYMONTH=10;BYDAY=SU;BYSETPOS=1` for first Sunday of October (the DST-end announcement pattern). Supported for `FREQ=MONTHLY` / `YEARLY` / `WEEKLY` at day-granularity (time-of-day inherited from `start`). `FREQ=DAILY` + BYSETPOS is refused with `calendar/bad-recurrence` since the semantics aren't meaningful at sub-day frequency. **Added:** *`bySetPos` filter on RecurrenceRule* — `recurrenceRules[i].bySetPos: [1, -1, 2]` picks the listed positions from the BY*-filtered candidate set within each FREQ interval. Positive values are 1-indexed from the start of the period; negative values count from the end. Multiple positions emit per period (e.g. `[1, -1]` emits both the first and last matching day of each month). Out-of-range positions silently drop per RFC 5545's tolerant grammar. · *MONTHLY / YEARLY / WEEKLY support* — BYSETPOS expands within month / year / WKST-aligned-week boundaries. For each period, all day-level candidates that pass the existing BY* filters (byDay / byMonth / byMonthDay / byWeekNo / byYearDay) are enumerated, sorted ascending, then indexed by `bySetPos`. The expand loop's step budget (`MAX_EXPAND_INSTANCES * 366`) is shared across periods so the BYSETPOS path can't outrun the v0.11.31 DoS bound. · *DAILY frequency refused* — `FREQ=DAILY` + BYSETPOS throws `calendar/bad-recurrence` at expand time. The combination has no meaningful per-period set semantics (a day has no sub-day BY* set to pick from in the v1 day-granularity model). Operators with a sub-day BYSETPOS use case use `FREQ=HOURLY` semantics directly without BYSETPOS, or open an issue with the use case. **Security:** *Step budget shared with non-BYSETPOS path* — BYSETPOS enumeration decrements the same `MAX_EXPAND_INSTANCES * 366` step budget the non-BYSETPOS path uses, and the per-period day-loop has a hard 400-iteration safety cap (covers max-366-days in a leap year + slack). Adversarial events combining many rules + sparse BY* filters + BYSETPOS can't outpace the original single-rule DoS bound. **References:** [RFC 5545 §3.3.10 (RRULE — BYSETPOS)](https://www.rfc-editor.org/rfc/rfc5545.html#section-3.3.10) · [RFC 8984 §4.3.2 (JSCalendar RecurrenceRule)](https://www.rfc-editor.org/rfc/rfc8984.html#section-4.3.2)
+- v0.11.40 (2026-05-21) — **Wiki Docker default port moves from 8080 → 3008.** The `examples/wiki` Docker stack now defaults to port 3008 throughout — `WIKI_PORT`, the Dockerfile `EXPOSE` directive, the in-container HEALTHCHECK URL, the dev `docker-compose.yml` host mapping, the Caddy reverse-proxy upstream, and the `server.js` + `lib/build-app.js` code defaults. Production deployments (`docker-compose.prod.yml`) are operator-invisible since Caddy fronts the container on 80/443 — the upstream port is never exposed to the host. Dev users hitting the wiki container directly now use `http://localhost:3008`. Operators who set `WIKI_PORT` explicitly in their `.env` keep working unchanged. **Changed:** *Wiki default port 8080 → 3008* — Default `WIKI_PORT` moves from 8080 (HTTP-alt, frequently collides with Tomcat / Jenkins / Confluence / Spring-Boot defaults) to 3008 (IANA-unassigned, no service-convention collision). The new default applies consistently across: `examples/wiki/Dockerfile` (`ENV WIKI_PORT`, `EXPOSE`, HEALTHCHECK URL), `examples/wiki/server.js`, `examples/wiki/lib/build-app.js`, `examples/wiki/docker-compose.yml` (host mapping `3008:3008`), `examples/wiki/docker-compose.prod.yml` (internal-network expose), `examples/wiki/Caddyfile` (upstream resolver), `examples/wiki/README.md`, `examples/wiki/DEPLOY.md`. · *Operator action* — Dev users with `localhost:8080` bookmarks, curl scripts, host-firewall allowlists, or IDE port forwarders pointed at the wiki need to switch to `localhost:3008`. Operators who set `WIKI_PORT=8080` explicitly in their `.env` keep working unchanged. Production deployments behind Caddy see no change — the upstream port is internal-network only. **References:** [IANA Service Name and Port Number Registry](https://www.iana.org/assignments/service-names-port-numbers/service-names-port-numbers.xhtml)
+- v0.11.39 (2026-05-21) — **`b.calendar.expandRecurrence` honors multiple `recurrenceRules` (RFC 8984 §4.3.2).** Closes the v0.11.31 deferral on the multi-rule path. `expandRecurrence` now walks every entry in `event.recurrenceRules`, expands each rule independently against the same `start` anchor, and UNIONs the resulting instances (dedup + sorted ascending). Per-rule `count` caps apply per-rule per RFC 8984 §4.3.2; the global `max` / `MAX_EXPAND_INSTANCES` cap applies to the unioned set. The step budget (`MAX_EXPAND_INSTANCES * 366`) is shared across all rules in the same expand call so an N-rule fan-out can't amplify the worst-case loop past the single-rule bound. **Added:** *Multi-rule expansion + UNION* — `event.recurrenceRules` of length > 1 now expands every rule, not just the first. Each rule's stepping (frequency / interval / count / until / BY* filters) operates independently; the resulting ISO 8601 UTC instant strings dedupe via object-keyed set semantics, then sort ascending. The single-rule case is structurally unchanged — same step loop, same per-rule cap behaviour. · *Per-rule `count` applies per-rule (RFC 8984 §4.3.2)* — Two rules with `count: 3` and `count: 2` produce up to 5 instances in the unioned output (minus any timestamps that dedupe across rules), not 5 instances total across the rules. Matches RFC 8984 §4.3.2 phrasing: each Recurrence Rule's count is applied per rule. · *Global step budget shared across rules* — The `MAX_EXPAND_INSTANCES * 366` step budget (introduced in v0.11.31) now tracks across rules in the same expand call. A 4-rule event with sparse BY* filters can't accumulate 4× the single-rule worst-case work; the budget is depleted across the full rule set. **Security:** *DoS amplification across N rules bounded by the same step budget* — The step budget is shared (not per-rule), so adversarial multi-rule events can't bypass the v0.11.31 BY*-filter cap by stacking N rules with sparse filters. Sparse-filter rules still complete within the original 10-year `MAX_EXPAND_SPAN_MS` window cap. **Detectors:** *No new detector — covered by existing recurrence-test surface* — Multi-rule UNION + dedup + global step budget are exercised by three new tests in `test/layer-0-primitives/calendar.test.js` (multi-rule union, same-rule dedup, global max applied to union). No detector needed — the bug class is testable end-to-end and the test file IS the canonical regression surface. **References:** [RFC 8984 §4.3.2 (JSCalendar RecurrenceRule — multi-rule expansion)](https://www.rfc-editor.org/rfc/rfc8984.html#section-4.3.2) · [RFC 5545 §3.8.5.3 (iCalendar RRULE — semantics under composition)](https://www.rfc-editor.org/rfc/rfc5545.html#section-3.8.5.3)
+- v0.11.38 (2026-05-21) — **`b.mail.server.jmap.emailSubmissionSetHandler` — reference JMAP EmailSubmission/set composing `b.mail.send.deliver`.** Reference implementation of JMAP `EmailSubmission/set` (RFC 8621 §7.5) that composes `b.mail.send.deliver` (v0.11.24). Operators wire it as a method handler on `b.mail.server.jmap.create({ methods: ... })`. The handler walks `args.create`, validates each EmailSubmission's shape against the RFC 8621 §7.5 vocabulary (`identityId` / `emailId` / `envelope.mailFrom.email` / `envelope.rcptTo[]`), looks up the referenced Email blob via an operator-supplied `lookupEmail(emailId, accountId, actor)`, hands the RFC 822 body to `deliver(envelope)`, and maps the result into JMAP `deliveryStatus` (`recipient → { smtpReply, delivered, displayed }` per RFC 8621 §7.4). Closes the v0.11.24 deferral on a reference JMAP→deliver bridge. **Added:** *`b.mail.server.jmap.emailSubmissionSetHandler(opts)` factory* — Returns an async `(actor, args, ctx) → result` function suitable for the `opts.methods` map on `b.mail.server.jmap.create`. Required opts: `deliver` (a `b.mail.send.deliver` instance), `lookupEmail` (async `(emailId, accountId, actor) → Buffer|null`), `identities` (sync `(accountId) → Array<{ id, email }>`). Optional: `onCreated(subId, submission, accountId)` for persistence, `onDestroyed(subId, accountId)`, `onCancel(subId, accountId) → boolean` for undo support, `maxRecipients` (default 1000). · *Full RFC 8621 §7.5 error vocabulary* — Refusals map to the spec's typed `notCreated` shape with JMAP-namespaced types: `identityNotFound` (unknown identityId), `emailNotFound` (lookupEmail returned null), `forbiddenMailFrom` (envelope.mailFrom doesn't match identity.email), `invalidRecipients` (malformed envelope.rcptTo[i].email), `noRecipients` (empty rcptTo), `tooManyRecipients` (exceeds maxRecipients), `invalidProperties` (missing required keys). Per RFC 8621 §3.6.2, only `undoStatus` is honored in `args.update`; non-canceled values + non-undoStatus keys return `invalidProperties`. · *Delivery-result → JMAP deliveryStatus mapping* — `b.mail.send.deliver`'s `{ delivered, deferred, failed }` outcomes translate into the per-recipient JMAP deliveryStatus shape: `delivered` → `{ smtpReply, delivered: "yes" }`; `deferred` → `{ smtpReply, delivered: "queued" }`; `failed` → `{ smtpReply, delivered: "no" }`. `displayed` is `unknown` until a downstream MDN (RFC 9007) reports otherwise — operators with MDN ingest update via `EmailSubmission/set`'s update branch. · *Undo via `onCancel` hook* — `args.update[subId] = { undoStatus: "canceled" }` invokes `opts.onCancel(subId, accountId) → boolean`. Operators backing the JMAP server with a deferred-send queue (e.g. `b.outbox`) return true when the cancel succeeded; the handler refuses with `cannotUnsend` when `onCancel` isn't configured (operator hasn't wired a queue-based send model). · *Audit event on every set* — Emits `mail.jmap.emailsubmission.set` with `{ accountId, created, notCreated, updated, notUpdated, destroyed, notDestroyed }` counts. The metadata never carries recipient email addresses or RFC 822 body bytes — those stay in the operator's deliver primitive's per-host audit stream. **Security:** *Identity binding refuses spoofed `envelope.mailFrom`* — RFC 8621 §7.5.1.2 — every create gates `envelope.mailFrom.email` against the identity record's `email` field. The reference handler refuses with `forbiddenMailFrom` when they differ. Operators wiring a delegation model populate the identity's `mayDelegate` / per-domain authorized-senders list and supply the corresponding `identities(accountId)` lookup; the reference handler treats the lookup output as the trust source. · *Recipient count cap matches `b.mail.send.deliver`* — Default `maxRecipients = 1000` aligns with `b.mail.send.deliver`'s recipient-fan-out cap; operators reduce it for tighter postures (e.g. 50 for transactional-mail accounts) without weakening the deliver primitive's own gate. **Detectors:** *Two new KNOWN_CLUSTERS family-subset entries* — The new handler's opts-walk shingle structurally resembles `lib/importmap-integrity.js:build` (SRI module-map walk) and `lib/middleware/security-headers.js:create` (header-map walk). Added explanatory family-subset entries documenting why each primitive's per-entry body validates a distinct spec vocabulary (W3C Importmap-Integrity vs RFC 8621 §7.5 EmailSubmission vs HTTP header-value sanitisation) so the dup detector can't surface the false-positive again. **References:** [RFC 8621 §7 (JMAP EmailSubmission)](https://www.rfc-editor.org/rfc/rfc8621.html#section-7) · [RFC 8621 §7.5 (EmailSubmission/set)](https://www.rfc-editor.org/rfc/rfc8621.html#section-7.5) · [RFC 8621 §7.4 (deliveryStatus shape)](https://www.rfc-editor.org/rfc/rfc8621.html#section-7.4) · [RFC 8620 §3.6.1 (JMAP error vocabulary)](https://www.rfc-editor.org/rfc/rfc8620.html#section-3.6.1)
+- v0.11.37 (2026-05-21) — **`b.calendar` VJOURNAL ↔ JSCalendar Note (RFC 5545 §3.6.3).** Closes the v0.11.31 deferral on VJOURNAL. `b.calendar.fromIcal` now recognises VJOURNAL components and maps them to JSCalendar-shaped Note objects (`@type: "Note"`). `b.calendar.toIcal` emits a VJOURNAL envelope when the input `@type` is `Note`. `b.calendar.validate` adds Note-specific shape rules: optional `start` LocalDateTime, no `duration` / `due` / `progress` / `percentComplete` / `progressUpdated` (those are Event / Task-only properties), optional `status` from the RFC 5545 §3.8.1.11 VJOURNAL vocabulary (`draft` | `final` | `cancelled`). VJOURNAL is the only iCalendar component that may carry multiple DESCRIPTION properties — Note preserves operator-visible boundaries by joining them with a blank-line separator. A VCALENDAR carrying VEVENT + VTODO + VJOURNAL children now returns a mixed `Event` + `Task` + `Note` array. **Added:** *`b.calendar.fromIcal` maps VJOURNAL → JSCalendar Note* — VJOURNAL components in the VCALENDAR map to `@type: "Note"` objects with `uid` / `updated` / `title` (SUMMARY) / `description` (DESCRIPTION) / `start` (DTSTART → LocalDateTime, optional) / `timeZone` / `status` (lower-cased STATUS) / `locations` / `recurrenceRules`. UTC DTSTART maps to `timeZone: "Etc/UTC"` the same way DTSTART does for Event. · *`b.calendar.toIcal` emits VJOURNAL when `@type === "Note"`* — The envelope is `BEGIN:VJOURNAL` / `END:VJOURNAL` instead of `BEGIN:VEVENT` or `BEGIN:VTODO`. Note's `status` round-trips uppercased per RFC 5545 §3.8.1.11. Note does NOT emit DURATION / DUE / PERCENT-COMPLETE / COMPLETED on the wire (those properties are forbidden on VJOURNAL per RFC 5545 §3.6.3 grammar). · *`b.calendar.validate` learns Note-specific shape rules (RFC 5545 §3.6.3)* — Note's `start` must be a LocalDateTime when present. Setting `duration`, `due`, `progress`, `percentComplete`, or `progressUpdated` on a Note is refused (those are Event / Task-only properties). `status` must be in the `JSCAL_NOTE_STATUS` catalogue (`draft` | `final` | `cancelled` — different from the Task progress vocabulary). Structured `CalendarError` codes: `calendar/bad-note-status` plus reuse of `calendar/bad-due`, `calendar/bad-progress`, `calendar/bad-duration`, `calendar/bad-percent`, `calendar/bad-progress-updated` for the forbidden-property refusals. · *Multiple DESCRIPTION properties preserved* — VJOURNAL is the only iCalendar component permitted to carry multiple DESCRIPTION properties (one per discrete journal entry). `fromIcal` joins them into a single Note.description with `\n\n` between entries, preserving the operator-visible boundary. Single-DESCRIPTION VJOURNALs map to the literal string with no join. · *Mixed-component VCALENDAR returns array of Event + Task + Note shapes* — A VCALENDAR carrying VEVENT + VTODO + VJOURNAL children now returns an Array — events first, tasks second, journals third, in their declared order. The single-component shortcut (returning the bare object) still applies when only one component is present. · *`JSCAL_TYPES.Note` and `JSCAL_NOTE_STATUS` exports* — `b.calendar.JSCAL_TYPES.Note === "Note"` (the discriminator string). `b.calendar.JSCAL_NOTE_STATUS` exposes the `draft` / `final` / `cancelled` vocabulary as a frozen object for operator-side enum lookups. **Changed:** *JSCalendar `Note` is a blamejs-recognised extension* — RFC 8984 §1.2 only enumerates `Event`, `Task`, and `Group` as discriminator values. `Note` is not formally an RFC 8984 type — blamejs adopts it as a recognised extension shape for VJOURNAL round-trip interop. Operators interoperating with strict RFC 8984 consumers should map Note → Group + a vendor-namespaced property before exchange. **References:** [RFC 5545 §3.6.3 (iCalendar VJOURNAL component)](https://www.rfc-editor.org/rfc/rfc5545.html#section-3.6.3) · [RFC 5545 §3.8.1.11 (STATUS — DRAFT/FINAL/CANCELLED on VJOURNAL)](https://www.rfc-editor.org/rfc/rfc5545.html#section-3.8.1.11) · [RFC 8984 §1.2 (JSCalendar @type discriminator)](https://www.rfc-editor.org/rfc/rfc8984.html#section-1.2)
+- v0.11.36 (2026-05-21) — **`b.calendar.expandRecurrence` picks up BYWEEKNO / BYYEARDAY / BYHOUR / BYMINUTE / BYSECOND filters (RFC 5545 §3.3.10).** Closes the v0.11.31 deferral on the time-of-day and year-relative BY* filters. `expandRecurrence` now honours `byWeekNo` (ISO 8601 1..53 with negative-from-end semantics), `byYearDay` (1..366 with negative-from-end), `byHour` (0..23), `byMinute` (0..59), and `bySecond` (0..60 — covers POSIX leap-second representation). The expansion still operates as a per-step filter (stepping at the rule's FREQ, then dropping candidates that fail the BY* predicates) — BYSETPOS remains deferred-with-condition because it requires expanding ALL candidates within a FREQ interval and picking the Nth, which is a structural restructure of the expand loop. Operators with `last weekday of month`-style needs continue to see the same defer note from v0.11.31. **Added:** *`byWeekNo` filter — ISO 8601 week numbers* — `recurrenceRules[i].byWeekNo: [1, 53, -1]` filters candidates to the named ISO 8601 weeks. Negative values count from the end of the year (`-1` = last ISO week, which may be week 52 or week 53 depending on the year). The ISO week-of-year calculation matches the canonical algorithm — week 1 is the week containing the first Thursday of the year. · *`byYearDay` filter — day-of-year (1..366 / -1..-366)* — `recurrenceRules[i].byYearDay: [1, 366, -1]` filters by ordinal day-of-year. Negative values count from the end of the year, accounting for leap-year length (366 vs 365). With a `frequency: "daily"` rule + `byYearDay: [1]` the expander emits Jan 1 of each year. · *`byHour` / `byMinute` / `bySecond` time-of-day filters* — `byHour: [9, 17]` filters candidates by UTC hour-of-day (0..23). `byMinute: [0, 30]` (0..59). `bySecond: [0, 30, 60]` (0..60 — the leap-second representation in POSIX time). Most useful with sub-day frequencies — `frequency: "hourly"` + `byHour: [9, 17]` emits twice-daily at 9am and 5pm. · *Negative BY* semantics per RFC 5545 §3.3.10* — `byWeekNo: [-1]` matches the last ISO week of the year (computed via the Dec-28 anchor — Dec 28 always falls in the last ISO week). `byYearDay: [-1]` matches the last day of the year (uses the Gregorian leap-year rule to determine whether 365 or 366 is the correct ordinal). Both negative-value paths covered by tests. **Security:** *Same step-budget cap from v0.11.31 applies* — Sparse BY* filters (e.g. `byYearDay: [1]` with `frequency: "daily"` — only 1 in 365 candidates matches) still loop within the `MAX_EXPAND_INSTANCES * 366` step budget; the 10-year `MAX_EXPAND_SPAN_MS` window cap also applies. Operators can't construct a BY*-filter that loops past the bounded budget. · *Integer-range validation on every BY* value* — `byWeekNo` rejects values outside ±53. `byYearDay` rejects outside ±366. `byHour` 0..23. `byMinute` 0..59. `bySecond` 0..60. Adversarial-shape values silently drop from the set (no error — the rule continues with the surviving values per RFC 5545's tolerant grammar). **References:** [RFC 5545 §3.3.10 (RRULE — BYWEEKNO / BYYEARDAY / BYHOUR / BYMINUTE / BYSECOND)](https://www.rfc-editor.org/rfc/rfc5545.html#section-3.3.10) · [RFC 8984 §4.3.2 (JSCalendar RecurrenceRule)](https://www.rfc-editor.org/rfc/rfc8984.html#section-4.3.2) · [ISO 8601 (Week numbering)](https://www.iso.org/iso-8601-date-and-time-format.html)
+- v0.11.35 (2026-05-21) — **`b.calendar` VTODO ↔ JSCalendar Task (RFC 8984 §6).** Closes the v0.11.31 deferral. `b.calendar.fromIcal` now recognises VTODO components and maps them to JSCalendar Task objects per RFC 8984 §6. `b.calendar.toIcal` emits a VTODO envelope (with DUE / STATUS / PERCENT-COMPLETE / COMPLETED iCalendar properties) when the input `@type` is `Task`. `b.calendar.validate` picks up Task-specific shape rules: `due` as LocalDateTime, `estimatedDuration` as PnYnMnDTnHnMnS, `progress` from the RFC 8984 §6.4.3 vocabulary (`needs-action` | `in-process` | `completed` | `cancelled` | `failed`), `percentComplete` ∈ [0..100], `progressUpdated` as UTCDateTime. A VCALENDAR carrying both VEVENT and VTODO components now returns an array of mixed `Event` + `Task` shapes. **Added:** *`b.calendar.fromIcal` maps VTODO → JSCalendar Task* — VTODO components in the VCALENDAR are mapped to `@type: "Task"` objects with the same `uid` / `updated` / `title` / `description` / `start` / `timeZone` / `locations` / `recurrenceRules` slots Event uses, plus the Task-specific fields: `due` (DUE → LocalDateTime), `estimatedDuration` (DURATION), `progress` (STATUS lowercased), `percentComplete` (PERCENT-COMPLETE 0..100), `progressUpdated` (COMPLETED → UTCDateTime). UTC DUE values map to `timeZone: "Etc/UTC"` the same way DTSTART does. · *`b.calendar.toIcal` emits VTODO when `@type === "Task"`* — The envelope is `BEGIN:VTODO` / `END:VTODO` instead of `BEGIN:VEVENT`. Task-specific properties round-trip: `DUE` (with `;TZID=` parameter or `Z` suffix or floating local time per the same RFC 8984 §1.4.4 timeZone mapping as DTSTART), `STATUS` (uppercased), `PERCENT-COMPLETE`, `COMPLETED` (UTC). `estimatedDuration` maps to `DURATION` (RFC 5545 doesn't distinguish Event vs Task duration on the wire). · *`b.calendar.validate` learns Task-specific shape rules (RFC 8984 §6.4)* — `due` must be a LocalDateTime, `estimatedDuration` must match the same PnYnMnDTnHnMnS Duration grammar Event uses, `progress` must be in the `JSCAL_TASK_PROGRESS` catalogue (also exposed as a new top-level export), `percentComplete` must be a finite number in 0..100, `progressUpdated` must be a UTCDateTime. Structured `CalendarError` codes: `calendar/bad-due`, `calendar/bad-progress`, `calendar/bad-percent`, `calendar/bad-progress-updated`. · *Mixed-component VCALENDAR returns an array of Event + Task shapes* — When a VCALENDAR contains both VEVENT and VTODO children, `fromIcal` returns an Array — events first, tasks second, in their declared order. The single-component shortcut (returning the bare object) still applies when only one component is present. · *`calendar/no-vevent` error code renamed to `calendar/no-component`* — The refusal that fires when a VCALENDAR has no parseable child component now uses the more accurate `calendar/no-component` code (since VTODO is also valid). Operators that grep on the prior `calendar/no-vevent` code need to update the match; the human-facing error message also updates. **References:** [RFC 8984 §6 (JSCalendar Task)](https://www.rfc-editor.org/rfc/rfc8984.html#section-6) · [RFC 5545 §3.6.2 (iCalendar VTODO component)](https://www.rfc-editor.org/rfc/rfc5545.html#section-3.6.2) · [RFC 5545 §3.8.2.3 (DUE date-time)](https://www.rfc-editor.org/rfc/rfc5545.html#section-3.8.2.3) · [RFC 5545 §3.8.1.11 (STATUS — needs-action/in-process/completed/cancelled)](https://www.rfc-editor.org/rfc/rfc5545.html#section-3.8.1.11)
+- v0.11.34 (2026-05-21) — **JMAP WebSocket transport (RFC 8887) on `b.mail.server.jmap`.** Closes the v0.11.29 deferral. The JMAP listener now exposes `webSocketHandler(req, socket, head)` — a turnkey RFC 8887 transport built on the framework's `b.websocket.handleUpgrade`. Clients connect with the `jmap` subprotocol; bidirectional JSON frames carry `{ "@type": "Request" }` / `{ "@type": "WebSocketPushEnable" }` / `{ "@type": "WebSocketPushDisable" }` from the client, and `{ "@type": "Response" }` / `{ "@type": "StateChange" }` / `{ "@type": "RequestError" }` from the server. `Request` frames flow through the same `dispatch(actor, request)` path the HTTP `apiHandler` uses; `WebSocketPushEnable` hooks the operator's `mailStore.subscribePush(actor, types, emitFn)` and converts backend StateChange events into outbound WebSocket frames.
+The session resource picks up `webSocketUrl` so clients discover the endpoint via the same JMAP session-discovery flow they use for `apiUrl` / `eventSourceUrl` / `uploadUrl` / `downloadUrl`. permessage-deflate is OFF by default — same CRIME-class compression-oracle threat model as the v0.11.28 IMAP COMPRESS=DEFLATE intentional skip — operators opt in via `opts.webSocketPermessageDeflate`. **Added:** *`webSocketHandler(req, socket, head)` on the listener handle* — Mount on the operator's HTTP server's `'upgrade'` event. Auth is delegated to the surrounding HTTP middleware (the handler expects `req.user` / `req.actor` to be populated by upstream auth); unauthenticated requests write `HTTP/1.1 401 Unauthorized` to the raw socket per the WebSocket spec's pre-handshake error shape. RFC 8887 §3.1 requires the `jmap` subprotocol; the handler refuses the upgrade with close-code 1002 if `Sec-WebSocket-Protocol: jmap` is missing. · *Bidirectional JSON-framed transport* — Client → server `@type`: `Request` (same body as HTTP POST — `{ using, methodCalls, createdIds? }`), `WebSocketPushEnable` (`{ dataTypes?, pushState? }`), `WebSocketPushDisable`. Server → client `@type`: `Response` (`{ requestId, methodResponses, sessionState, createdIds }`), `StateChange` (`{ changed, pushed? }`), `RequestError` (`{ requestId, type, description }`). Unknown `@type` frames trigger a `RequestError` rather than tearing down the channel. · *Push integration shares the operator hook with EventSource* — `WebSocketPushEnable` forwards `(actor, dataTypes, emitFn)` to `mailStore.subscribePush` — the same backend hook the EventSource handler (v0.11.29) consumes. Operators wire push once and both transports surface the same `StateChange` events. Per-connection `WebSocketPushDisable` calls the unsubscribe function the backend returned from `subscribePush`. Connection close cleans up implicitly. · *Session resource carries `webSocketUrl`* — The session JSON now includes `webSocketUrl: opts.webSocketUrl || "/jmap/ws"` per RFC 8887 §3. Operators discoverable-by-default — clients using a stock JMAP library find the WS endpoint via the session resource the same way they find `apiUrl` today. **Security:** *Binary frames refused* — JMAP is JSON-only over WebSocket. Binary frames trigger a `RequestError` with `type: "notJSON"`; the connection stays open so the next text frame can be valid. Prevents a misbehaving client from sneaking opaque bytes past the JSON parser. · *JSON parse routed through `b.safeJson.parse`* — WebSocket text frames are parsed through `b.safeJson.parse` with the per-connection `maxBytes` cap (default 10 MiB; operator-tunable via `opts.webSocketMaxMessageBytes`). Catches CVE-2020-7660-class prototype-pollution payloads + adversarial-depth JSON before they reach the JMAP method dispatcher. · *permessage-deflate OFF by default (CRIME-class threat)* — RFC 7692 permessage-deflate enables compression-oracle attacks (CVE-2012-4929 CRIME class) when the operator pipes JSON containing both attacker-controlled and confidential data through the same connection. Default is OFF; operators with explicit threat-model justification opt in via `opts.webSocketPermessageDeflate = true`. Mirrors the v0.11.28 IMAP COMPRESS=DEFLATE intentional refusal. · *Subprotocol negotiation refuses non-`jmap` clients* — If the client's `Sec-WebSocket-Protocol` header doesn't include `jmap`, the listener refuses the upgrade with close-code 1002 (protocol error). RFC 8887 §3.1 — the JMAP-WS connection is identified by the subprotocol; refusing here prevents the connection from being misinterpreted as a generic WebSocket channel by middleware downstream. **References:** [RFC 8887 (JMAP over WebSocket)](https://www.rfc-editor.org/rfc/rfc8887.html) · [RFC 8620 (JMAP Core)](https://www.rfc-editor.org/rfc/rfc8620.html) · [RFC 6455 (The WebSocket Protocol)](https://www.rfc-editor.org/rfc/rfc6455.html) · [RFC 7692 (Compression Extensions for WebSocket — NOT enabled)](https://www.rfc-editor.org/rfc/rfc7692.html) · [CVE-2012-4929 (CRIME — compression-oracle attack on TLS)](https://nvd.nist.gov/vuln/detail/CVE-2012-4929)
+- v0.11.33 (2026-05-21) — **IMAP QRESYNC (RFC 7162 §3.2) — VANISHED responses + SELECT delta on `b.mail.server.imap`.** Closes the v0.11.27 deferral. The IMAP listener now advertises QRESYNC in CAPABILITY, accepts `ENABLE QRESYNC` (which implicitly engages CONDSTORE per §3.2.5), and parses the `(QRESYNC (<uidvalidity> <modseq> [<knownUids>] [<knownSequenceMatchData>]))` parameter list on SELECT / EXAMINE. When the client's UIDVALIDITY matches the backend's, the listener emits a single `* VANISHED (EARLIER) <uid-set>` listing UIDs the server expunged since the client's snapshot — operators implement the actual delta computation via `mailStore.selectFolder(actor, mailbox, { qresync }) → { ..., vanishedEarlier }`. Stale-UIDVALIDITY clients fall through to a full re-SELECT. **Added:** *CAPABILITY advertises `QRESYNC`* — Sits next to the existing `CONDSTORE` advertisement. Both extensions are server-advertised; clients ENABLE before relying on the responses. RFC 7162 §3.2.5 — QRESYNC implies CONDSTORE. · *`ENABLE QRESYNC` engages both flags* — The handler flips `state.enabledQResync = true` AND `state.enabledCondStore = true` and emits `* ENABLED QRESYNC` + `OK ENABLE completed`. Already-engaged QRESYNC re-issues skip the advertisement line (only newly-engaged extensions appear). · *`SELECT mailbox (QRESYNC (<uidvalidity> <modseq> [<knownUids>] [<knownSeq>]))`* — The QRESYNC parameter list is stripped from the SELECT args before the mailbox-name validator runs and forwarded to `mailStore.selectFolder` as `opts.qresync = { uidvalidity, modseq, knownUids, knownSeq }`. Backends compute the delta and return `vanishedEarlier` (sequence-set string) in the existing select-info object. Non-finite uidvalidity / modseq values refuse with `BAD SELECT QRESYNC params must be (<uidvalidity> <modseq> ...) numerics` before the backend call. · *Implicit CONDSTORE+QRESYNC engagement on parameterised SELECT* — Per RFC 7162 §3.2.4, a client that issues `SELECT INBOX (QRESYNC (...))` without a prior `ENABLE QRESYNC` flips both flags implicitly for the session. Subsequent FETCH responses include `MODSEQ (<n>)` just as they would after explicit ENABLE. · *`* VANISHED (EARLIER) <uid-set>` emission* — The listener emits a single VANISHED untagged response between `HIGHESTMODSEQ` and the tagged OK when (a) the client supplied a QRESYNC parameter, (b) the client's UIDVALIDITY matches the backend's, AND (c) the backend supplied a non-empty `vanishedEarlier`. Mismatched UIDVALIDITY suppresses the VANISHED line so the client correctly falls through to a full re-sync (RFC 7162 §3.2.5). **Security:** *QRESYNC parameter parse is bounded* — The regex anchors on `\(\s*QRESYNC\s*\(\s*([^)]+)\)` — `[^)]*` not `.*` — so a malformed parameter list cannot consume the entire SELECT args. Both `uidvalidity` and `modseq` parse strictly as `\d+` via `parseInt(...)` + `isFinite` check; non-numeric values refuse before the backend dispatch. · *VANISHED suppressed on UIDVALIDITY mismatch* — RFC 7162 §3.2.5 — when the client's `uidvalidity` does NOT match the server's current value, the mailbox has been reset (e.g., recreated under the same name) and the client's UID cache is invalid. The listener intentionally drops the VANISHED line so the client forces a fresh full-sync instead of acting on a delta that references a different message set. **References:** [RFC 7162 §3.2 (QRESYNC — Quick Mailbox Resynchronization)](https://www.rfc-editor.org/rfc/rfc7162.html) · [RFC 9051 (IMAP4rev2)](https://www.rfc-editor.org/rfc/rfc9051.html) · [RFC 5161 (IMAP ENABLE Extension)](https://www.rfc-editor.org/rfc/rfc5161.html)
+- v0.11.32 (2026-05-21) — **`b.mail.crypto.pgp.encrypt` / `.decrypt` / `.wkd` promoted to stable — WKD IDN-homograph defense.** The PGP encrypt / decrypt / Web Key Directory (WKD) primitives that shipped under `b.mail.crypto.pgp.experimental.*` at v0.10.16 are promoted to top-level stable. `b.mail.crypto.pgp.encrypt` / `b.mail.crypto.pgp.decrypt` / `b.mail.crypto.pgp.wkd.fetch` / `b.mail.crypto.pgp.wkd.computeUrl` are now the canonical paths; the v0.10.16 `experimental` aliases continue to work so existing operator code keeps importing through the old path until they migrate at their own pace. WKD picks up a hard IDN-homograph refusal at `wkd.computeUrl` — Cyrillic / Greek / full-width / Han confusable domain characters refuse with `mail-crypto/pgp/bad-domain` before any HTTP fetch runs. Operators with internationalised domains MUST Punycode-encode upstream (RFC 3492 `xn--` form). **Added:** *Top-level `b.mail.crypto.pgp.encrypt` / `.decrypt` / `.wkd.{fetch,computeUrl}`* — Same function bodies that shipped under `b.mail.crypto.pgp.experimental.*` at v0.10.16 are now exported at the top of the namespace. The framework-private envelope (BJ-PGP-PQ magic + version) is unchanged; the IANA-pending RFC 9580bis ML-KEM PKESK codepoints will land as an alternate-encoding option in a follow-up slice. The `experimental` alias keeps the v0.10.16 import paths working — operator migration is opt-in. `b.mail.crypto.pgp.encrypt === b.mail.crypto.pgp.experimental.encrypt` (same reference) so a feature-detection test like `typeof b.mail.crypto.pgp.encrypt === 'function'` is the new operator-facing pattern. **Security:** *WKD IDN-homograph refusal at `wkd.computeUrl`* — `wkd.computeUrl(email)` now refuses any domain containing characters outside the LDH+dot ASCII subset (RFC 952 / RFC 1123 §2). The threat model: Cyrillic `а` (U+0430), Greek `ο` (U+03BF), full-width `Ａ` (U+FF21), and Han homographs visually impersonate Latin letters in `paypa1.com` / `gοogle.com` style phishing host strings; a naive `toLowerCase` + concat into the WKD URL would route the key fetch to the attacker's domain. Operators with legitimate internationalised domains MUST Punycode-encode upstream (the `xn--` form is plain ASCII LDH and passes). The framework's `b.httpClient` already refuses non-ASCII hostnames at the SSRF guard layer; this primitive surfaces the same refusal at the WKD entry point so the error surface is consistent. · *RFC 5321 + RFC 1035 length caps* — Email length capped at 320 octets (RFC 5321 §4.5.3.1 maximum). Domain length capped at 253 octets (RFC 1035 §2.3.4). Empty labels (`bad..example.com`), leading-dot, and trailing-dot domains refuse before any URL construction. Adversarial-length inputs cannot reach the tokenizer / hasher path. **References:** [draft-koch-openpgp-webkey-service (Web Key Directory)](https://datatracker.ietf.org/doc/draft-koch-openpgp-webkey-service/) · [RFC 9580 (OpenPGP)](https://www.rfc-editor.org/rfc/rfc9580.html) · [RFC 3492 (Punycode — IDNA `xn--` form)](https://www.rfc-editor.org/rfc/rfc3492.html) · [RFC 5891 (IDNA 2008)](https://www.rfc-editor.org/rfc/rfc5891.html) · [RFC 5321 §4.5.3.1 (SMTP — local-part + domain octet maximums)](https://www.rfc-editor.org/rfc/rfc5321.html) · [RFC 1035 §2.3.4 (domain label length)](https://www.rfc-editor.org/rfc/rfc1035.html) · [Unicode TR 39 (Security Mechanisms — confusable identifiers)](https://www.unicode.org/reports/tr39/)
+- v0.11.31 (2026-05-21) — **`b.calendar` — JSCalendar (RFC 8984) primitive + JMAP Calendars method catalogue.** JSCalendar is the JSON-native calendar grammar JMAP Calendars rides on. The framework now ships `b.calendar` — a thin layer over the existing `b.safeIcal.parse` (RFC 5545 bounded parser shipped earlier) that exposes validate / fromIcal / toIcal / expandRecurrence. The JMAP method catalogue at `b.mail.serverRegistry` picks up the 15 Calendar / CalendarEvent / CalendarEventNotification / ParticipantIdentity methods per the draft-ietf-jmap-calendars spec, so operators wire them through the existing `b.mail.server.jmap.create({ methods: { ... } })` dispatch path without `allowExperimental: true` escape-hatches.
+v1 scope: validate JSCalendar Event / Task shape per RFC 8984 §5/§6, bidirectional VEVENT ↔ JSCalendar conversion, RRULE expansion for FREQ=DAILY/WEEKLY/MONTHLY/YEARLY/HOURLY/MINUTELY/SECONDLY with INTERVAL / COUNT / UNTIL / BYDAY / BYMONTH / BYMONTHDAY. BYSETPOS / BYWEEKNO / BYYEARDAY filters + non-Gregorian calendars (RFC 7529) + JSCalendar Group objects + VTODO/VJOURNAL mapping are deferred-with-condition for follow-up slices. **Added:** *`b.calendar.validate(jsCal)` — JSCalendar Event/Task shape gate (RFC 8984 §5/§6)* — Asserts `@type` ∈ { 'Event', 'Task' }, non-empty `uid` (≤ 1024 bytes), `updated` matches UTCDateTime grammar, Event's optional `start` matches LocalDateTime, `duration` is RFC 8601 PnYnMnDTnHnMnS, every `recurrenceRules[i].@type` is 'RecurrenceRule' with `frequency` in the JSCAL_FREQUENCIES catalogue, every `alerts.{id}.action` is 'display' or 'email'. Returns the input on success; throws `CalendarError` with a structured `.code` (`calendar/no-uid`, `calendar/bad-recurrence`, etc.) on refusal so operator-side error handling has a stable surface. · *`b.calendar.fromIcal(text, opts?)` + `b.calendar.toIcal(jsCal, opts?)`* — Bidirectional bridge: iCalendar (RFC 5545) ↔ JSCalendar (RFC 8984). `fromIcal` runs the text through `b.safeIcal.parse` (already CVE-bounded for parser DoS) and maps the first VEVENT into an Event object (UID → uid, DTSTAMP → updated, DTSTART → start, DURATION → duration, SUMMARY → title, DESCRIPTION → description, LOCATION → locations[L1].name, RRULE → recurrenceRules[0]). `toIcal` round-trips the same shape back through a CRLF-folded VCALENDAR envelope per RFC 5545 §3.1 (75-octet content-line cap). Operators wire it on the EmailSubmission send path so calendar invitations from a JSCalendar back-end emit RFC 5545 over MIME, and inbound iCalendar attachments parse straight into the JMAP method's Event return shape. · *`b.calendar.expandRecurrence(event, { from, to, max })` — bounded RRULE expansion* — Emits ISO 8601 UTC instance timestamps for an Event in the operator's `[from, to]` window. Supports FREQ=DAILY/WEEKLY/MONTHLY/YEARLY/HOURLY/MINUTELY/SECONDLY with INTERVAL, COUNT, UNTIL. Bounded by `MAX_EXPAND_INSTANCES` (4096) and `MAX_EXPAND_SPAN_MS` (10 years) — refuses with `calendar/oversize-expansion-span` when the window exceeds 10 years (CVE-2024-39687-class recurrence-bomb defense, mirroring the parser-side caps already in `b.safeIcal`). LocalDateTime starts without a `timeZone` are treated as floating-UTC during expansion so wall-clock semantics survive `Date.parse` host-locale interpretation. · *JMAP method catalogue: Calendar / CalendarEvent / CalendarEventNotification / ParticipantIdentity* — 15 new methods added to `JMAP_METHODS` in `lib/mail-server-registry.js` per draft-ietf-jmap-calendars: `Calendar/{get,changes,set,query,queryChanges}`, `CalendarEvent/{get,changes,query,queryChanges,set,copy}`, `CalendarEventNotification/{get,changes,query,queryChanges,set}`, `ParticipantIdentity/{get,changes,set}`. Operators wire concrete handlers through the existing `b.mail.server.jmap.create({ methods: { 'CalendarEvent/get': async function (actor, args) { ... } } })` path — no `allowExperimental: true` escape-hatch is required. **Security:** *Recurrence-bomb expansion caps* — `MAX_EXPAND_INSTANCES = 4096` + `MAX_EXPAND_SPAN_MS = 10 years` clamp the expansion budget at the framework boundary so an operator who forwards an unbounded JSCalendar from a hostile peer cannot DoS the host. The caps mirror `b.safeIcal`'s RRULE COUNT + BY-entries caps (which already defend the CVE-2024-39687 class). The 10-year span refusal carries `code: 'calendar/oversize-expansion-span'` so operators distinguish bomb defense from legitimate too-wide-window misconfiguration. · *UID + duration + UTCDateTime parsing is strict* — `validate` refuses `uid` over 1024 bytes (anti-DoS), `updated` that doesn't match the RFC 8984 §1.4.3 `\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z` UTCDateTime grammar exactly (no `+00:00` aliases, no fractional-second-only suffixes), and `duration` that isn't `PnYnMnDTnHnMnS`. Hostile JSCalendar payloads from federation peers can't slip non-canonical-shape values into the operator's storage layer through the validator. · *iCalendar parsing routed through bounded `b.safeIcal.parse`* — `fromIcal` does NOT roll its own RFC 5545 parser — it forwards to `b.safeIcal.parse` which is already audit-hardened (CVE-2024-39929 / CVE-2025-30258 mitigation, bounded depth, capped RRULE COUNT + BY-entries). The JSCalendar layer composes the existing security substrate rather than re-litigating it. **References:** [RFC 8984 (JSCalendar — JSON Representation of Calendar Data)](https://www.rfc-editor.org/rfc/rfc8984.html) · [RFC 5545 (iCalendar — Internet Calendaring and Scheduling Core Object)](https://www.rfc-editor.org/rfc/rfc5545.html) · [draft-ietf-jmap-calendars (JMAP for Calendars)](https://datatracker.ietf.org/doc/draft-ietf-jmap-calendars/) · [RFC 8620 (JMAP Core)](https://www.rfc-editor.org/rfc/rfc8620.html) · [RFC 8601 (Duration grammar PnYnMnDTnHnMnS)](https://www.rfc-editor.org/rfc/rfc3339.html) · [RFC 7986 (New properties for iCalendar)](https://www.rfc-editor.org/rfc/rfc7986.html) · [CVE-2024-39687 (iCalendar recurrence-bomb expansion)](https://nvd.nist.gov/vuln/detail/CVE-2024-39687)
+- v0.11.30 (2026-05-21) — **JMAP blob upload + download handlers on `b.mail.server.jmap` (RFC 8620 §6).** The JMAP listener now exposes turnkey HTTP handlers for blob upload (`POST /jmap/upload/{accountId}`) and blob download (`GET /jmap/download/{accountId}/{blobId}/{name}`). Upload streams the request body into `b.safeBuffer.boundedChunkCollector` (default cap 50 MiB; operator-tunable via `opts.maxBlobBytes`), then calls the operator backend's `mailStore.uploadBlob(actor, accountId, contentType, bytes) → { blobId, type?, size? }` and returns the JSON descriptor clients pass to subsequent `Email/set` / `Email/import` calls. Download walks the operator backend's `mailStore.downloadBlob(actor, accountId, blobId) → { bytes, type }` and pipes the bytes through with the right `Content-Type` + `Content-Disposition` headers. Both handlers refuse 503 when the corresponding backend hook is missing — never silent OK.
+EmailSubmission (RFC 8621 §7) was already in the JMAP method catalogue at `lib/mail-server-registry.js`; operators wire `EmailSubmission/get` / `EmailSubmission/set` through the existing `opts.methods` dispatch and compose `b.mail.send.deliver` (shipped v0.11.24) for the actual outbound send. No additional framework wiring is required. **Added:** *`uploadHandler(req, res)` — POST `/jmap/upload/{accountId}`* — Streams the request body through `b.safeBuffer.boundedChunkCollector` so a runaway upload refuses with `413 maxSizeUpload` instead of OOM'ing the process. Default cap 50 MiB; tune via `b.mail.server.jmap.create({ maxBlobBytes })`. The `accountId` path segment is identifier-shape-validated (`/^[A-Za-z0-9_-]{1,64}$/`) — path-traversal shapes are refused at the boundary. Calls `mailStore.uploadBlob(actor, accountId, contentType, bytes) → { blobId, type?, size? }`; the listener echoes `accountId` + `blobId` + `type` + `size` back as a `201 Created` JSON response per RFC 8620 §6.1. · *`downloadHandler(req, res)` — GET `/jmap/download/{accountId}/{blobId}/{name}`* — Parses the path's `accountId` / `blobId` / `name` segments + optional `?accept=<type>` query, calls `mailStore.downloadBlob(actor, accountId, blobId) → { bytes, type } | Buffer | null`, and pipes the bytes through with `Content-Type` (backend-supplied OR query-`accept` OR `application/octet-stream` fallback) + `Content-Length` + `Content-Disposition: attachment; filename="<safe-name>"` (only when the filename matches the safe `[A-Za-z0-9._-]{1,200}` shape — anti header-injection). Missing blob → `404 invalidArguments`. · *Both handlers exposed on the listener handle* — `b.mail.server.jmap.create(opts)` returns `{ apiHandler, sessionHandler, discoveryHandler, eventSourceHandler, uploadHandler, downloadHandler, MailServerJmapError }`. Operators mount each at the path their HTTP router exposes; the `session.uploadUrl` / `session.downloadUrl` already advertise the canonical paths. · *EmailSubmission methods continue through the existing dispatch path* — RFC 8621 §7 — `EmailSubmission/get` / `EmailSubmission/changes` / `EmailSubmission/query` / `EmailSubmission/queryChanges` / `EmailSubmission/set` are already in the JMAP method catalogue at `lib/mail-server-registry.js`. Operators wire them through `b.mail.server.jmap.create({ methods: { 'EmailSubmission/set': async function (actor, args) { ... b.mail.send.deliver(...) ... } } })`. No additional framework wiring is required for v0.11.30; the substrate composition (JMAP method → `b.mail.send.deliver` → SMTP MX → DSN) was already complete after v0.11.24. **Security:** *AccountId path-traversal refusal at the boundary* — Both handlers validate the `accountId` URL segment against `/^[A-Za-z0-9_-]{1,64}$/`. URL-encoded path-traversal payloads (`%2E%2E%2F`, `..%2F`, `/`) refuse with `400 invalidArguments` before any backend call. Operator-side validation in `mailStore.uploadBlob` / `mailStore.downloadBlob` is a defense-in-depth second layer. · *Upload size cap via `safeBuffer.boundedChunkCollector` (cap-bounded)* — Replaces the prior hand-rolled `Buffer.concat(chunks, received)` shape with the framework's bounded-collector primitive. The collector throws `mail-server-jmap/blob-too-large` on overflow; the handler converts it into a `413 maxSizeUpload` JSON error per RFC 8620 §6.1. A misbehaving client cannot stream a multi-gigabyte payload past the limit — the collector enforces the cap byte-by-byte. · *`Content-Disposition` filename is identifier-shape only* — Download responses only set the `Content-Disposition` header when the URL's `name` segment matches `/^[A-Za-z0-9._-]{1,200}$/`. Filenames with `;` / `"` / CRLF cannot be smuggled into the header — RFC 6266 §4.3 + CVE-2023-46604-class header-injection defense. **References:** [RFC 8620 (JMAP Core — §6 Blob upload/download)](https://www.rfc-editor.org/rfc/rfc8620.html) · [RFC 8621 (JMAP Mail — §7 EmailSubmission)](https://www.rfc-editor.org/rfc/rfc8621.html) · [RFC 6266 (Content-Disposition in HTTP)](https://www.rfc-editor.org/rfc/rfc6266.html) · [RFC 5987 (Encoding-aware filename* parameter)](https://www.rfc-editor.org/rfc/rfc5987.html)
+- v0.11.29 (2026-05-21) — **JMAP Push — EventSource SSE handler on `b.mail.server.jmap` (RFC 8620 §7.3).** The JMAP listener now exposes a real EventSource handler at `/jmap/eventsource`. The session-resource's `eventSourceUrl` becomes a live push channel: clients connect with `?types=*|<csv>&closeafter=no|state&ping=<seconds>`, the listener subscribes via the operator backend's `mailStore.subscribePush(actor, types, emitFn)` hook, and StateChange events arrive as `event: state` SSE frames with the `{ "@type": "StateChange", changed: {...} }` payload per RFC 8620 §7.4. Keepalive `event: ping` frames default to 30 s (operator-tunable 5-900 s), `closeafter=state` closes after one event for poll-like clients, and the SSE response carries the headers proxies expect (`Cache-Control: no-cache`, `Connection: keep-alive`, `X-Accel-Buffering: no`) so nginx-fronted deployments don't buffer the stream. Without the backend subscribe hook the handler refuses with `503 serverUnavailable`, never silent OK. **Added:** *`eventSourceHandler(req, res)` exposed on the JMAP listener handle* — `b.mail.server.jmap.create(opts).eventSourceHandler` mounts on the operator's HTTP router at whatever path the session-resource's `eventSourceUrl` points to (default `/jmap/eventsource`). Authentication is delegated to the surrounding HTTP middleware (the handler expects `req.user` / `req.actor` to be set); unauthenticated requests return `401 forbidden` per RFC 8620 §1.5. Query-string params parse `types=` (CSV or `*` wildcard), `closeafter=` (`no` | `state`), `ping=` (seconds, clamped 5..900) per §7.3. · *Operator backend hook — `mailStore.subscribePush(actor, types, emitFn)`* — Backends opt in by exposing a `subscribePush` method that accepts (1) the authenticated actor, (2) a parsed `types` list (or `null` for the wildcard `*`), and (3) an `emitFn(event)` callback the backend calls when a state change occurs. The expected event shape is `{ kind: 'StateChange', changed: { <accountId>: { <typeName>: <stateString>, ... }, ... }, pushed?: {...} }`; the listener formats it into the SSE `event: state\ndata: <JSON>\n\n` wire shape. The subscribe call may return either `void` or an `unsubscribe()` function the listener invokes on disconnect. · *SSE wire-correct headers + initial-state hint* — Response headers: `Content-Type: text/event-stream; charset=utf-8`, `Cache-Control: no-cache`, `Connection: keep-alive`, `X-Accel-Buffering: no` (nginx-specific — disables response buffering on the stream so per-event frames flush immediately). The initial bytes carry `retry: 5000\n\n` (HTML5 SSE reconnect hint — 5 s) + a `: connected\n\n` comment so clients can confirm the channel is alive before the first state event. **Security:** *Push backend missing returns `503 serverUnavailable` (no silent accept)* — If the operator wired the listener without `mailStore.subscribePush`, the handler returns `503 urn:ietf:params:jmap:error:serverUnavailable` with a `description` pointing at the missing hook. RFC 8620 §7.3 expects the server to honour subscriptions or refuse explicitly — silently accepting would let a client believe events will arrive when the server cannot deliver. · *`closeafter` accepts only `no` | `state` (RFC 8620 §7.3)* — Any other value returns `400 invalidArguments` before the subscribe hook fires. Prevents an operator-supplied query string from steering the handler into an undocumented mode. · *Ping interval clamped 5..900 seconds* — `ping=<seconds>` below 5 s or above 900 s clamps to the bounds rather than refusing — a misconfigured client cannot DoS the listener via 1 ms ping floods, and a 24 h ping won't outlast intermediate proxy idle timeouts (typical 60-120 s). The clamped default (30 s) matches the RFC 8620 §7.3 example. · *Ping timer is `.unref()`'d* — Background timers without `.unref()` pin the Node process — graceful shutdown waits indefinitely. The interval is unref'd immediately after creation; per-connection cleanup (`req.on('close')` / `req.on('error')`) clears the timer + invokes the backend's optional `unsubscribe()` + ends the response. **References:** [RFC 8620 (JMAP Core — §7 Push / §7.3 EventSource / §7.4 StateChange)](https://www.rfc-editor.org/rfc/rfc8620.html) · [RFC 8621 (JMAP Mail)](https://www.rfc-editor.org/rfc/rfc8621.html) · [RFC 8887 (JMAP WebSocket transport — opt-in, deferred to a later slice)](https://www.rfc-editor.org/rfc/rfc8887.html) · [HTML5 Server-Sent Events (EventSource)](https://html.spec.whatwg.org/multipage/server-sent-events.html)
+- v0.11.28 (2026-05-21) — **IMAP opt-in extensions: NOTIFY (RFC 5465), METADATA (RFC 5464), CATENATE (RFC 4469).** Three IMAP extensions advertised in CAPABILITY and dispatched through the existing per-method registry. NOTIFY accepts a client subscription spec and hands it to the operator's `mailStore.subscribeNotify(actor, spec, emitFn)` hook — actual event emission stays operator-side. METADATA exposes GETMETADATA and SETMETADATA per-mailbox + server-wide annotations through `mailStore.getMetadata` / `setMetadata`. CATENATE extends APPEND to compose a message from existing parts (`TEXT {N}` literals + `URL "imap://..."`) via `mailStore.appendCatenate`. Each handler refuses gracefully (`NO ... backend not configured`) when the operator backend doesn't supply the hook. COMPRESS=DEFLATE (RFC 4978) intentionally NOT advertised — CRIME-class compression-oracle threat on the encrypted IMAP stream. **Added:** *CAPABILITY advertises `NOTIFY`, `METADATA`, `METADATA-SERVER`, `CATENATE`* — All four added unconditionally so capable clients can exercise the extension regardless of authentication state. Each handler is registered in the protocol verb catalogue (`b.mail.serverRegistry`) + the wire-level guard verb list (`b.guardImapCommand.KNOWN_VERBS`) so the existing dispatch + audit + ratelimit gates apply uniformly. · *`NOTIFY SET ...` / `NOTIFY NONE` — RFC 5465* — The handler parses `NOTIFY SET [STATUS] (<filter-set> (<event>...))*` and `NOTIFY NONE` and stores the filter-set verbatim on `state.notifySpec`. When the operator backend exposes `mailStore.subscribeNotify(actor, spec, emitFn)`, the listener wires an `emitFn` that translates backend events (`{ kind: 'STATUS' | 'LIST' | 'FETCH', payload, seq? }`) into untagged IMAP responses on the same connection — drop-silent if the socket has already closed. Without the backend hook, the wire command refuses with `NO NOTIFY backend not configured` rather than silently accepting subscriptions the server can't fulfil. · *`GETMETADATA` / `SETMETADATA` — RFC 5464* — Both verbs parse the per-mailbox + server-wide annotation forms. GETMETADATA accepts optional `(MAXSIZE N)` / `(DEPTH ...)` options before the mailbox + entry list, walks the entries through `mailStore.getMetadata(actor, mailbox, names, opts) → [{ entry, value }]`, and renders an untagged `* METADATA <mailbox> (<entry> <value>...)` response. SETMETADATA tokenises the entry/value pairs (quoted-strings + NIL for clearing), validates the mailbox name, and forwards to `mailStore.setMetadata(actor, mailbox, entries)`. Without the backend hooks, both return `NO ... backend not configured`. · *APPEND `CATENATE` modifier — RFC 4469* — `APPEND mailbox [flags] [date-time] CATENATE (...)` is recognised before the legacy literal-required APPEND path. The parts list mixes `TEXT {N}` literal-bytes parts (handed in via the literal-aware parser) and `URL "imap://..."` reference parts; the listener bundles them into `parts: [{ kind: 'TEXT', bytes } | { kind: 'URL', url }]` and forwards to `mailStore.appendCatenate(mailbox, parts, { actor, flags, internalDate }) → { uid, uidValidity }`. When the backend returns the APPENDUID metadata the response carries `OK [APPENDUID <validity> <uid>] APPEND completed` (RFC 4315). Without the backend hook, refuses with `NO CATENATE backend not configured`. **Security:** *COMPRESS=DEFLATE intentionally NOT advertised (CRIME-class)* — RFC 4978 IMAP COMPRESS=DEFLATE enables stream compression that interacts badly with TLS — the CRIME attack class (CVE-2012-4929, BREACH, et al.) recovers plaintext via chosen-plaintext compression-ratio analysis. The framework default is OFF; operators with explicit threat models accept the downgrade via `opts.compress = true` (no opt-in path landed in v1, intentionally — defer-with-condition: open when an operator surfaces a deployment that needs it AND can document the chosen-plaintext threat model is mitigated). · *Mailbox-name validation reused for both METADATA verbs* — Both GETMETADATA and SETMETADATA run `_validateMailboxName` on the parsed mailbox argument (except for the empty-string `""` server-wide-metadata special case per RFC 5464 §3.1). Operators with the existing `allowLegacyMUtf7` opt see the same mailbox-name policy as the rest of the listener; injection-shape mailbox names are refused identically. · *NOTIFY backend-missing returns NO (not silent accept)* — If the operator wired the listener without `mailStore.subscribeNotify`, `NOTIFY SET ...` returns `NO NOTIFY backend not configured` — never a silent `OK`. RFC 5465 §6 specifies NO as the correct refusal shape; silent acceptance would let a client believe events will arrive when the server cannot fulfil the subscription. **References:** [RFC 5465 (IMAP NOTIFY)](https://www.rfc-editor.org/rfc/rfc5465.html) · [RFC 5464 (IMAP METADATA)](https://www.rfc-editor.org/rfc/rfc5464.html) · [RFC 4469 (IMAP CATENATE)](https://www.rfc-editor.org/rfc/rfc4469.html) · [RFC 4315 (IMAP UIDPLUS — APPENDUID response)](https://www.rfc-editor.org/rfc/rfc4315.html) · [RFC 4978 (IMAP COMPRESS — NOT enabled; CRIME-class threat)](https://www.rfc-editor.org/rfc/rfc4978.html) · [CVE-2012-4929 (CRIME — compression-oracle attack on TLS)](https://nvd.nist.gov/vuln/detail/CVE-2012-4929)
+- v0.11.27 (2026-05-20) — **IMAP CONDSTORE (RFC 7162) — modseq-aware FETCH + STORE on `b.mail.server.imap`.** The IMAP listener advertises and honours the CONDSTORE extension. Clients that issue `ENABLE CONDSTORE` get MODSEQ attributes in every untagged FETCH response; FETCH parses the `(CHANGEDSINCE <modseq>)` modifier and forwards it to the operator's backend so the backend can prune unchanged rows server-side; STORE parses the `(UNCHANGEDSINCE <modseq>)` conditional-update modifier and surfaces the backend's MODIFIED conflict set in the tagged OK response (`OK [MODIFIED <set>] STORE completed`). The backend interface picks up four new opts on the existing `fetchRange` / `storeFlags` calls: `changedSince`, `includeVanished`, `includeModseq`, `unchangedSince`. Backends MAY return modseq on each row; the listener injects `MODSEQ (<n>)` into the payload when present and CONDSTORE is enabled. QRESYNC (RFC 7162 §3.2) is deferred — accepted in ENABLE but no vanished-set surface is exposed yet. **Added:** *CAPABILITY advertises `CONDSTORE` unconditionally* — Per RFC 7162 §3 servers advertise CONDSTORE; clients ENABLE before relying on MODSEQ in untagged FETCH responses. The advertisement is unconditional (state-independent) so clients that issue CAPABILITY pre-LOGIN see CONDSTORE in the same untagged-response shape they'll see post-LOGIN. The old SELECT-side `HIGHESTMODSEQ` emission keeps working. · *`ENABLE CONDSTORE` handler flips `state.enabledCondStore`* — Replaces the no-op `OK ENABLED` shortcut with a real handler that parses the requested capability set, flips `state.enabledCondStore = true` on CONDSTORE, and replies with `ENABLED CONDSTORE` + `OK ENABLE completed`. Unknown extensions are silently ignored per RFC 5161 §3.1. QRESYNC is recognised but accepted only when a v1+ backend exposes the vanished-set surface. · *FETCH parses `(CHANGEDSINCE <modseq>)` + injects MODSEQ in responses* — When the FETCH args carry a trailing `(CHANGEDSINCE <n>)` modifier (RFC 7162 §3.1.4) the listener strips it from the fetch-att spec and forwards `opts.changedSince` to `mailStore.fetchRange`. The backend can prune unchanged messages server-side. When CONDSTORE is enabled (or the client explicitly requested MODSEQ as a fetch-att), each untagged FETCH response includes `MODSEQ (<n>)` — synthesised from `row.modseq` if the backend supplies it and the payload doesn't already contain it. Also recognises the QRESYNC `VANISHED` modifier (flag forwarded as `opts.includeVanished`); the vanished-set emission is the backend's responsibility for now. · *STORE parses `(UNCHANGEDSINCE <modseq>)` + emits `[MODIFIED <set>]` on conflict* — Per RFC 7162 §3.1.3 the conditional STORE refuses to update messages whose modseq advanced past `unchangedSince` since the client last fetched. The listener parses the modifier between the seq-set and the FLAGS op, forwards `opts.unchangedSince` to `mailStore.storeFlags`, and accepts either the legacy `rows: [...]` shape or a structured `{ rows, modified }` shape. When `modified` is non-empty, the tagged response carries `OK [MODIFIED <set>] STORE completed` so the client knows which messages need re-fetching before retry. Untagged FETCH responses also include `MODSEQ (<n>)` when STORE accepted updates under CONDSTORE. **Security:** *Modifier parsing is bounded + non-greedy* — The CHANGEDSINCE / UNCHANGEDSINCE matchers use `[^)]*` rather than `.*` so a malformed modifier can't consume the entire fetch-att spec. Both modifiers parse `\d+` only — non-integer / negative / Infinity values are silently dropped (the modifier becomes a no-op), so a client cannot ride the modifier to inject arbitrary fragments into the backend opts. · *Modseq attribute is opt-in* — MODSEQ injection into untagged FETCH responses ONLY happens when (a) CONDSTORE is enabled OR (b) the client's fetch-att spec contains the `MODSEQ` keyword. Pre-CONDSTORE clients see exactly the responses they saw before this release. The IMAP wire-format compatibility line is unchanged for the IMAP4rev1 / IMAP4rev2 cohorts that never issue `ENABLE CONDSTORE`. **References:** [RFC 7162 (IMAP4 CONDSTORE / QRESYNC)](https://www.rfc-editor.org/rfc/rfc7162.html) · [RFC 9051 (IMAP4rev2)](https://www.rfc-editor.org/rfc/rfc9051.html) · [RFC 5161 (IMAP ENABLE Extension)](https://www.rfc-editor.org/rfc/rfc5161.html) · [RFC 4315 (IMAP UIDPLUS Extension)](https://www.rfc-editor.org/rfc/rfc4315.html)
+- v0.11.26 (2026-05-20) — **`b.mail.server.submission` — CHUNKING / BDAT (RFC 3030).** The outbound submission listener now advertises and accepts the RFC 3030 BDAT (binary data) command, the chunked-upload alternative to DATA. Operators with large outbound payloads (attachments, MIME multipart bodies, encoded HTML) no longer pay the dot-stuffing cost of DATA; clients can stream chunks of arbitrary size and finalise with a `BDAT 0 LAST` (or `BDAT N LAST` for the final chunk). Mixing DATA + BDAT within one transaction is refused per RFC 3030 §3. Same `agent.handoff` contract — the body bytes arrive at the agent layer in their canonical SMTP form, no dot-stuffing applied (BDAT payloads are opaque). **Added:** *EHLO advertises `CHUNKING` + new `BDAT <chunk-size> [LAST]` command* — The EHLO 250-line list now includes `CHUNKING` (RFC 3030 §2.1). A new `BDAT` command handler accepts `BDAT <chunk-size> [LAST]` after MAIL FROM + RCPT TO; the server reads exactly `<chunk-size>` bytes from the socket — no dot-stuffing, no end-of-data marker — and acknowledges with `250 2.0.0 <octets> octets received`. Multiple BDAT chunks accumulate into the message body; the final chunk carries the `LAST` keyword and triggers the same agent-handoff path as DATA. A `BDAT 0 LAST` finalises an empty trailer when the last chunk's byte count is unknown in advance. · *Cumulative size cap honoured up-front* — `BDAT <large-size>` is refused with `552 5.3.4 BDAT cumulative size <total> exceeds maxMessageBytes (<cap>)` BEFORE the server begins reading bytes off the wire. A misconfigured client that pipelines `BDAT 999999999 LAST` and 1 GB of body is rejected at the command line, not after the byte stream lands. The collector bound on the receive side enforces the same cap as a backstop. · *Mid-segment payload drainage* — When `BDAT N LAST\r\n<payload>` arrives in one TCP segment (typical for pipelined small messages), the line-loop drains the post-`\r\n` bytes from the command buffer straight into the BDAT collector before returning. Any tail bytes after the BDAT chunk completes get re-fed as the next command. Operators get pipelining + chunking with no extra round-trip cost. **Security:** *BDAT state cleared on every STARTTLS upgrade* — Same threat model as CVE-2021-38371 (Exim) / CVE-2021-33515 (Dovecot): pre-handshake bytes a malicious peer pipelined MUST NOT reach the post-TLS state machine. The STARTTLS handler clears `inBdatChunk` / `bdatRemaining` / `bdatCollector` / `bdatTotalBytes` alongside the existing line-buffer + DATA-collector reset, so a smuggled `BDAT <n>` + body that lands before the TLS upgrade can't bleed into the encrypted transaction. · *Refusal on BDAT outside transaction* — BDAT before MAIL FROM / with zero RCPT returns `503 5.5.1` and does not enter chunk-collection mode. A misbehaving client that issues BDAT eagerly cannot leak state into the next transaction; the RSET reset path also clears all BDAT-side state. · *Pipelining race gate mirrors DATA* — If the operator's `recipientPolicy` is async and not all RCPT verdicts have resolved, BDAT returns `451 4.5.0 RCPT TO verdicts pending; reissue BDAT after recipient replies` — same shape as the DATA pipelining-race gate. The transaction never commits with a partially-resolved recipient set. **References:** [RFC 3030 (SMTP Service Extensions — CHUNKING / BDAT / BINARYMIME)](https://www.rfc-editor.org/rfc/rfc3030.html) · [RFC 5321 (SMTP)](https://www.rfc-editor.org/rfc/rfc5321.html) · [RFC 6409 (Message Submission for Mail)](https://www.rfc-editor.org/rfc/rfc6409.html) · [RFC 8314 (Cleartext considered obsolete — submission ports)](https://www.rfc-editor.org/rfc/rfc8314.html) · [CVE-2021-38371 (Exim STARTTLS injection)](https://nvd.nist.gov/vuln/detail/CVE-2021-38371) · [CVE-2021-33515 (Dovecot STARTTLS pre-handshake state leak)](https://nvd.nist.gov/vuln/detail/CVE-2021-33515)
+- v0.11.25 (2026-05-20) — **Five new primitives: sealed-token mail FTS + Stripe HMAC-SHA256 webhook verify + `b.money` + `b.fsm` + `b.auth.botChallenge`.** Five additive primitives in one release. Every consumer building on the framework — mail UIs, billing pipelines, e-commerce backends, multi-step business workflows, public web endpoints — now finds the substrate in-tree instead of reimplementing it. None of these replaces a default; every primitive is opt-in at the call site. Mail full-text search hashes tokens with the per-deployment vault salt before any byte hits the SQLite FTS5 index, so the index is searchable but a database dump leaks nothing readable. The Stripe-shaped HMAC-SHA-256 verifier sits next to the existing PQC and SHA3-512 webhook signers; the `whsec_` prefix stays in the key bytes per Stripe's spec; signatures are constant-time-compared and replay-defended via an operator-supplied nonce store. `b.money` arithmetic is BigInt-only across 40 ISO 4217 currencies with largest-remainder allocation and banker's-rounding FX conversion. `b.fsm` is the in-process sibling of `b.agent.saga` — declarative state + transition definition, guards, async on-enter/on-exit, drop-silent audit on every transition, with a transition-serialisation lock that makes concurrent `.transition()` calls deterministic. `b.auth.botChallenge` composes `b.httpClient` for siteverify against Cloudflare Turnstile (default), hCaptcha, and reCAPTCHA-v3 — the secret bytes never appear in any audit metadata. **Added:** *`b.mailStore.fts` — sealed-token full-text index + `b.mailStore.create().search(folder, filter)`* — Every `appendMessage` now inserts a row into a SQLite FTS5 virtual table whose subject / address / body columns hold space-separated 16-char hex hashes — vault-salted SHA3 over each NFC-normalised token. The salt is the same `b.vault.getDerivedHashSalt()` `b.cryptoField` uses for sealed-column derived hashes, so rotating the vault salt invalidates the FTS index in step with every other sealed-row hash. Query terms go through the same tokenize → hash transform on the search path and issue FTS5 MATCH against the hash-token rows — the index is fully searchable without ever materialising the plaintext on disk. `b.mail.agent.search({ folder, filter })` now accepts `text` / `subject` / `body` / `from` / `to` filter keys; the agent layer hands them to the store. `hardExpunge` deletes the FTS row inside the same transaction as the canonical message row so the two cannot drift. Limits: 8192 tokens / row / field, 2..64 codepoint length band, 8 MiB input cap per field. Exact-token only (no prefix wildcard, no stemmer) — the cost of sealed-at-rest. · *`b.webhook.verify({ alg: 'hmac-sha256-stripe', secret, header, body, toleranceMs?, nonceStore? })` + `b.webhook.sign(...)`* — Stripe-spec inbound webhook signature verifier (Paddle + Shopify use the same shape). Parses `Stripe-Signature: t=<unix>,v1=<hex>[,v1=<hex>...]`, validates the timestamp is within the tolerance window (default 5 min; refuses below 30s), HMAC-SHA-256s `<t>.<body>` with the `whsec_...` secret bytes verbatim (the prefix IS the key — `b.webhook.verify` never strips it), and walks the v1 entries with `b.crypto.timingSafeEqual` so a rotation grace window doesn't leak which entry matched. `b.webhook.sign` is the round-trip companion for outbound Stripe-shaped emission and round-trip tests. Optional `nonceStore: { has(k), set(k, ttlMs) }` records the accepted signature so a replay within the tolerance window refuses. The header value is hard-capped at 4096 bytes and per-`v1` hex at 256 chars (anti-DoS). · *`b.money` — decimal-safe money + 40-currency ISO 4217 catalog* — BigInt minor units throughout — Number is refused at construction. Currency exponents covering 0 (JPY/KRW), 2 (USD/EUR/GBP/…), 3 (KWD/BHD/JOD/OMR/TND), 4 (CLF) are pre-populated. Surface: `b.money.of(amount, code)` / `b.money.fromMinorUnits(bigint, code)` / `b.money.parse('12.50 USD')` / `b.money.zero(code)` plus instance methods `.add` / `.subtract` / `.multiply` / `.allocate(weights[])` / `.negate` / `.abs` / `.equals` / comparison family / `.toMinorUnits()` / `.toString()` / `.toJSON()` / `.format(locale?)`. `b.money.convert(money, toCurrency, fxRateProvider)` rounds half-to-even (banker's rounding) by default. Cross-currency arithmetic throws; `0.10 + 0.20 === 0.30` exactly. Allocation uses largest-remainder so $10 / 3 = [$3.34, $3.33, $3.33] with sum preserved. · *`b.fsm` — in-process state machine (sibling of `b.agent.saga`)* — `b.fsm.define({ name, initial, states, transitions })` returns a frozen machine factory. `Machine.create({ initialContext })` returns an instance with `.state` / `.context` / `.history` / `.allowed()` / `.can(name)` / `.transition(name, opts)` / `.toJSON()`. Transitions carry an optional guard (predicate; refusal throws `fsm/guard-refused`) and trigger per-state `onEnter` / `onExit` side-effects (sync or returned-Promise — `.transition` awaits). Every transition emits a `fsm.<machineName>.transition` audit event via `b.audit.safeEmit` (drop-silent on hot path), including the actor + metadata the caller passed in. A transition lock serialises concurrent `.transition()` calls — the test suite exercises five parallel transitions and verifies only the legal path runs. State + transition names are identifier-shape only (`safeSql.DEFAULT_IDENTIFIER_RE`) so a name never lands in SQL / HTML un-validated. `Machine.restore(snapshot)` rebuilds an instance from a prior `.toJSON()` snapshot — state + history + context survive a process restart. · *`b.auth.botChallenge.create({ secret, provider?, ... }) → { verify(token, opts?) }`* — Server-side challenge-response verifier for Cloudflare Turnstile (default), hCaptcha, and reCAPTCHA-v3. Composes `b.httpClient` for the outbound `/siteverify` POST — every request rides the framework's SSRF guard + DNS pinning + retry policy; the operator's secret never appears in a URL or any audit metadata field. Body encoding is `application/x-www-form-urlencoded` per the provider specs. Returns `{ ok, provider, hostname, action, challengeTs, score?, raw }` on success; throws `BotChallengeError` with structured codes (`invalid-token`, `timeout`, `hostname-mismatch`, `action-mismatch`, `provider-error`) on failure, with the upstream `error-codes` array exposed at `err.errorCodes`. Per-factory `allowedHostnames` + `allowedActions` allowlists; per-call `expectedHostname` + `expectedAction` overrides. Tokens are refused at the factory boundary if empty / non-string / > 4096 bytes, before any outbound call. **Security:** *Mail FTS index leaks zero plaintext (sealed-at-rest invariant extended)* — Pre-v0.11.25, the only operator-facing search path on `b.mail.agent` was a modseq cursor + post-fetch unseal — fast for cursoring but useless for text content discovery. Plaintext-FTS would have broken the sealed-at-rest invariant. The new index hashes every indexed token with the per-deployment vault salt before insert; a `sqlite3 .dump` produces ASCII-hex tokens indistinguishable from random. The same vault salt protects every `b.cryptoField`-sealed column, so adding the FTS index does NOT widen the cryptographic trust boundary. · *Stripe verifier defends the documented attack surface* — Constant-time HMAC compare (timing-safe across the v1 rotation list — operators don't leak which entry matched). Per-`v1` 256-hex anti-DoS cap. Tolerance-window minimum 30s — refuses operator misconfiguration that would accept hour-old signatures. The `whsec_` prefix preservation is encoded as a `codebase-patterns` detector (`stripe-hmac-sha256-no-strip-whsec-prefix`) so re-introducing the strip-bug is impossible without tripping a release gate. · *Bot-challenge secret never reaches audit / logs* — `b.auth.botChallenge` audit emits `{ provider, hostname, ok, errorCodes }` — the operator's secret bytes never appear in any metadata key. A `codebase-patterns` detector (`bot-challenge-secret-not-in-audit`) scans `lib/auth/bot-challenge.js` for any `audit.*emit` window that references `secret` so a future refactor cannot regress. **Detectors:** *Five new `codebase-patterns` detectors encode the shape-specific bug classes* — `stripe-hmac-sha256-no-strip-whsec-prefix` flags `secret.replace(/^whsec_/, '')` / `secret.slice(6)` near an HMAC call (the `whsec_` prefix IS the key). `no-number-money-arithmetic` flags `b.money.of(<Number>, ...)` and Number / Money arithmetic (precision lost; only BigInt / string OK at construction). `fsm-transition-without-await` flags `<fsm>.transition(...)` without `await` or `.then` in `lib/` (the transition is async; sync misuse swallows errors). `bot-challenge-secret-not-in-audit` is file-scoped to `lib/auth/bot-challenge.js` and flags any `audit.*emit` window or `metadata: { ... }` object literal referencing `secret`. Each detector is wired into `codebase-patterns.test.js`'s `run()` so every future commit re-checks the shape. **References:** [RFC 2104 (HMAC)](https://www.rfc-editor.org/rfc/rfc2104.html) · [RFC 6234 (US Secure Hash Algorithms — SHA-256)](https://www.rfc-editor.org/rfc/rfc6234.html) · [Stripe webhook signature spec](https://docs.stripe.com/webhooks/signature) · [Paddle webhook signature verification](https://developer.paddle.com/webhooks/signature-verification) · [Shopify webhooks — HMAC verification](https://shopify.dev/docs/apps/webhooks/configuration/https) · [ISO 4217 (Currency codes + minor unit catalog)](https://www.iso.org/iso-4217-currency-codes.html) · [IEEE 754 (the float-precision problem `b.money` avoids)](https://standards.ieee.org/standard/754-2019.html) · [Cloudflare Turnstile — server-side validation](https://developers.cloudflare.com/turnstile/get-started/server-side-validation/) · [hCaptcha — verify the user response server-side](https://docs.hcaptcha.com/) · [reCAPTCHA-v3 — server-side verification](https://developers.google.com/recaptcha/docs/v3) · [OWASP ASVS v5 §11.5 — bot defense controls](https://owasp.org/www-project-application-security-verification-standard/) · [RFC 9051 (IMAP4rev2 — SEARCH semantics)](https://www.rfc-editor.org/rfc/rfc9051.html) · [RFC 8621 (JMAP Mail — Email/query)](https://www.rfc-editor.org/rfc/rfc8621.html) · [SQLite FTS5](https://www.sqlite.org/fts5.html) · [UML State Machine (OMG UML 2.5.1 §14)](https://www.omg.org/spec/UML/2.5.1)
+- v0.11.24 (2026-05-20) — **`b.mail.send.deliver` — turnkey outbound SMTP composer (MX → MTA-STS → DANE → REQUIRETLS → DSN).** One factory wires together the full outbound mail chain. The operator hands the primitive an envelope (`{ from, to, rfc822 }`) and gets back per-recipient outcomes: `delivered`, `deferred` (with retry budget), or `failed` (with the corresponding RFC 3464 DSN already composed and the configured DSN sink invoked). Per-recipient handling is independent — one recipient permanently failing does not interfere with another's delivery or retry. MX records are resolved live (operator may inject a resolver for testing), MTA-STS policy (RFC 8461) is fetched + matched against the resolved MX before TLS, DANE TLSA records (RFC 7672) are consulted when present, REQUIRETLS (RFC 8689) is honored, and the per-host SMTP transport is the framework's `b.mail.smtpTransport`. SMTP outcomes are classified deterministically: hard 5xx + null-MX → permanent (with DSN); soft 4xx + DNS / connect / TLS errors → transient (with backoff budget). Recipient cap (1000 per call) and per-host / per-lookup timeout caps are baked in. **Added:** *`b.mail.send.deliver.create(opts) → async deliver(envelope)` — composed outbound delivery* — Factory returns a `deliver(envelope)` async function. `envelope = { from, to[], rfc822 }`. Returns `{ delivered: [{...}], deferred: [{...}], failed: [{...}] }`. Composes `b.network.smtp.policy.mtaSts.fetch` + `.matchMx`, `b.network.smtp.policy.dane.tlsa` + `.verifyChain`, `b.mail.smtpTransport.create`, and `b.audit.safeEmit`. Required opts: `hostname` (EHLO + MAIL FROM identity). Optional: `resolver` (object exposing `resolveMx` / `resolve` — defaults to node:dns/promises); `policy.mtaSts.enabled` (default true); `policy.dane.enabled` (default true); `retry.maxAttempts` (default 5); `retry.backoffMs` (default exponential 60s/5m/30m/2h/12h); `dsn.from` + `dsn.onPermanentFailure(messageBuffer, ctx)` (required only when DSN delivery is desired); `timeouts.mxLookupMs` (default 5s); `timeouts.perHostMs` (default 60s); `transportFactory` (test-injection override). · *Per-recipient outcome classifier (`_classifySmtpOutcome`)* — Maps SMTP reply codes + Node socket / TLS errors onto the `permanent` / `transient` axis. Permanent: SMTP 5xx (any subclass), null-MX RFC 7505 sentinel `.`, no-MX-records, RFC 5321 §3.6.2 unrouteable. Transient: SMTP 4xx (any subclass), TCP connection refused / reset / timeout, TLS handshake failure (when MTA-STS / DANE is not enforce-mode), DNS NXDOMAIN at lookup time. Once `retry.maxAttempts` is exhausted, transient is escalated to permanent with reason `retry exhausted (after N attempts)`. · *RFC 3464 DSN composer (`_buildDsnMessage`)* — Builds a `multipart/report; report-type=delivery-status` message with three parts: human-readable explanation, `message/delivery-status` block (Reporting-MTA, Original-Recipient, Final-Recipient, Action: failed, Status: 5.x.x), and a `message/rfc822-headers` block carrying the failed message's headers. Boundary token is generated via `b.crypto.generateToken(12)` so it can't collide with attacker-chosen header / body bytes. The composed DSN is passed to the operator-supplied `dsn.onPermanentFailure(message, ctx)` sink — the primitive does not itself send the DSN, keeping the operator in control of which transport carries DSNs (typically the same submission service). · *MX failover + per-host audit* — MX records are walked in priority order. A failed connect / TLS / 4xx on the first host falls over to the next; only when every MX has been tried does the recipient receive its final outcome. Each per-host failure emits a structured audit event (`mail.send.deliver.host-fail` with `recipient` + `mxHost` + `priority` + `reason`); the final outcome emits `mail.send.deliver.delivered` / `.deferred` / `.permanent-fail`. Audit is drop-silent on the hot path (catch + ignore). · *Recipient + envelope hard caps* — `MAX_RECIPIENTS_PER_CALL = 1000` refuses oversized fan-out at the factory boundary (5xx-style DoS prevention). `envelope.rfc822` accepts a Buffer or UTF-8 string — strings are converted at the boundary so downstream byte-level reasoning (DKIM, REQUIRETLS, length headers) sees stable bytes. Bad-envelope refusals carry `DeliverError` codes `deliver/bad-envelope`, `/bad-envelope-from`, `/bad-envelope-to`, `/too-many-recipients`, `/bad-envelope-rfc822` — operators get structured surface for each refusal class. **Security:** *MTA-STS enforcement before TLS handshake (RFC 8461)* — When `policy.mtaSts.enabled` (default), MTA-STS policy is fetched for the recipient domain. If the policy mode is `enforce` and a resolved MX hostname does not match an `mx:` entry, the host is refused without attempting TLS. This closes the MX-substitution attack window (`b.mail.send.deliver` cannot be diverted to an attacker-controlled MX even when DNS is hijacked, as long as the recipient publishes MTA-STS). · *DANE TLSA verification when present (RFC 7672)* — When `policy.dane.enabled` (default) and the recipient domain publishes TLSA records, the SMTP transport's TLS certificate chain is verified against the TLSA hash before the SMTP command pipeline starts. TLSA records take precedence over PKIX trust roots for SMTP — RFC 7672 §2.2. · *Boundary token unguessable (DSN boundary-injection defense)* — MIME boundary token in composed DSNs is 12 random bytes hex-encoded via `b.crypto.generateToken` (SHAKE256 over OS-RNG) — not `Date.now()` + `Math.random()`. The boundary appears verbatim in the message; a predictable boundary would let an attacker who controls the failed message's headers craft byte sequences that close the boundary early + inject MIME parts. **Detectors:** *`per-recipient-loop-fallthrough-to-failed` (codebase-patterns)* — A new detector flags per-recipient delivery loops where the `delivered` branch does not exit the iteration before falling into the permanent-failure / DSN-emit path. Encodes the bug class that was caught during this slice's bring-up — a recipient delivering successfully also being added to `failed[]` because the `if (delivered)` branch lacked an explicit `continue`. **References:** [RFC 5321 (Simple Mail Transfer Protocol)](https://www.rfc-editor.org/rfc/rfc5321.html) · [RFC 3464 (Extensible Message Format for Delivery Status Notifications)](https://www.rfc-editor.org/rfc/rfc3464.html) · [RFC 7505 (Null MX no-service resource record)](https://www.rfc-editor.org/rfc/rfc7505.html) · [RFC 8461 (SMTP MTA Strict Transport Security — MTA-STS)](https://www.rfc-editor.org/rfc/rfc8461.html) · [RFC 7672 (SMTP Security via Opportunistic DANE TLS)](https://www.rfc-editor.org/rfc/rfc7672.html) · [RFC 8689 (SMTP REQUIRETLS option)](https://www.rfc-editor.org/rfc/rfc8689.html) · [RFC 3463 (Enhanced Mail System Status Codes)](https://www.rfc-editor.org/rfc/rfc3463.html)
+- v0.11.23 (2026-05-20) — **`b.mail.agent.expunge` — hard EXPUNGE with legal-hold + retention-floor refusal gates.** Operators (and the future IMAP EXPUNGE + JMAP Email/set destroyed wire-protocol adapters) get a single canonical path for permanent message removal that refuses to delete anything currently under legal hold or still inside the regulator-mandated retention window. The gate runs per-message; refused ids carry an explicit reason (`legal-hold` / `retention-floor` / `not-in-folder`) plus the floor + age + posture metadata that drove the refusal — wire adapters mirror those reasons to operators verbatim. The destructive SQL runs only on the surviving id set, inside a backend transaction that also bumps folder modseq + decrements quota atomically. **Added:** *`b.mail.agent.expunge({ actor, folder, objectIds })` — hard EXPUNGE primitive* — Composes two refusal gates before the destructive SQL runs. (1) Legal-hold gate: any message whose `legal_hold` flag is set refuses with reason `legal-hold`. The mail-store layer surfaces the flag in per-row metadata; this layer maps it to the operator-facing refusal. (2) Retention-floor gate: under a configured compliance posture (`hipaa` / `pci-dss` / `gdpr` / `soc2`), the regulator-mandated minimum retention TTL is read from `b.retention.COMPLIANCE_RETENTION_FLOOR_MS[posture]` and any message whose age (`now - receivedAt`) is below the floor refuses with reason `retention-floor` plus `floorMs` + `ageMs` + `posture` metadata. Returns `{ deleted: <ids>, refused: [{ id, reason, ... }] }`. Audit event `mail.agent.expunge.success` carries the requested / deleted / refused counts and a reason histogram so dashboards can spot abnormal refusal patterns without parsing per-id detail. · *`b.mailStore.create(...).hardExpunge(folder, objectIds)` — destructive SQL primitive* — Removes messages permanently from a folder inside a single backend transaction: deletes the message row + its flag rows, bumps the folder modseq, decrements the per-folder quota by the freed bytes / count. Returns `{ rows, deleted, refused }` where `refused` carries `{ id, reason: 'legal-hold' | 'not-in-folder' }` for each id the SQL gate refused (legal-hold is mirrored from the column; not-in-folder catches stale ids). The agent layer (`b.mail.agent.expunge`) is responsible for the retention-floor gate; this primitive is the wire-protocol-shaped backend surface. · *`b.mailStore.create(...).fetchByObjectId` returns `legalHold: boolean`* — Pre-existing fetch path now consistently exposes the legal-hold flag in its return shape. Previously the field existed in the returned object via a separate path; this commit consolidates the duplicate exports into a single canonical `legalHold` boolean derived from the SQLite `legal_hold` INTEGER column. **References:** [RFC 9051 (IMAP4rev2 — EXPUNGE semantics, §6.4.3)](https://www.rfc-editor.org/rfc/rfc9051.html) · [RFC 8621 (JMAP Mail — Email/set destroyed)](https://www.rfc-editor.org/rfc/rfc8621.html) · [45 CFR §164.316 (HIPAA — retention of records)](https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-C/section-164.316) · [PCI-DSS v4.0.1 §3.5.1.1 (retention of cardholder data)](https://www.pcisecuritystandards.org/document_library) · [GDPR Art. 17 (right to erasure — operator-side accountability)](https://gdpr-info.eu/art-17-gdpr/)
+- v0.11.22 (2026-05-20) — **`b.cert.create` — turnkey TLS-certificate manager composing ACME + sealed persistence + renewal scheduler + SNI + key escrow.** Operators wiring TLS no longer have to glue ACME + key generation + cert persistence + renewal scheduling + SNI dispatch + escrow by hand. `b.cert.create({ storage, acme, certs, renew, ocsp, audit, compliance })` accepts a declarative manifest of certificates plus the operator's choice of ACME challenge solver, and the manager owns the rest of the lifecycle: ACME RFC 8555 order + RFC 9773 ARI-aware renewal, leaf key rotation on renew, OCSP refresh scheduling, sealed-disk persistence via `b.vault.seal`, optional break-glass key escrow encrypted to an operator-supplied recipient via `b.crypto.encryptEnvelope`, and SNI dispatch for `https.createServer({ SNICallback })`. Composes existing primitives — `b.acme.create` (extended this release with per-challenge methods), `b.vault.seal`, `b.safeAsync.repeating`, `b.network.tls`, `b.audit` — so the operator-facing surface is one factory call. **Added:** *`b.cert.create(opts)` — turnkey certificate manager* — New top-level primitive. Storage backend: `sealed-disk` (default; sealed via `b.vault.seal`). ACME: directory URL + contact + auto-generated account key (sealed on disk; operator can override with explicit key material). Certs manifest: per-cert name + domains + keyAlg (ecdsa-p256 / ecdsa-p384 / rsa-2048 / rsa-3072 / rsa-4096) + challenge `{ type, provision, cleanup }` callbacks (http-01 / dns-01 / tls-alpn-01). Renewal: ARI-respecting scheduler with configurable `intervalMs` + `minDaysBeforeExpiry` thresholds. OCSP: `stapling: true` schedules periodic OCSP refresh via `b.network.tls.ocsp`. Key escrow: optional `keyEscrow: { recipient }` encrypts each renewed private key to the recipient public key via `b.crypto.encryptEnvelope` and persists alongside the sealed key — break-glass-only recovery path, NOT routine access. Surface: `start()` / `stop()` / `getContext(name)` / `sniCallback` / `refresh(name)` / event-emitter `on('cert.issued' | 'cert.renewed' | 'cert.renew-failed', handler)`. · *`b.acme.create.fetchAuthorization(authUrl)` — RFC 8555 §7.5 authorization GET* — POST-as-GET an authorization URL; returns the parsed authorization object with the challenge array. The challenge entries carry `{ type, url, token, status }` for each offered challenge type. Required by the cert manager's per-challenge flow but useful to operators implementing custom ACME wrappers. · *`b.acme.create.notifyChallengeReady(challengeUrl)` — RFC 8555 §7.5.1 ready-notification* — POST an empty JSON object to a challenge URL to signal the operator has provisioned the response. Returns the updated challenge object; the CA's validation runs asynchronously and the operator polls via `waitForAuthorization` afterwards. · *`b.acme.create.waitForAuthorization(authUrl, opts?)` — authorization status polling* — Polls an authorization until `status === 'valid'` (success) or `status === 'invalid'` (CA refused). Honors the client's `pollIntervalMs` + `pollMaxMs` defaults; per-call `opts.intervalMs` + `opts.timeoutMs` override available. Throws typed `acme/auth-invalid` on CA refusal and `acme/auth-timeout` on poll-budget exhaustion. · *`b.acme.create.buildCsr({ privateKey, publicKey, domains })` — RFC 2986 PKCS#10 CSR builder* — Builds a CertificationRequest signed with the leaf private key. Subject `CN=<first domain>`, all domains as `dNSName` entries in the SubjectAltName extension. Supports ECDSA P-256 (signed sha256), ECDSA P-384 (signed sha384), RSA 2048 / 3072 / 4096 (signed sha256). Ed25519 is rejected at the CSR layer because CA support is uneven — operators wanting Ed25519 certs build the CSR externally. PEM-encoded output ready to feed to `finalize(order, csrPem)`. · *`b.asn1Der` write primitives — `writeBitString` / `writeSet` / `writeUtf8String` / `writePrintableString` / `writeIa5String` / `writeBoolean` / `writeContextImplicit`* — ASN.1 DER encoder extensions needed for PKCS#10 CSR construction. PrintableString refuses input outside the RFC 5280 character set; IA5String refuses non-ASCII; UTF8String refuses non-string input. SET-OF encoding sorts children by their encoded bytes per DER. Internal-only today (consumed by `b.acme.create.buildCsr`); operators with their own ASN.1 needs can compose them. **Changed:** *`b.audit.FRAMEWORK_NAMESPACES` adds `cert`* — The cert-manager lifecycle emits `cert.account.generated` / `cert.issued` / `cert.renewed` / `cert.renew-failed` / `cert.challenge-cleanup` audit events; the audit-namespace coverage check at smoke-time now recognizes the `cert` namespace. **References:** [RFC 8555 (ACME)](https://www.rfc-editor.org/rfc/rfc8555.html) · [RFC 9773 (ACME Renewal Information / ARI)](https://www.rfc-editor.org/rfc/rfc9773.html) · [RFC 2986 (PKCS#10 Certification Request Syntax)](https://www.rfc-editor.org/rfc/rfc2986.html) · [RFC 5280 (X.509 Internet PKI)](https://www.rfc-editor.org/rfc/rfc5280.html) · [RFC 8737 (TLS-ALPN-01 challenge)](https://www.rfc-editor.org/rfc/rfc8737.html) · [OpenSSL CSR roundtrip — local OpenSSL validation](https://www.openssl.org/docs/man3.5/man1/openssl-req.html)
+- v0.11.21 (2026-05-20) — **Supply-chain hardening — pinact + zizmor + actionlint gate, sha-to-tag tag-integrity verifier, GOVERNANCE.md.** Closes the input + tag-integrity halves of the supply-chain trust boundary. `pinact` refuses any `uses:` reference that isn't pinned to a 40-char SHA with a verified version-comment (defense against the CVE-2025-30066 retroactive-tag-rewrite class). `zizmor` audits every workflow for the documented security anti-pattern catalog (template-injection / excessive-permissions / cache-poisoning / impostor-commit / unredacted-secrets / etc.). The new `sha-to-tag-verify` workflow refuses to let the publish workflow proceed if a release tag's commit SHA isn't on `main`'s first-parent history OR wasn't the result of a merged PR — the source-side gate that TanStack's 2026-05-11 attack (84 malicious `@tanstack/*` versions published with valid SLSA L3 provenance) demonstrated as a structural defense alongside provenance verification. SECURITY.md gains operator-facing `slsa-verifier` and tag-SHA-integrity recipes. New top-level `GOVERNANCE.md` documents the solo-maintainer governance model, succession plan, key-loss recovery, and dependent-notification protocol. **Added:** *`.github/workflows/actions-lint.yml` — pinact + zizmor + actionlint gate* — Three tools, three layers per the arxiv.org "Unpacking Security Scanners for GitHub Actions Workflows" taxonomy. `pinact run --check` refuses any `uses:` reference that isn't SHA-pinned with a matching version-comment; `pinact run --verify` re-resolves each pinned SHA's registered tag at check time and refuses if the workflow's version-comment disagrees (catches retroactive tag rewrites). `zizmor` audits at `--min-severity low` across every documented rule class (template-injection, excessive-permissions, dangerous-triggers, unpinned-uses, cache-poisoning, github-env, hardcoded-container-credentials, impostor-commit, known-vulnerable-actions, obfuscation, ref-confusion, secrets-inherit, self-hosted-runner, unredacted-secrets, unsound-contains, use-trusted-publishing); SARIF emitted to GitHub Code Scanning. `actionlint` runs YAML + expression validation + shellcheck on every `run:` block. Single documented exception in `.pinact.yaml` — the SLSA reusable workflow MUST be tag-pinned because its internal builder-fetch step refuses non-tag refs. · *`.github/workflows/sha-to-tag-verify.yml` — tag-SHA integrity gate* — Runs on every `v*` tag push and refuses to let the publish workflow start if the tag's commit SHA isn't on `main`'s first-parent history OR wasn't the result of a merged PR. Defends against the tag-mutation class (CVE-2025-30066: 23,000+ affected repos in March 2025) and the source-side-malicious-publish class (TanStack 2026-05-11: 84 valid-SLSA-L3-provenance malicious versions). The same chain is documented for operator-side re-verification in SECURITY.md's new "Verifying release-commit integrity" subsection. · *`GOVERNANCE.md` — solo-maintainer governance, succession, key-loss recovery, dependent-notification* — New top-level document covering: (a) current governance model (solo maintainer pre-1.0, maintainer-final on technical direction); (b) succession plan with TBD-successor-with-documented-re-open-trigger, repository ownership, npm publish credentials, SSH signing key rotation procedure, Sigstore identity rotation; (c) key-loss recovery for every asset (npm publish, GitHub org, SSH signing key, Sigstore, domain); (d) dependent-notification protocol via `security@blamejs.com` with 30-day no-activity escalation. Bus-factor-1 is the largest non-technical risk pre-1.0; this document makes the recovery path defensible. · *SECURITY.md — `slsa-verifier` and tag-SHA-integrity operator-verification recipes* — "Verifying release authenticity" gains a `slsa-verifier verify-artifact` recipe (pinned to v2.7.1) for offline / API-independent provenance verification — `gh attestation verify` walks the chain via the GitHub API; `slsa-verifier` does it from disk. The recipe explicitly states the limit: SLSA provenance binds the tarball bytes to a workflow+commit+tag, but does NOT prove the source is clean (the TanStack incident shipped valid-provenance malicious versions because the source side was compromised). A new "Verifying release-commit integrity" subsection documents the sha-to-tag chain operators run alongside provenance verification — the source-side gate. · *`.pinact.yaml` — pinact configuration with documented SLSA exception* — Defines a single tag-pin exception for `slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml`. The SLSA reusable workflow's internal builder-fetch step refuses non-tag `BUILDER_REF` values, so the call MUST be tag-pinned; mitigated by slsa-framework's upstream tag-protection + immutable-release rules. The same exception also appears as a per-line `# allow:slsa-framework-action-not-sha-pinned` marker in `npm-publish.yml` for the framework's own codebase-patterns gate. **Changed:** *Workflow version-comment integrity — every pinned action's `# vX.Y.Z` comment now matches the registered tag for that SHA* — Pre-existing pins carried stale version-comments (`actions/checkout@de0fac2e... # v6.0.0` where that SHA is actually `v6.0.2`, `actions/setup-node@48b55a01... # v6.0.0` where the SHA is `v6.4.0`, `actions/download-artifact@3e5f45b2... # v7.0.1` where the SHA is `v8.0.1`, `github/codeql-action@9e0d7b8d... # v3.30.9` where the SHA is `v4.35.5`). The SHAs themselves stay (they're the actual-released versions); the comments now match. This is what pinact's `--verify` check enforces structurally going forward — a stale version-comment is the early-warning signal that a retroactive tag rewrite landed without operator notice. **References:** [CVE-2025-30066 (tj-actions/changed-files retroactive tag rewrite)](https://nvd.nist.gov/vuln/detail/CVE-2025-30066) · [TanStack npm publish incident 2025-05-11](https://blog.tanstack.com/the-tanstack-may-2025-supply-chain-attack/) · [pinact](https://github.com/suzuki-shunsuke/pinact) · [zizmor](https://github.com/woodruffw/zizmor) · [actionlint](https://github.com/rhysd/actionlint) · [slsa-verifier](https://github.com/slsa-framework/slsa-verifier)
+- v0.11.20 (2026-05-20) — **`b.backup.localStorage` legacy alias removed + test-discipline backlog fully drained.** Two pieces bundled into one patch. (1) The `b.backup.localStorage` legacy alias introduced in v0.11.2 as a deprecation cycle for the rename to `b.backup.diskStorage` is removed entirely — pre-v1 the project's stated policy is no backwards-compat shims, and the cleanup no longer needs to wait for the Node 26 floor-bump. (2) Every test file in the `test-promise-settimeout-sleep` detector's 49-file migration backlog is converted from `await new Promise(r => setTimeout(r, N))` sleeps to `helpers.waitUntil(predicate, opts)` (condition-waits) or the new `helpers.passiveObserve(ms, label)` (verify-absence-of-event windows). The previously-split `test-codebase-patterns.test.js` catalog is folded into the main `codebase-patterns.test.js` `KNOWN_ANTIPATTERNS` array with `scanScope: "test"`. **Added:** *`helpers.passiveObserve(ms, label)` — real-time observation budget* — Distinct from `helpers.waitUntil`: the goal is NOT to poll until a condition is truthy, but to let real time elapse so the test can verify ABSENCE of an event over a window. Required `label` (string) surfaces in audit logs / future flake diagnostics so a grep through a CI log immediately identifies which observation budget was consumed. Throws TypeError on non-positive `ms` or missing label. Use sparingly — if there IS an observable predicate, `waitUntil` is the right primitive (faster on fast platforms; passive observation always burns the full budget). **Changed:** *Test-discipline catalog unified — `codebase-patterns.test.js` is now the single source of truth* — The previously-split `test-codebase-patterns.test.js` runner is merged into the main `codebase-patterns.test.js` catalog. Six test-side detectors are now inline `KNOWN_ANTIPATTERNS` entries with `scanScope: "test"`: `test-promise-settimeout-sleep` (broadened regex catches block-bodied arrows + multi-arg arrows + function bodies with leading statements), `test-uses-stream-pipeline-without-withtesttimeout` (per-test wall-clock ceiling for node:stream.pipeline tests), `release-named-test-file` (basename-mode; refuses `v0-8-41-additions.test.js` / `slot-19-enhancements.test.js` / `batch-N.test.js`), `test-hardcoded-server-bind-port` (`.listen(0)` + `server.address().port`), `test-fs-watch-direct-call` (`helpers.backdateFile` + `helpers.waitForWatcher` instead), `test-future-utimes-without-backdated-baseline` (pair future-mtime writes with `backdateFile`), `test-creates-db-handle-without-isolation` (`b.db.create()` must compose `setupTestDb` / `setupVaultOnly` / `mkdtempSync`). The test-scope walker now also includes `examples/*/test/` so wiki integration tests share the same discipline. Single catalog means a single allowlist per detector, single migration backlog, and one runner to invoke from CI. · *Test-discipline migration — `setTimeout(r, N)` backlog fully drained (49 → 0 migration entries)* — Converted every test file in the migration backlog to `helpers.waitUntil` / `helpers.passiveObserve`: `a2a`, `a2a-tasks`, `agent-event-bus`, `agent-idempotency`, `agent-orchestrator`, `agent-snapshot`, `api-encrypt`, `app-shutdown`, `audit-segregation`, `break-glass`, `config`, `cors`, `daily-byte-quota`, `dsr`, `external-db-routing`, `guard-csv`, `http-client-cache`, `log-stream-cloudwatch`, `log-stream-otlp` (dead `_sleep` helper removed), `log-stream-otlp-grpc`, `mail-greylist`, `middleware-compose-pipeline`, `network`, `network-dns-resolver`, `network-heartbeat-passive`, `notify`, `observability-tracing`, `promise-pool`, `pubsub`, `queue-dlq-extend-lease`, `queue-flow-repeat`, `queue-priority-rate-progress`, `require-auth-cache-control`, `retry`, `safe-async-loops`, `safe-async-parallel`, `scim-server`, `sse`, `vault-seal-pem-file`, `watcher` (3 fs.watchFile poll-event waits), `webhook`, `websocket-channels`, `ws-client`, `api-key` (layer-1), and integration tests `cache`, `cluster-provider-mysql`, `log-stream`, `network-heartbeat`, `object-store-sigv4`, `pubsub`, `queue-redis`, `websocket-permessage-deflate`, `ws-client-roundtrip`. Each condition-wait now has a grep'able label and an automatic 5000ms ceiling. Two files are permanent structural FPs (not migration backlog): `test/helpers/services.js` (TCP/TLS/UDP probe primitives — race-with-socket-event pattern, not condition-wait) and `examples/wiki/test/integration.js` (consumes `@blamejs/core` via npm symlink, doesn't have access to the framework's internal test helpers; single 100ms post-shutdown flush window). **Removed:** *`b.backup.localStorage` — the legacy alias is gone* — The property no longer resolves on `b.backup` and the one-time deprecation warning is no longer emitted. Migration is a literal-name find-and-replace: `b.backup.localStorage({ root: ... })` becomes `b.backup.diskStorage({ root: ... })`. The returned storage backend object, its options shape, and its wire contract with `b.backupBundle.create` are unchanged. See SECURITY.md's Node 26 compatibility section for the original rename rationale. **References:** [Node.js 26 release notes (localStorage global)](https://nodejs.org/en/blog/release/v26.0.0)
+- v0.11.18 (2026-05-20) — **ML-DSA-65 release-signing key onboarded — `.mldsa.sig` sidecar lights up.** v0.11.17 was the first release the new pipeline published end-to-end, but the `.mldsa.sig` PQC sidecar was missing because the operator-side `RELEASE_PQC_SIGNING_KEY` setup hadn't been done yet. v0.11.18 onboards the keypair: `keys/release-pqc-pub.json` is committed in-tree, the matching private key lives only in the `npm-publish` environment's `RELEASE_PQC_SIGNING_KEY` secret, and `SECURITY.md` documents the SHA3-512 fingerprint + the operator-side verification recipe (no external verifier binary required — verifies via the framework's own vendored noble-post-quantum primitive). **Added:** *`keys/release-pqc-pub.json` — ML-DSA-65 release-signing public key committed in-tree* — Generated locally via `node scripts/generate-release-signing-key.js`; the matching private key was set as the `RELEASE_PQC_SIGNING_KEY` secret in the `npm-publish` GitHub Actions environment (same scope as `NPM_TOKEN`). The publish workflow's PQC sidecar step now finds both pieces present and computes a `<tarball>.mldsa.sig` for every release tarball. Self-verify-before-write inside `sign-release-artifact.js` catches a stale env-secret-vs-in-tree-pubkey mismatch — refuses to write a non-verifiable sig. · *`SECURITY.md` — `PQC release-signing key` fingerprint + verification recipe* — New SECURITY.md table records the algorithm (ML-DSA-65, FIPS 204), the in-tree public-key file path, and the SHA3-512 fingerprint (`ad6bee96…2ede`). Verification recipe uses the framework's own `b.pqcSoftware.ml_dsa_65.verify` — no external verifier binary required, no dependency on Sigstore's classical-crypto chain. Operators with a PQC-only verification posture have a self-contained path: `gh release download`, then `node -e` against the vendored noble-post-quantum primitive. **Changed:** *`Verifying release authenticity` — four trust roots, not three* — SECURITY.md's closing summary updated to count the ML-DSA-65 release-signing sidecar as the fourth independently-verifiable trust root, alongside SLSA L3 npm provenance + Sigstore-keyless SBOM signing + SSH-signed tags. Each remains verifiable without trusting any of the others; tampering with one is detected by the others. **References:** [FIPS 204 — ML-DSA](https://csrc.nist.gov/pubs/fips/204/final) · [FIPS 202 — SHA-3 + SHAKE](https://csrc.nist.gov/pubs/fips/202/final) · [RFC 9909 — ML-DSA in X.509 + CMS](https://www.rfc-editor.org/rfc/rfc9909.html) · [noble-post-quantum (vendored under lib/vendor)](https://github.com/paulmillr/noble-post-quantum)
+- v0.11.17 (2026-05-20) — **SLSA reusable workflow tag-pinned (the call requires a tag ref internally).** v0.11.7 through v0.11.16 each ship'd with the SLSA `generator_generic_slsa3` reusable workflow SHA-pinned and the publish workflow failed identically every time — masked by the SLSA workflow's cascading `continue-on-error: true` on each step until v0.11.16's diagnostic finally surfaced the real error: `Invalid ref: <40-hex>. Expected ref of the form refs/tags/vX.Y.Z`. The SLSA workflow's internal builder-fetch step refuses anything other than a tag ref for `BUILDER_REF`. Tag-pinned the callsite to `@v2.1.0`; updated the codebase-patterns `slsa-framework-action-not-sha-pinned` detector to allowlist this one callsite with the upstream-mitigation reasoning documented inline. **Fixed:** *SLSA reusable workflow callsite pinned to `@v2.1.0` (tag) instead of `@<sha>`* — The SLSA `generate-builder` action's builder-fetch step refuses non-tag refs for `BUILDER_REF` — the SHA we'd been pinning to since v0.11.7 was always failing here, hidden behind the SLSA workflow's step-level + workflow-level `continue-on-error: true` cascades. v0.11.16's diagnostic finally surfaced the actual error message. Switched to `@v2.1.0`. The repo-level `sha_pinning_required` actions policy was relaxed earlier so the tag pin is permitted. The `slsa-action-not-sha-pinned` codebase-patterns detector allowlists this one callsite — slsa-framework's tag-protection + immutable-release rules at their own org level mitigate the upstream-mutation risk the detector was originally guarding against. · *`slsa-action-not-sha-pinned` detector allowlists the npm-publish workflow callsite* — The detector continues to enforce SHA-pinning on every OTHER `slsa-framework/*` reusable-workflow callout repository-wide. Only the npm-publish workflow's `provenance` job is allowlisted, with the upstream tag-protection mitigation documented at the allowlist entry. New callsites still trip the detector. **References:** [SLSA `generate-builder` action — `Invalid ref` refusal](https://github.com/slsa-framework/slsa-github-generator/blob/v2.1.0/.github/actions/generate-builder/action.yml) · [slsa-framework `generator_generic_slsa3.yml` v2.1.0](https://github.com/slsa-framework/slsa-github-generator/blob/v2.1.0/.github/workflows/generator_generic_slsa3.yml)
+- v0.11.16 (2026-05-20) — **SLSA generator `private-repository: true` to override the false-positive privacy halt.** v0.11.15 cleared the SLSA outcome-AND chain via `continue-on-error: true`, then the underlying provenance generation FAILED with `Repository is private. The workflow has halted in order to keep the repository name from being exposed in the public transparency log. Set 'private-repository' to override.` — but `continue-on-error: true` masked it, the SLSA workflow reported success, no artifact was actually uploaded, and the downstream `publish-and-release` job's `Download SLSA provenance` step then failed. github.com/blamejs/blamejs is in fact public (gh api confirms `private: false, visibility: public`); SLSA's detection appears to walk workflow permissions rather than the repo's actual visibility. Passing `private-repository: true` overrides the detection and lets the workflow proceed to the Sigstore transparency-log write — which is the operator-desired behavior for a public-repo release. **Added:** *`SECURITY.md` — `Supply-chain transparency posture` subsection* — New SECURITY.md subsection documenting the Sigstore Rekor transparency-log writes (SLSA L3 attestation + cosign SBOM signatures), the operator-side rationale for the `private-repository: true` override, and the fork-operator escape hatch (set the input to `false` to halt transparency-log writes for private mirrors). Also calls out the framework's no-telemetry posture: every external endpoint primitive (DoH / ACME / OCSP / NTP / OSV-Scanner) runs through operator-supplied infrastructure; there is no framework-owned ingest channel. **Fixed:** *Pass `private-repository: true` to the SLSA reusable workflow* — The SLSA generic generator halts when its internal privacy detection thinks the repo is private. github.com/blamejs/blamejs is public per gh api repos/blamejs/blamejs's `visibility: public`, but SLSA's detection halts anyway (likely walking workflow permissions). Setting `private-repository: true` acknowledges the operator-side decision to write the transparency log entry regardless of detection. v0.11.15 cleared the outcome-AND chain but the upstream attest step was failing for this reason — `continue-on-error: true` masked it, the artifact never uploaded, and the downstream download failed. **References:** [SLSA generic generator inputs](https://github.com/slsa-framework/slsa-github-generator/blob/v2.1.0/.github/workflows/generator_generic_slsa3.yml) · [Sigstore Rekor transparency log](https://docs.sigstore.dev/logging/overview/)
+- v0.11.15 (2026-05-20) — **SLSA reusable workflow `continue-on-error: true` so `upload-assets: false` doesn't fail the workflow.** v0.11.14 finally reached the SLSA provenance generation step end-to-end — the `validate` and `generator` jobs both succeeded, the provenance artifact uploaded — but the SLSA workflow's `final` step exited 27 because its outcome-AND chain evaluates `needs.upload-assets.outputs.outcome != 'failure'` against an empty value (the `upload-assets` job's `if:` short-circuited via `upload-assets: false`). The empty value evaluates falsy in the AND chain, the SLSA workflow marks itself failed, and the dependent `publish-and-release` job skips. `continue-on-error: true` on the SLSA reusable workflow call tells it to report success regardless of the final-step outcome computation; the `publish-and-release` job's `Download SLSA provenance` step catches a real missing-artifact failure independently. **Fixed:** *Pass `continue-on-error: true` to the SLSA reusable workflow* — The SLSA `generator_generic_slsa3.yml` workflow has four nested jobs (`detect-env`, `generator`, `upload-assets`, `final`). When the caller passes `upload-assets: false`, the `upload-assets` job's `if:` short-circuits to skip — but its outputs evaluate empty, and the `final` job's outcome-AND chain treats that empty value as falsy, exits 27, and marks the entire SLSA workflow failed even though `generator` produced the provenance artifact successfully. `continue-on-error: true` is the documented escape hatch — the SLSA workflow now reports success when the underlying provenance generation succeeded regardless of the `final` step's strict-AND outcome computation. The `publish-and-release` job's `Download SLSA provenance` step is the real safety check — a missing artifact would surface there with an `actions/download-artifact` not-found error rather than being hidden behind the SLSA workflow's overly-strict `final` outcome. **References:** [SLSA generic generator v2.1.0 `continue-on-error` input](https://github.com/slsa-framework/slsa-github-generator/blob/v2.1.0/.github/workflows/generator_generic_slsa3.yml)
+- v0.11.14 (2026-05-20) — **`helpers.backdateFile` + `helpers.waitForWatcher` — shared test primitives for `fs.watch` / `fs.watchFile`-driven tests.** v0.11.13 inlined the backdate + widened-wait fix in `vault-seal-pem-file.test.js` directly; v0.11.14 lifts the discipline into `test/helpers/fs-watch.js` so every existing + future fs.watch-driven test composes it the same way. Two test-side codebase-patterns detectors enforce the composition: `test-fs-watch-direct-call` (no raw `fs.watch*` calls in tests) and `test-future-utimes-without-backdated-baseline` (future-mtime via fs.utimesSync MUST pair with a prior `helpers.backdateFile` call). The existing `watcher.test.js` migrates off three fixed-budget `setTimeout(r, N)` sleeps to `helpers.waitForWatcher(predicate)`. **Added:** *`helpers.backdateFile(path, msAgo?)` — shift a file's mtime/atime into the past* — Use immediately before starting an fs.watchFile-based watcher so the watcher's first-poll baseline is unambiguously older than any subsequent mutation. Default backdate is one hour (`3_600_000` ms), which dwarfs any clock-skew or poll-cadence drift the runner might exhibit. Solves the recurring class of flakes where the watcher's first poll lands AFTER the test mutates the source — recording the post-mutation mtime as `prev` and never seeing the transition. · *`helpers.waitForWatcher(predicate, opts?)` — polling wait helper for fs.watch / fs.watchFile observations* — Same predicate shape as `helpers.waitUntil` but widens the default timeout from 5s to 15s for fs.watch's known cross-platform event-delivery cadence drift (macOS FSEvents + Linux inotify both occasionally deliver 2-3s late under CI runner contention). Use `helpers.waitUntil` directly for tests that don't involve a filesystem watcher; the wider budget here is specifically for the fs-watch class. **Changed:** *`vault-seal-pem-file.test.js` migrates from inline backdate to `helpers.backdateFile`* — v0.11.13's inline fix is replaced with a single `backdateFile(src)` call. The local `_waitForGen` helper composes `helpers.waitForWatcher` with the watcher-generation predicate. Same behavior, but the discipline now lives at the helper instead of duplicated per-test. · *`watcher.test.js` drops three fixed-budget `setTimeout(r, N)` sleeps for `helpers.waitForWatcher`* — The pre-write 200ms prime sleep, the 1500ms post-unlink sleep, and the 1500ms post-write sleep are all replaced with `helpers.waitForWatcher(predicate)` calls. Fast platforms (Linux/Windows) finish in milliseconds; macOS FSEvents under load gets the full 15s budget; the test no longer flakes on either end of the spectrum. The symlink-skip assertion uses a tight 2s window because it asserts the ABSENCE of an event, which requires a finite wait before checking. **Detectors:** *`test-fs-watch-direct-call` (test-side catalog)* — Refuses direct `fs.watchFile(` or `fs.watch(` calls in test files. The framework exposes `b.watcher` (kernel-event-based) and `b.vault.sealPemFile` (poll-based) as the operator-facing watchers; tests of those primitives compose the helpers instead of re-deriving the fs.watch surface. Allowlists `test/helpers/fs-watch.js` (the helper itself documents the shape) and the catalog file (self-allowlist for the regex source). · *`test-future-utimes-without-backdated-baseline` (test-side catalog)* — Pairs the `fs.utimesSync(path, new Date(Date.now() + N), ...)` future-mtime idiom with a required companion `backdateFile(` call somewhere in the same file. Without the backdate, the watcher's first poll can record the future-mtime as `prev` and miss the transition. The `requires` companion-check passes the file when both shapes appear together; flags it as a violation when only the future-utimes is present. **References:** [Node.js fs.watchFile docs](https://nodejs.org/api/fs.html#fswatchfilefilename-options-listener) · [Node.js fs.watch docs](https://nodejs.org/api/fs.html#fswatchfilename-options-listener)
+- v0.11.13 (2026-05-20) — **`vault.sealPemFile` auto-reseal test now tolerant of contended runners.** v0.11.12's smoke flaked on the publish workflow with `vault-seal-pem-file.test.js: FAIL: sealPemFile auto: gen incremented after source change`. Root cause: on contended `ubuntu-latest` CI runners, `fs.watchFile`'s initial poll could land AFTER the test's V2 + utimesSync calls, recording the post-change mtime as `prev` and missing the transition. Fix backdates V1's mtime by an hour before starting the watcher so any subsequent mtime change is detectable from any baseline the watcher might capture, and widens the wait budget from 5s to 15s for runner drift. **Fixed:** *`sealPemFile` auto-reseal test backdates V1 mtime + widens wait budget* — The test relied on writing V1, starting the watcher, then writing V2 with a future mtime — assuming the watcher's first poll would record V1's mtime as `prev`. On contended `ubuntu-latest` CI runners the first poll could land after both writes, recording the post-change mtime as `prev` and missing the transition. Backdating V1 by an hour via `fs.utimesSync` before watcher start makes the V2 mtime change unambiguous regardless of poll timing. The wait budget for the `gen >= 2` poll widens from 5s to 15s to absorb runner-cadence drift under load. **References:** [Node.js fs.watchFile docs](https://nodejs.org/api/fs.html#fswatchfilefilename-options-listener)
+- v0.11.12 (2026-05-19) — **SBOM step omits devDependencies so the zero-runtime-dep check stays accurate.** v0.11.11's SBOM step wired in `npm sbom` correctly but didn't pass `--omit=dev`. The smoke gate installs `esbuild` + `postject` as devDependencies (needed for the bundler-output smoke check), and `npm sbom` reported them as components. The runtime-deps-greater-than-zero guard refused the publish with `SBOM lists 3 runtime dependency component(s)`. Adding `--omit=dev` to the `npm sbom` invocation gives the guard a clean view of just the runtime tree (which stays empty per the framework's zero-runtime-dep contract). **Fixed:** *`npm sbom` invocation now passes `--omit=dev`* — The smoke gate's devDependency install step (esbuild + postject) showed up in the SBOM's `components` array because the npm-tree walk includes the installed devDependencies by default. `--omit=dev` filters them out so the runtime-deps guard sees the same zero-component view it's intended to enforce. The vendored SBOM (`sbom.vendored.cdx.json`) is unaffected — it's generated from `lib/vendor/MANIFEST.json`, never from the npm tree. **References:** [npm sbom command](https://docs.npmjs.com/cli/commands/npm-sbom)
+- v0.11.11 (2026-05-19) — **Release-workflow SBOM step calls the right script + cleanup script-path drift.** v0.11.10 finally cleared the workflow-parse barrier (after the org allowlist gained `slsa-framework/slsa-github-generator/.github/{actions,workflows}/*` patterns and the SHA-pinning policy was relaxed to accept the SLSA reusable workflow's transitive `@v2.1.0` references), and then failed at the SBOM step because the workflow called `node scripts/generate-sbom.js` — a script that doesn't exist in the repo. The actual scripts are `npm sbom` (npm-tree CycloneDX, built into npm 10+) and `scripts/build-vendored-sbom.js` (the higher-value vendored-deps SBOM). v0.11.11 wires both into the workflow's SBOM step. **Fixed:** *Workflow SBOM step now calls the existing scripts* — Replaced the missing `node scripts/generate-sbom.js` invocation with `npm sbom --sbom-format=cyclonedx --sbom-type=application > sbom.cdx.json` (the npm-tree SBOM, built into npm 10+) plus `node scripts/build-vendored-sbom.js > sbom.vendored.cdx.json` (the vendored-deps SBOM that's been in `scripts/` all along). The runtime-deps-greater-than-zero guard still runs after both SBOMs are produced so the framework's zero-npm-deps contract stays enforced at publish time. **References:** [CycloneDX SBOM 1.6 spec](https://cyclonedx.org/specification/overview/) · [npm sbom command](https://docs.npmjs.com/cli/commands/npm-sbom)
+- v0.11.10 (2026-05-19) — **Release-workflow allowlist root cause + comment correction.** v0.11.7, v0.11.8, and v0.11.9 each shipped with a hypothetical fix for the publish-workflow `startup_failure`, and each one failed for the same actual reason: the GitHub organization's actions allowlist did not include `slsa-framework/slsa-github-generator/*` (the SLSA L3 provenance reusable workflow) or `aquasecurity/setup-trivy/*` (a transitive of the `aquasecurity/trivy-action` we already allow). GitHub Actions surfaces this as `startup_failure` before any job runs, with no log file. Adding both patterns to the organization-level allowlist at https://github.com/organizations/blamejs/settings/actions is the operator-side prerequisite — the workflow file itself never had a parse-time defect. **Changed:** *`provenance` job comment rewritten to reflect the real root cause* — The earlier comment claimed GitHub Actions evaluates every called-workflow job's permissions at parse time (so `contents: read` would short-circuit even the skipped `upload-assets` job). That theory was wrong; the actual cause was the organization actions allowlist. The comment now points at the SLSA documented caller example as the authoritative reference and names the two allowlist patterns operators must add to the org settings. The `contents: write` permission stays in place — it matches the SLSA caller example default and future-proofs an `upload-assets: true` flip without a permissions-only patch. **Migration:** *Operator-side: add two patterns to the org actions allowlist* — Navigate to https://github.com/organizations/blamejs/settings/actions and add `slsa-framework/slsa-github-generator/*` AND `aquasecurity/setup-trivy/*` to the allowed-actions list. Both still SHA-pin at their call sites per the org policy. Without these, every release after v0.11.6 startup_failed at workflow parse with no log file. v0.11.7, v0.11.8, and v0.11.9 are tombstone tags — the git history records them but no GitHub Release pages exist and no npm registry entries shipped. v0.11.10 carries the same surface those tags would have shipped; `npm install @blamejs/core@latest` lands you on v0.11.10. **References:** [GitHub Actions — managing allowed actions and reusable workflows](https://docs.github.com/en/organizations/managing-organization-settings/disabling-or-limiting-github-actions-for-your-organization) · [SLSA generic generator v2.1.0 caller example](https://github.com/slsa-framework/slsa-github-generator/tree/v2.1.0/internal/builders/generic)
+- v0.11.9 (2026-05-19) — **Release-workflow `contents: write` — actually fixes the startup_failure that blocked v0.11.7 and v0.11.8.** v0.11.8 carried the wrong permission for the SLSA reusable workflow caller. GitHub Actions evaluates the entire reusable-workflow permission surface at workflow startup — including jobs that won't run because their `if:` short-circuits. The SLSA `upload-assets` job declares `permissions: contents: write`; `contents: read` in the caller failed the parse-time superset check before any job started, surfacing as `startup_failure` with no log file. Raising the caller to `contents: write` makes the caller's permission set a superset of every job the reusable workflow declares, regardless of which jobs end up running. **Fixed:** *Caller-level `contents: write` for the SLSA reusable workflow* — `.github/workflows/npm-publish.yml`'s `provenance` job now grants `contents: write` instead of `contents: read`. The change is parse-time-only — at runtime, `upload-assets: false` still skips the actual upload step, so the release-create flow remains the atomic-create-with-all-assets pattern v0.11.7 introduced. v0.11.7 and v0.11.8 are both `startup_failure` tags on the git history (no GH release, no npm publish); operators upgrading from `<= v0.11.6` should land directly on v0.11.9 — `npm install @blamejs/core@latest` lands you on v0.11.9. **Migration:** *v0.11.7 and v0.11.8 are tombstone tags* — The git tags for v0.11.7 and v0.11.8 exist in the repository but the publish workflow rejected at startup, so there are no corresponding GitHub Release pages and no npm registry entries. v0.11.9 carries everything those tags would have shipped: the workflow-driven release creation with SLSA L3 + Sigstore-keyless SBOM signatures + PQC sidecars (graceful-skip until the operator completes the one-time release-signing-key setup), the structured release-notes pipeline, and the CHANGELOG.md rebuild discipline. **References:** [GitHub Actions — reusable-workflow permissions](https://docs.github.com/en/actions/sharing-automations/reusing-workflows#supported-keywords-for-jobs-that-call-a-reusable-workflow) · [SLSA generic generator v2.1.0 example caller](https://github.com/slsa-framework/slsa-github-generator/tree/v2.1.0/internal/builders/generic)
+- v0.11.8 (2026-05-19) — **Release-workflow startup-failure fix + graceful PQC sidecar skip + CHANGELOG.md becomes a derived artifact.** The v0.11.7 npm-publish workflow rejected with `startup_failure` before any job ran because the `provenance` job's permissions block was a subset of what the called SLSA reusable workflow requires. The ML-DSA-65 sidecar step ALSO blocked when the operator hadn't yet generated the release-signing keypair. v0.11.8 fixes both — the workflow now passes parse-time validation, and the PQC sig step gracefully skips with a clear operator warning when the key/secret aren't set up yet. CHANGELOG.md is now generated end-to-end from `release-notes/*.json` (the single source of truth); the old hand-edit splice path is removed. **Changed:** *Release-asset list built dynamically from per-step outputs* — The `gh release create` step builds its asset bundle from a bash array driven by the prior PQC-sig step's `outputs.available` flag. When PQC is skipped, the `.mldsa.sig` asset isn't referenced (otherwise `gh release create` would fail trying to attach a non-existent file). · *`CHANGELOG.md` is now a derived artifact rebuilt from `release-notes/*.json`* — `scripts/generate-changelog-entry.js` gains `--rebuild` (regenerate the whole `CHANGELOG.md` from the JSON tree) and `--check` (in-memory rebuild + diff against on-disk; non-mutating). The hand-edit `--write` / splice path is removed entirely — operators edit the JSON, run `--rebuild`, commit both. Smoke wires the `--check` gate so any release-notes change without a matching rebuild fails pre-push. The `version → new RegExp` data flow that CodeQL kept flagging is gone (the splice that needed it no longer exists), and so is the `existsSync → readFileSync` window the lookup used to traverse — the single rebuild path reads every JSON via `readFileSync` directly and lets `ENOENT` distinguish missing from malformed. **Fixed:** *`provenance` job carries the full permission superset the SLSA reusable workflow requires* — GitHub Actions refuses to start a workflow when the caller's job-level `permissions:` block is a subset of the called reusable workflow's job permissions, and the only diagnostic is `startup_failure` with no log file. The SLSA `generator_generic_slsa3.yml` workflow's `generator` job declares `id-token: write`, `contents: read`, `actions: read`; our `provenance` job declared the first and third but not `contents: read`. Added `contents: read` to the provenance job permissions. · *PQC sidecar step skips gracefully when the release-signing key isn't yet set up* — The `RELEASE_PQC_SIGNING_KEY` environment secret and the committed `keys/release-pqc-pub.json` public-key file are an operator-side one-time setup. When either piece is missing, the workflow now logs a `::warning::` with the setup recipe and skips the ML-DSA-65 sig step; the release still ships with the SLSA L3 attestation, both Sigstore-keyless SBOM signatures, and the SHA-256 + SHA3-512 byte digests. The PQC sidecar lights up on the first release after the operator completes the setup. **References:** [GitHub Actions — permissions for reusable workflows](https://docs.github.com/en/actions/sharing-automations/reusing-workflows#supported-keywords-for-jobs-that-call-a-reusable-workflow) · [SLSA generic generator v2.1.0](https://github.com/slsa-framework/slsa-github-generator/releases/tag/v2.1.0)
+- v0.11.7 (2026-05-19) — **Workflow-driven release creation with SLSA L3 attestation + PQC sidecar signatures.** The release pipeline now creates the GitHub release atomically with the full asset bundle attached at creation time — operators no longer run a manual `gh release create` step. Every release ships with SLSA L3 provenance (verifiable via `slsa-verifier`), Sigstore-keyless SBOM signatures, AND framework-native PQC sidecars: a SHA3-512 byte digest and an ML-DSA-65 signature over the tarball, verifiable with the framework's own vendored noble-post-quantum primitives. **Added:** *SLSA L3 provenance attached to every GitHub release* — The `npm-publish.yml` workflow now invokes `slsa-framework/slsa-github-generator` (pinned to a commit SHA) to produce a signed `*.intoto.jsonl` attestation describing the tarball + SBOM hashes, the workflow that built them, and the OIDC identity that signed them. The attestation is attached as a GitHub Release asset under the name `blamejs-X.Y.Z.intoto.jsonl`. Operators verify via `slsa-verifier verify-artifact <tarball> --provenance-path <jsonl> --source-uri github.com/blamejs/blamejs --source-tag vX.Y.Z`. · *Byte-digest sidecars (SHA-256 + SHA3-512)* — Every release tarball ships with two checksum sidecars attached to the GitHub Release: `<tarball>.sha256` (the conventional `sha256sum`-compatible format operators expect — verify via `sha256sum -c`) and `<tarball>.sha3-512` (the framework's PQC-first hash, matching the audit chain and CMS-signing posture — verify via `openssl dgst -sha3-512`). Both digests cover the exact bytes the tarball ships. · *PQC signature sidecar (ML-DSA-65)* — Every release tarball gets a `<tarball>.mldsa.sig` sidecar — an ML-DSA-65 signature over the tarball bytes, computed with the framework's vendored noble-post-quantum primitive. The signing key is stored as an environment secret in the `npm-publish` GitHub Actions environment; the matching public key is committed at `keys/release-pqc-pub.json` with a SHA3-512 fingerprint published in `SECURITY.md` for out-of-band verification. Operators with a PQC-only verification posture verify via the framework's own `b.pqcSoftware.ml_dsa_65.verify(sig, msg, pubKey)` — no dependency on Sigstore's classical-crypto chain. Three new helper scripts (`scripts/generate-release-signing-key.js` for one-time setup, `scripts/sign-release-artifact.js` for the workflow signer with self-verify-before-write defense, `scripts/sha3-digest.js` for the byte-digest sidecars) compose the existing `b.pqcSoftware` primitive. · *Structured release-notes source* — Release notes are now generated from a structured JSON file at `release-notes/v<version>.json`. The generator (`scripts/generate-changelog-entry.js`) validates each field against an operator-facing-vocabulary check before emitting the `CHANGELOG.md` entry — internal-process narrative is refused at validation time so the discipline holds by construction. Operators edit the JSON, run the generator, commit both files. **Changed:** *Manual `gh release create` removed from the release workflow* — Operators previously ran `gh release create vX.Y.Z --notes "..."` after pushing the tag, then the workflow tried to attach assets via `gh release upload`. With the immutable-releases setting on, the upload would fail with HTTP 422 (the release locks at creation time, before the workflow finishes), so the framework's last 5 releases shipped with zero assets. The workflow now creates the release atomically with all assets attached at creation; the immutable-release setting stays on for the post-publish-swap protection it provides. Operators just push the tag and wait for the workflow. · *Release notes extracted from CHANGELOG.md by the workflow* — The release-create step extracts the current version's CHANGELOG section using an awk script and passes it via `--notes-file`. Single source of truth — no separate heredoc duplicating the CHANGELOG content. The local static gate `scripts/check-changelog-extract.js` exercises the same extract pre-push so format drift fails fast. **Fixed:** *Code-comment references to an internal configuration file removed* — Source comments across `lib/`, `scripts/`, `.github/workflows/`, the codebase-patterns catalog, and historical `CHANGELOG.md` entries used to point at an internal maintainer-side configuration file. Operators reading those files saw pointers at an artifact they don't have. Every such reference is rewritten to carry the discipline inline (the comment describes what the rule says, not where to read it). A new codebase-patterns detector prevents re-introduction; its match pattern is constructed at runtime so the literal token strings don't appear in the catalog's prose either. **Detectors:** *slsa-framework-action-not-sha-pinned* — Catches any `slsa-framework/*` reusable workflow callout whose `@<ref>` is not exactly 40 hex characters. Tag-pinned references to the SLSA builder are mutable — the upstream maintainer can re-publish the tag — which silently rotates the builder root of trust. The new `scanScope: "workflows"` extends the codebase-patterns scanner to walk `.github/workflows/`. · *internal-rulebook-vocabulary-in-source* — Catches the four leak shapes (the framework's internal config-file name plus three rule-shorthand variants) across `lib/`, `scripts/`, `test/`, and `.github/workflows/`. The catalog file allowlists itself since the runtime regex construction inevitably involves the patterns being detected. **References:** [SLSA v1.0 spec](https://slsa.dev/spec/v1.0/) · [slsa-github-generator v2.1.0 release](https://github.com/slsa-framework/slsa-github-generator/releases/tag/v2.1.0) · [FIPS 204 ML-DSA](https://csrc.nist.gov/pubs/fips/204/final) · [RFC 9909 ML-DSA in X.509 / CMS](https://www.rfc-editor.org/rfc/rfc9909.html) · [NIST FIPS 202 SHA-3 / SHAKE](https://csrc.nist.gov/pubs/fips/202/final) · [OpenSSF Scorecard Signed-Releases check](https://github.com/ossf/scorecard/blob/main/docs/checks.md#signed-releases)
+- v0.11.6 (2026-05-19) — **`b.safeMountInfo` — canonical `/proc/self/mountinfo` parser.** New operator-facing primitive at `lib/safe-mount-info.js` that centralizes the field-4 parse discipline bind-mount detection requires. Existing inline parsers in `lib/watcher.js` are migrated; a new codebase-patterns detector blocks future direct reads of `/proc/self/mountinfo` outside the primitive. **Added:** *`b.safeMountInfo.parse` / `read` / `bestMatch` / `isBindMount`* — The new primitive exposes `parse(text)` for line-oriented decoding, `read(opts)` for sandbox-safe filesystem access, `bestMatch(entries, path)` for longest-prefix selection, and `isBindMount(entry)` for the canonical bind-mount predicate. `isBindMount` consults field 4 (root within source FS) only — NOT the options string, which the kernel never emits as `bind` per Linux Documentation/filesystems/proc.rst §3.5. Ad-hoc parsers that scan options for the word `bind` miss every real bind-mount. · *Typed refusal codes with audit emission* — Refusals surface as `safe-mount-info/read-failed` (non-Linux / restricted sandbox; returns `opts.fallback`, default `null`), `safe-mount-info/parse-failed` (single malformed line — silent-skip by default, `opts.strict: true` upgrades to throw), `safe-mount-info/too-many-lines` (line cap, default 4096), and `safe-mount-info/bad-input` (non-string / non-positive-integer arg). Every refusal emits `system.safe_mount_info.refused` drop-silent — hot-path observability sinks must not crash or stall the request that emitted them. · *Fuzz harness at `fuzz/safe-mount-info.fuzz.js`* — Probes `parse` with adversarial bytes: malformed lines, oversize input, Unicode garbage, truncated headers. Catches any uncaught error class outside the documented refusal surface. **Changed:** *`lib/watcher.js` filesystem auto-probe routes through `b.safeMountInfo`* — The watcher's bind-mount detection now calls `b.safeMountInfo.read() + bestMatch() + isBindMount()` instead of parsing `/proc/self/mountinfo` inline. The single canonical parser means future container-escape detection, sealed-store path validation, and sandbox auto-probe call sites inherit the discipline automatically. **Detectors:** *`mountinfo-not-via-safemountinfo`* — Flags direct `fs.readFileSync("/proc/self/mountinfo", ...)` in `lib/` as a migration target. Only `lib/safe-mount-info.js` itself reaches the kernel surface; every other call site routes through the primitive. **References:** [Linux Documentation/filesystems/proc.rst §3.5](https://www.kernel.org/doc/Documentation/filesystems/proc.txt) · [CVE-2024-21626 runc leaky-vessels](https://nvd.nist.gov/vuln/detail/CVE-2024-21626) · [CVE-2022-0185 fsconfig](https://nvd.nist.gov/vuln/detail/CVE-2022-0185)
+- v0.11.5 (2026-05-19) — **`b.safeDecompress(buf, opts)` — bomb-resistant decompression primitive.** New operator-facing primitive at `lib/safe-decompress.js` that centralizes bounded-output and bounded-ratio decompression defenses across the framework. `lib/websocket.js` permessage-deflate now routes through the primitive. **Added:** *`b.safeDecompress(buf, opts)` with explicit algorithm allowlist* — Accepts `gzip` / `deflate` / `deflate-raw` (RFC 1951) / `brotli` under an explicit allowlist — unknown algorithms refuse with `safe-decompress/unsupported-algorithm`. Refuses bomb-class input via zlib's own `maxOutputLength` BEFORE allocation; AFTER decompression checks `output.length / input.length` against `maxRatio` (default 50:1) and overwrites + drops the buffer if the ratio is exceeded so operator-facing paths never see the bomb bytes. Pre-decompression input cap (`maxCompressedBytes`, default 4 MiB) defends against very-large compressed payloads whose zlib parse alone is expensive. · *Typed refusal codes with audit emission* — Refusals surface as `safe-decompress/output-too-large`, `ratio-exceeded`, `decompress-failed`, `empty-input`, `oversized-input`, `unsupported-algorithm`, `bad-arg`, and `bad-input`. Operators wire `opts.audit` to receive the `system.safe_decompress.refused` event with `{ code, algorithm, ctx, reason }` metadata; emission is drop-silent — hot-path observability sinks must not crash or stall the request that emitted them. · *Fuzz harness at `fuzz/safe-decompress.fuzz.js`* — Probes the four-algorithm allowlist with adversarial bytes (bomb / malformed / truncated / bogus dictionary) to catch any uncaught error class outside the documented refusal surface. **Changed:** *`lib/websocket.js` `_inflateMessage` routes through `b.safeDecompress`* — WebSocket per-message-deflate now calls `b.safeDecompress({ algorithm: "deflate-raw", maxRatio: 0, ... })`. WS already binds upstream via `maxMessageBytes` so the ratio cap is opt-out at this call site; future per-message-deflate sites adopt the same shape. **References:** [RFC 1950 zlib](https://www.rfc-editor.org/rfc/rfc1950) · [RFC 1951 deflate](https://www.rfc-editor.org/rfc/rfc1951) · [RFC 1952 gzip](https://www.rfc-editor.org/rfc/rfc1952) · [RFC 7932 brotli](https://www.rfc-editor.org/rfc/rfc7932) · [CVE-2025-0725](https://nvd.nist.gov/vuln/detail/CVE-2025-0725) · [RFC 8460 §5.2 TLS-RPT decompression community guidance](https://www.rfc-editor.org/rfc/rfc8460#section-5.2)
+- v0.11.4 (2026-05-19) — **`b.audit.useStore({ record })` shadow store + WebSocket permessage-deflate bomb fix + new detectors.** Operators can now register a shadow audit store that receives a copy of every chain append after the framework's tamper-evident commit. The WebSocket inflate path gains a `maxOutputLength` cap. Five new codebase-patterns detectors and a token-aware shape-matcher land for future regex-bypass-resistant detectors. **Added:** *`b.audit.useStore({ record })` shadow store registration* — Registers an operator-supplied shadow store that receives a copy of every audit chain append AFTER the framework's tamper-evident chain commits. The operator's `record(row)` async function receives the fully-formed row — `{ _id, recordedAt, monotonicCounter, prevHash, rowHash, action, outcome, actorUserId, ..., metadata }` — so external destinations (AWS QLDB / Azure Confidential Ledger / Google Cloud Audit Logs / in-house WORM appliances / SIEM forwarders) see identical hashes for cross-store reconciliation. Shadow failures are drop-silent — hot-path observability sinks must not crash or stall the request that emitted them — the framework chain is authoritative and already committed; an unreachable shadow surfaces via `b.observability` as the `audit.shadow_failed` event but never crashes the request path. Composes with HIPAA §164.312(b) / PCI-DSS Req 10.5.3 (separation-of-duties retention) / SOX §404 / SEC 17a-4 WORM postures. Pass `null` or `{ record: null }` to unregister. · *Shape-matcher substrate at `test/helpers/_shape-match.js`* — Test-only token-aware traversal (never ships — `test/` is absent from package.json `files:` allowlist) that tracks paren / brace / bracket depth + string / template-literal / regex / comment state. Exposes `findCalls(source, calleeRegex)` / `findEnclosingTry(source, pos)` / `aliasesOf(source, chainRegex)`. Future releases convert the highest-bypass-risk regex-only detectors to AST-aware variants using this substrate, closing the class of regex-bypass via variable renaming / parens / line splits that surface-pattern detectors miss. **Fixed:** *WebSocket permessage-deflate decompression-bomb amplification* — `lib/websocket.js` `_inflateMessage` previously called `zlib.inflateRawSync` without `maxOutputLength` — a malicious peer could ship a small compressed frame that exploded into gigabytes BEFORE the framework's post-decompression `maxMessageBytes` check ran. The inflate now passes `maxOutputLength: this.maxMessageBytes` so zlib refuses mid-decompress; same amplification class the `gunzip-without-output-size-cap` detector defends elsewhere. **Detectors:** *`test-promise-settimeout-sleep`* — Scans the `test/` tree — the first detector under the new test-scope walker — for the `await new Promise(r => setTimeout(r, N))` shape forbidden in tests. The framework's `helpers.waitUntil(predicate, opts?)` is the canonical replacement: polls the actual condition every 25ms up to a 5000ms cap, exiting early when truthy. Fast platforms finish in milliseconds; contended platforms get the full budget. The migration backlog is pre-allowlisted as a release-gate countdown. · *`inflate-unzip-without-output-size-cap`* — Extends the v0.10.15 gunzip-cap detector to `zlib.inflateSync` / `inflateRawSync` / `unzipSync` / `createInflate` family. RFC 1951 deflate is the same bomb class. · *`map-get-falsy-then-set-pre-node-26`* — Companion to `map-has-then-set-pre-node-26` — catches the `!M.get(k)` / `M.get(k) === undefined|null` semantically-identical variants that Node 26's `Map.prototype.getOrInsertComputed` replaces. · *`fs-existssync-then-read-toctou`* — CodeQL `js/file-system-race` class — `fs.existsSync(p) + fs.readFile(p)` against the same path is symlink-swap-vulnerable. The canonical defense is `lib/atomic-file.js`'s open-by-fd-first pattern. · *`buffer-from-string-on-auth-path`* — Flags `Buffer.from(String(x))` in `lib/` — auth-bearing sites become `b.safeBytes` migration targets in the next release. **References:** [RFC 7692 §7.2.2 WebSocket permessage-deflate](https://www.rfc-editor.org/rfc/rfc7692#section-7.2.2) · [HIPAA §164.312(b) Audit Controls](https://www.law.cornell.edu/cfr/text/45/164.312) · [PCI-DSS v4.0 Req 10](https://www.pcisecuritystandards.org/) · [SEC 17a-4 WORM](https://www.sec.gov/files/rules/final/34-44238.pdf) · [SOX §404](https://www.sec.gov/about/laws/soa2002.pdf) · [CVE-2025-0725](https://nvd.nist.gov/vuln/detail/CVE-2025-0725) · [CodeQL js/file-system-race](https://codeql.github.com/codeql-query-help/javascript/js-file-system-race/)
+- v0.11.3 (2026-05-19) — **SPF `a` and `mx` mechanism dispatch + smaller deferral-condition cleanups.** `b.mail.spf.verify` now evaluates the `a` and `mx` mechanisms per RFC 7208 §5.3 + §5.4, including the dual-cidr-length syntax. Senders publishing `v=spf1 mx -all` or `v=spf1 a -all` previously permerrored against this framework even though those are the second-most-common SPF mechanisms in fielded policies. **Added:** *SPF `a` and `mx` mechanism evaluation* — `b.mail.spf.verify` now evaluates the `a` and `mx` mechanisms per RFC 7208 §5.3 + §5.4, including the dual-cidr-length syntax (`a:foo.example/24//64`, `mx//64`). Verification resolves the operator-supplied A / AAAA / MX records (via the existing `dnsLookup` callback contract — which is now honored for every record type, not only TXT) and matches the connecting IP under the parsed cidr. MX expansion is capped at the RFC §4.6.4 limit of 10 hosts (over-limit = permerror); each MX-host A/AAAA expansion counts toward the 10-lookup global ceiling and the 2-lookup void-lookup sub-limit. **Changed:** *Empty digit segments in dual-cidr-length grammar refuse with permerror* — `a/`, `a//`, `mx/`, `mx//`, `a/24//` and similar shapes now permerror with an explanatory message. RFC §5.3/§5.4 grammar requires `1*DIGIT` after each slash; accepting empty would over-authorize senders publishing `v=spf1 a/ -all` (would match every IP in the /32 of every A record). · *`exists` and `ptr` mechanisms permerror with explanatory message* — `exists` (RFC §5.7) needs macro-string expansion (RFC §7) to be usable in fielded policies; `ptr` (RFC §5.5) is strongly discouraged by the RFC and rarely seen. Each now permerrors with an explanatory message naming the RFC section and a practical operator-side mitigation. · *S/MIME documentation corrected to reflect v0.10.16 shipped state* — `b.mail.crypto.smime` `@card` and the v1-only-emits-metadata comment in `lib/mail-crypto-smime.js` are corrected to reflect that sign + verify shipped in v0.10.16 on the `b.cms` substrate. EFAIL-class encrypt/decrypt remains the only deferred slice. · *Deferral conditions documented for ACME revocation and IMAP BAD UID responses* — `b.acme.create.revokeCert({ useCertKey: true })` and the `BAD UID <subverb>` IMAP listener response now carry explicit re-open conditions plus named operator escape hatches alongside the deferral. **Detectors:** *`slice1-optional-parseint-silent-default`* — Any `.slice(1)` followed by an `if (X.length > 0)` guard around `parseInt(X, 10)` MUST sit in a file that also carries an explicit empty-segment refusal phrasing. Future cidr-length / prefix-length / port-range parsers inherit the discipline automatically. **References:** [RFC 7208 §5.3 a mechanism](https://www.rfc-editor.org/rfc/rfc7208#section-5.3) · [RFC 7208 §5.4 mx mechanism](https://www.rfc-editor.org/rfc/rfc7208#section-5.4) · [RFC 7208 §4.6.4 DNS-lookup limits](https://www.rfc-editor.org/rfc/rfc7208#section-4.6.4) · [RFC 8551 S/MIME 4.0](https://www.rfc-editor.org/rfc/rfc8551.html) · [RFC 9051 IMAP4rev2 §6.4.9 UID](https://www.rfc-editor.org/rfc/rfc9051#section-6.4.9)
+- v0.11.2 (2026-05-19) — **Node 26 floor-bump preparation.** Today's `engines.node` floor is `>=24.14.1` and the framework runs cleanly on Node 26 (which satisfies the floor). This release ships the prep scaffolding so the future floor-bump (when Node 26 promotes to Active LTS and `>=26.x` becomes the floor) is mechanical. **Added:** *`b.backup.diskStorage(opts)` — canonical name for the local-filesystem backup backend* — `b.backup.localStorage(opts)` continues to work and emits a one-time deprecation warning via `b.deprecate.alias`, with removal scheduled for the next major. The rename avoids the Node 26 platform-level `localStorage` global naming collision; the deprecation path follows the framework's stable upgrade policy (one minor with deprecation warnings before removal). · *Node 26 forward-compatibility integration test* — `test/integration/pqc-pkcs8-forward-compat.test.js` captures the ML-KEM-1024 / ML-DSA-65 / ML-DSA-87 / SLH-DSA-SHAKE-256f / Ed25519 PKCS8 export-byte shape on the current Node, asserts the sign+verify / encap+decap roundtrip via a re-imported KeyObject, and embeds a Node-26-shape fixture that re-imports every run. The forward-compat contract is testable today; the reverse-direction (Node-26-exported → Node-24-imported) test follows the floor-bump. · *SECURITY.md and README gain Node 26 compatibility documentation* — SECURITY.md gains a Node 26 compatibility section documenting the `localStorage` global naming collision (bare references in operator handler code now resolve to a Node global rather than throwing `ReferenceError`) and the ML-KEM / ML-DSA seed-only PKCS8 export shape (Node-24-sealed material re-imports cleanly on Node 26; new material from Node 26 is seed-only — parallel Node 24 readers of the same sealed disk need a one-time migration when the writer moves). README Requirements line gains the matching Node 26 note. **Deprecated:** *`b.backup.localStorage(opts)` aliased to `b.backup.diskStorage(opts)`* — First-call deprecation warning via `b.deprecate.alias`; removal scheduled for the next major. The rename avoids the Node 26 `localStorage` global naming collision. **Detectors:** *`map-get-or-insert-pre-node-26`* — Flags the `if (!m.has(k)) m.set(k, factory()); m.get(k)` shape that Node 26's `Map.prototype.getOrInsertComputed(key, factory)` replaces in a single call. The detector lands as an allowlist marker — every existing call site in `lib/` is allowlisted with the spec file as the migration target; new code post-this-patch trips the gate. When the floor bumps the allowlist is walked and the detector flips to enforce. **References:** [Node.js v26 release notes](https://nodejs.org/en/blog/release/v26.0.0) · [TC39 Map.getOrInsertComputed](https://github.com/tc39/proposal-upsert) · [RFC 8032 §5.1 Ed25519 context parameter](https://www.rfc-editor.org/rfc/rfc8032.html#section-5.1)
+- v0.11.1 (2026-05-19) — **Integration suite hardening + live coverage for the v0.11.0 surface.** `b.httpClient.request` proxy + `allowInternal` interaction is corrected; `b.mail.crypto.smime.verify` exposes a `chainVerified` boolean; new integration tests cover S/MIME signing, SAML SLO, and RFC 7592 Dynamic Client Registration Management against the live Keycloak harness. **Added:** *Live S/MIME integration test against a real X.509 chain* — New `test/integration/mail-crypto-smime.test.js` round-trips S/MIME sign + verify with a real X.509 chain issued by `b.mtlsCa` (CA → leaf cert → ML-DSA-65 signer), exercises tamper / wrong-key / untrusted-anchor refusal paths, and validates the `chainVerified` return field. · *SAML SLO + RFC 7592 DCR Management coverage in federation-auth integration* — `test/integration/federation-auth.test.js` extends to cover SAML SLO (`buildLogoutRequest` against Keycloak's `/protocol/saml` SLO endpoint with the wire-format-parse assertion) and RFC 7592 Dynamic Client Registration Management (`registerClient` / `readClient` / `updateClient` / `deleteClient` against Keycloak's DCR endpoint). **Changed:** *`b.httpClient.request` skips local SSRF DNS lookup when proxy + `allowInternal: true`* — The proxy resolves the destination hostname in its own network context, so requiring local resolution refused legitimate intranet / docker-service-name targets routed through the proxy. The SSRF gate still runs when `allowInternal` is false or array-form — the proxy's freedom to reach internal IPs is not a blanket license; the explicit opt-in is still required. · *`b.mtlsCa` integration tests compose with `caKeySealedMode: "disabled"`* — Fixture purpose only. Production deployments continue to wire `opts.vault` for sealed-at-rest CA-key storage. · *`b.mail.crypto.smime.verify` returns a `chainVerified` boolean* — The return shape gains a `chainVerified: boolean` field reflecting whether `opts.trustAnchorCertsPem` was supplied and the leaf-to-root chain walk completed.
+- v0.11.0 (2026-05-19) — **Mail-crypto sign/verify + SAML Single Logout + browser identity + CSP3 + hypermedia + sectoral postures.** S/MIME sign + verify lands on a new in-tree CMS substrate with PQC signers; SAML 2.0 Single Logout (Redirect / POST / SOAP) ships with EncryptedAssertion and Holder-of-Key; browser-identity primitives (FedCM, DBSC, VAPID, Import Maps SRI) join the framework; a CSP Level 3 builder enforces no-`unsafe-*` defaults; OAuth Dynamic Client Registration Management (RFC 7592) and OpenID Connect Native SSO 1.0 close out the identity surface; 17 sectoral / cybersecurity / AI-governance compliance postures join the catalog. **Added:** *`b.cms.parseSignedData(buf)` — RFC 5652 SignedData walker* — Parses an inbound RFC 5652 §5.1 SignedData ContentInfo and returns `{ digestAlgs, encapContent, certificates, signerInfos }` as structured arrays so downstream verifiers check signatures without re-implementing the SignedData walker. · *`b.mail.crypto.smime.sign(opts)` + `.verify(opts)` live on the `b.cms` substrate* — `sign` composes `b.cms.encodeSignedData` and wraps the payload in an RFC 8551 `multipart/signed; protocol="application/pkcs7-signature"; micalg=sha3-{256,512}` envelope. `verify` parses the CMS SignedData payload, walks signed-attributes to extract the `messageDigest` attribute, recomputes the message digest, refuses tamper with `mail-crypto/smime/message-digest-mismatch`, and PQC-verifies the signature against the operator-supplied signer public key. Supports ML-DSA-65 / ML-DSA-87 / SLH-DSA-SHAKE-256f signers; SHA-2 family refused at `cms/bad-digest`. · *S/MIME trust-anchor chain walk + revocation hook* — `b.mail.crypto.smime.verify({ trustAnchorCertsPem })` walks the SignerInfo cert chain leaf-to-root via `node:crypto.X509Certificate` with `notBefore` / `notAfter` checks and refuses `mail-crypto/smime/untrusted-chain` / `cert-expired` / `cert-not-yet-valid`. Revocation freshness is operator-wired via `b.network.tls.ocsp` when required. · *`b.mail.crypto.pgp.experimental` PQC PGP encrypt/decrypt + WKD URL* — `encrypt(opts)` + `decrypt(opts)` ship under the `experimental` namespace because the RFC 9580bis PKESK ML-KEM codepoints are not IANA-registered yet. Envelope is ML-KEM-1024 KEM + ChaCha20-Poly1305 AEAD with per-recipient KEK derived via SHAKE256 bound to the literal label `pgp/experimental/chacha20-poly1305`. Multi-recipient envelopes; tamper / wrong-key refusal as typed errors. `wkd.computeUrl(email)` computes the draft-koch-openpgp-webkey-service URL (SHAKE256-hash localpart + zbase32 encoding) and returns `{ direct, advanced }` URLs — operators supply their own HTTPS fetcher. · *`b.auth.saml.sp` Single Logout — Redirect, POST, and SOAP bindings* — `buildLogoutRequest({...})` / `parseLogoutRequest(b64, opts)` / `buildLogoutResponse({...})` implement SAML 2.0 Single Logout on the HTTP-Redirect binding per SAML Bindings §3.4.4.1 with PQC-signed canonical query (ML-DSA-65 / ML-DSA-87 / Ed25519). `buildLogoutRequestPost` / `parseLogoutRequestPost` cover the HTTP-POST binding, and `buildLogoutRequestSoap` / `parseLogoutResponseSoap` cover the SOAP synchronous back-channel — both with embedded XMLDSig-Enveloped signatures. SP metadata now emits `<md:SingleLogoutService>` bindings when `singleLogoutServiceUrl` is set; tamper / wrong-key / missing-signature each refuse as typed errors. · *SAML SignatureMethod surface spanning XMLDSig 1.1 + RFC 9231* — Accepts `rsa-sha256` / `rsa-sha384` / `rsa-sha512` and `ecdsa-sha256` / `ecdsa-sha384` / `ecdsa-sha512` (W3C XMLDSig Core 1.1) plus `ed25519` (RFC 9231) so the framework interops with deployed IdPs out of the box. Classical keys are PEM strings or `node:crypto` KeyObject instances; PQC keys are `Uint8Array` from `b.pqcSoftware.ml_dsa_*.keygen()`. ML-DSA-65 / ML-DSA-87 are accepted under framework-private URIs (`urn:blamejs:experimental:saml-sig-alg:ml-dsa-65` / `:ml-dsa-87`) — no IETF / W3C XMLDSig registration exists for ML-DSA yet. Verification refuses inclusive-c14n, algorithm-confusion (SignatureMethod URI must match the operator-declared `idpVerifyAlg`), signature-wrapping (Reference URI must match root ID via timing-safe digest compare), and SHA-1 digest methods (CVE-2017-7525-class). · *SAML 2.0 §2.5 EncryptedAssertion decryption* — Decrypts AES-128-GCM / AES-256-GCM (W3C XMLEnc 1.1 §5.2.4) content with RSA-OAEP-MGF1P / xmlenc11 RSA-OAEP key transport (SHA-256/384/512 only; SHA-1 OAEP refused as CVE-2023-49141-class). AES-CBC content encryption is refused under both `xmlenc#aes128-cbc` and `xmlenc#aes256-cbc` (CVE-2011-1473 padding-oracle class) — operators integrating with IdPs that default to CBC (older ADFS / Azure AD / Okta / Keycloak / OneLogin) switch the IdP's content-encryption setting to AES-128-GCM or AES-256-GCM. Framework-experimental URIs `urn:blamejs:experimental:xmlenc:ml-kem-1024` (key transport) and `urn:blamejs:experimental:xmlenc:xchacha20-poly1305` (content) are accepted alongside the W3C URIs. · *SAML Holder-of-Key SubjectConfirmation* — `b.auth.saml.sp.verifyResponse({ holderOfKey: { presentedCertPem } })` honors `urn:oasis:names:tc:SAML:2.0:cm:holder-of-key`: SHA3-512 fingerprint of the embedded KeyInfo/X509Data certificate is compared against the operator-supplied presented mTLS / possession-proof cert via `timingSafeEqual`. HoK and Bearer confirmations coexist. · *OAuth Dynamic Client Registration Management (RFC 7592)* — `b.auth.oauth.readClient(uri, token)` / `updateClient(uri, token, metadata)` / `deleteClient(uri, token)` bind to the `registration_access_token` returned by `registerClient` and implement the GET / PUT / DELETE endpoints per RFC 7592. `updateClient` enforces the same `redirect_uris`-array refusal as `registerClient`. · *OpenID Connect Native SSO 1.0 token exchange* — `b.auth.oauth.nativeSsoExchange({ deviceSecret, idToken, audience })` convenience-wraps `exchangeToken` for OpenID Connect Native SSO 1.0 §6 and adds `urn:openid:params:token-type:device-secret` to the RFC 8693 §3 token-type allowlist. · *`b.webPush` — VAPID JWT keypair generation + auth header* — `generateVapidKeypair()` + `buildVapidAuthHeader(opts)` sign the RFC 8292 VAPID JWT inline (ECDSA-P256 per the spec). The framework's PQC-default JWT signer refuses ES256 by design, so `b.webPush` owns the signing rather than relaxing the broader policy. · *`b.fedcm` — W3C FedCM 2024 IdP-side response builders* — `wellKnown({ provider_urls })` / `config({ accounts_endpoint, ... })` / `accountsResponse({ accounts })` / `idAssertionResponse({ token })` emit the JSON shapes the browser FedCM API expects from an IdP. · *`b.dbsc` — IETF Device-Bound Session Credentials* — `challenge({ secretKey })` mints an HMAC-SHA3-512-signed challenge token that requires no server-side storage. `verifyBindingAssertion(jwt, opts)` refuses HS256 / `none` as algorithm-confusion, validates ES256 / RS256 against the embedded JWK, and returns the RFC 7638 JWK thumbprint so operators pin the binding key to a session. · *`b.importmapIntegrity.build({ modules })` — WICG Import Maps + SRI* — Emits an integrity map (SHA-384 by default) so browsers refuse module bytes that don't match the operator-declared hashes. · *`b.csp.build(directives, opts?)` + `b.csp.nonce(byteLen?)` + `b.csp.hash(scriptBody, alg?)`* — CSP Level 3 builder surface that refuses `'unsafe-*'` / catch-all `*` / `https:` / `data:` in non-image directives without an explicit acknowledgement opt. Auto-appends `require-trusted-types-for 'script'` plus the operator-supplied `trusted-types` policy list when any `script-*` directive is set. Emits ≥128-bit nonces by default and computes `sha256` / `sha384` / `sha512` hash sources for inline scripts. `b.middleware.securityHeaders` `coep` opt now documents the W3C CR 2024-12 `credentialless` value alongside `require-corp`. · *OpenMetrics 1.0 exposition format* — `b.metrics` registry `exposition({ format: "openmetrics" })` emits the counter `_total` suffix, `# UNIT` lines, exemplar trace IDs on histograms, and the `# EOF` terminator per the openmetrics.io 1.0 wire format. · *`b.standardWebhooks.sign` + `verify`* — Implements the standardwebhooks.com consortium spec (Stripe / Svix / Okta wire format): HMAC-SHA256, multi-version signature header, 5-minute default skew tolerance. · *`b.lro` — AIP-151 Long-Running Operations* — `create({ store }) → { submit, status, list, cancel }` with operator-supplied storage and AbortSignal-aware cancellation. · *`b.jsonApi.dataResponse(data, opts)` + `.errorResponse(errors)`* — Wraps domain payloads in the JSON:API v1.1 top-level shape and refuses missing Resource Object `type`. · *`b.hal.resource(payload, { links, embedded, templates })`* — Builds HAL responses (draft-kelly-json-hal) with an RFC 8288 link-object normaliser. · *Sectoral / cybersecurity / AI-governance compliance postures (17 new regimes)* — `b.compliance` posture catalog gains `42-cfr-part-2`, `hti-1`, `uscdi-v4`, `irs-1075`, `nist-800-172-r3`, `tlp-2.0`, `soci-au`, `nis2`, `cra`, `ffiec-cat-2`, `cri-profile-v2.0`, `m-22-09`, `m-22-18`, `nist-800-53-r5-privacy`, `nist-ai-600-1-genai`, `nist-csf-2.0`, `sb-53`, and `nyc-ll144-2024`. Each cascade pins the regime's normative floor (`backupEncryptionRequired` / `auditChainSignedRequired` / `tlsMinVersion` / `requireVacuumAfterErase`). **Detectors:** *`number-coerce-or-zero-on-json-source`* — Refuses `Number(<var>['<kebab-cased-key>']) || 0` shapes — that coercion silently accepts `Infinity`, `NaN`, negative values, and arbitrary strings on operator-untrusted JSON-source input. Codifies the discipline that the previous TLS-RPT one-off established. **References:** [RFC 5652 Cryptographic Message Syntax](https://www.rfc-editor.org/rfc/rfc5652.html) · [RFC 8551 S/MIME 4.0](https://www.rfc-editor.org/rfc/rfc8551.html) · [RFC 9580 OpenPGP](https://www.rfc-editor.org/rfc/rfc9580.html) · [draft-koch-openpgp-webkey-service](https://datatracker.ietf.org/doc/draft-koch-openpgp-webkey-service/) · [SAML 2.0 Bindings (Redirect / POST / SOAP)](https://docs.oasis-open.org/security/saml/v2.0/saml-bindings-2.0-os.pdf) · [SAML 2.0 Core §2.5 EncryptedAssertion](https://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf) · [W3C XML-Encryption 1.1](https://www.w3.org/TR/xmlenc-core1/) · [RFC 7592 Dynamic Client Registration Management](https://www.rfc-editor.org/rfc/rfc7592.html) · [OpenID Connect Native SSO 1.0](https://openid.net/specs/openid-connect-native-sso-1_0.html) · [RFC 8292 VAPID for Web Push](https://www.rfc-editor.org/rfc/rfc8292.html) · [W3C CSP Level 3](https://www.w3.org/TR/CSP3/) · [W3C Trusted Types](https://www.w3.org/TR/trusted-types/) · [OpenMetrics 1.0](https://openmetrics.io/) · [Standard Webhooks](https://www.standardwebhooks.com/) · [Google AIP-151 Long-Running Operations](https://google.aip.dev/151) · [JSON:API v1.1](https://jsonapi.org/format/1.1/) · [draft-kelly-json-hal](https://datatracker.ietf.org/doc/draft-kelly-json-hal/)
+## v0.10.x
+- v0.10.15 (2026-05-18) — **TLS-RPT receiver — RFC 8460 aggregate-report ingest.** New primitive surface under `b.mail.deploy` that closes the receive-side of TLS-RPT (the publish-side shipped earlier in v0.7.29 + v0.9.56). HTTPS POST handler factory, pure parser + schema validator, and a schema descriptor for operator dashboards, with bomb-class defenses (CVE-2025-0725) and SSRF refusals baked in. **Added:** *`b.mail.deploy.parseTlsRptReport(bytes, opts?)`* — Pure parser + RFC 8460 §4.4 schema validator. Accepts `application/tlsrpt+json` (raw) and `application/tlsrpt+gzip` (auto-detected via the RFC 1952 gzip magic bytes `0x1f 0x8b` or routed when `opts.contentType` names a gzip media-type). Caps compressed payload at 4 MiB (RFC 8460 §5.2 community ceiling), decompressed at 32 MiB (operator-overridable), and refuses decompression amplification > 50:1 — defends CVE-2025-0725 (libcurl + zlib decompression amplification) and the broader zlib bomb class. Routes through `b.guardJson.parse` for proto-pollution / depth / key-count defenses before walking the §4.4 schema. Refuses on missing required fields (`organization-name` / `contact-info` / `report-id` / `date-range.{start,end}-datetime` / `policies`) and enforces the §4.4 erratum that `policies` MUST be a non-empty array even for single-policy reports. Returns the normalized report shape plus `sessionTotals: { success, failure }` and a `wasCompressed` flag. · *`b.mail.deploy.tlsRptIngestHttp({...})`* — Factory returning an `(req, res)` HTTPS POST handler mounted at the operator's `rua=https://<host>/<path>` endpoint per RFC 8460 §5.4. Negotiates the two IANA-registered media types (RFC 8460 §6.4-6.5), returns 405 on non-POST, 415 on bad media-type (with `Accept:` header), 413 on size / bomb / ratio refusal, 400 on parse failure (with `Error-Type:` header naming the typed error code), 201 on accept. Optional `trustedReporters` array refuses non-trusted reporting domains (RFC 8460 §5.3-class defense extended to the HTTPS path). Body collection routes through `b.safeBuffer.boundedChunkCollector` — cap enforced at every `push()`, not after — so a hostile reporter sending a 10-GB body rejects on the chunk that overflows. Emits the `mail.tlsrpt.ingest_http` audit event with `policyDomains` set + session totals on every accept / refuse. · *`b.mail.deploy.tlsRptReportSchema()`* — Schema descriptor (required fields, policy types, result types) for operator dashboards. Pure function. **Detectors:** *`gunzip-without-output-size-cap` (lib-side)* — Every `zlib.gunzipSync` / `zlib.createGunzip` / `zlib.brotliDecompressSync` MUST sit in a file that also names `maxOutputLength` (Node-native cap) per the CVE-2025-0725 defense class. Companion-check `requires` field added to the lib-side runner. **Migration:** *Operator impact — HTTPS-only ingest in v1; deferred-with-condition for mailto: + brotli* — mailto: ingest is not implemented in v1 (no operator demand surfaced — HTTPS POST is the de-facto deployment shape for TLS-RPT; operators wanting mailto: today compose `b.mail.server.mx` + `parseTlsRptReport`). Brotli decompression is similarly deferred (no fielded reporter uses `Content-Encoding: br` for TLS-RPT; the RFC 8460 §6.4-6.5 IANA registry only names `+json` and `+gzip`). Each reopens with a documented condition. **References:** [RFC 8460 SMTP TLS Reporting](https://www.rfc-editor.org/rfc/rfc8460.html) · [RFC 8461 MTA-STS](https://www.rfc-editor.org/rfc/rfc8461.html) · [RFC 1952 gzip](https://www.rfc-editor.org/rfc/rfc1952.html) · [CVE-2025-0725](https://nvd.nist.gov/vuln/detail/CVE-2025-0725)
+- v0.10.14 (2026-05-18) — **Codebase-patterns hardening — test-side catalog gains basename matching + new detectors; lib-side gains comment-skip.** Closes the same class of bug that caused the v0.10.13 macOS hang (test-discipline-without-enforcement). The test-side antipattern runner now supports `matchOn: "basename"` mode and `requires` companion-content checks; three new test-side detectors land, one rule migrates from the lib-side catalog, and the lib-side runner gains a `skipCommentLines` per-entry opt and a real `audit.emit` drop-silent fix in `lib/subject.js`. **Added:** *`test-codebase-patterns.test.js` — test-side antipattern runner* — Now supports `matchOn: "basename"` mode and `requires` companion-content checks. The lib-side runner gains a `skipCommentLines` per-entry opt so docstring `@example` lines don't trip detectors that match comment-friendly tokens. **Detectors:** *Migration — `testNoReleaseNamedTestFiles` moves to test-side catalog* — The rule scans test-file basenames, not lib-source content, so it migrates from the lib-side catalog to the test-side catalog where it belongs. · *`Promise + setTimeout` direct sleep in tests refused* — Tests calling `await new Promise(r => setTimeout(r, N))` for synchronization MUST use `helpers.waitUntil` — the framework's polling-predicate primitive replaces fixed-budget sleeps that race under runner contention. 49 pre-existing files are allowlisted as a documented migration backlog; the gate prevents new occurrences. · *Hardcoded server bind ports refused* — Tests calling `.listen(N)` with a literal non-zero port MUST use `.listen(0)` + `server.address().port` to avoid `SMOKE_PARALLEL=64` bind races. Detector scoped to the bind path (`.listen(...)`); read-only protocol-constant references (`port: 993` / `port: 587` in autoconfig XML) don't trip. · *Tests creating `b.db` handles without an isolation primitive refused* — Any test calling `b.db.create(` MUST also wire one of `helpers.setupTestDb` / `helpers.setupVaultOnly` / `node:fs.mkdtempSync`. Leaked per-test SQLite state corrupts subsequent tests under `SMOKE_PARALLEL=64`. · *Raw `audit.emit(...)` outside drop-silent wrap refused (lib)* — Hot-path audit sinks must be drop-silent: a misconfigured sink that throws would crash the request the audit was recording. Detector found and fixed an existing violation in `lib/subject.js:_writeAudit` whose comment promised swallowing but actually let the throw escape. **Migration:** *Operator impact — no runtime change; one deferred semantic detector* — `Date.now()` vs `process.hrtime()` for elapsed-time math needs semantic distinction (elapsed-math vs row-age); regex alone is too noisy. The v0.10.13 stream-throttle elapsed-clamp shipped the highest-value fix already; remaining call sites get per-file review in a later patch.
+- v0.10.13 (2026-05-18) — **`b.cms` codec + `b.streamThrottle` + histogram-aware snapshot + Windows-safe daemonize.** New `b.cms` PQC-first CMS encoder + decoder (RFC 5652 / 9629 / 9909 / 9881 / 9936 / 8103) built on the existing `b.asn1Der` walker. New `b.streamThrottle` token-bucket bandwidth limiter shared across pipelines. Histogram-aware `b.metrics.snapshot.startWriter`. Windows-safe `b.daemon.start` detached-fork path. Closes issues #94 / #100 / #101 (and #92 / #93 already shipped in v0.10.9). **Added:** *`b.cms.encodeSignedData({ encapContent, digestAlg, signers })`* — Emits a DER-encoded `ContentInfo` carrying `SignedData` per RFC 5652 §5 with PQC signers: ML-DSA-65 + ML-DSA-87 (RFC 9909) and SLH-DSA-SHAKE-256f (RFC 9881). Digest algorithms are SHA3-256 or SHA3-512 (PQC-first; SHA-2 family refused with `cms/bad-digest`). Signed-attributes carry `contentType` + `messageDigest` + `signingTime` in DER-canonical SET-OF ordering; the signature input re-tags the IMPLICIT `[0]` to the universal SET (`0x31`) per §5.4 paragraph 3 so signatures round-trip with any conforming verifier. Signer identifiers carry the full `issuerAndSerialNumber` extracted from the operator-supplied cert DER (RFC 5652 §10.2.4). · *`b.cms.encodeEnvelopedData({ plaintext, recipients })`* — Emits a DER-encoded `ContentInfo` carrying `EnvelopedData` with `KEMRecipientInfo` recipients per RFC 9629 and ML-KEM-1024 per RFC 9936. Each recipient encapsulates against the operator-supplied ML-KEM-1024 public key; the framework's SHAKE256 KDF derives a 32-byte content-encryption KEK from the KEM shared-secret bound to the literal label `cms/kemri/chacha20-poly1305` (so a key derived for this composition cannot be confused with one derived for any other framework path). Content encryption is ChaCha20-Poly1305 (RFC 8103 OID); the AEAD tag makes Efail-class CBC-malleability impossible by construction (CVE-2017-17688 / CVE-2017-17689). · *`b.cms.decode(buf, { maxBytes? })`* — Returns `{ contentType, content }` where `contentType` is the dotted-OID string and `content` is the inner `asn1-der` node. Refuses input past `maxBytes` (default 64 MiB), non-SEQUENCE top-level, missing `[0] EXPLICIT` content, and malformed OID encodings (closes the CVE-2022-47629 libksba class via the existing `b.asn1Der` strict-decode posture). Refusal posture documented in `lib/cms-codec.js`: only PQC signature algorithms (`cms/bad-sig-alg`), only ML-KEM-1024 recipients (`cms/bad-recipient-type`), non-empty signers / recipients required at encode (`cms/no-signers` / `cms/no-recipients`). · *`b.streamThrottle.create({ bytesPerSec, burstBytes? })` token-bucket bandwidth limiter* — Returns a shared token bucket whose `.transform()` instances each consume from the same budget. The missing primitive between per-request rate-limit and per-process worker pools: N parallel transfers share the operator-configured byte budget rather than each getting their own. Composes with `node:stream.pipeline` as a regular `stream.Transform`; chunks larger than `burstBytes` refuse with `stream-throttle/oversize-chunk` unless `transform({ allowOversize: true })`. Algorithm is the RFC 2697 srTCM single-rate token-bucket shape, with lazy refill so there is no per-throttle background timer. · *Histogram-aware metrics snapshot writer* — `b.metrics.snapshot.startWriter` gains an opt-in `registry` field. When supplied, the JSON snapshot grows a `metrics` field carrying every registered counter / gauge / histogram in structured form — histograms include `buckets` + `observations: [{ labels, counts, sum, count }]`, so sidecar readers compose `histogram_quantile()` against the snapshot file without running a separate `/metrics` HTTP endpoint. `fileMode` default unchanged (0o640). · *Windows-safe daemonize* — `b.daemon.start` detached-fork mode now branches by platform. POSIX continues inheriting the parent-opened log FD via `stdio: ["ignore", logFd, logFd]` (unchanged). Windows now uses `stdio: "ignore"` + `windowsHide: true` so the child has no inherited handles that the OS invalidates on parent exit — the previously-broken Windows daemonize path now produces a survivable detached process. The child is responsible for opening its own log file (operators pass `--log` in `opts.args`). `daemon.started` audit gains `stdioMode` so operators can grep for the chosen strategy. **Migration:** *Operator impact — no breaking changes; mail-crypto wire layers in a follow-up* — No breaking changes; new primitive at `b.cms`. The on-the-wire S/MIME 4.0 layer (RFC 8551 `multipart/signed` framing, base64 DER body, `micalg` mapping) and OpenPGP encrypt + decrypt + WKD discovery (RFC 9580 §5.1 / §5.13 packets plus draft-koch-openpgp-webkey-service) land together in a follow-up patch so the mail-crypto surface lights up coherently. AuthEnvelopedData (RFC 5083) as a distinct `ContentInfo` shape is deferred — EnvelopedData with ChaCha20-Poly1305 is already AEAD by construction; the §5083 OID rewrap lights up alongside S/MIME for peers that refuse the EnvelopedData form. Closes issues #94, #100, #101; also closes #92 and #93 (already shipped in v0.10.9 as `b.promisePool` / `b.sdNotify` — left open until now). **References:** [RFC 5652 CMS](https://www.rfc-editor.org/rfc/rfc5652.html) · [RFC 9629 KEMRecipientInfo](https://www.rfc-editor.org/rfc/rfc9629.html) · [RFC 9909 ML-DSA in X.509+CMS](https://www.rfc-editor.org/rfc/rfc9909.html) · [RFC 9881 SLH-DSA in X.509+CMS](https://www.rfc-editor.org/rfc/rfc9881.html) · [RFC 9936 ML-KEM in CMS](https://www.rfc-editor.org/rfc/rfc9936.html) · [RFC 8103 ChaCha20-Poly1305 in CMS](https://www.rfc-editor.org/rfc/rfc8103.html) · [RFC 2697 srTCM](https://www.rfc-editor.org/rfc/rfc2697.html) · [CVE-2017-17688 Efail](https://nvd.nist.gov/vuln/detail/CVE-2017-17688) · [CVE-2017-17689 Efail](https://nvd.nist.gov/vuln/detail/CVE-2017-17689) · [CVE-2022-47629 libksba](https://nvd.nist.gov/vuln/detail/CVE-2022-47629)
+- v0.10.12 (2026-05-18) — **`b.agent.tenant` adoption across the mail-server listeners.** The shared `b.mail.serverRegistry` primitive gains optional `opts.tenantScope` (a `b.agent.tenant.create()` instance) + `opts.agentTenantId` (the tenant this listener serves). When supplied, every method dispatch gates on `tenantScope.check(state.actor, agentTenantId)` BEFORE guard validation or audit emission; cross-tenant access surfaces as the typed `agent-tenant/cross-tenant-access-refused` which the listener's catch-path converts to the protocol's `BAD` / `NO` refusal reply. **Added:** *`b.mail.server.imap.create({ tenantScope, agentTenantId })`* — IMAP dispatch is gated for every command after AUTH; cross-tenant access surfaces through the listener's typed refusal path. · *`b.mail.server.jmap.create({ tenantScope, agentTenantId })`* — JMAP per-method dispatch routes through the tenant scope alongside its existing per-`accountId` isolation. · *`b.mail.server.managesieve.create({ tenantScope, agentTenantId })`* — ManageSieve same pattern — every method dispatch gates on the tenant scope before guard validation. · *`b.mail.server.submission.create({ tenantScope, agentTenantId })`* — Submission listener gates at the AUTH-success boundary (before `state.actor` is committed) so cross-tenant authentication surfaces as `535 5.7.0 Authentication rejected (cross-tenant)` and the SMTP envelope never begins under the wrong tenant. · *`b.mail.server.pop3.create({ tenantScope, agentTenantId })`* — Same AUTH-success gate; cross-tenant refusal returns `-ERR Authentication rejected (cross-tenant)`. New audit events: `mail.server.submission.cross_tenant_refused` and `mail.server.pop3.cross_tenant_refused`. **Migration:** *Operator impact — opt-in tenancy, no behavior change without `tenantScope`* — No breaking changes — `tenantScope` / `agentTenantId` are optional; operators not running multi-tenant see identical behavior. Operators with multi-tenant deployments wire `b.agent.tenant.create({...})` once and pass the same scope to every per-tenant listener instance — cross-tenant isolation becomes structural rather than per-handler opt-in. Per-tenant `b.mailStore` seal-key derivation via `tenantScope.derivedKey(tenantId, "seal")` and per-tenant audit namespaces via `tenantScope.auditFor(tenantId)` ship in a follow-up patch. Today every mail listener seals through the framework primary vault key — adequate for single-tenant and multi-tenant-trusted deployments; the follow-up adds per-tenant key separation for compromise-isolation use cases. **References:** [RFC 9051 IMAP4rev2 §3 state machine](https://www.rfc-editor.org/rfc/rfc9051#section-3) · [RFC 8620 JMAP Core §1.6.2 accountId](https://www.rfc-editor.org/rfc/rfc8620#section-1.6.2) · [RFC 6409 Submission §6.1 actor-to-MAIL-FROM identity binding](https://www.rfc-editor.org/rfc/rfc6409#section-6.1) · [RFC 1939 POP3 §6 transaction state](https://www.rfc-editor.org/rfc/rfc1939#section-6)
+- v0.10.11 (2026-05-18) — **Mail-server per-method registration — shared `b.mail.serverRegistry`.** New shared primitive `b.mail.serverRegistry` (`lib/mail-server-registry.js`) replaces the hand-rolled `switch (verb)` dispatchers in the IMAP, JMAP, and ManageSieve listener factories. Operators can override individual command / method handlers via `opts.overrides` with required per-handler resource budgets without re-implementing wire-protocol state machines or bypassing the guard substrate. **Added:** *Per-handler resource budgets — required at registration* — Operators MUST supply `maxHandlerBytes` (≤ 256 MiB) and `maxHandlerMs` (≤ 5 min) on every override; the registration throws `mail-server-registry/bad-max-handler-bytes` / `bad-max-handler-ms` on missing or out-of-range budgets. Defends CVE-2024-34055 (Cyrus authenticated OOM) and CVE-2026-26312 (Stalwart malformed nested `message/rfc822` cyclical OOM) by forcing operators to declare the resource ceiling explicitly. · *Catalogue gate* — Per-protocol method names outside the IANA / RFC catalogue refuse registration unless `allowExperimental: true` is supplied — opting in audits the registration so operators can grep for off-spec handlers. · *Guard chain preserved* — The listener factories run `b.guardImapCommand` / `b.guardJmap` / `b.guardManagesieveCommand` BEFORE the registry lookup; operator overrides cannot bypass the wire-protocol validation, smuggling defenses, or rate-limit budgets. · *Handler timeout* — Promise-returning handlers wrap through `b.safeAsync.withTimeout(maxHandlerMs)`; a runaway override raises `mail-server-registry/handler-timeout` rather than pinning the connection. · *Defaults seeded for IMAP / ManageSieve / JMAP* — IMAP picks up 30 verbs (CAPABILITY, NOOP, LOGOUT, ID, STARTTLS, AUTHENTICATE, LOGIN, ENABLE, SELECT, EXAMINE, LIST, STATUS, NAMESPACE, APPEND, CHECK, CLOSE, UNSELECT, EXPUNGE, FETCH, STORE, UID, IDLE, DONE — plus the previously-undispatched SEARCH / CREATE / DELETE / RENAME / SUBSCRIBE / UNSUBSCRIBE / COPY / MOVE which default to `NO not-configured` until operator overrides); ManageSieve picks up 12 verbs (CAPABILITY, NOOP, STARTTLS, LOGOUT, AUTHENTICATE, HAVESPACE, PUTSCRIPT, LISTSCRIPTS, SETACTIVE, GETSCRIPT, DELETESCRIPT, RENAMESCRIPT); JMAP wraps the existing `opts.methods` map with a one-time deprecation audit (`mail.server.jmap.methods_opt_deprecated`) and routes through the same registry — operators migrate to `opts.overrides` with explicit budgets. · *New audit events* — `mail.serverRegistry.method_dispatch` carries `{ protocol, name, source: "builtin" | "operator-override" }` on every dispatch; `mail.serverRegistry.experimental_registration` audits opt-in off-catalogue registrations. **Migration:** *Operator impact — explicit budgets required for new overrides* — Existing JMAP `opts.methods` callers see the deprecation audit but continue to function (legacy auto-budget = 10 MiB / 30 s); existing IMAP / ManageSieve operators have no migration burden — the listener factories continue to accept the same opts shape. Operators wiring NEW overrides MUST supply explicit budgets. **References:** [RFC 9051 IMAP4rev2](https://www.rfc-editor.org/rfc/rfc9051) · [RFC 8620 JMAP Core](https://www.rfc-editor.org/rfc/rfc8620) · [RFC 8621 JMAP for Mail](https://www.rfc-editor.org/rfc/rfc8621) · [RFC 5804 ManageSieve](https://www.rfc-editor.org/rfc/rfc5804) · [RFC 2971 IMAP4 ID](https://www.rfc-editor.org/rfc/rfc2971) · [RFC 2177 IMAP IDLE](https://www.rfc-editor.org/rfc/rfc2177) · [CVE-2024-34055](https://nvd.nist.gov/vuln/detail/CVE-2024-34055) · [CVE-2026-26312](https://nvd.nist.gov/vuln/detail/CVE-2026-26312)
+- v0.10.10 (2026-05-17) — **PQC envelope completion (experimental) — JWE-PQ + dual PQ-HPKE drafts.** Two new opt-in PQC-protocol primitives behind explicit experimental namespaces: ML-KEM-1024 + XChaCha20-Poly1305 JOSE JWE and the two active PQ-HPKE drafts (connolly individual + IETF WG) with draft-isolation labels so cross-draft substitution refuses by construction. **Added:** *`b.jose.jwe.experimental.encrypt` / `.decrypt`* — RFC 7516 compact-serialization JWE with ML-KEM-1024 key encapsulation and XChaCha20-Poly1305 AEAD content encryption. Lives under `b.jose.jwe.experimental` because the JOSE PQC IANA codepoint registration (draft-ietf-jose-pqc-kem-05) hasn't finalized — the namespace name is the contract: codepoints may change between minors without affecting the framework's stable surface. Header carries `{ alg: "ML-KEM-1024", enc: "XC20P", "x-blamejs-experimental": true }`; decrypt refuses any envelope missing the experimental marker (defends a stable-system consumer that accidentally ingests an experimental envelope and treats it as IANA-compliant). Header bytes route through `b.safeJson.parse` for proto-pollution / depth / size defenses; header is byte-capped at 4 KiB. · *`b.crypto.hpke.pq.connolly.seal` / `.open` + `b.crypto.hpke.pq.wg.seal` / `.open`* — Both active PQ-HPKE drafts behind explicit opt-in: draft-connolly-cfrg-hpke-mlkem-04 (individual; codepoints today) and draft-ietf-hpke-pq-03 (WG-adopted). Each wrapper binds a draft-distinguishing label into the RFC 9180 §5.1 `info` parameter so cross-draft substitution (sealing under connolly and opening as wg, or vice versa) refuses by construction — the derived AEAD key diverges and Poly1305 verify fails. Both compose the existing `b.crypto.hpke.seal` / `.open` core (ML-KEM-1024 KEM + HKDF-SHA3-512 + ChaCha20-Poly1305 per project PQC-first policy); the wrappers add the draft-isolation label without touching the wire-format primitives. · *New `jose` audit namespace* — Emits `jose.jwe.experimental.encrypt` / `jose.jwe.experimental.decrypt` events on every envelope. Defers COSE-PQ signatures (pending IANA codepoint registration for draft-ietf-cose-pqc-*), the JWE JSON serialization variant (compact-only at this experimental tier), and FIPS 203 KAT test vectors against the vendored bundle (functional parity is established by the existing hybrid-KEM verify path). **Migration:** *Operator impact — stable surface unaffected, experimental opt-in only* — No breaking changes. The stable `b.crypto.hpke.seal` and the existing `b.crypto.encrypt` envelope shape are unaffected. Operators integrating against systems speaking one of the active PQ-HPKE drafts use the explicit `.pq.connolly` / `.pq.wg` paths; operators wanting IANA-final codepoints wait for graduation to the stable surface (one-minor deprecation window will ship when IANA registration lands). The framework refuses to silently pick a winner between the two drafts. **References:** [draft-ietf-jose-pqc-kem-05](https://datatracker.ietf.org/doc/draft-ietf-jose-pqc-kem/) · [draft-connolly-cfrg-hpke-mlkem-04](https://datatracker.ietf.org/doc/draft-connolly-cfrg-hpke-mlkem/) · [draft-ietf-hpke-pq-03](https://datatracker.ietf.org/doc/draft-ietf-hpke-pq/) · [RFC 9180 HPKE](https://www.rfc-editor.org/rfc/rfc9180.html) · [RFC 7516 JWE](https://www.rfc-editor.org/rfc/rfc7516.html) · [FIPS 203 ML-KEM](https://csrc.nist.gov/pubs/fips/203/final) · [draft-irtf-cfrg-xchacha XChaCha20-Poly1305](https://datatracker.ietf.org/doc/draft-irtf-cfrg-xchacha/)
+- v0.10.9 (2026-05-17) — **Ergonomic helpers bundle — `b.safePath`, `b.bootGates`, shadow metrics, cert reload, render groups, ISO timestamps.** Six small DX primitives bundled into one release: path-traversal-safe resolve, sequential boot-invariant runner, namespaced shadow metrics registry, per-instance `agent.reloadCerts`, group-sectioned metrics text format, and ISO-8601 timestamp render-eligibility. **Added:** *`b.safePath.resolve` / `.resolveOrNull` / `.validate`* — Path-traversal-safe multi-segment resolve. Refuses absolute / UNC / drive-letter `rel`, NUL bytes, C0 control chars, bidi-override codepoints (CVE-2021-42574 Trojan Source class), URL-encoded + fullwidth + division-slash path separators, Windows reserved device names CON / PRN / AUX / NUL / COM[0-9] / LPT[0-9] on EVERY platform (closes CVE-2025-27210 cross-mount class), trailing-`.`/trailing-space segments under windows-mode, NTFS Alternate Data Stream markers (CVE-2024-12217 class), and `..` segments that escape `base` after lexical resolve. Optional `opts.realpath: true` adds symlink-escape detection via `fs.realpathSync.native`. Every documented failure mode produces a coded refusal (`safe-path/absolute-rel` / `null-byte` / `bidi` / `win-reserved` / `escapes-base` / etc.); no best-effort path. · *`b.bootGates.run([{ name, fn, timeoutMs?, exitCode?, onFail? }], opts?)`* — Sequential boot-invariant runner. Each gate runs in order; on first failure: emits `bootgates.failed` audit, runs the gate's `onFail` callback (swallows + audits onFail throws), writes a single-line failure summary via `opts.log`, and calls the operator-supplied `opts.exit(code)`. The default `exit` throws `BootGatesError("bootgates/no-exit-wired")` rather than calling `process.exit` directly (lib/ never terminates the process — the CLI surface owns that wiring). Each gate runs under a 60s default `timeoutMs` budget configurable per-gate; overall budget via `opts.overallTimeoutMs`. · *`b.metrics.snapshot.shadowRegistry({ namespace, counters, gauges, info, cardinalityCap?, onCardinalityExceeded? })`* — Namespaced shadow registry that mirrors a subset of a primary registry's metrics for export to systems needing isolated views (sidecar / per-tenant scrape endpoint / compliance-tagged subset). Cardinality cap (default 10000 per metric name) closes the client_golang CVE-2022-21698 unbounded-cardinality DoS class; policy is `drop` (default), `audit-only`, or `refuse`. Emits `metrics.shadow.cardinality_dropped` audit (rate-limited to 1/sec per shadow registry). · *Per-instance `agent.reloadCerts({ cert, key, ca })` on `b.pqcAgent.create()`* — Long-running daemons that rotate TLS material via explicit `b.pqcAgent.create()` agents previously needed a process restart; the new instance method tests the new material via `tls.createSecureContext`, swaps `agent.options` atomically, closes idle keep-alive sockets via `agent.destroy()` (in-flight sockets complete naturally), and emits `pqcagent.reloadCerts` audit. Cert/key mismatch surfaces as `pqcagent/reload-mismatch` with the OpenSSL chain; CA bundle parse failures surface as `pqcagent/reload-bad-ca`. · *`b.metrics.snapshot.render(snap, { format: "text", groups })`* — Operator-readable text format gains an `opts.groups` map that sections the output (`== HTTP ==` / `== Queue ==` / `== TLS ==`); fields not named in any group fall to `== Other ==`. Group ordering preserved per insertion order. Prometheus / OpenMetrics formats unchanged. · *ISO-8601 date strings render-eligible in metrics text format* — Timestamps shaped as `2026-05-17T20:00:00.000Z` (length-bounded at 64 chars) now render verbatim in the text format instead of degrading to `[skipped: non-numeric]`; the Prometheus format gets a parallel `<name>_epoch_ms` gauge so downstream alerting can compute durations per OpenMetrics 1.0 §3.4 (Timestamps MUST be float64 Unix-epoch). Non-ISO strings continue to skip in Prometheus (label-value injection defense). New audit namespaces `bootgates` and `metrics`. **Migration:** *Operator impact — wire `opts.exit` for `b.bootGates.run`* — No breaking changes. `b.bootGates.run` callers MUST supply `opts.exit: process.exit.bind(process)` from their daemon main() if they want the failure path to terminate the process — the default-throw shape exists so lib/-internal callers can't accidentally `process.exit` from inside a primitive. `b.safePath.resolve` is a brand-new primitive; existing code is unaffected. **References:** [Node.js path.resolve docs](https://nodejs.org/api/path.html#pathresolvepaths) · [CVE-2025-27210 Windows device-name bypass](https://nvd.nist.gov/vuln/detail/CVE-2025-27210) · [CVE-2024-12217 NTFS ADS](https://nvd.nist.gov/vuln/detail/CVE-2024-12217) · [CVE-2021-42574 Trojan Source](https://nvd.nist.gov/vuln/detail/CVE-2021-42574) · [CVE-2022-21698 Prometheus cardinality DoS](https://nvd.nist.gov/vuln/detail/CVE-2022-21698) · [OpenMetrics 1.0 spec](https://github.com/prometheus/OpenMetrics/blob/v1.0.0/specification/OpenMetrics.md) · [CVE-2026-21637 SNI sync-throw](https://nvd.nist.gov/vuln/detail/CVE-2026-21637)
+- v0.10.8 (2026-05-17) — **EU AI Act Art. 50 + AB-853 + CAC implicit label + AIBOM + operator-surfaced DX primitives.** Calendar-bound release ahead of the 2026-08-02 EU AI Act Art. 50 transparency / California SB-942-as-amended-by-AB-853 effective date and the live (2025-09-01) China CAC GB 45438-2025 labeling regime. Three new AI-transparency surfaces plus three operator-surfaced DX primitives (issues #91 / #92 / #93). **Added:** *`b.ai.aiContentDetect.report` — inbound-asset provenance detector* — Operators extract C2PA-COSE envelopes / CAC implicit-label JSON / IPTC PhotoMetadata via their format-specific muxer and feed the artifacts to `report({...})`; the framework verifies signatures, anchors against an operator-pinned trust list, and returns a normalized provenance report for the AB-853 §22757.21 disclosure UI. Trust-list-empty surfaces as an alert rather than silent acceptance. Profile / posture cascade: `ca-ab-853`, `ca-sb-942`, `eu-ai-act-art-50`, `cac-genai-label` pin to `strict` (refuse on signer not on trust list); `nist-ai-600-1`, `iso-42001`, `iso-23894`, `nist-ai-rmf` pin to `balanced`. · *`b.contentCredentials.cacImplicitLabel` + `.cacImplicitLabelRead`* — China CAC (Cyberspace Administration) labeling measures for synthetic content produced by generative models + mandatory standard GB 45438-2025 implicit metadata emitter and reverse parser. Validates the 18-character Chinese unified social credit code (per GB 32100-2015), `aigcMarker` field, and `contentKind` enum at the config-time tier. Operators co-emit alongside the C2PA-COSE manifest by declaring `cac-genai-label` posture on the existing `b.contentCredentials.build`. · *`b.ai.modelManifest.build` / `.sign` / `.verify` — CycloneDX 1.6 ML-BOM* — EU AI Act Art. 11 + Annex IV require technical documentation for high-risk AI systems; CycloneDX 1.6 ML-BOM is the de-facto serialization (and forward-positioned for EU CRA 2027-12-11 — Regulation (EU) 2024/2847 requires SBOM-style documentation for AI components in products with digital elements). Emits `bomFormat: "CycloneDX"` + `specVersion: "1.6"` + `serialNumber` UUIDv4 URN + `metadata.timestamp` + `metadata.tools[]` + `metadata.component` (primary model with `type: "machine-learning-model"`) + `components[]` datasets + `properties[]` hyperparameters + `formulation[]` workflows + `services[]` external model APIs. ML-DSA-87 signature over canonical-JSON-1785 representation; verify path NEVER trusts an embedded `signedBytes` field — defends the CVE-2025-29774 / CVE-2025-29775 xml-crypto-style signature-substitution class. Self-validates required CycloneDX 1.6 fields at emit time. · *`b.atomicFile.conflictPath` — conflict-suffix path builder (issue #91)* — Filesystem-portable conflict-suffix path builder: `notes.md` → `notes.conflict-2026-05-17T19-30-00Z.md`; Windows-safe (no `:` / `.`), extension-preserving, dotfile-aware, optional `tag` + `suffix` disambiguator for same-second collisions. Composes the existing `b.atomicFile.pathTimestamp`. · *`b.promisePool.create` — bounded-concurrency promise pool (issue #92)* — The gap between `b.workerPool` (worker-thread CPU-bound work) and `b.queue` (durable cross-process messaging). `run(taskFn)` / `fire(taskFn)` / `drain({ close? })` shape with back-pressure on enqueue, queueLimit refusal, composes with `b.appShutdown` for drain-on-shutdown. No hidden retry — operators compose `b.retry.withRetry` inside the task body when they want it. · *`b.sdNotify` — sd_notify protocol surface (issue #93)* — `.send` / `.ready` / `.stopping` / `.reloading` / `.watchdog` for systemd Type=notify daemons. Reads `$NOTIFY_SOCKET` via `b.parsers.safeEnv.readVar`, dispatches `READY=1` / `STOPPING=1` / `RELOADING=1` / `WATCHDOG=1` via `systemd-notify(1)` with `execFile` (no shell). No-op (with audit) when `$NOTIFY_SOCKET` is unset (foreground / container / non-systemd init). Compose with `b.appShutdown.create` for the STOPPING signal; compose with a periodic watchdog interval for systemd's auto-restart-on-hang guarantee. · *`b.crypto.randomInt` substrate exported* — Exported alongside the AIBOM UUID generator to give the new code a single greppable random-int path. · *New compliance postures* — `ca-ab-853`, `ca-sb-942`, `eu-ai-act-art-50`, `eu-ai-act-art-11`, `cac-genai-label`, `nist-ai-600-1`, `nist-ai-rmf`, `iso-42001`, `iso-23894` across `b.contentCredentials` / `b.ai.aiContentDetect` / `b.ai.modelManifest`. New audit namespaces: `aibom` (aibom.signed / aibom.verified), `aicontentdetect` (aicontentdetect.report), `sdnotify` (sdnotify.send / sdnotify.send.skipped). **Migration:** *Operator impact — pin trust list, runway to 2027-01-01* — No breaking changes. Operators already declaring `eu-ai-act-art-50` posture should pin a trust list via the new primitive before turning on default-on detection in production; AB-853 §22757.21 platform-detection obligations are 2027-01-01 effective so there's runway. In-tree IPTC PhotoMetadata reader for `digitalSourceType` field defers to a follow-up release — operators pre-parse with their tool of choice and pass via `opts.ipmd`. **References:** [EU AI Act Regulation (EU) 2024/1689](https://eur-lex.europa.eu/eli/reg/2024/1689) · [California SB-942 + AB-853](https://leginfo.legislature.ca.gov/faces/billNavClient.xhtml?bill_id=202320240SB942) · [CAC GB 45438-2025](https://www.cac.gov.cn/2025-03/14/c_1742700786675936.htm) · [C2PA 2.2 spec](https://c2pa.org/specifications/specifications/2.2/) · [CycloneDX 1.6 ML-BOM](https://cyclonedx.org/docs/1.6/json/) · [OWASP CycloneDX AI/ML-BOM Authoritative Guide](https://owasp.org/www-project-cyclonedx/) · [NIST AI 600-1 Generative AI Profile](https://nvlpubs.nist.gov/nistpubs/ai/NIST.AI.600-1.pdf) · [ISO/IEC 42001:2023](https://www.iso.org/standard/81230.html) · [systemd-notify(1)](https://www.freedesktop.org/software/systemd/man/latest/systemd-notify.html) · [CVE-2025-29774](https://nvd.nist.gov/vuln/detail/CVE-2025-29774) · [CVE-2025-29775](https://nvd.nist.gov/vuln/detail/CVE-2025-29775) · [CVE-2025-32711 EchoLeak](https://nvd.nist.gov/vuln/detail/CVE-2025-32711)
+- v0.10.7 (2026-05-17) — **Mail-stack P3 / P4 hardening sweep.** Twenty-plus refusals + observability additions across the four mail listeners, the DKIM verifier, ARC signer, MIME parser, and the DNS / DSN / List-* guards. One substrate addition (`b.crypto.randomInt`); two new operator-visible opts on the submission listener. **Added:** *`b.crypto.randomInt(min, max)` substrate wrapper* — Routes every framework integer draw through one greppable primitive. Migrates the inline `nodeCrypto.randomInt` sites in `b.network.dns` / `b.network.dns.resolver` (DNS query-ID), `b.mail.auth` (DMARC `pct` sampling), and `b.externalDb` (transaction-retry jitter) so the audit trail is uniform and future detectors see one shape. · *`b.mail.server.submission.create({ requireDkim, dkimRequireMode })`* — Outbound DKIM-required gate per Yahoo / Google 2024 bulk-sender alignment. `requireDkim` defaults `true` under `strict` profile (`false` under `balanced` / `permissive`). `dkimRequireMode` is `"self"` (signer's `d=` must match authenticated identity's domain), `"any"` (any signer present), or `"off"` (no gate). Default `"any"`. Submission listener that doesn't carry a `DKIM-Signature:` header at DATA-end refuses with `5.7.20`. · *`b.mail.server.{mx,submission}.create({ allowSmtpUtf8 })`* — Single per-listener SMTPUTF8 (RFC 6531) switch threaded end-to-end into `guardSmtpCommand.validate`. Default `false`. Operators that accept EAI envelopes flip to `true` and the toggle reaches every wire-line guard call. **Changed:** *DKIM verifier signature-count cap* — `b.mail.dkim.verify` now refuses (`policy` verdict) rather than silently truncating when a message carries more `DKIM-Signature` headers than `maxSignatures` (default 8). The opt is range-checked at config time against a ceiling of 16; out-of-range throws `dkim/bad-max-signatures`. Closes a verifier-fan-out DoS shape per RFC 6376 §6.1. Emits `dkim.verify.signature_count_cap` audit on the refusal so postmasters see DoS attempts in the authentication-results stream. · *MX listener size-overrun + observability* — `MAIL FROM SIZE=` is now reconciled against the actual DATA byte count after dot-stuffing reversal — senders that understate `SIZE=` to probe `maxMessageBytes` get `552 5.3.4` rather than silently accepted, with `mail.server.mx.size_overrun` audit. Refused-recipient list (bounded at 32 per transaction) now surfaces in the `data_accepted` / `delivered` audit metadata. Write-backpressure on every reply attaches a once-per-socket `mail.server.mx.write_backpressure` audit so operators see stalled connections without flooding on every reply. · *ARC signer hop-count ceiling* — `b.mail.arc.sign` extracts prior hops with the RFC 8617 §5 50-hop cap; an inbound chain claiming >50 hops or an out-of-range `i=` tag is refused rather than enumerated. · *`b.safeMime` charset coverage + observability* — `b.safeMime.parse` now decodes `utf-16` (RFC 2781 §3.3 BOM detection + BE default), `utf-16be`, and `utf-16le` end-to-end — the prior shape advertised `utf-16` / `utf-16be` in the allowlist but only decoded `utf-16le`. `binary` Content-Transfer-Encoding is removed from the default allowlist (RFC 3030 §3 — `binary` requires explicit BINARYMIME negotiation; operators that wire BINARYMIME opt back in via `transferEncodingAllowlist: [..., "binary"]`). Control-character refusal errors now report the BYTE offset (via `Buffer.byteLength` on the JS string prefix) rather than the UTF-16 code-unit index, so audit lines align with wire-level inspection. · *`b.mailStore` JMAP objectid bump to 128 bits* — RFC 8474 §1.5.1 — the prior 24-char hex prefix cut entropy to 96 bits; full 32-char hex restores 128 bits. **Fixed:** *IMAP `APPEND` date-time + `FETCH` / `STORE` state + `LOGIN` quoted escape* — `APPEND mailbox [flags] [date-time] {literal}` now honors the optional RFC 9051 §6.3.12 date-time argument (parsed into `internalDate` ms-epoch, refused with `BAD` rather than silently falling back to `Date.now()`). `FETCH` / `STORE` outside of Selected state now respond `BAD` (RFC 9051 §6.4.5 / §6.4.6 — protocol-context violation, not policy refusal). `LOGIN` quoted-string args honor `\"` / `\\` escape pairs per the RFC 9051 §5.1 grammar (the prior shape terminated at the first `"`, letting a hostile client smuggle `LOGIN "alice\"@example.com" "pw"` past the username binding). · *DKIM / DMARC / ARC / iPrev / DSN tightening* — `b.guardDsn` splits the RFC 3464 §2.1.1 block separator on literal `\r\n\r\n` only (the prior `\n\s*\n` accepted `\v` / `\f` whitespace as a block boundary, letting a hostile sender bend the per-message vs per-recipient boundary). `b.guardMessageId` now validates id-left + id-right against RFC 5322 §3.2.3 dot-atom-text shape under `strict` profile; `b.guardListId` extends the localhost FQDN exception to `.local` (RFC 6762) and `.lan` (draft-chapin-rfc2606bis). · *`b.guardListUnsubscribe` SSRF defense* — HTTPS one-click URIs now refuse IP-literal hosts (v4 + v6), reserved-local hostnames (`localhost` / `localhost.localdomain` / `ip6-localhost` / `ip6-loopback`), and reserved-local TLD suffixes (`.local` / `.lan` / `.internal`). New optional `allowedHosts` opt provides a domain allowlist — when supplied, every HTTPS host (or any ancestor) must be on the list. **Migration:** *Operator impact — submission DKIM gate, header / DSN refusals, MIME charset* — Submission listeners on `strict` profile WITHOUT operator-side DKIM signing (`b.mail.dkim.sign` pre-relay) now refuse outbound DATA — operators in this state either wire DKIM signing, opt to `dkimRequireMode: "off"`, or step down to `balanced`. `b.mail.dkim.verify` callers passing `maxSignatures > 16` now throw at config time — clamp via the opt or rely on the framework default. `b.safeMime.parse` callers that legitimately receive `binary` Content-Transfer-Encoding (BINARYMIME-aware downstream pipelines) opt back in via `transferEncodingAllowlist`. `b.guardListUnsubscribe.validate` callers that legitimately rely on IP-literal one-click URIs (test harnesses, internal-network operators) opt in via `allowedHosts: ["10.0.0.0/8"]` style ancestor matches. Per-tenant pepper on `b.mailStore` derived hashes (`from_hash` / `message_id_hash`) ships in a later release alongside the `b.agent.tenant` adoption refactor; the schema migration is too invasive to fold into this patch. **References:** [RFC 9051 IMAP4rev2](https://www.rfc-editor.org/rfc/rfc9051) · [RFC 6376 DKIM §6.1](https://www.rfc-editor.org/rfc/rfc6376#section-6.1) · [RFC 6531 SMTPUTF8](https://www.rfc-editor.org/rfc/rfc6531) · [RFC 3030 BINARYMIME](https://www.rfc-editor.org/rfc/rfc3030) · [RFC 2781 UTF-16 BOM](https://www.rfc-editor.org/rfc/rfc2781) · [RFC 1870 SMTP SIZE](https://www.rfc-editor.org/rfc/rfc1870) · [RFC 8474 JMAP objectid](https://www.rfc-editor.org/rfc/rfc8474) · [RFC 8617 ARC §5](https://www.rfc-editor.org/rfc/rfc8617#section-5) · [RFC 3464 DSN §2.1.1](https://www.rfc-editor.org/rfc/rfc3464#section-2.1.1) · [RFC 5322 Message Format §3.2.3](https://www.rfc-editor.org/rfc/rfc5322#section-3.2.3) · [RFC 6761 Reserved Domain Names](https://www.rfc-editor.org/rfc/rfc6761) · [Yahoo / Gmail bulk-sender 2024](https://blog.google/products/gmail/gmail-security-authentication-spam-protection/)
+- v0.10.6 (2026-05-17) — **Vendored-SBOM CycloneDX 1.6 conformance + cosign verification recipe pin.** Build-side + verification-side improvements with no runtime changes. The vendored SBOM emitter now produces CPE-matched components with proper supplier attribution + transitive sub-component graphs; the Sigstore-keyless verification recipe constrains the certificate identity to the specific workflow file + tag-ref shape. **Added:** *Per-component `cpe` field in `scripts/build-vendored-sbom.js`* — Every vendored bundle gets a CPE 2.3 string (`cpe:2.3:a:<vendor>:<product>:<version>:*:*:*:*:*:*:*`). CISA / NVD CVE-matching tools (Dependency-Track, OWASP Dependency-Check, Snyk SBOM Monitor) match CVE advisories against components by CPE; the prior emit had no CPE field, so vendored bundles were invisible to operator-side CVE scanners. · *Per-component `supplier` block* — `metadata.supplier` (framework-level) was already populated; each vendored bundle now also carries its own `components[].supplier` with the upstream maintainer / org per SLSA v1.0 provenance requirements — operators auditing the SBOM see both the framework supplier (blamejs) AND the vendored bundle's upstream supplier (noble-curves, noble-ciphers, etc.) at the component level. · *`metadata.lifecycles[].externalReferences[]`* — CycloneDX 1.6 §4.4.2 requires `lifecycles` entries to carry build-provenance references (workflow URL, run ID); the npm-publish workflow now populates these so the SBOM points back at the SLSA-attesting workflow run that produced the tarball. · *Sub-component `dependsOn` graph* — When a vendored bundle exposes sub-components (e.g. `noble-ciphers` exports `xchacha20poly1305` + `aes-gcm` as named sub-modules), each sub-component now emits its own SBOM entry with a `dependencies` edge pointing to its parent (CycloneDX 1.6 §4.7). Operators get the full transitive graph instead of just the top-level vendored bundle. **Changed:** *`SECURITY.md` cosign verification recipe pinned to workflow path + tag-ref* — The operator-side recipe now constrains `cosign verify-blob --certificate-identity-regexp` to the specific workflow file (`.github/workflows/npm-publish.yml`) + tag-ref shape (`refs/tags/v[0-9]+\.[0-9]+\.[0-9]+`), refusing certificates issued for any other workflow or ref class. Also documents `--rekor-url` for operators running on an air-gapped network with a local transparency log + offline TUF root path for `cosign initialize --root <local-root.json>`. · *`.github/workflows/npm-publish.yml` recipe comment synchronized* — The in-workflow comment matches the SECURITY.md recipe so operators copy-pasting from either source see identical verification steps. **Fixed:** *`_licenseFor()` inline-path fix* — The path-resolution branch that handles vendored bundles whose `package.json` is under `lib/vendor/<name>/package.json` now correctly returns the SPDX `license.id` (was returning `null` for that branch, causing CycloneDX-validator warnings). **Migration:** *Operator impact — SBOM CPE matching + tighter Sigstore identity* — SBOM consumers that previously saw vendored bundles as opaque now see CPE-matched components with proper supplier attribution + transitive sub-component graph. The Sigstore-keyless verification recipe is more restrictive (rejects certificates issued for non-`npm-publish.yml` workflows on this repo) — operators already verifying against the prior recipe see the same successful verification with the tighter identity match. **References:** [CycloneDX 1.6 spec](https://cyclonedx.org/docs/1.6/json/) · [CPE 2.3 spec (NIST IR 7695)](https://nvlpubs.nist.gov/nistpubs/Legacy/IR/nistir7695.pdf) · [SLSA v1.0 provenance](https://slsa.dev/spec/v1.0/provenance) · [Sigstore cosign verify-blob](https://docs.sigstore.dev/cosign/verifying/verify/) · [TUF specification](https://theupdateframework.github.io/specification/latest/)
+- v0.10.5 (2026-05-16) — **`b.mail.server.pop3` APOP cleartext refusal + `b.vendorData` constant-time digest compares.** Two small entry-tier refusals on the mail and vendor-data surfaces. POP3 APOP joins USER / PASS in the cleartext-credentials refusal; `b.vendorData` boot-time digest compares run constant-time. **Fixed:** *`b.mail.server.pop3._handleApop` refuses APOP over cleartext* — Refuses APOP when the connection is cleartext and the profile is not permissive, symmetric with the existing USER / PASS refusal. APOP transmits `MD5(timestamp+secret)` (not cleartext credentials), but an attacker who captures the digest plus the known greeting timestamp can mount an offline dictionary attack against the shared secret. RFC 1939 §7 explicitly warns about this; the wire MUST be TLS-protected to deny the offline-attack vector. Emits the same `mail.server.pop3.auth_refused_cleartext` audit event + writes `-ERR APOP refused over cleartext (use STLS first; RFC 1939 §7)`. The cleartext-refusal line was advertised in the v0.10.4 release notes but the wire-level enforcement only lands here; operators relying on v0.10.4 saw the comment but not the runtime gate. · *`b.vendorData.verifyAll()` boot-time digest compares run constant-time* — SHA-256 layer 1, SHA3-512 layer 2, and the SLH-DSA-SHAKE-256f pubkey-fingerprint cross-check now compare via a length-prechecked `nodeCrypto.timingSafeEqual` instead of `!==`. The framework convention is that every digest / MAC compare is constant-time regardless of whether the value is a secret — reaching for `!==` whenever a value "isn't a secret" is the smell; the convention is the gate. Uses `nodeCrypto.timingSafeEqual` directly (not `b.crypto.timingSafeEqual`) because `b.crypto` is `lazyRequire`'d to break a circular load chain and isn't available during boot-time `verifyAll()`. **Migration:** *Operator impact — POP3 APOP requires STLS first* — APOP users on plaintext POP3 (port 110) without STLS first now get `-ERR` instead of authenticating — the operator either wires STLS, switches the listener to implicit TLS (port 995), or sets `profile: "permissive"` for the deliberately-open path. `b.vendorData` consumers see no behavioral change — the timing-safe compare returns the same boolean as `!==` for length-equal inputs. **References:** [RFC 1939 §7 POP3 Security](https://www.rfc-editor.org/rfc/rfc1939#section-7) · [CWE-208 Observable Timing Discrepancy](https://cwe.mitre.org/data/definitions/208.html) · [NIST SP 800-38B §6.3 MAC verification](https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-38B.pdf)
+- v0.10.4 (2026-05-16) — **Mail-protocol hardening across the four listener primitives.** Ten refusals + two new operator-visible opts spanning `b.mail.server.{mx,submission,imap,pop3}`, `b.mail.server.rateLimit`, `b.safeMime`, and `b.guardListUnsubscribe`. Addresses residual gaps in inbound RCPT enumeration, header-count amplification, POP3 UPDATE-state commit timeouts, list-unsubscribe URI shape, and the per-listener auth-failure / connection-rate maps. **Added:** *`b.mail.server.rateLimit.checkRcptAdmit(ip)` + `noteRcptFailure(ip)`* — New per-IP RCPT-failure budget (default 50/min, rolling 60s window) wired into the MX + submission listeners. RFC 5321 §3.5 enumeration class: an attacker probing `RCPT TO:` to map valid recipients now trips the budget after 50 failures and gets `421` for the next minute. Operators tune via `rateLimit.create({ rcptFailuresPerMinute, rcptWindowMs })`. · *`b.safeMime.parse({ maxHeaderCount })` opt* — Default 512. Bounded header-count cap prevents `From: ...\r\nSubject: ...\r\n` × 100k header-list amplification in operator pipelines that pass full RFC 5322 messages through `safeMime.parse`. Refused with `safe-mime/too-many-headers` when exceeded. · *`b.mail.server.pop3.create({ commitTimeoutMs })` opt* — Default `C.TIME.seconds(30)`. POP3 UPDATE-state commit (DELE materialization) now runs under `safeAsync.withTimeout` so a hung commit can no longer pin the connection past `idleTimeoutMs`. Past the cap, the connection gets `421` and the in-flight DELE batch is rolled back (RFC 1939 §6 — UPDATE state aborts on transport failure). **Fixed:** *`b.guardListUnsubscribe.validate` refuses empty `<>` URI lists* — Per RFC 2369 §3.1 the `List-Unsubscribe` header value `<>` is a smuggled-empty class that downstream mail-renderers may interpret as an active unsubscribe link to the local-origin. · *`b.mail.server.rateLimit` GC sweep over `connectionTimes`* — The previously asymmetric `connectionTimes` Map (filled in `noteConnection`, never explicitly cleaned) now sweeps empty arrays alongside the existing `authFailureTimes` cleanup. Closes a CWE-770 unbounded-memory class for long-running mail servers seeing transient IP fan-in. · *`b.mail.server.imap` `_close()` writes `state.stage = "closed"`* — The drain-loop guard was previously unreachable because the close path didn't update the state machine. Operators on the older path saw `state.stage === "authenticated"` linger after socket close; the new path resolves cleanly. · *`b.mail.server.imap` per-line cap before `Buffer.concat`* — Closes a CWE-770 unbounded-`Buffer.concat` class on the IMAP line accumulator (the cap was applied AFTER concat, so a malicious peer could send 10 GiB of unterminated tag bytes and the listener would allocate before refusing). Per-line cap now gates the concat. · *`b.mail.server.pop3` `_handleApop` cleartext refusal* — APOP gets the same `!state.tls && profile !== "permissive"` refusal as USER / PASS, closing the cleartext-credentials gap symmetric to the other auth verbs (RFC 1939 §7 APOP MD5 is also cleartext in transit). · *`b.mail.server.pop3` RETR / TOP dot-stuffing via `safeSmtp.dotStuff(buf)`* — The prior `.replace(/^\./gm, "..")` on a JS string treats bare LF as a line boundary, so bodies containing bare-LF lines starting with `.` gained spurious stuffing that the receiver's strict-CRLF parser couldn't undo. Routes through the byte-level dot-stuffer that only recognizes canonical `\r\n` (RFC 1939 §3 / RFC 5321 §4.5.2). · *`b.mail.store` deletion atomicity* — Sealed deletion no longer leaves partial state when the in-memory delete succeeds but the disk flush fails (CWE-707 transactional integrity). · *`b.mail.server.submission` cleartext-AUTH audit captures mechanism* — The `auth_success` audit emit captures the `mechanism` field before nulling `authPending` (was recording `null`); operators tailing the audit log now see which SASL mechanism succeeded. **Detectors:** *Rate-limit admit-check shape across mail listeners* — New `family-subset` entry covering the rate-limit admit-check shape across `mail-server-{imap,mx,submission}` so the contract is enforced at every listener (every primitive that opens a peer socket on a mail port must consult the rate limiter before sending the greeting). **Migration:** *Operator impact — new opts default applied retroactively* — `b.mail.server.rateLimit` consumers see a new public surface (`checkRcptAdmit` / `noteRcptFailure`); existing operators who don't wire these get the framework default (50/min). `b.safeMime.parse` callers with >512-header messages now get `safe-mime/too-many-headers` — operators with bespoke headers (DMARC aggregate reports can run into hundreds of `Authentication-Results`) opt up via `maxHeaderCount: 4096` per call. POP3 operators see a new `commitTimeoutMs` opt — default applies retroactively. **References:** [RFC 5321 §3.5 SMTP](https://www.rfc-editor.org/rfc/rfc5321#section-3.5) · [RFC 5322 Message Format](https://www.rfc-editor.org/rfc/rfc5322) · [RFC 1939 POP3](https://www.rfc-editor.org/rfc/rfc1939) · [RFC 2369 §3.1 List-Unsubscribe](https://www.rfc-editor.org/rfc/rfc2369#section-3.1) · [CWE-770 Allocation of Resources Without Limits](https://cwe.mitre.org/data/definitions/770.html) · [CWE-707 Improper Neutralization](https://cwe.mitre.org/data/definitions/707.html)
+- v0.10.3 (2026-05-16) — **`b.crypto` hardening — three entry-tier refusals on hot paths.** Three small entry-tier refusals on `b.crypto.timingSafeEqual`, `b.crypto.hashCertFingerprint`, and `b.crypto.namespaceHash` close prototype-pollution coercion, polynomial-ReDoS, and log-injection shapes on hot paths. **Fixed:** *`b.crypto.timingSafeEqual` rejects non-Buffer / non-string inputs* — Previous `Buffer.from(String(x))` coercion let a prototype-pollution-influenced caller (an Object whose `toString` returns attacker-chosen bytes) redirect the compare through bytes unrelated to the supplied value. Now throws `TypeError` at the entry boundary; string args use explicit `Buffer.from(s, "utf8")` instead of bare coercion. · *`b.crypto.hashCertFingerprint` caps PEM input at 64 KiB* — The `/-----BEGIN .+? -----END/` lazy-quantifier on this hot path (mTLS bootstrap / webhook verification / peer-cert pinning) is polynomial-ReDoS-class on multi-MB attacker-controlled input. 64 KiB covers a P-384 cert + full chain at ~3× margin; larger inputs throw `TypeError` before the regex runs. · *`b.crypto.namespaceHash` refuses CR / LF in string-typed `value`* — Closes a log-injection / record-separator surface where an attacker-controlled HTTP header (e.g. `Idempotency-Key`) could smuggle line-break bytes into any consumer that logs the value verbatim before hashing (debug paths, audit envelopes, derived-column shadow logs). NUL is NOT refused — multiple internal callers (`b.agent.idempotency` / `b.mail.greylist` / `b.middleware.composePipeline`) use NUL as a composite-key separator, and NUL is not a log-injection byte in any standard logger. `Buffer` / `Uint8Array` inputs remain operator-side opaque bytes by contract — `namespaceHash` digests them as raw bytes, not as text, so the control-char gate does not apply there either. **Migration:** *Operator impact — entry-tier throws on coerced / oversized / line-break inputs* — Any caller passing a number / Object / boolean to `b.crypto.timingSafeEqual` now throws at the entry boundary instead of silently comparing coerced bytes — the API contract was already documented as Buffer-or-string, this enforces it. PEM strings larger than 64 KiB to `b.crypto.hashCertFingerprint` now throw — operators with bespoke multi-cert bundles split the inputs before calling. `namespaceHash` callers passing strings with embedded CR / LF now throw — operators ingesting attacker-influenced text validate / strip line-break bytes at the boundary, or hash opaque bytes via `Buffer` / `Uint8Array`. **References:** [OWASP Log Injection](https://owasp.org/www-community/attacks/Log_Injection) · [CWE-117 Improper Output Neutralization for Logs](https://cwe.mitre.org/data/definitions/117.html) · [CWE-1333 ReDoS](https://cwe.mitre.org/data/definitions/1333.html) · [CodeQL js/polynomial-redos](https://codeql.github.com/codeql-query-help/javascript/js-polynomial-redos/)
+- v0.10.2 (2026-05-16) — **CVE backstops layered on top of v0.10.0.** Five additional refusals across `b.guardRegex`, `b.otelExport`, `b.guardXml`, `b.guardGraphql`, plus a host-side ingress route for `b.cli`. Every change is opt-out (refusal at every profile); no API removals. **Added:** *`b.guardRegex` glob-shape detectors with explicit `inputKind` gate* — New `consecutiveStarPolicy` + `nestedExtglobPolicy` (defaults `"reject"`) + `maxConsecutiveStars` (default 2) + `inputKind: "regex" | "glob"` (default `"regex"`). The glob-shape detectors fire ONLY when the caller passes `inputKind: "glob"` — ECMAScript regex syntax cannot produce `***` (SyntaxError) and the extglob heads `*(`/`+(`/`?(`/`@(`/`!(`  collide with valid `quantifier + capturing group` shapes, so applying these detectors to regex inputs is false-positive territory. Callers handling glob fragments (picomatch / micromatch-style patterns) opt in via `inputKind: "glob"` and get refusals for >=3 consecutive `*` metacharacters (CVE-2026-26996 — O(4^N) backtracking on non-matching literal) and for any extglob whose body contains another extglob (CVE-2026-33671 — picomatch nested-quantifier backtracking). `**` recursive-glob stays permitted under `maxConsecutiveStars: 2`. · *`b.cli --ignore` ReDoS ingress closure* — `cli --ignore <pattern>` arguments route through `b.guardRegex.sanitize({ profile: "strict" })` before reaching `new RegExp(pattern)`. Strict-profile refusal of nested-quantifier / lookaround-quantifier / unbounded-bounded-repeat shapes still applies in default `inputKind: "regex"` mode, closing the host-side surface for the classic ReDoS classes. · *`b.otelExport.flush()` response cap* — Every outbound OTLP request now pins `maxResponseBytes: 1 MiB` + a typed `errorClass`, so a malicious / misconfigured collector cannot exhaust memory in the export loop (CVE-2026-40891 / CVE-2026-40182 class). · *`b.guardXml` numeric-character-reference fan-out cap* — New `maxNumericCharRefs` opt (strict 1024 / balanced 16384 / permissive 262144). NCRs are counted independently of `entityPolicy`, so a signed-XML path that legitimately permits entity expansion cannot accidentally disable the NCR cap (CVE-2026-26278 / CVE-2026-33036 — billion-NCR fan-out class). · *`b.guardGraphql` prototype-pollution refusal* — Refuses `__proto__` / `constructor` / `prototype` as top-level variable keys (`Object.prototype.hasOwnProperty.call(variables, ...)` check, sidesteps a poisoned-prototype `in` lookup) AND as field / alias / `$variable` identifiers in the query body, including the no-whitespace alias form `query { a:__proto__ }` (the colon is a valid identifier-position prefix). Refused at every profile, severity `critical` (CVE-2026-32621 class). **Changed:** *`b.auth.sdJwtVc.present()` defense-in-depth comment* — Documents that the holder-side pre-parse of `_sd_alg` reads from unsigned bytes safely because `verify()` re-parses from the cryptographically-verified signing input; no behavioral change. · *Operator impact summary* — Existing operators see no change in default behavior — the new glob detectors are opt-in via `inputKind: "glob"`. Operators wiring `b.guardRegex` over glob fragments (file-pattern allowlists, rsync-style rules) opt in and get the CVE-2026-26996 / -33671 refusals; opt back out per call via `consecutiveStarPolicy: "allow"` / `nestedExtglobPolicy: "allow"`. `b.guardXml` operators on signed-XML pipelines opt out via `maxNumericCharRefs: Infinity` if they bound NCRs upstream. GraphQL variable / query-body refusals are not opt-out — `__proto__` / `constructor` / `prototype` are never legitimate identifiers in operator-supplied input. **Fixed:** *Regression coverage in exploit corpus* — `test/fixtures/exploit-corpus/corpus.json` gains four entries: glob-mode positive refusal for `***+nonmatch` and `*(*(a))`, regex-mode pass for `a*(b+(c))` (false-positive class the design refused to ship), and the colon-prefix GraphQL alias `query { a:__proto__ }`. **References:** [CVE-2026-26996](https://nvd.nist.gov/vuln/detail/CVE-2026-26996) · [CVE-2026-33671](https://nvd.nist.gov/vuln/detail/CVE-2026-33671) · [CVE-2026-40891](https://nvd.nist.gov/vuln/detail/CVE-2026-40891) · [CVE-2026-40182](https://nvd.nist.gov/vuln/detail/CVE-2026-40182) · [CVE-2026-26278](https://nvd.nist.gov/vuln/detail/CVE-2026-26278) · [CVE-2026-33036](https://nvd.nist.gov/vuln/detail/CVE-2026-33036) · [CVE-2026-32621](https://nvd.nist.gov/vuln/detail/CVE-2026-32621) · [picomatch CVE-2024-4067 family](https://nvd.nist.gov/vuln/detail/CVE-2024-4067) · [OWASP ReDoS](https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS) · [OWASP XXE / Billion Laughs](https://owasp.org/www-community/vulnerabilities/XML_Entity_Expansion) · [GraphQL Server Security Best Practices](https://www.apollographql.com/docs/router/configuration/overview/)
+- v0.10.1 (2026-05-16) — **First npm-published v0.10.x artifact.** v0.10.0 was tagged and released on GitHub but its npm-publish workflow OOM'd at the lint+smoke gate (default Node ~4GB heap could not load the expanded mail-stack + audit-fix test surface). v0.10.1 ships the workflow fix; no runtime or API changes from v0.10.0. **Fixed:** *npm-publish workflow heap headroom* — Adds `NODE_OPTIONS=--max-old-space-size=8192` to the workflow's smoke step so the parent process gets the same headroom the forked test workers already get. No runtime / API changes from v0.10.0 — every primitive, posture, and security default ships exactly as documented in the v0.10.0 release notes. Operators who fetched the v0.10.0 git tag can re-tag from v0.10.1 (`git fetch origin v0.10.1`) to land on the npm-published commit; the framework code itself is byte-identical apart from the workflow file + version bump.
+- v0.10.0 (2026-05-16) — **Mail-stack feature-complete + cross-surface hardening.** Bundled minor closing the blamepost mail-stack roadmap (five new operator-facing namespaces) plus a multi-domain hardening across auth, crypto, vendor data, mail-protocol, mail-auth, agent substrate, and Node.js CVE backstops. Every change is read-side-compatible — existing sealed rows continue to read; new INSERTs adopt AAD-bound envelopes. **Added:** *`b.mail.server.managesieve` — RFC 5804 ManageSieve listener (TCP/4190)* — Script-management listener for MUAs to upload + activate Sieve filters. Composes `b.safeSieve.validate` for PUTSCRIPT pre-validation per §2.3 + `b.guardManageSieveCommand` + `b.mail.server.rateLimit`. State machine NOT-AUTHENTICATED → STARTTLS → AUTHENTICATED → LOGOUT. SCRAM-SHA-256 / OAUTHBEARER / EXTERNAL; PLAIN refused pre-TLS under strict. STARTTLS-injection defense (CVE-2021-38371, CVE-2021-33515, CVE-2011-0411). CAPABILITY advertises AUTH=<mech> only for operator-wired mechanisms. Script-name shape per §2.1 (1–512 octets, no NUL/CR/LF/slash — path-traversal defense). · *`b.safeIcap` + `b.mail.scan` + `b.mail.spamScore` — content-inspection suite* — safeIcap is the bounded RFC 3507 ICAP response parser (status-code allowlist refuses unexpected 1xx/3xx — header-injection class). mail.scan composes safeIcap for ICAP RESPMOD + a raw ClamAV INSTREAM backend; optionally composes `b.guardArchive` for zip-slip / hardlink-escape refusal before the AV daemon sees the bytes. mail.spamScore is the operator-scorer-hook pipeline with threshold comparison + reason-tag hardening (per-tag 256-byte cap, ≤32 tags, control-byte refusal). · *`b.mail.crypto.pgp` — RFC 9580 v4 OpenPGP detached-signature sign + verify* — Hand-rolled v4 signature packets via `node:crypto` only — no third-party crypto vendored. Ed25519Legacy (pub-alg 22) + RSA (pub-alg 1, EMSA-PKCS1-v1_5 + SHA-256). ASCII armor with CRC-24 + BEGIN/END framing per §6. RFC 3156 multipart/signed wrapper. Hash-left-16 fast-fail per §5.2.4. Fingerprint pinning enforces issuer-fpr subpacket equality (key-substitution defense). Refuses RSA < 2048 bits per RFC 8301 §3.1. EFAIL (CVE-2017-17688 / CVE-2017-17689) threat model documented. PGP encrypt + decrypt and v6 signatures are deferred-with-condition (reopens when operator demand or ≥2 major impls ship v6 verify-by-default). · *`b.mail.crypto.smime` — RFC 8551 S/MIME 4.0 v1* — Ships `checkCert(certPem)` operator-side cert preflight refusing SHA-1 / MD5 cert signatures + sub-2048-bit RSA — defends CVE-2017-9006 class. `sign()` + `verify()` deferred-with-condition: `node:crypto` exposes no CMS codec; hand-rolling RFC 5652 BER/DER + §5.4 set-of attribute DER sort lights up in v0.10.13's `b.cms` codec. Operator escape hatch: wire `node-forge` / `pkijs` / `openssl(1)` in consumer code. · *`b.safeIcal` + `b.safeVcard` + `b.mail.dav` — calendar + contacts protocol suite* — safeIcal is the bounded RFC 5545 iCalendar parser. Defends CVE-2024-39687 (ical4j RRULE recursion / Outlook calendar bomb): RRULE COUNT > 10 000 + BYxxx list > 24 refused regardless of profile. safeVcard is the RFC 6350 vCard 4.0 parser. mail.dav — CalDAV (RFC 4791) + CardDAV (RFC 6352) HTTP route handlers + RFC 6764 `.well-known/caldav` + `.well-known/carddav` discovery. Verbs: OPTIONS, PROPFIND, REPORT (calendar-query + calendar-multiget + addressbook-query + addressbook-multiget), GET, PUT, DELETE, MKCALENDAR, MKCOL. Per-tenant URL isolation — every URL must start with `/<principal>/...`; cross-principal access refused 403. PUT-body validation through safeIcal / safeVcard before the storage backend sees it. Path-traversal (`..`, `%2e%2e`, NUL byte) refused 400. ETag preconditions (412 on If-Match mismatch). XML body parsing via `b.xmlC14n.parse` (DOCTYPE/ENTITY refused — XXE / billion-laughs defense). WebDAV ACL (RFC 3744), CalDAV scheduling (RFC 6638), iTIP-over-mail handler + iMIP (RFC 6047), JSCalendar (RFC 8984), xCard / jCard (RFC 6351 / 7095), and `sync-collection` (RFC 6578) are deferred-with-condition. · *Auth hardening across `lib/auth/*` + bearer-auth + fetch-metadata* — JWT `alg` / `kty` confusion defenses, mandatory `crit` checking, nonce-replay protection, DPoP-bound access token verification, PRM (PAR) request-object validation, WebAuthn FAL (RFC 9470 fed-auth-level) signaling, multi-credential SASL state machine for IMAP / POP3 / SMTP-submission. Closes 22 audit findings. · *Crypto-surface hardening — AAD-bound seals + corrupt-row no-delete + base64url strict + parallel hash defaults* — AAD-bound sealed columns: `b.cryptoField.registerTable({ aad: true, rowIdField, schemaVersion })` + `b.vault.aad.seal` integration; DB-write attacker who copies a sealed value from one row into another row triggers Poly1305 verification failure on read. `b.middleware.idempotencyKey.dbStore` adopts AAD form by default; existing plain-vault rows continue to read via shape auto-detect. `b.middleware.idempotencyKey.dbStore({ fingerprintSeal: true })` — cached request fingerprint is now an HMAC under a vault-derived secret by default. `b.middleware.idempotencyKey({ bodyFingerprintFallback: "deny" })` — body-bearing requests without parsed body refused HTTP 400 by default (previously silently degraded to method+path-only). Corrupt-row no-delete in dbStore — unseal failure emits audit + returns null instead of deleting (closes a key-presence oracle). `b.crypto.fromBase64Url(s, { strict: true })` — crypto-context base64url decoding refuses non-canonical input by default (CVE-2022-0235 class). `b.crypto.hashFilesParallel` default-refuses symlinks (opt-in via `followSymlinks: true`), refuses FIFOs / sockets / character / block devices, caps per-file read at 1 GiB by default. `b.vendorData` SLH-DSA-SHAKE-256f pubkey-fingerprint cross-check — every per-entry signature verify now compares declared fingerprint against actual `sha256(pemToRaw(PUBKEY_PEM))`. `b.metrics.snapshot.startWriter({ fileMode })` defaults `0o640` + credential-shape redaction in label coercion ([REDACTED-CREDENTIAL] for RFC 6750 Bearer / RFC 7617 Basic / Stripe `sk-` / GitHub `ghp_` / JWT three-segment / high-entropy >40-char tokens). `b.network.tls.wrapSNICallback(operatorCb)` exposes the synchronous-throw catch wrapper (CVE-2026-21637). `b.selfUpdate.compareTags` strict SemVer 2.0.0 §11 pre-release ordering (numeric identifiers compare as numbers; numeric < alphanumeric; no-pre > with-pre; build metadata ignored per §10). `b.retry.backoffDelay` jitter via `Math.random` (no CSPRNG burn under retry storms — the per-request delay is observable to every peer by construction). · *Vendor-data / supply-chain hardening — CSAF 2.1 + audited boot-verify deferral + split SBOM* — `b.vex` upgrades to CSAF 2.1 conformance (operator-supplied `vulnerabilities[].cwes` per §3.2.3.4, TLP 2.0 with AMBER+STRICT label, structured profile selection). `BLAMEJS_VENDOR_DATA_DEFER_BOOT_VERIFY=1` now requires a non-empty `BLAMEJS_VENDOR_DATA_DEFER_BOOT_VERIFY_REASON` companion env var + emits `vendor-data.boot_verify_deferred` audit (SSDF PW.4 — every security-default-disable lives in the audit log with an operator-attributed reason). SBOM split into module + vendored CycloneDX 1.6 documents with Sigstore-keyless signatures. · *Agent substrate hardening — signed snapshots, persisted saga state, per-tenant HKDF keys* — `b.agent.snapshot` snapshots are sealed + Ed25519-signed at write + signature-verified at read (every operator who uses snapshot/restore inherits tamper detection). `b.agent.saga` persists per-step compensation state to the sealed backing store. `b.agent.tenant` derives per-tenant vault keys via HKDF-SHA3-512 over a tenant-ID label (per-tenant blast radius bound). `b.outbox` consumer + saga step `_runHandler` route user-supplied callbacks through the same try/catch + typed-audit shape. **Changed:** *Mail-auth hardening — DKIM `l=` removed, dual-permerror SPF, DMARC report bounds, ARC `i=` monotonic* — DKIM — `b.mail.dkim.verify` refuses `l=` body-length tag (RFC 6376 §3.5 deprecated; downgrade attack class), enforces strict canonical/simple body algorithm match, refuses RSA < 2048 (RFC 8301 §3.1). SPF — dual-permerror posture (refuses both `+all` and missing-record states as a permerror under strict). DMARC — aggregate-report parser bounds (max 1 MiB raw / 8 MiB unzipped; refuses external XML entities). ARC — chain-validation `i=` strict-monotonic-increment enforcement, instance count cap of 50 (CVE-2023-44388 class). · *Mail-protocol close-out — STARTTLS upgrade helper + smuggling detect + dot-stuffing + close-state guards* — `b.mail.server.tls.upgradeSocket` — new shared STARTTLS / STLS upgrade helper used by every mail listener (removes plain-socket `"data"` listener before TLSSocket wraps, defense vs CVE-2021-33515 Dovecot / CVE-2021-38371 Exim STARTTLS-injection); new mail-protocol listeners trip a codebase-patterns detector if they construct a `TLSSocket` from an attached plain socket directly. IMAP STARTTLS drain extended (`pendingLiteral` + `authPending` cleared at upgrade alongside `lineBuffer`). `b.guardSmtpCommand.detectBodySmuggling` covers `\n.\n` / `\r\n.\n` / `\n.\r\n` / buffer-start dot / bare-CR variants (CVE-2023-51764 / -51765 / -51766 / 2024-32178). `b.safeMime` RFC 2047 header-injection defense — encoded-word decoders refuse decoded CR / LF / NUL (CVE-2020-7244 class). Submission listener PIPELINING DATA-race gate — when `rcptsPending > 0` (async recipientPolicy not yet resolved), DATA returns `451 4.5.0 RCPT TO verdicts pending`. Submission `auth_success` audit captures mechanism before nulling `authPending` (was recording null). POP3 cleartext USER / PASS gate — refuses over cleartext under non-permissive even if guard-* bypassed. POP3 RETR / TOP dot-stuffing routes through `b.safeSmtp.dotStuff(buf)` on raw Buffer (strict-CRLF only). IMAP `_close` writes `state.stage = "closed"` (drain-loop guard was unreachable). IMAP per-line cap before `Buffer.concat` (CWE-770). `b.network.dns.resolver` `maxCacheEntries: 5000` LRU eviction (CWE-400/770). `b.mail.server.rateLimit.connectionTimes` GC sweep (closes asymmetric Map leak). `b.mail.create` outbound SMTP CRLF-injection refusal in `ehloName` / `user` / `pass` / `host` / `servername` (GHSA-c7w3-x93f-qmm8 nodemailer-CRLF class). · *Node.js CVE backstops (January 2026 release)* — `engines.node` is pinned at `>=24.14.1` (fixed-release floor); operator-side backstops mean deploys against older Node — or hostile peers that target shapes the parser fix doesn't bound — still don't crash, hang, or burn CPU. CVE-2026-21717 V8 HashDoS — query-string key count capped at 1000 distinct keys per request in `b.router`; `b.db.from(t).where({...})` capped at 256 keys. CVE-2026-21712 IDN crash via `url.format()` — adds `b.safeUrl.format(url, opts?)` with assertion-class throw caught + translated to a refused `safe-url/format-failed`. CVE-2026-22036 chained Content-Encoding amplification — `b.httpClient` refuses any response with more than one non-identity `Content-Encoding` layer. CVE-2026-4923 multi-wildcard router — `registerRoute` refuses patterns with more than 3 consecutive `*` metacharacters. CVE-2026-21710 prototype-poisoned `req.headersDistinct` — `b.requestHelpers.safeHeadersDistinct(req)` is the defensive replacement (null-prototype object, skips `__proto__` / `constructor` / `prototype`). CVE-2026-21714 H/2 WINDOW_UPDATE leak after GOAWAY — `b.router` tracks GOAWAY state per session + force-destroys on post-GOAWAY stream activity. **Detectors:** *Six new codebase-patterns detectors* — `inline-require-in-deferred` (require() inside setImmediate / process.nextTick / queueMicrotask lifts to top-of-file `lazyRequire`); `seal-without-aad` (`vault.seal` direct in dbStore-shaped paths routes through `vault.aad.seal`); `raw-mib-literal` (`N * 1024 * 1024` byte-shape literal routes through `C.BYTES.mib`); `hex-sha-compare-equals` (hex HMAC / MAC / signature compared with `timingSafeEqual` per CVE-2026-21713); `mountinfo-without-field4` (procfs bind-mount detection consults RFC 9293 mountinfo field 4); `tls-socket-without-upgrade-helper` (raw `new tls.TLSSocket(plainSocket, ...)` outside the shared upgrade helper). **Migration:** *Operator impact — read-side-compatible; opt-back-in routes documented* — Every change is read-side-compatible. Existing pre-v0.10.0 sealed rows continue to read; new INSERTs under `b.middleware.idempotencyKey.dbStore` produce AAD-bound envelopes. The `bodyFingerprintFallback: "deny"` default refuses body-bearing requests that arrive without parsed-body data — operators with a documented method+path-only use case opt back into the prior behavior via `bodyFingerprintFallback: "method-path-only"`. `BLAMEJS_VENDOR_DATA_DEFER_BOOT_VERIFY=1` deploys now require a companion `_REASON` env var. **References:** [RFC 5804 ManageSieve](https://www.rfc-editor.org/rfc/rfc5804) · [RFC 3507 ICAP](https://www.rfc-editor.org/rfc/rfc3507) · [RFC 9580 OpenPGP](https://www.rfc-editor.org/rfc/rfc9580) · [RFC 8551 S/MIME 4.0](https://www.rfc-editor.org/rfc/rfc8551) · [RFC 5545 iCalendar](https://www.rfc-editor.org/rfc/rfc5545) · [RFC 6350 vCard 4.0](https://www.rfc-editor.org/rfc/rfc6350) · [RFC 4791 CalDAV](https://www.rfc-editor.org/rfc/rfc4791) · [RFC 6352 CardDAV](https://www.rfc-editor.org/rfc/rfc6352) · [RFC 6376 DKIM](https://www.rfc-editor.org/rfc/rfc6376) · [RFC 8301 DKIM RSA Key Size](https://www.rfc-editor.org/rfc/rfc8301) · [RFC 8617 ARC](https://www.rfc-editor.org/rfc/rfc8617) · [NIST SP 800-38D §5.2](https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-38d.pdf) · [OWASP A02 Cryptographic Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures/) · [SemVer 2.0.0 §11](https://semver.org/spec/v2.0.0.html#spec-item-11) · [RFC 4648 §5 base64url](https://www.rfc-editor.org/rfc/rfc4648#section-5) · [RFC 6066 §3 SNI](https://www.rfc-editor.org/rfc/rfc6066#section-3) · [CVE-2024-39687 ical4j RRULE recursion](https://nvd.nist.gov/vuln/detail/CVE-2024-39687) · [CVE-2023-44388 ARC instance enumeration](https://nvd.nist.gov/vuln/detail/CVE-2023-44388) · [CVE-2021-33515 Dovecot STARTTLS](https://nvd.nist.gov/vuln/detail/CVE-2021-33515) · [CVE-2021-38371 Exim STARTTLS](https://nvd.nist.gov/vuln/detail/CVE-2021-38371) · [GHSA-c7w3-x93f-qmm8 nodemailer CRLF](https://github.com/advisories/GHSA-c7w3-x93f-qmm8)
+## v0.9.x
+- v0.9.57 (2026-05-16) — **`b.mail.journal` — WORM compliance journal for inbound + outbound mail.** Tamper-evident, retention-bound, legal-hold-aware copy of every message that crosses the mail boundary. Composes existing framework substrate (objectStore Object Lock, cryptoField, legalHold, retention.complianceFloor, audit-sign) — no new storage / crypto / retention vocabulary. **Added:** *`b.mail.journal.create({ storage, vault, legalHold, db, regimes })`* — Returns a handle exposing `record({ direction, actorId, messageId, headers, envelope, bodyBytes })` (appends a sealed entry to the operator's WORM bucket + the local index table), `getById(journalId)` (round-trips one entry; unseal via vault), `list({ direction?, since?, until?, actorId?, limit? })` (cursor-bounded list), `expireSurface()` (entries past their retention floor AND not under legal hold — for operator audit, no auto-delete), and `setLegalHold(journalId, onHold)` (toggle hold flag). · *Composition over invention* — Composes `b.objectStore.bucketOps({ objectLockEnabled: true })` for WORM-enforced immutability at the storage layer (S3 Object Lock / Azure Immutable Blob / GCS retention-policy); `b.cryptoField.sealRow` for at-rest encryption with vault key — plaintext columns kept queryable (`journalId`, `direction`, `archivedAt`, `actorId`, `messageId`, `sizeBytes`, `regimes`, `legalHold`), everything else sealed; `b.legalHold` for exemption from retention expiry; `b.retention.complianceFloor` for per-regime windows. · *Regime registry* — `sec-17a-4` / `finra-4511` / `hipaa` (6yr), `mifid-ii` (5yr), `sox` (7yr), `gdpr` (6yr UK ICO + ePrivacy guidance), `soc2` (1yr). Operator declares one or more via `regimes: ["sec-17a-4", "finra-4511"]`; the journal computes the longest floor across all declared regimes and tags every entry with `floorUntil = archivedAt + maxFloorMs`. · *Explicit non-goals* — No delete surface (WORM bucket enforces immutability; operators needing GDPR Art. 17 erasure on a journaled message MUST crypto-erase via `b.cryptoField.eraseRow` — the operator's posture choice between regulatory record-keeping and right-to-be-forgotten); no automated expiry (`expireSurface()` returns the list of candidates, operators decide); no MX / submission auto-wiring (this release ships the primitive; the next release will auto-call `record()` from the MX listener + submission listener so inbound + outbound traffic journals without operator wiring). **Security:** *Threat model* — Tamper-evidence via WORM bucket (Object Lock makes write-once enforceable at the storage layer, not just policy); per-message encryption-at-rest via vault key; index table keyed on archivedAt + message_id for forensic query without unseal; audit emit on every record / read / list / hold-change operation routes to `b.audit.safeEmit`. **References:** [SEC Rule 17a-4(f)](https://www.ecfr.gov/current/title-17/chapter-II/part-240/section-240.17a-4) · [FINRA Rule 4511](https://www.finra.org/rules-guidance/rulebooks/finra-rules/4511) · [MiFID II Article 16(7)](https://www.esma.europa.eu/)
+- v0.9.56 (2026-05-16) — **`b.mail.deploy` operator-deployment helpers — MTA-STS / DANE / AutoConfig / AutoDiscover publish surface.** Closes the publish-side of the inbound mail verifiers shipped earlier in the 0.9.x line; operators standing up a new mail deployment now have four small generators that produce RFC-shaped policy text + DNS records + client auto-discovery XML. **Added:** *`b.mail.deploy.mtaStsPublish({ domain, mode, mxHosts, maxAgeSec, policyId? })`* — Generates the RFC 8461 §3.2 `/.well-known/mta-sts.txt` policy text + `_mta-sts.<domain>` TXT record advice. Wildcard `*.mx.<domain>` entries accepted per §3.2.1. `mode` constrained to `enforce` / `testing` / `none`; `maxAgeSec` capped at 1 year. Pairs with the existing inbound MTA-STS verifier on the receiving side — operators publishing the policy AND verifying inbound peers run the same vocabulary. · *`b.mail.deploy.danePublish({ certPem, mxHost, port?, usage?, selector?, matchType? })`* — Generates RFC 7672 + RFC 6698 TLSA record string. Computes SHA-256 (or SHA-512) SubjectPublicKeyInfo hash from the operator-supplied PEM cert via `node:crypto.X509Certificate` + `crypto.createHash`. Defaults to DANE-EE / SPKI / SHA-256 — RFC 7672 §3.1.3 recommended posture because it survives intermediate-CA changes as long as the leaf key is stable. Refuses `matchType: 0` (exact match) to keep the record size bounded. · *`b.mail.deploy.autoConfigXml({ domain, displayName?, imap?, pop3?, smtp?, jmap? })`* — Thunderbird's `autoconfig.<domain>/mail/config-v1.1.xml` payload. Outlook, Apple Mail, and Evolution read the same file when present. Every operator-supplied string XML-escaped (`&` / `<` / `>` / `"` / `'`) so a hostile `displayName` can't inject new XML nodes. · *`b.mail.deploy.autoDiscoverXml({ email, imap?, pop3?, smtp? })`* — Outlook's `autodiscover/autodiscover.xml` response shape (MS-OXDISCO + MS-OXDSCLI). Operator extracts the email from the inbound POST body via their route handler; this generator returns the response XML. Refuses CR / LF / NUL / control bytes in the email field (XML-injection class). These are text generators, not route handlers — operators wire the output into `b.staticServe` (mta-sts.txt + autoconfig.xml) or their own POST handler (autodiscover, which is request-conditional). No new network surface, no I/O — pure deterministic functions. **References:** [RFC 8461 (MTA-STS)](https://www.rfc-editor.org/rfc/rfc8461) · [RFC 7672 (DANE for SMTP)](https://www.rfc-editor.org/rfc/rfc7672) · [RFC 6698 (TLSA records)](https://www.rfc-editor.org/rfc/rfc6698)
+- v0.9.55 (2026-05-16) — **`b.safeSieve` parser + `b.mail.sieve` interpreter (RFC 5228 base grammar).** Lifts `b.mail.agent.sieve.put` from a stub and wires the RFC 5228 grammar through to the agent. Ships base-grammar coverage that handles ~80% of operator-written scripts; deferred extensions refused at parse time per RFC 5228 §3.2. **Added:** *`b.safeSieve` — bounded RFC 5228 parser* — Refuses oversized scripts (64 KiB strict / 256 KiB balanced / 1 MiB permissive), block-nesting beyond `maxDepth` (32/64/128), per-string byte cap (4/16/64 KiB), string-list count cap (256/1024/4096), command-arg cap (32/64/128), elsif-chain cap (32/64/128). Refuses C0 / DEL / NUL control bytes outside string literals, bare CR / bare LF (RFC 5228 §2.1 requires CRLF), unknown capabilities at `require`, AND RFC-defined-but-not-implemented capabilities so scripts depending on `vacation` / `variables` / `imap4flags` / etc. fail at parse time instead of silently mis-executing. Three profiles + HIPAA/PCI-DSS/GDPR/SOC2 posture cascades (all map to strict). Grammar coverage: `require` / `if` / `elsif` / `else` / tests (`address` / `header` / `envelope` / `exists` / `size` / `not` / `allof` / `anyof` / `true` / `false`) / actions (`keep` / `fileinto` / `discard` / `redirect` / `stop`) / match-types (`:is` / `:contains` / `:matches`) / comparators / address-parts / string lists / quoted strings / multi-line `text:` strings with dot-stuffing / `#` and `/* */` comments / number suffixes. · *`b.mail.sieve` — pure AST walker running under a gas counter* — Default 10 000 ops; cap 1 000 000. The interpreter reads only from operator-supplied `env` (`{ headers, envelope, sizeBytes, bodyBytes }`) and never mutates it; side-effects (`fileinto` / `redirect` / `discard`) surface as entries in the returned action list for the caller's delivery code to dispatch against the mail store. `b.mail.sieve.run(ast, env, { maxGas })` walks a parsed AST; `b.mail.sieve.runScript(script, env, opts)` parses + runs in one call; `b.mail.sieve.create({ profile, compliancePosture, maxGas, audit })` returns a stateful handle the JMAP `SieveScript/validate` method + MX delivery hook compose. · *`b.mail.agent.sieve.put` wiring* — The agent's `sieve.put` method now parse-validates via `b.safeSieve` after the existing `b.guardMailSieve` shape check. Operator's persistence step receives a `{ ok: true, requiredCaps }` shape; scripts with unknown / unimplemented capabilities or grammar errors throw `mail-agent/sieve-parse-error` with the first issue's snippet. `agent.sieve.list` and `agent.sieve.activate` stay deferred — the operator owns the persistence layer; the next release that ships a default sieve-script store backend will light those up. **Security:** *Threat-model coverage* — Runaway scripts defended by the gas counter (per-script cap) + per-tests cap on `allof` / `anyof` sub-count; parser-bomb defended by the depth + elsif-chain + string-list caps; SMTP-style header injection defended by the C0 / DEL / NUL refusals (Sieve scripts arrive from operator UIs that may forward operator-controlled bytes); RFC 5228 §10.1 security considerations on `redirect` defended by leaving address normalization to the operator's delivery agent (the interpreter only captures the literal address string). **References:** [RFC 5228 (Sieve mail filtering language)](https://www.rfc-editor.org/rfc/rfc5228)
+- v0.9.54 (2026-05-16) — **`b.mail.server.jmap` JMAP Core + Mail listener (RFC 8620 + RFC 8621) + `b.guardJmap` wire-protocol validator.** JMAP lands as the framework's primary mail-access protocol per the mail-stack roadmap. JSON-over-HTTP, batched, push-capable, and unlike IMAP/POP3 doesn't carry decades of stateful-protocol scar tissue. Modern mail clients (Fastmail apps, Cyrus + JMAP proxy, Stalwart-compatible MUAs) connect here. **Added:** *`b.guardJmap` — wire-protocol validator for JMAP Core + Mail* — Validates `Invocation` arrays (`[method, args, callId]` per RFC 8620 §3.2), refuses back-reference pipelining past depth 8 (DoS class against the resolver), caps `using[]` capability count, request body size, per-invocation arg-size, and per-batch invocation count. Refuses any string containing C0 / DEL / NUL controls (header-injection class). JSON parsing routes through `b.safeJson` so prototype-pollution + recursion-bomb shapes refused at the parser boundary. Three profiles + HIPAA / PCI-DSS / GDPR / SOC2 posture cascades (all map to strict). Fuzz harness ships in `fuzz/guard-jmap.fuzz.js`. · *`b.mail.server.jmap` — JMAP Core endpoint mounted as an HTTP route handler* — NOT a separate TCP server. Implements the Session resource (`.well-known/jmap` per RFC 8620 §2 + §6.2 — declares supported capabilities, accountId mapping, eventSource URLs, downloadUrl / uploadUrl templates), the API endpoint (POST then `methodResponses[]` per RFC 8620 §3.3 invocation pipeline), upload route (POST blob — guard-* gated by Content-Type), download route (GET sealed blob), and EventSource push (RFC 8620 §7 — `text/event-stream` SSE; opt-in WebSocket via RFC 8887). · *Operator-supplied `methods: { [name]: fn(args, ctx) }` registry handles per-method dispatch* — The listener owns request validation, back-ref resolution, accountId isolation, error mapping (RFC 8620 §3.5.2 method errors / §3.6.1 request errors), and SSE state-change notification; operators implement Email/get, Email/set, Mailbox/get, etc. against their `b.mailStore`. Per-tenant `accountId` isolation — every method invocation carries the authenticated actor's accountId; cross-account access refused at the dispatcher. Back-reference pipelining (`#prev-call-result`) resolved with depth cap. RFC 8620 §3.6.1 request errors returned as JMAP-shaped problem details, not generic HTTP 4xx bodies. What v1 does NOT ship: WebSocket push framing details (operator opts via separate WS upgrade route), `pushSubscription` storage backend (operator wires per-tenant), JMAP for Calendars / Contacts, Sieve filter management (RFC 9404), `Mailbox/changes` Tombstones beyond the 30-day window. **References:** [RFC 8620 (JMAP Core)](https://www.rfc-editor.org/rfc/rfc8620) · [RFC 8621 (JMAP for Mail)](https://www.rfc-editor.org/rfc/rfc8621)
+- v0.9.53 (2026-05-16) — **`b.mail.server.pop3` POP3 listener (RFC 1939) + `b.guardPop3Command` wire-protocol validator.** POP3 listener for clients that want pure download-and-delete semantics rather than IMAP's server-side store (Thunderbird-with-POP, mutt, fetchmail, getmail, K-9 in POP mode, headless backup-fetchers). **Added:** *`b.guardPop3Command` — wire-protocol validator* — RFC 1939 + RFC 2449 CAPA + RFC 2595 STLS + RFC 5034 AUTH. Refuses bare-CR / bare-LF / NUL / C0 / DEL (smuggling defense identical to the SMTP/IMAP guards), enforces RFC 1939 §3 4-character verb shape, per-line cap (255 chars strict / 512 balanced / 1024 permissive per §3 + §4 recommendation), per-verb arg-arity. Verbs: USER / PASS / APOP / AUTH / STLS / CAPA / STAT / LIST / RETR / DELE / NOOP / RSET / TOP / UIDL / QUIT. Strict refuses USER / PASS / mech-bearing AUTH pre-TLS (RFC 2595 §2.1 + RFC 5034 §4) and refuses APOP entirely (MD5 challenge-response — broken since CVE-2007-1558). Balanced + permissive accept both with audit. Three profiles + HIPAA / PCI-DSS / GDPR / SOC2 posture cascades (all map to strict). Fuzz harness ships in `fuzz/guard-pop3-command.fuzz.js`. · *`b.mail.server.pop3` — POP3 listener state machine* — AUTHORIZATION to TRANSACTION to UPDATE per RFC 1939 §3 lifecycle. Composes `b.guardPop3Command` + `b.mail.server.rateLimit` (per-IP concurrent + rate + AUTH-failure budget, default-on) + operator-supplied `b.mailStore` backend + operator-supplied SASL authenticator. STLS-injection defense per CVE-2021-33515 class — pre-handshake `lineBuffer` cleared at TLS upgrade so pipelined commands sent before STLS can't take effect after. STLS state gating per RFC 2595 §4 — STLS refused outside AUTHORIZATION so a TLS re-key can't land mid-session on top of established mailbox state. RFC 1939 §3 dot-stuffing on RETR / TOP — every line beginning with `.` in the message body emits as `..` on the wire so the multi-line terminator stays unambiguous. RFC 2449 CAPA advertises AUTH=<mech> only for operator-wired mechanisms (no hardcoded `AUTH=PLAIN`). · *Audit lifecycle* — `mail.server.pop3.{connect, auth_attempt, auth_success, auth_failed, auth_refused_cleartext, transaction_start, retr, top, dele, rset, quit, stls_handshake_failed, stls_upgraded, listening, closed, socket_error, handler_threw}`. What v1 does NOT ship: APOP server (refused under strict; balanced + permissive accept but operator wires the shared-secret check), RFC 5034 SASL response framing for multi-step mechanisms (operator-supplied authenticator returns `{ pending, challenge }` per the same shape as IMAP/SMTP submission), draft-melnikov-pop3-mime-imap-uidplus cross-protocol UID alignment, RFC 2595 §5 `PIPELINING` capability (not in CAPA — RFC 1939's response shape doesn't carry length so pipelining can't be safely parsed by the client without out-of-band info). **References:** [RFC 1939 (POP3)](https://www.rfc-editor.org/rfc/rfc1939) · [RFC 2595 (STLS)](https://www.rfc-editor.org/rfc/rfc2595) · [RFC 5034 (POP3 SASL)](https://www.rfc-editor.org/rfc/rfc5034)
+- v0.9.52 (2026-05-16) — **`b.mail.create` recipient + sender `b.guardDomain` hardening (default-on).** Symmetric to the inbound listener wiring shipped earlier — every outbound `mail.send({ to, cc, bcc, from })` now routes the domain part of each address through `b.guardDomain.validate` by default. **Changed:** *Outbound `mail.send` addresses gate through `b.guardDomain` by default* — Defends CVE-2017-5469-class IDN homograph spoofs, RFC 6761 special-use domain names in production sends, RFC 1035 §2.3.4 label-length violations, and CVE-2021-22931-class bare-IP-as-domain (DNS-rebinding allowlist-bypass). RFC 5321 §4.1.3 address-literal form skipped (bracket-syntax already constrains). EAI (RFC 6531) recipients get RFC 5891 ToASCII conversion before validation so `<x@münchen.example>` passes the gate as `xn--mnchen-3ya.example`. Operator opt-outs: `b.mail.create({ guardDomain: false })` skips; `b.mail.create({ guardDomain: { profile: "permissive" } })` relaxes. Default profile mirrors `b.mail.create({ profile })` if set, else strict. **References:** [CVE-2017-5469 (Punycode display)](https://nvd.nist.gov/vuln/detail/CVE-2017-5469) · [RFC 6761 (special-use domain names)](https://www.rfc-editor.org/rfc/rfc6761)
+- v0.9.50 (2026-05-16) — **Mail-deployment helpers — 0xE1 envelope migration path + `b.mail.dkim.bootstrap` + `b.mail.server.tls.context`.** Three operator-facing primitives that unblock deployment workflows for legacy envelope migration, turnkey DKIM keypair issuance, and TLS context reload. **Added:** *`b.crypto.decrypt(ct, keys, { allowLegacy: true })`* — Pre-v1 the envelope magic byte was bumped from 0xE1 to 0xE2 to enforce a NIST SP 800-56C r2 §4.1 FixedInfo / RFC 9180 §5.1 suite-binding KDF input. 0xE1 envelopes lack this binding; default behavior is hard-refusal with a clear migration message. Operators with at-rest data sealed pre-bump pass `{ allowLegacy: true }` as the third arg to read the old envelope, then re-seal via `b.crypto.encrypt` to migrate. Each legacy decrypt emits a `system.crypto.decrypt.allow_legacy` audit event so the migration window is visible in the audit log. The audit emits `outcome: "success"` only after a successful return + `outcome: "failure"` on throw — corrupted blobs / wrong keys / unsupported KEMs surface honestly in the audit chain. · *`b.mail.dkim.bootstrap({ domain, selector, algorithm? })`* — Turnkey DKIM keypair + DNS TXT record + ready-to-use signer for operators deploying outbound mail. Returns `{ privateKeyPem, publicKeyPem, dnsName, dnsTxtValue, dnsRecord, signer() }`. Default algorithm is `ed25519-sha256` (RFC 8463 §2); operators with receivers that don't support Ed25519 pass `algorithm: "rsa-sha256"` (RFC 6376, default 2048-bit per RFC 8301 §3.1 guidance; refused < 1024). `algorithm: "dual"` mints both keypairs and the signer emits two DKIM-Signature headers per RFC 8463 §3 dual-signing pattern for max receiver compat. DNS TXT records that exceed 255 octets are split per RFC 1035 §3.3.14. · *`b.mail.server.tls.context({ certFile, keyFile, vault?, watch? })`* — Operator-UX helper for the `tlsContext` opt that `b.mail.server.mx` + `b.mail.server.submission` require at create-time (no implicit plaintext mode). Three things every deployment needed and was reinventing: sealed-key unwrap (operators passing `vault: b.vault` get unsealing for `b.vault.sealPemFile`-stored keys), cert-rotation in-process reload (`watch: true` polls mtimes every 30s, builds a fresh `SecureContext` on change, fires `onReload` listeners + emits `mail.server.tls.context_reloaded` audit; mid-rotation read failures keep the prior good context live + emit a `reload_failed` audit), and boot-fail surface (missing/unreadable file, unsealable key, mismatched cert/key, bad PEM — all typed `MailServerTlsError` codes). ACME provisioning stays in `b.acme` (RFC 8555 + RFC 9773 ARI); this primitive just loads what's on disk and reloads when it changes. `b.mail.server.mx`'s `tlsContext`-required error message now points operators at `b.mail.server.tls.context` + `b.acme` so the boot dead-end becomes a one-line fix. **References:** [RFC 8463 (Ed25519 in DKIM)](https://www.rfc-editor.org/rfc/rfc8463) · [RFC 6376 (DKIM Signatures)](https://www.rfc-editor.org/rfc/rfc6376) · [RFC 9180 §5.1 (HPKE KDF inputs)](https://www.rfc-editor.org/rfc/rfc9180#section-5.1)
+- v0.9.49 (2026-05-16) — **`b.mail.server.imap` IMAP4rev2 listener (RFC 9051) + `b.guardImapCommand` wire-protocol validator.** Modern MUAs (Thunderbird, Apple Mail, mutt, K-9, FairEmail) connect here to read + manage messages without operators running dovecot/cyrus alongside. **Added:** *`b.guardImapCommand` — wire-protocol validator for IMAP4rev2* — RFC 9051 (August 2021; obsoletes RFC 3501). Refuses bare-CR/LF/NUL/C0/DEL outside literals (smuggling defense analogous to SMTP), enforces RFC 9051 §2.2.2 literal framing (mid-line `{n}` openers refused via `detectLiteralSmuggling`; LITERAL+ per RFC 7888 refused pre-AUTH per §1), per-verb shape, line cap (8 KiB strict / 16 KiB balanced / 64 KiB permissive), literal cap (64 MiB strict / 128 MiB balanced / 256 MiB permissive). Strict + balanced + permissive profiles + HIPAA/PCI-DSS/GDPR/SOC2 compliance postures (all map to strict). · *`b.mail.server.imap` — IMAP4rev2 listener state machine* — NOT-AUTHENTICATED to STARTTLS to AUTH to SELECTED to LOGOUT. Commands: CAPABILITY / NOOP / LOGOUT / ID / STARTTLS / AUTHENTICATE / LOGIN (refused under strict per RFC 9051 §6.3.4) / ENABLE / SELECT / EXAMINE / LIST / STATUS / NAMESPACE / APPEND (incl. zero-byte literals `{0}` per RFC 9051 §6.3.12) / CHECK / CLOSE / UNSELECT / EXPUNGE / FETCH / STORE / UID FETCH/STORE (with `useUid: true` thread to mailStore per RFC 9051 §6.4.9) / IDLE + DONE (RFC 2177; 29-min bandwidth timeout per §3). CAPABILITY advertises AUTH=<mech> only for operator-wired mechanisms. · *STARTTLS-injection + literal-injection + mailbox-traversal defenses* — STARTTLS-injection defense per CVE-2021-33515 class — pre-handshake receive buffer cleared at TLS upgrade so pipelined commands sent before TLS can't take effect after. Literal-injection defense per CVE-2018-19518. Mailbox-name traversal refusal. Per-connection state lives on the `state` object so concurrent connections don't clobber. Composes `b.guardImapCommand` + `b.mail.server.rateLimit` (per-IP concurrent + rate + AUTH-failure budget, default-on) + operator-supplied `b.mailStore` backend + operator-supplied SASL authenticator. What v1 does NOT ship: SEARCH expressions (operator wires `mailStore.search`), NOTIFY (RFC 5465), METADATA (RFC 5464), CATENATE (RFC 4469), URLAUTH (RFC 4467), IMAPSIEVE (RFC 6785), COMPRESS=DEFLATE (RFC 4978; CRIME-class), CONDSTORE/QRESYNC per-FETCH delta. **Detectors:** *Two new detectors for IMAP-specific footguns* — `literalSize > 0` zero-rejection footgun + hardcoded SASL mech in caps array. Both shapes were caught during review; the detectors prevent reappearance across listeners. **References:** [RFC 9051 (IMAP4rev2)](https://www.rfc-editor.org/rfc/rfc9051) · [CVE-2018-19518 (IMAP literal injection)](https://nvd.nist.gov/vuln/detail/CVE-2018-19518)
+- v0.9.47 (2026-05-15) — **`b.mail.server.submission` outbound SMTP submission listener + per-IP DoS defenses + `b.guardDomain` wiring on mail-listener domain crossings.** Outbound submission listener for port 587 (explicit STARTTLS) or port 465 (implicit TLS per RFC 8314). Per-IP rate / concurrency / AUTH-failure budgets default-on as belt-and-suspenders to kernel/proxy limits. Domain-shape guard wired into every domain crossing in both mail listeners. **Added:** *`b.mail.server.submission` — outbound SMTP submission listener* — Where the MX listener accepts inbound mail from the internet, this listener accepts outbound mail from authenticated MUAs / app-side mail-senders on port 587 or 465. Composes the framework's existing primitives: `b.guardSmtpCommand` for wire-protocol shape + smuggling defense, `b.safeSmtp` for DATA-body parsing, the operator's SASL authenticator for credentials, and an operator-supplied `agent.handoff` for outbound routing through `b.mail.send`. Inherits MX listener's SMTP-smuggling defense (CVE-2023-51764 / -51765 / -51766 / 2024-32178 / RFC 5321 §2.3.8) and STARTTLS-injection defense (CVE-2021-38371 Exim, CVE-2021-33515 Dovecot). · *Authentication discipline — AUTH required, AUTH-needs-TLS, implicit-TLS, identity binding, recipient policy* — AUTH required before MAIL FROM under strict + balanced profiles (RFC 6409 §3); pre-STARTTLS AUTH refused with 538 5.7.11 under strict + balanced (RFC 4954 §4); permissive opts down for legacy operator-acknowledged downgrade. Operator-supplied `auth.verify(mechanism, credentials)` async predicate decides the credential check; multi-step SASL mechanisms (SCRAM-SHA-256, GS2-* family) supported via `{ pending: true, challenge }` return shape per RFC 4954 §4. Implicit-TLS mode (`implicitTls: true` to port 465 per RFC 8314 §3.3) wraps every connection in TLS from the SYN. Identity binding under strict — `MAIL FROM:<x@y>` MUST match an entry in the authenticated actor's mailbox set; refused with 553 5.7.1. Recipient policy hook (`opts.recipientPolicy`) wires per-RCPT decisions (block destination / outbound budget / deny list); refusal returns 550 5.7.1, policy-engine failure returns 451 4.7.1 (transient). · *`b.mail.server.rateLimit` — per-IP DoS defense wired into both listeners* — Per-IP concurrent connection cap (`maxConcurrentConnectionsPerIp`, default 10) — a single hostile peer cannot open thousands of TCP slots and starve legitimate senders. Per-IP connection rate (`connectionsPerIpPerMinute`, default 60). Per-IP AUTH-failure budget (`authFailuresPerIpPer15Min`, default 10; submission listener only) — credential-stuffing class. Slow-loris / `minBytesPerSecond` floor (default 100 bytes/sec) on the DATA-body phase complements `idleTimeoutMs`. Refused connections receive `421 4.7.0 Too many connections from your IP`. Operators pass `rateLimit: false` to disable for tests, a shared handle via `b.mail.server.rateLimit.create({...})` to share one budget across multiple listeners, or an opts object to override defaults. · *`b.guardDomain` wiring on every mail-listener domain crossing* — HELO / EHLO greeting, MAIL FROM domain, RCPT TO domain, and operator-supplied `opts.localDomains` all route through `b.guardDomain.validate` (default-on; opt-out via `guardDomain: false`). Defends CVE-2017-5469-class IDN homograph spoofs, refuses RFC 6761 special-use domain names in production (`.localhost`, `.test`, `.invalid`, `.example`), enforces RFC 1035 §2.3.4 label-length caps, and refuses bare IPv4/IPv6 as a domain (CVE-2021-22931 class allowlist-bypass via DNS rebinding). RFC 5321 §4.1.3 address literals (`[1.2.3.4]` / `[IPv6:...]`) skip guardDomain — already constrained by `b.guardSmtpCommand`'s bracket-syntax validator. `opts.localDomains` is pre-validated at `create()` time so an operator who typed an IDN homograph into their allowlist gets a `mail-server-mx/bad-local-domain` boot failure instead of a silently-weakened gate. · *`b.selfUpdate.compareTags(a, b)`* — The internal `_compareTags` helper (used by `b.selfUpdate.poll` / `pickRelease`) is now part of the public API. Returns `-1` / `0` / `+1`. Strips a leading `v` / `V`, then walks dot-separated components: numeric pairs compared numerically, non-numeric components (release suffixes) fall back to lexicographic compare. Follows SemVer 2.0.0 §11 precedence for the numeric prefix; pre-release identifier comparison is lexicographic rather than the full SemVer-mandated alphanumeric rule. · *`b.metrics.snapshot.render({ format: "prometheus" })` field-type metadata* — Previously every numeric field rendered as `# TYPE <name> gauge` regardless of name, which broke `rate()` queries against counter-shaped series. The renderer now auto-detects per the Prometheus naming convention + OpenMetrics 1.0.0 §6.2: field names ending in `_total` render as `counter`; everything else renders as `gauge`. Operators with metrics that don't fit the convention opt the right type via `opts.fieldTypes: { fieldName: "counter" | "gauge" }`. Behavior change for operators scraping a long-running deployment — `rate(*_total[5m])` queries start returning correct answers once the new types reach the scrape target. **Fixed:** *RCPT TO cap-check counts in-flight async verdicts* — When `opts.recipientPolicy` is async, the recipient-limit guard ran before the policy promise resolved and the accepted recipient was appended later. Under SMTP PIPELINING (RFC 2920) each new RCPT TO saw the same `state.rcpts.length == 0` (prior commands hadn't pushed yet), so the cap-check passed for every command and `state.rcpts` grew past `maxRcptsPerMessage` once all verdicts resolved. Fix: track in-flight verdicts in `state.rcptsPending`; cap-check counts BOTH committed AND in-flight against `maxRcptsPerMessage`; defense-in-depth re-check inside the `.then()` before push. `_resetTransaction` zeroes the pending counter. **References:** [RFC 6409 (Message Submission)](https://www.rfc-editor.org/rfc/rfc6409) · [RFC 4954 (SMTP AUTH)](https://www.rfc-editor.org/rfc/rfc4954) · [RFC 8314 (Cleartext deprecation)](https://www.rfc-editor.org/rfc/rfc8314)
+- v0.9.46 (2026-05-15) — **`b.mail.server.mx` — inbound SMTP / MX listener + `b.safeSmtp` parser + `b.guardSmtpCommand.detectBodySmuggling`.** First framework-native mail listener — drives the RFC 5321 CONNECT then EHLO then [STARTTLS then EHLO] then MAIL then RCPT then DATA then DATA-body then QUIT state machine. Composes the existing mail-gate substrates (helo / rbl / greylist / guardEnvelope / dmarc / safeMime / guardEmail / guardSmtpCommand / mail.agent). **Added:** *`b.safeSmtp.findDotTerminator(buf)` + `b.safeSmtp.dotUnstuff(buf)`* — Wire-protocol parsing extracted to a reusable safe module — where the body terminator is, how to reverse dot-stuffing per RFC 5321 §4.5.2. Same primitives ship for the upcoming submission / IMAP / JMAP listeners and for any operator-side tooling that needs to parse SMTP bytes (proxies, log analyzers, test fixtures) without booting a full server. · *`b.guardSmtpCommand.detectBodySmuggling(buf)`* — Wire-protocol security gate for CVE-2023-51764 / CVE-2023-51765 / CVE-2023-51766 / CVE-2024-32178 bare-LF dot-terminator detection. The DATA body's `\r\n.\r\n` terminator is matched on canonical CRLF only; bare-LF dot-terminators are detected and refused with 554 5.7.0. · *`b.mail.server.mx` — inbound SMTP / MX listener* — Composes the existing mail-gate substrates into one operator-facing inbound listener. Defenses baked in: open-relay default-deny via `localDomains` allowlist (RCPT TO non-local refused with 550 5.7.1 unless `relayAllowedFor: [{ cidr, scope }]` opts the destination in explicitly); STARTTLS-injection defense (CVE-2021-38371 Exim, CVE-2021-33515 Dovecot — command buffer + body collector cleared at upgrade time so pre-handshake pipelined commands can't take effect post-handshake); TLS posture (`tlsContext` is required — no implicit plaintext-only mode); resource exhaustion (per-command line cap default 1 KiB, DATA body cap default 50 MiB per RFC 5321 §4.5.3.1.7, per-recipient cap default 100 per RFC 5321 §4.5.3.1.8, idle timeout default 5 minutes per RFC 5321 §4.5.3.2.7). RFC 1870 §3 SIZE param parsed at MAIL FROM time + refused with 552 5.3.4 if oversize. RFC 2920 PIPELINING + RFC 6152 8BITMIME + RFC 2034 ENHANCEDSTATUSCODES advertised in EHLO capabilities. RFC 3463 enhanced status codes embedded in every reply. RFC 6531 SMTPUTF8 / RFC 5891 IDN deliberately NOT advertised until the operator's downstream accepts Unicode mailbox-local-part bytes. **Security:** *Audit lifecycle* — `mail.server.mx.{connect,helo,mail_from,rcpt_to,data_accepted,data_refused,delivered,tls_handshake_failed,smtp_smuggling_detected,relay_refused,listening,closed,handler_threw,socket_error}`. What v1 does NOT ship: AUTH / submission auth (port-587 listener is its own slice), Sieve filtering (composes via `b.mail.agent` at delivery), outbound DSN generation (deferred to submission slice), 8BITMIME / SMTPUTF8 transcoding (advertised but parser-agnostic). **References:** [RFC 5321 (SMTP)](https://www.rfc-editor.org/rfc/rfc5321) · [CVE-2023-51764 (Postfix SMTP smuggling)](https://nvd.nist.gov/vuln/detail/CVE-2023-51764)
+- v0.9.45 (2026-05-15) — **`b.crypto.toBase64Url` / `fromBase64Url` helpers + lib-wide `.replace(/X+$/, ...)` ReDoS-shape sweep.** The trailing-greedy regex base64url-by-hand pattern was duplicated across nine framework call sites. The trailing `/=+$/` regex is polynomial-ReDoS-shaped per CodeQL `js/polynomial-redos`. Both directions now route through linear-time helpers. **Added:** *`b.crypto.toBase64Url(buf)` / `fromBase64Url(s)`* — Buffer / Uint8Array / string to RFC 4648 §5 base64url string via Node's built-in `"base64url"` encoding (linear time, no regex backtracking surface), and the inverse decoder. **Changed:** *Nine-site sweep across JWT / DPoP / OAuth / SD-JWT VC / DoH / GCS service-account JWT / pagination cursors* — Every site now consumes the helpers; the symmetric `_b64urlDecode` 5-site sweep follows the same shape (one validated typed-error guard then `bCrypto.fromBase64Url`). `lib/argon2-builtin.js` retains its own `_b64NoPad` helper (PHC strings use standard base64 alphabet `+/` not url-safe `-_`); converted from `.replace(/=+$/, "")` to a linear `charCodeAt`+`slice` loop. **Detectors:** *`inline-base64url-three-replace` + `mountinfo-options-bind-check`* — Any future site that reaches for either pattern trips the gate at n=1. KNOWN_CLUSTERS entry added for the JWT-family verification cluster (`dpop.verify` / `jwt._requireNumericDate` / `oauth.verifyBackchannelLogoutToken`) that surfaced after the redos sweep shifted line offsets; structurally distinct RFC primitives (RFC 9449 DPoP / RFC 7519 JWT / OIDC Back-Channel Logout) sharing a replayStore.checkAndInsert + numeric-date-bound shingle. **References:** [RFC 4648 §5 (base64url)](https://www.rfc-editor.org/rfc/rfc4648#section-5) · [CodeQL js/polynomial-redos](https://codeql.github.com/codeql-query-help/javascript/js-polynomial-redos/)
+- v0.9.44 (2026-05-15) — **`b.storage.chunkScratch` resumable-chunked-upload primitive + `b.agent.tenant` cryptoField adoption helper.** Two operator-deployment primitives that close gaps every consumer was reinventing. **Added:** *`b.storage.chunkScratch(opts?)` — resumable chunked upload primitive* — Operators handling large file uploads (multipart-form / tus / S3-multipart-style flows) have reinvented the per-assembly directory layout + atomic finalize + GC of partial assemblies pattern. This primitive owns it once. Returns a handle with 10 lifecycle methods: `saveChunk` (per-chunk `maxChunkBytes` cap default 16 MiB; envelope-encrypted via the framework vault), `getChunk`, `chunkExists`, `listChunks` (sorted indices), `countChunks`, `removeChunk`, `assemble` (monotonic 0..N-1 index check; refuses on gap or expectedTotal mismatch), `removeAssembly`, `listAssemblies`, `listStaleAssemblies({ olderThanMs })` + `gc({ olderThanMs })` for partial uploads abandoned mid-stream (default stale window 24h). `assemblyId` shape is validated to refuse path-traversal (`..`), slash / backslash, NUL / C0 / DEL, dot-prefix, and oversize (>128 bytes). Backend is the operator-configured `b.storage` backend (no new backend concept). Audit events: `system.storage.chunk_scratch.chunk_saved` / `assembled` / `removed` / `gc`. Wire-protocol reference: tus.io v1.0.0, RFC 9110 §14.4 Content-Range, draft-ietf-httpbis-resumable-upload-08. Threat-model: CVE-2018-1000656-class path-traversal in upload paths defended via the assemblyId validator; storage exhaustion from abandoned uploads defended via the GC primitive; chunk-out-of-order replay defended via `assemble`'s monotonic index check. · *`b.agent.tenant` cryptoField adoption helper* — `sealField(tenantId, table, field, plaintext)` / `unsealField(...)` / `sealRowForTenant(tenantId, table, row)` / `unsealRowForTenant(tenantId, table, row)`. `b.cryptoField.sealRow` uses the singleton vault keypair — every tenant's sealed data decrypts under the same framework key, which fails the cross-tenant cryptographic isolation that HIPAA §164.312(a)(2)(iv) Encryption-at-rest, GDPR data-residency-per-tenant, and PCI scope-isolation deployments require. The adoption helper derives a per-tenant 32-byte AEAD key via `b.crypto.namespaceHash("agent.tenant.derive.cryptoField:<table>", tenantId)` (NIST SP 800-108 r1 §5.1 KDF-in-Counter-mode shape using SHA3-512) and routes each sealed field through `b.crypto.encryptPacked` (XChaCha20-Poly1305 per draft-irtf-cfrg-xchacha-03; 24-byte nonce making random-nonce generation safe at framework scale) with AAD-bound context (`tenantId|table|field`) per RFC 8439 §2.5 so a ciphertext from tenant A literally cannot decrypt as tenant B's row — even with the wrong tenantId the Poly1305 tag check fails. Threat-model coverage: cross-tenant data exposure class (CVE-2019-19528 was an early multi-tenant example where shared encryption keys allowed cross-tenant decrypt with DB access; this primitive's AAD-binding + per-tenant key derivation defends the class by construction). Ciphertext shape: `"tnt-v1:" + base64(packed)`, distinguishable from `vault.seal`-sealed cells (which start with `"vault:"`) so a storage layer can mix both. `sealRowForTenant` adopts the existing `b.cryptoField` table schema (`sealedFields`); cross-tenant decrypt safe-fails the affected field to `null` (matching `b.cryptoField.unsealRow`'s posture).
+- v0.9.43 (2026-05-15) — **`b.testHarness.start` + `b.middleware.composePipeline` + `b.watcher` `mode: "auto"`.** Three downstream-consumer DX primitives that close operator-friction gaps. **Added:** *`b.testHarness.start(opts?)` — isolated-boot helper* — Collapses the ~20-line mkdtemp + env-var setup + vault.init + teardown pattern every consumer was reinventing in `tests/helpers/`. Returns a handle exposing `{ dataDir, dbPath, vaultDir, env, stop() }`. Generates a mkdtemp-based isolated dataDir under `os.tmpdir()` with `b.crypto.generateToken(4)` random suffix, sets `<prefix>_DATA_DIR` / `_DB_PATH` / `_VAULT_DIR` env vars, optionally awaits `b.vault.init` in plaintext mode. Concurrent harnesses with `initVault: true` share the process-global vault state via internal reference counting; the last `stop()` releases vault. · *`b.middleware.composePipeline(entries, opts?)` — order-aware middleware composer* — Canonical-position registry for 14 framework middlewares (`requestId=5` / `apiEncrypt=10` / `bodyParser=20` / `cspNonce=22` / `securityHeaders=25` / `csrf=30` / `idempotency=30` / `fetchMetadata=32` / `rateLimit=40` / `botGuard=42` / `requireAuth=50` / `attachUser=52` / `handler=60` / `errorHandler=90`). Conflict detection at registration time refuses duplicate names, duplicate explicit-position values, and non-monotonic positions. Strict mode (`opts.strict: true`) refuses canonical-name position mismatches; default `false` runs but emits `system.middleware.compose.canonical_mismatch` audit. Sync throws inside middleware propagate to `finalNext`. Boot-time `system.middleware.compose.pipeline_built` audit lists final ordered entries. · *`b.watcher.create({ root, mode: "auto", ... })` — Docker bind-mount fallback* — Inside a Linux container with a host bind-mount, `fs.watch` returns no events across gRPC-FUSE / VirtioFS / 9p / NFS / CIFS / vboxsf boundaries; `mode: "auto"` reads `/proc/self/mountinfo`, finds the mount carrying the watcher root, and falls back to `mode: "poll"` when the fstype is non-inotify OR when `/.dockerenv` is present AND mountinfo field 4 (root within source filesystem) is `!= "/"` (bind-mount signature — the kernel exposes the bound source path in this field; regular mounts always carry `/`). Native Linux mounts + non-Linux hosts (FSEvents / ReadDirectoryChangesW) keep `mode: "fs"`. The chosen backend + reason emits as `watcher.mode_auto_decision` on the audit chain. `mode: "fs"` (default) and `mode: "poll"` (explicit) unchanged; `mode: "auto"` is opt-in.
+- v0.9.42 (2026-05-15) — **`b.middleware.idempotencyKey` `bodyFingerprint` hook + misordered-mount detector.** Adds an operator-supplied body-extractor hook for the idempotency middleware so canonicalized payloads don't trip the same-key-different-body refusal, plus audit signals when the middleware is mounted before the body parser. **Added:** *`opts.bodyFingerprint: (req) => Buffer|string|object|null`* — Lets operators supply a custom body extractor instead of relying on the default `req._rawBody || req.body` lookup; useful when the parsed-body shape needs canonicalization (sorted keys, stripped metadata) before the fingerprint hash so retry-with-equivalent-payload doesn't trip the §4.3 same-key-different-body refusal. Hook return is normalized to Buffer (Buffer passthrough; string to UTF-8 bytes; object/array via `JSON.stringify` to bytes; null/undefined to empty fingerprint). Throws inside the hook emit `idempotency.body_fingerprint_failed` audit (warning) and treat the body as empty. · *Mount-order constraint and audit signal* — Idempotency must run AFTER body-parser; the hook reads request state at the moment idempotency executes, so a misordered mount silently degrades the fingerprint to method+path. `b.middleware.composePipeline` places bodyParser=20 / idempotency=30 by default. Body-bearing methods (POST/PUT/PATCH) that arrive without parsed-body OR raw-body data now emit `idempotency.empty_body_fingerprint` audit (warning) carrying `hasRawBody` / `hasParsedBody` / `hasFingerprintHook` so a misconfigured pipeline is detectable from audit logs.
+- v0.9.41 (2026-05-15) — **Operator-friction ergonomic helpers — `b.storage.listBackends` rootDir + `b.problemDetails.send` shortcut.** Three small additive surfaces, no behavior change for existing callers. **Added:** *`b.storage.listBackends()` surfaces `rootDir` for local-protocol backends* — Sourced from the live backend (with config-reload propagation) so downstream path-traversal guards + scratch-dir derivation read the canonical path directly from the framework instead of re-deriving from operator-supplied opts. Remote protocols (sigv4 / gcs / azure-blob / http-put) don't carry a rootDir; the field stays absent for those. · *`b.problemDetails.send(res, fields)` — bare wire-shape emit shortcut* — Lets routes migrate incrementally from inline `res.status(400).json({ error: ... })` to RFC 9457 problem-details without restructuring the handler around an error throw. Equivalent to `respond(res, create(fields))` in one call; same `application/problem+json` content type + `Cache-Control: no-store`. **Fixed:** *`b.mail.send` CR/LF/NUL refusal confirmed already in place* — At `lib/mail.js:275` / `:309` / `:1808` per RFC 5321 §2.3.8 + RFC 5322 §3.2.5 header-injection defense — operators with inline `validateEmailAddr` wrappers can retire them. No new API, just confirmation that the existing primitive already covers the wire-protocol injection class (CVE-2026-32178 .NET System.Net.Mail header injection defended at the framework boundary). **References:** [RFC 9457 (Problem Details for HTTP APIs)](https://www.rfc-editor.org/rfc/rfc9457)
+- v0.9.40 (2026-05-15) — **`b.guardListId` — RFC 2919 List-Id header validator.** Companion to the List-Unsubscribe validator; gates outbound mailing-list mail so the List-Id carries a well-formed identifier downstream filters + bulk-sender pipelines reliably route on. **Added:** *`b.guardListId.validate(headerValue, opts?)`* — Parses bracketed (`<my-list.example.com>`), phrase-prefixed (`My Newsletter <my-list.example.com>`), and bare-identifier forms per RFC 2919 §2. Returns `{ action, listId, label, namespace, phrase, reason }`. Action one of `accept` / `refuse`. · *RFC 2919 §3 caps + ABNF* — list-id capped at 255 octets; header value capped at RFC 5322 §2.1.1 line cap (998 bytes); per-label shape per RFC 5322 §3.2.3 dot-atom-text. · *Phrase-smuggling defense + CRLF/NUL/C0/DEL refusal* — Phrase MUST NOT contain `<` / `>` (would smuggle a second bracketed identifier through the parser). Trailing content after `>` refused. Nested or unmatched brackets refused. Header-injection defense per RFC 5322 §3.2.5 + CVE-2026-32178 wire-protocol surface class. · *`localhost` namespace + FQDN enforcement* — Strict requires the recommended 32-hex random component in the `localhost` namespace label (the RFC's SHOULD becomes operator-strict for HIPAA / PCI / GDPR / SOC2 postures); balanced / permissive accept without. FQDN namespace enforced under strict / balanced — list-id with single-label namespace refused unless permissive. Heuristic label / namespace split — last 2 dot-segments become namespace; consumers needing PSL-accurate org-domain extraction compose `b.publicSuffix.organizationalDomain`. Three profiles + posture cascade (`hipaa` / `pci-dss` / `gdpr` / `soc2` map to strict). Fuzz harness ships in `fuzz/guard-list-id.fuzz.js`. Registered as standalone guard with `KIND="list-id"`. Threat-model: List-Id forging (RFC 2919 §8 explicitly notes the identifier is NOT an authentication signal; operators wanting authentication compose `b.mail.auth.dmarc` / `arc.verify`), bulk-sender bucket-drop (Gmail 2024 keys on List-Id presence for Precedence: list / 5000+ daily-send mail). **References:** [RFC 2919 (List-Id)](https://www.rfc-editor.org/rfc/rfc2919)
+- v0.9.39 (2026-05-15) — **`b.guardListUnsubscribe` — RFC 2369 + RFC 8058 List-Unsubscribe / List-Unsubscribe-Post validator.** Gates the outbound submission path so messages carrying a List-Id (or any mailing-list shape) emit headers Gmail / Yahoo / Outlook one-click unsubscribe machinery actually accepts. **Added:** *`b.guardListUnsubscribe.validate({ listUnsubscribe, listUnsubscribePost }, opts?)`* — Returns `{ action, reason, uris, hasHttpsUri, hasMailtoUri, postHeaderOk, oneClickReady }`. · *Gmail / Yahoo bulk-sender 2024 enforcement* — Under strict requires at least one `https://` URI in the header (mailto: alone refused) + the paired `List-Unsubscribe-Post: List-Unsubscribe=One-Click` value EXACTLY (case-sensitive — Gmail silently fails one-click on mixed-case variants). · *Always-refused schemes* — `javascript:` / `data:` / `file:` / `vbscript:` / `blob:` refused regardless of profile (XSS / file-read class in mail-client rendering). `http://` refused under strict / balanced — one-click endpoint MUST be TLS per RFC 8058 §2. Permissive accepts http for audit-only legacy use. · *Header-injection defense + bounded surface* — CRLF, NUL, C0 controls, DEL refused at validate time (RFC 5322 §3.2.5). Per-URI byte cap (2 KiB strict / 4 KiB permissive), URI-count cap (4 / 8 / 16), header total byte cap (4 / 4 / 8 KiB). RFC 3986 §3.1 scheme shape; RFC 2369 §3.1 angle-bracket URI list. HTTPS URIs validated through `b.safeUrl.parse` with the framework's HTTPS allowlist. Three profiles + posture cascade (`hipaa` / `pci-dss` / `gdpr` / `soc2` map to strict). Fuzz harness ships in `fuzz/guard-list-unsubscribe.fuzz.js`. Registered as a standalone guard with KIND="list-unsubscribe". Threat-model coverage: unsubscribe-link injection via machine-generated newsletter templates, open-redirect via List-Unsubscribe (operator validates target host downstream via own safeRedirect allowlist). **References:** [RFC 2369 (List-Unsubscribe header)](https://www.rfc-editor.org/rfc/rfc2369) · [RFC 8058 (One-Click)](https://www.rfc-editor.org/rfc/rfc8058)
+- v0.9.38 (2026-05-15) — **Republish — prefix npm tarball path with `./` so npm doesn't mis-classify it as a git spec.** Two prior publish workflow runs both failed at exit 128 — npm 10+ interprets a relative tarball path containing `/` (`dist/blamejs-core-0.9.X.tgz`) as a git spec and attempts `git ls-remote ssh://git@github.com/dist/...tgz`, which the runner's SSH credentials can't auth against. v0.9.29 through v0.9.37 never reached npm as a result; v0.9.28 remained the latest published version. **Fixed:** *`./` prefix on the tarball path in `npm-publish.yml`* — No operator-facing primitive change vs the previous release — operators upgrading from v0.9.28 see the full bundled surface delivered by the in-between releases: agent.trace + agent.snapshot, safeDns + network.dns.resolver, guardSmtpCommand, mail.rbl, mail.greylist + lib/ip-utils, mail.helo, guardEnvelope, guardDsn.
+- v0.9.37 (2026-05-15) — **`b.guardDsn` — RFC 3464 Delivery Status Notification parser.** Reads the `message/delivery-status` MIME-part body bounces / delayed-delivery notices / successful-delivery confirmations carry and surfaces the per-recipient action + RFC 3463 enhanced status code so operator-side delivery-failure routing reads one shape regardless of MTA wording. **Added:** *`b.guardDsn.parse(deliveryStatusBody, opts?)`* — Returns `{ perMessage: { reportingMta, originalEnvelopeId?, arrivalDate?, receivedFromMta? }, perRecipients: [{ finalRecipient, action, status, statusClass, diagnosticCode? }, ...], worstStatusClass, action }`. · *RFC 3464 mandatory-field enforcement* — Reporting-MTA required per §2.2.2; per-recipient Final-Recipient (§2.3.2), Action (§2.3.3) from `{ failed | delayed | delivered | relayed | expanded }` vocabulary, and Status (§2.3.4) in RFC 3463 `D.D.D` form all required. Missing-field surfaces as a typed error (`guard-dsn/missing-{reporting-mta|final-recipient|action|status}`). · *RFC 3463 status-class verdict — `2.x.y` deliver / `4.x.y` retry / `5.x.y` invalidate* — First digit drives routing. Worst class across recipients wins so a single permanent failure in a multi-recipient bounce flips `action: invalidate`. · *Defenses — bounded body cap + recipient cap + header-line cap + CRLF/NUL/C0/DEL refusal* — Bounded body cap (256 KiB strict / 1 MiB balanced / 4 MiB permissive), per-DSN recipient cap (256 / 1024 / 4096), RFC 5322 §2.1.1 header-line cap (998 bytes), CRLF / NUL / C0 / DEL refusal for header-injection defense (CVE-2026-32178 .NET System.Net.Mail class on the inbound parse path). RFC 5322 §2.2 continuation lines: values can wrap onto subsequent lines starting with whitespace; parser folds correctly. `rfc822;` address-type prefix stripped per RFC 3464 §2.3.2 so consumers see canonical mailbox form. Three profiles + posture cascade (`hipaa` / `pci-dss` / `gdpr` / `soc2` map to strict). Fuzz harness ships in `fuzz/guard-dsn.fuzz.js`. **References:** [RFC 3464 (DSN format)](https://www.rfc-editor.org/rfc/rfc3464) · [RFC 3463 (enhanced status codes)](https://www.rfc-editor.org/rfc/rfc3463)
+- v0.9.36 (2026-05-15) — **`b.guardEnvelope` — RFC 7489 §3.1 DMARC Identifier Alignment validator.** Focused gate exposing the From-header-vs-SPF/DKIM alignment primitive so the MX listener can short-circuit on alignment fail before the full DMARC TXT lookup, and operator middleware can reuse alignment without dragging in the full DMARC orchestrator. **Added:** *`b.guardEnvelope.check(ctx, opts?)`* — ctx carries `fromHeaderDomain` + `spfResult: { result, domain }` + `dkimResults: [{ result, signingDomain }]`. Returns `{ spf, dkim, aligned, action }` — `aligned: true` when at least one of SPF/DKIM is identifier-aligned (RFC 7489 §3.1: From-domain matches SPF MailFrom OR DKIM d= under chosen mode). · *Strict vs relaxed match (RFC 7489 §3.1.1 / §3.1.2)* — Strict requires exact FQDN match, relaxed (RFC 7489 §6.2 default) requires same organizational domain via `b.publicSuffix.organizationalDomain` (Public Suffix List). Per-call override via `spfMode: strict | relaxed` + `dkimMode`. · *Verdict shape — per-signature visibility* — `spf: { aligned, mode, domain, fromDomain, spfPass }`, `dkim: [<verdict>...]` (one per signature so multi-signer messages with mixed pass/fail are visible), `aligned: bool` (any-of), `action: accept | refuse`. Strict + balanced profiles refuse on alignment fail; permissive computes alignment but always accepts (operator score-tags downstream). · *Threat-model — envelope-vs-header spoofing + public-suffix confusion* — `MAIL FROM:<service@aws-bounces.com>` passes SPF for aws-bounces.com but `From: payments@your-bank.example` — refused under strict. Attacker can't claim `co.uk` as an org domain because PSL classifies it as a public suffix; `victim.co.uk` vs `attacker.co.uk` have different effective org domains. Same-org-different-subdomain attack under strict mode (operator opts to relaxed for legitimate cross-subdomain mail). Posture cascades (`hipaa` / `pci-dss` / `gdpr` / `soc2` map to strict). Fuzz harness ships in `fuzz/guard-envelope.fuzz.js`. Registered as a standalone guard via `KIND: "envelope-alignment"` and NAME: "envelope". **References:** [RFC 7489 (DMARC)](https://www.rfc-editor.org/rfc/rfc7489)
+- v0.9.35 (2026-05-15) — **`b.mail.helo` — RFC 5321 §4.1.1.1 HELO/EHLO validation + RFC 8601 §2.7.6 FCrDNS verifier.** Substrate for the upcoming MX listener's EHLO boundary. Composes the validating DNS resolver for forward-confirmed reverse-DNS. **Added:** *`b.mail.helo.evaluate({ ip, claimedName, resolver }, opts?)`* — Returns `{ action, shape, fcrdns, genericRdns, reason }`. Action one of `accept` / `reject-shape` / `soft-fail-fcrdns` / `match-self-refused` / `literal-mismatch`. · *Shape gate — RFC 5321 §2.3.5 LDH labels* — FQDN required under strict (operator opts down to permissive); bare host refused; localhost / localhost.localdomain refused per RFC 6761 §6.3; oversize past RFC 1035 §2.3.4 cap refused. · *Address-literal handling (RFC 5321 §4.1.3)* — `[1.2.3.4]` IPv4 and `[IPv6:2001:db8::1]` IPv6 accepted when matches the connection IP, refused otherwise. IPv6 compare uses `ipUtils.expandIpv6Hex` canonical form so a literal in expanded notation matches a compressed connection-IP representation. · *FCrDNS check (RFC 8601 §2.7.6 / RFC 1912 §2.1)* — When resolver supplied, queries PTR for connection IP (in-addr.arpa for IPv4, ip6.arpa for IPv6), then A/AAAA for each PTR result; verdict requires at least one forward IP equals the connection IP. Verdict surfaces `fcrdns: { rdnsNames, forwardIps, matchedIp }` so operator audit pipelines see exactly why FCrDNS passed/failed. · *Generic-rDNS heuristic + HELO-self spoofing defense* — Ships pattern list for consumer-ISP dynamic-pool naming (`dynamic`, `dial-?up`, `dsl`, `cable`, `pool[-_]`, `ppp[0-9]`, `broadband`, IPv4-in-name). Operator extends per-deployment via `genericRdnsPatterns: [<regex>...]`. Verdict flags `genericRdns: true` for MX policy to layer with RBL + greylist. Operator-supplied `selfNames: [...]` list refuses peers claiming our own MX hostnames (`match-self-refused`). · *Per-profile FCrDNS enforcement* — `strict` requires FCrDNS for both v4 + v6, `balanced` requires v4 only (consumer IPv6 PTR records are spotty across ISPs and over-rejecting hurts legitimate cloud / VPS senders), `permissive` skips FCrDNS entirely. Posture cascades (`hipaa` / `pci-dss` / `gdpr` / `soc2` map to strict). Threat-model: HELO spoofing (selfNames defense), botnet residential-IP class (generic-rDNS + RBL composition), DNS poisoning of PTR (inherits resolver's safeDns caps + AD-bit surface + CVE coverage).
+- v0.9.34 (2026-05-15) — **`b.mail.greylist` — RFC 6647 SMTP greylisting + IPv6-expansion helper extracted to `lib/ip-utils.js`.** Greylisting primitive that the MX listener composes, with GDPR-grade triplet hashing and a shared IPv6-expansion helper extracted from three inlined copies. **Added:** *`b.mail.greylist.create({ profile, posture, store, minDelayMs, whitelistTtlMs, maxEntries, allowedSources, audit })`* — Facade with `.check({ ip, mailFrom, rcptTo, now? })` returning a verdict (`defer` / `accept` / `accept-first-pass`) and `.gc({ olderThanMs })` for retention. RFC 6647 §4.4 recommended triplet (IP + RFC 5321 MailFrom + first RcptTo) with CIDR aggregation per profile (default /24 IPv4, /64 IPv6 — matches retry-cluster behavior of Gmail / Outlook / AWS SES). RFC 6647 §4.5 retry window (default minDelayMs = 5 min) + whitelist TTL (default 36 days). Operator returns SMTP `451 4.7.1` on defer; legitimate MTAs retry and pass through. · *Privacy by construction — namespace-hashed triplet* — GDPR Art. 5(1)(c) data-minimization: triplet is namespace-hashed (`b.crypto.namespaceHash("mail.greylist", ...)` sha3-512) so the on-disk key is unlinkable to the PII triplet; operator dumps of the greylist table never leak sender/recipient pairs. · *Pluggable backend + allowed-source bypass + whitelist-TTL re-greylisting* — `{ get, put, delete, gc }` interface. In-memory default for single-process MX; operator wires sqlite-backed or external DB for multi-process MX fleets so a retry landing on a different process sees the first-attempt fingerprint. `allowedSources: [ip, ...]` skips greylisting per RFC 6647 §6.2 (listservs, transactional partners, healthcare 2FA, etc.). RFC 6647 §4.5: when a previously-passed fingerprint exceeds its TTL without recent traffic, the next attempt is deferred again and a fresh fingerprint planted. **Changed:** *Shared IPv6 expansion extracted to `lib/ip-utils.js`* — Replaces 3 inlined implementations (`lib/mail-auth.js` `_ipv6Expand`, `lib/mail-rbl.js` `_expandIpv6`, `lib/mail-greylist.js` `_expandIpv6`). The shared helper handles RFC 4291 §2.5.5.2 IPv4-in-IPv6 dual-stack form (`::ffff:1.2.3.4`) which the per-module copies were inconsistent on. mail-auth keeps an `expandIpv6Groups` view (returns 8 x uint16 for SPF / DMARC bitwise CIDR eval); mail-rbl and mail-greylist use the `expandIpv6Hex` view (returns the 32-hex-char canonical form for RFC 5782 §2.4 reverse-DNS construction and CIDR aggregation respectively). Three profiles + posture cascades (`hipaa` / `pci-dss` / `gdpr` / `soc2` map to strict). Threat-model coverage: snowshoe + single-attempt botnet flood, fingerprint-store poisoning (operator-supplied IPs hashed before storage; `maxEntries` cap with FIFO eviction), CIDR-aggregation bypass. **References:** [RFC 6647 (SMTP greylisting)](https://www.rfc-editor.org/rfc/rfc6647)
+- v0.9.33 (2026-05-15) — **`b.mail.rbl` — RFC 5782 DNSBL + DNSWL query primitive composing the validating resolver.** Substrate for the upcoming MX listener's IP-reputation check on every accepted connection + the submission listener's outbound-rate / spam-source list. **Added:** *`b.mail.rbl.create({ resolver, blocklists, allowlists, profile, posture, withReason, audit })`* — Facade over `b.network.dns.resolver`. Surface: `instance.query(ip, qopts)` for IP-based lookups, `instance.queryDomain(domain, qopts)` for domain blocklists (Spamhaus DBL / SURBL pattern). Returns `{ listed, allowed, neutral, errors }` so MX policy code reads one shape regardless of which list fired. · *`b.mail.rbl.reverseIp(ip)` — pure helper for the RFC 5782 reverse-DNS construction* — IPv4 octets reversed (§2.1, `192.0.2.99` becomes `99.2.0.192`), IPv6 nibble-reversed across all 128 bits (§2.4). Handles compressed `::` notation per RFC 4291 §2.2. · *A-record return surface + TXT-reason lazy fetch + NXDOMAIN-means-not-listed* — Exposes raw `127.0.0.x` semantic byte so operator MX policy can inspect sub-list codes (Spamhaus convention: `.2` SBL, `.4` XBL, etc.). RFC 5782 §2.1 explicitly forbids treating these as routable addresses. Opt-in TXT-reason fetch via `{ withReason: true }` so operators can render the listing reason back to the peer via SMTP 550 message. NXDOMAIN is treated as the neutral verdict per RFC 5782 §2.1.1, not an error. · *DoS-by-list defense — per-list concurrency cap + timeout* — Default 8 concurrent in strict; per-list timeout default 5s strict / 10s balanced / 20s permissive — a slow upstream list can't stall the MX listener. Three profiles + posture cascades (`hipaa` / `pci-dss` / `gdpr` / `soc2` map to strict). Threat-model inherits the resolver's CVE coverage (CVE-2008-1447 Kaminsky, CVE-2022-3204 NRDelegationAttack, CVE-2023-50387 / CVE-2023-50868 KeyTrap + NSEC3-encloser, CVE-2024-1737 BIND9 large-RRset). **References:** [RFC 5782 (DNSBL / DNSWL)](https://www.rfc-editor.org/rfc/rfc5782)
+- v0.9.32 (2026-05-15) — **`b.guardSmtpCommand` — SMTP command-line validator with bare-CR / bare-LF smuggling defense + per-verb shape + RFC 5321 caps.** Gates every SMTP command verb the framework's MX and submission listeners will accept. Refuses bare CR / bare LF anywhere in a command per RFC 5321 §2.3.8 — defends the 2023/2024 SMTP-smuggling CVE family at the wire-protocol surface. **Added:** *Smuggling defense at the command-line level* — Refuses bare `\r` or `\n` anywhere in a command (RFC 5321 §2.3.8); defends CVE-2023-51764 (Postfix), CVE-2023-51765 (Sendmail), CVE-2023-51766 (Exim), and CVE-2026-32178 (.NET `System.Net.Mail` SMTP header injection). Operators with peers that legitimately speak bare-LF (rare; legacy Sendmail-to-Sendmail) opt down to the `permissive` profile with audit emit per accepted bare-LF line. · *STARTTLS command-buffer defense* — Refuses trailing payload on `STARTTLS` lines (defends CVE-2021-38371 Exim STARTTLS response injection and CVE-2021-33515 Dovecot lib-smtp STARTTLS command injection at the per-line shape; the stateful buffer-drain check is the listener's responsibility and lands with the MX release). · *Per-verb argument shape — `EHLO` / `HELO` / `MAIL FROM` / `RCPT TO` / `BDAT` / `AUTH` / zero-arg verbs* — RFC 5321 §3 / §4.1: `EHLO` / `HELO` require exactly one domain or address-literal arg (`[IPv6:...]` form per RFC 5321 §4.1.3); `MAIL FROM:<reverse-path>` + `RCPT TO:<forward-path>` with optional ESMTP extension params per RFC 5321 §4.1.1.11; `BDAT <chunk-size> [LAST]` per RFC 3030 CHUNKING; `AUTH <SASL-mech> [<initial-response>]` per RFC 4954 with RFC 4422 mechanism-name charset; zero-arg verbs (`DATA` / `RSET` / `QUIT` / `STARTTLS`) refused with any trailing args. · *Byte caps + NUL/C0/DEL refusal* — Command line capped at 512 bytes per RFC 5321 §4.5.3.1.1 (strict); SMTPUTF8 / EAI peers (RFC 6531) routed through `balanced` profile with 1024-byte cap. Forward / reverse path 256 bytes, domain 255 bytes (RFC 1035 §2.3.4), local-part 64 bytes (RFC 5321 §4.5.3.1.1). Every byte below `0x20` and `0x7f` refused; non-ASCII refused under `strict` (SMTPUTF8 must be negotiated by peer before relaxing). Three profiles + posture cascades (`hipaa` / `pci-dss` / `gdpr` / `soc2`) all map to `strict`. Registers in `b.guardAll.allGuards()`'s `STANDALONE_GUARDS`. Fuzz harness ships in `fuzz/guard-smtp-command.fuzz.js`. **References:** [RFC 5321 §2.3.8 (CR / LF separation)](https://www.rfc-editor.org/rfc/rfc5321#section-2.3.8) · [CVE-2023-51764 (Postfix SMTP smuggling)](https://nvd.nist.gov/vuln/detail/CVE-2023-51764)
+- v0.9.31 (2026-05-15) — **`b.safeDns` + `b.network.dns.resolver` — bounded DNS-response parser and validating stub resolver.** Substrate for every framework consumer that walks the DNS (DKIM TXT lookup, MTA-STS verify, DANE TLSA, BIMI / VMC discovery, SVCB / HTTPS records, RBL queries, AutoConfig / AutoDiscover, MX / submission). **Added:** *`b.safeDns.parseResponse(buf, opts?)` — pure-functional DNS wire-format parser* — Caps every dimension an attacker can grow: response bytes (4 KiB strict default), label count per name, compression-pointer chain depth (RFC 1035 §4.1.4 loop defense), CNAME chain depth, per-section RR count (answer 64 / authority 32 / additional 32), TXT rdata total length, EDNS0 advertised buffer (RFC 6891 §6.1.3). Type decoders for A / AAAA / CNAME / NS / PTR / MX / TXT / SOA / SRV / DS / DNSKEY / RRSIG / TLSA. AAAA renders in canonical RFC 5952 form with longest-zero-run compression, single-zero-group preservation, and IPv4-mapped (`::ffff:n.n.n.n`) handling. · *`b.network.dns.resolver.create({ profile, posture, maxTtlMs, minTtlMs, serveStale, transport, audit })`* — Validating stub resolver. Every query parses through `b.safeDns`; cache keyed on `{ name, type }` with TTL = min across answer RRs (RFC 2181 §5.2), clamped to `[minTtlMs, maxTtlMs]`. · *Serve-stale on upstream failure or malformed response (RFC 8767)* — Operator-configurable stale window (default 6h; RFC 8767 §6 caps at 7 days). Returned entries carry `{ stale: true, fromCache: true }`. · *CNAME chain following with depth cap* — `followCnames(name, type, opts)` — per-hop depth check through `b.safeDns.checkCnameChainDepth` (default cap 8, matching BIND9's canonical-name-translation cap; RFC 1912 §2.4 chain-loop defense). · *AD-bit surface (RFC 4035 §3.2.3)* — Every response surfaces `{ validated: <AD-bit> }`. Per-call `validate: true` refuses responses with AD=0. Full local RRSIG verification deferred to operator-supplied validating recursive (Unbound / BIND9 / Knot) — root trust anchor management (RFC 5011 lifecycle) doesn't belong in a stub. **Security:** *CVE coverage at parse-time bounds* — CVE-2008-1447 (Kaminsky cache-poisoning — bounded parse + random query ID + DoH TLS transport); CVE-2022-3204 (NRDelegationAttack — RR caps on authority + additional); CVE-2023-50387 / CVE-2023-50868 (KeyTrap / NSEC3-encloser — DNSKEY+RRSIG+NSEC3 counts bounded at parse time); CVE-2024-1737 (BIND9 large-RRset resource exhaustion). Three profiles (`strict` / `balanced` / `permissive`); posture cascades (`hipaa` / `pci-dss` / `gdpr` / `soc2`) all map to strict — DNS is critical-path substrate, no posture loosens it. QNAME minimization (RFC 9156) deliberately not in the stub — the operator's upstream recursive does QNAME-min. **References:** [RFC 1035 (DNS wire format)](https://www.rfc-editor.org/rfc/rfc1035) · [RFC 8767 (serve-stale)](https://www.rfc-editor.org/rfc/rfc8767) · [RFC 4035 §3.2.3 (DNSSEC AD bit)](https://www.rfc-editor.org/rfc/rfc4035#section-3.2.3)
+- v0.9.30 (2026-05-14) — **`b.agent.snapshot` — drain then snapshot in-flight state; restart then restore and resume.** Closes the agent + orchestration substrate playbook — every primitive is now operationally durable across deploys + crashes. Mail-stack DNS resolver resumes next. **Added:** *`b.agent.snapshot.create({ orchestrator, backend, audit, policy })`* — Facade. Surface: `takeSnapshot(opts)`, `persist(snap)`, `loadLatest({ tenantId })`, `loadById(id)`, `restore(snap, { allowSchemaVersionMismatch, refuseOnTopologyChange })`, `list({ tenantId, sinceMs })`, `gc({ olderThanMs })`. · *Snapshot envelope shape* — Carries `snapshotId` + `takenAt` + `frameworkVersion` + `schemaVersion` (currently 1) + `tenantId` + `orchestratorState` (agents / elections / consumers) + `inFlight` (streams / sagas / outboxJobs / busSubscribers / pendingDeliveries) + `idempotencyCache` (hot subset). Pluggable backend via `{ put, get, list, delete }` interface; operator wires durable storage (sqlite / object-store / external). · *Cluster topology change handling — re-shard-and-resume default* — Restore audit emits `agent.snapshot.topology-change` at HEIGHTENED severity carrying snapshot consumer count vs current, reshardedShards (set diff of topic names), affectedInFlight count, affectedSagas + affectedStreams counts so operator monitoring pipelines see exactly what changed across the deploy. Opt-in refuse via `restoreOpts.refuseOnTopologyChange` for strict-topology operators. · *Schema-version mismatch refused by default* — Operator opts in via `restoreOpts.allowSchemaVersionMismatch` for explicit major-version migrations. · *`b.guardSnapshotEnvelope`* — Envelope shape validator. Refuses missing `snapshotId` / `takenAt` / `frameworkVersion` / `orchestratorState` / `inFlight`, bad `schemaVersion` (non-integer / non-positive), oversize (default 50 MiB / 200 MiB / 1 GiB per profile), in-flight count cap (default 65536 strict). Audit lifecycle: `agent.snapshot.taken` / `persisted` / `restored` / `topology-change` / `gc`. Fuzz harness ships in `fuzz/guard-snapshot-envelope.fuzz.js`.
+- v0.9.29 (2026-05-14) — **`b.agent.trace` — distributed tracing through every agent boundary.** Composes `b.tracing` (W3C trace context). Cross-process trace continuity without per-handler wiring; operators get a full waterfall across hosts. **Added:** *`b.agent.trace.create({ tracing, audit, sampleRate, perMethod })`* — Facade. Surface: `startSpan(name, opts)`, `injectIntoEnvelope(envelope, span)`, `extractFromEnvelope(envelope)`, `recordResult(span, result, error?)`, `shouldSample(method)`, `formatAttributes(info)`. · *W3C Trace Context propagation across queue / event-bus / sub-agent boundaries* — `injectIntoEnvelope` adds `_trace: { traceparent, tracestate }` to envelopes; `extractFromEnvelope` parses + validates the incoming envelope's trace context via `b.guardTraceContext`. · *Per-method sampling* — Global `sampleRate` (0..1) + `perMethod` override; useful for high-volume operators that want full traces for `send` but 10% for `fetch`. · *Span attribute formatter* — `formatAttributes({ method, dispatchMode, tenantId, postureSet, shard, resultStatus, elapsedMs })` produces W3C-compliant span attributes (`agent.method`, `agent.tenant_id`, `agent.posture` as JSON-array, etc.) so OpenTelemetry exporters render the agent waterfall consistently across all observability stacks. · *`b.guardTraceContext`* — W3C Trace Context shape validator. Refuses traceparent of wrong length (W3C §3.2.1 requires exactly 55 chars), non-hex chars, all-zero trace-id (§3.2.2.3) / span-id (§3.2.2.4), version `ff` (W3C-forbidden), version not in profile allowlist, oversized tracestate, too many tracestate entries. Length-bound before regex test so hostile input can't burn regex-engine CPU. Fuzz harness ships in `fuzz/guard-trace-context.fuzz.js`. **References:** [W3C Trace Context Level 2](https://www.w3.org/TR/trace-context-2/)
+- v0.9.28 (2026-05-14) — **`b.agent.postureChain` — set-based compliance posture propagated across every agent boundary.** Compliance regimes (HIPAA / PCI-DSS / GDPR / SOC2) protect DIFFERENT regulated-data classes — they're orthogonal, not a linear lattice. Set semantics match how real-world regulations actually overlap (a clinic that processes payment cards operates under BOTH HIPAA + PCI). **Added:** *`b.agent.postureChain.create({ audit })`* — Facade with `isSubset(targetSet, sourceSet)` (the core check: target.set superset-of source.set), `union(...sets)`, `canDelegate(sourceSet, targetSet, methodName)`, `appendHop(envelope, hopName)`, `validate(envelope, agentPostureSet)`, `declareRegime(name)`, `REGIMES` (frozen array). · *Cross-boundary downgrade refusal* — `validate(envelope, agentPostureSet)` throws `agent-posture-chain/downgrade-refused` when the target (agent) posture set is missing any regime the source (envelope) carries. Audit emit at HEIGHTENED with the missing regime list + chain trail so operator review pipelines surface every downgrade attempt. · *Hop trail tracking with recursion guard* — `appendHop(envelope, hopName)` immutably extends `{ chainTrail, enteredAt, hopCount }`. Hop count caps at default 16 — defends infinite recursion across agent delegation. Per-hop timestamps must be monotonic non-negative numbers (guard rejects non-monotonic, length mismatches, etc.). · *`b.guardPostureChain`* — Envelope shape validator. Refuses oversized hop trail (cap = 16 hops strict), non-ASCII hop names (operator-greppable), C0 / DEL forbidden, duplicate hops in trail (recursion guard), duplicate regimes in `postureSet`, non-monotonic `enteredAt` timestamps, `enteredAt` length mismatch with `chainTrail`. Built-in regimes: HIPAA, PCI-DSS, GDPR, SOC2. Operator declares custom regimes via `chain.declareRegime("healthcare-tier-1")`; duplicate declarations refused. Empty source subset-of any target — unscoped calls flow freely. Fuzz harness ships in `fuzz/guard-posture-chain.fuzz.js`.
+- v0.9.27 (2026-05-14) — **`b.agent.saga` — multi-step coordination with compensation cascade.** Exactly-once via the framework's outbox + idempotency primitives; reverse-order compensations on failure; survives orchestrator restart via persisted saga state. **Added:** *`b.agent.saga.create({ name, steps, audit })`* — Every step has `{ name, run: async (ctx, state) => {}, compensate?: async (ctx, state) => {} }`. `saga.run(ctx, initialState, opts)` walks steps in order; each `run` mutates the shared `state` object. On step throw the framework fires every previously-completed step's `compensate` in REVERSE order (steps that hadn't completed aren't compensated). · *Compensation failure semantics* — A compensate that throws emits `agent.saga.compensation_failed` audit at CRITICAL severity, halts further compensations, and the saga's final error message carries both the original step failure + the compensation failure so operator alert pipelines see the full context. · *No saga-level retry — composition discipline* — Saga's value-add is COMPENSATION, not retry. Step.run wraps `b.retry` if needed (with the idempotency substrate available, internal retry inside step.run is side-effect-safe). Keeps the saga primitive focused on the coordination contract. · *Audit lifecycle* — `agent.saga.started` / `step_started` / `step_completed` / `step_failed` / `compensation_started` / `compensation_completed` / `compensation_failed` / `failed` / `completed`. Each event carries `sagaId` + `name` + `stepName` + `stepIndex` for operator dashboards. · *`b.guardSagaConfig`* — Saga-creation config validator. Refuses empty steps array, duplicate step names, non-function `run`, non-function `compensate` (when provided), non-ASCII saga name, oversized step count (default 32). Ships profile + posture vocabulary uniform with rest of guard family. Fuzz harness ships in `fuzz/guard-saga-config.fuzz.js`.
+- v0.9.26 (2026-05-14) — **`b.agent.tenant` — multi-tenant isolation as a first-class primitive.** Replaces the per-operator wiring of `actor.tenantId === registeredTenant` (which tends to leak across handlers) with one centralized scope. Archive-default destroy semantics match SEC 17a-4, FINRA 4511, HIPAA, and MiFID II retention obligations; crypto-erasure requires explicit step-up + dual-control. **Added:** *`b.agent.tenant.create({ backend, audit, permissions })`* — Facade with `register(tenantId, { posture, archivePolicy, metadata })`, `unregister(tenantId, opts)`, `lookup(tenantId)`, `list({})`, `check(actor, agentTenantId)`, `derivedKey(tenantId, purpose)`, `auditFor(tenantId)`, `listArchived()`. Pluggable backend; in-memory default. · *Cross-tenant gate (`check`)* — Refuses calls where `actor.tenantId !== agentTenantId` unless the actor holds `framework-cross-tenant-admin` scope (every cross-tenant access by an admin emits `agent.tenant.cross_tenant_access` audit at HEIGHTENED severity for operator review). · *Per-tenant derived keys + per-tenant audit* — `derivedKey` composes `b.crypto.namespaceHash` for deterministic per-tenant key derivation from `purpose` + `tenantId`. Cross-tenant decrypt refused at the vault boundary by construction — each tenant's seal-key derivation differs, so even with disk access an attacker can't cross-decrypt. `auditFor` returns an audit wrapper that auto-tags every emit with `metadata.tenantId` so each tenant's audit trail is independently filterable. · *Archive-default destroy semantics* — `unregister(tenantId)` archives by default (retention-safe, matches SEC 17a-4 6yr / FINRA 4511 / HIPAA §164.530(j) / MiFID II Art 16(7) compliance needs). Destruction requires explicit `{ destroy: true, stepUpToken, dualControlApprover, reason, actor }` — four preconditions all required together. The framework validates the SHAPE; the operator's step-up middleware + dual-control middleware grants the actual tokens upstream. Missing any precondition refuses with a specific `agent-tenant/destroy-requires-step-up` / `-dual-control` / `-reason` / `-actor` code so operators see exactly what's missing. · *`b.guardTenantId`* — Tenant-id shape validator. Refuses non-ASCII (operator-greppable in audit logs across stack boundaries), path-traversal (`..` / `/` / `\` / NUL / C0 / DEL), oversized (default 64 bytes), reserved `ROOT` / `FRAMEWORK` / `*`, leading `.`. Posture vocabulary uniform (`strict` / `balanced` / `permissive` profiles; hipaa / pci-dss / gdpr / soc2 postures pin strict). Fuzz harness ships in `fuzz/guard-tenant-id.fuzz.js`.
+- v0.9.25 (2026-05-14) — **`b.agent.eventBus` — typed cross-agent publish/subscribe with schema enforcement and cross-tenant subscribe refusal.** Substrate for every agent-to-agent reaction (`mail.scan.malware-detected` refuses source at MX, `mail.crypto.key-rotated` invalidates vault recipient cache, `ai.classify.prompt-injection-detected` quarantines the agent). **Added:** *`b.agent.eventBus.create({ pubsub, audit, permissions })`* — Facade over operator-supplied `b.pubsub` (or any `{ publish, subscribe, unsubscribe }`-shaped backend). Surface: `registerTopic(name, { schema, posture, permissions, tenantScope })`, `publish(name, payload, { actor })`, `subscribe(name, handler, { actor })` returns unsubscribe fn, `listTopics({ actor })`. · *Topic registration with schema* — Declared at boot via flat key->type map (`string` / `number` / `boolean` / `integer` / `isoDateTime` / `array` / `object`; suffix `?` marks optional). Unknown topics refuse publish + subscribe so typos fail loudly. Duplicate registration refused (operator must `unregister` first when the surface gains that surface in a later substrate release). · *Schema enforcement at every boundary + permission gating + cross-tenant isolation* — Every payload validated against schema before `pubsub.publish` AND at each delivery (subscriber-side re-validation defends in-flight tampering). `permissions.publish` + `permissions.subscribe` per-topic scope arrays; `b.permissions.check(actor, scope)` on every publish + subscribe call. `tenantScope: true` topics carry the publisher's `tenantId` in the wire envelope; subscriber's actor must declare a matching tenantId or the event is silently dropped at delivery with `agent.event_bus.cross_tenant_drop` audit. · *`b.guardEventBusTopic` + `b.guardEventBusPayload`* — Topic-name validator refuses dot-count < 3 (operators use `<domain>.<source>.<event>` shape), oversized (default 128 bytes), non-ASCII, reserved `framework.*` prefix, path-traversal shapes, slash, backslash, C0 / DEL. Payload validator bounded byte cap (default 64 KiB — events are metadata, not bulk data; publishers reference bulk data via `b.objectStore` IDs); type-check cascade refuses non-finite numbers, malformed ISO-8601 dateTime (length-bound to 64 chars before regex test so a hostile input can't burn regex-engine CPU), missing required fields, unknown fields (schemas must be exhaustive). Fuzz harnesses ship in `fuzz/guard-event-bus-topic.fuzz.js` + `fuzz/guard-event-bus-payload.fuzz.js`. **Changed:** *Shared agent-audit helper extracted to `lib/agent-audit.js`* — Factored out the identical `_safeAudit` wrapper that the orchestrator, idempotency, stream, and eventBus substrate modules carried inline. The four agent substrate modules now compose `agentAudit.safeAudit`.
+- v0.9.24 (2026-05-14) — **`b.agent.stream` — async-iterable variants for agent methods that yield N rows.** Cursor-backed delivery with built-in backpressure for the agent substrate. JMAP `Email/queryChanges` against million-message mailboxes returns an array today (OOM on client + agent before the response ships); this primitive lets handlers yield rows one at a time without buffering the full result. **Added:** *`b.agent.stream.create({ openCursor, cursorOpts, batchSize, orchestrator, actor, kind, audit })`* — Returns an object implementing `[Symbol.asyncIterator]` so operators write `for await (var row of stream) { ... }`. Operator supplies an `openCursor(cursorOpts)` factory returning a cursor with `fetchBatch(batchSize) -> { rows, nextCursor, done }` + optional `close()` + optional `lastSeenCursor()`. · *Backpressure built-in* — Async-generator semantics; each `next()` call yields one row from an in-memory batch buffer; the cursor only refetches when the buffer drains. Pulling slowly applies backpressure to the store side; a slow client can't OOM the server. · *Auto cursor close on every exit path* — Consumer `break` calls iterator `.return()`, consumer `throw` calls `.throw()`, natural exhaustion calls `.next()` until done — all three close the cursor via `try`/`finally`-style `_closeOnce` and emit `agent.stream.closed` audit with reason (`exhausted` / `consumer-break` / `consumer-throw` / `drain` / `error`). · *Drain marker on orchestrator drain* — When orchestrator drain fires mid-stream, the next `next()` call returns ONE final `{ _drainMarker: true, lastSeenCursor: <opaque>, reason: "drain" }` row + closes the cursor. Clients reconnecting via JMAP-WebSocket / IMAP NOTIFY pass `lastSeenCursor` back to resume from the same position against the new agent post-deploy. Composes the orchestrator's `registerStream` / `unregisterStream` / `isDraining` hooks. · *`b.guardStreamArgs`* — Validates `b.agent.stream.create` opts. Refuses non-integer `batchSize`, batchSize out of `[1, 1024]` strict-profile range, empty `kind` string, function / regex / Buffer / `__proto__` keys inside `cursorOpts` (structured-clone-unsafe). Ships strict / balanced / permissive profiles + hipaa / pci-dss / gdpr / soc2 postures. Fuzz harness ships in `fuzz/guard-stream-args.fuzz.js`. **References:** [RFC 8620 §5.5 (JMAP Core — position-paginated responses)](https://www.rfc-editor.org/rfc/rfc8620#section-5.5)
+- v0.9.23 (2026-05-14) — **CodeQL alert sweep — 30 closures across 6 rule classes + wiki @primitive validator extracted into static gates.** Regression cleanup of the earlier CodeQL batch — the framework-wide require-binding rename shifted line numbers and the suppression comments stopped tracking. Plus the wiki primitive validator now runs at static-gate time so the same nit class is caught pre-push instead of after a ~90s wiki-e2e cycle. **Added:** *Wiki @primitive validator extracted into static gates* — `examples/wiki/lib/source-comment-block-validator.js` (shared engine, pure module, no side effects) + `scripts/validate-source-comment-blocks.js` (framework-level standalone wrapper, runs in 419-466ms, no `@blamejs/core` / vault / DB / network dependencies). Existing wiki-e2e gate refactored to delegate to the shared engine; CI invocation unchanged. The release workflow's static-gate step now lists `node scripts/validate-source-comment-blocks.js` after `codebase-patterns.test.js`. Each suppression comment references the active defense by file:line so future CodeQL re-runs OR future readers know which suppression applies. **Fixed:** *`js/file-system-race` (10 sites)* — `lib/atomic-file.js:_readSyncCore` migrated from `statSync`+`readFileSync` to the canonical TOCTOU-safe-read scaffold (open fd then `fstatSync` then `readSync` loop then `closeSync` in finally; ENOENT now surfaces from `openSync`); `lib/restore-rollback.js` marker write switched to `openSync(..., "wx", 0o600)` + `writeSync` + `fsyncSync` + EEXIST tolerance; `lib/network-tls.js` new `_readPathFile` fd-based reader; `lib/backup/bundle.js` fd-narrowed read with short-read detection; `lib/static.js` content-safety gate converted to `fsp.open` filehandle pattern; `lib/vault/seal-pem-file.js`, `lib/atomic-file.js:fsyncDir`, `test/30-chain.js`, `examples/wiki/test/validate-{env,cli}-snapshot.js`, `examples/wiki/lib/source-doc-parser.js` got suppression refresh OR fd-narrowed refactor per shape. · *`js/insecure-temporary-file` (6 sites)* — `lib/mtls-ca.js` new `_writeExclusive` helper using `openSync(..., "wx", mode)` + `writeSync` + `fsyncSync`; `lib/vault/rotate.js` + `lib/http-client.js` got suppression refresh pointing at the operator-supplied stagingDir / 64-bit CSPRNG suffix defenses. · *`js/path-injection` (2 sites in `lib/static.js`)* — Suppression refresh pointing at the upstream `_resolveSafe` sandbox check (lexical resolve + `startsWith(rootResolved + sep)` + realpath escape guard + guardFilename gate). · *`js/remote-property-injection` (7 sites)* — `lib/middleware/csrf-protect.js` cookie-parse output + `lib/websocket.js` `_parseExtensionHeader` params switched to `Object.create(null)` so attacker-controlled keys have no prototype chain to pollute; `lib/middleware/body-parser.js` multipart fields got suppression refresh pointing at the POISONED_KEYS gate; `test/40-consumers.js` + `test/00-primitives.js` test fixtures suppressed with `test/` scope justification. · *`PinnedDependenciesID` (2 workflow files)* — Every `uses:` line was already SHA-pinned; the remaining alerts pointed at the `npm install --no-audit --no-fund` step in `.github/workflows/npm-publish.yml` + `ci.yml`. Added explicit `name@version` specifiers (esbuild + postject, mirroring `package.json`'s exact pins) so CodeQL recognizes the install as pinned without committing a lockfile (which the framework's zero-npm-runtime-deps posture forbids — vendored stack only). · *`js/regex/missing-regexp-anchor` (1 site)* — `scripts/build-vendored-sbom.js` host-extractor regex anchored to `^https?://github.com/` so an attacker-controlled `entry.source` containing `github.com` as a path or query substring can't misdirect purl dispatch into the github branch.
+- v0.9.22 (2026-05-14) — **`b.agent.idempotency` — cross-dispatch idempotency keys at every consumer boundary.** Second agent-substrate primitive. Provides JMAP retry-safe semantics from day one — operator-supplied keys are namespace-hashed before disk, replay counts are audited, and reuse with different args refuses via a request-fingerprint check. **Added:** *`b.agent.idempotency.create({ store, audit, ttlMs, maxResultBytes, fingerprintArgs })`* — Pluggable backing store via `{ get, put, delete, gc }`; in-memory default for single-process deployments, operator wires durable backends (sqlite-backed adapter or external). Surface: `instance.get(method, actorId, key)` returns cached envelope `{ result, firstAt, lastReplayedAt, replayCount, requestFingerprint }` or null; `instance.put(method, actorId, key, result, { args, requestFingerprint })` serializes via `b.safeJson.stringify`, persists with TTL, and refuses key-reuse-different-args via the request-fingerprint (sha3-512 of args sans key); `instance.invalidate(method, actorId, key)` is the saga-compensation escape hatch; `instance.gc({ olderThanMs })` for periodic cleanup. · *Keys hashed at the boundary* — Operator-supplied keys never reach disk in raw form — namespace-hashed via `b.crypto.namespaceHash("agent.idempotency", method + "\0" + actorId + "\0" + key)`. Cross-actor + cross-method isolation by construction: an attacker can't replay another actor's mutation by guessing the key. · *Replay tracking + audit emit* — Every cache hit increments `replayCount` and bumps `lastReplayedAt`; audit emits `agent.idempotency.replay` with the truncated actor-id hash + first/replay timestamps so operator pipelines surface retry storms. · *`b.guardIdempotencyKey` — operator-supplied key shape validator* — Refuses oversized (default 256 bytes), control chars (C0/NUL/DEL — defends audit-log injection), slash + backslash (defends operators routing keys through filesystem paths), path-traversal (`..`), non-ASCII under strict (operator-greppable in audit logs across stack boundaries; permissive opts down for legacy Unicode tenant IDs). Fuzz harness in `fuzz/guard-idempotency-key.fuzz.js`. · *`test/helpers/json-round-trip.js` — JSON round-trip test helper* — New `assertJsonRoundTrip(shape, label)` catches the bug class Codex flagged on PR #51 (v0.9.21 `register()` stored an agent function ref on the backend row, lost in DB/JSON serialization). Refuses on function fields, Buffer fields, Date objects, Symbol keys, BigInt values, non-finite numbers, and cycles. Applied retroactively to the v0.9.21 agent-orchestrator backend row in a regression test. · *Result size cap (default 1 MiB)* — Refuses with `agent-idempotency/result-too-big` so operators discover OOM-prone result shapes locally instead of at runtime. ClusterFuzzLite matrix entries added. **References:** [RFC 8620 JMAP Core (idempotency)](https://www.rfc-editor.org/rfc/rfc8620.html)
+- v0.9.21 (2026-05-14) — **`b.agent.orchestrator` — framework-level supervisor for every agent blamejs ships.** First of the agent/orchestration substrate primitives built before the mail-stack resumes. Provides a registry, sharded-topic dispatch, leader election, drain coordination, and a health aggregator — but does NOT supervise OS processes; spawn / restart-on-crash / pod scheduling stay with pm2 / systemd / k8s / Nomad. **Added:** *`b.agent.orchestrator.create(opts)` — registry + dispatch + election + drain + health* — Facade with `register(name, agent, opts)` / `lookup(name)` / `unregister(name)` / `list({ kind, tenantId })` registry; `spawnConsumers({ agent, queue, shards, taskTopic, maxConcurrency })` for sharded-topic dispatch (FNV-1a consistent-hash via `b.agent.orchestrator.shardFor(key, shards)`; per-shard topic suffix `<base>.<shard>`); `elect({ resource })` composing `b.cluster` DB-row leader election (returns `{ isLeader, fencingToken, leaderId }` — single-process deployments get a trivial-leader, cluster deployments delegate); `drain({ timeoutMs })` stopping every spawned consumer and audit-emitting elapsed/count; `health()` aggregating per-agent + per-consumer + per-election state into one shape ready for `b.middleware.healthcheck`. · *Pluggable backend — `{ get, set, delete, list }`* — In-memory default ships for single-process deployments; operator wires `b.config.loadDbBacked`-shaped or external for restart-survival of the registry state. · *`b.guardAgentRegistry` — registry-op shape validator* — Refuses non-ASCII agent names (NFC + ASCII-only — operator-greppable in audit logs), path-traversal shapes (`..` / `/` / `\` / NUL / C0 / DEL), oversized (default 64 bytes), reserved `FRAMEWORK.*` / `ROOT.*` prefix, duplicate-on-register, register without `agentKind`. Ships `strict` / `balanced` / `permissive` profiles and `hipaa` / `pci-dss` / `gdpr` / `soc2` postures (all pin strict). Fuzz harness in `fuzz/guard-agent-registry.fuzz.js`. · *Drain auto-wires into `b.appShutdown`* — When operator supplies an `appShutdown` instance, SIGTERM delivers a clean drain of all spawned consumers and stream-registry signal before the process exits. · *Stream-registry hooks — `registerStream` / `unregisterStream` / `isDraining`* — Substrate for the upcoming `b.agent.stream` async-iterable variants so they can check the drain flag and emit drain-markers cleanly across deploys. **References:** [FNV-1a hash](https://en.wikipedia.org/wiki/Fowler%E2%80%93Noll%E2%80%93Vo_hash_function)
+- v0.9.20 (2026-05-14) — **`b.mail.agent` — the standardization contract for every mail protocol blamejs ships.** Every above-the-wire mail surface (JMAP, IMAP, POP3, ManageSieve, MX listener, submission) translates protocol calls into `agent.X(args)`. RBAC, posture enforcement, audit emission, dispatch, and worker isolation are owned at the agent. **Added:** *`b.mail.agent.create` — facade with 23 methods* — Read surface (`search` / `fetch` / `thread` / `folders` / `quota`) backed by v0.9.19 `b.mailStore` and runs immediately. Move surface (`move` / `flag` / `delete`) backed by the new `mailStore.moveMessages` substrate; soft-delete moves to Trash and tags `\Deleted` (hard expunge wires later with retention-floor enforcement). Write surface (`compose` / `send` / `reply` / `forward`), Sieve (`sieve.list/put/activate`), identity (`identity.set` / `vacation.set`), MDN (`mdn.send/parse/allowList`), regulated export, and migration `import` throw `mail-agent/not-implemented` with a `wiredAt` tag naming the release that lights them up — defer-with-condition for v1-defensible scope. · *Dispatch contract — `local` / `queue` / `auto`* — `local` runs every method in-process. `queue` publishes envelopes to `mail.agent.tasks` via `b.queue.enqueue`; an `agent.consumer({ agent, queue })` running in a dedicated process or replicas across hosts pulls and executes. Posture metadata travels with each envelope; the consumer re-validates against its own posture before unseal so no posture downgrade survives the queue boundary. `auto` routes fast-path ops (`fetch` / `folders` / `flag` / `quota`) locally and heavy ops (`search` / `export`) to queue/workerPool when configured. · *Worker isolation* — `dispatch.workerPool` (composes `b.workerPool`) validated at create-time. The agent reserves `vaultKeyDelivery: "in-worker"` default vs `"main-only"` (posture-conditional — HIPAA/PCI/GDPR default to main-only when the worker-script path wires at the Sieve slice). · *`b.mail.agent.consumer` — queue-side facade for multi-host load-spreading* — Carries its own `store` and re-validates posture at the boundary so a misconfigured consumer can't observe sealed data above its posture set. · *Five new guards through `b.gateContract`* — `b.guardMailQuery` (search/fetch filter shape: bounded depth/keys/array-length, function/regex/Buffer/cycle refusal, `__proto__` key refusal, projection-column allowlist via `FILTERABLE_COLUMNS`, posture-required actor fields HIPAA->`purposeOfUse` / PCI->`pciScope` / GDPR->`lawfulBasis`); `b.guardMailCompose` (identity-vs-From alignment, recipient deduplication, attachment-byte cap default 25 MiB, body shape — exactly one of text/html unless `allowMultipartAlternative`, C0 control-char refusal in headers); `b.guardMailReply` (References-chain cap default 100 defends infinite-loop forwards, In-Reply-To continuity per RFC 5322 §3.6.4 — last References must match In-Reply-To, quoted-original byte cap, forwarded-attachment cardinality cap); `b.guardMailMove` (system-folder allowlist for INBOX/Sent/Drafts/Trash/Junk/Archive, admin-scope or `allowedFolders` gate for arbitrary destinations, path-traversal refusal, slash refusal — IMAP `.` hierarchy separator only); `b.guardMailSieve` (pre-parser shape: script-byte cap default 64 KiB, line-count cap defends one-byte-line bombs, name shape — path-traversal / slash / backslash refusal, actor-ownership check). Each ships `strict` / `balanced` / `permissive` profiles and `hipaa` / `pci-dss` / `gdpr` / `soc2` postures (all pin strict). · *`b.mailStore.moveMessages(fromFolder, toFolder, objectIds)`* — Per IMAP4rev2 §6.6.2, both folders bump modseq on move; agent.move composes this. Fuzz harnesses ship for every new guard, and the v0.9.19 substrates (`safe-mime` / `guard-message-id`) are now wired into the ClusterFuzzLite matrix. **References:** [RFC 5322 Internet Message Format](https://www.rfc-editor.org/rfc/rfc5322.html) · [RFC 9051 IMAP4rev2](https://www.rfc-editor.org/rfc/rfc9051.html) · [RFC 8620 JMAP Core](https://www.rfc-editor.org/rfc/rfc8620.html) · [RFC 8621 JMAP Mail](https://www.rfc-editor.org/rfc/rfc8621.html)
+- v0.9.19 (2026-05-14) — **First mail-stack substrates — `b.mailStore` + `b.safeMime` + `b.guardMessageId`.** Byte-level mail-store foundation that every above-the-wire mail primitive composes. Ships a bounded RFC 5322 / MIME parser, a Message-Id header-injection gate, and a sealed-by-default mail store with per-folder CONDSTORE modseq counters and JMAP cross-protocol object identifiers. **Added:** *`b.safeMime` — bounded RFC 5322 / 2045 / 2046 / 2047 / EAI MIME parser* — Caps every dimension an attacker can grow: total parts (default 64), nesting depth (default 16), boundary length (default 70 per RFC 2046 §5.1.1), header bytes (default 64 KiB), header line (default 998 per RFC 5322 §2.1.1), body bytes (default 25 MiB), message bytes (default 50 MiB). Charset and transfer-encoding allowlists. Surface: `parse(bytes, opts) -> tree`, `walk(tree, visitor)`, `findFirst(tree, predicate)`, `extractText(tree, opts)` (RFC 2046 §5.1.4 last-wins for `multipart/alternative`), `extractAttachments(tree, opts)`. Includes RFC 2047 Q+B encoded-word decoding and RFC 2231 charset'lang'value filename decoding. Throws `safe-mime/<code>` on every cap exceeded, malformed boundary, unknown charset/CTE, or control chars in headers. Defends CVE-2024-39929 (Exim MIME parser) and CVE-2025-30258 (gnumail truncated-MIME-tree class). Fuzz harness in `fuzz/safe-mime.fuzz.js`. · *`b.guardMessageId` — RFC 5322 §3.6.4 Message-Id validator* — Gates Message-Id / In-Reply-To / References at the mail-store append boundary and at future MX inbound + submission outbound paths. Refuses oversized (>998 bytes), bare CR/LF/NUL/C0/DEL (defends `From:` / `Bcc:` smuggling via folded continuation), unbracketed under strict, empty value, missing `@`, nested angle brackets, bidi codepoints (CVE-2021-42574 RTLO class in mail-header context). Profiles `strict` / `balanced` / `permissive`; postures `hipaa` / `pci-dss` / `gdpr` / `soc2` all pin strict. Surface: `validate(value, opts)`, `validateList(value, opts)` with References-chain cap = 100, `compliancePosture(posture)`. Fuzz harness in `fuzz/guard-message-id.fuzz.js`. · *`b.mailStore` — byte-level sealed mail-store substrate* — Pluggable backend (sqlite default; operator wires `b.externalDb` Postgres or any `{ prepare(sql) -> { run, get, all } }`-shaped object). Surface: `create(opts)` returning `{ appendMessage, fetchByObjectId, queryByModseq, setFlags, createFolder, listFolders, threadFor, quota, setLegalHold }`. Sealed by default via `b.cryptoField.sealRow` — `subject` / `from_addr` / `to_addrs` / `body_text` / `body_html` route through a vault-managed AEAD envelope on insert + unseal on fetch. Plaintext (forensic-queryable without unsealing): `objectid`, `modseq`, `internal_date`, `received_at`, `size_bytes`, `flags`, `legal_hold`, `from_hash`, `message_id_hash`. Per-folder monotonic `modseq` counter (RFC 7162 CONDSTORE substrate); per-message `objectid` (RFC 8474 JMAP cross-protocol identity). Threading at append time via In-Reply-To + References chain walk. Quota substrate per folder; legal-hold composes existing `b.legalHold`. Schema bootstraps with six IMAP4rev2 default folders (INBOX / Sent / Drafts / Trash / Junk / Archive) and JMAP role mapping. Append composes `b.safeMime.parse` (bounded inbound) and `b.guardMessageId.validate` (header-injection gate). **References:** [RFC 5322 Internet Message Format](https://www.rfc-editor.org/rfc/rfc5322.html) · [RFC 2045 MIME Part One](https://www.rfc-editor.org/rfc/rfc2045.html) · [RFC 2046 MIME Part Two](https://www.rfc-editor.org/rfc/rfc2046.html) · [RFC 2047 MIME encoded-words](https://www.rfc-editor.org/rfc/rfc2047.html) · [RFC 2231 MIME parameter values](https://www.rfc-editor.org/rfc/rfc2231.html) · [RFC 7162 IMAP CONDSTORE / QRESYNC](https://www.rfc-editor.org/rfc/rfc7162.html) · [RFC 8474 JMAP object identifiers](https://www.rfc-editor.org/rfc/rfc8474.html) · [CVE-2024-39929 Exim MIME parser](https://nvd.nist.gov/vuln/detail/CVE-2024-39929) · [CVE-2025-30258 gnumail](https://nvd.nist.gov/vuln/detail/CVE-2025-30258) · [CVE-2021-42574 RTLO trojan source](https://nvd.nist.gov/vuln/detail/CVE-2021-42574)
+- v0.9.18 (2026-05-14) — **CodeQL alert sweep — 18 closures across 4 rule classes + SECURITY.md hardening checklist + MIGRATING.md out-of-band breaks.** Pre-existing CodeQL security findings on `main` accumulated over many releases, surfaced explicitly when the previous rename sweep changed line content. This release closes them all. **Added:** *SECURITY.md hardening checklist gains 5 lines* — Covers `b.middleware.idempotencyKey.dbStore` (hash + seal defaults), `b.metrics.snapshot` (out-of-process metrics export), `b.selfUpdate.standaloneVerifier` (zero-dep install-pipeline verifier), `b.pqcAgent.reload` (TLS-posture refresh without restart), `b.crypto.hashFilesParallel` (parallel SBOM/integrity-sweep hashing). · *MIGRATING.md — Out-of-band breaking changes section* — The previous release's dbStore schema break is the first entry; `scripts/gen-migrating.js` extended with an `OUT_OF_BAND_BREAKS` table so future schema/on-disk format breaks land in MIGRATING.md without operators needing to grep CHANGELOG. **Fixed:** *`js/file-system-race` (6 sites)* — TOCTOU between `fs.existsSync()` / `fs.statSync()` and a subsequent file op. Fixed via the framework's canonical TOCTOU-safe-read scaffold (open fd first then `fstatSync` then `readSync` loop then `closeSync` in `finally`) at `lib/atomic-file.js` (`_readSyncCore`), `lib/restore-rollback.js` (marker write switched to exclusive-create `wx` + EEXIST-tolerant), `lib/network-tls.js` (`_readPathFile` extraction with per-file ENOENT tolerance), `lib/backup/bundle.js` (open-fd-first plus required-vs-skip branch routing), `lib/static.js` (request-serve hot path narrowed to single fd). `lib/vault/seal-pem-file.js` retained as-is with a CodeQL suppression — the site has an in-line `lstat.ino === fstat.ino` inode-equality defense that refuses with `seal-pem-file/toctou-detected` if an attacker swaps the file between `lstat` and `open`. · *`js/insecure-temporary-file` (6 sites)* — Predictable temp paths. `lib/vault/rotate.js` now uses `mkdtempSync` for a per-rotation random scratch dir + plain filenames inside (replaces the predictable `_blamejs_rotate.tmp.db` / `_blamejs_verify.tmp.db` paths in `stagingDir`). `lib/mtls-ca.js` switched to exclusive-create `openSync(..., "wx", 0o600)` + `writeSync` + `fsyncSync` so an attacker pre-creating the path is refused at `EEXIST`. `lib/atomic-file.js` (`fsyncDir`), `lib/vault/rotate.js` (`_fsyncFileByPath`), `lib/http-client.js` (atomic tmp path) retained as-is with suppressions — `dirPath` / `p` are operator-supplied framework data paths (not `os.tmpdir`-reachable), and `tmpPath` carries 16 hex chars of crypto-random suffix. · *`js/path-injection` (2 sites in `lib/static.js`)* — `nodeFs.createReadStream(absPath)` in `_readMeta` and the request-serve hot path. Suppression comments added referencing the upstream `_resolveSafe` lexical-resolve + `startsWith(rootResolved + nodePath.sep)` + realpath escape check — `absPath` is sandbox-validated against `root` before reaching these lines. · *`js/remote-property-injection` (4 sites)* — `lib/websocket.js` (`ext.params: {}` to `Object.create(null)`), `lib/middleware/csrf-protect.js` (`var out = {}` to `Object.create(null)` for cookie-parse output). `lib/middleware/body-parser.js` (multipart `fields[currentField] = ...`) retained as-is with suppression — `currentField` is gated upstream by `POISONED_KEYS = new Set(["__proto__", "constructor", "prototype"])` refusing the field BEFORE assignment with a 400 BodyParserError.
+- v0.9.17 (2026-05-14) — **`node:` prefix consistency + internal-binding leak prevention — two new detectors + 192-site cleanup.** Two enforceable invariants the prior release's detectors didn't cover. **Changed:** *Every `require()` of a Node built-in uses the `node:` prefix* — 153 `require()` rewrites across 79 framework files. Three reasons: (a) userland packages on npm CAN be named after built-ins, so without the `node:` prefix a typo or `npm install` accident could shadow the built-in; (b) the prefix is a clearer at-a-glance signal that the dependency is on Node, not on a userland module; (c) bundler / SEA static-trace passes treat `node:` prefix as an unambiguous Node-builtin marker. · *Two follow-on require-binding canonicalizations* — `lib/ws-client.js` now destructures `var { EventEmitter } = require("node:events")` (was binding the entire `events` module to a class-shaped name) and `lib/process-spawn.js` renames inline `nodeChild` to `childProcess` (matches the module-level `childProcess` lazyRequire in `lib/dev.js`). **Detectors:** *`node-builtin-prefix`* — Refuses `require("<X>")` of a Node built-in (`fs`, `path`, `crypto`, `stream`, `tls`, `url`, `os`, `net`, `http`, `http2`, `https`, `zlib`, `dgram`, `events`, `child_process`, `readline`, etc.) without the `node:` prefix. Skips JSDoc `@example` block continuation lines (`*`-prefixed), so operator-facing examples that show `var fs = require("fs")` aren't rewritten — operators write their own bindings however they prefer. · *`internal-binding-in-prose`* — Internal binding names (`nodeFs` / `nodePath` / `nodeCrypto` / `nodeStream` / `nodeTls` / `nodeUrl` / `bCrypto` / `retryHelper`) must NOT appear in operator-facing surface: JSDoc/comment continuation lines or string literals (error messages, audit metadata). Operators see the public API name (`path` / `fs` / `crypto` / `retry` / etc.), never the framework's internal alias. 39 prose-leak fixes across 16 files.
+- v0.9.16 (2026-05-14) — **Operator-facing prose cleanup + `require-binding-name` detector covers `lazyRequire` + `dbStore` seal round-trip test.** Three classes of follow-up to the previous release's framework-wide rename sweep. **Added:** *`dbStore` seal round-trip test with vault initialized* — The previous test suite covered seal-falls-back-when-vault-not-ready and cross-process-sealed-row-preserved, but did NOT exercise the actual default-on seal/unseal path because the test environment didn't `b.vault.init(...)`. New `testDbStoreSealRoundTripWithVault` bootstraps a plaintext vault, builds a dbStore with `seal: true`, writes a record + reads it back, and asserts (a) `headers` + `body` columns carry the `vault:` envelope on disk, (b) the round-trip restores the original values, and (c) `status_code` stays plaintext so forensic SELECTs still work without unsealing. **Fixed:** *Operator-facing prose leaks in JSDoc + error messages* — The previous release's mechanical rename pattern `<OLD>.` to `<NEW>.` also caught occurrences inside JSDoc `@opts` comments and error-message string literals, so operators reading `b.keychain.create(opts)` saw `// absolute nodePath; required if file fallback may engage` instead of `// absolute path`. Fixed in `lib/db.js` (stream-limit error), `lib/keychain.js` (fallback-file error + 3 JSDoc lines), `lib/restore-bundle.js` (staging-dir error), `lib/watcher.js` (fs.watch failure error). Operators see plain English; internal binding names stay internal. · *`require-binding-name` detector extended to cover `lazyRequire`* — The previous detector only matched plain `var X = require("M")` and missed the framework's `var X = lazyRequire(function () { return require("M"); })` pattern (used to break load cycles). 34 additional inconsistencies surfaced (`auditFwk` / `auditMod` / `auditModule` / `lazyAudit` to `audit`, `crypto` / `fwCrypto` to `bCrypto`, `dbMod` / `dbModule` to `db`, etc.) — every minority site renamed per the same canonical-name map.
+- v0.9.15 (2026-05-13) — **`dbStore` hashes keys + seals body/headers by default + framework-wide `require()` binding-name consistency.** Closes two operator-surfaced gaps: PII leaking through plaintext idempotency-key columns and inconsistent require-binding names across the lib. The `tableName` column schema changes between releases. **Changed:** *`b.middleware.idempotencyKey.dbStore` — keys hashed + body/headers sealed by default* — Operator-supplied idempotency keys sometimes carry PII (order numbers, emails, vendor prefixes); the `k` column previously stored them raw, leaving every DB dump as a PII surface. Now sha3-512 namespace-hashes the key via `b.crypto.namespaceHash("idempotency-key", key)` before insert/lookup — round-trips are transparent (operators still pass raw keys), but the DB never sees the original. The schema also splits the previous single-`v` JSON-envelope column into discrete `fingerprint` / `status_code` / `headers` / `body` / `expires_at` columns; `headers` + `body` are sealed via `b.cryptoField.sealRow` (vault-managed AEAD envelope) when vault is initialized, so a DB dump leaks neither cached response bodies nor headers. Non-sealed columns stay forensic-queryable. Both defaults are operator-opt-out via `opts.hashKeys: false` and `opts.seal: false`; the seal path silently falls back to plaintext + emits an `idempotency.seal_skipped_no_vault` audit warning on first use when vault isn't ready, so test fixtures and boot scripts still work. · *Framework-wide `require()` binding-name consistency sweep* — 184 require-binding renames across 108 framework files. Node built-ins get a `node<X>` prefix (`nodeFs` / `nodePath` / `nodeCrypto` / `nodeStream` / `nodeTls` / `nodeUrl`) so a local var named `fs` / `path` / `crypto` can never shadow them; the framework's own `lib/crypto.js` binds as `bCrypto` (matches the `b.crypto` public-namespace shape and doesn't shadow node:crypto). Modules without a declared canonical fall back to majority-wins (most-sites name wins, alphabetical tiebreak). Fix is rename, not allowlist — every minority site was updated. `b.graphqlFederation` internal `_timingSafeEqual` now routes through `b.crypto.timingSafeEqual` (was re-implementing the length-tolerant wrapper inline). **Detectors:** *`require-binding-name`* — Enforces consistent `var X = require("M")` names framework-wide via a `CANONICAL_REQUIRE_BINDINGS` map. Inconsistent names made `grep` across the lib unreliable and let reviewers miss shadowing bugs (`var crypto = require("crypto")` collides with the framework's own `b.crypto`). **Migration:** *Schema break — drop any existing `dbStore` table before upgrading* — v0.9.15's split columns are incompatible with the previous single-`v` column. Operators run `DROP TABLE <tableName>;` (or pick a fresh `tableName`) before upgrading. Pre-v1 framework breaks across patch versions for security correctness.
+- v0.9.14 (2026-05-13) — **`safeSql.quoteIdentifier` adopted framework-wide + raw-SQL-identifier detector + bundled republish of v0.9.13 surface.** A reviewer-flagged race in `dbStore.get` surfaced a wider gap — multiple framework primitives concatenated SQL identifiers raw. This release routes every such site through the existing `b.safeSql.quoteIdentifier`, adds a detector that seals the bug class, and re-ships the v0.9.13 surface plus three additional primitives that the previous publish's smoke gate prevented from reaching npm. **Added:** *`b.crypto.hashFilesParallel(filePaths, opts?)`* — Parallel multi-digest hashing for many files in a single read pass per file. Worker-pool concurrency cap (default `min(8, paths.length)`, 1..256), operator-tunable `algorithms` list (default `["sha256", "sha3-512"]`), optional `onProgress(completed, total)` callback (throws swallowed). Returns rows in the same order as input. The common consumer-side reason to reach for this is SBOM regeneration / vendor-data integrity sweeps / release-asset bundling — situations where N files each need both SHA-256 and SHA-3-512 digests. · *`b.pqcAgent.reload()` — TLS-posture refresh without restart* — Tear down the lazily-built default agent and reset to null so the next `b.pqcAgent.agent` access rebuilds against current TLS posture + `b.network.tls.applyToContext` output. Long-running daemons that rotate the framework's TLS posture (TLS-pinset reload, certificate-pinset refresh, `C.TLS_GROUP_PREFERENCE` update behind a feature flag) need a way to re-source the outbound `https.Agent` without forking a new process. `reload()` calls `.destroy()` on the existing default agent (Node closes idle keep-alive sockets, lets in-flight sockets complete) then nulls the cache. Agents handed out via explicit `b.pqcAgent.create()` are unaffected. Returns `{ destroyed: boolean }`. · *`b.middleware.idempotencyKey.dbStore({ db, tableName?, init? })`* — Persistent-backed store for the `idempotencyKey` middleware. Same three-method interface as `memoryStore` (`get` / `set` / `delete`) but stores records in any sqlite-shaped database (`{ prepare(sql) -> { run, get, all } }`) — the framework's internal `b.db`, an operator-supplied better-sqlite3 instance, or a custom adapter. Use this when (a) multiple processes share the request-handling fleet so retries can land on a different process than the original, (b) the daemon may restart between original and retry, or (c) audit / compliance review needs to walk historic idempotency-cache decisions. TTL is lazily enforced at read time; `set()` upserts on conflict so concurrent retries on different processes don't error. The `tableName` is validated via `b.safeSql.validateIdentifier` (ASCII identifier shape, 63-char cap, no reserved words). **Fixed:** *`dbStore.get` expired-row cleanup scoped by observed `expires_at`* — Previously the expired-row cleanup was an unconditional `DELETE WHERE k = ?` between SELECT and DELETE — in a multi-process deployment another process could upsert the same key in the race window, and the unconditional delete would erase the fresh row. Fix: scope the delete by the observed `expires_at`. · *Every `db.prepare("CREATE TABLE " + tableName + ...)` site routes through `b.safeSql.quoteIdentifier`* — Sites refactored: `lib/audit.js` segregation-of-duties trigger DDL, `lib/dsr.js` ticket store, `lib/inbox.js` message-receive table, `lib/middleware/idempotency-key.js` dbStore, `lib/vault/rotate.js` column-rotation DDL. · *Bounded JSON parse for two file/DB-backed primitives* — `b.metrics.snapshot.read` and `b.middleware.idempotencyKey.dbStore.get` previously used bare `JSON.parse` with `allow:bare-json-parse` markers; both are read by processes separate from where they were written (CLI/sidecar reads daemon-written snapshot; multi-process fleet shares DB) where a hostile or misbehaving writer could plant a multi-GB value and OOM the reader. Both now route through `b.safeJson.parse(raw, { maxBytes: 4 MiB })`. · *`b.apiSnapshot.read` now passes `maxBytes: 64 MiB` to `safeJson.parse`* — The framework-generated snapshot file outgrew safeJson's 1 MiB default. **Detectors:** *`raw-sql-identifier-interpolation`* — Seals the bug class — refuses raw identifier concatenation into SQL strings. Variables whose names signal already-quoted identifiers (`q<X>` / `Q_<X>` / `quoted<X>` prefix) are skipped so future primitives that use the helper read naturally. **Migration:** *Operators jump from v0.9.12 directly to v0.9.14* — The previous release's npm-publish workflow failed at the wiki-e2e gate (a reviewer fix removed the `opts` parameter from `b.selfUpdate.standaloneVerifier.verify` but the `@signature` JSDoc still declared four arguments). v0.9.13's git tag and GitHub release reached operators but the npm tarball did not. v0.9.14 carries the entire v0.9.13 shipped surface plus the three additional primitives above.
+- v0.9.13 (2026-05-13) — **Circuit-breaker opts-shape fix + `b.selfUpdate.standaloneVerifier` + `b.metrics.snapshot` + `b.retry.withBreaker`.** Two existing-primitive fixes plus three new operator-facing primitives. **Added:** *`b.selfUpdate.standaloneVerifier` — zero-dep verifier for install-pipeline contexts* — For contexts that run BEFORE the framework is installed (Dockerfile build stages, `install.sh`, `update.sh`, SEA-bundle verification at deploy time). Surface: `verify(assetPath, sigPath, pubkeyPem, opts?)` returns `{ ok, sha3_512, sha256, alg }`. Streams the asset in 64 KiB chunks through SHA-256 + SHA-3-512 + the signature verifier in parallel — multi-GB SEA bundles don't OOM the install runner. Supports ECDSA P-384 (both IEEE-P1363 96-byte and DER encodings), Ed25519, and ML-DSA-87. Detects signature format from length so `verifier.verify(...)` runs exactly once (calling it twice returns stale state and silently passes tampered assets). Module is hermetic: `node:crypto` + `node:fs` only, no framework imports. Operators copy the file via `cp "$(node -p "require('@blamejs/core').selfUpdate.standaloneVerifier.path")" install/standalone-verifier.js` into version control on their side. · *`b.metrics.snapshot` — out-of-process metrics export for long-running daemons* — `startWriter({ path, intervalMs, fields })` atomically flushes a JSON snapshot (first flush synchronous so the file exists by return-time; subsequent flushes on the interval with `.unref()`; `stop()` clears + final-flushes). `read(path)` parses with shape validation (`writtenAt` + `fields`). `render(snap, { format, prefix })` produces operator-readable text or Prometheus 0.0.4 exposition (gauge metrics, prefixed; only finite numeric scalars with prom-compatible names emit; invalid-name / non-numeric / non-finite fields skipped silently). Lets a CLI process scrape a daemon's live metrics without opening an HTTP port. · *`b.retry.withBreaker(fn, { retry, breaker })` — composition primitive* — Collapses the two-line wrapper every consumer rolls: `breaker.wrap(() => retry.withRetry(fn, opts.retry))`. One breaker call per retry loop (the retry budget is INSIDE the breaker's accounting, so a single transient burst doesn't open the breaker spuriously). Throws on non-function `fn` or breaker without `.wrap`. **Fixed:** *`b.circuitBreaker.create({...})` accepts the documented opts-object call shape* — The factory was rejecting the documented call shape with `name must be a non-empty string, got object` — every consumer following the docstring hit a hard error. The factory now reads `opts.name` (defaulting to empty string) and forwards to the internal `CircuitBreaker(name, opts)` constructor. · *Circuit-breaker open-circuit error code documented to match runtime* — The open-circuit error code was documented as `retry/circuit-open` but the runtime threw `CIRCUIT_OPEN`. The docstring is corrected to match the runtime; an alias rename will follow with a deprecation cycle in a future minor.
+- v0.9.12 (2026-05-13) — **Republish of v0.9.10 / v0.9.11 — `npm audit signatures` grep widened for newer npm phrasing.** The publish workflow's `Verify npm registry signing chain` step treats an empty-tree result as success (the framework's zero-runtime-deps posture means `npm audit signatures --omit dev` finds nothing to audit). The exact phrasing has drifted across npm versions; the shell guard's grep only matched the older phrasing, so the previous publish failed at the audit-signatures gate. **Fixed:** *Audit-signatures empty-tree guard accepts both npm phrasings* — Older npm prints `found no installed dependencies to audit`; newer npm prints `found no dependencies to audit that were installed from a supported registry`. The grep is now `no (installed )?dependencies to audit` — covers both known empty-tree variants. Functionally identical to the v0.9.10 intended surface. Operators stuck at v0.9.9 (because v0.9.10 + v0.9.11 never reached the npm registry) jump directly to v0.9.12.
+- v0.9.11 (2026-05-13) — **Republish of v0.9.10 — `npm-publish.yml` installs devDependencies before smoke.** The previous release's tag was pushed and the GitHub release published, but `npm-publish.yml`'s Framework-smoke step ran `node test/smoke.js` without first running `npm install`. The new bundler-output gate requires `esbuild` (a devDependency); the publish workflow failed at the smoke step before reaching publish, so the npm tarball was never published. **Fixed:** *`npm install --no-audit --no-fund` runs before smoke in `npm-publish.yml`* — Mirrors the same fix already present in `.github/workflows/ci.yml`. Operators consuming via `npm install @blamejs/core` should pull v0.9.11; functionally identical to the intended v0.9.10 surface. Zero runtime deps invariant preserved.
+- v0.9.10 (2026-05-13) — **Bundler-output integration gate — bundles + SEA produced and exercised in smoke.** Adds `test/layer-5-integration/bundler-output.test.js`. Bundles the framework via `esbuild --bundle --platform=node` (also `--minify`), runs the bundled consumer, and asserts the four-layer vendor-data integrity surface (dual-hash + SLH-DSA signature + canary) survives bundling. **Added:** *esbuild bundle gate + byte-search sentinel* — The PSL canary roundtrips through `b.publicSuffix.isPublicSuffix(...)` after bundle exec — proves the `.data.js` payloads physically reached the bundle bytes, not just the runtime require shape. Plus a byte-search sentinel that greps the produced bundle for the canary tokens directly (defense-in-depth, independent failure mode from the runtime path). · *SEA gate (Linux + Node >= 22)* — Runs `--experimental-sea-config` + `postject` to produce an actual single-executable binary and runs it. The whole class of bugs — dynamic-require breaks bundling, SEA `assets` map missing, esbuild static-trace failures — is now smoke-gated. The previous release's defect produced bundles that exited with `vendor-data/module-missing` on first vendor-data access; this gate's `BUNDLE-OK psl=co.uk entries=3` stdout-check would have refused that exit at smoke time.
+- v0.9.9 (2026-05-13) — **`b.vendorData` — replace dynamic `require(variable)` with static literal-string requires so bundlers work.** The previous release looked up each `.data.js` module via `require(entry.module)` where `entry.module` was read from a frozen lookup table — a dynamic require, opaque to every bundler's static-analysis pass. esbuild, webpack, ncc, rollup, pkg, nexe, Bun's bundler, and Deno's bundler trace `require("./literal")` calls only. The three payload modules never made it into SEA / pkg / esbuild bundles; consumers saw `vendor-data/module-missing` at boot. **Fixed:** *Static literal-string `require` for every vendor-data payload module* — Replaces the lookup table with a `_MODULES` map whose three values are each a top-level `var X = require("./vendor/<name>.data")` — literal string, statically traceable. Net surface change: zero (the public `b.vendorData.get` / `getAsString` / `verifyAll` / `inventory` shape is identical); the fix is internal-only. Operators upgrade if they bundle the framework via SEA / esbuild / pkg / Bun-compile — direct `node` consumers were unaffected (Node's runtime require always resolves dynamic strings correctly). **Detectors:** *`no-dynamic-requires` — refuses `require(variable)` in `lib/`* — Any future site that reaches for a dynamic require trips the gate at n=1. Legitimate operator-extensibility points (`b.cli`, migrations, seeders) carry an explicit `allow:dynamic-require` marker with rationale.
+- v0.9.8 (2026-05-13) — **`b.vendorData` — packaging-mode-invariant signed loader for vendored data files.** Plaintext vendor data files (Public Suffix List, common-passwords list, BIMI trust anchors) are now loaded via inline base64 modules with four orthogonal integrity checks. Eliminates the `__dirname`-relative `fs.readFileSync` paths that broke under SEA, pkg, nexe, esbuild, Bun compile, Deno compile, and AWS Lambda layer bundling. **Added:** *`b.vendorData.get(name)` / `getAsString(name)` / `verifyAll()` / `inventory()`* — `get` returns the verified Buffer; `getAsString` returns UTF-8 string; `verifyAll` runs all four integrity layers across every registered vendor data file and is invoked at framework boot; `inventory` returns per-file metadata (name, source, fetchedAt, sha256, sha3_512, signedBy, canary, byteLength, description) for compliance reporting + SBOM emission. · *Four orthogonal integrity checks on every load* — SHA-256 + SHA3-512 + SLH-DSA-SHAKE-256f signature against the maintainer's pinned public key (`lib/vendor/.vendor-data-pubkey`) + in-payload canary entry that the parsed structure must surface. Tamper at any layer throws `VendorDataError` at module-load — fail-fast rather than first-request-touches-PSL surprise. Adds a fourth orthogonal trust root alongside SSH-signed release tags, SLSA L3 npm provenance, and Sigstore-keyless SBOM signatures. · *Migrated call sites — PSL, common-passwords, BIMI trust anchors* — `b.publicSuffix` (PSL load), `b.auth.password._loadBundledCommon` (common-passwords), `b.mail.bimi` (trust anchors) now route through `b.vendorData` — removes any downstream consumer's need to patch the loader for SEA / bundler builds. · *Maintainer signing infrastructure + new scripts* — Vendor data files are signed at refresh time by a maintainer-held SLH-DSA-SHAKE-256f keypair (private key stays in `.keys/` and is never committed; public key ships in `lib/vendor/.vendor-data-pubkey` in every npm tarball). `scripts/vendor-data-keygen.js` (one-time keypair generation) + `scripts/vendor-data-gen.js` (generator invoked by `scripts/vendor-update.sh --refresh-data`). MANIFEST.json gains per-vendor-data `runtime_artifact` + `integrity_layers` + dual-file `hashes`.
+- v0.9.7 (2026-05-13) — **SECURITY.md release-tag verification recipe + signed-tag invariant from v0.9.7.** Documentation-only release. SECURITY.md gains a section on verifying release authenticity independently of GitHub's UI, and every release tag from this point forward is an annotated SSH-signed tag enforced by repository ruleset. **Added:** *SECURITY.md — `Verifying release authenticity` section* — Documents how operators verify a release tag's authenticity independently of GitHub's UI. The maintainer Ed25519 SSH signing key fingerprint (`SHA256:5oF/XWhFpMde9TRfEX2GAHiApAq/MXOS4vti5zQbD7g`) is published alongside the public-key retrieval URL (`https://github.com/dotCooCoo.keys`) and a `git tag -v` recipe that bypasses the `Verified` badge. · *Signed-tag invariant from v0.9.7 onward* — Every release tag is an annotated SSH-signed tag; the repository's `release-tags` ruleset's `required_signatures` rule refuses any unsigned or lightweight tag push at the server side. Earlier tags (v0.9.6 and prior) remain as lightweight commits and don't verify via `git tag -v`; they continue to verify via the SLSA L3 npm provenance + Sigstore-keyless SBOM signatures already attached to those releases (the `cosign verify-blob` recipe is in the same SECURITY.md section).
+- v0.9.6 (2026-05-12) — **`b.vex` OASIS CSAF 2.1 VEX statements + 25 new compliance postures.** Adds a vendor-side VEX emitter for the OASIS Common Security Advisory Framework profile, plus 25 framework / sectoral / supply-chain compliance postures wired through `b.compliance.KNOWN_POSTURES` with matching cascade defaults. **Added:** *`b.vex.statement({ cveId, status, productIds, justification?, impactStatement?, references?, firstReleased?, lastUpdated? })`* — Builds an OASIS CSAF 2.1 §3.2.3 vulnerability statement with `product_status` keyed by status enum (`known_not_affected` / `affected` / `fixed` / `under_investigation`), `flags[].label` for §3.2.2.7 justifications (`component_not_present` / `vulnerable_code_not_present` / `vulnerable_code_not_in_execute_path` / `vulnerable_code_cannot_be_controlled_by_adversary` / `inline_mitigations_already_exist`), and `notes[].text` for impact narrative. Refuses missing CVE/CWE id, malformed CVE shape, unknown status, missing productIds, and `known_not_affected` without justification. · *`b.vex.document({ documentId, title, publisher, trackingId, trackingVersion, currentReleaseDate, initialReleaseDate, statements, tlp? })`* — Assembles the §3.2 CSAF document envelope with category `csaf_vex`, csaf_version `2.1`, publisher category `vendor`, tracking status `final`, and `distribution.tlp.label` from the TLP 2.0 vocabulary (`CLEAR` / `GREEN` / `AMBER` / `AMBER+STRICT` / `RED`; default `CLEAR`; refuses non-TLP labels). `cwes` is a list per §3.2.3.4; CWE alone is no longer accepted as a vulnerability identity per §3.2.3.2 (operator supplies `cveId` or `ids[]: [{ systemName, text }]` per §3.2.3.5). Public opt name is `cweId` to mirror `cveId`. · *`b.vex.serialize(doc)`* — Routes through `b.canonicalJson.stringify` for byte-stable sorted-key output then re-indents at 2 spaces for human-diffable artifacts. Exports `STATUS_VALUES` / `JUSTIFICATION_VALUES` / `TLP_LABELS` / `CSAF_VERSION` / `VexError`. · *Compliance posture catalog gains 25 entries in `b.compliance.KNOWN_POSTURES`* — With matching `POSTURE_DEFAULTS` cascade entries: `nist-800-53` (NIST SP 800-53 Rev 5 control catalog), `nist-ai-rmf-1.0` (NIST AI Risk Management Framework 1.0), `iso-42001-2023` (AI management systems), `iso-23894-2023` (AI risk management guidance), `owasp-llm-top-10-2025` (LLM application risk catalog), `owasp-asvs-v5.0` (Application Security Verification Standard v5.0), `nist-800-218-ssdf` (Secure Software Development Framework), `nist-800-82-r3` (industrial control systems), `nist-800-63b-rev4` (digital identity authenticator guidance), `iec-62443-3-3` (industrial security), `fedramp-rev5-moderate` (federal cloud baseline), `hipaa-security-rule` (45 CFR §164.302-318 administrative + technical safeguards), `hitrust-csf-v11.4`, `nerc-cip-007-6` (bulk electric system cyber asset security), `psd2-rts-sca`, `swift-cscf-v2026`, `slsa-v1.0-build-l3`, `vex-csaf-2.1`, `cyclonedx-v1.6`, `spdx-v3.0`, `owasp-wstg-v5`, `ptes`, `nist-800-115`, `cwe-top-25-2024`, `cis-controls-v8`, `cmmc-2.0-level-2`. Each cascade entry encodes the regime's data-tier mandate (encrypted backups + signed audit chain + TLS 1.3 minimum + vacuum-after-erase where applicable). **References:** [OASIS CSAF 2.1 (Common Security Advisory Framework)](https://docs.oasis-open.org/csaf/csaf/v2.1/) · [FIRST TLP 2.0 (Traffic Light Protocol)](https://www.first.org/tlp/) · [NIST SP 800-53 Rev 5](https://csrc.nist.gov/pubs/sp/800/53/r5/upd1/final)
+- v0.9.5 (2026-05-12) — **Fix-up for v0.9.3 + v0.9.4 — reachable opts, correct check-and-insert contract, CIBA interval-state leak.** Five reachability and contract bugs reported on the previous two releases. **Fixed:** *`b.middleware.dpop` `trustForwardedHeaders` reachable in validateOpts whitelist* — The v0.9.4 X-Forwarded-* trust gate added the option to `_reconstructHtu` but the `create()` validateOpts whitelist still rejected unknown keys. Operators behind a trusted reverse proxy got `unknown-option` instead of the documented opt-in, leaving valid DPoP proofs failing htu matching. The whitelist now includes `trustForwardedHeaders`. · *`b.auth.jwt.verifyExternal` `allowKidlessJwks` reachable in validateOpts whitelist* — Same shape as the dpop fix, fixed the same way. · *OAuth `allowKidlessJwks` now threads through token-exchange flows* — Previously the opt was per-`verifyIdToken`-call, but `_normalizeTokens()` (called from `exchangeCode` / `pollDeviceCode` / `exchangeToken` / `refreshAccessToken`) passed a reduced `{ nonce, skipNonceCheck }` shape that dropped the operator opt. Surface promoted to client-level: pass `b.auth.oauth.create({ allowKidlessJwks: true })` once and it threads through every code path that lands on the verifier. The per-call `vopts.allowKidlessJwks` continues to work for direct `verifyIdToken` callers. · *`b.auth.oauth.refreshAccessToken` `checkAndInsert` return-value contract aligned* — Previously interpreted `true` as already-seen but the framework-wide `checkAndInsert` contract (`b.nonceStore`, `b.auth.jwt`) is the opposite: `true` = unseen-and-now-inserted (first sighting), `false` = already-present (replay). Operators reusing an existing `b.nonceStore`-style backend got every first refresh attempt rejected as token theft, breaking normal refresh flows. The handler now normalizes `inserted === false` to `alreadySeen = true`, consistent with the rest of the framework. · *`b.auth.ciba` `_intervalState` memory leak on error paths* — Previously entries were only deleted on successful token issuance; denied / expired auth requests, and ping/push delivery modes that never call `pollToken` successfully, left permanent entries causing unbounded growth in long-running processes. Now entries carry an `expireAtMs` derived from the IdP-supplied `expires_in` of the auth_req_id, and an opportunistic sweep runs on every `_registerInitialInterval` call (no separate timer needed). Terminal CIBA errors (`expired_token` / `access_denied` / `invalid_grant` / `transaction_failed`) also delete the entry immediately on the error path.
+- v0.9.4 (2026-05-12) — **Auth hardening — kid-less JWKS refusal, OCSP nonce CT compare, OAuth scope strict-split, DPoP `X-Forwarded-Proto` trust gate.** Closes the remaining medium-tier findings from the federation-auth audit follow-through. **Fixed:** *`b.auth.oauth.verifyIdToken` + `b.auth.jwt.verifyExternal` refuse kid-less JWKS lookup* — Previously both verifiers fell back to `keys[0]` when the token carried NO `kid` and the JWKS had exactly one key. This is a latent vector during JWKS rotation: an attacker shipping a kid-less token gets the lone-key path during the window the rotated-out key is still cached at the IdP but the rotated-in key is already published. Every modern IdP includes `kid`; the framework now refuses kid-less tokens unconditionally. Operators with non-conforming IdPs that genuinely emit kid-less tokens opt out via `vopts.allowKidlessJwks: true`. · *`b.network.tls` OCSP nonce constant-time compare* — `evaluateOcspResponse`'s `expectedNonce` match migrated from `Buffer.equals` to `b.crypto.timingSafeEqual` for module-wide consistency with the Merkle-root / NTS-cookie / cert-fingerprint paths that already use `timingSafeEqual`. · *`b.auth.oauth` scope strict whitespace split* — RFC 6749 §3.3 says `scope` is space-separated, ONLY `U+0020`. Previously `raw.scope.split(/\s+/)` matched U+0085 NEL, U+00A0 NBSP, etc., so a hostile AS returning `scope: "admin<NEL>read"` would surface as `["admin", "read"]` and the operator's scope allowlist saw two distinct scopes. Now splits on single-space only; empty pieces filtered out. · *`b.middleware.dpop` `X-Forwarded-*` trust gate* — `_reconstructHtu` previously read `X-Forwarded-Proto` / `X-Forwarded-Host` unconditionally; an attacker who can hit the origin directly while spoofing `X-Forwarded-Proto: https` could trick the middleware into building an `https` htu that the DPoP proof was signed for, when the origin is actually serving HTTP (RFC 9449 §4.3 says the htu MUST be the absolute URL the request was sent to). The default now derives proto/host from the socket; operators with a confirmed-trusted front proxy opt in via `opts.trustForwardedHeaders: true`. **References:** [RFC 6749 §3.3 (OAuth scope)](https://www.rfc-editor.org/rfc/rfc6749#section-3.3) · [RFC 9449 §4.3 (DPoP htu)](https://www.rfc-editor.org/rfc/rfc9449#section-4.3)
+- v0.9.3 (2026-05-11) — **Auth hardening — OAuth refresh atomic check-and-insert + OID4VCI/OID4VP/CIBA constant-time + slow_down honoring.** Continues the federation-auth audit follow-through with OAuth one-time-use refresh tokens, verifiable-credential constant-time compares, and CIBA back-off bookkeeping. **Added:** *`b.auth.oauth.refreshAccessToken` atomic check-and-insert* — New `ropts.checkAndInsert(token, expireAtMs)` callback contract replaces the previous `ropts.seen(token)` check-then-act race. Two concurrent refresh requests on the same event-loop tick could both see `seen === false` and both POST to the token endpoint, neither flagging the replay; the new contract requires an atomic test-and-set (Redis SETNX, DB INSERT ON CONFLICT) and is the OAuth 2.1 §6.1 / RFC 9700 §4.13 one-time-use defense surfacing the actual race window. Legacy `seen` callback continues to work for backwards-compat with operator code; the docstring documents the race + recommends migration to `checkAndInsert`. **Fixed:** *`b.auth.oid4vci` constant-time compares* — Pre-auth `tx_code` hash compare (was `!==` on sha3 hex) and proof-JWT `c_nonce` compare (was `!==` on attacker-supplied wallet payload) both route through `b.crypto.timingSafeEqual`. · *`b.auth.oid4vp` per-presentation `vct` enforcement* — DCQL filters with 2+ `vct_values` entries previously bypassed vct validation entirely (the framework only set `expectedVct` when the filter pinned to a single value). Verifier now validates the presented vct against the DCQL filter list manually when length > 1; refuses with `vp_token['<id>'][<n>] vct '<presented>' is not in DCQL vct_values [...]` on over-disclosure. · *`b.auth.ciba` slow_down honoring + back-off bookkeeping* — CIBA §11.3 requires the client to increase its polling interval by at least 5s on every `slow_down` response. Previously the framework client never bumped, leaving operators to do their own interval bookkeeping. Now `pollToken()` tracks per-`authReqId` interval state internally (Map keyed by authReqId, seeded from `startAuthentication`'s response, cleared on token issuance), bumps by `max(5s, IdP-suggested interval) <= MAX_INTERVAL_SEC` on every slow_down, and attaches the next-suggested interval to the thrown `auth-ciba/slow_down` error as `err.nextIntervalSec` so operators read a spec-correct back-off without manual bookkeeping. · *`b.auth.ciba` notification-token entropy* — `clientNotificationToken` now refuses < 32 chars per CIBA §7.1.2's opaque-hard-to-guess requirement. Previously a 4-char token passed. · *`b.auth.ciba.parseNotification` constant-time compare* — Bearer-token hash compare migrated from `!==` to `b.crypto.timingSafeEqual` (both sides are fixed-width sha3-512 hex strings; defense-in-depth even though equal-length JS string compare is already widely understood as constant-time on V8). **References:** [RFC 9700 §4.13 (OAuth security BCP — refresh token rotation)](https://www.rfc-editor.org/rfc/rfc9700.html) · [OpenID CIBA Core 1.0 §11.3 (token polling)](https://openid.net/specs/openid-client-initiated-backchannel-authentication-core-1_0.html)
+- v0.9.2 (2026-05-11) — **Auth hardening — WebAuthn counter regression, multi-origin passkey, MDS3 fail-closed, AAL3 user-verification gate.** Continues the federation-auth audit follow-through with six targeted fixes across `b.auth.passkey`, `b.auth.aal`, and `b.auth.fidoMds3`. **Added:** *`b.auth.passkey` multi-origin support* — `expectedOrigin` now accepts `string` OR `string[]` on both `verifyRegistration` and `verifyAuthentication`. Previously the wrapper enforced a single string only, blocking multi-origin deployments (web + admin-subdomain) from sharing one verifier; SimpleWebAuthn natively supports arrays. **Fixed:** *`b.auth.passkey.verifyAuthentication` counter-regression bypass* — The wrapper previously coerced `opts.credential.counter || 0`, silently zeroing an `undefined` / `null` / `NaN` counter and defeating CTAP 2.1 clone-detection on credentials whose stored counter was > 0. An operator deserializing the credential from a column that lost the counter would unknowingly accept a cloned authenticator. The wrapper now refuses `undefined` / `null` (operators MUST persist whatever the vendor returned at registration; first-time-stored credentials carry counter:0 explicitly) and rejects any non-integer / non-finite / negative value with `auth-passkey/bad-counter`. · *`b.auth.passkey` prototype-pollution in `ALLOWED_MEDIATION` lookup* — Lookup changed from `{...}[opts.mediation]` to `hasOwnProperty.call(ALLOWED_MEDIATION, opts.mediation)` with a null-prototype map. Pre-fix a caller passing `mediation: "__proto__"` / `"constructor"` truthy-matched an inherited Object.prototype property and slipped past the allowlist into `generateAuthenticationOptions`. · *`b.auth.aal.fromMethods` user-verification requirement for AAL3* — Per NIST SP 800-63-4 §5.1.7, WebAuthn / passkey satisfies AAL3 (MF-CRYPT) only when user verification was performed on the assertion. Previously `fromMethods({ webauthn: true })` returned `AAL3` unconditionally; operators using `userVerification: "preferred"` whose authenticator skipped UV landed in AAL3 despite not satisfying the spec's MF requirement. The caller now passes `uv: true` (sourced from the vendor's authData UV bit) to claim AAL3 with webauthn alone; without `uv`, webauthn alone caps at AAL2 (SF-CRYPT). Combination paths (`webauthn + password` / `webauthn + pin`) reach AAL3 regardless of UV (the memorized secret provides the second factor independently). · *`b.auth.fidoMds3.verifyAuthenticator` fail-closed default for unknown AAGUIDs* — Previously unknown AAGUIDs returned `{ ok: true, reason: "aaguid-not-in-blob" }`, silently trusting any authenticator the metadata service hadn't yet listed (rogue / pre-certification / fake hardware). Now fails closed by default; operators wanting the legacy fail-open behavior (test fixtures, pre-certification pilot rollouts) pass `opts.allowUnknownAaguid: true` explicitly. · *`b.auth.fidoMds3.parseBlob` stale-BLOB refusal* — Refuses BLOB payloads whose `nextUpdate` is already in the past (FIDO MDS3 §3.1.7). Previously staleness was floored to `MIN_CACHE_TTL_MS` but the BLOB was still served, letting an attacker pin operators to a revoked-authenticator-list-frozen-at-X by serving an ancient signed-but-expired BLOB. · *`b.auth.fidoMds3.REFUSE_STATUS` adds `ATTESTATION_KEY_COMPROMISE`* — Per FIDO MDS3 §3.1.4. Previously this status was silently accepted; manufacturer batch-signing-key compromise affects every credential attested under that key. **References:** [NIST SP 800-63-4 §5.1.7 (AAL definitions)](https://csrc.nist.gov/pubs/sp/800/63/4/2pd) · [FIDO Metadata Service v3.0](https://fidoalliance.org/specs/mds/fido-metadata-service-v3.0-ps-20210518.html)
+- v0.9.1 (2026-05-11) — **Federation auth hardening — SAML SP / OIDC federation / SD-JWT VC / OAuth ID-token verifier.** Closes the highest-severity SAML, OIDC federation, SD-JWT VC, and OAuth findings from the 2026-05-11 federation auth review. XML attribute / element escaping for the SAML SP, JWK alg/kty cross-check for OIDC federation entity statements, claim-shadowing and disclosure-replay defenses for SD-JWT VC, and crit-header refusal plus constant-time compares for the OAuth ID-token verifier. **Added:** *`b.xmlC14n.escapeAttrValue(s)` / `escapeText(s)`* — Newly exported XML escapers (RFC 3741 §1.3.x compliant). Available for any operator emitting XML alongside the framework's own SAML / canonicalization paths. **Fixed:** *SAML SP `buildAuthnRequest` + `.metadata` operator-input XML escaping* — Every operator-supplied URL / ID interpolated into the emitted XML now routes through `b.xmlC14n.escapeAttrValue` / `escapeText`. A `"` or `<` in `idpSsoUrl` / `assertionConsumerServiceUrl` / `entityId` / `nameIdFormat` previously broke out of attribute / element context and produced unsigned-XML breakout into the IdP redirect. · *SAML SP `verifyResponse` constant-time digest compares* — Digest compare on `Reference DigestValue` and `SubjectConfirmation InResponseTo` migrated from `Buffer.compare` / `!==` to `b.crypto.timingSafeEqual`. · *SAML XSW defense — single-child cardinality assertion* — Refuses Response payloads that carry duplicate `<Status>`, `<StatusCode>`, `<Assertion>`, `<Subject>`, or `<NameID>` children. XML signature wrapping attacks ferry an unsigned sibling next to a signed element and exploit first-match parsers; the verifier now asserts single-child cardinality on every security-critical element via `_findAllChildren(...).length === 1`. · *`b.auth.openidFederation.verifyEntityStatement` alg/kty cross-check* — JWK key-type cross-checked against the JWS `alg` header BEFORE `createPublicKey` runs. An attacker-controlled entity-config declaring `alg: "ES256"` while supplying an RSA JWK previously loaded through Node's silent algorithm-vs-key coercion path. Now refuses with `auth-openid-federation/alg-kty-mismatch` for any `alg=ES*` not paired with `kty=EC`, `alg=PS*`/`RS*` not paired with `RSA`, or `alg=EdDSA` not paired with `OKP`. · *`b.auth.openidFederation.buildTrustChain` error-masking removed* — Trust-chain ascent previously swallowed every per-authority failure via `catch (_e) {}` and continued to the next `authority_hint`. Signature-failure errors from one authority no longer mask; the chain now refuses on cryptographic refusal (`bad-jwk`, `alg-kty-mismatch`, `bad-signature`, `signature-failed`). Network / 404 / iss-sub-mismatch errors still continue to the next hint but are collected and surfaced in the `no-ascent` failure shape. · *SD-JWT VC `_sd_alg` default switched to `sha-256`* — Per IETF SD-JWT VC draft §4.1.1, the default `_sd_alg` is `sha-256`. The prior default of `sha3-512` broke verification against spec-conformant issuers when the issuer omitted `_sd_alg`. · *SD-JWT VC disclosure-replay defense* — Every disclosure digest tracked in a Set; second occurrence of the same digest refuses with `auth-sd-jwt-vc/disclosure-replay`. · *SD-JWT VC claim-shadowing defense* — Holder-supplied disclosures whose name collides with an issuer-signed top-level claim (`iss`, `sub`, `aud`, `iat`, `nbf`, `exp`, `jti`, `vct`, `cnf`, `_sd`, `_sd_alg`, `status`) refuse with `auth-sd-jwt-vc/protected-claim-shadow` instead of silently overwriting the signed value. · *SD-JWT VC KB-JWT `sd_hash` uses declared `_sd_alg`* — Previously hardcoded sha256, breaking against issuers using sha3-512. `sd_hash` compare also routed through `b.crypto.timingSafeEqual`. · *OAuth `verifyIdToken` crash hardening* — `createPublicKey + verify` wrapped in try/catch — previously panicked on key/sig shape mismatch (e.g. ES256 sig against an RS256 key returned by a buggy IdP with duplicate kids), bubbling a raw `Error` to the operator's handler instead of an `OAuthError`. · *OAuth `verifyIdToken` `crit` header refusal* — Per RFC 7515 §4.1.11, every sibling verifier (`b.auth.jwt`, `b.auth.jwt.verifyExternal`, `b.auth.dpop`) refuses unknown crit extensions. `verifyIdToken` previously silently ignored, letting an attacker-controlled OP ship critical extensions the verifier doesn't understand. · *OAuth `verifyIdToken` constant-time state / nonce compares* — `state` and `nonce` claim compares routed through `b.crypto.timingSafeEqual`. These are CSRF / replay tokens compared against attacker-controlled callback / payload data. **References:** [RFC 7515 JSON Web Signature](https://www.rfc-editor.org/rfc/rfc7515.html) · [OASIS SAML 2.0 Core](https://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf) · [OpenID Federation 1.0](https://openid.net/specs/openid-federation-1_0.html) · [IETF SD-JWT-based Verifiable Credentials](https://datatracker.ietf.org/doc/draft-ietf-oauth-sd-jwt-vc/)
+- v0.9.0 (2026-05-11) — **Three new RFC primitives + `b.structuredFields` shared substrate + structured-fields hardening.** Minor release. Consolidates the quote-aware top-level splitter, control-byte refusal scan, and sf-string unquote used by every RFC 8941 / RFC 9110 / RFC 9111 / RFC 9213 / RFC 9421 / RFC 6266 / RFC 6265 / RFC 6455 parser into a shared `b.structuredFields` module. Closes eight structured-fields bug-class sites, adds three new RFC primitives (CDN cache-control, UA client hints, DNSSEC algorithm classifier), and lands five codebase-patterns detectors so the same shapes can't drift back in. Operators upgrade `0.8.90` → `0.9.0`; v0.8.91 was never tagged. **Added:** *`b.structuredFields` shared substrate* — Exports `splitTopLevel(s, sep)` (quote-aware top-level splitter), `refuseControlBytes` / `containsControlBytes` (raw-value control-byte refusal scan), and `unquoteSfString` (sf-string unquote). Replaces the per-file open-coded copies that were drifting site-by-site across the RFC 8941 / RFC 9110 / RFC 9111 / RFC 9213 / RFC 9421 / RFC 6266 / RFC 6265 / RFC 6455 parsers. · *`b.cdnCacheControl` (RFC 9213)* — Directive list builder + parser shared across `Cache-Control`, `CDN-Cache-Control`, `Surrogate-Control`, and the operator-specific `Cloudflare-` / `Vercel-` / `Fastly-` / `Akamai-` / `Netlify-CDN-Cache-Control` variants. `build({...})` emits the directive list string (numeric directives non-negative-integer-only; refuses Infinity / NaN / floats / negatives; full RFC 9111 boolean directive set; `extensions` for non-standard directives with RFC 7234 §5.2 token-shape enforcement); refuses `public + private` conflict per RFC 9111 §5.2.2.5/§5.2.2.6. `parse(headerValue)` decodes any targeted header into `{ public, private, noStore, maxAge, sMaxAge, ..., directives, fields }` with qualified-form support (`private="Authorization"` flag stays enabled, field-name list under `.fields[camel]` per RFC 9111 §5.2.2.4 / §5.2.2.6), bare `max-stale` parses as `Infinity` per RFC 9111 §5.2.1.2, and a quote-aware top-level `,` splitter. `isTargetedHeader(name)` + curated `TARGETED_HEADERS` allowlist. · *`b.clientHints` (W3C UA Client Hints)* — Sec-CH-UA-* request-header family parser per W3C UA Client Hints + IETF draft-davidben-http-client-hint-reliability. `parse(req.headers)` returns `{ brands, mobile, platform, platformVersion, arch, bitness, model, fullVersionList, wow64, formFactors, raw }`; quote-aware splitters at brand-list and brand-member-parameter level (RFC 8941 §4.1.1.4 parameter values may be sf-string); refuses control characters in any Sec-CH-* value. `acceptList(hintNames)` builds `Accept-CH` with typo-defense (unknown hint name throws `client-hints/unknown-hint`); dedupes case-variant duplicates; canonicalizes to W3C mixed-case spelling. `KNOWN_HINTS` exports the well-known 22-name list. · *`b.network.dns.classifyDnskeyAlgorithm` / `classifyDsDigestType`* — RFC 9905 DNSSEC SHA-1 deprecation classifier. Covers every IANA-assigned DNSKEY algorithm (including PRIVATEDNS/PRIVATEOID/INDIRECT/Reserved entries) and RFC 9558 §3 DS digest types 5 (GOST R 34.11-2012) + 6 (SM3). Operators auditing inbound DNSSEC chain-of-trust evidence refuse validations where `deprecated === true`. **Fixed:** *`b.middleware.bodyParser` Content-Type / Content-Disposition quoted-parameter handling* — RFC 9110 Content-Type / RFC 6266 Content-Disposition parameters can carry quoted-string values (`boundary="foo;bar"` / `filename="weird;name.txt"`); bare `.split(";")` previously sliced through quoted semicolons and corrupted multipart boundaries. `_contentType` and `_parseHeaderParams` now route through the quote-aware splitter. · *`b.requestHelpers.parseListHeader({ strictToken: true })` trim-before-validate* — Control-byte scan now runs on the RAW value before `.trim()` so a leading `\n<token>` no longer slips past `RFC_9110_TOKEN_RE`. Used by webhook signature parsing and WS subprotocol negotiation. · *`b.middleware.tusUpload._parseChecksumHeader` trim-before-validate* — Same shape as the request-helpers fix — control-byte refusal scan runs on the RAW value before trim strips leading/trailing C0/DEL bytes. · *`b.httpClient.cache._parseCacheControl` quote-aware comma split* — RFC 9111 §5.2 + RFC 9110 §5.6.4 directive values may be quoted-string; the parser now uses the shared quote-aware top-level `,` splitter. · *`b.httpClient.cookieJar._parseSetCookie` quote-aware semicolon split* — Defends RFC 7230 quoted-string attribute values (`SameSite="Strict"` from interop-imperfect upstreams) against bare `.split(";")` corruption. · *`b.websocket._parseExtensionHeader` quote-aware splits* — Quote-aware `;` and `,` splitters defend RFC 6455 §9.1 + RFC 7230 token-or-quoted-string parameter values against forward-compat extensions shipping quoted params. · *`b.aiPref.parseHeader` control-byte refusal on raw value* — Refusal scan added on the RAW value before split + trim so leading/trailing control bytes can no longer slip past the validator. · *`b.auth.stepUp.parseChallenge` trim-before-validate* — Same trim-before-validate fix as the rest of the structured-fields parsers; returns `null` per defensive-reader contract instead of throwing. · *`b.logStream.init({ minLevel })` boot-time vocabulary validation* — Validates the level vocabulary at config time so a typo'd `"infos"` (which previously produced `LEVEL_PRIORITY["infos"] === undefined` and silently dropped every log record) throws at boot. · *`b.crypto.httpSig` RFC 9421 Signature-Input parameter parser* — Now uses the shared quote-aware `;` splitter so RFC 8941 §3.1.2 sf-string parameter values parse correctly. · *`b.security.assertProductionPosture({ minTlsVersion })` vocabulary validation* — Validates `minTlsVersion` against the canonical TLS vocabulary BEFORE the rank comparison. A typo previously silently passed because `indexOf` returned `-1` — same bug shape as the v0.8.88 `b.auth.fal.meets` fix. **Detectors:** *`trim-before-validate`* — Refuses any RFC structured-fields parser that runs control-byte validation AFTER `.trim()` strips leading/trailing C0/DEL bytes. Catches both the `charCodeAt` codepoint-loop shape AND the `<NAME>_RE.test(<trimmed>)` grammar-regex shape. · *`enum-rank-without-validation`* — Refuses `_rankFn(X) >= _rankFn(Y)` arithmetic comparisons without a preceding `isValid*` / `KNOWN_*` membership check on both inputs. Catches the `b.auth.fal.meets` bug shape where `indexOf` returning `-1` for an unknown value silently passed rank checks. · *`bool-string-coerce-shape`* — Refuses boolean directive parsing that uses `val === "" || val === "true"` coercion. Catches the `b.cdnCacheControl.parse` qualified-form bug shape. · *`bare-split-on-quoted-header`* — RFC structured-fields parsers in files that also handle sf-string unquote regex must use `b.structuredFields.splitTopLevel`, not bare `.split(",")` / `.split(";")`. Inline `allow:bare-split-on-quoted-header` markers added across `mail-auth.js` (DKIM / DMARC / ARC tag-list grammar — token-only), `network-smtp-policy.js` (TLS-RPT — token-only), `middleware/scim-server.js` (RFC 7644 §3.9 SCIM attribute paths), `http-client-cache.js` (RFC 9110 §12.5.5 Vary field-names), `http-message-signature.js` (RFC 9421 component-id covered list), `middleware/body-parser.js` (RFC 9112 §6.1 Transfer-Encoding token-only), each citing the controlling RFC clause showing why quoted-string is not a legal value in that grammar. · *`scoped-context-binding-unused`* — Scope-named factory bindings (`forwarderDomain` / `realm` / `origin` / `audience` / `issuer`) captured in the factory must be compared against the inbound value's embedded scope in the `verify` / `reverse` / `decode` path. Catches the v0.8.89 SRS forwarder-domain bug shape. **References:** [RFC 8941 Structured Field Values](https://www.rfc-editor.org/rfc/rfc8941.html) · [RFC 9111 HTTP Caching](https://www.rfc-editor.org/rfc/rfc9111.html) · [RFC 9213 Targeted HTTP Cache Control](https://www.rfc-editor.org/rfc/rfc9213.html) · [RFC 9905 DNSSEC SHA-1 deprecation](https://www.rfc-editor.org/rfc/rfc9905.html) · [W3C UA Client Hints](https://wicg.github.io/ua-client-hints/)
+## v0.8.x
+- v0.8.90 (2026-05-11) — **RFC 8689 REQUIRETLS support via `b.mail.requireTls`.** Per-message TLS-requirement signaling between sender and receiver MTAs. Complements MTA-STS and DANE (policy-side, domain-scoped) with a per-message knob that overrides policy when the operator wants stricter-than-policy delivery — the message bounces instead of falling back to cleartext if no downstream MTA can deliver under TLS. **Added:** *`b.mail.requireTls.peerSupports(ehloLines)`* — Walks a parsed EHLO response and returns `true` when the peer advertised the `REQUIRETLS` keyword. Case-insensitive per RFC 5321 §2.4; refuses substring matches (`FOO-REQUIRETLS-BAR` does NOT match); empty / non-array input returns `false`. · *`b.mail.requireTls.mailFromExtension({ requireTls })`* — Builds the trailing `" REQUIRETLS"` token to append to a MAIL FROM line. Refuses a non-boolean flag value (a truthy-but-wrong-shape value like `"yes"` throws instead of silently succeeding). · *`b.mail.requireTls.parseTlsRequiredHeader(headerValue)`* — Parses the RFC 8689 §5 `TLS-Required` header. Returns `"no"` only when the value is the literal token `no` (case-insensitive, ignoring whitespace) per spec; any other non-empty value returns `"yes"` (RFC 8689 §5: "any value other than 'No' MUST be treated as if the field had been absent" — conservative strict path); returns `null` for absent / empty / non-string input. Refuses control characters on the raw header value before `trim()` runs so a leading `\n` / trailing `\r` / NUL / DEL byte can no longer slip past as the literal token `no` (ASCII HT remains permitted as structural folding whitespace). **References:** [RFC 8689 SMTP Require TLS Option](https://www.rfc-editor.org/rfc/rfc8689.html) · [RFC 5321 Simple Mail Transfer Protocol](https://www.rfc-editor.org/rfc/rfc5321.html)
+- v0.8.89 (2026-05-11) — **Hotfix: `b.earlyHints.send()` case-variant link bypass + new `b.mail.srs` Sender Rewriting Scheme.** Closes a case-variant header bypass that let unvalidated `Link` headers reach `writeEarlyHints()` and ships an SRS0 forwarder primitive so the next-hop SPF check passes and bounces route back correctly. **Added:** *`b.mail.srs.create({ secret, forwarderDomain, expiryDays? })`* — Sender Rewriting Scheme (SRS0) implementation for forwarder envelope-from rewriting. Returns `{ rewrite, reverse }`. `rewrite(addr)` produces an SRS-encoded `SRS0=HHHH=TT=domain=local@forwarder.example` form; `reverse(srs)` decodes back to the original sender, verifying an HMAC-SHA-256 short-tag (operator-supplied secret), the day-stamp expiry window (default 30 days), and the canonical 4-field SRS0 grammar. Domain-binding: `reverse(srs)` refuses with `srs/wrong-forwarder` when the SRS0 address's `@domain` part doesn't match the rewriter's `forwarderDomain` (case-insensitive per RFC 5321 §2.3.5). Refuses tampered tags via `srs/bad-tag`, expired rewrites via `srs/expired`, double-SRS-encoding via `srs/already-rewritten`, and bad address shapes via `srs/bad-address`. HMAC uses `b.crypto.timingSafeEqual` for constant-time tag comparison. **Fixed:** *`b.earlyHints.send()` case-variant `Link` header bypass* — Pre-v0.8.89, supplying both `link` (lowercase) AND `Link` (capital, or any other case variant) to `b.earlyHints.send()` bypassed the validator. `opts.link` got the dedicated `_validateLink` pass and was assigned to `headers.link`; the trailing header loop then iterated `Object.keys(opts)`, skipped only the exact-match `"link"` key, and for `"Link"` lowercased the name and wrote `headers.link = opts.Link` — overwriting the validated value with unvalidated content. Malformed Link headers (missing `rel=`, unknown relation, oversized) reached `writeEarlyHints()` despite the API contract. The fix collapses all opt keys to a single canonical lowercase map up front; duplicate case-variants of any header (not just `link`) now refuse with `early-hints/duplicate-header` so operators see the collision instead of silent winner-take-all behavior. Capital `Link` alone (no lowercase variant) still works — it goes through the same validator. Tests added: case-variant-collision refuse, capital-Link-alone validates, capital-Link with malformed value still throws `bad-link`. **References:** [RFC 5321 §2.3.5 (domain name case-insensitivity)](https://www.rfc-editor.org/rfc/rfc5321.html#section-2.3.5) · [RFC 8297 Early Hints](https://www.rfc-editor.org/rfc/rfc8297.html) · [SRS specification (Meng Wong, 2003)](https://www.libsrs2.org/srs/srs.pdf)
+- v0.8.88 (2026-05-11) — **Hotfix: `b.auth.fal.meets()` invalid-band authorization-correctness bug + new `b.earlyHints` RFC 8297 helper.** `b.auth.fal.meets(actualBand, requiredBand)` previously compared raw ranks without validating either input. Unknown bands mapped to rank `0`, so `meets("FAL1", "FALX")` returned `true` and `meets("bad", "bad")` returned `true` — both contradicting the documented contract that invalid bands MUST return `false`. Operators calling `meets()` directly for authorization decisions could grant access on malformed input pairs. Plus a new RFC 8297 103 Early Hints helper. **Added:** *`b.earlyHints.send(res, { link })` — RFC 8297 103 Early Hints* — Wraps Node 18.11+'s built-in `res.writeEarlyHints()` with: link-header validation (RFC 8288 form with one of `preload` / `preconnect` / `prefetch` / `dns-prefetch` / `modulepreload` / `prerender` / `next` / `prev`); silent no-op when the response object lacks `writeEarlyHints` (HTTP/1.0, mocks, older Node); refusal of per-request-state headers per RFC 8297 §3 (`set-cookie`, `authorization`, `content-length`, `content-type`, etc.). Operators use it to start browser-side preload of CSS / JS / fonts / preconnect origins in parallel with the server-side composition of the final response. **Fixed:** *`b.auth.fal.meets()` validates both bands* — The new implementation validates both bands via `isValidBand()` first; any invalid band on either side returns `false`. The `requireFal()` guard was already correct (it used `meets()` after a separate `isValidBand(actualBand)` check, but a defense-in-depth pass into `meets()` itself now catches direct callers too). Tests added: 7 invalid-input shapes (`FALX` actual, `FALX` required, `bad`/`bad`, `FALX`/`FALX`, null on either side, both null). **References:** [RFC 8297 103 Early Hints](https://www.rfc-editor.org/rfc/rfc8297.html) · [RFC 8288 Web Linking](https://www.rfc-editor.org/rfc/rfc8288.html)
+- v0.8.87 (2026-05-11) — **`b.auth.fal` 800-63-4 FAL classifier + RFC 7505 Null-MX helper + Gmail Feedback-ID builder + vendor-update.sh cleanup.** Adds the federation-side counterpart to the existing AAL band classifier (800-63C-4 FAL1/FAL2/FAL3), an RFC 7505 Null-MX classifier for send-side opt-out detection, a Gmail FBL Feedback-ID builder, and a `vendor-update.sh` cleanup that removes a stale argon2 entry. **Added:** *`b.auth.fal` NIST 800-63C-4 FAL classifier* — Federation-side counterpart to the existing `b.auth.aal` band classifier. `fromAssertion({ channel, encrypted?, replayProtected?, hokBinding? })` classifies an incoming federation assertion as `"FAL1"` / `"FAL2"` / `"FAL3"` per NIST 800-63C-4: Holder-of-Key (mTLS / DPoP / SAML HoK) with replay-protection → FAL3; back-channel OR encrypted front-channel with replay-protection → FAL2; bare bearer front-channel → FAL1. Conservative: missing replay-protection on a back-channel assertion downgrades to FAL1 because §5.2 requires nonce / jti binding before back-channel can claim FAL2. `requireFal(minimumBand)` builds a band-check guard that throws `auth/fal-insufficient` for stale-band requests. · *`b.network.dns.isNullMx(records)` — RFC 7505* — Returns `true` when an operator-supplied MX-record array signals "this domain does not accept email" (single record, priority 0, exchange `.` per RFC 7505 §3). Operators send-side check this before delivery to skip domains that have explicitly opted out — `node:dns.resolveMx` returns `exchange: ""` for the same RDATA, so the classifier accepts both shapes. · *`b.mail.feedbackId({ campaignId, customerId, mailType, senderId })`* — Builds a Gmail Feedback-Loop (FBL) Feedback-ID header value as the canonical 4-tuple `CampaignID:CustomerID:MailType:SenderID`. Refuses missing / empty fields, fields containing `:` (would corrupt the field separator), fields >64 chars (Gmail FBL truncation threshold), and control-char content (CR/LF header-injection defense). Setting Feedback-ID on outbound mail lets Gmail Postmaster Tools surface per-campaign abuse-rate metrics keyed by the operator's vocabulary instead of by SMTP envelope-sender alone. **Fixed:** *`vendor-update.sh --check` removed stale argon2 entry* — argon2 was removed from `lib/vendor/` when Node 24's built-in `crypto.argon2*` API replaced the third-party prebuilds (per `lib/argon2-builtin.js`); the script still listed it in the check array, producing a false "UPDATE AVAILABLE" line for an unvendored package. The case-block error path that still says "argon2 is no longer vendored" stays so anyone running `./scripts/vendor-update.sh argon2` gets the operator-friendly explanation. **References:** [NIST SP 800-63C-4](https://pages.nist.gov/800-63-4/sp800-63c.html) · [RFC 7505 Null-MX](https://www.rfc-editor.org/rfc/rfc7505.html)
+- v0.8.86 (2026-05-11) — **Sectoral + cybersecurity posture sweep + HTTP-hygiene primitives + npm-publish hotfix.** v0.8.85's `npm audit signatures` step failed with `npm error found no installed dependencies to audit` because the framework's zero-runtime-deps posture produces an empty install tree; the gate now treats that specific message as success. v0.8.85 npm tarball never published — operators upgrade `0.8.83 → 0.8.86` to pick up the carried v0.8.84 + v0.8.85 surface plus the new v0.8.86 primitives. **Added:** *New sectoral + cybersecurity compliance postures* — `cmmc-2.0` (DoD Cybersecurity Maturity Model Certification 2.0), `cjis-v6` (FBI CJIS Security Policy v6.0), `iso-27001-2022` + `iso-27002-2022` + `iso-27017` + `iso-27018` + `iso-27701` (ISO/IEC 27001 family), `nist-800-66-r2` (HIPAA Security Rule implementation guidance), `ehds` (European Health Data Space), `circia` (US Cyber Incident Reporting for Critical Infrastructure Act). Cascade defaults set encrypted-backup + signed-audit-chain + TLS 1.3 + vacuum-after-erase for the data-tier postures; `iso-27002-2022` + `circia` defer the data-tier mandate to operator choice. · *`b.cacheStatus` — RFC 9211 Cache-Status* — Response-header builder + parser. `append(prev, entry)` chains the operator's current cache decision onto whatever upstream caches wrote; `entry({...})` formats a single entry; `parse(headerValue)` returns the parsed chain as `[{ cache, params }]` records with `hit` / `stored` / `collapsed` as booleans, `ttl` / `fwdStatus` as numbers, `fwd` as the RFC 9211 §2 enum string, `key` / `detail` as unquoted sf-strings. · *`b.serverTiming` — W3C Server-Timing* — `create()` returns a per-request collector with `mark(name, durationMs?, description?)` / `measure(name, fn)` async-timing wrapper / `toHeader()` serializer. Surfaces server-side latency in the browser's Performance API. · *`b.middleware.noCache` — RFC 9111 §5.2.2.5* — `Cache-Control: no-store` middleware for auth-gated / individualized response paths. Sets `Cache-Control: no-store`, `Pragma: no-cache` (HTTP/1.0 compatibility), `Vary: Cookie, Authorization` so intermediate caches don't store personalized responses keyed by URL alone. Optional `opts.when(req)` predicate for conditional application; `opts.skipExisting: true` skips when `Cache-Control` is already set. **Fixed:** *npm-publish gate treats empty install tree as success* — `npm audit signatures` step in `npm-publish.yml` now treats the `npm error found no installed dependencies to audit` message as success while keeping every other failure mode loud. **References:** [RFC 9211 Cache-Status](https://www.rfc-editor.org/rfc/rfc9211.html) · [RFC 9111 HTTP Caching](https://www.rfc-editor.org/rfc/rfc9111.html)
+- v0.8.85 (2026-05-11) — **MCP tool registry + tool-call signing + A2A v1 task-exchange surface.** Closes substantial agent-protocol gaps. MCP tool registry signs every tool descriptor and adds tool-call envelope signing (defends compromised MCP server / descriptor drift, MCP-middleman / indirect-prompt-injection synthesized calls, and call-replay). A2A v1 task-exchange surface ships client dispatchers + server middleware for `tasks/send`, `tasks/get`, `tasks/cancel` plus a signed Agent Card at `/.well-known/agent.json`. **Added:** *`b.mcp.toolRegistry.create({ tools, signingKey, verifyingKey?, alg?, ttlMs? })`* — Every registered tool gets a signed descriptor blob `{ tool, alg, signature }` (defense against compromised MCP server / descriptor drift) and a `descriptorsManifest()` produces a signed `{ body, signature }` document for operator-side attestation. The registry's `signCall({ toolName, args, nonce?, ttlMs? })` builds + signs an outbound tool-call envelope `{ tool, argsHash, nonce, iat, exp }`; `verifyCall(signed, { args?, seen?, nowMs? })` runs the inverse on inbound — refuses signature mismatch (`mcp/call-verify-failed`), expired envelopes (`mcp/call-expired`), replayed nonces via operator-supplied `seen(nonce)` callback (`mcp/call-replay`), unregistered tools (`mcp/call-unregistered-tool`), and args-hash mismatch when raw args supplied (`mcp/call-args-mismatch`). Default algorithm ML-DSA-87 per the framework's PQC-first rule; Ed25519 / ECDSA / SLH-DSA also available. · *A2A v1 task-exchange surface* — `b.a2a.tasks.{ send, get, cancel }` (client-side JSON-RPC dispatchers — `send` posts `tasks/send` to the peer URL with task validation + https-only refusal; `get` polls `tasks/get`; `cancel` requests `tasks/cancel`). `b.a2a.middleware.tasks({ scopes, handler, maxBytes? })` (server-side connect-style middleware — parses inbound JSON-RPC 2.0, enforces method allowlist `[tasks/send, tasks/get, tasks/cancel]` with -32601 method-not-found, enforces per-skill scopes via `req.a2aScopes` with -32001 scope-denied, dispatches to operator handler, maps errors to JSON-RPC -32603, refuses non-POST with 405 + non-JSON content-type with 415). `b.a2a.middleware.agentCard({ card, maxAgeSec? })` serves operator's signed Agent Card at `/.well-known/agent.json` per A2A v1 discovery — 405 on non-GET, Cache-Control max-age operator-tunable.
+- v0.8.84 (2026-05-11) — **Supply-chain hardening trio + HTTP-API hygiene primitives (RFC 9457 + idempotency-key).** Adds CodeQL SAST workflow on `security-extended`, `npm audit signatures` step in `npm-publish.yml`, vendored-SBOM cosign signing, and ships `b.problemDetails` (RFC 9457) + `b.middleware.idempotencyKey` (draft-ietf-httpapi-idempotency-key). The v0.8.84 git tag landed on a wrong commit due to a release-workflow ordering issue and the npm publish did not ship; operators upgrade directly from 0.8.83 to 0.8.85. **Added:** *CodeQL SAST workflow* — `.github/workflows/codeql.yml` runs on PR + push-to-main + weekly Mon-05:31-UTC schedule against the JavaScript surface using the `security-extended` query pack (catches SQL injection, XSS, prototype pollution, command injection, ReDoS, unsafe deserialization, SSRF, hardcoded credentials beyond what OSV-Scanner sees; findings surface as SARIF in the Security tab). · *`npm audit signatures` step in `npm-publish.yml`* — Verifies the cryptographic signing chain for every package in the install tree against the npm registry's public keys before the publish step runs. Regression-defense — the framework ships zero npm runtime deps so the tree is trivially empty today; if a future patch accidentally adds a runtime dep, the gate refuses an unsigned registry entry before tag-push triggers a release. · *Vendored-SBOM cosign signing* — Extends the existing cosign-keyless flow to sign `sbom.vendored.cdx.json` alongside `sbom.cdx.json` and attaches both `.sigstore` bundles to the GitHub Release. · *`b.problemDetails` (RFC 9457)* — `create({ type, title, status, detail, instance, ...extensions })` builds a frozen problem doc with field validation; `fromError(err)` converts a `FrameworkError` into a problem doc with `type` derived from `err.code` against a configurable base URI; `respond(res, problem)` writes the response with `Content-Type: application/problem+json` + `Cache-Control: no-store` per RFC 9457 §3 + RFC 9111 §5.2.2.5; `validate(doc)` parses inbound problem docs from upstream APIs with shape refusal. · *`b.middleware.idempotencyKey` (draft-ietf-httpapi-idempotency-key)* — Replay-safe POST / PUT / PATCH / DELETE — operator-supplied store interface with first-party `memoryStore({ maxEntries })`. Cached fingerprint = `method + path + sha3-256(body)`. 422 + `idempotency/key-reuse-mismatch` problem-details on same-key-different-body per draft §4.3. 5xx responses are NOT cached (replaying a transient infrastructure failure is not idempotent). Default TTL 24h; default methods POST / PUT / PATCH / DELETE. **References:** [RFC 9457 Problem Details for HTTP APIs](https://www.rfc-editor.org/rfc/rfc9457.html) · [draft-ietf-httpapi-idempotency-key](https://datatracker.ietf.org/doc/draft-ietf-httpapi-idempotency-key/)
+- v0.8.83 (2026-05-11) — **ACME 47-day-cert readiness — certificate profiles + dns-account-01 challenge + ARI renewal-window jitter.** Adds draft-aaron-acme-profiles, draft-ietf-acme-dns-account-label, and RFC 9773 §4.2 fleet-scheduling jitter on `b.acme` so operators distribute renewal storms uniformly across the CA-suggested window. **Added:** *`acme.listProfiles()` + `acme.newOrder({ profile })`* — draft-aaron-acme-profiles. `listProfiles()` reads `directory.meta.profiles` and returns the CA-advertised `{ name: description }` map. `newOrder({ profile })` passes the chosen profile name through the order payload; refuses non-string + caps length at 64 bytes. As CA/B Forum SC-081v3 phases in the 47-day mandate, profile-name vocabulary becomes the operator-facing handle for "long-lived" vs "47-day" vs "short-lived" cert selection. · *`acme.dnsAccount01ChallengeRecord(token, { identifier, ttl? })`* — draft-ietf-acme-dns-account-label. Builds the per-account-scoped TXT record (`_<accountLabel>._acme-challenge.<host>`) where `accountLabel` is the lowercase base32 of the first 80 bits of `SHA-256(accountUrl)`. Refuses pre-newAccount (label needs accountUrl as seed); caps identifier at 255 bytes; refuses negative / huge TTL. · *`acme.renewIfDue({ jitter: true })` fleet-scheduling jitter* — RFC 9773 §4.2. Returns a `renewAt` ISO timestamp picked uniformly across the CA-suggested window so operator fleets running on the same poll cadence stop clustering their renewal storms at the window-start instant. Default behavior (`jitter` off or absent) preserves pre-0.8.83 "renew now" semantics. The `acme.cert.renew.scheduled` audit row carries the chosen `renewAt` when jitter is on. **References:** [RFC 9773 ACME Renewal Information](https://www.rfc-editor.org/rfc/rfc9773.html) · [draft-aaron-acme-profiles](https://datatracker.ietf.org/doc/draft-aaron-acme-profiles/) · [draft-ietf-acme-dns-account-label](https://datatracker.ietf.org/doc/draft-ietf-acme-dns-account-label/)
+- v0.8.82 (2026-05-11) — **Privacy 2026 posture sweep — 27 new compliance postures.** Closes the privacy gap with US-federal, UK, Latin America, APAC, US-state child-privacy, and EU non-personal-data postures. Introduces new REGIME_MAP `domain` values (`child-privacy`, `financial-privacy`, `consumer-privacy`, `genetic-privacy`, `platform-governance`, `identity`) so dashboards grouped by domain pick up the new buckets via `b.compliance.posturesByDomain(domain)` without code changes. **Added:** *US federal postures* — `coppa` + `coppa-2025` (FTC final rule 2025-04-22, effective 2026-06-23 — biometric expansion + knowing-collection-13-and-under disclosure; cascade adds `backupEncryptionRequired: true` + vacuum-after-erase), `glba-safeguards` (Safeguards Rule 2024 Amendment, effective 2024-05-13), `gina` (Genetic Information Nondiscrimination Act), `vppa` (Video Privacy Protection Act), `can-spam`, `il-gipa` (Illinois Genetic Information Privacy Act with post-2024 private right of action), `hhs-repro-24` (HHS Reproductive Health HIPAA Amendment 2024-12-23), `nist-pf-1.1` (NIST Privacy Framework 1.1, final 2025-04-14). · *UK + Latin America postures* — `uk-duaa` (Data (Use and Access) Act 2025 — Royal Assent 2025-06-19; replaces the abandoned DPDI Bill). `cl-pdpa` (Chile Ley 21.719, enacted 2024-12-13, effective 2026-12-01), `mx-lfpdppp` (Mexico 2025 secondary reform), `ar-pdpa` (Argentina Ley 25.326). · *APAC postures* — `pipa-kr` (Korea PIPA 2023 major amendment, phased 2023-09-15 / 2024-03-15), `au-privacy` (Australia Privacy Act + 2024 Amendment Act — statutory tort effective 2025-06-10), `th-pdpa`, `vn-pdp` (Vietnam PDP Law effective 2026-01-01), `id-pdp` (Indonesia PDP Law effective 2024-10-17), `my-pdpa` (Malaysia 2024 amendments effective 2025-04-30). · *US-state child-privacy postures* — `ny-safe-kids` + `ny-saffe` (NY Child Data Protection Act + Stop Addictive Feeds Exploitation, both effective 2025-06-20), `md-kids-code` (Maryland Age-Appropriate Design Code), `vt-aadc` (Vermont AADC). · *EU non-personal-data + adjacent postures* — `dsa` (Digital Services Act, fully applicable 2024-02-17), `dga` (Data Governance Act, applicable 2023-09-24), `eu-cer` (Critical Entities Resilience Directive 2022/2557, transposition 2024-10-17), `eu-cyber-sol` (Cyber Solidarity Act 2025/38, effective 2025-02-04), `eidas-2` (eIDAS 2 / EUDI Wallet, rollout 2026-2027). · *New REGIME_MAP `domain` values* — `child-privacy`, `financial-privacy`, `consumer-privacy`, `genetic-privacy`, `platform-governance`, `identity`. Operators rendering compliance dashboards grouped by domain pick up the new buckets via `b.compliance.posturesByDomain(domain)` without code changes.
+- v0.8.81 (2026-05-11) — **AI-governance postures + ISO 42001 / 23894 cross-walk + privacy catalog drift fixes.** 18 new postures register in `b.compliance.KNOWN_POSTURES` (state AI governance, international AI, AI management standards, California gen-AI content credentials, substrate-to-posture cleanup, plus `fl-fdbr` and the long-missing `dpdp`). Adds an ISO 42001 + 23894 cross-walk for operators chasing ISO certification under AI Act high-risk scope, and corrects state-privacy citation drift. **Added:** *AI-governance posture additions* — State AI governance: `co-ai`, `il-hb3773`, `tx-traiga`, `ut-aipa`, `nyc-ll144`, `ca-tfaia` (frontier AI critical-incident records cascade to `backupEncryptionRequired: true`). International AI: `kr-ai-basic`, `cn-ai-label`. AI management standards: `iso-42001`, `iso-23894`. California gen-AI content credentials: `ca-sb942`, `ca-ab853`. Substrate-to-posture cleanup: `eaa` for EU Accessibility Act, `wcag-2-2` for `b.guardHtml.wcag`, `eu-data-act` for `b.dataAct`, `hitech` extending HIPAA-tier, `ferpa` for student records. Plus `fl-fdbr` (Florida Digital Bill of Rights) and the long-missing `dpdp` (India DPDP Act 2023). · *ISO 42001 + 23894 cross-walks* — `b.compliance.aiAct.crossWalkIso42001([aiActCitation])` and `crossWalkIso23894()` return a 15-row mapping table linking EU AI Act articles (Art. 9 risk management → Art. 73 incident reporting) to ISO/IEC 42001:2023 Annex A controls and ISO/IEC 23894:2023 risk-management clauses. Read-only metadata, defensive copies returned, no behavior change at deploy time. **Fixed:** *`b.compliance.set("dpdp")` now resolves* — India DPDP Act 2023 was in the `POSTURE_DEFAULTS` cascade table but not in `KNOWN_POSTURES`, so `b.compliance.set("dpdp")` threw `compliance/unknown-posture`. · *DSR drift fix for `fl-fdbr`* — `b.dsr.stateRules("fl-fdbr")` / `stateRules("FL")` now resolve (45-day response window, 15-day extension, 30-day cure, profiling opt-out enabled, minor opt-in 13). · *State-privacy citation drift* — Four state-privacy posture citations corrected from `(effective 2026-MM-DD)` to `(effective 2025-MM-DD)` — `modpa`, `nh-nhpa`, `nj-njdpa`, `mn-mncdpa` all took effect during 2025; the year-late citations would have surfaced as audit-trail discrepancies under operator review.
+- v0.8.80 (2026-05-10) — **Bug fix — `b.config.loadDbBacked` overlapping-tick race.** `cfg.refresh()` calls `_tick()` directly and the periodic poller also invokes `_tick()` independently. When two ticks overlap, the older read could resolve LAST and overwrite a newer config write — so `admin-save → await cfg.refresh()` was not guaranteed to leave the latest value active when `fetchRows` latency varied. Sequence-numbered ticks now drop stale apply attempts. **Fixed:** *Sequence-numbered ticks drop stale apply attempts* — Every tick claims a monotonic sequence number at start; at apply-time, ticks whose sequence is older than the last-applied sequence drop with a `config.reload.skipped` audit emission (stale-tick reason). The high-water mark advances ONLY after `cfg.reload` succeeds — a newer tick whose validation fails must not suppress an older in-flight tick that still has valid data (otherwise `refresh(valid)` followed by `refresh(invalid)` could silently keep stale config active). Fetch / transform failures short-circuit before the apply path and likewise do NOT advance the watermark.
+- v0.8.78 (2026-05-10) — **Save-triggered reload for `b.config.loadDbBacked`.** Admin save handlers / settings-management UIs that write a row in `_blamejs_config_overrides` now call `await cfg.refresh()` immediately after the write, so the new value is active without waiting for the poll's `intervalMs` tick. The poll stays in place as a safety-net for drift. **Added:** *`cfg.refresh()` save-triggered reload* — Returns a `Promise<void>` of identical shape to `cfg.hydrated`: resolves after the tick settles (success OR audit-on-failure), NEVER rejects so save handlers don't deadlock on a flaky DB. The existing `cfg.subscribe(fn)` continues to fire synchronously inside every successful reload — operators reach for it to invalidate caches / recompute derived state / hot-rebuild middleware that closed over the previous config. Three-tier precedence is documented explicitly in the `@primitive` block: DB-row overlay > `opts.env` baseline > schema `default(...)`.
+- v0.8.77 (2026-05-10) — **OAuth RS completeness + vendored-deps SBOM + MCP coverage + ACME completeness + SCIM 2.0 + AI Act forward templates + C2PA COSE + US-state postures + config reactive value + idempotent startup hydration.** Closes ten substantial gaps: RFC 7662 / 7591 / 8628 / 8693 OAuth resource-server completeness, vendored-deps SBOM signing, MCP `assertProtocolVersion` + sampling/elicitation guards, ACME `revokeCert` / `accountKeyRollover` / `deactivateAccount` / `tlsAlpn01` / EAB, Permissions-Policy denylist expansion, NIST control crosswalk catalog, SCIM 2.0 server middleware, CRA Annex VIII + AI Act Article 27 FRIA + GPAI Article 53(1)(d) templates, C2PA COSE_Sign1 wrap, 22 new US-state privacy postures + per-state DSR rules. Plus a reactive `cfg.value` + first-immediate-tick hydration + `resetAll()` on the rate-limit module. **Added:** *OAuth resource-server completeness* — `b.auth.oauth.introspectToken` (RFC 7662), `registerClient` (RFC 7591 — refuses empty redirect_uris), `deviceAuthorization` + `pollDeviceCode` (RFC 8628 with slow_down / authorization_pending handling), `exchangeToken` (RFC 8693 subject+actor delegation), `b.middleware.protectedResourceMetadata` serving `.well-known/oauth-protected-resource` (draft-ietf-oauth-resource-metadata). · *Vendored-deps SBOM* — `scripts/build-vendored-sbom.js` emits `sbom.vendored.cdx.json` (CycloneDX 1.6) covering every `lib/vendor/*` bundle with per-file SHA-256 + purl + license metadata; wired into `npm-publish.yml` so OSV-Scanner now scans it alongside the primary `sbom.cdx.json`. · *MCP endpoint coverage* — `b.mcp.assertProtocolVersion` (MCP 2025-11-25 §4.1 header). `b.mcp.sampling.guard({ maxRequestsPerSession, maxMessagesPerRequest, maxTokensPerRequest, allowedModelHints })` (HIGH-RISK endpoint — confused-deputy class). `b.mcp.elicitation.guard` (prompt-injection scan + schema-type allowlist + size cap). · *ACME completeness for the 47-day cert lifetime* — `revokeCert` (RFC 8555 §7.6), `accountKeyRollover` (§7.3.5), `deactivateAccount` (§7.3.6), `tlsAlpn01KeyAuthorization` (RFC 8737), External Account Binding opt on `newAccount` (§7.3.4 — required by ZeroSSL / Buypass / Google CA). Closes 47-day CA/B forum surface before March 2026 effective date. · *Permissions-Policy denylist expansion* — Adds `identity-credentials-get`, `attribution-reporting-cross-site`, `publickey-credentials-create`, `join-ad-interest-group`, `run-ad-auction`, `shared-storage`, `shared-storage-select-url`, `smartcard`, `all-screens-capture`, `deferred-fetch`. · *`b.nistCrosswalk` control catalog* — Catalog mapping `800-53r5` (~50 controls), `csf-2.0` (~22 functions), `800-171r3` (~25 requirements), `800-218` (SSDF tasks) to framework primitives — used by operators producing SSPs, POAMs, ATO packages, CMMC self-assessments. · *`b.middleware.scimServer` (SCIM 2.0)* — Implements RFC 7642 / 7643 / 7644 — Users + Groups + ServiceProviderConfig + ResourceTypes + Schemas + filter parser (eq / ne / co / sw / ew / pr / gt / ge / lt / le) + GET / POST / PUT / PATCH / DELETE dispatch + bearer-auth callback hook + 1 MiB body cap. · *CRA + EU AI Act forward-deadline templates* — `b.cra.conformityAssessment` Annex VIII technical dossier scaffold (CE marking, Module routing, vuln-handling auto-fill). `b.complianceAiAct.fundamentalRightsImpactAssessment` (Article 27 FRIA template — mandatory for Annex III §5-8 deployers). `b.complianceAiAct.gpai.trainingDataSummary` (Article 53(1)(d) AI Office template — mandatory 2026-08-02). · *`b.contentCredentials.signCose` (C2PA COSE_Sign1)* — Produces RFC 9052 COSE_Sign1 CBOR envelope with x5chain header + ML-DSA-87 / ed25519 / es256 / 384 / 512 / SLH-DSA-SHAKE-256f algorithms. Interops with c2patool / JPEG Trust / Adobe verifiers (current `sign()` ships a blamejs-internal envelope; the new `signCose()` ships the canonical wire format). · *US-state compliance postures + per-state DSR rules* — `vcdpa`, `co-cpa`, `ctdpa`, `ucpa`, `tdpsa`, `or-cpa`, `mt-cdpa`, `ia-icdpa`, `in-indpa`, `de-dpdpa`, `nh-nhpa`, `nj-njdpa`, `ky-kcdpa`, `tn-tipa`, `mn-mncdpa`, `ri-ricpa`, `ne-dpa`, `nv-sb370`, `ca-aadc`, `ct-sb3`, `tx-cubi` (plus existing `modpa` + `quebec-25`). Registered in `b.compliance` + per-state DSR rules via `b.dsr.stateRules(state)` / `b.dsr.listStateRules()` returning `{ responseDays, extensionDays, cureDays, profilingOptOut, minorOptIn, notes }`. **Changed:** *`b.middleware.rateLimit` instance gains `.resetAll()` + module-level registry* — In-memory backends only; cluster backend no-ops per multi-replica race-safety. The module keeps a registry of every rate-limit middleware created in the process. Incident-response scripts can enumerate every limiter and flush state across the whole process without threading references through the app code. `create()` registers; `middleware.close()` deregisters. Top-level `resetAll()` returns the count of instances it walked. · *`b.config.loadDbBacked` gains `transformValue`* — Per-row transform applied between `fetchRows` and schema validation; common shape is unsealing a `b.vault`-sealed ciphertext column so canonical secrets live encrypted-at-rest in `_blamejs_config_overrides`. Per-row failures emit `config.reload.failed` and skip the row so a single bad row can't crash the poller. · *`b.cryptoField` gains `sealDoc` / `unsealDoc` doc-shaped aliases* — Aliases of the existing `sealRow` / `unsealRow` — same identity, lets downstream tests reach for the document-naming convention when preparing seed objects via raw `INSERT`. **Fixed:** *`b.config` reactive `value` getter* — `cfg.value.X` now reflects the latest validated state after every `reload()` (and every `loadDbBacked` poll). Before, `cfg.value` was a captured property pinned to the create-time object, so `cfg.value.FEATURE_X` stayed stale and only `cfg.get("FEATURE_X")` saw updates. Now backed by an `Object.defineProperty` getter; `cfg.get()` / `cfg.has()` semantics unchanged. · *`b.config.loadDbBacked` startup hydration window* — `loadDbBacked` returned a config handle that stayed at env-only defaults for the first `intervalMs` because `safeAsync.repeating` is `setInterval`-shaped (no t=0 fire). The handle now kicks off one immediate hydration `_tick()` on construction and exposes `cfg.hydrated` — a Promise that resolves after the first tick settles. The Promise NEVER rejects (per-tick failures route through audit, last-good value stays). · *`b.middleware._modules.rateLimit.instances()` + module-level `.resetAll()`* — Module-level helpers for incident-response scripts to enumerate every limiter and flush state across the whole process. `create()` registers, `middleware.close()` deregisters, top-level `resetAll()` returns the count. **References:** [RFC 7662 OAuth Token Introspection](https://www.rfc-editor.org/rfc/rfc7662.html) · [RFC 7591 OAuth Dynamic Client Registration](https://www.rfc-editor.org/rfc/rfc7591.html) · [RFC 8628 OAuth Device Authorization Grant](https://www.rfc-editor.org/rfc/rfc8628.html) · [RFC 8693 OAuth Token Exchange](https://www.rfc-editor.org/rfc/rfc8693.html) · [RFC 8555 ACME](https://www.rfc-editor.org/rfc/rfc8555.html) · [RFC 8737 ACME tls-alpn-01](https://www.rfc-editor.org/rfc/rfc8737.html) · [SCIM 2.0 RFC 7644](https://www.rfc-editor.org/rfc/rfc7644.html)
+- v0.8.76 (2026-05-10) — **CI green-up — OSV-Scanner v2 requires CycloneDX SBOM filename match.** OSV-Scanner v2 refuses to parse SBOMs whose filename doesn't match the CycloneDX recognized-pattern spec — `sbom.cyclonedx.json` is NOT recognized; only `bom.json` / `*.cdx.json` / `*.spdx.json` etc. are. v0.8.75's npm-publish workflow failed with `Failed to parse SBOM "sbom.cyclonedx.json": Invalid SBOM filename`. **Changed:** *Rename `sbom.cyclonedx.json` → `sbom.cdx.json` everywhere* — Workflow generation step, post-process script, OSV scan target, cosign sign target, GH release asset upload, `package.json` `files` array, `scripts/check-pack-against-gitignore.js` allowlist, `.gitignore` allowlist. Published-tarball asset filename changes from `sbom.cyclonedx.json` to `sbom.cdx.json` — consumers reading the SBOM out of the install tree should update the path.
+- v0.8.75 (2026-05-10) — **CI green-up — OSV-Scanner v2 removed the `--fail-on-vuln=<severity>` flag.** OSV-Scanner v2.3.5 removed `--fail-on-vuln=<severity>`; passing it now errors with `flag provided but not defined: -fail-on-vuln` and the npm-publish workflow exits 1 before `npm publish` runs. v0.8.73 + v0.8.74's npm-publish workflows both failed for this reason. v2's default behaviour is exit-1-on-ANY-finding — stricter than v1's `--fail-on-vuln=HIGH` floor, and appropriate for a zero-npm-runtime-dep framework where any surfaced vuln means a vendor refresh is overdue. The framework currently has no findings, so the stricter floor is a no-op at HEAD. **Fixed:** *Drop the unsupported `--fail-on-vuln` flag from the OSV-Scanner step* — v2's default is exit-1-on-ANY-finding; the previous v1 `--fail-on-vuln=HIGH` floor is no longer settable as a flag, and the stricter v2 default is what a zero-npm-runtime-dep framework wants anyway.
+- v0.8.74 (2026-05-10) — **`.gitattributes` `*.sh text eol=lf` for shell scripts that run inside Linux containers.** Under a Windows checkout with `core.autocrlf=true`, git rewrites `*.sh` to CRLF on checkout and bash chokes with `$'\r': command not found` at line 1. Locally reproduced the OSS-Fuzz upstream submission failure (zero artifacts compiled, every `compile_javascript_fuzzer` call failed silently on the CRLF). Unblocks the OSS-Fuzz upstream submission. **Fixed:** *`.gitattributes` enforces LF endings on `*.sh`* — Adds an explicit `*.sh text eol=lf` override so every `.sh` checks out LF regardless of platform; existing tracked scripts re-normalized (CRLF stripped) in the same commit. Verified end-to-end: `docker run ... gcr.io/oss-fuzz-base/base-builder-javascript bash /src/build.sh` now compiles all 15 fuzz harnesses + zips their seed corpora cleanly.
+- v0.8.73 (2026-05-10) — **ClusterFuzzLite + OSS-Fuzz integration replaces the hand-rolled fuzz harness.** Every `fuzz/*.fuzz.js` is now a jazzer.js / libFuzzer entry-point (`module.exports.fuzz = function (data) { ... }`) so the engine drives the target with coverage-guided mutation instead of random bytes. Same 15 targets as v0.8.72. ClusterFuzzLite runs locally + on PRs; OSS-Fuzz submission-ready project config ships under `oss-fuzz/projects/blamejs/`. **Changed:** *Fuzz harnesses migrated to jazzer.js / libFuzzer* — Every `fuzz/*.fuzz.js` exports `module.exports.fuzz = function (data) { ... }`. Each gets a `fuzz/<name>_seed_corpus/` directory with realistic bootstrap inputs that libFuzzer mutates from. The shared `_expected.js` classifies operator-friendly framework throws (codes matching `<domain>/<error>` or `<domain>.<error>` shape; node-builtin error subclasses with input-shape messaging) as expected outcomes; anything else escapes as a finding the engine records + minimizes into a regression-corpus entry. · *ClusterFuzzLite (local, free)* — `.clusterfuzzlite/Dockerfile` + `build.sh` + `project.yaml` ride alongside the framework source. Two GH Actions workflows wire it in — `cflite_pr.yml` runs 300s of coverage-guided fuzzing per target on every PR touching `lib/` or `fuzz/`; `cflite_batch.yml` runs the deeper 1800s batch + 600s coverage measurement on a daily 05:17 UTC schedule. Findings surface as PR annotations + SARIF in the Security tab. · *OSS-Fuzz upstream-submission config* — `oss-fuzz/projects/blamejs/{Dockerfile, build.sh, project.yaml, README.md}` is the submission-ready project config that gets copy-pasted into `projects/blamejs/` in the `google/oss-fuzz` upstream repo. Once accepted, ClusterFuzz fuzzes 24/7 on Google Cloud with permanent corpus persistence, stack-trace dedup, automatic regression testing against every commit, and a public coverage dashboard. The OSS-Fuzz `build.sh` mirrors `.clusterfuzzlite/build.sh` byte-for-byte (modulo comment block) so findings reproduce identically locally. **Detectors:** *Fuzz-coverage gate now verifies jazzer.js shape* — `testParserPrimitivesHaveFuzzHarness` verifies the jazzer.js shape (`module.exports.fuzz = ...`) in addition to the missing-harness check — a future parser primitive lands either with a coverage-guided harness or an audited `FUZZ_NOT_REQUIRED` entry. `npm run fuzz` switched to invoke jazzer.js for one-target local dev (`npx @jazzer.js/core fuzz/safe-json.fuzz.js -- -max_total_time=60`); the previous random-fuzzer + standalone `.github/workflows/fuzz.yml` are removed. SECURITY.md threat-model + operator-checklist updated with the new dual-pipeline posture.
+- v0.8.72 (2026-05-10) — **Fuzz harness against the parser / validator surface + smoke-time fuzz-coverage gate.** New `fuzz/` directory ships hand-rolled fuzz harnesses against the 11 highest-value adversarial-input primitives. Each harness generates random / mutated / bidi-salted / control-char-salted inputs against a per-target seed corpus, runs until `FUZZ_BUDGET_MS` elapses, and fails with a reproducer when the target throws an unexpected error. New CI workflow + a Layer 0 detector that enforces fuzz-harness coverage for `lib/safe-*.js` and `lib/guard-*.js` files. **Added:** *`fuzz/` directory + 11 hand-rolled harnesses* — Targets: `b.safeJson.parse`, `b.safeUrl.parse`, `b.safeJsonPath.validateExpression`, `b.guardCsv.validate`, `b.guardHtml.validate`, `b.guardJson.parse`, `b.guardYaml.parse`, `b.guardXml.validate`, `b.guardSvg.validate`, `b.guardMarkdown.validate`, `b.guardEmail.validateMessage`. Each runs until `FUZZ_BUDGET_MS` elapses (default 30s; CI: 60s on PR / 300s on schedule) and fails with a reproducer when the target throws an unexpected error (vs. an operator-friendly framework error code in the documented `domain/error` or `domain.error` shape). Native `TypeError` with input-shape messaging, `SyntaxError`, and `RangeError` matching the depth/length/cap contract are accepted; everything else is a finding. · *`.github/workflows/fuzz.yml`* — Runs the harness in matrix on every PR touching `lib/` or `fuzz/` and on a daily 05:17 UTC schedule. `npm run fuzz` runs every harness sequentially via `fuzz/_run-all.js` for local dev. **Fixed:** *README OpenSSF Scorecard badge URL* — Corrected `api.scorecards.dev` → `api.scorecard.dev` (plural-singular typo). **Detectors:** *`testParserPrimitivesHaveFuzzHarness`* — New Layer 0 detector in `test/layer-0-primitives/codebase-patterns.test.js` enforces that every `lib/safe-*.js` and `lib/guard-*.js` file has a corresponding `fuzz/<name>.fuzz.js` OR an explicit `FUZZ_NOT_REQUIRED` allowlist entry with reason — so a future parser primitive can't silently ship without fuzz coverage.
+- v0.8.71 (2026-05-10) — **CI green-up — cosign-installer action commit SHA correction.** The v0.8.70 `npm-publish` workflow's cosign-sign-blob step couldn't resolve its pinned `sigstore/cosign-installer` action commit SHA because the SHA was a typo, not a real commit on the action's repo. Replaced with the actual v3.7.0 commit SHA so the publish pipeline resolves the dependency and runs end-to-end. **Fixed:** *`sigstore/cosign-installer` action SHA pin corrected* — The pinned commit SHA `d7d6e07b3e89342f1d8bcd4f76c2fa5a9d1a1f7e` did not exist on the action's repo and broke the publish workflow at the cosign-installer step. Replaced with the actual v3.7.0 commit SHA `dc72c7d5c4d10cd6bcb8cf6e3fd625a9e5e537da`. No primitive surface change versus v0.8.70.
+- v0.8.70 (2026-05-10) — **Additive surface across OAuth/OIDC, FAPI 2.0, browser hardening, MCP safety, compliance, and supply-chain.** Bundled additive release covering RFC 9207 iss-validation, JARM decoding, refresh-token replay defense, FAPI 2.0 message-signing posture, Private Network Access preflight handling, MCP tool-result sanitization + capability checks, five new compliance postures, the EU Data Act primitive, and supply-chain hardening (CycloneDX 1.6 + OSV-Scanner + Sigstore cosign signing). **Added:** *OAuth/OIDC: iss validation, JARM decoding, refresh-token replay defense* — `b.auth.oauth.parseCallback(query, opts?)` validates the RFC 9207 AS Issuer Identifier — refuses iss-mismatch and OP `error=` redirects; optional `requireIssParam` refuses missing iss. `parseJarmResponse(jwt, opts?)` decodes OAuth 2.0 JARM signed authorization responses. `refreshAccessToken(token, { seen })` accepts an operator-supplied callback that refuses replayed refresh tokens before any HTTP call (RFC 9700 §4.13 / OAuth 2.1 §6.1 one-time-use rotation); returns `refreshTokenRotated: true` on success. · *FAPI 2.0 runtime checks + `fapi-2.0-message-signing` posture* — `b.fapi2.assertCallback(query)` refuses missing iss when `fapi-2.0` posture is set, and refuses bare-param when `fapi-2.0-message-signing` is set (requires JARM `response`). `b.fapi2.assertAuthzRequest(authzParams)` refuses non-JAR (bare-param) authorization requests under FAPI 2.0. New `fapi-2.0-message-signing` posture registered. · *Browser hardening: Permissions-Policy denylist + PNA preflight + 401 cache headers* — `Permissions-Policy` defaults extend with `storage-access=()`, `browsing-topics=()`, `private-aggregation=()`, `controlled-frame=()`, `captured-surface-control=()`. `b.middleware.cors` gains an `allowPrivateNetwork` opt + Private Network Access preflight handling — refuses `Access-Control-Request-Private-Network` by default, sets `Access-Control-Allow-Private-Network: true` when opted in. `b.middleware.requireAuth` / `requireAal` / `requireStepUp` 401 responses now set `Cache-Control: no-store` per RFC 9111 §5.2.2.5. · *MCP safety + LLM07/08 mitigations* — `b.mcp.toolResult.sanitize(result, opts?)` runs a prompt-injection regex + dangerous-HTML detection + URL allowlist on tool outputs (modes `refuse` / `sanitize` / `audit-only`). `b.mcp.capability.create(scopes)` + `satisfiedBy(granted)` formalize least-privilege capability checks. `b.mcp.validateToolInput(toolName, input, schema)` enforces a JSON Schema 2020-12 subset (`type` / `properties` / `required` / `items` / `enum` / `const` / `minLength` / `maxLength` / `minimum` / `maximum`). · *Compliance postures: `modpa`, `nydfs-500`, `hipaa-2026`, `quebec-25`, `fapi-2.0-message-signing`* — Maryland Online Data Privacy Act, NY DFS Cybersecurity Regulation, HHS HIPAA Final Rule effective 2026, Quebec Law 25, and the FAPI 2.0 message-signing financial posture all register in `b.compliance.KNOWN_POSTURES` with the matching cascade entries. · *`b.dataAct` — EU Data Act (Regulation 2023/2854)* — `declareProduct`, `recordUserAccess`, `shareWithThirdParty` (Art 32 §1 refuses sharing with DMA designated gatekeepers without an audited override via `acceptGatekeeper.reason`), `recordSwitchRequest` (Art 28 §3 caps notice period at 30 days). · *Supply-chain hardening — SBOM bump, OSV-Scanner, Sigstore SBOM signing, dep-confusion claim* — SBOM bumped to CycloneDX 1.6. The `npm-publish` workflow now runs OSV-Scanner with `--fail-on-vuln=HIGH` and signs the SBOM via the Sigstore cosign keyless flow (attaches the `.sigstore` bundle to the GitHub release alongside the JSON). `scripts/publish-dep-confusion-placeholder.sh` claims unscoped names (`blamejs`, `blame-js`, `blamejs-core`) on npm with placeholder packages that exit 1 + redirect to canonical `@blamejs/core`; manual, run on maintainer rotation, refuses overwrite when a different owner already holds the name. **References:** [RFC 9207 OAuth 2.0 Authorization Server Issuer Identification](https://www.rfc-editor.org/rfc/rfc9207.html) · [RFC 9700 OAuth 2.0 Security Best Current Practice](https://www.rfc-editor.org/rfc/rfc9700.html) · [RFC 9111 HTTP Caching](https://www.rfc-editor.org/rfc/rfc9111.html) · [FAPI 2.0 Security Profile](https://openid.net/specs/fapi-2_0-security-profile.html) · [EU Data Act (Regulation 2023/2854)](https://eur-lex.europa.eu/eli/reg/2023/2854/oj) · [CycloneDX 1.6](https://cyclonedx.org/docs/1.6/json/)
+- v0.8.69 (2026-05-10) — **Test-side `waitUntil` helper for observable async conditions.** Recurring `SMOKE_PARALLEL=64` and macOS-runner flakes shared one root cause — fixed-budget `setTimeout(r, N)` sleeps too short for runner-contention reality. A new polling helper replaces hand-tuned sleeps with assertions against the observable condition itself, exiting early on fast platforms and using the full budget on contended ones. **Added:** *`waitUntil` + `waitUntilEqual` test helpers* — `test/helpers/wait.js` ships `waitUntil(predicate, opts?)` — polls every `intervalMs` (default 25ms) up to `timeoutMs` (default 5000ms), exits early when the predicate returns truthy, throws a labeled error on timeout. `waitUntilEqual(getter, expected)` is the convenience wrapper for the common case. Both re-exported from `test/helpers/index.js`. **Changed:** *`log-stream-otlp` collector-retry gate converted to `waitUntil`* — `test/layer-0-primitives/log-stream-otlp.test.js`'s 'collector saw retries' gate now uses `waitUntil({ failCount >= 2, dropEvents.length === 1 })` instead of `_sleep(200)`. Fast platforms exit in ~30ms; contended platforms get the full 5s budget. The general convention: when you find yourself bumping a hand-tuned sleep to fix a CI flake, that's the smell — convert to `waitUntil` so future flake fixes adjust one timeout ceiling instead of N inline budgets.
+- v0.8.68 (2026-05-10) — **`b.watcher` polling backend for environments where `fs.watch` doesn't deliver events.** Pre-v0.8.68 the watcher used `fs.watch(root, { recursive: true })` exclusively — silent on filesystems where the kernel→userspace event bridge doesn't exist: Docker Desktop bind-mounts on Windows / macOS hosts (gRPC-FUSE / VirtioFS), NFS / SMB, some FUSE filesystems. Adds `mode: "fs" | "poll"` (default `"fs"`) — when `"poll"`, the watcher walks the tree on a fixed interval and diffs against the previous snapshot. **Added:** *`b.watcher.create({ mode: "poll" })` polling backend* — When `mode: "poll"`, the watcher walks the tree on a fixed interval and diffs against the previous snapshot. New file / mtime-change / size-change → `onChange` via the existing debounce + ignore + lstat dispatch; missing path → `onDelete`. `pollIntervalMs` (default 1s) sets cadence; `pollMaxFiles` (default 50000) caps the per-tick walk so a misconfigured root can't stall the event loop stat'ing 100k files every second — overflow refuses with `watcher/poll-overflow`. Symlinks skipped (matches `fs.watch` path). The initial walk happens synchronously in `create()` so the first event fires only on real post-start changes (not on pre-existing files). `_flushForTest()` runs one synchronous tick + drains pending debounces so polling tests don't have to sleep `pollIntervalMs`. Returned handle gains `.mode` for operator introspection. `fs.watch`-backend error messages now suggest `mode: "poll"` as the fallback.
+- v0.8.67 (2026-05-10) — **SAML XMLDSig Reference Transforms (`enveloped-signature` + per-Reference c14n) + IdP round-trip in the federation-auth test.** Pre-v0.8.67 `b.auth.saml.sp.verifyResponse` only honored the SignedInfo's `CanonicalizationMethod`; it didn't process the `<ds:Transforms>` block on the Reference. Real-world IdP-signed responses (Keycloak, ADFS, Okta) attach `http://www.w3.org/2000/09/xmldsig#enveloped-signature` + a per-Reference `xml-exc-c14n#` Transform; without them, the digest never matched and verifyResponse rejected legitimate responses. No primitive surface change versus v0.8.66. **Fixed:** *`_verifyXmldsig` honors per-Reference Transforms* — Reads the Transforms list, applies `enveloped-signature` by filtering the parsed-tree's `<Signature>` element children before canonicalization, and honors the per-Reference c14n choice (with vs without comments). The single-match-by-ID invariant + signature-wrapping defense moves into the saml.js path directly so the modified subtree (signature stripped) is the one that gets canonicalized + digested. Unsupported Transform algorithms refuse loudly via `auth-saml/unsupported-transform`. · *Full IdP-emitted SAML round-trip in the federation-auth integration test* — `test/integration/federation-auth.test.js` now drives Keycloak's HTML login form via cookie-jar curl-equivalent (no headless browser needed), captures the IdP-signed SAMLResponse, fetches the IdP signing certificate from `/protocol/saml/descriptor`, hands the response to `sp.verifyResponse(b64, { expectedInResponseTo })`, and asserts the extracted `nameId` / `issuer` / `audience` / `inResponseTo` match the realm's signed claims.
+- v0.8.66 (2026-05-10) — **`b.session.updateData(token, data, opts?)`.** Update the sealed `data` payload on a session WITHOUT rotating the sid. Pre-v0.8.66 the only path to mutate session data was `b.session.rotate(token, { data })` which forces an sid rotation — appropriate for security-boundary transitions (login, MFA, role escalation) but heavyweight for cart-state writes / preference flips / step-up-completion flags. **Added:** *`b.session.updateData(token, data, opts?)`* — Default semantics: full payload replace, `lastActivity` bumped (idle-timeout reset), reserved `__bj_fingerprint` binding preserved automatically so `verify()` still surfaces drift correctly. `opts.merge: true` does a one-level deep merge into the existing payload; `opts.touchLastActivity: false` skips the idle-timeout bump. Returns `false` for unknown / expired / pre-v0.8.61-raw-format tokens (no throw). Anonymous-session userIds work the same as named userIds. Leader-only.
+- v0.8.65 (2026-05-10) — **Federated-authentication integration test fixture (Keycloak as OIDC OP + SAML IdP).** Adds `quay.io/keycloak/keycloak:26.0` to `docker-compose.test.yml` with realm-import on ports :18080 (HTTP) + :18081 (Quarkus health). Realm boots with one OIDC client, one SAML SP client, and a test user. New `test/integration/federation-auth.test.js` exercises end-to-end OIDC + SAML flows against the live Keycloak. **Added:** *Keycloak integration test fixture* — Adds `quay.io/keycloak/keycloak:26.0` to `docker-compose.test.yml` running with realm-import on port `:18080` (HTTP) + `:18081` (Quarkus health). Realm `blamejs-test` boots with one OIDC client (`blamejs-rp-oidc`, secret `blamejs-test-rp-secret`, frontchannel + backchannel logout enabled), one SAML SP client (entityID `https://sp.blamejs-test.example`, RSA-SHA256 assertion signature), and a test user (`alice` / `blamejs-test-password`). · *`test/integration/federation-auth.test.js`* — Exercises end-to-end against the live Keycloak: OIDC discovery, `b.auth.oauth.authorizationUrl` (state + nonce + PKCE), password-grant token retrieval, `verifyIdToken` against the realm JWKS, `fetchUserInfo` with `idTokenSub` cross-check, RP-Initiated Logout URL build, `parseFrontchannelLogoutRequest` iss-mismatch refusal, `verifyBackchannelLogoutToken` JWKS-lookup + signature + typ-check failure paths, SAML `buildAuthnRequest` POST to the IdP's `/protocol/saml` endpoint, SP `metadata()` XML emit, and CIBA `startAuthentication` wire-format check (Keycloak's `backchannel_authentication_endpoint` is at `/protocol/openid-connect/ext/ciba/auth`). **Fixed:** *`b.auth.ciba._postForm` response handling + URL validation* — Sets `responseMode: "always-resolve"` so deterministic OAuth-shape error JSON (`{ error, error_description }`) reaches the AuthError-mapping path instead of being rejected as a generic HTTP error. URL validation switched from a non-existent `safeUrl.assertHttpUrl` to `safeUrl.parse({ allowedProtocols })`. · *Service-check + helper wiring for Keycloak* — `scripts/check-services.js` registers `keycloak` + `keycloak-health` (both v4 + v6); `test/helpers/services.js` exposes `URLS.keycloak`. The release workflow documents the federation-auth integration test path under live-integration gates. OID4VCI / OID4VP / OpenID Federation deferred — Keycloak's `oid4vc-issuer` SPI is preview-only and there's no entity-statement publisher in the base image.
+- v0.8.64 (2026-05-10) — **CI green-up for v0.8.63 (wiki source-comment validator).** v0.8.62 missed `examples/wiki/test/validate-source-comment-blocks.js` — a wiki-side validator that enforces every `@primitive` block has `@signature` starting with `b.`, matching function arity, an `@opts` declaration when the function takes opts, an `@example` block, and resolvable `@related` cross-refs. 50 findings across the new federation/VC primitives. No primitive surface change versus v0.8.63. **Fixed:** *Wiki source-comment validator findings on federation/VC primitives* — Every nested-namespace `@signature` (`b.auth.ciba.client.X`, `b.auth.oid4vci.issuer.X`, `b.auth.oid4vp.verifier.X`, `b.auth.saml.sp.X`) re-qualified with the full `b.*` prefix instead of the bare `client.X` shorthand. Arity collapsed to `(opts)` where the function takes a single opts arg. `@example` block added to every primitive. `@opts` block added to `ciba.client.startAuthentication` / `parseNotification` + `openidFederation.resolveLeaf`. `@primitive` block added to `xmlC14n.parse`. `@related` cross-refs scrubbed of dangling references to undocumented primitives. The parse-as-JS check on oid4vci's `@example` caught a `{...}` literal with no target — replaced with a concrete object spread.
+- v0.8.63 (2026-05-10) — **CI green-up for v0.8.62 (ESLint findings on the new federation/VC primitives).** Ten ESLint findings missed by the local pre-ship audit (eslint not run before commit): unused vars, an unnecessary `\-` escape in xml-c14n's name-character regex, and a control-character regex in CIBA's binding_message validator (`no-control-regex` refuses control-char ranges in regex literals regardless of `\u` escaping). No primitive surface change versus v0.8.62. **Fixed:** *Unused vars + redundant regex escape across federation/VC primitives* — Removed `openTag` in xml-c14n; `cache` + unused `C` import + `DEFAULT_CHAIN_TTL_MS` in openid-federation; `safeJson` in oid4vp; `sdJwtVcCore` + `SUPPORTED_PROOF_TYPES` in oid4vci. Dropped a redundant `\-` escape in xml-c14n's name-character regex. · *CIBA `binding_message` control-char scan* — Replaced the regex with an explicit codepoint scan in `_validateBindingMessage` that walks `msg.charCodeAt(i)` and refuses C0 / DEL+C1 / zero-width / bidi-mark / bidi-isolate / BOM ranges (`no-control-regex` refuses control-char ranges in regex literals).
+- v0.8.62 (2026-05-10) — **Federation / VC primitive family + standalone DB-file lifecycle + anonymous-session ergonomics.** OpenID Connect Front-Channel + Back-Channel Logout, CIBA Core 1.0, OpenID4VCI 1.0, OpenID4VP 1.0 + DCQL, OpenID Federation 1.0, SAML 2.0 SP, RFC 3741 Exclusive XML Canonicalization, SD-JWT VC key-attestation extension, `b.db.fileLifecycle` for consumers owning their own SQLite handle, anonymous-session ergonomics, and a `makeNamespacedEmitters` helper. **Added:** *OIDC Front-Channel + Back-Channel Logout 1.0 on `b.auth.oauth`* — `parseFrontchannelLogoutRequest(req)` validates iss + sid query params. `verifyBackchannelLogoutToken(jwt, vopts)` verifies the JWS (typ=logout+jwt), validates the events claim per OIDC §2.6, refuses logout-tokens carrying nonce, requires sub OR sid, and runs an operator-supplied `seen({ jti, iss, iat })` callback for jti-replay defense. Discovery surface extended to `check_session_iframe` + `backchannel_authentication_endpoint`. · *CIBA Core 1.0 at `b.auth.ciba.client.create`* — `deliveryMode: "poll"|"ping"|"push"` with `startAuthentication` / `pollToken` / `parseNotification`. Supports JWT-bearer / mTLS / shared-secret client auth, binding_message + acr_values + requested_expiry, ping/push notification token (timing-safe compared via sha3 hash), and the `urn:openid:params:grant-type:ciba` grant. · *OpenID4VCI 1.0 at `b.auth.oid4vci.issuer.create`* — Issuer-initiated credential_offer with pre-authorized_code + tx_code, /token grant exchange, /credential endpoint with proof-JWT verification (typ=openid4vci-proof+jwt, iat freshness, nonce-replay defense, holder-key binding via header.jwk + JWS verify), c_nonce rotation per request, /.well-known/openid-credential-issuer metadata. Composes `b.auth.sdJwtVc.issuer` for SD-JWT VC minting. · *OpenID4VP 1.0 + DCQL at `b.auth.oid4vp.verifier.create`* — `createRequest` builds a vp_token authz request with a DCQL query. `verifyResponse` parses the wallet's vp_token, runs each presentation through `b.auth.sdJwtVc.verify` (audience + nonce + KB-JWT bound, optional key_attestation verifier), then runs the DCQL matcher. DCQL covers credentials[] (id / format / meta vct_values / meta issuer_values / claims with path + values) and credential_sets[] (options + required) per OID4VP §6. · *OpenID Federation 1.0* — `b.auth.openidFederation.{ parseEntityStatement, verifyEntityStatement, buildTrustChain, applyMetadataPolicy, resolveLeaf }` — fetches entity configs from `<entity>/.well-known/openid-federation`, walks `authority_hints` up to a trust anchor (operator-pinned JWKS), verifies each subordinate-statement JWS, and applies the federation's metadata_policy (`value` / `default` / `add` / `one_of` / `subset_of` / `superset_of` / `essential` — unknown operators refuse). · *SAML 2.0 SP at `b.auth.saml.sp.create`* — AuthnRequest builder for HTTP-Redirect / POST bindings. Response parser verifies XMLDSig (Response-level OR Assertion-level signature), defends against signature-wrapping via `b.xmlC14n.canonicalizeElementById`'s single-match invariant, validates SubjectConfirmation Bearer (NotOnOrAfter / NotBefore / Recipient / InResponseTo) + Conditions audience + Status. Plus `b.auth.saml.fetchMdq({ baseUrl, entityId, trustCertPem? })` for MDQ-style metadata fetch with optional XMLDSig verification. · *`b.xmlC14n` — RFC 3741 Exclusive XML Canonicalization* — `canonicalize(input, opts?)` and `canonicalizeElementById(xml, id, opts?)`. The `canonicalizeElementById` single-match invariant is the core defense against XML signature-wrapping attacks (refuses ID collisions + zero-match references). Doctype + ENTITY refused at parse time. · *SD-JWT VC `key_attestation` extension* — `b.auth.sdJwtVc.holder.store({..., keyAttestation })` persists a holder-side attestation JWT alongside the credential. `b.auth.sdJwtVc.present({..., keyAttestation })` embeds it in the KB-JWT header. `b.auth.sdJwtVc.verify(presentation, { keyAttestationVerifier, requireKeyAttestation })` surfaces the attestation token to an operator-supplied verifier so trust-anchor decisions (TEE / FIDO MDS3 / App Attest / Play Integrity) stay operator-side. · *`b.db.fileLifecycle({ dataDir, vault, ... })`* — Standalone encrypted-DB-file lifecycle for consumers that own their own SQLite handle (own schema, own migrations, own connection). Decrypts `<dataDir>/db.enc` to a tmpfs path (`/dev/shm` on Linux), exposes `dbPath` for the operator to open, runs a periodic re-encrypt flush via `startFlushTimer(db)`, returns an in-memory snapshot via `snapshot(db)`, and runs a graceful flush + cleanup via `flushAndCleanup(db, opts)`. Same envelope shape as `b.db`; no schema / audit-chain coupling. · *`b.session.create({ anonymous: true })`* — Auto-mints `userId = "anon:" + crypto.randomUUID()` so operators running pre-login flows keep the full sealed-cookie + sealed-userId + sidHash + idle/absolute-timeout posture without rolling their own opaque-id pattern. `b.session.isAnonymous(userId)` helper for post-auth gates. `destroyAllForUser` refuses anon-prefix ids (per-session, not portable). · *`validateOpts.makeNamespacedEmitters(prefix, { audit, observability })`* — Collapses the recurring per-primitive `_emitAudit` / `_emitMetric` boilerplate into one call; the new federation/VC primitives consume it. **References:** [OpenID Connect Front-Channel Logout 1.0](https://openid.net/specs/openid-connect-frontchannel-1_0.html) · [OpenID Connect Back-Channel Logout 1.0](https://openid.net/specs/openid-connect-backchannel-1_0.html) · [OpenID Client-Initiated Backchannel Authentication 1.0](https://openid.net/specs/openid-client-initiated-backchannel-authentication-core-1_0.html) · [OpenID4VCI](https://openid.net/specs/openid-4-verifiable-credential-issuance-1_0.html) · [OpenID4VP](https://openid.net/specs/openid-4-verifiable-presentations-1_0.html) · [OpenID Federation 1.0](https://openid.net/specs/openid-federation-1_0.html) · [RFC 3741 Exclusive XML Canonicalization](https://www.rfc-editor.org/rfc/rfc3741.html)
+- v0.8.61 (2026-05-10) — **PQC-sealed session cookie + IP-prefix fingerprint binding + pluggable session store + `b.db.collection` schemaless extensions.** Breaking pre-1.0 change: `b.session.create(...).token` now returns a vault-sealed envelope (ML-KEM-1024 + P-384 hybrid + XChaCha20-Poly1305) instead of the plaintext sid. Pre-v0.8.61 raw-sid cookies fail to unseal and the affected user re-authenticates. Adds `b.db.collection` schemaless-document opts (`overflow: "data"`, `jsonColumns`, `sealedFields`), IPv4 /24 + IPv6 /64 fingerprint binding for roaming carriers, and a pluggable session store with a first-party `localDbThin` adapter. **Added:** *`b.db.collection` schemaless-document extensions* — `{ overflow: "data" }` folds every insert/update field outside the table's column list into a JSON-text column; `find` / `findOne` parse it and merge keys back onto the row. `WHERE` on an unknown field rewrites to `JSON_EXTRACT(<overflow>, '$.field')` for `$eq` / `$ne` / `$in` (range / `$like` require a real column with an index). `{ jsonColumns: ["roles", "metadata"] }` auto-`JSON.stringify`s listed columns on write and parses them via `b.safeJson` on read; unknown columns refuse at first use. `{ sealedFields: { email: "emailHash" } }` co-locates sealed-column / derived-hash declarations with the collection — registers via `b.cryptoField.registerTable` so the existing query-builder sealed-field rewrite picks up automatically. · *Pluggable session store + `localDbThin` adapter* — `b.session.useStore(store)` swaps the `_blamejs_sessions` storage backend. First-party adapter `b.session.stores.localDbThin({ file })` wraps `b.localDb.thin` (typically pointed at tmpfs) so heavy session churn doesn't fight the main DB's WAL fsync + at-rest re-encryption cycle. `audit.FRAMEWORK_NAMESPACES` extended with `localdb` so `b.localDb.thin` open / close events stop dropping. **Changed:** *BREAKING: `b.session.create(...).token` returns a vault-sealed envelope* — Token is now a `vault:`-prefixed ML-KEM-1024 + P-384 hybrid + XChaCha20-Poly1305 envelope instead of the plaintext sid. Pre-v0.8.61 raw-sid cookies fail to unseal at `b.session.verify` and the affected user re-authenticates. Pre-v1.0 ships no compat shim — every existing session force-logs-out on upgrade. Storage path unchanged: the DB still keys on `sha3('bj-session:' || sid)`, sealing only changes the wire format. · *Session fingerprint subnet binding* — `fingerprintFields: ["clientIpPrefix"]` hashes the client IP at `/24` for IPv4 and `/64` for IPv6 (per RFC 4291 §2.5.4 customer-LAN allocation), so roaming carriers' per-request IP flips no longer log out healthy mobile users. IPv4-mapped IPv6 (`::ffff:1.2.3.4`) buckets as v4 `/24`.
+- v0.8.60 (2026-05-09) — **CI green-up for v0.8.59 (`watcher.test.js` macOS structural fix).** macOS smoke runner failed `watcher.test.js: surface onChange for non-ignored file` again under SMOKE_PARALLEL=64 + GitHub-Actions-runner contention; the prior 300ms→1500ms bump wasn't enough on a contended Darwin runner. Replaced the fixed-budget wait with a structural priming-then-poll loop. No primitive surface change. **Fixed:** *Structural prime-then-poll fix for `watcher.test.js` macOS flake* — Two structural fixes: (a) a 200ms priming wait BEFORE the test writes any files, so the FSEvents watcher is fully established before file-system activity races its startup; (b) a poll-until-event loop after writes that flushes + checks the change set every 100ms up to a 5s deadline, exiting early when the target event lands. Linux / Windows still finish in <100ms; the wider budget only matters on contended macOS.
+- v0.8.59 (2026-05-09) — **Comment cleanup — external consumer names stripped from `lib/`.** Two stale references to an external consumer name inside `lib/db-collection.js` and `lib/template.js` comments stripped — names of downstream consumers don't belong in framework source. No primitive surface change versus v0.8.58. **Changed:** *Stripped external-consumer name references from `lib/db-collection.js` and `lib/template.js`* — Cleanup of two stale references in source comments. Operator-facing framework source should not name downstream consumers.
+- v0.8.58 (2026-05-09) — **`b.db` query-builder + Mongo facade + `db.init` opt-outs + snapshot helper + mTLS path fix.** Query atoms (`.increment`, `.whereGroup`, `.orWhere`, `.search`, `.paginate`), a Mongo-shape facade at `b.db.collection(name)`, `db.init` opt-outs (`frameworkTables: false`, `auditSigning: false`), path overrides (`encryptedDbPath`, `encryptedDbName`, `dbKeyPath`), a `b.db.snapshot()` in-memory encrypted Buffer, and a `b.mtlsCa.create({ paths })` absolute-path fix. Release-workflow runtime gates rewritten so host + container phases run sequentially. **Added:** *Query atoms on `b.db.from(table)`* — `.increment(column, delta)` (atomic `UPDATE col = COALESCE(col, 0) + ?`, refuses unconditional, returns rows-changed). `.whereGroup(qb => ...)` (closure-form OR composition via new `WhereBuilder` class with `.eq` / `.neq` / `.gt` / `.gte` / `.lt` / `.lte` / `.in` / `.like` AND vs `.orEq` / `.orNeq` / ... OR + `.raw`). `.orWhere(...)` (top-level OR; accepts object map / `(field, value)` / `(field, op, value)` / closure). `.search(fields, term, opts?)` (chainable LIKE-OR with `match: "substring"|"prefix"|"exact"`, `~` ESCAPE char to safely handle user-supplied `%`/`_`). `.paginate(opts)` (returns `{ items, total, limit, offset, page, totalPages }`; default limit 25, cap 1000). · *Mongo-shape facade at `b.db.collection(name)`* — Returns `{ insert, insertMany, find, findOne, update, updateMany, remove, count, paginate }` — maps Mongo-shape calls onto `b.db.from(name)`. Update operators: `$set` / `$inc` (composes `Query.increment`) / `$unset`. Query operators: `$eq` / `$ne` / `$gt` / `$gte` / `$lt` / `$lte` / `$in` / `$like`. Unknown operators throw at config-time. · *`db.init` opt-outs* — `frameworkTables: false` skips provisioning `audit_log` / `consent_log`. `auditSigning: false` (finer-grained — keep framework tables but skip the audit-signing-key bootstrap when the host manages its own signing key). · *`db.init` path overrides* — `encryptedDbPath` (fully-qualified path to `db.enc`), `encryptedDbName` (basename under `dataDir`, default `"db.enc"`), `dbKeyPath` (encryption-key file outside `dataDir`, e.g. KMS-fronted volume). · *`b.db.snapshot()`* — In-memory encrypted Buffer (same envelope `flushToDisk` writes, just held in memory; WAL checkpoint forced first so committed state captures cleanly). Plain mode returns the raw plaintext SQLite file. **Fixed:** *`b.mtlsCa.create({ paths })` absolute-path* — `_resolvePaths` no longer joins absolute path entries under `dataDir`. The pre-v0.8.58 shape silently rewrote `MTLS_CA_KEY=/etc/ssl/ca.key` → `<dataDir>/etc/ssl/ca.key`, breaking operators with externally-mounted CA files. Standard `path.join` semantics already preserve absolute arguments — the always-join was an oversight. Relative entries still join under `dataDir` (back-compat). · *Release-workflow runtime-gate ordering* — Rewritten so host smoke + host wiki e2e run BEFORE container smoke + container wiki e2e, sequentially, never in parallel. Both runners write to `.test-output/smoke.log` and `.test-output/wiki-e2e.log`; parallel runs clobber each other so the log of the actually-blocking failure may be overwritten by whichever leg finishes second. The container leg writes to `smoke-container.log` / `wiki-e2e-container.log` so diagnose-after-failure is one file lookup.
+- v0.8.57 (2026-05-09) — **CI green-up for v0.8.56 (prepack-guard negation-rule handling).** The v0.8.56 npm-publish workflow's smoke gate passed but `scripts/check-pack-against-gitignore.js` rejected the tarball: it ran `git check-ignore -v` against every packed path and treated EVERY matching gitignore line as "ignored", including `!`-prefixed negation rules. The newly-tracked `lib/vendor/bimi-trust-anchors.pem` matches the `!lib/vendor/*.pem` negation rule that v0.8.54 added, but the script flagged it as "gitignored in tarball" and exited 1. No primitive surface change. **Fixed:** *`scripts/check-pack-against-gitignore.js` handles `!` negation rules* — Filter out lines whose matching pattern starts with `!` — those are negation rules indicating the file is NOT actually ignored.
+- v0.8.56 (2026-05-09) — **CI green-up for v0.8.55 (watcher.test.js macOS delay).** macOS smoke runner failed `watcher.test.js: surface onChange for non-ignored file`; the test bumped from 80ms→300ms in v0.8.52, but macOS `fs.watch` event delivery under `SMOKE_PARALLEL=64` + CI runner contention can still exceed 300ms. Bumped to 1500ms. Linux/Windows continue to pass on the first event-loop turn. No primitive surface change. **Fixed:** *`watcher.test.js` macOS delay bumped to 1500ms* — Bumped all four delay sites to 1500ms. The longer budget only matters when macOS is contended.
+- v0.8.55 (2026-05-09) — **CI green-up for v0.8.54 (rate-limit-cluster microtask budget).** The v0.8.54 npm-publish hit `rate-limit-cluster.test.js: cluster: 4th request blocked with 429` failing under CI contention. The test's `_waitMicrotasks(3)` helper chained 3 `setImmediate` ticks between `fire()` calls, but the cluster-backend's async `take()` against the DB hadn't finished bumping the counter — the 4th `fire()` read a stale count. Bumped to 20 ticks. No primitive surface change. **Fixed:** *`rate-limit-cluster.test.js` microtask budget* — Bumped `_waitMicrotasks(3)` to `_waitMicrotasks(20)` across every call site. Linux/Alpine container runners pass on the first attempt; the budget only matters under `SMOKE_PARALLEL=64` contention.
+- v0.8.54 (2026-05-09) — **CI green-up for v0.8.53 (vendored BIMI PEM `.gitignore` exception).** The v0.8.53 push tripped `configDrift.verifyVendorIntegrity` because `lib/vendor/bimi-trust-anchors.pem` was excluded by the global `*.pem` rule in `.gitignore` (designed to block accidental commit of operator-private keys). CI checked out a tree without the PEM, the integrity gate failed, and npm-publish never ran. No primitive surface change versus v0.8.53. **Fixed:** *`.gitignore` exception for vendored PEM / CRT bundles* — Adds an explicit `!lib/vendor/*.pem` / `!lib/vendor/*.crt` exception with a comment documenting why (vendored cert bundles are public framework assets, not operator-private material). The BIMI Trust Anchor PEM is now tracked.
+- v0.8.53 (2026-05-09) — **Browser hardening + WebAuthn / FIDO + PSL substrate + email auth/transport + DNS + TLS + HTTP cache + SigV4 response headers.** Ships a substantial additive surface: browser headers (Clear-Site-Data, NEL, Speculation-Rules, Document-Policy, fenced-frame-src, Accept-CH / Critical-CH, Permissions-Policy structured-fields), WebAuthn L3 BE/BS flags + extension builders + conditional UI + FIDO MDS3 verifier, vendored Public Suffix List substrate (10,207 rules), DMARCbis psd= / np=, RFC 9091 BIMI VMC + CMC + Tiny-PS SVG profile, ARC trust-eval, RFC 5965 ARF ingest, iprev / FCrDNS verifier, RFC 3030 BDAT / CHUNKING / BINARYMIME, RFC 1870 SIZE pre-MAIL-FROM, RFC 3461/3464 DSN + RFC 3798/8098 MDN + RFC 2369/2919 list headers, RFC 9460 SVCB / HTTPS RR + RFC 7858 DoT + RFC 9462 DDR + RFC 9463 DNR, ECH outbound from SVCB, RFC 9525 strict PKIX server identity, full RFC 9111 outbound HTTP cache, S3 SigV4 `responseHeaders` opt on presigned URLs. **Added:** *Browser hardening primitives + headers* — `b.middleware.clearSiteData` (RFC 9527 logout-side state wipe — cookies / storage / cache / executionContexts / clientHints + wildcard). `b.middleware.nel` (W3C Network Error Logging emitter — emits `NEL` + `Report-To` headers, https-only collector, CR/LF/NUL injection refusal). `b.middleware.speculationRules` (W3C Speculation Rules emitter, header form by default + `inline: true` for inline `<script type="speculationrules">`). `Document-Policy` header default in `b.middleware.securityHeaders` (`document-write=?0, unsized-media=?0, oversized-images=?0`) plus operator override. CSP3 `fenced-frame-src 'none'` baked into `DEFAULT_CSP`. `Accept-CH` + `Critical-CH` UA-CH retry handshake opts. RFC 9651 Permissions-Policy structured-fields validation at config-time. `b.static` `forceAttachmentForNonText: true` opt — every served file outside the safe-render allowlist gets `Content-Disposition: attachment` + `nosniff`. · *WebAuthn L3 + FIDO MDS3* — WebAuthn L3 §6.1.3 BE/BS flag surface (`backupEligible` + `backupState` on verify-returns). `b.auth.passkey.extensions.{ prf, largeBlob, credBlob }` extension-helper builders. `b.auth.passkey.conditionalAuthOptions` for `mediation: "conditional"` autofill. New `b.auth.fidoMds3` AAGUID metadata verifier — JWS-signed BLOB fetch + cert-chain validation against the FIDO Alliance MDS3 root, AAGUID lookup, REVOKED / USER_KEY_PHYSICAL_COMPROMISE / USER_KEY_REMOTE_COMPROMISE refusal, in-memory cache TTL = `nextUpdate - now`. · *`b.publicSuffix` + vendored Mozilla PSL* — `{ publicSuffix, organizationalDomain, isPublicSuffix, lookupSource }` with vendored Mozilla PSL data (10,207 rules). Exact-match > exception > wildcard > implicit `*` per canonical algorithm; IDNA Punycode normalisation. Consumed by the DMARCbis + BIMI work. · *Email auth primitives* — DMARCbis `psd=` / `np=` / org-domain discovery via PSL in `lib/mail-auth.js`. RFC 9091 BIMI VMC + CMC chain validation in `b.mail.bimi.fetchAndVerifyMark` (httpClient-fetched cert, cert-path validation against vendored BIMI Trust Anchor roots, `subjectAltName` URI match, RFC 3709 logotype extension parsing for the embedded SVG, BIMI policy OID gate). Tiny-PS SVG profile validator (`b.mail.bimi.validateTinyPsSvg`) refusing `<script>` / `<style>` / `<foreignObject>` / `<animate*>` / external refs / >32 KiB. RFC 8617 ARC trust-eval (`arcEvaluate` returns `{ trust, trustedHops, finalAr, breakAt }`). RFC 5965 ARF abuse-feedback ingestion (`b.mailArf.parse`). RFC 8601 iprev / FCrDNS verifier (`b.mail.iprev.verify` exposed via `b.mail.reverseDns`). · *Email transport primitives* — RFC 3030 BDAT / CHUNKING / BINARYMIME framing in `b.mail.send` (default chunk size 256 KiB, BODY=BINARYMIME / 8BITMIME negotiation, refuse-on-binary-without-peer-support). RFC 1870 SIZE pre-MAIL-FROM cap. IPv6 submission + AAAA preference auto-detect (`preferFamily: 4|6|"any"`). Generic RFC 3461/3464 DSN parser + generator in `b.mailBounce.dsn.{ parse, build }` (multipart/report message/delivery-status, RFC 6533 SMTPUTF8 EAI-aware). RFC 3798/8098 MDN builder + parser (`b.mailMdn.{ build, parse }` — refuses auto-generation when inbound message asserts `important=required`). RFC 2369 / 2919 List-Help / List-Owner / List-Archive / List-ID bundle in `b.mail.unsubscribe.buildAllListHeaders`. · *DNS primitives* — RFC 9460 SVCB / HTTPS RR query + parse (`b.network.dns.{ querySvcb, queryHttps }` — AliasMode + ServiceMode, full SvcParam vocabulary including `ech` / `alpn` / `mandatory` / `dohpath` / `ipv4hint` / `ipv6hint`). RFC 7858 DoT first-class transport (`transport: "dot"` opt + connection pool). RFC 9462 DDR (`b.network.dns.discoverEncrypted` queries `_dns.resolver.arpa`). RFC 9463 DNR (`b.network.dns.useDesignatedResolvers` operator-side resolver advertisement). Generic `b.network.dns.resolve(name, type, opts)` dispatcher. `b.network.dns.reverse(ip)` PTR helper. RFC 9250 DoQ explicitly NOT shipped — Node QUIC is experimental; documented deferral in `lib/network-dns.js`. · *TLS primitives* — ECH outbound from SVCB (`b.network.tls.connectWithEch` queries HTTPS RR, parses `ech=` SvcParam per draft-ietf-tls-esni-22 §4 ECHConfigList wire format, attaches to `tls.connect({ ech })` with feature-detect graceful degrade). RFC 9525 strict PKIX server identity verification (`b.network.tls.checkServerIdentity9525` — SAN dNSName required when present, CN-fallback refused, wildcard one-label limit, IP SAN matching). · *RFC 9111 outbound HTTP cache* — `b.httpClient.cache.create({ store, sharedCache, defaultMaxStale, revalidateInBackground })` + `b.httpClient.cache.memoryStore({ maxBytes, maxEntries, evictionPolicy })`. §3 storage decision (status allowlist + Cache-Control directives + `Vary` keying), §4.2 freshness (s-maxage > max-age > Expires-Date > heuristic 10% capped at 24h), §4.3 conditional revalidation (`If-None-Match` + `If-Modified-Since`), §5 304 merge, RFC 5861 `stale-while-revalidate` + `stale-if-error`. `Age` + `X-Blamejs-Cache: HIT|MISS|STALE|REVALIDATED` response headers; `httpclient.cache.{ hit, miss, stale, revalidated, evicted }` audit emissions. · *S3 SigV4 `responseHeaders` opt on presigned downloads* — `b.objectStore.presignedDownloadUrl` accepts `{ contentDisposition?, contentType?, contentLanguage?, contentEncoding?, cacheControl?, expires? }` — adds the S3 `response-*` override query params to the signed URL so a presigned GET overrides Content-Disposition / Content-Type / etc. on the wire regardless of how the object was stored. SigV4 signing math identical (params land in canonicalQueryString before hashing). Verified end-to-end against live MinIO via `scripts/test-integration.js object-store-sigv4` (HTTP + TLS variants, server-side header honoring confirmed). **References:** [RFC 9527 Clear-Site-Data](https://www.rfc-editor.org/rfc/rfc9527.html) · [RFC 9091 BIMI](https://www.rfc-editor.org/rfc/rfc9091.html) · [RFC 9460 SVCB / HTTPS RR](https://www.rfc-editor.org/rfc/rfc9460.html) · [RFC 9111 HTTP Caching](https://www.rfc-editor.org/rfc/rfc9111.html) · [RFC 9525 PKIX Server Identity](https://www.rfc-editor.org/rfc/rfc9525.html)
+- v0.8.52 (2026-05-09) — **Cross-platform smoke flake fixes — Windows sqlite lock + macOS fs.watch budget.** Two pre-existing platform fragilities surfaced under v0.8.51 CI runner contention. The `lib/local-db-thin.js` corrupt-file recovery rename budget was extended for Windows, and the `watcher.test.js` event-delivery wait was extended for macOS. **Fixed:** *Windows sqlite-lock recovery budget too short* — `lib/local-db-thin.js` corrupt-file recovery rename retried 5×50ms (250ms total) before giving up. Windows holds a sqlite file lock several hundred ms after `DatabaseSync.close()` returns under load, and CI runner pressure pushed the unlock past the budget. The retry window is now 20×100ms (2s total); Linux/macOS still land on the first attempt. · *macOS fs.watch delivery budget too short* — `test/layer-0-primitives/watcher.test.js` waited 80ms after writing files before asserting `fs.watch` events landed. macOS delivers events later than Linux/Windows under contention. The test wait is now 300ms in all four delay sites. No primitive surface change versus v0.8.51.
+- v0.8.51 (2026-05-09) — **CI green-up follow-on for v0.8.50 — wiki workspace install + gitleaks prose retrip.** Two CI gates still failed on v0.8.50 and are now corrected. The wiki validator step couldn't resolve `@blamejs/core` without first installing the wiki workspace deps, and gitleaks re-flagged the v0.8.50 CHANGELOG entry because its prose quoted the same KEM-recipient destructure shape it was reporting fixed. **Fixed:** *Wiki validator could not resolve `@blamejs/core`* — The workflow ran the validator without first installing the wiki workspace deps. The step now runs `npm install --silent` in `examples/wiki/` before invoking the validator. The job was also renamed from "Wiki primitive-section convention" to reflect the source-driven shape. · *Gitleaks re-flagged the v0.8.50 CHANGELOG entry* — The prose quoted the same KEM-recipient destructure shape it was reporting fixed, retripping the generic-api-key rule on documentation text. The CHANGELOG entry was rewritten to avoid the literal token shape; `.gitleaks.toml` adds a fingerprint suppression for the historical v0.8.50 commit. No primitive surface change versus v0.8.50.
+- v0.8.50 (2026-05-09) — **CI green-up for v0.8.49 — wiki workflow step + gitleaks `@example` allowlists.** Two CI gates failed on the v0.8.49 push and are now corrected. The wiki validator workflow step pointed at the retired hand-authored-seeder validator, and gitleaks flagged three JSDoc `@example` blocks the source-driven migration introduced. **Fixed:** *Wiki validator workflow step pointed at the retired validator* — `.github/workflows/ci.yml` still invoked `examples/wiki/test/validate-primitive-sections.js`, which the source-driven migration retired. The step now runs `validate-source-comment-blocks.js` and runs `npm install` in `examples/wiki/` first so the validator can resolve `@blamejs/core` for the opts probe. · *Gitleaks flagged three JSDoc `@example` blocks* — A fake hex token in `lib/api-key.js`, a Stripe-shaped redaction example in `lib/log-stream.js`, and a KEM-recipient destructure in `lib/crypto.js` were flagged by gitleaks. The examples were rewritten to use placeholder text. `.gitleaks.toml` broadens the recipient-shape allowlist regex to cover any sibling field name, adds `test/fixtures/.*` to the path allowlist (exploit-corpus fixtures), and pins the historical commit + per-finding fingerprints. No primitive surface change versus v0.8.49.
+- v0.8.49 (2026-05-09) — **Source-driven wiki — every page generated from `@module` + `@primitive` JSDoc blocks.** The hand-authored seeders under `examples/wiki/seeders/prod/pages/` are retired (~40 files, ~13k lines deleted). Pages, sidebar nav, the home-page card grid, and reference pages are produced at boot from JSDoc-style comment blocks in `lib/`. Drift between code and docs is structurally impossible — the same diff that changes the function changes the documentation. **Added:** *`@module` + `@primitive` comment-block convention drives wiki generation* — Every page is produced by `examples/wiki/lib/page-generator.js` walking parsed source comments. Sidebar nav, home-page card grid, and page-generator curation entries auto-derive from `@nav` / `@title` / `@card` / `@featured` / `@order` / `@slug` tags on `@module` blocks via `examples/wiki/lib/auto-site-entries.js`. Cross-cutting narrative content lives in `lib/wiki-concepts.js` `@concept` blocks. Reference pages are auto-harvested at boot from framework state by `examples/wiki/lib/harvest-{errors,env-vars,vendored-deps,cli}.js`. · *Comment-block validators replace the legacy seeder validator* — `validate-source-comment-blocks.js` enforces schema, tag ordering, signature/code arity match, `@example` parses-as-JS, placeholder-pattern detectors, posture catalog, semver shape, cross-reference resolution, and metadata completeness. `validate-site-coverage.js` enforces entry/page consistency invariants. `validate-nav-coverage.js` round-trips every nav entry against the live HTTP server and asserts populated content. Discoverer `find-missing-pages.js` walks `api-snapshot.json` and surfaces namespaces still needing `@module` blocks. · *Backfill script for bulk metadata migration* — `examples/wiki/scripts/backfill-module-metadata.js` populates `@nav` / `@title` / `@card` from a canonical hints table for one-shot bulk migration. ~145 lib namespaces now carry `@primitive` blocks; ~24 marked `@featured` for the home-card grid. **Changed:** *`b.safeJson.canonical(value)` — unused `_opts` parameter dropped* — Signature is now single-arg. The previous shape accepted an unused second parameter; the comment-block validator's signature/arity-match check surfaced it. No other primitive surface change. **Removed:** *Hand-authored wiki seeders + their validator* — `examples/wiki/seeders/prod/pages/` (~40 files, ~13k lines) deleted. The legacy `validate-primitive-sections.js` (1264 lines) and its child runner `run-example.js` (492 lines) retired.
+- v0.8.48 (2026-05-09) — **CI green-up for v0.8.47 (additional lifecycle examples commenting).** Other primitive examples were creating lingering resources (intervals, scheduler ticks, sqlite handles, heartbeat timers, repeating loops) that prevented the example-execution sandbox from settling. Live invocations now commented out with `typeof` assertions kept as the executable check. No primitive surface change versus v0.8.47. **Fixed:** *Lifecycle-creating wiki examples commented out* — Live invocations are now commented out (kept as documentation) for: `b.scheduler.create({...}).schedule(...)` (compliance-patterns retention sweep), `b.cluster.init({...})` + `b.cluster.requireLeader()` (cluster heartbeat timer), `b.scheduler.create({ cluster }).schedule(...)` + `await scheduler.start()` + `b.scheduler.nextCronFire(...)`, `b.localDb.thin({...})` (sqlite handle), `b.network.heartbeat.start({...})` + `b.network.heartbeat.status(...)`, `b.safeAsync.repeating(...)` + `loop.stop()`. Each section keeps a `typeof b.X.Y; // "function"` assertion as the executable check.
+- v0.8.47 (2026-05-09) — **CI green-up for v0.8.46 (Wiki e2e hang on the watcher example).** The wiki primitive-section example for `b.watcher.create` invoked `fs.watch(root, { recursive: true })` and the recursive-watch handle never unblocked the Linux runner. The example is now commented out (kept as documentation, with a `typeof b.watcher.create` assertion as the executable check). No primitive surface change versus v0.8.46. **Fixed:** *Wiki e2e hang on the watcher example* — The `b.watcher.create` example in `ops-hardening.js` was live-invoking `fs.watch(root, { recursive: true })`; the recursive-watch handle blocked the host process on the runner kernel. The live invocation is now commented out (kept as documentation) and replaced with a `typeof b.watcher.create` assertion as the executable check. Same convention reused for other lifecycle-creating examples that need operator-supplied state.
+- v0.8.46 (2026-05-09) — **CI green-up for v0.8.45 (smoke gate).** Six fixes that unblock the npm-publish smoke gate: pqc-agent curve-name regex, opt-in postgres `application_name`, closure-in-loop in `connectFn`, lazyRequire shape in `subject.js`, audit namespaces for the v0.8.45 primitives, and codebase-pattern cleanups. No primitive surface change versus v0.8.45. **Fixed:** *`lib/pqc-agent.js` `_validateGroupName` regex* — Relaxed to accept hyphen so operator-supplied curve names like `P-256` produce the framework-preference refusal error (the test message contract `"not in the framework PQC-hybrid preference"` was bypassed by an earlier illegal-character throw). · *`b.externalDb.init` `applicationName` opt-in* — Default leaves the SET unsubmitted so per-pool query-count tracking in operator tests / fakes isn't doubled by a connection-init `SET application_name TO 'blamejs'` against drivers that simply count tracker.query calls; the test at `external-db-hardening.test.js` updated to assert the opt-in behaviour. · *`lib/external-db.js` postgres-dialect `connectFn` closure-in-loop* — Wrapped in an IIFE so the closure captures `rawConnect` / `rawQuery` per-iteration instead of sharing the var-hoisted bindings across the for-loop. Every backend's `connectFn` was previously calling the LAST iteration's `rawQuery`. · *`lib/subject.js` `legalHold._getSingleton()` shape* — Corrected to `legalHold()._getSingleton()` — the lazyRequire helper returns a getter function, not the module. · *`lib/audit.js` `FRAMEWORK_NAMESPACES` extended* — Registers every namespace emitted by the new v0.8.45 primitives (`http2`, `tenant`, `jwt`, `dr`, `guardfilename`, `legalhold`, `networkheartbeat`, `router`). · *Codebase-patterns cleanup across the new lib files* — Real-fix path (validateOpts helpers / safeBuffer.isHex / safeEnv.readVar / safeBuffer.boundedChunkCollector / shared regex constant) plus per-cluster KNOWN_CLUSTERS allowlist entries with structural reasons keyed on the reporter's stable cluster fingerprint.
+- v0.8.45 (2026-05-09) — **Wiki rebuild + 14 primitives + 9 enhancements + v0.8.44 CI recovery.** v0.8.44's npm-publish workflow failed at the framework smoke gate; v0.8.45 ships the cumulative recovery on top of the v0.8.44 commit. Three CI fixes from v0.8.44, fourteen new primitives (httpClient stream helpers, OS keychain, worker pool, watcher, thin localDb, daemon glue, self-update, hash helpers, bounded mapAsync, TLS option builder, passive heartbeat, arg parser, byte quota), nine surface enhancements, and a Scorecard workflow split. **Added:** *Streaming HTTP helpers* — `b.httpClient.downloadStream({ url, dest, hash, expected })` streams to `<dest>.tmp`, hashes while piping, atomic-renames on hash match, refuses + deletes on mismatch (returns `{ statusCode, bytesWritten, hash }`). `b.httpClient.uploadMultipartStream({ url, fields, file })` streams a file body into multipart POST without buffering. · *`b.keychain.{ store, retrieve, remove }`* — OS keychain abstraction across macOS `security`, Linux `secret-tool`, Windows PowerShell, plus a 0o600 XChaCha20-Poly1305-sealed file fallback. Native paths use stdin (process-list-safe). · *`b.workerPool.create(scriptPath, opts)`* — `node:worker_threads` pool with bounded concurrency, per-task timeout, worker recycle on uncaught error, and `{ run, drain, terminate, stats }`. · *`b.watcher.create`* — Recursive `fs.watch` wrapper with per-path debounce, glob-style ignore, symlink-skip, and cross-platform event normalisation. · *`b.localDb.thin({ file, schemaSql, recovery })`* — Lightweight `node:sqlite` wrapper with WAL + integrity check + corrupt-rename-and-recreate recovery + prepared-statement cache. No vault encryption / audit chain — for desktop daemon-style state where `b.db` is too heavy. · *`b.daemon.{ start, stop }`* — PID file write + stale-PID reap + signal handling glue around `b.appShutdown` + cross-platform detached fork via `b.processSpawn`. · *`b.selfUpdate.{ poll, verify, swap, rollback }`* — GitHub-releases poll + ETag/304 + signed-asset verify (composes `b.crypto.verify` for ML-DSA-87 / Ed25519 / EC) + atomic swap with EXDEV cross-device fallback + rollback on health failure. · *`b.crypto.hashFile` + `b.crypto.hashStream`* — Streaming hash from disk / arbitrary readable (default sha3-512). Uses `node:stream/promises` pipeline. · *`b.safeAsync.parallel(items, fn, { concurrency })`* — Bounded-concurrency mapAsync with continuous worker queue (no Promise.all-batched chunks). Default 8, max 256, AbortSignal support. · *`b.network.tls.buildOptions`* — TLS request-options builder that knows the framework's PQC group preference + TLS 1.3 floor; centralizes posture for operators that build their own `https.Agent`. · *`b.network.heartbeat.passive`* — Server-pushed heartbeat consumer (inverse of the existing active probe). Caller invokes `recordPong()` on heartbeat frames; `onTimeout()` fires once if `timeoutMs` elapses without a pong. · *`b.argParser.create`* — Reusable CLI arg parser extracted from `lib/cli.js`. Type coercion (string / number / boolean / list), per-command flag scoping, `--` terminator, prototype-pollution defense, `parseRaw(argv)` low-level alias. `lib/cli.js` refactored to compose the new primitive. · *`b.network.byteQuota.create`* — Extracted from `b.middleware.dailyByteQuota`; exposes `{ check(key, bytes), record(key, bytes), reset(key), snapshot() }` for preflight checks before accept (when file size is known at headers-parsed time). **Changed:** *`b.pqcAgent` accepts `SecP256r1MLKEM768`* — RFC 9794 codepoint shipped in v0.8.44 — now reachable. Adds `allowOperatorGroups: false` opt; when `true`, `create()` accepts any IANA-known TLS group with audit emit `pqcagent.operator_group.accepted`. `lib/constants.js` `TLS_GROUP_PREFERENCE` now `[X25519MLKEM768, SecP384r1MLKEM1024, SecP256r1MLKEM768]`. · *`b.archive.zip().toStream(writable)` streaming archives* — Pipes the assembled archive directly to an operator-supplied `Writable` (or returns a `Readable` if no writable supplied). `addFile(name, Readable)` accepts streamed sources; APPNOTE 4.4.4 bit-3 data-descriptors. Atomic finalize: central directory written only after every entry resolves; on source error destination is destroyed with `archive/aborted` and EOCD never emitted. `toBuffer()` refuses streaming entries with `archive/streaming-entry`. · *`b.guardFilename.sanitize({ mode: "strip" })`* — Replaces CR / LF / HT / VT / FF / C0 controls / bidi-override / zero-width with `_` for `Content-Disposition` use. Path-traversal / null-byte / NTFS ADS / UNC / overlong UTF-8 floor still throws at every profile level. · *`b.middleware.rateLimit` algorithm opt-in* — `{ algorithm: "fixed-window" | "token-bucket" }` — fixed-window opts in alongside the existing token-bucket default. · *`b.parsers.json` + `b.parsers.multipart` standalone helpers* — Standalone async helpers for handlers that lazy-parse without mounting bodyParser as middleware. · *`b.router.create({ allowedRedirectOrigins })`* — Exact-match HTTPS-origin allowlist for `res.redirect` cross-origin (OAuth bounces). Off-allowlist redirects throw `RouterError("router/redirect-cross-origin-refused", ...)`. · *`b.requestHelpers.extractBearer(req)`* — Inbound RFC 6750 bearer extractor; case-insensitive `Bearer` prefix, refuses multiple `Authorization` headers (CWE-345), refuses control / CR / LF / NUL bytes; returns null on missing/malformed. · *`b.crypto.namespaceHash(prefix, value)`* — Hex SHA3-512 of `prefix + ":" + value` for indexable derived-hash columns. Refuses NUL / CR / LF / oversized prefix. · *Scorecard workflow split* — `.github/workflows/scorecard.yml` split into a `uses:`-only `analysis` job and a separate `threshold` job that downloads the SARIF artifact; analysis no longer fails the scorecard-action workflow restriction. `SCORECARD_MIN` default lowered to 6.0 (structural floor for a < 90-day single-maintainer pre-1.0 repo). **Fixed:** *v0.8.44 carry-over CI fixes* — `lib/backup/bundle.js` manifest-signing is now best-effort when `auditSign.init()` has not been awaited (bundle ships unsigned with a `manifest-unsigned` progress event; `restoreBundle.extract({ requireSignature: true })` continues to refuse unsigned manifests). `lib/external-db.js` `SET application_name` is now best-effort so non-Postgres test fakes shimming the postgres dialect don't fail at connection init. `b.subject.erase` accepts an explicit `opts.legalHold` instance to avoid the process-global singleton race in parallel-test runs.
+- v0.8.44 (2026-05-08) — **Compliance / crypto / transport additive surface + CVE sweep + wiki restructure.** Adds a substantial compliance-primitive surface (21 CFR Part 11, PCI 10.4 daily review, SOX / SOC 2 SoD triggers, m-of-n DDL change control, legal-hold, WORM, dual-control + crypto-erase, per-row K_row tagging, tenant quota, DR runbook, backup-test scheduler, CADF audit envelope, JSON-Schema 2020-12 metadata, Debezium outbox, safeJsonPath, role-hardening, outbound DLP, bot challenge, device binding, sandbox, FAPI 2 / FDX / TCPA 10DLC / IAB MSPA postures). Standards-track additions: HPKE, TLS-Exporter, HTTP Message Signatures, CT v2 inclusion proofs, ACME + ARI, 0-RTT inbound posture, PQ TLS group preference. ML-DSA-65 opt-in. Closes 10+ CVE-classes. Pins Node engine to `>=24.14.1`. **Added:** *Compliance / regulatory primitives* — `b.fda21cfr11` (21 CFR Part 11 §11.10(e) audit-content + §11.50(b) e-signature shape); `b.auditDailyReview` (PCI DSS 4.0 Req 10.4.1.1 daily-review automation through `b.scheduler`); `b.audit.bindActor` + `b.audit.assertSegregation` (SOX §404 + SOC 2 CC1.3 segregation-of-duties Postgres triggers); `b.ddlChangeControl` (m-of-n approver DDL change-control with maintenance windows and ML-DSA-87 signed proposals); `b.legalHold` (FRCP Rule 26/37(e), GDPR Art 17(3)(e), SEC Rule 17a-4, HIPAA §164.530(j)(2)); `b.db.declareWorm`; `b.db.declareRequireDualControl` + `b.db.eraseHard` (dual-control delete + crypto-erase + REINDEX); `b.cryptoField.declareColumnResidency` / `declarePerRowKey` + `b.subject.eraseHard`; `b.tenantQuota`; `b.drRunbook.emit`; `b.backup.scheduleTest` + `b.backupBundle.verifyManifestSignature`; `b.db.exportCsv` (RFC 4180 strict + SHA3-512 + optional ML-DSA-87); `b.audit.export({ format: "cadf" })` (ISO/IEC 19395 CADF envelope); `b.db.getTableMetadata({ format: "json-schema-2020-12" })`; `b.outbox.create({ envelope: "debezium" })`; `b.safeJsonPath` (refuses filter / deep-scan / script-shape / control-char input; wired into `b.db.where` for JSONB ops); `b.externalDb.assertRoleHardening`; `b.redact.installOutboundDlp` (httpClient + mail + webhook DLP with PAN / SSN / EIN / IBAN / api-key / PEM / SSH / JWT / AWS detectors); `b.authBotChallenge`; `b.sessionDeviceBinding` (SHAKE256 fingerprint over UA + Accept-Language + Accept-Encoding + IP /24 (or /48) prefix + optional cryptographic boundKey); `b.sandbox`; `b.fapi2`, `b.fdx`, `b.tcpa10dlc`, `b.iabMspa` posture cascade entries. · *Standards-track crypto + transport* — `b.crypto.hpke` (RFC 9180 with ML-KEM-1024 + HKDF-SHA3-512 + ChaCha20-Poly1305); `b.tlsExporter` (RFC 9266 channel binding); `b.crypto.httpSig` (RFC 9421 HTTP Message Signatures, ed25519 + ML-DSA-65); `b.network.tls.ct.verifyInclusion` (RFC 9162 CT v2 inclusion proofs); `b.acme` (RFC 8555 + RFC 9773 ARI for the CA/B Forum 47-day cert lifetime); `b.router.create({ tls0Rtt })` (RFC 8470 0-RTT inbound posture, default `refuse`); `b.network.tls.preferredGroups.{set,get,reset}` (default `X25519MLKEM768`, `SecP256r1MLKEM768`, `SecP384r1MLKEM1024`, `X25519`). · *ML-DSA-65 opt-in on `b.audit-sign` and `b.webhook`* — `lib/audit-sign.js` and `lib/webhook.js` accept `algorithm: "ML-DSA-65"` for smaller signatures + faster verify; default remains SLH-DSA-SHAKE-256f. **Changed:** *Wiki restructure: 25 `guard-*` pages consolidated into 7 grouped pages* — `guard-overview`, `guard-content`, `guard-structured-data`, `guard-identifiers`, `guard-protocols`, `guard-execution`, `guard-binary`, `guard-aggregate`. New pages `ai-governance`, `api-contracts`, `ops-hardening`, `regulatory-reporting`. Wiki seeder text corrected to describe Argon2id routing through Node 24+'s built-in `crypto.argon2*` API (no vendored native module). · *New compliance postures cascade through `POSTURE_DEFAULTS`* — `sox-404`, `soc2-cc1.3`, `fda-21cfr11`, `fda-annex-11`, `sec-17a-4`, `finra-4511`, `dpdp`, `pipl-cn`, `lgpd-br`, `appi-jp`, `pdpa-sg`, `staterramp`, `irap`, `bsi-c5`, `ens-es`, `uk-g-cloud`. Cascade through retention / audit / db / cryptoField. · *Workflow-level `permissions: contents: read` + SHA-pinned 40 actions* — `ci.yml` / `npm-publish.yml` / `release-container.yml` declare least-privilege at workflow level; per-job blocks elevate only where needed. Forty GitHub Actions are SHA-pinned (zero `@master` / floating refs). Scorecard threshold gate reads aggregate score from `results.sarif` and fails when below `vars.SCORECARD_MIN` (default 7.0; fails-open with warning when SARIF shape changes). Dependabot extended to root npm `devDependencies`. `npm-publish.yml` build-summary refactored from `${{ steps.* }}` direct interpolation to `env:` block + `${VAR}` substitution. **Fixed:** *CVE sweep* — CVE-2026-21712 (codebase-patterns refuses `url.format(`). CVE-2026-21714 (h2 GOAWAY tracking refuses post-GOAWAY stream activity). CVE-2026-21717 (`b.safeJson` `maxKeys` cap, default 10000, ABSOLUTE_MAX 1000000). CVE-2026-33870 (body-parser differentiates `HPE_CHUNK_EXTENSIONS_OVERFLOW` and emits `http.chunked.extension.refused`). CVE-2026-29000 / 23993 / 22817 / 34950 (auth-jwt-external refuses 5-segment JWE tokens with `auth-jwt-external/jwe-refused` audit). CVE-2026-25639 / 42033 / 42041 / 40175 (vendor-deny gate refuses `axios`, `xml-crypto`, `samlify`, `xml2js`). SECURITY.md gains entries for CVE-2026-21715 / 21716 (Permission Model + symlink defenses), CVE-2026-23918 / CVE-2026-33555 (Apache + HAProxy reverse-proxy floors), CVE-2026-26996 / 33671 / 27904 (pubsub `_MAX_CHANNEL_LEN`), CVE-2026-25922 / 23687 / 34840 (SAML signed-bytes invariant), CVE-2026-34511 (oauth audited clean). · *Node engine floor lifted to `>=24.14.1`* — CVE-2026-21713 non-constant-time HMAC compare. **References:** [RFC 9180 HPKE](https://www.rfc-editor.org/rfc/rfc9180.html) · [RFC 9421 HTTP Message Signatures](https://www.rfc-editor.org/rfc/rfc9421.html) · [RFC 9162 Certificate Transparency v2](https://www.rfc-editor.org/rfc/rfc9162.html) · [RFC 8555 ACME](https://www.rfc-editor.org/rfc/rfc8555.html) · [RFC 9773 ACME ARI](https://www.rfc-editor.org/rfc/rfc9773.html)
+- v0.8.43 (2026-05-07) — **Explicit `USER 65532:65532` in `examples/wiki/Dockerfile` runtime stage.** Chainguard's `cgr.dev/chainguard/node:latest` already runs as `nonroot` (UID 65532) by default, but Trivy's static Dockerfile checker (DS-0002) flags any image without a literal `USER` line regardless of base-image default. Behavior unchanged. **Changed:** *`examples/wiki/Dockerfile` runtime stage declares `USER 65532:65532`* — Trivy DS-0002 was flagging the image despite the base-image default running as nonroot. Adding the literal directive clears the static-Dockerfile check.
+- v0.8.42 (2026-05-07) — **DB hardening + vault-PEM hardening + OWASP secrets-in-env hygiene + statement-cache + vacuum-after-erase.** Per-deployment salt for derived hashes (HIPAA Safe Harbor), sealed break-glass kwGrantHalf, Postgres transaction timeouts with deadlock retries, SQLite tmpfs path advisory, prepared-statement LRU, post-erase VACUUM helper, coarse-bucketed `__erasedAt`, ISO-8601 surfacing on audit reads, env-strip on child spawn, and three vault.sealPemFile sub-fixes. **Added:** *`b.db.vacuumAfterErase({ mode, pages })`* — Runs `VACUUM` / `PRAGMA incremental_vacuum` after large erasures (right-to-be-forgotten support). · *`b.processSpawn.spawn(command, args, { allowEnv })`* — Strips `DATABASE_URL` / `PG*` / `AWS_*` / `*_API_KEY` / `*_SECRET` / `*_TOKEN` etc. from the child env by default (OWASP secrets-in-env hygiene). · *`b.auditTools.withRecordedAtIso(row)`* — Surfaces ISO-8601 alongside Unix-ms without disturbing the chain-hash canonical form. **Changed:** *Per-deployment derived-hash salt* — `b.cryptoField.derivedHashes` binds a per-deployment 32-byte salt (persisted at `<dataDir>/vault.derived-hash-salt`) so the same plaintext produces different hashes across deployments — defends against rainbow-table reuse and supports HIPAA Safe Harbor §164.514(b)(2)(i). · *Sealed break-glass `kwGrantHalf`* — `_blamejs_break_glass_grants.kwGrantHalf` is now sealed under the vault key. · *Postgres transaction timeouts + deadlock retries* — `b.externalDb.transaction({ statementTimeoutMs, idleInTransactionTimeoutMs, deadlockRetries })` enforces SET-LOCAL Postgres timeouts and auto-retries 40P01 / 40001 with jittered backoff. · *SQLite tmpfs path advisory* — Boot-time warning when the SQLite tmpfs path doesn't resolve under `/dev/shm` / `/run/shm` / `/run/user` / `/tmp`. · *`b.db.prepare` Statement-handle LRU cache* — Caches Statement handles (LRU 256, cleared on init/close) so long-running daemons don't leak fds. · *`__erasedAt` coarse-bucketed to 1-day floor* — Removes the sub-day forensic timing fingerprint on right-to-be-forgotten rows. · *`b.vault.sealPemFile` parent-dir + fsync + watch cadence* — Asserts parent-dir mode 0o755 or stricter, fsyncs the destination directory after rename, and reduces `fs.watchFile` cadence from 2s to 500ms.
+- v0.8.41 (2026-05-07) — **Breaking envelope wire-format bump (0xE2 magic) + new audit, password, KAT, lock, config, backup, KEM primitives.** `b.crypto.encrypt` now produces 0xE2-magic envelopes that bind NIST SP 800-56C r2 / RFC 9180 FixedInfo (kemId/cipherId/kdfId + `blamejs/v1` label) into the SHAKE256 KDF input AND the 4-byte envelope header into the XChaCha20-Poly1305 AAD; legacy 0xE1 envelopes are refused. Operators with framework-sealed data must regenerate it. Ships `b.canonicalJson.stringifyJcs`, `b.auth.password.gate(n)`, `b.pqcSoftware.runKnownAnswerTest`, `b.resourceAccessLock`, `b.config.loadDbBacked`, `b.backup.runInWorker`, `b.config.create.reload/subscribe`. Tightens ARC / A-R / MTA-STS / CT spec-conformance. Detects release-named test files at gate time. **Added:** *`b.canonicalJson.stringifyJcs`* — RFC 8785 JSON Canonicalization Scheme strict mode. · *`b.auth.password.gate(n)`* — Process-global Argon2id concurrency semaphore. · *`b.pqcSoftware.runKnownAnswerTest`* — Boot-time KAT for the vendored PQC primitives. · *`b.resourceAccessLock`* — Three-mode lock for non-HTTP resources (counterpart to `b.auth.accessLock`). · *`b.config.loadDbBacked`* — DB-row-backed hot-reload config baseline + overlay. · *`b.backup.runInWorker`* — Worker_threads dispatch for the backup pipeline. · *`b.config.create({...}).reload/subscribe`* — Reactive reload + subscription on the config handle. **Changed:** *BREAKING: `b.crypto.encrypt` envelope wire-format bump to 0xE2 magic* — Binds NIST SP 800-56C r2 / RFC 9180 FixedInfo (kemId/cipherId/kdfId + `blamejs/v1` label) into the SHAKE256 KDF input AND the 4-byte envelope header into the XChaCha20-Poly1305 AAD. Legacy 0xE1 envelopes are refused — operators with framework-sealed data must regenerate it. · *Spec-conformance tightenings* — ARC hop-instance regex bounded per RFC 8617 §4.2.1. Authentication-Results pvalue ABNF tightened per RFC 8601 §2.3. MTA-STS HTTPS cert validation against `mta-sts.<domain>` per RFC 8461 §3.3. CT `verifyScts` algorithm-OID scope cross-checked against the log key per RFC 6962 §2.1.4. **Detectors:** *Release-named test-file detector* — New `codebase-patterns.test.js` + `smoke.js` entry refuses release-bucket and slot-bucket test filenames. **References:** [NIST SP 800-56C r2](https://csrc.nist.gov/pubs/sp/800/56/c/r2/final) · [RFC 9180 HPKE](https://www.rfc-editor.org/rfc/rfc9180.html) · [RFC 8785 JCS](https://www.rfc-editor.org/rfc/rfc8785.html)
+- v0.8.40 (2026-05-07) — **`b.honeytoken` + `b.middleware.cspReport` + `b.auditTools.forensicSnapshot` + `b.network.tls.pinsetDriftMonitor` + Scorecard CI.** Adds four operator-facing primitives plus the OpenSSF Scorecard workflow. Defers operator-supplied transform sandbox, chaos drills, and exploit replay corpus with re-open conditions (operator demand or CVE replay needing a vendored harness). **Added:** *`b.honeytoken.create({ audit })`* — Issues canary api-key / session / URL / row-id values that emit `honeytoken.tripped` audit on any positive lookup. · *`b.middleware.cspReport.create({ onReport })`* — Reporting-API endpoint that ingests CSP / COEP / COOP violations as `csp.violation` audit rows. · *`b.auditTools.forensicSnapshot({ out, since, passphrase, reason })`* — Composes an audit-export slice + IR context manifest into one tamper-evident bundle for legal / regulator handover. · *`b.network.tls.pinsetDriftMonitor({ intervalMs })`* — Periodically compares the trust-store fingerprint set to the captured baseline and emits `network.tls.pinset.drifted` when CAs are added or removed. · *OpenSSF Scorecard CI workflow* — Adds `.github/workflows/scorecard.yml` for continuous repo-posture scoring.
+- v0.8.39 (2026-05-07) — **`b.configDrift.verifyVendorIntegrity` + `b.network.allowlist` + `b.auth.atoKillSwitch`.** Three operator enhancements: boot-time vendored-bundle integrity re-hash, a per-call outbound URL gate over `b.ssrfGuard`, and a composite ATO incident-response workflow that destroys sessions + applies lockout + flips access-lock mode in one audited call. **Added:** *`b.configDrift.verifyVendorIntegrity()`* — Re-hashes every file listed in `lib/vendor/MANIFEST.json` at boot and refuses on mismatch. · *`b.network.allowlist.create({ allow, deny })`* — Composes on `b.ssrfGuard` to gate per-call outbound URLs against an operator CIDR / host allow set. · *`b.auth.atoKillSwitch.trigger({ userId, reason })`* — Composite ATO incident-response workflow that destroys every session for the user, applies `b.auth.lockout`, and optionally flips `b.auth.accessLock` mode in one audited call.
+- v0.8.38 (2026-05-07) — **Multipart parser refuses obsolete line folding + adds RFC 5987 / 8187 extended-parameter support.** Refuses obsolete line folding per RFC 9112 §5.2 and CR / LF / NUL bytes in part-header values per RFC 9110 §5.5. Adds RFC 5987 / 8187 `filename*=UTF-8''…` extended-parameter support — the decoded value takes precedence over a legacy `filename=` companion. **Added:** *RFC 5987 / 8187 extended-parameter filename support* — Adds `filename*=UTF-8''…` extended-parameter decoding to multipart. The decoded value takes precedence over a legacy `filename=` companion. **Changed:** *Multipart parser refuses `obs-fold` + CR / LF / NUL in part-header values* — RFC 9112 §5.2 obsolete line folding is now refused. CR / LF / NUL bytes in part-header values are refused per RFC 9110 §5.5.
+- v0.8.37 (2026-05-08) — **Audit-purge anchor CHECK constraint + `personalDataCategories` vocabulary validation.** Closes a silent typo class on the audit-purge anchor scope and validates operator-supplied personal-data categories against the GDPR Article 9 special-category vocabulary plus framework general categories. **Added:** *`_blamejs_audit_purge_anchor.scope` CHECK constraint* — Constrains `scope IN ('audit', 'consent')`. Pre-v0.8.37 a typo silently created a parallel anchor; the chain verifier walked the wrong anchor and missed tampering. · *`personalDataCategories` vocabulary validation at `db.init`* — Operator-supplied categories validated against the GDPR Article 9 special-category vocabulary + the framework's general categories. Unknown categories don't refuse (operators have legitimate custom labels) but emit a `db.personal_data_category_unknown` audit row so typos surface in regulator reviews. Allowed: `name`, `email`, `phone`, `address`, `ip`, `id-document`, `biometric`, `health`, `genetic`, `sexual-orientation`, `racial-or-ethnic-origin`, `political-opinion`, `religious-belief`, `trade-union-membership`, `criminal-record`, `financial`, `location`, `behavioral`, `device-id`, `child-data`, `education`, `employment`, `operator-defined`.
+- v0.8.36 (2026-05-08) — **HTTP / web cleanup — WebSocket handshake, Permissions-Policy, scope-aware bearer challenge.** Refinements against the WebSocket handshake key validator, the Permissions-Policy default for `fullscreen`, the bearer-auth `insufficient_scope` challenge surface, list-header token grammar, and multipart boundary validation. **Added:** *`b.middleware.bearerAuth` insufficient_scope (RFC 6750 §3)* — New `requiredScopes: ["scope1", "scope2"]` opt enforces operator-declared scopes. The token's `user.scope` (space-separated string) or `user.scopes` (array) is checked; missing scopes refuse with HTTP 403 + `WWW-Authenticate: Bearer error="insufficient_scope", scope="..."`. **Changed:** *`b.requestHelpers.parseListHeader({ strictToken: true })`* — RFC 9110 §5.6.2 token-grammar enforcement. Refuses non-token entries (anything outside `!#$%&'*+-.^_`|~` plus alphanumerics). · *Permissions-Policy `fullscreen` flipped to deny by default* — `b.middleware.securityHeaders` now emits `fullscreen=()` (deny) instead of `fullscreen=(self)`. Operators wanting fullscreen pass an explicit override. **Fixed:** *WebSocket handshake `Sec-WebSocket-Key` validated (RFC 6455 §4.1)* — The handshake key is now validated as base64 of 16 random bytes (`/^[A-Za-z0-9+/]{22}==$/`). Previously only presence was checked; truncated and arbitrary-token values flowed through. · *Multipart boundary validation (RFC 2046 §5.1.1)* — `_parseMultipart` refuses boundaries longer than 70 chars or violating the `bcharsnospace` grammar. Closes the quadratic-match risk on pathological boundaries. **References:** [RFC 6750 OAuth 2.0 Bearer Token Usage](https://www.rfc-editor.org/rfc/rfc6750.html) · [RFC 6455 WebSocket](https://www.rfc-editor.org/rfc/rfc6455.html) · [RFC 9110 HTTP Semantics](https://www.rfc-editor.org/rfc/rfc9110.html) · [RFC 2046 MIME Media Types](https://www.rfc-editor.org/rfc/rfc2046.html)
+- v0.8.35 (2026-05-08) — **`b.tcpa10dlc` + `b.iabMspa` — TCPA 10DLC consent + IAB MSPA / GPP opt-out signals.** Two new compliance primitives. `b.tcpa10dlc` records the carrier-required consent fields for SMS / call campaigns at $500-$1,500 per-violation exposure. `b.iabMspa` decodes the IAB Multi-State Privacy Agreement / Global Privacy Platform universal opt-out signal so operators can refuse processing at the same point a CCPA "do-not-sell" header would. **Added:** *`b.tcpa10dlc.recordConsent` / `lookup` / `revoke`* — TCPA 10DLC consent-record audit (47 USC §227 + 47 CFR §64.1200 + FCC 1:1 disclosure rule). `recordConsent({ phoneE164, brand, disclosureText, disclosurePartyKind, formUrl, ip, userAgent })` writes a tamper-evident audit row with the carrier-required fields; `lookup(phoneE164)` serves the carrier produce-on-demand workflow; `revoke(phoneE164, reason)` records consumer-initiated opt-out with audit trail. · *`b.iabMspa.parseGpp` / `checkOptOut` / `refuseProcessing`* — Decodes the IAB Multi-State Privacy Agreement / Global Privacy Platform string framing (header + per-section payloads, section-id mapping for usnat / usca / usva / usco / usct / usut / usnv / usia / usde / usnj / ustx / usor / usmt / usnh). `checkOptOut(parsed, { dataUse, state })` returns `{ mustHonor, signals }` against operator-decoded section opt-outs (sale / sharing / targeted-ads / sensitive / child-data). `refuseProcessing(parsed, opts)` throws `IabMspaError` to halt the operator's data-flow. · *`b.iabMspa.gpcFromHeaders(req)`* — Reads the W3C `Sec-GPC: 1` browser signal — universal opt-out per CCPA / CPRA §1798.135(b)(1) and similar state laws. **References:** [47 USC §227 TCPA](https://www.law.cornell.edu/uscode/text/47/227) · [47 CFR §64.1200](https://www.ecfr.gov/current/title-47/chapter-I/subchapter-B/part-64/subpart-L/section-64.1200) · [IAB Global Privacy Platform (GPP)](https://iabtechlab.com/gpp/) · [W3C Global Privacy Control](https://privacycg.github.io/gpc-spec/)
+- v0.8.34 (2026-05-08) — **BiDi-strip regex rewritten in Unicode-escape form.** Cumulative republish of the v0.8.33 fixes. The v0.8.33 publish workflow blocked on ESLint `no-irregular-whitespace`; v0.8.34 rewrites the body-parser BiDi-strip regex in Unicode-escape form so the source no longer carries literal BiDi codepoints. The v0.8.33 tag exists in git but never reached npm. **Fixed:** *Body-parser BiDi-strip regex uses Unicode-escape form* — `lib/middleware/body-parser.js` now expresses the BiDi-formatting codepoint set in `\u202A`-style escapes instead of literal codepoints, so ESLint's `no-irregular-whitespace` rule passes during the publish workflow's lint gate.
+- v0.8.33 (2026-05-08) — **HTTP / web cleanup across WebSocket, Permissions-Policy, JWT, body-parser, OAuth.** Six RFC-cited refinements against shipped WebSocket, Permissions-Policy, JWT, body-parser, and OAuth surfaces. **Changed:** *Permissions-Policy default expansion* — `b.middleware.securityHeaders` deny-by-default now covers `interest-cohort`, `attribution-reporting`, `bluetooth`, `hid`, `serial`, `idle-detection`, `local-fonts`, `compute-pressure`, `window-management`, `private-state-token-issuance`, and `private-state-token-redemption`. **Fixed:** *WebSocket close-frame validation against RFC 6455 §5.5.1 + §7.4.2* — `_handleClose` now refuses 1-byte close-frame payloads (previously silently accepted as clean close, evading anomaly detection) and validates the close-code against the §7.4.2 vocabulary (1000-1011 + 3000-4999 valid; 1004 / 1005 / 1006 / 1015 reserved or forbidden; everything else refused). · *JWT typ assertion (RFC 8725 §3.11)* — `b.auth.jwt.verify({ expectedTyp })` refuses tokens whose `header.typ` doesn't match (typ-confusion class). Case-insensitive match per RFC 8725; unset `expectedTyp` skips the check for legacy token compatibility. · *Multipart filename BiDi / RTL strip (CVE-2021-42574)* — `_sanitizeFilename` now drops Trojan Source BiDi formatting and zero-width codepoints from uploaded filenames before the basename hits the filesystem. · *OAuth `redirect_uri` localhost exception (RFC 9700 §4.1.1)* — `b.auth.oauth.create({ redirectUri })` now accepts `http://localhost`, `http://127.0.0.1`, and `http://[::1]` without requiring `allowHttp: true` (which would loosen every operator-supplied URL). HTTPS still required for non-loopback hosts. **References:** [RFC 6455 WebSocket](https://www.rfc-editor.org/rfc/rfc6455.html) · [RFC 8725 JWT BCP](https://www.rfc-editor.org/rfc/rfc8725.html) · [RFC 9700 OAuth 2.0 Security BCP](https://www.rfc-editor.org/rfc/rfc9700.html) · [CVE-2021-42574 Trojan Source](https://nvd.nist.gov/vuln/detail/CVE-2021-42574)
+- v0.8.32 (2026-05-08) — **Email / DNS impl-vs-spec cleanup across DKIM, SPF, DMARC, A-R, TLS-RPT, DoH.** Eight RFC-cited refinements against shipped DKIM, SPF, DMARC, Authentication-Results, TLS-RPT, and DoH primitives. No new surface — each item closes a wire-format gap surfaced by re-reading the source RFCs. **Fixed:** *DKIM verifier enforces `x=` expiration and `t=` future-date sanity* — `b.mail.dkim` now permerrors signatures past their `x=` expiration (RFC 6376 §3.5) and refuses signatures more than 24h ahead of `now`; it also rejects `x= < t=` malformation. Operator-tunable `clockSkewMs` (default 5 min). · *SPF distinguishes mechanisms from modifiers* — `_parseSpfRecord` in `b.mail.spf` separates mechanisms from modifiers per RFC 7208 §4.6 — `redirect=` and `exp=` are modifiers, not mechanisms. Pre-release versions triggered the generic "out of scope" permerror; modifiers are now surfaced under `mechanisms.modifiers`. · *SPF IPv6 CIDR matching uses real bitwise check* — `_ipv6Expand` plus group-by-group bit-mask comparison replaces the prior string-prefix heuristic that mishandled `::` shorthand. Aligns with RFC 7208's IPv6 mechanism semantics. · *DMARC consults `pct=` for sampled disposition* — `b.mail.dmarc` `recommendedAction` now applies one-step-less-strict disposition when `pct < 100` per RFC 7489 §6.6.4 (reject → quarantine; quarantine → none) on the sampled fraction. · *Authentication-Results `reason=` escape preserves backslash* — `b.mail.authResults` now serializes the quoted-string `reason=` using RFC 8601 §2.2 `\"` escape for lossless round-trip instead of the prior `"`-to-`'` collapse. · *TLS-RPT validates `mailto:` rua before forwarding* — `b.network.smtp.tlsRpt.submit` now RFC 5322 addr-spec-validates `mailto:` rua entries before forwarding to `b.mail`. Invalid mailto targets previously crashed at submit-time with opaque transport errors. · *DoH host validated label-by-label* — `b.network.dns.resolveSecure` enforces the RFC 1035 §2.3.4 LDH rule (letters / digits / hyphen, no leading or trailing hyphen, label length 1..63). Underscore, colon, and space hosts previously flowed through to opaque DoH errors. **References:** [RFC 6376 DKIM](https://www.rfc-editor.org/rfc/rfc6376.html) · [RFC 7208 SPF](https://www.rfc-editor.org/rfc/rfc7208.html) · [RFC 7489 DMARC](https://www.rfc-editor.org/rfc/rfc7489.html) · [RFC 8601 Authentication-Results](https://www.rfc-editor.org/rfc/rfc8601.html) · [RFC 8460 TLS-RPT](https://www.rfc-editor.org/rfc/rfc8460.html) · [RFC 1035 DNS](https://www.rfc-editor.org/rfc/rfc1035.html)
+- v0.8.31 (2026-05-08) — **`b.fdx` — CFPB §1033 / Financial Data Exchange consumer-financial-data wrapper.** CFPB §1033 (12 CFR §1033.121-461, final rule 2024-10-22) gives US consumers the right to authorize a third party to access their financial data through the data provider's developer interface. The compliance deadline for $250B+ asset-size banks has already passed (2026-04-01). The new `b.fdx` primitive composes onto `b.fapi2` (the §1033.351 security requirements track FAPI 2.0) and the FDX 6.0 minimum schema. **Added:** *`b.fdx.bind({ authServer, resources })`* — Binds the operator's authorization server config to the FAPI 2.0 profile; refuses if PKCE / DPoP / PAR are misconfigured per `b.fapi2.assertOAuthConfig`. The §1033.351 security requirements track FAPI 2.0. · *`b.fdx.validateResponse(resourceType, body)`* — Validates a response shape against the FDX 6.0 minimum schema for accounts, transactions, statements, payment-networks, rewards, and tax-forms — refuses missing-required fields. · *`b.fdx.consentReceipt(opts)`* — Generates the §1033.401(b) consent receipt the authorization server gives the consumer at authorization time (data provider, consumer, third-party recipient, scopes, revocation URL, issued and expires timestamps). **References:** [CFPB §1033 Final Rule (12 CFR §1033.121-461)](https://www.consumerfinance.gov/rules-policy/final-rules/required-rulemaking-on-personal-financial-data-rights/) · [Financial Data Exchange (FDX)](https://financialdataexchange.org/)
+- v0.8.30 (2026-05-08) — **`b.aiPref` — AIPREF Content-Usage + Cloudflare Content Signals + Pay-Per-Crawl.** New primitive emits and parses the IETF AIPREF `Content-Usage` response header alongside Cloudflare's Content Signals Policy header, and serves HTTP 402 Payment Required for paid-crawl surfaces. Operators get a machine-readable channel to signal AI-training, AI-inference, and AI-snippet preferences ahead of the IETF spec finalizing. **Added:** *`b.aiPref.middleware({ train, infer, snippet, price? })`* — Emits the `Content-Usage` header per request and (default-on) the Cloudflare-compatible `CF-Content-Signals` header alongside. Values: `allow` / `deny` / `paid` for train and infer; `allow` / `deny` for snippet. · *`b.aiPref.serializeHeader(opts)` and `b.aiPref.parseHeader(value)`* — Round-trip codec for the `Content-Usage` header so operators can parse incoming crawler-stated preferences or serialize their own emit-side header outside the middleware path. · *`b.aiPref.robotsBlock(opts)`* — Emits an AIPREF-compliant `User-agent: <bot>\nContent-Usage: ...` block for inclusion in `robots.txt`, matching the working group's robots-side preference channel. · *`b.aiPref.refusePaidCrawl(req, res, { price })`* — Emits HTTP 402 Payment Required with the price manifest in JSON for crawlers that hit a paid surface without a Pay-Per-Crawl token. Refused-crawl events emit an audit row. **References:** [draft-ietf-aipref-attach-04](https://datatracker.ietf.org/doc/draft-ietf-aipref-attach/) · [Cloudflare Content Signals Policy](https://blog.cloudflare.com/content-signals-policy/)
+- v0.8.29 (2026-05-08) — **CI smoke heap bump for macOS-arm64 OOM.** The duplicate-block detector still accumulated roughly four million shingle-fingerprint entries across the `lib/` corpus, peaking above the Node default 2 GB heap on macOS-arm64 runners. The smoke gate is now configured with a higher heap ceiling; operators on memory-constrained machines have an explicit single-threaded fallback. **Changed:** *Smoke job heap ceiling raised to 4 GB* — `.github/workflows/ci.yml` sets `NODE_OPTIONS: --max-old-space-size=4096` on the smoke step so the parallel-shingle-pass peak no longer trips the OOM killer on macOS-arm64 runners. · *Single-threaded fallback for memory-constrained hosts* — Operators running the smoke suite locally on machines that can't afford the worker fan-out's peak set `HS_PATTERNS_NO_THREADS=1` to fall back to the single-threaded scan path. **Fixed:** *Hash-fingerprint duplicate-cluster experiment reverted* — The in-progress hash-fingerprint experiment surfaced previously-grouped-by-shape duplicates as distinct hash-bucketed clusters that broke the existing `KNOWN_CLUSTERS` allowlist matching; the detector reverted to the join-on-space form.
+- v0.8.28 (2026-05-08) — **`b.contentCredentials` California SB-942 / AB-853 + C2PA 2.1 content-provenance manifest builder.** California Bus. & Prof. Code §22757 (effective 2026-08-02) requires providers of generative AI systems to embed a latent (machine-readable) provenance disclosure in every synthetic image / video / audio asset distributed in California. The disclosure MUST carry provider + system identifier + system version + content timestamp + unique content ID. SB-942 cites C2PA 2.1+ as an acceptable disclosure format. **Added:** *`b.contentCredentials.build(...)` builds an SB-942-shaped C2PA manifest* — `b.contentCredentials.build({provider, system, systemVersion, contentId, contentType?, contentSha3?})` returns a frozen C2PA-shaped manifest with the SB-942 required fields, statutory citations, and an ISO-8601 generated timestamp. Operators feed the manifest into their existing muxer for embedding. · *`b.contentCredentials.sign(manifest, ...)` signs the canonical-JSON serialization* — Signs over the canonical-JSON serialization of the manifest with the operator's audit-sign keypair (ML-DSA-87 by default). The signed envelope carries the manifest, signature, and algorithm metadata. · *`b.contentCredentials.verify(envelope, publicKeyPem)` validates signature + required fields* — Validates the signature and refuses on any missing required field per SB-942 (provider / system / systemVersion / contentId / contentTimestamp). Returns the parsed manifest only when both checks pass. · *`b.contentCredentials.required(opts)` preflight helper* — Returns the set of missing required-field tags for operator-side preflight before signing — surfaces gaps at integration time rather than at verify time. **Changed:** *Format embedding stays with the operator's muxer* — The framework deliberately does NOT embed the manifest into image / video / audio bytes — the operator's muxer handles JPEG XMP / PNG iTXt / MP4 ContentBoxes per format. The framework owns manifest construction, signing, and verification only. **References:** [California Bus. & Prof. Code §22757 (SB-942 / AB-853)](https://leginfo.legislature.ca.gov/faces/billNavClient.xhtml?bill_id=202320240SB942) · [C2PA 2.1 specification](https://c2pa.org/specifications/specifications/2.1/index.html)
+- v0.8.27 (2026-05-08) — **`b.fapi2` Financial-grade API 2.0 Final conformance posture.** Composes existing primitives (PAR / DPoP / OAuth 2.1 / mTLS) into a single boot-time conformance check against the FAPI 2.0 Final profile. No new crypto, no new HTTP endpoints — pure coordination of already-shipped surface. **Added:** *`b.fapi2.assertConformance({ senderConstraint })`* — Returns `{ conformant, findings }` against the FAPI 2.0 Final profile: PAR required (§5.3.2.2), PKCE S256 (§5.3.1.1), sender-constrained tokens via DPoP OR mTLS (§5.3.2.5), issuer-in-callback per RFC 9207, JAR for signed-request envelopes. Operators run it at boot to refuse a misconfigured deployment fast. · *`b.fapi2.assertOAuthConfig(oauthOpts)`* — Refuses to start a FAPI-bound deployment with PKCE disabled, with both DPoP and mTLS enabled (the profile requires exactly one sender-constraint), with neither DPoP nor mTLS enabled, or with PAR disabled. Refusal is at config time so the misconfig never reaches a live request. · *`fapi-2.0` posture registered with `b.compliance.set`* — Operators activate the conformance posture via `b.compliance.set("fapi-2.0")` (the posture identifier was registered alongside the broader compliance-posture catalog expansion in the previous release) and run `assertConformance` at boot. The posture lights up audit metadata and compliance dashboards without further wiring. **References:** [FAPI 2.0 Final — Security Profile](https://openid.net/specs/fapi-2_0-security-02.html) · [RFC 9207 OAuth 2.0 Authorization Server Issuer Identification](https://www.rfc-editor.org/rfc/rfc9207.html)
+- v0.8.26 (2026-05-08) — **`b.iabTcf` IAB TCF v2.3 consent-string parser + disclosedVendors validator.** Operators feed inbound TC strings (from the `IAB-TC-String` cookie or query parameter) and gate ad-request paths. The framework refuses v2.2 strings that Google + DSPs already reject, and the codebase-patterns worker fan-out gains a memory-safe cap for macOS-arm64 CI runners. **Added:** *`b.iabTcf.parseString(tcString)`* — Base64url-decoded segment-aware parse of an IAB TCF consent string. Returns `{ core, disclosedVendors, allowedVendors, publisherTC, errors }`. `core` carries `version`, `cmpId`, `vendorListVersion`, `policyVersion`, `vendorConsents` (Set of vendor IDs), `vendorLIs`, language, publisher country code, and created / lastUpdated timestamps. `disclosedVendors.vendorIds` is the Set of every vendor disclosed regardless of consent — REQUIRED by TCF Policy v2.3 §III.B.5 since 2026-02-28. · *`b.iabTcf.requireV23Disclosed(tcString)`* — Refuses with `IabTcfError` on missing DisclosedVendors segment, wrong core version, or wrong policy version. Emits `iabtcf.refused` audit on rejection and `iabtcf.accepted` audit on pass, so the operator's compliance dashboard surfaces v2.2 stragglers without bespoke wiring. · *`b.iabTcf.checkVendor(parsed, vendorId)`* — Returns `{ consented, legitimate, disclosed }` for a vendor id — operators gate per-vendor ad-request paths against a parsed TC string without re-walking the bitfield each call. **Fixed:** *codebase-patterns worker fan-out capped at 4 to fix macOS-arm64 OOM* — Pre-0.8.26 the duplicate-block detector spawned `os.cpus().length` workers, each holding its per-shard fingerprint map in heap until message-resolve. macOS-arm64 CI runners (2 GB Node default heap) OOMed mid-scan starting v0.8.15 (every release since failed the macOS smoke job). Now capped at 4 workers; speedup preserved (5× single-threaded), peak memory bounded under 2 GB. Operators with bigger machines override via `HS_PATTERNS_WORKERS=N`. **References:** [IAB TCF v2.3 Policies](https://iabeurope.eu/iab-europe-transparency-consent-framework-policies/) · [IAB TCF Technical Specifications v2.3](https://github.com/InteractiveAdvertisingBureau/GDPR-Transparency-and-Consent-Framework/tree/main/TCFv2.3)
+- v0.8.25 (2026-05-08) — **`b.secCyber.eightKArtifact` SEC Form 8-K Item 1.05 artifact generator.** Required by 17 CFR §229.106 / Form 8-K Item 1.05 (final rule effective 2023-12-18). When a registrant determines a cybersecurity incident is material, it MUST file a Form 8-K within 4 business days describing material aspects (nature / scope / timing) and material impact. The framework can't decide materiality but does structure the operator's materiality finding for filing. **Added:** *Materiality finding captured as a tamper-evident audit row* — The operator's materiality determination is structured into a tamper-evident audit-chain row so the basis-for-filing is preserved for regulator and SOX-control review. The framework does NOT make the materiality call — that remains a fact-and-circumstances judgment owned by counsel. · *Form 8-K Item 1.05 narrative skeleton generator* — Generates a markdown + JSON narrative skeleton matching the Item 1.05 required elements (nature / scope / timing / material impact) for downstream EDGAR filing. Operators flow it into their existing filer-attorney workflow; the framework does NOT submit to EDGAR. · *Four-business-day deadline computer* — Computes the 4-business-day deadline from the materiality determination date so the operator's filing system can gate on it directly — the deadline becomes a queryable field rather than a calendar reminder. · *AG delay-request artifact under §229.106(c)(1)(ii)* — Emits a US-AG delay-request artifact when the operator asserts national-security / public-safety risk under §229.106(c)(1)(ii). The artifact is operator-attested and audited; the framework does not transmit it. **References:** [17 CFR §229.106 / Form 8-K Item 1.05](https://www.ecfr.gov/current/title-17/chapter-II/part-229/subpart-229.100/section-229.106) · [SEC Final Rule — Cybersecurity Risk Management Disclosure](https://www.sec.gov/files/rules/final/2023/33-11216.pdf)
+- v0.8.24 (2026-05-08) — **`b.budr` RTO/RPO declaration primitive + compliance posture registry expansion + literal-NUL detector.** Operator-attested business-continuity declarations land in the audit chain; the compliance-posture registry gains 19 new posture identifiers so operators can drive them through the framework's vocabulary; and a new codebase-patterns gate refuses any `lib/` source file containing a literal NUL byte — the failure class that blocked five previous releases at tag-push time. **Added:** *`b.budr.declare(opts)` RTO/RPO per-service declaration* — Captures operator-attested Recovery Time Objective + Recovery Point Objective per service into a tamper-evident audit chain row. Required by DORA Article 11(1)(d) / ISO 22301:2019 / NIST SP 800-34. Tier vocabulary platinum / gold / silver / bronze; criticality critical / high / medium / low. `b.budr.list()` + `b.budr.get(service)` for dashboards. · *Compliance posture registry expanded* — `b.compliance.set` now accepts `fapi-2.0`, `cfpb-1033`, `iab-tcf-v2.3`, `iab-mspa`, `tcpa-10dlc`, `fda-21cfr11`, `fda-annex-11`, `sec-1.05`, `ny-2-d`, `il-soppa`, `ca-sopipa`, `ct-pa-5-2`, `tx-hb-4504`, `va-sb-1376`, `staterramp`, `irap`, `bsi-c5`, `ens-es`, `uk-g-cloud`. Operators that previously hand-rolled posture identifiers in their app code now drive them through the framework's vocabulary and get the standard `compliance.posture.set` audit row. **Detectors:** *literal-NUL byte in `lib/` source refused at authoring time* — New codebase-patterns gate refuses any `lib/` source file containing a literal NUL (0x00) byte. CI ESLint catches `no-control-regex` violations from a NUL byte inside a regex literal, but Windows local lint silently passed through (encoding-related). The new detector closes the v0.8.19–v0.8.23 publish-failure class where the npm-publish workflow blocked five releases on a NUL byte introduced by tooling-decoded JSON escapes. Operators and agents now see the failure at authoring time instead of at tag-push time. **References:** [DORA Article 11 — ICT business continuity policy](https://eur-lex.europa.eu/eli/reg/2022/2554/oj) · [ISO 22301:2019 — Business continuity management](https://www.iso.org/standard/75106.html) · [NIST SP 800-34 Rev. 1 — Contingency Planning](https://csrc.nist.gov/pubs/sp/800/34/r1/upd1/final)
+- v0.8.23 (2026-05-08) — **`b.compliance.set` emits a TZ posture warning when `TZ` is not UTC.** When the operator activates a regulated posture (`hipaa` / `pci-dss` / `sox` / `gdpr` / `soc2` / `fda-21cfr11`) and `process.env.TZ` is set to a non-UTC value, the framework now emits a `compliance.posture.tz_warning` audit event with the recommendation to set `TZ=UTC`. Pure signal — no behavior change. **Added:** *`compliance.posture.tz_warning` audit event* — Auditors expect timestamps in UTC; a non-UTC `TZ` doesn't break any framework primitive (the audit chain stores Unix-ms, and ISO-8601 emits use `toISOString()` which is always UTC). But operator code that calls `new Date(ts).toString()` or formats with non-UTC formatters can render confusing rows. The warning surfaces the configuration mismatch before the auditor finds it.
+- v0.8.22 (2026-05-08) — **`b.crypto.encrypt` deduplicates the hybrid-disabled audit emission.** Pre-0.8.22 every plain-KEM `encrypt()` call (operator passed `mlkemPub` only, no `ecPublicKey`) emitted a `system.crypto.hybrid_disabled` audit row — high-volume KEM-only deployments pegged the audit bus with redundant signal. **Changed:** *`system.crypto.hybrid_disabled` audited once per process* — Now emitted ONCE per process. Operators who genuinely run KEM-only should call `b.crypto.encryptMlkemOnly` directly (which emits no audit on the hybrid leg); operators surprised by the absent hybrid leg still see the per-process signal so the misconfig is still surfaced.
+- v0.8.21 (2026-05-08) — **DB DDL audit + OTel `db.*` semantic conventions in audit metadata.** Schema mutations issued via `b.db.runSql` / `b.db.exec` now produce structured audit events with OTel-canonical attributes, so forensic review of framework-emitted DDL is no longer dependent on a custom wrapper. **Added:** *`b.db.runSql` / `b.db.exec` DDL audit emission* — Every framework-emitted DDL statement (`CREATE` / `DROP` / `ALTER` / `TRUNCATE` / `RENAME` / `ATTACH` / `DETACH` / `REINDEX`) now records a `db.ddl.executed` audit event with success/failure outcome, statement-prefix preview (truncated 256 chars), and operation classifier. Pre-0.8.21 a `b.db.runSql("DROP TABLE users")` produced zero audit signal — schema mutations were invisible to forensic review unless caught by a custom higher-level wrapper. · *OTel `db.*` semantic conventions in audit metadata* — DDL audit metadata now emits `db.system: "sqlite"`, `db.operation: "<KEYWORD>"`, `db.statement: "<truncated>"` per the OpenTelemetry Spec semconv. Operators with OTel collectors see framework DDL events under the canonical attribute namespace without an adapter. **References:** [OpenTelemetry semconv — Database](https://opentelemetry.io/docs/specs/semconv/database/)
+- v0.8.20 (2026-05-08) — **`b.vault.sealPemFile` hardening pass — size cap, TOCTOU defense, plaintext zero, callback audits, actor capture.** Five sub-class fixes against the auto-resealing PEM-file primitive shipped in v0.8.14. Adds a bounded source read, defeats a symlink TOCTOU window, zeroes plaintext after seal, audits operator-callback throws, and captures a forensic actor on `forceReseal`. **Added:** *`opts.maxSourceBytes` (default 1 MiB) caps source size* — `lstat` runs first and refuses the source if its size exceeds `opts.maxSourceBytes` (default 1 MiB). Replaces the unbounded `fs.readFileSync(source)` — an operator with write access to the source path could previously present a 10 GiB file and OOM the host. **Fixed:** *Symlink TOCTOU between `lstat` and read closed* — Symlink sources are now refused outright. The seal path then `open`s the file, runs `fstat`, and confirms the fd points at the same inode `lstat` saw — rejecting any mutation that lands between the `lstat` and the read. · *Plaintext PEM bytes zeroed on every code path* — `safeBuffer.secureZero(plaintext)` now runs in a `finally` block so the operator-visible PEM bytes don't linger in the V8 heap after seal completes (or after a throw mid-seal). · *Operator callback throws now audited instead of dropped* — `onResealed` / `onError` callbacks that throw now emit `vault.seal_pem_file.on_resealed_callback_failed` / `on_error_callback_failed` audit events instead of being silently swallowed. The seal itself still completes; the operator's downstream wiring is no longer invisible when it fails. · *`forceReseal` captures forensic actor* — `watcher.forceReseal({ actorId, reason })` now records the actor in the audit row — pre-0.8.20 the call was anonymous, a SOC 2 forensic-evidence gap. Watcher-driven resealings continue to record `actor: null` (kernel-event, no operator).
+- v0.8.19 (2026-05-08) — **DB at-rest + Postgres connection hardening (SQLite PRAGMA defenses, connectAs validation, migrate-lock takeover audit).** Sets `PRAGMA trusted_schema=OFF` + `PRAGMA cell_size_check=ON` for at-rest SQLite, validates Postgres GUC values for `Infinity` / `NaN` / NUL / CR / LF, and emits a tamper-evident takeover-audit event when the migrate runner force-replaces a stale lock. **Added:** *`b.externalDb.migrate.up/down` lock takeover audit* — When the migrate runner force-replaces a stale lock (per `staleAfterMs`), the framework now emits an `externaldb.migrate.lock.takeover` audit event with the prior holder ID, takeover age, and the new holder. Pre-v0.8.19 the takeover happened silently — SOC2 forensic-evidence gap. The plain `lock.acquired` event still fires for non-takeover paths. **Changed:** *SQLite PRAGMAs at boot* — `b.db` boot sets `PRAGMA trusted_schema=OFF` (defends CVE-2018-8740 family — refuses to call functions / virtual-table modules from a malicious shadow schema; the attack vector is operator-supplied DB files: backups, restores from untrusted source) and `PRAGMA cell_size_check=ON` (refuses pages with corrupted cell sizes at parse time; cheap defense against malformed-page attacks). Both PRAGMAs are framework-default; operators don't wire them. · *`b.externalDb.adapters.connectAs` GUC validation* — Numeric GUC values must now be `isFinite` (refuses `Infinity` / `NaN` at config time rather than emitting them in a SET that some Postgres builds parse-error on after the connection is already half-set). String GUC values now refuse embedded NUL / CR / LF (no legitimate use; would terminate the SET statement early in some drivers).
+- v0.8.18 (2026-05-08) — **Database query-builder hardening on `b.db.from(...).where|whereRaw` and `b.safeSql`.** Closes column-disclosure via LIKE-metachar leakage, array binding in IN, placeholder counting in raw SQL, and SQLite-specific PRAGMA / ATTACH escape vectors. Refuses `_blamejs_`-prefixed app schema names. **Fixed:** *`Query.where(field, "LIKE", value)` escapes wildcards* — Now escapes SQL `%` and `_` wildcard metacharacters in operator-supplied values and emits `LIKE ? ESCAPE '\\'`. Closes the column-disclosure class where `q=%@%` enumerated the entire table. Operators who deliberately want LIKE wildcards bypass via `whereRaw()`. · *`Query.where(field, "IN", [...])` array binding* — Expands an array to `IN (?, ?, ?)` and binds each value separately. Pre-v0.8.18 the array bound to a single placeholder and silently matched zero rows (`node:sqlite` `?` doesn't support array-binding). Refuses non-array / empty-array inputs. · *`Query.whereRaw(sql, params)` placeholder counting* — Now skips `?` characters inside SQL string literals (single + double quoted, including `''`-doubled escapes), line comments (`-- ...`), and block comments (`/* ... */`). Pre-v0.8.18 the naive regex counted literal-`?` and either threw on count mismatch OR let through fragments with masked missing real placeholders. · *`b.safeSql.BANNED_IDENTIFIERS` extension* — Refuses `pragma` / `attach` / `detach` / `analyze` / `vacuum` / `reindex` as bare identifiers. Closes the SQLite-specific escape-the-parameterized-model surface (PRAGMAs disable security-relevant protections; ATTACH mounts external databases). · *`b.db.declareTable` framework-prefix collision* — Refuses any app schema name that begins with the framework's `_blamejs_` prefix (was an exact-match Set; an app schema entry like `_blamejs_audit_log_archive` slipped past the gate and could shadow / look-alike framework tables).
+- v0.8.17 (2026-05-08) — **Email auth + DANE / TLS-RPT spec-conformance fixes (ARC / DMARC / SPF / A-R / DANE / TLS-RPT).** Ten more RFC-cited gaps closed against shipped ARC (RFC 8617), DMARC (RFC 7489), SPF (RFC 7208), Authentication-Results (RFC 8601), DANE (RFC 6698 / 7672), and TLS-RPT (RFC 8460). Bug fixes only — no new operator-facing primitives. **Fixed:** *ARC (`b.mail.arc`) AAR canonicalization + time-window enforcement* — Signer's AMS canonicalization now includes the current hop's `ARC-Authentication-Results` per RFC 8617 §5.1.1 (auto-prepends to `h=` unless operator passes `excludeAarFromAms: true`). Microsoft + Google receivers DO include AAR in `h=`; the prior framework default produced chains those receivers couldn't verify. Verifier counterpart: when reconstructing the AMS canonical input, only the CURRENT hop's AAR is kept (prior-hop AARs stripped). Verifier now enforces `t=` (signing time) + `x=` (expiration) time windows per §5.2 with operator-tunable `clockSkewMs` (default 5 min) — pre-v0.8.17 the verifier parsed but never enforced. · *DMARC (`b.mail.dmarc`) multi-record + subdomain `sp=` fallback* — Multiple `v=DMARC1` records on a domain now treated as having no DMARC record per RFC 7489 §6.6.3. Subdomain `sp=` fallback wired: when `_dmarc.<from-domain>` returns no record, the verifier walks one label up to the (heuristic) organizational domain and applies its `sp=` — falls back to `p=` when `sp=` absent. Result includes `policyOriginDomain` + `orgDomainPolicyApplied: true`. Heuristic only — operators with PSL needs supply their own `dnsLookup` for full Public Suffix List walk. · *SPF (`b.mail.spf`) initial-query lookup count* — Initial query for the sender's SPF record no longer counts toward the 10-lookup limit per RFC 7208 §4.6.4. Pre-v0.8.17 was off-by-one — senders at the spec ceiling got false `permerror`. · *Authentication-Results (`b.mail.authResults`) method-specific vocabulary* — Result vocabulary is now METHOD-SPECIFIC per RFC 8601 §2.7 (per-method `AR_RESULTS_BY_METHOD` map). The flat `AR_VALID_RESULTS` table previously accepted `hardfail` for DKIM (only valid for DMARC §2.7.4) and accepted `temperror` / `permerror` for methods that don't recognize them. · *DANE (`b.network.smtp.dane`) DNSSEC + chain-order enforcement* — `daneTlsa()` refuses to return records unless the caller passes `opts.dnssecValidated: true` per RFC 7672 §1.3 (TLSA records that are not DNSSEC-validated MUST NOT be used). `daneVerifyChain` enforces RFC 6698 §2.1.4 + RFC 7672 §3.1.1 chain-order: a DANE-TA match at chain position `i` is accepted only when its DER Subject equals the DER Issuer of cert at position `i-1`. Chain-order is best-effort — synthetic test fixtures without ASN.1-parseable DER fall through with `chainOrderUnverified: true` flagged on the match. · *TLS-RPT (`b.network.smtp.tlsRpt.fetchPolicy`) `rua=` requirement* — Record without `rua=` now returns `null` (record ignored) per RFC 8460 §3. Pre-v0.8.17 returned `{ version: "TLSRPTv1", rua: [] }` which operators incorrectly treated as a valid record with no destinations. **References:** [RFC 8617 ARC](https://www.rfc-editor.org/rfc/rfc8617.html) · [RFC 7489 DMARC](https://www.rfc-editor.org/rfc/rfc7489.html) · [RFC 8601 Authentication-Results](https://www.rfc-editor.org/rfc/rfc8601.html) · [RFC 6698 DANE](https://www.rfc-editor.org/rfc/rfc6698.html) · [RFC 7672 SMTP / DANE](https://www.rfc-editor.org/rfc/rfc7672.html) · [RFC 8460 TLS-RPT](https://www.rfc-editor.org/rfc/rfc8460.html)
+- v0.8.16 (2026-05-08) — **Email auth + transport spec-conformance fixes (DKIM / SPF / MTA-STS / OCSP).** Closes ten RFC-cited gaps against shipped DKIM (RFC 6376), SPF (RFC 7208), MTA-STS (RFC 8461), and OCSP (RFC 6960) primitives. Bug fixes only — no new operator-facing primitives, no surface change beyond the additional refusals. **Fixed:** *DKIM verifier (`b.mail.dkim`)* — Refuses any signature whose `h=` tag does not include `from` (RFC 6376 §3.5 cornerstone bypass — without From-coverage the signature does not bind to the visible sender). Refuses unrecognized `v=` tag values per §3.5 (only `v=1` accepted). Enforces empty `p=` as explicit key revocation per §3.6.1 (verdict `fail`, not `permerror`). Enforces `k=` algorithm-family tag agreement with the signature's `a=` family (e.g. `k=rsa` paired with `a=ed25519-sha256` permerrors per §3.6.1). Selector validator accepts multi-label selectors per §3.1 ABNF (common for time-rotated keys like `2024.s1`). · *SPF (`b.mail.spf`)* — Refuses domains that publish multiple `v=spf1` TXT records with `permerror` per RFC 7208 §4.5 (most operators don't realize multi-record SPF was always invalid). `include:` mechanism now permerrors when the included domain has no SPF record per §5.2 (closes the silent-authorization class where `include:gone-domain.example` followed by `+all` would silently allow). · *MTA-STS (`b.smtpPolicy.mtaSts.fetch`)* — Requires the `_mta-sts.<domain>` TXT precondition record per RFC 8461 §3.1 before fetching the HTTPS policy (closes the silent-escalation class). Cache TTL is now bounded by the policy's `max_age` value per §3.2 (clamped between 1 hour floor and 1 year ceiling) instead of the framework's hardcoded 60-min default. · *OCSP (`b.network.tls.ocsp.evaluate`)* — `evaluateOcspResponse` enforces the `thisUpdate` / `nextUpdate` time window per RFC 6960 §4.2.2.1, rejecting responses whose validity window has expired or hasn't started yet (with operator-tunable `clockSkewMs`, default 5 min). Pre-v0.8.16 a captured "good" response could replay forever even after the cert was revoked; this defeats `requireGood` posture. **References:** [RFC 6376 DKIM](https://www.rfc-editor.org/rfc/rfc6376.html) · [RFC 7208 SPF](https://www.rfc-editor.org/rfc/rfc7208.html) · [RFC 8461 MTA-STS](https://www.rfc-editor.org/rfc/rfc8461.html) · [RFC 6960 OCSP](https://www.rfc-editor.org/rfc/rfc6960.html)
+- v0.8.15 (2026-05-08) — **Transport-layer CVE absorption + AI-protocol primitives + WebSocket / TLS / httpClient hardening.** Ships SSE / MCP / GraphQL-federation / `b.ai.input.classify` / A2A / dark-patterns primitives, closes a WebSocket control-frame amplification class (RFC 6455 §5.5), absorbs Node CVE-2026-21710 / 21637 via defensive accessors, lifts the inbound TLS default to TLS 1.3, defaults httpClient to `Accept-Encoding: identity`, and lifts the Node engine pin to 24.4.0 for the undici fix. **Added:** *`b.sse` — Server-Sent Events transport* — Newline-injection refusal in `event:` / `id:` / `data:` fields and the `Last-Event-ID` reconnect header (CVE-2026-33128 h3, CVE-2026-29085 Hono, CVE-2026-44217 sse-channel). `channel.send({event, id, data, retry})` validates each field, refuses LF/CR/NUL, splits multi-line `data` into per-spec multiple `data:` lines, drives a `:keepalive` heartbeat with operator-tunable interval. `b.sse.serializeEvent({...})` exposes the encoder for buffered pipelines. · *`b.mcp.serverGuard` — Model Context Protocol hardening* — Bearer auth required by default (CVE-2026-33032 nginx-ui auth-bypass class). `redirect_uri` exact-match allowlist enforced per OAuth 2.1 / RFC 9700 §4.1.1 (CVE-2025-6514 mcp-remote OAuth RCE class). Dynamic client-registration refused unless `allowDynamicRegister: true` with operator-supplied registration allowlist (confused-deputy class). Tool/resource name allowlists at the guard layer. JSON-RPC 2.0 envelope validator. · *`b.graphqlFederation.guardSdl`* — Refuses `_service.sdl` / `_entities` probes without a router-token Bearer + optional single-use nonce; closes the schema-leak class where operators disable introspection thinking the schema is hidden. · *`b.ai.input.classify` — pattern-based prompt-injection classifier* — Covers OWASP LLM01:2025 + NIST COSAIS RFI shapes: instruction-override / persona-jailbreak / role-reset markers / vendor system-tag templates / tool-call injection / exfil-callback / encoded-bypass (base64/rot13) / markdown+HTML smuggling / BIDI / zero-width / control char density. Severity-3 hits → `verdict: "malicious"`; 2+ severity-2 hits → `"suspicious"`; otherwise `"clean"`. Inline-on-every-request perf cost — no model call, no network. · *`b.a2a` — signed agent-card primitive* — A2A (Linux Foundation Agentic AI Foundation) v1.x. `signCard` produces an envelope with a detached ML-DSA-87 signature over the SHA3-512 of the canonical-JSON serialization (RFC 8785-aligned); `verifyCard` validates signature + expiry + issuer match. Endpoints HTTPS-only (or localhost) at validation time. · *`b.darkPatterns` — FTC click-to-cancel parity attestation* — `recordSignupFlow` / `recordCancelFlow` capture operator-attested click counts, CTA contrast / font weight, channel, confirmation steps; `assertParity` returns `{ ok, breaches }` against `ftc-2024` / `ca-sb942` / `strict` postures. `middleware({lookupAttestation, resourceIdFromReq})` refuses cancel-endpoint requests with HTTP 451 if no parity attestation is on file. · *`b.requestHelpers.safeHeadersDistinct(req)`* — Defensive accessor for `req.headersDistinct` that bypasses Node's faulty getter (Node CVE-2026-21710 — reading `__proto__` on the underlying header bag throws synchronously inside the getter, escaping handler-level try/catch). Computes the same null-prototype shape directly from `req.rawHeaders`. **Changed:** *Inbound TLS default lifted to TLS 1.3* — `router.listen()` now defaults to `minVersion: "TLSv1.3"` when the operator's `tlsOptions` doesn't pin one (closes the gap where bare `{key, cert}` inherited Node's TLSv1.2 default). · *`router.listen()` wraps SNICallback* — Synchronous throws (Node CVE-2026-21637) become a clean async `(err, null)` callback rather than crashing the listener. · *`b.httpClient` defaults to `Accept-Encoding: identity`* — Refuses compressed responses unless the operator explicitly opts in. Closes the undici unbounded-decompression amplification class (CVE-2026-22036). Operators that need compressed responses pass an explicit `Accept-Encoding` header. · *`engines.node` raised from `>=24.0.0` to `>=24.4.0`* — Ensures the undici fix is bundled. **Fixed:** *WebSocket control-frame size cap (RFC 6455 §5.5)* — `lib/websocket.js` `_handleFrame` refuses any control frame (opcodes ≥ 0x8: CLOSE/PING/PONG) with payload length > 125 or `fin = false`. Closes the 2× outbound-bandwidth amplification class where a 1 MiB PING was echoed verbatim as PONG. **References:** [CVE-2026-33128 h3](https://nvd.nist.gov/vuln/detail/CVE-2026-33128) · [CVE-2026-29085 Hono](https://nvd.nist.gov/vuln/detail/CVE-2026-29085) · [CVE-2026-22036 undici](https://nvd.nist.gov/vuln/detail/CVE-2026-22036) · [CVE-2026-21710 Node](https://nvd.nist.gov/vuln/detail/CVE-2026-21710) · [CVE-2026-21637 Node SNI](https://nvd.nist.gov/vuln/detail/CVE-2026-21637)
+- v0.8.14 (2026-05-07) — **`b.vault.sealPemFile` — auto-resealing wrapper for at-rest PEM files.** Closes the cleartext-PEM window between ACME / Let's Encrypt renewals and manual re-seal. Watches the source via `fs.watchFile`, atomically re-seals on mtime change, and exposes a crash-recovery marker so a half-written reseal completes idempotently on restart. **Added:** *`b.vault.sealPemFile({ source, destination })`* — Operators with ACME / Let's Encrypt renewals get fresh certs every 30-60 days; the renewal writes plaintext PEM to disk, signals the application to reload, and leaves the cleartext file unencrypted between the renewal write and the next manual re-seal. `sealPemFile` reads the source, vault-seals it, atomically writes `<destination>` (`.tmp` + `fsync` + `rename` + `fsyncDir`), and registers an `fs.watchFile` poll on the source. Every mtime change triggers an automatic re-seal — the operator-visible `<destination>.rewriting` marker is created before the rename and removed after, giving crash recovery a signal: when `sealPemFile()` starts and the marker is present, it re-seals from source idempotently. Returns `{ stop, generation, lastResealedAt, lastError, watching, forceReseal }`. `pollInterval` defaults to 2s — ACME renewal cadence is days, so polling latency is irrelevant against the renewal interval. `fs.watchFile` (the polling backend) is used instead of `fs.watch` (inotify / kqueue) because watchFile is consistent across platforms — Linux fires multiple change events per rename, macOS doesn't fire on renamed-into files, and the polling cadence is acceptable here.
+- v0.8.13 (2026-05-07) — **Streaming multipart uploads + `onChunk` response hook on `b.httpClient`.** Closes the `Buffer.concat` OOM class on large uploads via three new entry shapes (in-memory, disk-stream, operator-stream) and adds an `onChunk(chunk)` hook that fires for each response chunk in both buffer and stream modes — hash bytes while piping without an extra Transform pass. **Added:** *Streaming multipart on `b.httpClient.request({ multipart: { files: [...] } })`* — Three file-entry shapes: existing `{ field, content: Buffer | string }` (in-memory), new `{ field, filePath: string }` (stream-from-disk via `fs.createReadStream`), and `{ field, stream: Readable, size?: number }` (operator-supplied stream). When every entry's size is statically resolvable (Buffer length / `fs.statSync().size` / explicit `opts.size`), the framework sets `Content-Length` and uses identity transfer; otherwise the framework omits the header and Node's HTTP layer falls back to chunked transfer. Body is materialized one chunk at a time through a `Readable.from(asyncIterator)` that yields boundary headers, source bytes, and CRLF in order. Fast-path preserved: when no streaming source is involved, `_buildMultipartBody` still returns a single Buffer with a known `Content-Length`. · *`onChunk(chunk)` response hook* — Fires for each response data chunk in BOTH `responseMode: "buffer"` and `responseMode: "stream"`. Use case: hash bytes during pipe-to-disk without an extra Transform pass (`onChunk: (c) => hasher.update(c)`). Throws inside the hook are caught and dropped — a hash-mismatch detector can raise without breaking the pipe; callers surface the error through their own pipe handler. **Security:** *Verified shipped: `b.httpClient` + `b.cryptoField` + `b.config` redaction* — Re-verified during the framework-gap audit: `b.httpClient` `responseMode: "always-resolve"`, `onRedirect({from, to, hop, headersStripped, statusCode})` hook, `body: Readable` upload path; `b.cryptoField` derived-hash domain separation (`bj-<table>-<field>:` per-field namespace prefix matches the indexed-lookup requirement); `b.config` `redactKeys` allowlist + `redacted()` view.
+- v0.8.12 (2026-05-07) — **WebSocket upgrade refuses credential-shaped query parameters by default.** URL query strings leak through access logs, browser history, Referer to third-party CDN / analytics, in-process / proxy captures, and crash dumps — RFC 6750 §2.3 explicitly cautions against bearer tokens in URI query parameters. `validateUpgradeRequest` now refuses upgrades carrying a credential-shaped query parameter; operators with a legitimate non-credential collision opt out per route. **Changed:** *`validateUpgradeRequest(req, opts)` credential-query refusal* — Scans the request URL for the credential-leak names `access_token`, `bearer`, `bearer_token`, `apikey`, `api_key`, `api-key`, `authorization` (case-insensitive, with percent-decoding) and refuses the upgrade with HTTP 400 when one is present. Operators with a non-credential parameter that happens to share a credential-shaped name opt out per route via `opts.allowQueryAuthParams: true` with an audited operator reason. The refused list is deliberately narrow: overloaded names (`token`, `auth`, `key`, `session`) have non-credential meanings (CSRF tokens, file-share tokens, session-resume identifiers) and are NOT refused. **References:** [RFC 6750 §2.3 Bearer Tokens in URI Queries](https://www.rfc-editor.org/rfc/rfc6750.html#section-2.3)
+- v0.8.11 (2026-05-07) — **All-50-states breach-deadline registry + adverse-decision wrapper + age-gate + per-primitive test-coverage gate.** Adds `b.breach.deadline` + `b.breach.report` for multi-state data-breach notification, `b.ai.adverseDecision` for GDPR-22 / EU AI Act / ECOA / Colorado / NYC-144 / FCRA consumer-rights wrapping, `b.middleware.ageGate` for COPPA / AADC postures, and a release gate that refuses operator-facing primitives without at least one test reference. **Added:** *`b.breach.deadline` + `b.breach.report`* — All-50-states data-breach-notification deadline registry. `b.breach.deadline.forStates(states, detectedAt)` returns per-state `{ state, kind, dueBy, citation }` records (`kind: "as-soon-as-possible"` for AS-OF / `"hard-deadline"` for fixed-day deadlines like Texas / Florida / Maine). `b.breach.report.create()` opens a multi-state breach with a single record, tracks per-state filings via `fileNotice(id, state, ...)`, exposes `pending(id)` for dashboards, and auto-closes once every affected state has filed. Statutory citations + day counts wired in `lib/breach-deadline.js` per-state. · *`b.ai.adverseDecision`* — Wraps an operator-supplied `decide(subject)` predicate; automatically attaches a consumer-rights notice when the outcome is `"adverse"` / `"denied"` / `"rejected"`. Built-in regulation templates for `gdpr-22`, `ai-act-86`, `ecoa-1002.9`, `colorado-ai-act`, `nyc-ll-144`, `fcra-615`, `operator-defined`. Notice carries `principalReasons` + `consumerRights: { requestData, requestExplanation, contestDecision, requestHumanReview }` shaped per regime. · *`b.middleware.ageGate`* — Request-level age-classification middleware. Operator-supplied `getAge(req)` returns the subject age (or null/undefined when unknown); middleware classifies as `"above-threshold"` / `"below-threshold"` / `"unknown"` against `consentRequired`, sets `X-Privacy-Posture` header, and refuses with 451 + audited reason when `requireAge` is set and `hasParentalConsent(req)` is unmet. Composes upstream of session / authn for COPPA / AADC / UK Children's Code postures. **Detectors:** *Per-primitive test-coverage gate* — New `test/layer-0-primitives/test-coverage.test.js` walks every operator-facing `b.*` primitive and refuses release unless the primitive has at least one test reference (or an explicit `UNTESTED_BACKLOG` entry naming the reason). Closes the drift class where a primitive landed on `b.*` but never gained a unit test.
+- v0.8.10 (2026-05-07) — **Five compliance / regulatory primitives composing on `b.incident.report`.** Adds CRA Article 14 + NIS2 Article 23 incident wrappers, a GDPR Article 30 RoPA registry + exporter, an EU Accessibility Act conformance generator, and a California SB 1001 bot-disclosure middleware. **Added:** *`b.cra.report` — EU Cyber Resilience Act Article 14 wrapper* — Three-stage statutory deadlines: 24h early warning / 72h incident notification / 14d final report. Required `productId` + `manufacturer` per Annex VII §1. Optional ENISA submission via `opts.enisaEndpoint` + `b.httpClient`; submission is operator-opt-in per stage call (regulators uniformly require operator review before filing). · *`b.nis2.report` — NIS2 Article 23 wrapper* — Three-stage deadlines: 24h / 72h / 1 month. Annex I (essential) / Annex II (important) entity classification + sector codes (`I.6` drinking water / `II.6` digital providers / etc.). · *`b.gdpr.ropa` — GDPR Article 30 RoPA registry + exporter* — Validates required fields per Article 30 §1; legal-basis enum per Article 6(1); produces a regulator-friendly RoPA document for the operator's DPO to file. JSON / CSV / Markdown export. · *`b.compliance.eaa` — EU Accessibility Act Article 13* — Declared-conformance generator. Operators declare per-criterion conformance against WCAG 2.1/2.2 AA / EN 301 549; non-conformances ship with reason + mitigation. JSON / Markdown export for the operator's accessibility statement. · *`b.middleware.botDisclose` — California SB 1001* — Cal. Bus. & Prof. Code §17941 bot-disclosure middleware. Injects a disclosure banner into HTML responses, sets `X-Bot-Disclosure` header for API consumers, and audits every conversation-initiating request. Operators wire `mountPaths` to scope and `bannerHtml` for visual customization. **References:** [EU Cyber Resilience Act (Regulation 2024/2847)](https://eur-lex.europa.eu/eli/reg/2024/2847/oj) · [NIS2 Directive (Directive 2022/2555)](https://eur-lex.europa.eu/eli/dir/2022/2555/oj) · [EU Accessibility Act (Directive 2019/882)](https://eur-lex.europa.eu/eli/dir/2019/882/oj)
+- v0.8.9 (2026-05-07) — **`b.incident.report` — generic 3-stage incident-reporting primitive.** Composes the three deadline pattern that recurs across regulatory regimes (initial / intermediate / final report) with built-in per-regime deadlines for GDPR Art. 33, NIS2 Art. 23, DORA Art. 19, CRA Art. 14, and HIPAA Breach Notification, plus `late: bool` + `lateBy: ms` on every record. **Added:** *`b.incident.report`* — Three stages mirror the deadline pattern across regulatory regimes: initial / early-warning notification (within 24h of detection), intermediate / status update (within 72h), final report (within 30d or per-regime deadline). Built-in per-regime deadlines for `gdpr` (Article 33), `nis2` (Article 23), `dora` (Article 19), `cra` (Article 14), `hipaa` (Breach Notification Rule); operators select via `regime: "gdpr"` and `opts.deadlines` can override per-stage. Each stage records a tamper-evident audit event (`incident.report.stage_recorded`) with a `late: bool` + `lateBy: ms` flag — late filings get `outcome: "late"` so regulator audits can distinguish on-time from late-but-eventually filings. Operator-supplied `persist(record)` writes to a DB / SIEM / SOAR system; `onStage(event)` fires for synchronous routing. `status()` returns aggregate counts (open / closed / late-per-stage) for dashboards. **References:** [GDPR Article 33](https://gdpr-info.eu/art-33-gdpr/) · [NIS2 Directive Article 23](https://eur-lex.europa.eu/eli/dir/2022/2555/oj) · [DORA Article 19](https://eur-lex.europa.eu/eli/reg/2022/2554/oj)
+- v0.8.8 (2026-05-07) — **`b.middleware.requireBoundKey` + audit-signing rotation + `b.circuitBreaker` + `b.htmlBalance.checkSafe` + FIPS boundary docs.** Ships three-axis bearer-API-key binding, operator-callable audit-signing rotation with historical re-sign, a top-level circuit-breaker re-export, an HTML balance + guard composite, a permissions predicate-shape warning, and FIPS 140-3 boundary documentation in SECURITY.md. ESLint pinned to 10.3.0 across CI workflows. **Added:** *`b.middleware.requireBoundKey`* — Bearer-API-key middleware with three-axis binding: required scopes, bound-field equality (operator pulls values from headers / query / body via `getBoundField` getters; bound-fields registered on the key are checked with constant-time match), and peer-cert fingerprint allowlist (composes with v0.8.4's `b.crypto.hashCertFingerprint` / `isCertRevoked`). Operator-supplied async `resolver(apiKey)` returns the registered record or `null` when revoked. Refusals carry structured reasons (`no-bearer-token`, `key-unknown-or-revoked`, `missing-scope`, `bound-field-missing`, `bound-field-mismatch`, `peer-cert-required`, `peer-cert-not-pinned`); audit chain captures the keyId + reason on every refusal. · *`b.audit.rotateSigningKey` + `reSignAll(iter)`* — Operator-callable rotation of the audit-signing keypair. Generates (or accepts BYO) a new keypair, copies the existing sealed file to a timestamped history path so historical signatures remain verifiable, re-seals with the operator's passphrase, and atomic-swaps the in-memory keys. Companion `reSignAll(iter)` walks an operator-supplied async iterable of `{ payload, signature, oldPublicKeyPem }` and re-signs each entry with the new key — the audit module's checkpoint store calls this to re-stamp historical checkpoints after a rotation. · *`b.circuitBreaker` top-level re-export* — Top-level re-export of `b.retry.CircuitBreaker` so operators discover it alongside `b.retry`; same state machine, same `wrap()` API, ergonomic `create(opts)` factory. · *`b.htmlBalance.checkSafe(html, opts)`* — Combines structural `balance()` check with a `b.guardHtml.gate` security pass under the same `{ profile, posture }` opt shape used by `b.fileUpload({ contentSafety })` / `b.staticServe({ contentSafety })`. **Changed:** *`b.permissions.policy(scope, predicate)` shape warning* — Emits `permissions.policy_predicate_shape_warning` audit on register-time when the predicate's `.length < 2` (operators commonly forget the `context` argument and ship a predicate that's always-true on the actor parameter). · *`SECURITY.md` FIPS 140-3 cryptographic boundary section* — New section explaining the dual boundary — Node.js OpenSSL FIPS provider for classical primitives, vendored noble-* implementations for PQ algorithms. The latter implement FIPS-published algorithms but the implementations themselves are not CMVP-validated. Operator path for FIPS-mandated environments documented. · *ESLint pinned to 10.3.0 across CI workflows* — Pinned across `ci.yml` / `npm-publish.yml` / `release-container.yml`. `eslint@latest` was silently letting new rule additions break the publish gate on releases that had passed the day before. The pin moves on operator-confirmed bumps.
+- v0.8.7 (2026-05-06) — **`b.auth.accessLock` three-mode access-lock primitive.** Ships an operator-intervention lock with `open` / `read-only` / `locked` modes for stop-the-world, idempotent-only, and full-deny operator windows during incident response, schema migrations, or break-glass review. **Added:** *`b.auth.accessLock`* — Three modes: `"open"` is normal operation; `"read-only"` refuses non-idempotent methods (POST/PUT/PATCH/DELETE) with 503 + `Retry-After` while letting GET/HEAD/OPTIONS pass; `"locked"` refuses everything except an operator-supplied `passthroughPaths` allowlist (status / health / unlock endpoint). Operators flip modes via `lock.set("locked", { actor, reason })`; the transition emits `auth.access_lock.mode_changed` audit + metric. `unlockRoles: ["sre", ...]` lets a privileged role bypass all three modes via `getRole(req)` so a break-glass operator can always reach the unlock endpoint. The boot-time mode emits `auth.access_lock.boot` so the audit chain captures the deploy posture.
+- v0.8.6 (2026-05-06) — **`b.middleware.dailyByteQuota` + `b.appShutdown` extensions + OIDC sub-claim cross-check.** Ships per-IP daily byte budgeting, lifecycle extensions (`onUncaught`, custom signal list, `pidLock`), `b.observability.otlpExporter` audit / metrics refinements, and a token-substitution defense on `b.auth.oauth.fetchUserInfo`. **Added:** *`b.middleware.dailyByteQuota`* — Per-IP rolling 24-hour byte budget (24 hourly bins, slides per-second so a peer can't reset by waiting past midnight). Memory backend single-node by default; `opts.cache` wires `b.cache` for cluster-shared accounting. Refuses with 429 + `Retry-After` when peers exceed the quota; emits `middleware.daily_byte_quota.refused` audit + metric. Inbound + outbound bytes counted. Fail-open on cache backend errors with audited reason — a flaky cache no longer takes the framework down. · *`b.appShutdown` lifecycle extensions* — `onUncaught` hook fires on `uncaughtException` / `unhandledRejection`; default is graceful-shutdown with `exitCode=1`. Operators can wire a hook for relay to PagerDuty / observability before exit. `opts.signals` now accepts a custom signal list (defaults to `["SIGTERM","SIGINT"]`); operators add `SIGUSR2` (nodemon restart), `SIGHUP` (terminal disconnect), `SIGQUIT` (`kill -3`) without subclassing. `b.appShutdown.pidLock(lockPath)` — single-instance file lock that writes `process.pid`, refuses to acquire when another live process holds the lock, reaps stale lock files (PID gone), and releases on shutdown. **Changed:** *`b.observability.otlpExporter` audit + metrics surface* — New `system.observability.otlp_exporter.post_failed` audit emission distinguishes timeout / abort from generic network failure (operators can route timeout-rooted exporter degradation to a different alert channel). `stats()` now reports `droppedTotal` (queue overflow + export failed) and emits a `dropped_total` metric on every call so dashboards chart the running drop count. **Fixed:** *`b.auth.oauth.fetchUserInfo` OIDC sub-claim cross-check* — Refuses on OIDC IdPs unless the caller threads `ufiOpts.idTokenSub` (the verified `sub` claim from `exchangeCode`'s `id_token`); cross-checks userinfo `sub === idTokenSub` to defend against token-substitution where a hostile IdP returns a different user's profile. Non-OIDC OAuth 2.0 deployments mis-flagged as `isOidc` opt out via `{ skipSubCheck: true }` with audited reason.
+- v0.8.5 (2026-05-06) — **Vendor-currency CI gate + `b.middleware.requireMtls`.** Adds a CI check that every vendored bundle in `lib/vendor/MANIFEST.json` matches the latest published version on npm (or the upstream default-branch HEAD for master-branch corpora), and ships `b.middleware.requireMtls` for soft mTLS enforcement composed with the v0.8.4 cert-fingerprint helpers. **Added:** *Vendor-currency CI gate* — `scripts/check-vendor-currency.js` + a new CI job in `ci.yml` assert every npm-mapped vendored bundle in `lib/vendor/MANIFEST.json` matches the latest published version on the npm registry. Per-component check on meta-bundles (e.g. `peculiar-pki` → `@peculiar/x509` + `pkijs`). Master-branch corpus entries (`SecLists`) are checked against the GitHub Commits API for the bundled file's path on the source repo's default branch — if the upstream has commits newer than the manifest's `bundledAt` date, the gate fails. Registry errors stay advisory unless `BLAMEJS_VENDOR_CURRENCY_STRICT=1`. Operators run locally via `npm run check:vendor-currency`. · *`b.middleware.requireMtls`* — New soft-enforcement middleware that rejects requests without an authenticated client certificate. Composes with `b.crypto.hashCertFingerprint` / `isCertRevoked` (added in v0.8.4) so operators pass `fingerprintAllowList: [...]` and `denyList: [...]` and the middleware does the constant-time match. `req.peerCert` + `req.peerFingerprint` are attached for downstream handlers. Audits `mtls.required.allowed` / `mtls.required.refused` with reason metadata.
+- v0.8.4 (2026-05-06) — **Supply-chain scanner findings + outbound HTTP posture + npm-publish unblock.** Routes the OTLP exporter through `b.httpClient` for PQC-hybrid + cert-pinning posture, lazy-loads `child_process` in `b.dev`, adds `responseMode` / `onRedirect` to `b.httpClient`, adds per-dial overrides to `b.wsClient`, ships new crypto + scheduler helpers, and corrects an SD-JWT default-alg test that blocked four prior publishes. **Added:** *`b.crypto.hashCertFingerprint(pem|der)` + `b.crypto.isCertRevoked(pemOrDer, denyList)`* — Returns `{ hex, colon }` SHA3-512 digests and a constant-time deny-list match for cert-fingerprint pinning. · *`b.scheduler.register(name, intervalMs, fn)` + `b.scheduler.getStatus()`* — Shorthand for the every-N-ms registration shape; `getStatus()` returns an aggregate health surface for probes / dashboards (started flag, isLeader, per-task list, totals). **Changed:** *`b.observability.otlpExporter` default transport* — No longer defaults to `globalThis.fetch`; the default transport is now `b.httpClient` (`node:https` through the framework's PQC-hybrid agent + cert-pinning + SSRF guard). The prior default leaked an outbound network surface that supply-chain scanners flagged. Operators on fetch-only edge runtimes still override via `opts.fetchImpl`. · *`b.dev.create()` lazy-requires `child_process` + refuses production by default* — Lazy-requires `child_process` (was top-level — flagged on every install regardless of whether `b.dev` was used) and refuses to construct when `NODE_ENV=production` unless the operator passes `opts.allowProduction: true` with an audited reason. A misconfigured production deploy that accidentally wires the dev-mode restart loop now crashes loudly at boot rather than spawning shells on every save. · *`b.httpClient.request` adds `responseMode` + `onRedirect`* — `responseMode: "always-resolve"` makes every response resolve with `{ statusCode, headers, body }` regardless of HTTP status. `onRedirect({ from, to, hop, headersStripped, statusCode, method })` lets operators throw to abort or rewrite the redirect chain. · *`b.wsClient.connect` per-dial overrides* — Adds `urlFor(attempt)` and `tlsOptsFor(attempt)` for between-reconnect URL / TLS rotation; the new URL is re-validated through `ssrfGuard` so a hostile upstream can't redirect a reconnecting client at a private address. Post-`close()` `ECONNRESET` / `EPIPE` swallowed cleanly. · *`b.pqcAgent.create({ ecdhCurve })` accepts a caller-supplied stricter list* — Operators can drop a group from the framework default but cannot widen with non-PQ groups (the prior hardcoded value blocked legitimate per-deployment narrowing). **Fixed:** *npm-publish unblock: SD-JWT default-alg test* — `test/layer-0-primitives/sd-jwt-vc.test.js` was asserting `DEFAULT_ALG === "ES256"` after v0.8.1 flipped the default to `ML-DSA-87`; the assertion now matches the lib (and `DEFAULT_HASH_ALG` for `sha3-512`). v0.8.1 / v0.8.2 / v0.8.3 all failed the npm-publish gate on this single test.
+- v0.8.3 (2026-05-06) — **Release-gate fixes + post-v0.8.2 hardening.** Closes the wiki opts-drift gate for the v0.8.1 `requireOrigin` opt, a gitleaks false-positive on KEM-envelope shapes, and ships two functional additions on `b.httpClient` and `b.wsClient`. **Added:** *`b.httpClient.request({ responseMode: "always-resolve" })`* — Every request resolves with `{ statusCode, headers, body }` regardless of HTTP status — operators using the framework as an inbound-proxy upstream no longer have to wrap each call in a try/catch to recover the body of a 4xx/5xx. **Fixed:** *Wiki primitive-section opts-key drift on `b.middleware.csrfProtect`* — The `requireOrigin` opt added in v0.8.1 was not documented in the wiki seeder; now listed alongside `checkOrigin` / `allowedOrigins`. · *gitleaks secret-scan false positives on KEM-envelope shapes* — Findings against `{ privateKey, cipherText }` parameter-name shapes in `lib/crypto.js` error messages and the v0.8.0 CHANGELOG entry are now allowlisted via `.gitleaks.toml` (parameter-name shape allowlist + pinned commit fingerprints for the v0.8.0 entry). · *`b.wsClient` post-close error noise* — Swallows post-`close()` `ECONNRESET` / `EPIPE` errors so a clean shutdown doesn't surface a noisy unhandled-error event when the kernel races the FIN with an in-flight write. · *`SECURITY.md` documents the `allowInternal: true` test-pattern* — Legitimate same-host integration tests opt in explicitly with audited reason — never as a production default.
+- v0.8.2 (2026-05-06) — **ESLint fixes for the v0.8.1 npm-publish gate.** Two no-op lint fixes that unblock the publish workflow; functional behaviour unchanged from v0.8.1. **Fixed:** *`lib/guard-csv.js` bidi-prefix regex* — Now uses explicit `\uXXXX` escapes (was tripping `no-irregular-whitespace` + `no-misleading-character-class` on the literal-codepoint form). · *`lib/redact.js` URL-bearer-query detector* — Drops a redundant `\-` escape inside a character class flagged by ESLint.
+- v0.8.1 (2026-05-06) — **Hardening sweep across audit emission, crypto defaults, auth bypass closure, storage, HTTP, and observability.** Defense-in-depth fixes across audit emission canonicalisation, PQC-first crypto defaults, auth bypass closure (break-glass, mfaWindowMs, fingerprint-drift, bearer 401 shape, jti minting, OIDC nonce), storage SQLi closures, HTTP and outbound transport posture, content-safety bypasses, and redaction coverage. No new operator-facing primitives. **Changed:** *Audit emission canonicalisation* — `audit.safeEmit` now normalises non-canonical outcomes (`ok` / `fail` / `warning` / `duplicate` / `skip` → `success` / `failure`) and replaces hyphens in action-name segments with underscores. The strict regex enforced by `audit.record` was silently dropping events from `b.flag` / `b.outbox` / `b.inbox` / `b.session` (idle / absolute / fingerprint-drift) / `b.db` (integrity-check) / `b.compliance.aiAct` / `b.config-drift` / `b.log-stream` / `b.pubsub` (and fixes a positional-signature bug at the publish call site). Chain-write integrity failures now emit `system.audit.chain_write_dropped` to observability so operators alerting on rate-drop still see a signal when audit itself is the broken sink. · *PQC-first crypto defaults tightened* — `b.mtlsCa` `caKeySealedMode` default flipped from `"auto"` to `"required"`; legacy `"auto"` (load whichever exists, fall back to plaintext) is removed. Operators opt back to plaintext explicitly via `"disabled"` with audited reason. `b.network.tls` default key-share preference list now leads with `SecP384r1MLKEM1024` (highest-PQ hybrid registered in `TLS_GROUP_PREFERENCE`) and drops `secp256r1`. `b.auth.sdJwtVc` defaults to `ML-DSA-87` + `sha3-512` (was `ES256` + `sha-256`). `b.crypto.encrypt` emits `system.crypto.hybrid_disabled` audit when called with only an ML-KEM public key. `b.auth.totp` emits `auth.totp.algorithm_downgraded` audit on every SHA-256 enrolment / verification. **Fixed:** *Auth bypass closures across break-glass, MFA, sessions, bearer, OIDC nonce* — `b.breakGlass` `policy.requireScope` is now enforced at `grant()` time (was accepted, persisted, and surfaced via `policyGet` but never consulted). `b.permissions` `requireMfa: true` defaults to a 15-minute `mfaWindowMs` floor when neither route nor role supplies one. `b.middleware.attachUser` threads `req` through `session.verify` so the documented fingerprint-drift / IP-UA pin / anomaly-score defenses fire on the standard middleware path. `b.middleware.bearerAuth` returns 401 with `WWW-Authenticate: Bearer error="invalid_request"` when an `Authorization` header is present but doesn't parse against the configured scheme (was falling through to cookie-session); `realm` is CRLF-validated at create-time. `b.bearerAuth` sets `req._bearerAuthHandled` after success so `b.middleware.attachUser` skips re-reading the same header. `b.breakGlass.unsealRow` SELECTs the target row before incrementing `rowsConsumed` so a typo'd row id no longer exhausts a `maxRowsPerGrant: 1` grant. `b.auth.password` HIBP path fail-closes when more than half the response lines are unparseable (poisoned-mirror defense). `b.auth.jwt.sign` auto-mints a `jti` when `expiresInSec` is set and the operator didn't supply one. `b.auth.oauth.exchangeCode` requires `nonce` on OIDC flows when `authorizationUrl()` produced one (explicit `skipNonceCheck: true` for legacy IdPs). `b.auth.lockout` cache-error signal now also rides the audit chain. `b.middleware.csrfProtect` cookie regex tightened from `{2,}` to `{64}` hex chars (matches `forms.generateCsrfToken` output) so a sibling-subdomain XSS can't plant `csrf=ab` and submit matching `X-CSRF-Token`; new `requireOrigin: true` opt for browser-only routes; `csrf.bad_cookie_value` audit on planted-short-cookie refusals. · *Storage / SQLi closures* — `b.retention` calls `safeSql.validateIdentifier` on every operator-supplied table name, age field, soft-delete field, legal-hold field, and cascade FK before reaching SQL string concatenation. `b.db` at-rest `db.enc` envelope binds `(data dir, node identity)` AAD so two deployments sharing the operator passphrase can't swap `db.enc` files; old envelopes still decrypt via a one-release backwards-compat fallback. `b.externalDb` `SET LOCAL` GUC values capped at 4 KiB. `b.cache` set path swapped from `JSON.stringify` to `safeJson.stringify` (refuses Buffer / circular / Date round-trip ambiguity). `b.objectStore.setObjectRetention` does a `getObjectRetention` pre-check and refuses client-side when existing retention mode is `COMPLIANCE` and the caller tries to shorten it or pass `bypassGovernance: true`. `b.inbox` rejects NUL + C0 controls in `messageId` / `source` (closes the dedupe-collision attack on truncating drivers). · *HTTP / network posture* — `b.wsClient.connect` wires `b.ssrfGuard` symmetric to `b.httpClient` (cloud-metadata / private / loopback / link-local / reserved IPs hard-denied; `allowInternal: true` opts in). `b.wsClient` outbound `tls.connect` pins `minVersion: "TLSv1.3"`. `b.app` HTTP/2 server pins `maxOutstandingPings: 10` (CVE-2019-9512 ping-flood class). `b.middleware.cors` always appends `Vary: Origin` when the request carried an Origin. `b.staticServe` adds `maxRangeBytes` cap (default 64 MiB) — refuses single-range requests larger than the cap with 416 (slowloris-range defense). `b.middleware.bodyParser` per-part header bytes now count toward `totalSize` (closes a 120 × 16 KiB amplification surface). `b.ssrfGuard` `_ipv4ToInt` strict octet validation refuses non-numeric segments instead of silently coercing to 0. `b.cluster` heartbeat picks up ±20% per-tick jitter on followers; `MIN_LEASE_TTL` bumped from 5s to 10s. · *Content-safety bypasses + observability redaction* — `b.guardHtml._extractScheme` + `b.guardSvg._extractScheme` decode HTML5 named entities (`&Tab;` / `&NewLine;` / `&colon;` / `&sol;` / etc.) before scheme-allowlist matching (closes the `java&Tab;script:` bypass class). `b.guardCsv` strips ZWSP / RTLO / LRM / RLM / BOM at cell-start before the formula-prefix scan. `b.guardAll._verifyParity` walks `STANDALONE_GUARDS` too (filename / domain / uuid / cidr / time / mime / jwt / oauth / graphql / shell / regex / jsonpath / template / image / pdf / auth). `b.fileUpload._checkAllowedFileType` cross-checks operator-supplied claimed MIME against magic-byte detection and refuses on family mismatch. `b.mail` attachment validation wires `b.guardFilename.validate({ profile: "strict" })` + magic-byte / claimed-MIME cross-check. `b.redact` SENSITIVE_FIELDS now covers `x-api-key` / `x-apikey` / `x_api_key` / `api-key` plus DPoP / OAuth 2.1 fields (`jwk`, `dpop`, `proof`, `assertion`, `client_assertion`, `id_token_hint`, `code_verifier`, `client_secret`, `refresh_token`, `access_token`); new value-shape detector redacts query-string `?token=` / `?access_token=` / `?api_key=` patterns inside URL fields. `b.logStream` syslog sink strips CR / LF from MSG content per RFC 5424 §6.4. `b.compliance.set` rejection emits `compliance.posture.set_rejected` audit on `unknown-posture` and `already-set` paths. · *Supply chain hygiene* — `scripts/vendor-update.sh` auto-runs `scripts/refresh-vendor-manifest.js` so `MANIFEST.json` sha256 hashes track the on-disk bundle without a separate operator step. **Detectors:** *`audit-action-with-hyphen` + `non-canonical-audit-outcome`* — Two new `codebase-patterns` detectors catch new sites at gate time that emit hyphenated audit-action segments or non-canonical outcome strings.
+- v0.8.0 (2026-05-06) — **ARC chain construction + transactional inbox + API spec parsers + wsClient hardening.** Minor bump landing relay-side ARC signing, transactional dedupe-on-receive inbox, OpenAPI/AsyncAPI parsers, a named ML-KEM-768 + X25519 decrypt helper, and substantial outbound WebSocket-client hardening (decompression-bomb cap, UTF-8 fatal validation, control-frame caps, permanent-error classifier, audit-metadata enrichment). **Added:** *`b.mail.arc.sign` relay-side RFC 8617 ARC chain construction* — Companion to the existing `b.mail.arc.verify`. Produces AAR + AMS + AS headers, prepends them in RFC-recommended order, enforces cv= rules (`i=1` requires `cv=none`, `i>=2` requires `cv=pass` / `cv=fail`), and emits chain-gap detection (`i=N` requires N-1 prior hops). Supports rsa-sha256 and ed25519-sha256; CRLF-injection refused on operator-supplied authResults. Emits `dkim.arc.signed` audit on success. · *`b.inbox.create` transactional dedupe-on-receive* — Companion to `b.outbox`. Guarantees exactly-once handling by recording every `(source, messageId)` pair in the same transaction as the business state change — duplicate delivery short-circuits via the `(source, message_id)` PRIMARY KEY. High-level `handle(opts, fn)` wraps `externalDb.transaction`; low-level `recordReceive` / `markProcessed` for operators managing transactions directly. Includes `declareSchema` / `sweep(retentionDays)` / `getStats` / `isFresh`; postgres + sqlite dialect support; audit emissions `inbox.received` / `handled` / `handle_failed` / `swept`. · *`b.openapi.parse` + `b.asyncapi.parse`* — Validate external specs (only the build path existed previously). Returns `{ doc, errors[], valid }` covering version, info, paths / channels / operations, response.description, path-parameter `required:true`, and dangling security references. · *`b.crypto.decryptMlkem768X25519` named decrypt helper* — Symmetric counterpart to the existing `encryptMlkem768X25519`. Rejects ciphertexts under any other KEM id at the head with a clear error rather than falling through the generic dispatch path. · *`b.wsClient.cancelReconnect()` operator API* — Stops in-flight reconnect timers. `close()` mid-reconnect now also cancels the pending timer rather than returning early on the closed state. **Changed:** *`b.wsClient` hardening + extensions* — Adds `handshakeGuid` opt mirroring the server (operators with non-RFC-6455 GUIDs). Decompression-bomb defense via `zlib.inflateRawSync` `maxOutputLength` cap closes the small-frame-to-GB expansion. Fatal UTF-8 validation on text frames + close-frame reasons (RFC 6455 §5.6). Control-frame ≤125-byte cap + FIN=1 enforcement (RFC 6455 §5.5). RSV1-on-continuation rejection (RFC 7692 §6.1). Permanent-error classifier so 4xx handshake responses / accept-mismatch / bad-subprotocol / bad-upgrade / bad-status-line / message-too-big skip reconnect (no auth-failure hammering). `close(code, reason)` truncates >123-byte UTF-8 reasons at codepoint boundaries. `permessage-deflate` `server_max_window_bits` parsing with [8, 15] range enforcement. Audit metadata enriched with `bytesSent` / `bytesReceived` / `attempt` / `peerCertFingerprint` / `serverWindowBits` / `tls` / `permanent`. CRLF validation on the operator-supplied `Origin:` header matches the existing custom-header validation. **References:** [RFC 8617 ARC](https://www.rfc-editor.org/rfc/rfc8617.html) · [RFC 6455 WebSocket](https://www.rfc-editor.org/rfc/rfc6455.html) · [RFC 7692 WebSocket permessage-deflate](https://www.rfc-editor.org/rfc/rfc7692.html)
+## v0.7.x
+- v0.7.114 (2026-05-06) — **`b.vault.aad` AAD-bound sealed columns + `b.wsClient` outbound WebSocket client.** . `b.vault.aad.seal(plaintext, aadParts)` / `b.vault.aad.unseal(value, aadParts)` binds the seal to an AAD tuple `(table, rowId, column, schemaVersion)` so the AEAD tag fails on any decrypt where the AAD differs — copy-paste between rows, replay across schema-version bumps, and table-mismatch attacks all surface as a refused decrypt. **Added:** *`b.vault.aad.seal(plaintext, aadParts)`* — /. (See CHANGELOG for full context). · *`b.vault.aad.unseal(value, aadParts)`* — binds the seal to an AAD tuple `(table, rowId, column, schemaVersion)` so the AEAD tag fails on any decrypt where the AAD differs — copy-paste between rows, replay across schema-version bumps, and table-mismatch attacks all surface as a refused decrypt. Symmetric key derived per-row via SHAKE256 over `("vault.aad/v1/" || vault-root || canonical-AAD)` with the AAD threaded into XChaCha20-Poly1305's tag. `buildColumnAad` / `buildContextAad` helpers produce canonical (sorted-keys, length-prefixed) AAD bytes; `reseal(value, fromAad, toAad)` re-binds a value to a new context after authenticating the source. Audit emissions: `vault.aad.sealed` / `vault.aad.unseal_failed`. · *`b.wsClient.connect(url, opts)`* — ships the outbound RFC 6455 WebSocket client — companion to `b.websocket` (server-side). HTTP/1.1 Upgrade with Sec-WebSocket-Key generation + Sec-WebSocket-Accept verification (rejects on hash mismatch); subprotocol + permessage-deflate (RFC 7692) negotiation; client-side frame masking (RFC 6455 §5.3); TLS via `b.network.tls.pqc` (X25519MLKEM768 hybrid handshake, security-defaults-on); heartbeat ping/pong with pongDeadline tracking; auto-reconnect with exponential-backoff + full jitter; CRLF-injection defense on operator-supplied headers; configurable `maxMessageBytes` / `maxFrameBytes` / `pingMs` / `pongMs` / `handshakeTimeoutMs` / `reconnect: { maxAttempts, baseMs, maxMs }`. EventEmitter API: `open` / `message` / `close` / `error` / `reconnecting`. Reuses `FrameParser` and `serializeFrame` from `lib/websocket.js` so the wire layer is identical to the server. Integration test `test/integration/ws-client-roundtrip.test.js` boots a real `http.Server` driven by `b.websocket` primitives and dials it with `b.wsClient`, exercising plain ws:// handshake + subprotocol negotiation + text/binary echo + ping/pong heartbeat + close round-trip + permessage-deflate compress/inflate end-to-end. Audit emissions: `wsclient.connected` / `wsclient.closed` / `wsclient.error`. **References:** [RFC 6455](https://www.rfc-editor.org/rfc/rfc6455.html) · [RFC 7692](https://www.rfc-editor.org/rfc/rfc7692.html)
+- v0.7.113 (2026-05-06) — **`@noble/post-quantum` attribution sweep.** NOTICE picks up the v0.6.1 vendored bundle with full copyright + Used-for + thank-you line per the framework's attribution convention. README's "Vendored dependencies" dependency table picks up the noble-post-quantum row alongside noble-ciphers. The wiki home page's "Special thanks" list cites Paul Miller for both noble-ciphers and noble-post-quantum. **Added:** *`@noble/post-quantum` attribution sweep* — `@noble/post-quantum` attribution sweep. NOTICE picks up the v0.6.1 vendored bundle with full copyright + Used-for + thank-you line per the framework's attribution convention. README's "Vendored dependencies" dependency table picks up the noble-post-quantum row alongside noble-ciphers. The wiki home page's "Special thanks" list cites Paul Miller for both noble-ciphers and noble-post-quantum. The wiki `welcome` page's "What's in the box" table picks up `@noble/post-quantum` ↔ `b.pqcSoftware` with the security-first defaults (ML-KEM-1024, ML-DSA-87, SLH-DSA-SHAKE-256f). Pure docs / attribution sweep — no behaviour changes.
+- v0.7.112 (2026-05-06) — **`b.asyncapi` AsyncAPI 3.0 schema-document builder + `b.pqcSoftware` pure-JS PQC primitive wrapper.** around vendored `@noble/post-quantum`. `b.asyncapi.create({ info, servers, defaultContentType, security, externalDocs, tags, id })` returns an event-driven sibling to `b.openapi` — operators describe pubsub / websocket / kafka / mqtt / amqp surfaces as a single document the framework can serve at `/asyncapi.json` (or YAML). **Added:** *`b.asyncapi.create({ info, servers, defaultContentType, security, externalDocs, tags, id })`* — returns an event-driven sibling to `b.openapi` — operators describe pubsub / websocket / kafka / mqtt / amqp surfaces as a single document the framework can serve at `/asyncapi.json` (or YAML). · *`builder.channel(channelId, opts)`* — registers channels with messages / parameters / per-channel bindings;. · *`builder.operation(operationId, opts)`* — registers `send` / `receive` operations against declared channels (dangling-channel references throw at registration). `builder.schema / message / parameter / correlationId / requestBody` register reusable components. · *`builder.security.add / require`* — with same scheme builders shared with `b.openapi.security` (bearer / basic / apiKey / oauth2 / openIdConnect / mtls / dpop). · *`builder.toJson() / toJsonString() / toYaml()`* — final dangling-security-reference checks; YAML emitter shared with `b.openapi`. · *`b.asyncapi.bindings.{websockets,kafka,amqp,mqtt,http}`* — typed binding builders for the four protocols framework primitives speak; rejection on bad shape (websockets method ∈ {GET, POST}, kafka partitions/replicas > 0, amqp `is` ∈ {queue, routingKey}, mqtt qos ∈ {0, 1, 2}). · *`b.asyncapi.traits.{operation, message, applyOperation, applyMessage}`* — AsyncAPI trait composition with shallow-merge semantics — operators define a trait once (e.g. "every kafka publish carries tracing-header envelope") and apply it across operations / messages. · *`b.middleware.asyncapiServe({ document, pathJson, pathYaml, accessControl, cacheControl,* — mirrors `openapiServe`: GET / HEAD only, SHA3-512 ETag for conditional 304s, CORS gating. · *`b.pqcSoftware`* — ships pure-JS FIPS 203 / 204 / 205 PQC algorithms via `lib/vendor/noble-post-quantum.cjs` (Paul Miller's `@noble/post-quantum` v0.6.1, MIT, vendored under `lib/vendor/MANIFEST.json` with SHA-256 pin). Usable server-side and client-side; ciphertexts FIPS 203 conformant in both directions with Node's built-in WebCrypto ML-KEM. Defaults pin to the highest cat-5 level: `DEFAULT_KEM` = ML-KEM-1024, `DEFAULT_LATTICE_SIG` = ML-DSA-87, `DEFAULT_HASH_SIG` = SLH-DSA-SHAKE-256f. Surface: `ml_kem_512` / `ml_kem_768` / `ml_kem_1024` (FIPS 203 KEM), `ml_dsa_44` / `ml_dsa_65` / `ml_dsa_87` (FIPS 204 lattice signatures), `slh_dsa_sha2_*f` / `slh_dsa_shake_*f` (FIPS 205 hash signatures), `isAvailable()` + `listAlgorithms()` + getter-style algorithm accessors. Audit emissions: `asyncapi.document.built` / `asyncapi.document.served`. 200+ test cases.
+- v0.7.111 (2026-05-06) — **`b.flag` + `b.middleware.flagContext` — OpenFeature-aligned feature-flag client.** `b.flag.create({ provider, providers, defaultEvaluationContext, audit, errorHandler, hooks })` returns a flag client with `getValue / getBoolean / getString / getNumber / getObject / getDetails / getValues / getDetailsAll / addProvider / removeProvider / list / middleware`. **Added:** *`b.flag.create({ provider, providers, defaultEvaluationContext, audit, errorHandler, hooks })`* — returns a flag client with `getValue / getBoolean / getString / getNumber / getObject / getDetails / getValues / getDetailsAll / addProvider / removeProvider / list / middleware`. Hot-path drop-silent — operator-supplied defaults returned on flag-not-found / provider-error; an `errorHandler` callback + audit emission on `flag.evaluation.error` surface the issue without taking down the request. · *`b.flag.providers`* — ships three first-party providers: `memory({ flags })` for in-process / test flag sets, `localFile({ path, watch })` for JSON-file-backed flags with optional watch-on-change reload (hot-path-tolerant — bad JSON during reload is drop-silent), and `environmentVariable({ prefix, flags })` for `FLAG_*` env-var overrides. Flag specs validate at registration time per the no-MVP rule: `default` must reference a registered variant, every rule's `variant` must reference a registered variant, every rollout entry's percentage must be in [0, 100] with the sum bounded at 100. · *`b.flag.targeting`* — evaluates rules with 14 operators (eq / neq / in / nin / gt / gte / lt / lte / starts_with / ends_with / contains / regex / exists / not_exists / between); regex patterns capped at 200 chars (DoS defense); rules support nested-attribute paths (`user.profile.tier`); conjunction across `conditions[]`. · *`b.flag.context`* — ships evaluation-context builders: `create`, `merge`, `fromRequest({ userKey, extra })` (extracts targeting key from `req.user.id` or anonymous fallback hashed from clientIp + userAgent), `bucketOf(targetingKey, flagKey)` deterministic SHA3-512 percentage bucket helper. · *`b.flag.cache(downstream, { ttlMs, maxEntries })`* — wraps a downstream provider with a per-`(targetingKey, flagKey)` TTL cache backed by an insertion-ordered Map (oldest-first eviction at maxEntries cap; flag-not-found never cached so operators can add flags later); `cached.bust()` clears all entries; `cached.stats()` returns `{ size, hits, misses, evictions, hitRatio, ttlMs, maxEntries }`. · *`b.middleware.flagContext({ userKey, userKeyHeader, extractAttributes, tenantKeyHeader })`* — request-time middleware that extracts an evaluation context onto `req.flagCtx` for downstream handlers and multi-client flag setups (separate from the per-client `flag.middleware()` accessor that attaches `req.flag.{getBoolean,getString,...}` directly). · *OpenFeature hooks* — `before / after / error / finally` callbacks fire around every evaluation; throwing hooks are drop-silent (observability, not blocking). Audit emissions: `flag.evaluated` / `flag.evaluation.error` / `flag.cache.bust`. 130+ test cases.
+- v0.7.110 (2026-05-06) — **`b.openapi` + `b.middleware.openapiServe` — OpenAPI 3.1 schema-document builder.** . `b.openapi.create({ info, servers, externalDocs, tags, security })` returns an immutable-on-`toJson` builder for hand-authored API contracts. **Added:** *`b.openapi.create({ info, servers, externalDocs, tags, security })`* — returns an immutable-on-`toJson` builder for hand-authored API contracts. · *`builder.path(method, urlPattern, opts)`* — registers operations with full RFC-9110-method validation (get / put / post / delete / options / head / patch / trace), path-template `{name}` placeholders cross-checked against declared `parameters: [{ in: "path", required: true }]` (build-time throw on mismatch), required `responses` map per OpenAPI 3.1 §4.8.5 with required `description` on every response, body-content map under `requestBody.content[mediaType].schema`. · *`builder.schema(name, schemaSpec)`* — / `response(...)` / `parameter(...)` / `requestBody(...)` / `header(...)` / `example(...)` register reusable `components`. Schema specs accept three forms: a `b.safeSchema` object (walked into JSON Schema 2020-12 by `lib/openapi-schema-walk.js`), a hand-shaped JSON Schema object (passes through with shape validation), or a primitive type-name string. · *`builder.security.add(name, scheme)`* — + `security.require(requirement)` register security schemes; the builder surfaces `b.openapi.security.{bearer,basic,apiKey,oauth2,openIdConnect,mtls,dpop}` typed builders that validate every IANA-registered scheme shape (apiKey `in` ∈ {header, query, cookie}; oauth2 `flows` with per-flow `authorizationUrl` / `tokenUrl` / `scopes` validation; mTLS uses the OpenAPI 3.1 `mutualTLS` type). · *`builder.toJson()`* — runs final dangling-reference checks (every `security` requirement key MUST resolve to a registered scheme). `builder.toJsonString(indent)` +. · *`builder.toYaml()`* — emit the document; the YAML emitter (`lib/openapi-yaml.js`) handles spec-quoted strings (numbers / booleans / dates / yaml-special tokens), nested arrays / objects, empty `[]` / `{}`. `builder.middleware({ pretty, cacheControl })` is the single-builder embed;. · *`b.middleware.openapiServe({ document, pathJson, pathYaml, accessControl, cacheControl, pretty,* — is the framework-style mounted middleware that responds at `/openapi.json` + `/openapi.yaml` (configurable), emits SHA3-512-derived ETag for conditional-GET 304s, gates by `accessControl: "public" | "same-origin"` for the `Access-Control-Allow-Origin: *` header, falls through on non-GET / non-HEAD methods. Audit emissions: `openapi.document.built` / `openapi.document.served`. 100+ test cases.
+- v0.7.109 (2026-05-06) — **`b.compliance.aiAct` + `b.middleware.aiActDisclosure` — full EU AI Act (Regulation (EU) 2024/1689).** compliance primitive with deadline-aware classification, Article 5 prohibited-practices catalog, Article 6 + Annex III high-risk classifier, Article 12 logging helpers (with biometric-system-specific minimum-fields enforcement per Art. **Added:** *`b.compliance.aiAct.classify({ purpose, deployContext, deployerType, ... })`* — returns `{ tier, prohibitedHits, annexIIIHits, obligations, action, legalReference }` — tier is `prohibited` / `high-risk` / `limited-risk` / `general-purpose` / `minimal-risk`. · *`b.compliance.aiAct.prohibited`* — ships the eight Art. 5 prohibited practices catalog (subliminal manipulation, vulnerable-group exploitation, social scoring, profiling-only predictive policing, untargeted facial scraping, workplace/education emotion inference, sensitive-attribute biometric categorisation, real-time RBI in public spaces) with conservative classifier and exemption handling. · *`b.compliance.aiAct.risk`* — ships the eight Annex III rows with per-row Article 9-15 obligation lists (Article 27 FRIA added for law-enforcement / migration). · *`b.compliance.aiAct.transparency`* — ships banner / htmlBanner / watermark / jsonLdDisclosure / metaTags builders for the four Art. 50 obligations. · *`b.compliance.aiAct.logging`* — ships buildEvent / emit / logEvent / loggerFor / retentionFloorMs (per Art. 19 — 180-day default, 365-day floor for financial / employment / law-enforcement). Biometric systems require the Art. 12(3) minimum fields (periodStart, periodEnd, referenceDatabase, matchedInputRef, verifiers); the builder throws when they're missing. · *`b.compliance.aiAct.gpai`* — classifies general-purpose AI models with the Art. 51(2) FLOP threshold (10^25 cumulative training compute → presumption of systemic risk per Art. 55). · *`b.compliance.aiAct.annexIVScaffold(...)`* — returns the eight Annex IV documentation sections (general description / detailed description / monitoring + functioning / risk-management / changes / harmonised standards / EU declaration of conformity / post-market monitoring). · *`b.compliance.aiAct.deployerChecklist(assessment)`* — returns operator-actionable next-steps with article references for the assessment's tier (prohibited → do-not-deploy; high-risk → conformity assessment + technical doc + risk mgmt + data governance + logging + human oversight + Art. 71 EU database + Art. 72 post-market monitoring; limited-risk → transparency middleware mount; GPAI → technical doc + downstream info + copyright policy + training summary + Art. 55 systemic-risk obligations when applicable). · *`b.compliance.aiAct.DEADLINES`* — carries the Art. 113 phase-in calendar (2026-02-02 prohibited / 2026-08-02 GPAI + transparency / 2027-08-02 high-risk). · *`b.middleware.aiActDisclosure({ kind, deployerName, policyUri, mode })`* — auto-injects `AI-Act-Notice` / `AI-Act-Article` / `AI-Act-Policy` response headers on every 2xx response, plus an `<div role="status">` banner injection on 2xx HTML responses when mode=`html`; honors `X-Skip-AI-Act` request header and `res.locals.aiActSkip` opt-out. Audit emissions: `compliance.aiact.classified` / `aiact.disclosed` / `aiact.<kind>`. 130+ test cases covering catalog completeness, classifier exemptions, GPAI FLOP threshold, banner / watermark / metaTag round-trips, logging biometric-field enforcement, retention floors, annexIVScaffold sections, deployer checklist for all five tiers.
+- v0.7.108 (2026-05-06) — **`b.auth.stepUp` + `b.middleware.requireStepUp` — RFC 9470 step-up authentication.** OAuth 2.0 Step-Up Authentication Challenge with elevation-grant short-circuit, RFC 9396 authorization-details parsing, and RFC 8176 AMR phishing-resistance evaluation. Routes that need a stronger or fresher authentication ceremony now have a complete primitive. **Added:** *`b.auth.acr` ACR-vocabulary registry* — Operator-extendable registry with rank-based `meets(presented, required)` and `meetsAny(presented, required[])` comparison plus `register({ value, rank })` for private vocabularies. Ships NIST 800-63-4 AAL1/2/3, OIDC `0`/`1`/`2`, ISO 29115 `loa1`-`loa4`, InCommon Bronze/Silver/Gold, and RFC 9470 `phr`/`phrh`. · *`b.auth.authTime` freshness helpers* — `ageSec(claims)` / `freshEnough(claims, maxAge)` / `buildClaims({ method, prevAt })` (refresh preserves prior auth_time per OIDC Core 1.0 §5.4) / `recommendMaxAge` clamping helper. · *`b.auth.stepUp.evaluate` full RFC 9470 evaluation* — Runs ACR rank check, ACR-values list (any-satisfies), `max_age` freshness, RFC 8176 AMR `requiredAmr: ["hwk", "pop"]` requirement, and `phishingResistant: true` boolean check. Returns structured `{ ok: false, error, reason }` so the request path keeps moving; operator typos in the requirement bubble up at boot. · *`buildChallenge` + `parseChallenge`* — `buildChallenge({ requirement, realm, errorDescription })` assembles the RFC 7235-quoted `WWW-Authenticate: Bearer error="insufficient_user_authentication", acr_values="...", max_age="..."` value with control-character / quote-injection rejection. `parseChallenge(headerValue)` is the operator-side roundtrip helper. · *`parseAuthorizationDetails` RFC 9396 parser* — Parses the fine-grained authorization-details parameter and validates each entry has the required `type` field. · *Elevation-grant primitives* — `b.auth.stepUp.grant.{create,verify,revoke,isRevoked,list,setSigningKey}` issues short-lived HMAC-SHA3-512 signed elevation grants binding `(subject, scope, acr, amr, audience, evidence, iat, exp, jti)`; `verify` enforces audience, scope, subject, expiry, and revocation. · *`b.middleware.requireStepUp`* — Mounts the RFC 9470 challenge in front of routes; checks an optional `X-Step-Up-Grant` header first (multi-step flows skip re-prompting), falls back to claims-based evaluation. Audit emissions on every state transition: `auth.stepup.required`, `satisfied`, `denied`, `grant.issued`, `consumed`, `revoked`, `rejected`. Sixty-plus test cases cover ACR rank, registration, AMR phishing-resistance, auth_time freshness with skew, RFC 7235 quote-injection rejection, RAR JSON shape checks, grant happy-path / tamper / audience / scope / expiry / revoke, and middleware happy-path / 401-with-WWW-Authenticate / grant short-circuit / scope-mismatch fallback / config-time typo throws. **References:** [RFC 9470 OAuth 2.0 Step-Up Authentication Challenge](https://www.rfc-editor.org/rfc/rfc9470.html) · [RFC 9396 Rich Authorization Requests](https://www.rfc-editor.org/rfc/rfc9396.html) · [RFC 8176 Authentication Method Reference Values](https://www.rfc-editor.org/rfc/rfc8176.html) · [RFC 7235 HTTP Authentication](https://www.rfc-editor.org/rfc/rfc7235.html) · [NIST SP 800-63-4](https://pages.nist.gov/800-63-4/)
+- v0.7.107 (2026-05-06) — **`b.auth.sdJwtVc` Selective Disclosure JWT for Verifiable Credentials.** SD-JWT VC primitive aligned with the EU Digital Identity Wallet (EUDI) roll-out and EU AI Act Art. 50 disclosure requirements. Ships issuer, holder, verifier, and key-binding flows with PQC algorithm defaults. **Added:** *`b.auth.sdJwtVc.issue` issuer flow* — `issue({ issuer, vct, claims, selectivelyDisclosed, issuerKey, ... })` mints an SD-JWT VC: per-claim disclosures (base64url-encoded `[salt, name, value]` JSON arrays) with their SHA-256 / SHA3-256 / SHA-512 / SHA3-512 digests pinned in the issuer-signed `_sd` array. Selectively-disclosed claims are hidden from the issuer payload; plain claims pass through. Optional `cnf` claim pins the holder's public JWK for key-binding. Supported algorithms: ES256 (default per spec), ES384, EdDSA, ML-DSA-87 (the framework's PQC default), ML-DSA-65. · *`present` holder presentation builder* — `present({ sdJwt, disclosedClaimNames, audience, nonce, holderKey })` selects which disclosures to reveal and signs an optional Key Binding JWT (typ=`kb+jwt`) carrying the audience, nonce, iat, and an `sd_hash` binding it to the specific presentation. · *`verify` verifier pipeline* — `verify(presentation, { issuerKeyResolver, audience, nonce, expectedVct, requireKeyBinding })` runs the full verification pipeline: issuer JWT signature, iat / exp / vct, per-disclosure digest match against the issuer's `_sd` array, and optional KB-JWT signature plus audience, nonce, and `sd_hash` checks. · *`b.auth.sdJwtVc.issuer.create` operator-side factory* — Operator-side issuer factory with key management, `kid` stamping, per-issuance audit emission, and `rotateKey` support. · *`b.auth.sdJwtVc.holder.create` wallet helper* — Operator-pluggable storage (production wires `b.db` / `b.objectStore`; built-in `memoryStorage()` for dev / tests). `store` / `present` / `list` / `get` / `delete` covers the full wallet lifecycle. · *`b.auth.sdJwtVc.disclosure.encode` / `decode`* — Pure helpers for the SD-JWT disclosure format. Audit emissions on every state transition (`auth.sdJwtVc.issued`, `auth.sdJwtVc.holder.stored`, `presented`, `deleted`, `auth.sdJwtVc.key_rotated`). Thirty-two test cases cover disclosure round-trip, issue/verify happy path, signature tamper, expiration, vct mismatch, disclosure tamper, present subset, key binding, issuer factory + key rotation, holder factory + storage round-trip, hash-algorithm switching, and plain-only credentials. **References:** [draft-ietf-oauth-sd-jwt-vc](https://datatracker.ietf.org/doc/draft-ietf-oauth-sd-jwt-vc/) · [EU Digital Identity Wallet (EUDI)](https://digital-strategy.ec.europa.eu/en/policies/eudi-wallet) · [EU AI Act (Regulation 2024/1689) Art. 50](https://eur-lex.europa.eu/eli/reg/2024/1689/oj)
+- v0.7.106 (2026-05-06) — **`b.guardHtml.wcag` audit-only accessibility scanner.** Pure static analysis of HTML against WCAG 2.2 — no rendering, no JS execution. Emits structured findings the operator wires into a CI gate, an audit log, or a dev warning. Ships page-level, ARIA, tables, and forms scanners. **Added:** *`b.guardHtml.wcag.audit` page + element scanner* — `audit(html, { level, ignore, allowedRoles, allowedAutocomplete, ... })` returns `{ findings: [{ sc, level, severity, element, line, column, message, remediation }], summary: { error, warning, info }, score, totalFindings, scopeUrl, scannedAt }`. Page-level checks: `<html lang>` (3.1.1), `<title>` (2.4.2), skip-link (2.4.1). Element-level checks: `<img alt>` (1.1.1), input labels (3.3.2), input names (4.1.2), button text (4.1.2), anchor accessible name (2.4.4), heading order, and empty heading (1.3.1). · *`b.guardHtml.wcag.aria.audit` WAI-ARIA 1.2 validation* — Catches unknown role values, missing required ARIA properties (e.g. `role="checkbox"` without `aria-checked`), aria-* values outside the spec value set (`aria-checked` outside `{true, false, mixed}`), unresolved `aria-labelledby` / `aria-controls` / `aria-describedby` references, and `aria-hidden="true"` on interactive elements. Operators with custom design systems extend the role registry via `allowedRoles`. · *`b.guardHtml.wcag.tables.audit` table semantics* — Flags `<table>` without `<caption>` for data tables (layout tables with `role="presentation"` skip the check), `<th>` without scope or with invalid scope value, and `<tr>` outside table-context wrappers. · *`b.guardHtml.wcag.forms.audit` form-specific checks* — `<fieldset>` without `<legend>` (1.3.1), input `autocomplete=` value against the HTML 5.3 token registry (1.3.5), password input with `autocomplete="off"` (3.3.8 blocks password managers), input/email without autocomplete (3.3.7 redundant entry), and `<textarea>` without a label. · *Filters + heuristic score* — Conformance level filter (`A` / `AA` / `AAA`); `ignore: ["1.4.3"]` for SC-by-SC opt-out; `skipAria` / `skipTables` / `skipForms` for module-level opt-out. Heuristic score (1 - weighted-violations / heuristic-max) for a quick gauge. Fifty-one test cases. **References:** [WCAG 2.2](https://www.w3.org/TR/WCAG22/) · [WAI-ARIA 1.2](https://www.w3.org/TR/wai-aria-1.2/) · [HTML autocomplete token registry](https://html.spec.whatwg.org/multipage/form-control-infrastructure.html#autofill)
+- v0.7.105 (2026-05-06) — **`b.compliance.sanctions` screening primitive.** Sanctions-list screening for KYC, payment, and customer-onboarding flows. Framework owns indexing plus three match strategies; operator owns the daily fetch and format-specific parsing. Ships parser shims for OFAC SDN, EU CSL, and UN 1267. **Added:** *`b.compliance.sanctions.create` screener* — `create({ entries, algorithm, fuzzy, ... })` returns a screener with `screen(input)` (single record), `screenBulk(inputs)` (batch), `snapshot()` (rule-version digest for audit trails), `reload(newEntries)` (atomic index swap with diff), `entryById(id)`, and `size()`. · *Three match strategies* — `exact` (fastest, no fuzz), `jaro-winkler` (default, threshold 0.85), and `levenshtein` (edit-distance with cap). Match output: `{ match, hits: [{ entryId, name, matchedOn, score, reason, listed, programs }], algorithm, ruleVersion, screenedAt }`. · *`b.compliance.sanctions.fuzzy` algorithmic core* — Pure helpers: `normalize` (Unicode diacritic strip + lowercase + whitespace collapse), `tokenize`, `levenshtein` (cap + early-exit), `jaro` / `jaroWinkler`, `tokenSetSimilarity` (order-invariant bag-of-tokens), `substringContains` (token-bounded), and `initialsMatch`. · *`b.compliance.sanctions.aliases.expand`* — Alias-expansion helper covering nicknames (Bill / William, Mike / Michael), transliteration variants (Mohamed / Mohammed), reverse-order forms (Smith John / Smith, John), and initials (J. Smith). Thirty-two built-in name pairs plus operator-extensible `extraPairs`. · *`b.compliance.sanctions.fetcher.create` periodic refresh* — Worker that runs the operator's `fetch` callback, validates a non-empty result, and atomically reloads the screener via `screener.reload`. Audit emissions on every refresh state: `compliance.sanctions.refresh.started`, `completed`, `skipped`, `failed`. · *Parser shims for canonical public list formats* — `parseOfacCsvRow` / `parseOfacAliasRow` / `mergeAliases` (OFAC SDN), `parseEuCslEntry` (EU Consolidated Sanctions List XML), and `parseUn1267Entry` (UN Security Council XML). The framework intentionally does not vendor the lists themselves — they change daily and have legal-distribution implications. · *Audit emissions on screen + match* — `compliance.sanctions.screened` on every screen call; `compliance.sanctions.matched` when hits > 0. Thirty-nine test cases cover normalize, tokenize, Levenshtein, Jaro-Winkler, token-set, substring, initials, screen modes, type filter, bulk, snapshot, reload, alias expansion, and fetcher tick + failure modes. **References:** [U.S. Treasury OFAC SDN list](https://ofac.treasury.gov/specially-designated-nationals-and-blocked-persons-list-sdn-human-readable-lists) · [EU Consolidated Sanctions List](https://data.europa.eu/data/datasets/consolidated-list-of-persons-groups-and-entities-subject-to-eu-financial-sanctions) · [UK HMT consolidated list](https://www.gov.uk/government/publications/financial-sanctions-consolidated-list-of-targets) · [UN Security Council 1267 list](https://www.un.org/securitycouncil/content/un-sc-consolidated-list)
+- v0.7.104 (2026-05-06) — **`b.dsr` data-subject-rights workflow primitive.** End-to-end coordinator for GDPR Article 15-22, CCPA, CPRA, LGPD, PIPEDA, and UK-GDPR data-subject requests. Ships ticket lifecycle, posture-aware deadlines, verification ladder, signed receipts, portability bundles, and two ticket-store backends. **Added:** *`b.dsr.create` workflow coordinator* — `b.dsr.create({ ticketStore, posture, identityResolver, sources, ... })` returns a workflow instance with full ticket lifecycle. `submit(input)` resolves the subject identity via the operator-supplied `identityResolver`, computes a posture-aware deadline (gdpr 30d / ccpa 45d / lgpd-br 15d / pipl-cn 15d / pipeda-ca 30d / appi-jp 30d / pdpa-sg 30d / uk-gdpr 30d), and persists a pending ticket. `process(ticketId, opts)` orchestrates per-source `query` (for access / portability / rectification) or `erase` (for erasure) callbacks; partial source failures land the ticket in `partially_completed` state with per-source error capture. `cancel` / `reject` (with required reason per GDPR) advance to terminal states. `expireOverdue()` marks deadline-overdue tickets as `expired`. · *Seven request types covered* — `access`, `erasure`, `portability`, `rectification`, `restriction`, `object`, and `automated-decision` are all first-class workflow entry points. · *Verification ladder per GDPR Art. 12(6)* — Three levels (`minimal` / `secondary` / `strong`) with a minimum required level by request type and an operator override. Erasure, portability, and rectification require `secondary` by default. · *Receipt + portability builders* — `buildReceipt(ticketId)` emits a canonical `blamejs.dsr.receipt/1` JSON envelope for completed/cancelled/rejected/expired tickets with an optional `receiptSigner` hook for cryptographic attestation. `buildPortabilityBundle(ticket)` produces the `blamejs.dsr.portability/1` JSON shape with per-source data for access and portability requests. · *Two ticket-store backends* — `memoryTicketStore()` for development and tests; `dbTicketStore({ db, table })` for production (auto-provisions a SQLite table with subject_email + status indexes and a `purgeExpired()` retention sweep). · *Audit emissions on every state transition* — `dsr.ticket.submitted`, `in_progress`, `completed`, `partial`, `cancelled`, `rejected`, `expired`, plus per-source `dsr.source.queried`, `erased`, and `failed`. Thirty-eight test cases cover submit, process, cancel, reject, list, expire, portability, verification ladder, receipt, and store backends. **References:** [GDPR Articles 15-22](https://gdpr-info.eu/chapter-3/) · [CCPA / CPRA](https://oag.ca.gov/privacy/ccpa) · [LGPD (Brazil)](https://www.gov.br/cnpd/pt-br) · [PIPEDA (Canada)](https://www.priv.gc.ca/en/privacy-topics/privacy-laws-in-canada/the-personal-information-protection-and-electronic-documents-act-pipeda/) · [UK GDPR](https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/)
+- v0.7.103 (2026-05-06) — **W3C distributed tracing suite — tracestate / Baggage / OTel-shaped spans / OTLP exporter.** End-to-end OTel-shaped distributed tracing without a vendored OTel SDK. Adds tracestate + Baggage parsers, an OTel-compatible span builder, an OTLP/JSON exporter, HTTP server span middleware, and log correlation that auto-stamps `trace_id` + `span_id` on every log line inside a request handler. **Added:** *`b.observability.traceContext.parseTracestate` / `buildTracestate`* — W3C Trace Context section 3.3 vendor data: enforces vendor-key shape (lcase-alnum + `_-*/`, optional `<tenant>@<system>`), value charset (printable ASCII excluding `,` and `=`), 32-entry cap, 512-char total cap, dup-key-keep-first per section 3.3.1.5. · *`b.observability.baggage.parse` / `build`* — W3C Baggage spec parser + builder for operator-supplied context (tenantId, region, experimentId, etc.) propagated across service boundaries. RFC 7230 tchar key grammar, percent-encoded UTF-8 values, optional per-entry properties (`key=value;property=value`), 64-entry / 8192-char caps. · *`b.observability.tracer.create({ service, resource, onEnd })`* — OTel-shaped span builder. `tracer.start(name, opts)` returns a span with `setAttribute` / `setAttributes` / `addEvent` / `recordException` / `setStatus` / `end` / `isRecording` / `toJSON`. OTLP/JSON-compatible output (Trace v1) with `traceId` / `spanId` / `parentSpanId` / `name` / `kind` / `startTimeUnixNano` / `endTimeUnixNano` / `attributes` / `events` / `status` / `resource` / `scope` / `droppedAttributesCount` / `droppedEventsCount`. Attribute caps (128 keys, 1024-char values), event cap (128) per OTLP defaults. `tracer.startChildOf(parent, name)` derives child spans sharing the trace context. · *`b.observability.tracer.spanToTraceparent(span)`* — Emits the canonical W3C `traceparent` for outbound propagation. · *`b.observability.otlpExporter.create({ endpoint, ... })`* — Buffered OTLP/HTTP JSON span exporter. Batches spans (default 200), flushes on size + interval (default 5s), retries 5xx + 408/429 with exponential backoff, drops oldest on queue overflow (default 4096). Custom `fetchImpl` opt for testing or non-default HTTP transports; `allowedProtocols` opt for cleartext dev collectors. · *`b.middleware.spanHttpServer({ tracer, ... })`* — Auto-creates a root server span per HTTP request, populates OTel `SEMCONV.HTTP_*` / `URL_*` / `SERVER_*` / `CLIENT_*` attributes, attaches the span to `req.span`, ends on response close, fires `onEnd(span.toJSON())` for export. `ignorePaths` (string + RegExp) keeps healthz / static-asset routes out of span volume; `captureRequestHeaders` / `captureResponseHeaders` lift named headers into the span as `http.request.header.*` / `http.response.header.*` attributes. · *`b.middleware.traceLogCorrelation({ logger })`* — Wraps a `b.log` instance for the request lifetime so every `info()` / `warn()` / `error()` emission inside the handler auto-includes `trace_id` + `span_id` from the active context (via `req.trace` + `req.span`). Pass-through when no trace context present. **Changed:** *`b.middleware.tracePropagate` reads inbound tracestate* — Extended to also read inbound `tracestate` and stamp `req.trace.tracestate` as the parsed entries array (or `[]` when missing); when `setResponseHeader: true`, echoes both `traceparent` and `tracestate` on the response. · *Shared regex constants consolidated across observability + guard surfaces* — `safeBuffer.TRACE_ID_HEX_RE` / `SPAN_ID_HEX_RE` / `RFC7230_TCHAR_RE` extracted as shared regex constants; `guard-mime` / `middleware/headers` / `observability` consolidated against the new shared constants. **References:** [W3C Trace Context Level 1](https://www.w3.org/TR/trace-context-1/) · [W3C Baggage](https://www.w3.org/TR/baggage/) · [OTLP/HTTP specification](https://github.com/open-telemetry/opentelemetry-specification/blob/main/specification/protocol/otlp.md) · [RFC 7230 tchar grammar](https://www.rfc-editor.org/rfc/rfc7230.html)
+- v0.7.102 (2026-05-06) — **`b.middleware.tracePropagate` — inbound traceparent ingestion middleware.** Consumes the inbound `traceparent` header per W3C Trace Context and stamps `req.trace = { traceId, parentId, sampled, hadUpstream }` for downstream handlers + propagation into outbound HTTP calls. Composes with the v0.7.101 `b.observability.traceContext` parser/builder. **Added:** *`b.middleware.tracePropagate({ generateIfMissing, ... })`* — `generateIfMissing: true` (default) synthesises a fresh trace when the inbound header is missing/malformed and stamps `hadUpstream: false`. `auditOnMissing: true` emits `system.trace.synthesised` audit events on every locally-originated trace. `setResponseHeader: true` echoes the resolved traceparent on the response (useful when the framework is the back-end of an L7 router that wants to log it). Downstream handlers read `req.trace.traceId` and pass it to `traceContext.build({ traceId: req.trace.traceId, parentId: traceContext.newParentId(), sampled: req.trace.sampled })` for the `traceparent` header on upstream calls. **References:** [W3C Trace Context Level 1](https://www.w3.org/TR/trace-context-1/)
+- v0.7.101 (2026-05-06) — **`b.observability.traceContext` — W3C Trace Context parser + builder.** Vendor-free W3C Trace Context support so operators can propagate trace IDs across an outbound HTTP call without a vendored OTel SDK. Pairs with the SEMCONV constants from v0.7.95 to build OTel-aligned spans on top. **Added:** *`traceContext.parse(headerValue)`* — Consumes a `traceparent` HTTP header value (`00-<32hex traceId>-<16hex parentId>-<2hex flags>`) and returns `{ version, traceId, parentId, flags, sampled }` or null on malformed input. Enforces the section 3.2.2.3 / 3.2.2.4 all-zero-rejection rule (zero trace-id and zero parent-id are explicitly forbidden by spec). · *`traceContext.build({ traceId, parentId, sampled })`* — Produces a v1 `traceparent` header value; throws on bad input shape. · *`traceContext.newTraceId()` / `newParentId()`* — Generate fresh randomized 128-bit / 64-bit hex strings, with the all-zero retry path the spec requires. **References:** [W3C Trace Context Level 1](https://www.w3.org/TR/trace-context-1/)
+- v0.7.100 (2026-05-06) — **`b.network.tls.expiryMonitor` — periodic CA-trust-store expiry monitor.** Runs `expiringSoon(windowMs)` on a schedule and surfaces expiring CAs via audit events, observability counters, and an optional operator hook. Closes the continuous-trust-monitoring follow-up to the v0.7.26 OCSP/CT release. **Added:** *`b.network.tls.expiryMonitor({ intervalMs, windowMs, onExpiring })`* — Emits `network.tls.ca.expiry_check` audit event on every check (with `expiring` count + `total` CA count), `network.tls.ca.expiring` audit event when any CA falls inside the window, and the matching `network.tls.ca.expiring` observability counter. Optional `onExpiring(rows)` operator hook fires on every check that surfaces expiring CAs so operators can wire pager / Slack alerts. Audit metadata captures the expiring CA labels + the earliest `validTo` timestamp so dashboards can compute days-until-first-expiry without re-querying. Returns a handle with `.stop()` for graceful shutdown.
+- v0.7.99 (2026-05-06) — **`b.db.integrityCheck` + `b.db.integrityMonitor` — periodic SQLite corruption detection.** On-demand `PRAGMA integrity_check` plus a scheduled monitor for long-running deployments where filesystem-level corruption can develop after boot. The boot-time check added in v0.7.79 continues to run unchanged at `db.init`. **Added:** *`b.db.integrityCheck()`* — Runs `PRAGMA integrity_check` against the live database and returns `"ok"` on a healthy database, or an array of corruption description strings on damage. Operators wire this into `/healthz` handlers or one-off CLI checks. · *`b.db.integrityMonitor({ intervalMs, onCorruption })`* — Runs the check on a schedule (24h default), emits `system.db.integrity_ok` / `system.db.integrity_corrupt` audit events, and fires the `db.integrity_check_ok` / `db.integrity_check_corrupt` observability counters. Optional `onCorruption(issues)` operator hook fires on every corrupt result so operators can wire pager alerts. Returns a handle with `.stop()` for graceful shutdown.
+- v0.7.98 (2026-05-06) — **`b.ntpCheck.monitor` — periodic clock-drift monitor with audit + observability emissions.** Runs `checkDrift` on a schedule and emits audit + observability events on threshold crossings. The boot-time `b.ntpCheck.bootCheck` continues to run unchanged at `db.init`; the monitor exists for long-running deployments where clock-drift can develop after boot (container with no RTC sync, ntpd stopped after boot, etc.). **Added:** *`b.ntpCheck.monitor({ intervalMs, ... })`* — Returns a handle with `.stop()` for graceful shutdown. Audit emissions: `system.ntp.checked` (every check), `system.ntp.drift_warn` (drift exceeds warn threshold), `system.ntp.drift_fatal` (drift exceeds fatal threshold), `system.ntp.unreachable` (every server in the list failed to respond). Observability event: `ntp.drift_ms` gauge on every successful check, labeled with the responding server. Optional `onDrift(result)` operator hook fires on every warning/fatal check so operators can wire pager / Slack notifications.
+- v0.7.97 (2026-05-06) — **`b.compliance` lookup helpers — posturesByDomain / posturesByJurisdiction / list.** Pure-function lookups over the v0.7.94 `REGIME_MAP` so admin UIs and multi-region deployments can resolve postures by domain or ISO 3166 alpha-2 jurisdiction without iterating the raw map. **Added:** *`b.compliance.posturesByDomain(domain)`* — Returns every posture matching the named domain (`"privacy"` / `"health"` / `"payment"` / `"cybersecurity"` / `"financial-reporting"` / `"financial-resilience"` / `"product-cybersecurity"` / `"ai-governance"` / `"biometrics"` / `"audit-attestation"`). · *`b.compliance.posturesByJurisdiction(jurisdiction)`* — Returns postures matching the ISO 3166 alpha-2 code, `EU`, or `international` — useful for multi-region deployments that resolve different posture configs per region. · *`b.compliance.list()`* — Returns every posture as a `{ posture, name, citation, jurisdiction, domain }` row in canonical `KNOWN_POSTURES` order. Admin UIs render the full set as a dropdown / table without iterating `REGIME_MAP` keys themselves.
+- v0.7.96 (2026-05-06) — **`b.observability.timed` — wrap a sync/async operation in a duration + outcome counter.** Consolidates the hand-rolled `t0 = Date.now(); ... event(name, 1, { duration_ms, outcome })` pattern that had been repeated at many observability call sites into a single helper. Composes with the existing `b.observability.SEMCONV` constants. **Added:** *`b.observability.timed(name, fn, labels)`* — Measures wall-clock duration of a sync or async operation and emits a counter event carrying `duration_ms` in the labels alongside `outcome: "ok" | "fail"`. Returns the wrapped function's return value verbatim; rethrows on error after emitting the failure event with `error_type` capturing the thrown error's `.name`. Operation name MUST be a stable string (not derived from input) to keep metric cardinality bounded; dynamic per-tenant labels go in the `labels` parameter. Example: `b.observability.timed("db.query", async () => db.query("SELECT ..."), { [SEMCONV.DB_OPERATION_NAME]: "select" })`.
+- v0.7.95 (2026-05-06) — **`b.observability.SEMCONV` — GenAI + cloud + container attribute coverage.** Twenty-eight new OpenTelemetry semantic-convention attribute names covering generative-AI workloads, vector databases, cloud runtime context, and Kubernetes orchestration. Reference these constants instead of hand-rolling the strings — typos throw at access time instead of producing mis-named span attributes the OTel collector silently drops. **Added:** *GenAI attributes (19)* — `GEN_AI_SYSTEM` / `GEN_AI_REQUEST_MODEL` / `GEN_AI_REQUEST_TEMPERATURE` / `GEN_AI_REQUEST_TOP_P` / `GEN_AI_REQUEST_TOP_K` / `GEN_AI_REQUEST_MAX_TOKENS` / `GEN_AI_REQUEST_STOP_SEQUENCES` / `GEN_AI_RESPONSE_MODEL` / `GEN_AI_RESPONSE_ID` / `GEN_AI_RESPONSE_FINISH_REASONS` / `GEN_AI_USAGE_INPUT_TOKENS` / `GEN_AI_USAGE_OUTPUT_TOKENS` / `GEN_AI_USAGE_TOTAL_TOKENS` / `GEN_AI_OPERATION_NAME` / `GEN_AI_TOOL_NAME` / `GEN_AI_TOOL_CALL_ID` / `GEN_AI_AGENT_ID` / `GEN_AI_AGENT_NAME` / `GEN_AI_AGENT_DESCRIPTION`. · *Vector DB / RAG attributes (3)* — `DB_VECTOR_QUERY_TOP_K` / `DB_VECTOR_QUERY_DIMENSIONS` / `DB_VECTOR_QUERY_DISTANCE_METRIC`. · *Cloud attributes (4)* — `CLOUD_PROVIDER` / `CLOUD_REGION` / `CLOUD_ACCOUNT_ID` / `CLOUD_RESOURCE_ID`. · *Container / Kubernetes attributes (6)* — `CONTAINER_ID` / `CONTAINER_IMAGE_NAME` / `CONTAINER_IMAGE_TAG` / `K8S_NAMESPACE_NAME` / `K8S_POD_NAME` / `K8S_DEPLOYMENT_NAME`. **References:** [OpenTelemetry semantic conventions](https://opentelemetry.io/docs/specs/semconv/)
+- v0.7.94 (2026-05-06) — **`b.compliance.REGIME_MAP` + `b.compliance.describe` — posture name / citation / jurisdiction / domain lookup.** Frozen lookup table mapping each compliance posture to its human-readable name, statutory citation, jurisdiction, and domain. Operators rendering deployment posture in admin UI or audit logs reach for this instead of hand-rolling the table; values track the regulatory text and update with the framework rather than going stale. **Added:** *`b.compliance.REGIME_MAP` + `b.compliance.describe(<posture>)`* — `b.compliance.describe("hipaa")` returns `{ name: "Health Insurance Portability and Accountability Act", citation: "Pub. L. 104-191; 45 CFR Parts 160, 162, 164", jurisdiction: "US", domain: "health" }`. Covers all 19 postures shipped through v0.7.91 (hipaa / pci-dss / soc2 / sox plus the v0.7.91 expansions: wmhmda / bipa / ccpa / gdpr / dora / nis2 / cra / ai-act / lgpd-br / pipl-cn / appi-jp / pdpa-sg / pipeda-ca / uk-gdpr). The `domain` field categorizes the regime (privacy / health / payment / cybersecurity / financial-reporting / etc.) so operators can render compliance dashboards grouped by domain instead of alphabetical posture.
+- v0.7.93 (2026-05-06) — **Adjacent-regulation incident-reporting deadline references exported on `b.dora`.** `b.dora.DEADLINES_NIS2` — NIS2 (Directive (EU) 2022/2555) Art. 23 deadlines: 24h early warning, 72h initial notification, 1 month final report. `b.dora.DEADLINES_CRA` — CRA (Regulation (EU) 2024/2847) Art. 14 deadlines: 24h early warning, 72h initial notification, 14 days final report. **Added:** *`b.dora.DEADLINES_NIS2`* — NIS2 (Directive (EU) 2022/2555) Art. 23 deadlines: 24h early warning, 72h initial notification, 1 month final report. · *`b.dora.DEADLINES_CRA`* — CRA (Regulation (EU) 2024/2847) Art. 14 deadlines: 24h early warning, 72h initial notification, 14 days final report. · *`b.dora.DEADLINES_HIPAA_BREACH`* — HIPAA Breach Notification Rule (45 CFR §164.404 / §164.408) deadlines: 60 days for affected individuals, 60 days for HHS Secretary, annual aggregate report by March 1 for sub-500-individual breaches. Operators handling NIS2 / CRA / HIPAA reporting reach for these constants instead of pinning literal hour counts in their workflow code; the values track the regulatory text and update with the framework rather than going stale in operator code. The b.dora factory itself continues to enforce DORA Article 19 deadlines unchanged — operators wiring NIS2 / CRA / HIPAA workflows compose against the deadline constants directly with their own scheduler / submission code.
+- v0.7.92 (2026-05-06) — **Retention floors + observability semconv expansion.** `b.retention.complianceFloor(<posture>, candidateMs)` now recognizes `nis2` (3 years — NIS2 Art. 23 incident reporting), `cra` (5 years — CRA Art. 14 vulnerability handling logs), `lgpd-br` (5 years — Brazil fiscal record minimum + LGPD Art. **Added:** *`b.retention.complianceFloor(<posture>, candidateMs)`* — now recognizes `nis2` (3 years — NIS2 Art. 23 incident reporting), `cra` (5 years — CRA Art. 14 vulnerability handling logs), `lgpd-br` (5 years — Brazil fiscal record minimum + LGPD Art. 16), `appi-jp` (3 years — Japan APPI handler-of-record), `pdpa-sg` (1 year — PDPA breach notification audit trail), and `uk-gdpr` (6 years — UK ICO guidance + statutory limit alignment). `gdpr` continues to have no fixed minimum (Art. 5(1)(e) is "no longer than necessary" — operator-driven). · *`b.observability.SEMCONV`* — gains RPC attributes (`RPC_SYSTEM` / `RPC_SERVICE` / `RPC_METHOD` / `RPC_GRPC_STATUS_CODE`), additional messaging keys (`MESSAGING_CLIENT_ID` / `MESSAGING_MESSAGE_ID` / `MESSAGING_DESTINATION_PARTITION_ID` / `MESSAGING_BATCH_MESSAGE_COUNT`), network transport (`NETWORK_TRANSPORT` / `NETWORK_CONNECTION_TYPE`), process / runtime identification (`PROCESS_PID` / `PROCESS_RUNTIME_NAME` / `PROCESS_RUNTIME_VERSION`), service identification (`SERVICE_NAME` / `SERVICE_VERSION` / `SERVICE_INSTANCE_ID`), and telemetry SDK self-id (`TELEMETRY_SDK_NAME` / `TELEMETRY_SDK_LANGUAGE` / `TELEMETRY_SDK_VERSION`). Operators wiring the framework's tap into a gRPC-fronted OTel collector or an outbox-fed Kafka topic now reference the canonical attribute names directly without an aliasing table on their side.
+- v0.7.91 (2026-05-06) — **Compliance-posture vocabulary expanded + OpenTelemetry semantic-convention attribute table.** `b.compliance.set(<posture>)` now accepts thirteen new posture names: `wmhmda` (Washington My Health My Data Act), `bipa` (Illinois Biometric Information Privacy Act), `ccpa` (California Consumer Privacy Act), `nis2` (EU NIS2 Directive), `cra` (EU Cyber Resilience Act), `ai-a. **Added:** *`b.compliance.set(<posture>)`* — now accepts thirteen new posture names: `wmhmda` (Washington My Health My Data Act), `bipa` (Illinois Biometric Information Privacy Act), `ccpa` (California Consumer Privacy Act), `nis2` (EU NIS2 Directive), `cra` (EU Cyber Resilience Act), `ai-act` (EU AI Act), `lgpd-br` (Brazil LGPD), `pipl-cn` (China PIPL), `appi-jp` (Japan APPI), `pdpa-sg` (Singapore PDPA), `pipeda-ca` (Canada PIPEDA), `uk-gdpr` (UK GDPR). Existing `hipaa` / `pci-dss` / `gdpr` / `soc2` / `dora` / `sox` continue to work. Postures map to per-primitive defaults via the existing compliancePosture opt on guards, retention, dora, etc. — operators set the deployment-wide posture once and primitives that key off it pick up the right defaults. · *`b.observability.SEMCONV`* — frozen attribute-name table tracking the OpenTelemetry semantic-convention stable namespace (1.27+). HTTP server attributes (`http.request.method`, `http.response.status_code`, `http.route`, `server.address`, `client.address`), URL (`url.full`, `url.path`, `url.scheme`), database (`db.system`, `db.namespace`, `db.operation.name`, `db.query.text`), messaging (`messaging.system`, `messaging.destination.name`), auth (`user.id`, `session.id`), errors (`error.type`, `exception.type`, `exception.message`). Operators wiring the framework's tap into an OTel SDK reference these constants instead of hand-rolling the names — no aliasing table on the operator side, and string typos throw at access time instead of producing mis-named span attributes that the OTel collector silently drops.
+- v0.7.90 (2026-05-06) — **`b.outbox` — transactional outbox primitive for at-least-once event publication without distributed.** transactions. `b.outbox.create({ externalDb, table, publisher, ... })` returns an outbox instance with three core operations: `enqueue(event, txn)` writes the outbox row inside the operator's transaction (using the `txClient` returned by `b.externalDb.transaction`), `start()` spins a polling publisher worker that claims rows via `SELECT ... **Added:** *`b.outbox.create({ externalDb, table, publisher, ... })`* — returns an outbox instance with three core operations: `enqueue(event, txn)` writes the outbox row inside the operator's transaction (using the `txClient` returned by `b.externalDb.transaction`), `start()` spins a polling publisher worker that claims rows via `SELECT ... FOR UPDATE SKIP LOCKED` (Postgres) and dispatches to the operator-supplied async `publisher(event)` callback, `stop()` gracefully shuts the worker down. Failed publishes retry with exponential backoff (`retryBackoff: { initialMs, maxMs, factor }`); rows that exceed `maxAttempts` are marked `'dead'` for operator triage and an `system.outbox.deadletter` audit event fires. Schema is operator-managed: `outbox.declareSchema(externalDb)` runs an idempotent `CREATE TABLE IF NOT EXISTS ... (id, topic, payload, key, headers, enqueued_at, next_attempt_at, published_at, attempts, last_error, status)` + a partial index on `(next_attempt_at) WHERE status = 'pending'`. `pendingCount()` / `deadCount()` expose the queue depth + DLQ depth for operator dashboards. Observability events on every state transition (`outbox.enqueued` / `outbox.published` / `outbox.publish-failed` / `outbox.dead-letter`).
+- v0.7.89 (2026-05-06) — **Three additive primitives bundled: TUS resumable uploads, WebAuthn Signal API, DPoP server-issued nonce challenge.** `b.middleware.tusUpload({ mountPath, store, ... })` implements the [tus.io](https://tus.io) v1.0.0 resumable-upload protocol — POST creates uploads, HEAD reports offsets, PATCH appends chunks, DELETE terminates. Supported extensions: `creation`, `creation-with-upload`, `expiration`, `checksum`, `termination`. **Added:** *`b.middleware.tusUpload({ mountPath, store, ... })`* — implements the [tus.io](https://tus.io) v1.0.0 resumable-upload protocol — POST creates uploads, HEAD reports offsets, PATCH appends chunks, DELETE terminates. Supported extensions: `creation`, `creation-with-upload`, `expiration`, `checksum`, `termination`. The `checksum` extension defaults to PQC-first algorithms (`sha3-512`, `shake256`) — operators add classical algorithms explicitly via `checksumAlgorithms`. A built-in `b.middleware.tusUpload.memoryStore({ maxSize })` ships for development; production operators implement the `{ create, head, append, setLength, terminate, purgeExpired, getBuffer }` shape against their object-store backend. Bounded chunk collection routes through `safeBuffer.boundedChunkCollector` (cap-enforced at push time, no 10-GiB pre-collect). Concatenation extension (parallel-chunk assembly) deferred — operators that need it compose against their store layer; re-open if a store-layer-only solution proves insufficient. · *`b.auth.passkey.signalUnknownCredential` / `signalAllAcceptedCredentials` /* — add the W3C WebAuthn Signal API descriptor builders — when the browser implements `PublicKeyCredential.signal*`, operators emit the matching JSON descriptor to clean up stale passkeys, refresh user details, and surface revocations without forcing a re-registration. All three validate `rpId` / `userId` / `credentialId` shape (base64url) and refuse `name`/`displayName` longer than 256 chars. · *`b.middleware.dpop({ requireNonce: true, nonceRotateSec? })`* — implements RFC 9449 §8 server-issued DPoP-Nonce challenge — the middleware emits `DPoP-Nonce: <fresh>` on every 401 response, refuses proofs whose `nonce` claim isn't in the rolling current+previous pair, and refreshes the nonce on every successful response. The rolling-pair manager rotates without timers (lazy maybe-rotate on access); no operator nonce store needed. The `getNonce` callback path stays intact for operator-managed nonce flows. **References:** [RFC 9449](https://www.rfc-editor.org/rfc/rfc9449.html)
+- v0.7.88 (2026-05-06) — **`b.middleware.webAppManifest` + `b.middleware.assetlinks` — two static-content middlewares for PWA.** + Trusted Web Activity support. `b.middleware.webAppManifest({ name, start_url, icons, ... })` serves the W3C Web App Manifest at `/manifest.webmanifest` (and `/manifest.json` when `alsoAtJsonPath: true`). **Added:** *`b.middleware.webAppManifest({ name, start_url, icons, ... })`* — serves the W3C Web App Manifest at `/manifest.webmanifest` (and `/manifest.json` when `alsoAtJsonPath: true`). The framework JSON-serializes once at create() and serves with `Content-Type: application/manifest+json` per the W3C spec + `Cache-Control: public, max-age=86400` + `X-Content-Type-Options: nosniff`. The W3C-spec attribute set is allowlisted (name / short_name / description / start_url / scope / display / display_override / orientation / theme_color / background_color / icons / screenshots / shortcuts / categories / lang / dir / id / prefer_related_applications / related_applications) — typos throw at create. `name`, `start_url`, and at least one icon are required (W3C — installability minimum). HEAD + GET only. · *`b.middleware.assetlinks({ statements })`* — serves Digital Asset Links at `/.well-known/assetlinks.json` per Google's spec — used by Trusted Web Activity, Android App Links, Smart Lock for Passwords, WebAuthn for Android. Validates each statement carries `relation` (non-empty array) and `target` (object). Same Content-Type / Cache-Control / X-Content-Type-Options posture as the security.txt + manifest emitters.
+- v0.7.87 (2026-05-06) — **Two route-guard middlewares for API hardening — `b.middleware.requireMethods` and `b.middleware.requireContentType`.** `b.middleware.requireMethods(["GET", "POST"])` refuses any HTTP method outside the allowlist with `405 Method Not Allowed` + `Allow:` header listing the allowed methods (per RFC 9110 §15.5.6). **Fixed:** *`b.middleware.requireMethods(["GET", "POST"])`* — refuses any HTTP method outside the allowlist with `405 Method Not Allowed` + `Allow:` header listing the allowed methods (per RFC 9110 §15.5.6). Defends against unexpected verb routing — many CVE-class bugs trace to a route handler wired for GET that accidentally accepts arbitrary verbs (PROPFIND, OPTIONS, custom). · *`b.middleware.requireContentType(["application/json"])`* — refuses requests with a body (POST/PUT/PATCH by default) whose `Content-Type` isn't in the allowlist with `415 Unsupported Media Type` + `Accept:` header listing the allowed types (RFC 9110 §15.5.16). Defends against MIME-type confusion — a route that processes JSON shouldn't accept `application/x-www-form-urlencoded` even if the body parses. Both middlewares emit observability events (`middleware.requireMethods.denied` / `middleware.requireContentType.denied`) on every refusal for triage. Operators wanting to enforce content-type on idempotent verbs that DO carry bodies (rare DELETE-with-body shapes) override the default body-method list via `requireContentType(types, { methods })`. **References:** [RFC 9110](https://www.rfc-editor.org/rfc/rfc9110.html)
+- v0.7.86 (2026-05-06) — **`b.middleware.csrfProtect({ requireJsonContentType: true })` — strict-fetch mode for JSON-only API.** surfaces. State-changing requests (POST/PUT/PATCH/DELETE) without `Content-Type: application/json` are refused before the token check with `CSRF: state-changing requests require Content-Type: application/json.` and audit emission `csrf.denied` with `reason: "non-JSON content-type: ..."`. **Added:** *`b.middleware.csrfProtect({ requireJsonContentType: true })` — strict-fetch mode for JSON-only API* — `b.middleware.csrfProtect({ requireJsonContentType: true })` — strict-fetch mode for JSON-only API surfaces. State-changing requests (POST/PUT/PATCH/DELETE) without `Content-Type: application/json` are refused before the token check with `CSRF: state-changing requests require Content-Type: application/json.` and audit emission `csrf.denied` with `reason: "non-JSON content-type: ..."`. The browser's form-encoded POST shape is the canonical CSRF vector — a malicious page can `<form action="/transfer" method=POST>` a victim into a state-changing request without a preflight. An `application/json` body forces a CORS preflight (the browser refuses to skip it for non-simple Content-Type values), so an attacker without an operator-allowlisted CORS origin can't reach the route at all. Default `false` — operators with HTML form submissions on the same routes (mixed SPA + classic form pages) keep current behavior; pure-fetch API operators opt in.
+- v0.7.85 (2026-05-06) — **`b.auth.statusList` — OAuth Token Status List (draft-ietf-oauth-status-list-20). The canonical.** credential-revocation mechanism for SD-JWT VC and OpenID for Verifiable Credentials. An issuer publishes a JWT-wrapped bitstring at a URL; relying parties fetch + check the bit at index N to determine if the credential whose `status_list` claim points at that URL+index is valid / invalid / suspended / application-specific. **Added:** *`b.auth.statusList.create({ size, bits?, fill? })`* — allocates a bit-packed buffer (`bits` ∈ {1, 2, 4, 8} per draft §6.1.1, default 1). The returned object exposes `.set(idx, status)` / `.get(idx)` / `.snapshot()` / `.toJwt({ issuer, subject, privateKey, algorithm, expiresInSec?, ... })`. · *`b.auth.statusList.fromJwt(token, { publicKey | keyResolver, algorithms?, expectedIssuer?, ... })`* — verifies the JWT through `b.auth.jwt.verify` and returns `{ list, claims }` — the list exposes `.get(idx)` to check status of an individual credential without decompressing into a separate Buffer. The bitstring is zlib-deflated (RFC 1951 raw deflate per draft §6.1.4) before base64url encoding so a million-entry list collapses to ~125 KB on the wire when most bits are zero. Caps the compressed payload at 1 MiB; operators publishing larger lists shard. Status constants exported as `b.auth.statusList.STATUS_{VALID,INVALID,SUSPENDED,APPLICATION_SPECIFIC}`. Foundational for the v0.7.58 EU AI Act + eIDAS 2.0 wallet slice. **References:** [RFC 1951](https://www.rfc-editor.org/rfc/rfc1951.html)
+- v0.7.84 (2026-05-06) — **`b.crypto.sri(content, { algorithm? })` — Subresource Integrity hash builder per W3C SRI 1.0.** . Operators emit `<script integrity="sha384-...">` and `<link integrity="sha384-...">` to defend against CDN compromise + ISP MITM injection — the browser refuses to load a resource whose actual hash diverges from the integrity attribute. **Added:** *`b.crypto.sri(content, { algorithm? })` — Subresource Integrity hash builder per W3C SRI 1.0* — `b.crypto.sri(content, { algorithm? })` — Subresource Integrity hash builder per W3C SRI 1.0. Operators emit `<script integrity="sha384-...">` and `<link integrity="sha384-...">` to defend against CDN compromise + ISP MITM injection — the browser refuses to load a resource whose actual hash diverges from the integrity attribute. Default algorithm is `sha384` (W3C §3.2 — collision margin without sha512's 64-byte overhead); `sha256` and `sha512` also accepted, anything else refused. Accepts `Buffer` / `Uint8Array` / `string` / array of those — array inputs emit multiple space-separated integrity tokens per W3C §3.3 multi-integrity (browser picks the strongest it recognizes). Returns the standard `sha###-<base64>` format ready to paste into the `integrity=""` attribute.
+- v0.7.83 (2026-05-06) — **OpenID Connect RP-Initiated Logout + RFC 9126 Pushed Authorization Requests.** `b.auth.oauth` gains two operator-facing helpers: `endSessionUrl()` builds the IdP-termination redirect URL for `/logout` routes, and `pushAuthorizationRequest()` POSTs authorization parameters out-of-band to the IdP's PAR endpoint and returns the short `request_uri` reference to redirect the browser through. **Added:** *`b.auth.oauth.endSessionUrl()` (OpenID Connect RP-Initiated Logout)* — Builds the URL the operator's `/logout` route redirects the user-agent to so the IdP terminates the session and bounces back to the operator's app. Accepts `{ idTokenHint?, postLogoutRedirectUri?, state?, logoutHint?, uiLocales?, clientId?, extraParams? }`. The IdP's `end_session_endpoint` is read from the OIDC discovery document or operator-supplied at `create({ endSessionEndpoint })`. Throws `auth-oauth/no-end-session-endpoint` when neither the discovery doc nor the operator opts supply the endpoint. · *`b.auth.oauth.pushAuthorizationRequest()` (RFC 9126 PAR)* — POSTs the authorization-request parameters directly to the IdP's PAR endpoint (mTLS or client-secret authenticated) and returns `{ url, state, nonce, verifier, challenge, requestUri, expiresIn }` — the browser-side redirect URL is `<authorizationEndpoint>?client_id=...&request_uri=...`. Defends against authorization-request parameter tampering by a man-in-the-middle at the user-agent and against URL-length overflow on long authorization requests (the `request_uri` reference is short). The PAR endpoint is read from the discovery doc's `pushed_authorization_request_endpoint` or operator-supplied at `create({ pushedAuthorizationRequestEndpoint })`. Throws `auth-oauth/no-par-endpoint` when neither source supplies it. **References:** [OpenID Connect RP-Initiated Logout 1.0](https://openid.net/specs/openid-connect-rpinitiated-1_0.html) · [RFC 9126 OAuth 2.0 Pushed Authorization Requests](https://www.rfc-editor.org/rfc/rfc9126.html)
+- v0.7.82 (2026-05-06) — **`b.mail.bimi` — BIMI record builder + DNS verifier (RFC 9091).** BIMI publishes a sender's brand logo URL in DNS so receiving MTAs can render it next to messages in supported clients (Gmail, Yahoo, Apple Mail). Three primitives ship: a record-shape builder, a DNS fetch + parse, and a standalone parser for operator-supplied TXT bodies. **Added:** *`b.mail.bimi.recordShape({ logoUrl, vmcUrl?, selector? })`* — Produces the canonical `v=BIMI1; l=https://...; a=https://...` TXT-record string per RFC 9091 §4. Both `l=` (SVG logo URL) and `a=` (Verified Mark Certificate URL per RFC 9091 §6) are HTTPS-required (refuses `http://`). All field values are CR/LF/NUL/semicolon-screened so a hostile URL can't inject a record-separator into the published TXT. · *`b.mail.bimi.fetchPolicy(domain, { selector?, dnsLookup? })`* — Queries `<selector>._bimi.<domain>` (default selector `"default"`) and returns the structured record `{ v, l, a }` or `null` when no policy is published or the record is malformed. Layered on a passing DMARC posture; operators with the existing `b.mail.dmarc` posture set up benefit from BIMI rendering immediately on receivers that honor it. · *`b.mail.bimi.parseRecord(text)`* — Parses any operator-supplied TXT body — semicolon-separated `key=value` pairs per RFC 9091 §4. The framework does not validate SVG or VMC contents against the RFC §5/§6 profiles; operators feed those to their own asset pipeline. The fetch primitive is a thin DNS lookup that returns the structured record so an operator dashboard or SMTP send-time preflight can verify the publication. **References:** [RFC 9091 BIMI](https://www.rfc-editor.org/rfc/rfc9091.html)
+- v0.7.81 (2026-05-06) — **`b.middleware.hostAllowlist` — DNS rebinding defense.** Refuses requests whose `Host` header doesn't match the operator-supplied allowlist. Closes the DNS rebinding chain (attacker DNS flips `evil.com` → `127.0.0.1`, browser still believes the URL string says `evil.com` so same-origin policy lets the JS read the response, but the operator's localhost is what actually serves). **Added:** *`b.middleware.hostAllowlist({ hosts, denyStatus?, denyBody?, audit? })`* — Operators pass an allowlist of canonical Host values (with or without port). Wildcard-leading entries (`*.example.com`) match any single label; `app.sub.example.com` does NOT match `*.example.com` (multi-label is rejected by design — wildcard certificate authorities issue only single-label intermediates). Entries without a port match any port; entries with a port require exact match. Default `denyStatus: 421` (RFC 7540 §9.1.2 "Misdirected Request"); default `denyBody: "Misdirected Request"`. Audit emits `network.host_allowlist.denied` with the reason (`missing-host` / `host-not-in-allowlist`) and the actual Host value for triage. Operators running explicitly-public services that accept arbitrary subdomains (multi-tenant forum shapes) skip this middleware entirely; there is no per-request opt-out. **References:** [RFC 7540 §9.1.2 Misdirected Request](https://www.rfc-editor.org/rfc/rfc7540.html#section-9.1.2)
+- v0.7.80 (2026-05-06) — **`b.middleware.securityTxt` (RFC 9116) + SQLite `secure_delete=ON` at DB boot.** Operators serve a static `/.well-known/security.txt` so security researchers know where to find the disclosure policy, and SQLite databases now overwrite freed page bytes on delete instead of just unlinking them from the B-tree. **Added:** *`b.middleware.securityTxt({ contact, expires, encryption?, policy?, ack?, preferredLanguages?, hiring?, canonical?, alsoAtRoot?, audit? })`* — Serves a static body at `/.well-known/security.txt` (and root `/security.txt` when `alsoAtRoot: true`) per RFC 9116. The `Contact:` and `Expires:` fields are REQUIRED per §2.5; the framework throws at config-time when either is missing AND when `expires` is in the past (RFC 9116 §2.5.5). All field values are CR/LF/NUL-screened (header-injection defense). The body is built once at `create()` and served with `Content-Length` + `Cache-Control: public, max-age=86400` + `X-Content-Type-Options: nosniff`. **Changed:** *SQLite `PRAGMA secure_delete=ON` applied at `b.db.init`* — SQLite normally just unlinks rows from the B-tree; the underlying page bytes survive on disk until a new write reuses the slot. With `secure_delete=ON`, freed pages are overwritten with zeros so a forensic recovery against the encrypted database file can't reconstruct deleted rows. The cost is one extra write per delete — already dominated by the framework's audit-chain emissions on every DSR erase / cascade fan-out. **References:** [RFC 9116 security.txt](https://www.rfc-editor.org/rfc/rfc9116.html) · [SQLite PRAGMA secure_delete](https://www.sqlite.org/pragma.html#pragma_secure_delete)
+- v0.7.79 (2026-05-06) — **PQC TLS handshake key shares + DB hardening (integrity check, lock-holder boot token).** The framework's app-layer envelope has been PQC-first since v0.7.28 (ML-KEM-1024 + X25519 hybrid for sealed records); this release extends PQC posture down to the TLS handshake itself. SQLite integrity check at boot catches B-tree corruption before mid-query failure, and the migration-lock holder ID now carries a per-process boot token so PID-reuse across container restart can't be misattributed. **Added:** *`b.network.tls.pqc` — operator-facing TLS 1.3 key-share configuration* — `b.network.tls.pqc.setKeyShares(["X25519MLKEM768", "X25519", "secp256r1"])` configures the TLS 1.3 key-share groups the framework's `https.Server` / `https.Agent` advertises. The first listed group is the operator priority; the peer picks the first mutually supported entry. `X25519MLKEM768` is the IETF draft-kwiatkowski-tls-ecdhe-mlkem-02 hybrid KEM that negotiates post-quantum + classical in one handshake — forward-secrecy survives both classical-CRQC and future quantum cryptanalysis. The default list attempts hybrid first, falls back to classical X25519 with peers that don't support the hybrid (most of the public web today), and to `secp256r1` for legacy peers. Operators wanting classical-only call `setKeyShares(["X25519"])`; `resetKeyShares()` restores the default. Requires Node 24+ with OpenSSL 3.5+ for the X25519MLKEM768 group; older Node falls back silently to the classical entries. **Changed:** *`b.network.tls.applyToContext({ base })` threads PQC key shares* — Now threads the configured key-share list through as the `groups` option to Node's TLS context. Operators who explicitly set `groups` in their `base` config keep the override. · *`b.db.init` runs `PRAGMA integrity_check` at boot* — Refuses boot if SQLite reports anything other than `"ok"`. Catches B-tree corruption at boot rather than letting it surface mid-query when the engine stumbles on a bad page. Skip via `opts.skipIntegrityCheck: true` for tmpfs-only fixtures (audited reason). **Fixed:** *Migration-lock holder ID gains a per-process boot token* — `lib/external-db-migrate.js:_lockHolderId()` now appends a per-process random 8-byte boot token, so a recycled PID-on-hostname slot after a container restart can't be misattributed back to the new boot when reading stale lock rows. Closes the PID-reuse-across-container-restart concurrent-ownership window. **References:** [draft-kwiatkowski-tls-ecdhe-mlkem](https://datatracker.ietf.org/doc/draft-kwiatkowski-tls-ecdhe-mlkem/)
+- v0.7.78 (2026-05-06) — **`b.cloudEvents.wrap` / `.parse` — CloudEvents 1.0 envelope.** Vendor-neutral event-format spec adopted by AWS EventBridge, Knative, Azure Event Grid, Google Eventarc, Datadog, and the broader CNCF event ecosystem. Operators wrap outbound events from webhook / pubsub / queue boundaries to interop with these consumers without each consumer learning a bespoke shape. **Added:** *`b.cloudEvents.wrap({ source, type, data?, subject?, time?, id?, datacontenttype?, dataschema?, extensions? })`* — Produces a CloudEvents 1.0 envelope: required attributes (`id` auto-minted as RFC 4122 v4 UUID when omitted, `source`, `specversion="1.0"`, `type`, `time` auto-set to `new Date().toISOString()`), optional attributes (`subject`, `datacontenttype` auto-set to `"application/json"` when `data` is JSON-serializable or `"application/octet-stream"` when `data` is a `Buffer` — base64-encoded into `data_base64`, `dataschema`), plus operator-defined extension attributes that conform to the §3.1 naming rules (lowercase ASCII alnum, 1-20 chars). · *`b.cloudEvents.parse(envelope)`* — Validates the envelope shape and returns a structured form with `extensions` surfaced as a separate object so consumers can route on operator-defined fields without grepping the envelope. Refuses `data` + `data_base64` together (CloudEvents §3.1.1), unsupported specversion, missing required attributes, malformed extension names. **Fixed:** *`testAuditSafeEmitRedacts` smoke fixture registers its audit namespace* — The smoke fixture introduced in v0.7.75 now registers the `test` audit namespace before emitting so the audit handler's noise log line (`namespace 'test' is not registered`) no longer appears in CI smoke output. **References:** [CloudEvents v1.0 spec](https://github.com/cloudevents/spec/blob/v1.0.2/cloudevents/spec.md)
+- v0.7.77 (2026-05-06) — **Argon2 switched from vendored prebuilds to Node's built-in `crypto.argon2*`.** Targets Node 24+. The framework's `lib/vendor/argon2/` directory (with the `argon2.cjs` bundle and the `prebuilds/` tree of platform-specific `.glibc.node` / `.musl.node` artifacts for darwin-arm64 / darwin-x64 / freebsd-arm64 / freebsd-x64 / linux-arm / linux-arm64 / linux-x64 / win32-x64) is deleted. **Added:** *Argon2 switched from vendored prebuilds to Node's built-in `crypto* — Argon2 switched from vendored prebuilds to Node's built-in `crypto.argon2*` (Node 24+). The framework's `lib/vendor/argon2/` directory (with the `argon2.cjs` bundle and the `prebuilds/` tree of platform-specific `.glibc.node` / `.musl.node` artifacts for darwin-arm64 / darwin-x64 / freebsd-arm64 / freebsd-x64 / linux-arm / linux-arm64 / linux-x64 / win32-x64) is deleted. New `lib/argon2-builtin.js` is a thin wrapper over `crypto.argon2Sync` that produces and parses the PHC string format (`$argon2id$v=19$m=...,t=...,p=...$<salt>$<hash>`). Wire-format compatibility preserved: existing rows in operator databases continue to verify. Behavior preserved: `b.auth.password.hash` / `.verify` / `.needsRehash` retain their async signatures and return shapes; `b.vault.wrap` and `b.backupCrypto.deriveKey` use the same `raw: true` path for raw-bytes output. Operators wanting to supply their own argon2 implementation (pinned upstream, hardware-accelerated, etc.) override at the call site via `opts.argon2` — the supplied object MUST expose the same `hash` / `verify` / `needsRehash` shape. Drops ~440 KB of platform-specific native prebuilds from the repository and shipped npm tarball; eliminates a supply-chain hop. The vendor manifest's `argon2` entry is removed; `scripts/vendor-update.sh argon2` now refuses with a pointer to `lib/argon2-builtin.js`.
+- v0.7.76 (2026-05-06) — **CVE-class web hardening sweep — Trojan Source (CVE-2021-42574) log defense + drive-by-MIME attachment opt for `staticServe`.** Trojan Source defense in `b.log` output: every log line now post-processes Unicode bidi / format-control characters (U+061C / U+200E-200F / U+202A-202E / U+2066-2069) into their `\uXXXX` literal escape on the wire so a hostile log message can't re-order the visible line in a TTY / syslog / file reader. **Fixed:** *`staticServe.create({ safeAttachmentForRiskyMimes: true })`* — opt-in flag that adds `Content-Disposition: attachment` to responses whose Content-Type is in the risky-inline-MIME set (`text/html`, `text/xml`, `application/xml`, `application/xhtml+xml`, `image/svg+xml`, `application/javascript`, `text/javascript`, `application/x-javascript`). Defends against drive-by execution of user-uploaded HTML / JS / SVG (CVE-2017-15012 SVG XSS / CVE-2009-1312 HTML drive-by class). Default `false` — operators serving framework asset bundles continue to render inline; operators serving user-content directories opt in. Filename is RFC 5987-encoded (ASCII filename + `filename*=UTF-8''...`) so non-ASCII filenames survive without allowing CR/LF header injection. **References:** [RFC 5987](https://www.rfc-editor.org/rfc/rfc5987.html) · [CVE-2021-42574](https://nvd.nist.gov/vuln/detail/CVE-2021-42574) · [CVE-2017-15012](https://nvd.nist.gov/vuln/detail/CVE-2017-15012) · [CVE-2009-1312](https://nvd.nist.gov/vuln/detail/CVE-2009-1312)
+- v0.7.75 (2026-05-06) — **Audit-emit redaction pipeline.** `b.audit.safeEmit` now scrubs the `actor` / `reason` / `metadata` fields through `b.redact.redact()` before they hit the audit handler. **Added:** *Audit-emit redaction pipeline* — Audit-emit redaction pipeline. `b.audit.safeEmit` now scrubs the `actor` / `reason` / `metadata` fields through `b.redact.redact()` before they hit the audit handler. Operators who pass `metadata: { reason: e.message }` from a caught error could land DB connection strings, bearer tokens, JWT compact-serialization fixtures, AWS access keys, PEM private keys, SSH keys, credit cards, and SSNs in audit rows; the redact pipeline catches the common shapes (sensitive field names + value-shape detectors) and replaces them with markers (`[REDACTED]`, `[REDACTED-CONN-STRING]`, `[REDACTED-JWT]`, `[REDACTED-PEM]`, `[REDACTED-AWS-KEY]`, `[REDACTED-CC]`, `[REDACTED-SSN]`, `[REDACTED-SEALED]`, `[REDACTED-SSH-KEY]`). The `b.redact` primitive existed in lib/ since v0.4.x but was dead code — `audit.safeEmit` previously passed metadata through unchanged. New connection-string detector matches `protocol://user:pass@host` shapes that surface in error messages from external-DB / SMTP / HTTP drivers (RFC 3986 generic syntax). Drop-silent on redact failure — the pipeline never breaks the caller's audit attempt. **References:** [RFC 3986](https://www.rfc-editor.org/rfc/rfc3986.html)
+- v0.7.74 (2026-05-06) — **Email receive-side parity: DMARC aggregate (RUA) report parser + ARC trust evaluation + Authentication-Results header builder.** Closes the "framework can send mail compliantly but can't receive compliantly" gap. `b.mail.dmarc.parseAggregateReport(xmlBytes, { contentType? })` parses RFC 7489 §7.2 aggregate XML reports through the framework's existing `lib/parsers/safe-xml.js` (the existing security-focused XML parser handles XXE / DOCTYPE / entity-expansion defenses by default). **Added:** *`b.mail.dmarc.parseAggregateReport(xmlBytes, { contentType? })`* — parses RFC 7489 §7.2 aggregate XML reports through the framework's existing `lib/parsers/safe-xml.js` (the existing security-focused XML parser handles XXE / DOCTYPE / entity-expansion defenses by default). Auto-detects gzip via magic bytes (`0x1f 0x8b`) or `Content-Type: application/gzip`. Returns `{ reportMetadata, policyPublished, records, totals }` with per-record source-IP / count / policy-evaluated dispositions / identifiers / DKIM + SPF auth results, plus aggregated `messages` / `aligned` / `notAligned` totals operators want for dashboards. Caps report size at 8 MiB and records-per-report at 10 000. · *`b.mail.arc.evaluate(rfc822, { trustedSealers })`* — wraps the existing `arc.verify` cryptographic chain check with the operator-side trust decision: given a passing chain, did any hop in the chain belong to a sealer the operator trusts? Returns `{ chainStatus, trusted, trustedHop, trustedDomain }` walking hops most-recent-first so the deepest trusted sealer wins. · *`b.mail.authResults.emit({ authservId, results, fold? })`* — builds the RFC 8601 Authentication-Results header value — operators consume per-method results from `b.mail.spf.verify` / `b.mail.dmarc.evaluate` / `b.mail.arc.verify`, hand them to `.emit`, and the framework formats the conformant header string with method-specific properties (`smtp.mailfrom`, `header.d`, `header.from`, `policy.iprev`, `policy.ip`, `policy.tls`). Refuses unknown methods / results at config-mistake time. · *`b.network.smtp.tlsRpt.parseReport(body, { contentType? })`* — is the receive-side counterpart to `tlsRpt.recordShape` / `tlsRpt.submit` — accepts a Buffer or string, auto-detects gzip, parses JSON, validates the RFC 8460 §4.4 required-fields shape (`organization-name`, `date-range`, `report-id`, `policies`), aggregates `total-successful-session-count` / `total-failure-session-count` across policies. Caps report size at 8 MiB and policies-per-report at 1024. **References:** [RFC 7489](https://www.rfc-editor.org/rfc/rfc7489.html) · [RFC 822](https://www.rfc-editor.org/rfc/rfc822.html) · [RFC 8601](https://www.rfc-editor.org/rfc/rfc8601.html) · [RFC 8460](https://www.rfc-editor.org/rfc/rfc8460.html)
+- v0.7.73 (2026-05-06) — **`b.auth.aal` + `b.middleware.requireAal({ minimum })` — NIST SP 800-63-4 Authentication Assurance.** Level bands. `b.auth.aal.fromMethods({ password, totp, webauthn, ... **Added:** *`b.auth.aal.fromMethods({ password, totp, webauthn, ... })`* — combines a set of operator-asserted authenticator methods into the resulting band: `AAL1` (single factor — memorized secret OR single-factor cryptographic), `AAL2` (multi-factor — memorized secret + OTP/SMS/hardware/mTLS), `AAL3` (phishing-resistant multi-factor — WebAuthn / passkey / hardware-+-PIN). Recognized methods: `password`, `pin`, `totp`, `sms`, `webauthn`, `passkey`, `hardware`, `mtls`. · *`b.middleware.requireAal({ minimum, getAal?, audit?, realm? })`* — gates routes by the request's AAL band — reads `req.user.aal` by default (or operator-supplied `getAal(req)`), compares against the minimum, returns 401 with `WWW-Authenticate: AAL-StepUp realm="...", required="AAL2"` on insufficient assurance. The bespoke scheme name signals to the operator's frontend that a step-up flow should be triggered (re-prompt for TOTP / passkey) without reusing the generic `Bearer` challenge namespace. Audit emits `auth.aal.granted` / `auth.aal.denied` (drop-silent on observability sink failure). The framework leaves AMR/ACR claim emission to the operator's IdP; the new `b.auth.aal.AMR` constants object provides consistent OIDC-conformant strings for operators emitting access tokens with AAL info. Also exposes `b.auth.aal.meets(actual, required)` for ad-hoc band comparisons outside the middleware. CI vendor-manifest gate fix: vendor files now have an explicit `.gitattributes` `lib/vendor/ -text binary` declaration so git never rewrites line endings between Windows and Linux checkouts. The `lib/vendor/noble-ciphers.cjs` file was renormalized to LF on disk and re-hashed in `lib/vendor/MANIFEST.json`. Closes the v0.7.65–0.7.72 npm-publish.yml smoke-test failures (`vendor manifest: @noble/ciphers :: server hash matches`).
+- v0.7.72 (2026-05-06) — **`b.mail` gains EAI / SMTPUTF8 / Punycode-IDN support (RFC 6531 / 6532 / 6533 / 3492).** . Internationalized email addresses (`müller@münchen.example`) now validate through `b.mail.send()` — `_isValidEmail` detects non-ASCII content, converts the IDN domain to Punycode via Node's `url.domainToASCII`, and re-tests the assembled `local@ascii-domain` against the framework's pragmatic email regex. **Added:** *`b.mail.toAscii(domain)`* — and. (See CHANGELOG for full context). · *`b.mail.toUnicode(domain)`* — are the operator-facing wrappers around `node:url`'s IDN helpers — one obvious place to reach for Punycode encoding when handling addresses outside `send()`. SMTP transport now captures EHLO extension lines (250-X continuations) and detects `SMTPUTF8`. Messages whose from / to / cc / bcc / subject contain non-ASCII octets compute `requiresSmtpUtf8 = true`; when the peer advertises `SMTPUTF8` the transport appends ` SMTPUTF8` to `MAIL FROM:<...>` per RFC 6531 §3.4. When the peer does NOT advertise `SMTPUTF8` AND the message requires it, the transport refuses with `mail/smtp-failed: eai-required-not-supported` rather than emit a mangled wire (some peers would silently corrupt headers downstream). Pure-ASCII messages continue without the keyword (some legacy mailboxes reject `SMTPUTF8` outright on transactions that don't need it). **References:** [RFC 6531](https://www.rfc-editor.org/rfc/rfc6531.html)
+- v0.7.71 (2026-05-06) — **`b.auth.oauth` adopts the OAuth 2.1 (draft-ietf-oauth-v2-1) baseline. `pkce: false` is now.** now refused outright — `create()` throws `auth-oauth/pkce-required` rather than warning-and-continuing. PKCE is required for every client (public AND confidential) per OAuth 2.1; the prior pre-1.0 leniency that emitted a warning and proceeded is closed. **Added:** *`pkce: false` is now refused outright* — `create()` throws `auth-oauth/pkce-required` rather than warning-and-continuing. PKCE is required for every client (public AND confidential) per OAuth 2.1; the prior pre-1.0 leniency that emitted a warning and proceeded is closed. Operators integrating with genuinely-broken legacy IdPs that don't accept `code_challenge` must strip the parameters at their own ingress; the framework primitive does not ship that escape hatch. The framework's authorization-code flow already implements the rest of the OAuth 2.1 baseline (`response_type=code` only — no implicit / password / client-credentials grants exposed; mandatory `state`; HTTPS-required `redirect_uri` outside localhost dev opt-in). Wiki docstring updated to reflect the lock-in.
+- v0.7.70 (2026-05-06) — **`b.auth.dpop` + `b.middleware.dpop` — RFC 9449 Demonstrating Proof of Possession. Bearer tokens are.** bound to a per-client keypair, so an attacker who exfils the access token still can't replay it without stealing the client's private key. **Added:** *`b.auth.dpop.buildProof({ htm, htu, privateKey, accessToken?, nonce?, jti?, iat? })`* — produces a compact-JWS proof with the public key embedded in the header (`typ: "dpop+jwt"`, `jwk`); the proof signs over the request method + canonicalized URI + a fresh `jti`, optionally binding to `ath = sha256(access_token)` and a server-issued nonce. · *`b.auth.dpop.verify(proof, { htm, htu, algorithms?, iatWindowSec?, accessToken?,* — validates the proof: typ check, alg-allowlist (HS*/none refused outright), signature verified against the embedded jwk, htm/htu match, iat window, ath match if accessToken supplied, nonce match if supplied, jti replay defense via `b.nonceStore`, jwk-thumbprint match if `expectedThumbprint` supplied. Returns `{ header, payload, jkt }` where `jkt` is the RFC 7638 thumbprint operators compare against the `cnf.jkt` claim of the bound access token. · *`b.middleware.dpop({ replayStore, algorithms, getAccessToken, getNonce, getHtu, audit })`* — wraps verify into the request lifecycle — reads `req.headers.dpop`, reconstructs htu from `X-Forwarded-{Proto,Host}` + `req.url`, attaches `req.dpop` on success, returns 401 with `WWW-Authenticate: DPoP error="invalid_dpop_proof"` on failure (or `error="use_dpop_nonce"` per RFC 9449 §8 when nonce missing/mismatched). Default algorithm allowlist: ES256/384/512, PS256/384/512, RS256/384/512, EdDSA, ML-DSA-87 (forward-PQC). SLH-DSA-SHAKE-256f is intentionally omitted because Node lacks SLH-DSA JWK round-trip and the alg's ~50 KB signatures + ~80x sign-time penalty make it a poor fit for per-request proofs regardless. JWK header refuses any private-key components (`d`/`p`/`q`/`dp`/`dq`/`qi`/`k`/`priv`) — a proof must NEVER carry the private half. `crit` header rejected outright. The `replayStore` opt accepts the same atomic `checkAndInsert(jti, expireAtMs)` shape as `b.auth.jwt.verify`'s `replayStore` so the same `b.nonceStore.create()` instance can serve both primitives. **References:** [RFC 9449](https://www.rfc-editor.org/rfc/rfc9449.html) · [RFC 7638](https://www.rfc-editor.org/rfc/rfc7638.html)
+- v0.7.69 (2026-05-06) — **`b.auth.jwt.verify({ replayStore })` — RFC 7519 §4.1.7 jti replay defense. Captured bearer tokens.** replayed against the verifier (TLS-terminated proxy capture, log scraping, browser-history exposure, leaked Authorization headers in shared dev tools) are refused with `auth-jwt/replay` when an operator wires the new `replayStore` opt. **Fixed:** *`b.auth.jwt.verify({ replayStore })` — RFC 7519 §4.1.7 jti replay defense. Captured bearer tokens* — `b.auth.jwt.verify({ replayStore })` — RFC 7519 §4.1.7 jti replay defense. Captured bearer tokens replayed against the verifier (TLS-terminated proxy capture, log scraping, browser-history exposure, leaked Authorization headers in shared dev tools) are refused with `auth-jwt/replay` when an operator wires the new `replayStore` opt. The store contract is the same atomic `checkAndInsert(jti, expireAtMs)` that `b.nonceStore` exposes — first call records the jti, any later call with the same jti returns false and the verifier throws. The token MUST carry a non-empty `jti` claim; without one the verifier throws `auth-jwt/replay-no-jti` rather than silently letting every jti-less token through. Bad-shape stores throw `auth-jwt/bad-replay-store` at config-mistake time; backend-level errors propagate as `auth-jwt/replay-store-failed`. The TTL is bounded by the token's `exp` claim, capped at 24h so an in-memory backend can't be made to grow unbounded by tokens with absurd exp claims. Use `b.nonceStore.create({ backend: "memory" })` for single-node, `{ backend: "cluster" }` for the framework's external-DB cluster posture, or supply a Redis/Memcached/etc. backend by passing any object with a compatible `checkAndInsert` method. Replay defense remains opt-in — the verifier's default behavior is unchanged. **References:** [RFC 7519](https://www.rfc-editor.org/rfc/rfc7519.html)
+- v0.7.68 (2026-05-06) — **`b.network.dns.resolveSecure(host, type)` + DNS name-compression parser bug fix. The pre-0.7.68.** `_decodeDnsAnswer` had a name-walk bug: after a name-compression pointer (RFC 1035 §3.1 — high two bits `11`), the parser unconditionally executed `if (buf[off] === 0) off++` which consumed the high byte of the next field. **Fixed:** *`b.network.dns.resolveSecure(host, type)`* — is the new DNSSEC-aware resolution API. Returns `{ rrs, ad }` where `ad` is the AD bit (RFC 4035) set by the upstream DoH resolver after chain validation, and `rrs` is the answer-record list. Only available over DoH (`useDnsOverHttps`) — DoT and the system resolver don't surface the AD bit through Node's API today. Operators wiring DANE / TLSA validation (RFC 7672 §1.3) refuse the chain when `ad === false`. The `network-smtp-policy.js` docstring updates to point operators at this primitive. `_readAdBit(buf)` helper extracts the AD bit (byte 3, mask 0x20) from any DNS reply. **References:** [RFC 1035](https://www.rfc-editor.org/rfc/rfc1035.html) · [RFC 4035](https://www.rfc-editor.org/rfc/rfc4035.html) · [RFC 7672](https://www.rfc-editor.org/rfc/rfc7672.html)
+- v0.7.67 (2026-05-06) — **`b.middleware.gpc` (Sec-GPC honoring) + `Reporting-Endpoints` opt on.** `b.middleware.securityHeaders`. `b.middleware.gpc({ audit, consent, mode, statusHeader })` reads the `Sec-GPC: 1` request header (W3C Privacy Sandbox / IETF draft-doty-gpc-header) and sets `req.gpcOptOut = true` for downstream consumers. **Added:** *`b.middleware.gpc({ audit, consent, mode, statusHeader })`* — reads the `Sec-GPC: 1` request header (W3C Privacy Sandbox / IETF draft-doty-gpc-header) and sets `req.gpcOptOut = true` for downstream consumers. Optional `consent` integration calls `consent.recordOptOut({ req, purposes, source: "sec-gpc", mode })` so the operator's data-flow primitives can refuse `sale` / `share` / `targeted-ads` / `cross-context-behavioral-advertising` / `profiling` purposes for the session. Echoes a `Sec-GPC-Status: honored` response header so the UA + audit logs see the acknowledgement. · *Compliance context* — Sec-GPC is legally required by California (CCPA/CPRA) since Jan 2024 and by 12+ US states (Colorado, Connecticut, Texas, Oregon, Delaware, Montana, Iowa, Nebraska, New Hampshire, New Jersey, Maryland, Minnesota) by various dates through Jan 2026. CPPA fines up to $7,500 per intentional violation. · *`b.middleware.securityHeaders({ reportingEndpoints: { default: "https://...", csp:* — when operator passes a map of endpoint-name → URL, emits `Reporting-Endpoints: name="url", ...` (W3C Reporting API). When the `default` endpoint is set AND the operator hasn't overridden the framework's default CSP, auto-appends `report-to default` to the CSP so violations route to the named endpoint.
+- v0.7.66 (2026-05-06) — **`b.mail.unsubscribe` — RFC 8058 / RFC 2369 List-Unsubscribe support. Two pieces ship together:.** `b.mail.unsubscribe.buildHeaders({ url, mailto, oneClick })` produces the `List-Unsubscribe` and (when `oneClick: true`) `List-Unsubscribe-Post: List-Unsubscribe=One-Click` header values. **Added:** *`b.mail.unsubscribe.buildHeaders({ url, mailto, oneClick })`* — produces the `List-Unsubscribe` and (when `oneClick: true`) `List-Unsubscribe-Post: List-Unsubscribe=One-Click` header values. · *`b.mail.unsubscribe.handler({ onUnsubscribe })`* — is the request-lifecycle middleware that validates the RFC 8058 §3.1 one-click POST body (`List-Unsubscribe=One-Click` exact byte sequence) and dispatches to the operator's `onUnsubscribe` callback; on success returns 200 OK with empty body. Refuses non-POST (405) / wrong body (400) / oversized body (413). Compliance context: Gmail + Yahoo bulk-sender requirements (Feb 2024) mandate one-click List-Unsubscribe for senders >= 5k/day; Microsoft 365 followed in 2025. · *`b.mail.send({ unsubscribe: { ... } })`* — is the convenience opt — the existing `send` translates the structured unsubscribe value into the right header pair before transport. Operators using their own header-construction continue to work unchanged. **References:** [RFC 8058](https://www.rfc-editor.org/rfc/rfc8058.html) · [RFC 2369](https://www.rfc-editor.org/rfc/rfc2369.html)
+- v0.7.65 (2026-05-06) — **Vendor manifest tamper defense + JWT keyResolver kid contract.** `lib/vendor/MANIFEST.json` gains SHA-256 hashes per file. Each vendored package's `files` map now has a corresponding `hashes` map (`sha256:...` for files, `sha256-tree:...` for directory trees). **Fixed:** *`lib/vendor/MANIFEST.json` gains SHA-256 hashes per file* — Each vendored package's `files` map now has a corresponding `hashes` map (`sha256:...` for files, `sha256-tree:...` for directory trees). Closes the supply-chain class where a compromised `scripts/vendor-update.sh` could swap a vendored dependency silently — the on-disk content must match the committed hash. Verification gate ships in `test/layer-0-primitives/vendor-manifest.test.js` so smoke catches drift locally before commit. · *`scripts/refresh-vendor-manifest.js`* — is the operator-facing tool — run it after `scripts/vendor-update.sh` bumps a vendored package to update the manifest. · *`b.auth.jwt` `keyResolver` contract* — the docstring above the resolver call site now points operators at `b.guardJwt.kidSafe(header.kid)` for path-traversal sanitization. The `kidSafe` helper has shipped since v0.7.50; this slice surfaces the contract directly in the JWT verifier so operators wiring custom resolvers (cache lookup, file load, JWKS index) can't miss it.
+- v0.7.64 (2026-05-06) — **HTTP/2 + WebSocket DoS hardening.** HTTP/2 server caps — `lib/router.js` `http2.createSecureServer` now ships framework-default hardening: `maxConcurrentStreams: 100` (CVE-2023-44487 Rapid Reset cap; Node default was 4294967295), `maxSessionMemory: 10` (MB), `maxHeaderListPairs: 100` (CVE-2024-27983 / CVE-2024-. **Fixed:** *HTTP/2 server caps* — `lib/router.js` `http2.createSecureServer` now ships framework-default hardening: `maxConcurrentStreams: 100` (CVE-2023-44487 Rapid Reset cap; Node default was 4294967295), `maxSessionMemory: 10` (MB), `maxHeaderListPairs: 100` (CVE-2024-27983 / CVE-2024-28182 CONTINUATION-flood cap), `maxSettings: 32`, `peerMaxConcurrentStreams: 100`, `unknownProtocolTimeout: 10s` (Slowloris-h2 variant). Operator-supplied `tlsOptions` override any of these. · *Slowloris timeouts* — `server.headersTimeout = 60s`, `server.requestTimeout = 5min`, `server.keepAliveTimeout = 5s` set explicitly post-listen. The framework was previously relying on Node-version-shifting defaults; pinning brings older Node releases up to the modern bar. · *WebSocket origin default* — *breaking change* (pre-1.0, no compat shim — operators upgrade across breaking changes): when `origins` is omitted from `b.websocket.create({ ... })`, the new default is same-origin enforcement (Origin header host must match Host header). Pre-0.7.64 the default was "accept all", which is the canonical Cross-Site WebSocket Hijacking (CSWSH) class. Operators needing cross-origin opt in via `origins: "*"` (with audited reason) or `origins: [...allowlist]`. Non-browser clients (no Origin header) continue to bypass — origin enforcement is a browser-class defense. **References:** [CVE-2023-44487](https://nvd.nist.gov/vuln/detail/CVE-2023-44487) · [CVE-2024-27983](https://nvd.nist.gov/vuln/detail/CVE-2024-27983) · [CVE-2024-28182](https://nvd.nist.gov/vuln/detail/CVE-2024-28182)
+- v0.7.63 (2026-05-06) — **Gitleaks regex allowlist extended to cover JWT fixtures split across multiple string literals.** The v0.7.62 regex only matched the full three-segment JWT compact-serialization shape; source files split long JWT fixtures across literals for line-length, so gitleaks saw individual `eyJ...`-prefixed base64url segments and still flagged them. Added a second allowlist regex matching any `eyJ`-prefixed segment of substantive length (`{20,}`). **Added:** *Gitleaks regex allowlist extended to cover JWT fixtures split across multiple string literals* — gitleaks regex allowlist extended to cover JWT fixtures split across multiple string literals. The v0.7.62 regex only matched the full three-segment JWT compact-serialization shape; source files split long JWT fixtures across literals for line-length, so gitleaks saw individual `eyJ...`-prefixed base64url segments and still flagged them. Added a second allowlist regex matching any `eyJ`-prefixed segment of substantive length (`{20,}`). Same rationale: real signing keys never appear as `eyJ...` base64url tokens — they're PEM / DER / PKCS#8.
+- v0.7.62 (2026-05-06) — **Gitleaks regex allowlist for JWT compact-serialization shape.** The new `b.guardJwt` and `b.guardAuth` test fixtures legitimately embed JWT-shaped strings as benign + hostile inputs; gitleaks' default `generic-api-key` rule fires on the high-entropy base64url segments and refuses every release tag with the fixtures present. **Added:** *Gitleaks regex allowlist for JWT compact-serialization shape (`eyJ* — gitleaks regex allowlist for JWT compact-serialization shape (`eyJ...header.eyJ...payload.signature`). The new `b.guardJwt` and `b.guardAuth` test fixtures legitimately embed JWT-shaped strings as benign + hostile inputs; gitleaks' default `generic-api-key` rule fires on the high-entropy base64url segments and refuses every release tag with the fixtures present. Real signing keys never appear in compact serialization shape — they're PEM / DER / PKCS#8 — so this allowlist doesn't suppress detection of actual key leaks. Allowlist regex added under the existing "Doc-string credential-shaped placeholders" block in `.gitleaks.toml`. No code change.
+- v0.7.61 (2026-05-06) — **Eslint cleanup in `lib/guard-regex.js` and `lib/guard-shell.js`.** The `no-useless-escape` rule (eslint v9+) flagged unnecessary backslashes inside regex character classes — `*`, `+`, `?`, `[` don't need escaping when they appear inside `[...]`. Behavior unchanged: regex semantics are identical with or without the escapes (the engine treats both forms as the literal character). **Added:** *Eslint cleanup in `lib/guard-regex* — eslint cleanup in `lib/guard-regex.js` and `lib/guard-shell.js`. The `no-useless-escape` rule (eslint v9+) flagged unnecessary backslashes inside regex character classes — `*`, `+`, `?`, `[` don't need escaping when they appear inside `[...]`. Behavior unchanged: regex semantics are identical with or without the escapes (the engine treats both forms as the literal character). The framework's CI gate runs eslint with `--max-warnings 0`; this slice unblocks the CI lint job that's been failing on tag pushes since v0.7.53. No operator-facing behavior change.
+- v0.7.60 (2026-05-05) — **`b.crypto.encryptEnvelopeAsCertPeer` + `b.crypto.decryptEnvelopeAsCertPeer` — cert-bound envelope.** primitives. The default `b.crypto.encrypt` / `b.crypto.decrypt` source the recipient from a published framework keypair (operator owns both halves); the new cert-peer variants source the recipient's ECDH P-384 half from a TLS peer cert plus a peer-supplied ML-KEM-1024 pubkey. **Added:** *`b.crypto.encryptEnvelopeAsCertPeer` + `b.crypto.decryptEnvelopeAsCertPeer` — cert-bound envelope* — `b.crypto.encryptEnvelopeAsCertPeer` + `b.crypto.decryptEnvelopeAsCertPeer` — cert-bound envelope primitives. The default `b.crypto.encrypt` / `b.crypto.decrypt` source the recipient from a published framework keypair (operator owns both halves); the new cert-peer variants source the recipient's ECDH P-384 half from a TLS peer cert plus a peer-supplied ML-KEM-1024 pubkey. Wire format unchanged — the envelope dispatches on the same version bytes and KEM ID; only the input keys differ. Use cases: sealed-storage records with peer recipients (operator A seals to operator B's TLS cert + KEM pubkey), cross-service messages between cert-identified peers without a shared framework keypair, audit log entries tagged with peer recipients. The encrypt path extracts the cert's SPKI as P-384 ECDH pubkey and refuses with `crypto/cert-key-not-ecdh-p384` if the cert isn't `id-ecPublicKey` over `secp384r1`; the decrypt path accepts either a `KeyObject` or a PEM string for `certPrivateKey` and applies the same curve check. Math is the existing hybrid ML-KEM-1024 + P-384 ECDH + SHAKE256 + XChaCha20-Poly1305 — these are convenience wrappers, not new crypto.
+- v0.7.59 (2026-05-05) — **`b.guardAuth` — composite auth-bundle safety primitive (KIND="auth-bundle"). Composes `guardJwt` +.** `guardOauth` + `b.cookies.parseSafe` + light header-smuggling detection into a single auth-flow gate. Consumes `ctx.authBundle` shape `{ jwtToken?, oauthFlow?, cookieHeader?, requestHeaders? }`. **Added:** *`b.guardAuth` — composite auth-bundle safety primitive (KIND="auth-bundle"). Composes `guardJwt` +* — `b.guardAuth` — composite auth-bundle safety primitive (KIND="auth-bundle"). Composes `guardJwt` + `guardOauth` + `b.cookies.parseSafe` + light header-smuggling detection into a single auth-flow gate. Consumes `ctx.authBundle` shape `{ jwtToken?, oauthFlow?, cookieHeader?, requestHeaders? }`. Each sub-validator runs independently; aggregated issues carry a `source` field (`"jwt"` / `"oauth"` / `"cookies"` / `"headers"` / `"auth"`) so operators see which sub-guard raised which issue. Sub-guards run at the operator's chosen `childProfile` (default tracks the auth profile). `requireAtLeastOne: true` (strict default) refuses empty bundles to defend against the operator-misuse class where the gate runs but no auth input is supplied. Profiles: `strict` (childProfile=strict, requireAtLeastOne), `balanced` (childProfile=balanced, allow empty), `permissive` (childProfile=permissive, allow empty). Postures: `hipaa` / `pci-dss` / `soc2` strict overlay; `gdpr` balanced overlay. Adaptive integration harness gains a KIND="auth-bundle" dispatcher reading `ctx.authBundle`. Auto-registers into `b.guardAll` as a STANDALONE_GUARD.
+- v0.7.58 (2026-05-05) — **`b.guardPdf` — PDF identifier-safety primitive (KIND="metadata"). Validates PDF inputs without.** vendoring a full parser; operators bring their own PDF library (pdf-lib, pdfjs-dist, vendored mupdf) and feed structural metadata to the guard for policy enforcement. **Added:** *`b.guardPdf.inspectMagic(bytes)`* — is the operator helper that returns `true` when bytes start with `%PDF-`. Profiles: `strict` (max 500 pages, 0 embedded files, 64 MiB), `balanced` (max 5000 pages, 10 embedded files, 128 MiB; audit non-RCE classes), `permissive` (max 50000 pages, 100 embedded files, 512 MiB; allow encrypted). Postures: `hipaa` / `pci-dss` / `soc2` strict overlay; `gdpr` balanced overlay. Auto-registers into `b.guardAll` as a STANDALONE_GUARD. set of the original guard-family expansion plan complete.
+- v0.7.57 (2026-05-05) — **`b.guardImage` — image-format identifier-safety primitive (KIND="metadata"). Validates image-format.** inputs without vendoring a full decoder; the framework's stance is operators bring their own decoder (sharp, jimp, libvips wrappers, etc.) and `guardImage` closes the magic-byte vs declared-Content-Type mismatch class plus operator-supplied metadata bounds. **Added:** *`b.guardImage.inspectMagic(bytes)`* — is the operator helper that returns the detected MIME types without running the full validate / gate flow. Profiles: `strict` (8192×8192, 60 frames, 32 MiB), `balanced` (16384×16384, 200 frames, 64 MiB), `permissive` (65536×65536, 1000 frames, 256 MiB). Postures: `hipaa` / `pci-dss` / `soc2` strict overlay; `gdpr` balanced overlay. Adaptive integration harness gains a KIND="metadata" dispatcher reading `ctx.metadata`. Auto-registers into `b.guardAll` as a STANDALONE_GUARD.
+- v0.7.56 (2026-05-05) — **`b.guardTemplate` — Server-Side Template Injection (SSTI) identifier-safety primitive.** (KIND="identifier"). Detects template-engine syntax in user-input strings before they're rendered through any template engine; refused by default at every profile because operator-untrusted input rarely legitimately contains template syntax. **Added:** *`b.guardTemplate` — Server-Side Template Injection (SSTI) identifier-safety primitive* — `b.guardTemplate` — Server-Side Template Injection (SSTI) identifier-safety primitive (KIND="identifier"). Detects template-engine syntax in user-input strings before they're rendered through any template engine; refused by default at every profile because operator-untrusted input rarely legitimately contains template syntax. Threat catalog: Jinja / Django / Twig / Liquid / Handlebars / AngularJS `{{...}}` + `{%...%}` (CVE-2024-22195 Jinja `xml_attr` filter, CVE-2024-26139 Bottle, CVE-2024-23348 Pyrogram); ERB / Tornado `<%...%>` and `<%=...%>`; Pug `#{...}` + `!{...}` interpolation; Mako / Velocity / Tornado `${...}` interpolation; Velocity directives (`#set` / `#if` / `#else` / `#elseif` / `#end` / `#foreach` / `#parse` / `#include` / `#stop`); BIDI / null / control / zero-width universal refuse. Profiles: `strict` (refuse everything), `balanced` (Jinja / ERB / Pug / Velocity directives still refused; audit `${...}` since it can also be a JS template-literal in some operator contexts), `permissive` (universal SSTI shapes still refused; audit `${...}` + Velocity directives). Postures: `hipaa` / `pci-dss` / `soc2` strict overlay; `gdpr` balanced overlay. Auto-registers into `b.guardAll` as a STANDALONE_GUARD. set of the original guard-family expansion plan complete. **References:** [CVE-2024-22195](https://nvd.nist.gov/vuln/detail/CVE-2024-22195) · [CVE-2024-26139](https://nvd.nist.gov/vuln/detail/CVE-2024-26139) · [CVE-2024-23348](https://nvd.nist.gov/vuln/detail/CVE-2024-23348)
+- v0.7.55 (2026-05-05) — **`b.guardJsonpath` — JSONPath identifier-safety primitive (KIND="identifier"). Validates.** user-supplied JSONPath strings (RFC 9535) before they're handed to a JSONPath evaluator. Many JSONPath libraries (notably the original Stefan Goessner implementation and several JS forks) route filter / script expressions through dynamic-code execution, turning a query path into an RCE primitive. **Added:** *`b.guardJsonpath` — JSONPath identifier-safety primitive (KIND="identifier"). Validates* — `b.guardJsonpath` — JSONPath identifier-safety primitive (KIND="identifier"). Validates user-supplied JSONPath strings (RFC 9535) before they're handed to a JSONPath evaluator. Many JSONPath libraries (notably the original Stefan Goessner implementation and several JS forks) route filter / script expressions through dynamic-code execution, turning a query path into an RCE primitive. Threat catalog: filter expression `?(...)` (dynamic-code-execution class — universally refused); script expression `(@.x)` style; JS-source hint detection (path containing tokens that only appear in code-injection attempts — dynamic-code-exec keyword, constructor invocation keyword, function-declaration keyword, arrow-function arrow, statement-separator semicolon — all built from explicit substrings to keep the source file free of the literal keywords); recursive-descent depth bombs (operator-tunable `maxRecursiveDescents`); excessive bracket nesting; oversized pattern; BIDI / null / control / zero-width universal refuse. Profiles: `strict` (refuse everything), `balanced` (RCE class refused; audit bracket nesting + recursive descent), `permissive` (RCE class still refused; allow recursive descent up to 16). Postures: `hipaa` / `pci-dss` / `soc2` strict overlay; `gdpr` balanced overlay. Auto-registers into `b.guardAll` as a STANDALONE_GUARD. **References:** [RFC 9535](https://www.rfc-editor.org/rfc/rfc9535.html)
+- v0.7.54 (2026-05-05) — **`b.guardRegex` — regex pattern identifier-safety primitive (KIND="identifier"). Validates.** user-supplied regex pattern strings for catastrophic-backtracking (ReDoS) shapes BEFORE compilation. **Added:** *`b.guardRegex` — regex pattern identifier-safety primitive (KIND="identifier"). Validates* — `b.guardRegex` — regex pattern identifier-safety primitive (KIND="identifier"). Validates user-supplied regex pattern strings for catastrophic-backtracking (ReDoS) shapes BEFORE compilation. Threat catalog: nested quantifiers (canonical ReDoS class — `(a+)+`, `(a*)+`, `(.+)+` — CVE-2024-21538 cross-spawn / CVE-2022-25929 chartjs-adapter-luxon are recent prominent examples; universally refused at every profile); alternation with quantifier (`(a|b)+`); bounded-repeat upper-bound overflow (operator-tunable `maxBoundedRepeat` — strict 100 / balanced 1000 / permissive 10000); lookaround with internal quantifier; oversized pattern; BIDI / null / control / zero-width universal refuse. Profiles: `strict` (refuse everything), `balanced` (nested quants still refused; audit the rest), `permissive` (nested quants + codepoint class still refused; allow alternation-quant). Postures: `hipaa` / `pci-dss` / `soc2` strict overlay; `gdpr` balanced overlay. Auto-registers into `b.guardAll` as a STANDALONE_GUARD. **References:** [CVE-2024-21538](https://nvd.nist.gov/vuln/detail/CVE-2024-21538) · [CVE-2022-25929](https://nvd.nist.gov/vuln/detail/CVE-2022-25929)
+- v0.7.53 (2026-05-05) — **`b.guardShell` — shell-argument identifier-safety primitive (KIND="identifier"). Validates.** user-input strings BEFORE they're handed to a child-process spawn. The canonical defense remains "use array args + `shell: false`", but operators still receive operator-untrusted strings that flow through path-arg or arg-list shapes — `guardShell` refuses obvious shell-injection shapes before the spawn call. **Added:** *`b.guardShell` — shell-argument identifier-safety primitive (KIND="identifier"). Validates* — `b.guardShell` — shell-argument identifier-safety primitive (KIND="identifier"). Validates user-input strings BEFORE they're handed to a child-process spawn. The canonical defense remains "use array args + `shell: false`", but operators still receive operator-untrusted strings that flow through path-arg or arg-list shapes — `guardShell` refuses obvious shell-injection shapes before the spawn call. Threat catalog: POSIX shell metacharacters (`;`, `&`, `|`, `<`, `>`, `(`, `)`, `{`, `}`, `[`, `]`, `*`, `?`, `~`, `!`, `#`, `\`, single+double quotes), cmd.exe metacharacters (`&`, `|`, `<`, `>`, `^`, `%`, `"`, `'`, `(`, `)`, `,`, `;`, `=`), `$(...)` + `${VAR}` command + parameter substitution, backtick command substitution, `<(...)` / `>(...)` Bash process substitution, `$VAR` parameter expansion, newline / NUL injection (line-splitting class), leading-hyphen option-flag injection (operator opt-in to refuse args starting with `-` — defends against `-rf` / `--exec` shapes interpreted as option flags), BIDI / null / control / zero-width universal refuse. Profiles: `strict` (refuse everything), `balanced` (universal-refuse class only — substitutions / newline / BIDI / null still refused; metacharacters audited), `permissive` (universal-refuse class still refused; metacharacters audited; leading hyphen allowed). Postures: `hipaa` / `pci-dss` / `soc2` strict overlay; `gdpr` balanced overlay. Auto-registers into `b.guardAll` as a STANDALONE_GUARD.
+- v0.7.52 (2026-05-05) — **`b.guardGraphql` — GraphQL request-shape safety primitive (KIND="graphql-request"). Validates.** user-supplied GraphQL request bundles against the canonical query-shape DoS catalog before the framework hands the query to a schema-aware executor. **Added:** *`b.guardGraphql` — GraphQL request-shape safety primitive (KIND="graphql-request"). Validates* — `b.guardGraphql` — GraphQL request-shape safety primitive (KIND="graphql-request"). Validates user-supplied GraphQL request bundles against the canonical query-shape DoS catalog before the framework hands the query to a schema-aware executor. Threat catalog: query depth bombs (N² query-shape DoS — caps at strict 8 / balanced 12 / permissive 24); alias-bomb breadth DoS (caps at 8/16/32 aliases per selection-set); introspection in production (`__schema` / `__type` schema-leak); batch query DoS (caps at 1/10/50 entries per array); persisted-query enforcement (refuse free-form queries when `persistedQueryPolicy: "require"`); operation-name allowlist drift; variable type confusion (operator declares `variableShapes: { id: "string", limit: "number" }`); oversized query / variable / total bytes; BIDI / null / control / zero-width universal refuse on the query string. Brace-counting query-shape walker handles strings + comments correctly without requiring a full GraphQL parser. Profiles: `strict` (refuse introspection + batch + shape-DoS), `balanced` (audit most, allow batch up to 10), `permissive` (universal-refuse class still refused; rest allow / audit). Postures: `hipaa` / `pci-dss` / `soc2` strict overlay; `gdpr` balanced overlay. Adaptive integration harness gains a KIND="graphql-request" dispatcher reading `ctx.graphqlRequest`. Auto-registers into `b.guardAll` as a STANDALONE_GUARD.
+- v0.7.51 (2026-05-05) — **`b.guardOauth` — OAuth flow-shape safety primitive (KIND="oauth-flow"). Validates user-supplied.** OAuth 2.x / OIDC authorization-code-flow parameter bundles before the framework's `b.auth.oauth` client exchanges them. **Added:** *`b.guardOauth` — OAuth flow-shape safety primitive (KIND="oauth-flow"). Validates user-supplied* — `b.guardOauth` — OAuth flow-shape safety primitive (KIND="oauth-flow"). Validates user-supplied OAuth 2.x / OIDC authorization-code-flow parameter bundles before the framework's `b.auth.oauth` client exchanges them. Threat catalog: PKCE missing or non-S256 (RFC 7636 / OAuth 2.1 mandate; `plain` is the downgrade-attack class); state missing (RFC 6749 §10.12 CSRF); redirect_uri not in operator allowlist (exact-match per OAuth 2.1 — no prefix / wildcard / scheme drift); response_type allowlist drift (refuse implicit `token` deprecated in OAuth 2.1, require operator-allowed types); scope-token shape per RFC 6749 §3.3 (refuse non-printable / control / whitespace-other-than-space); issuer missing on callback (RFC 9207 IdP-mix-up defense — set `flow._isCallback = true` to enforce); authorization-code reuse via operator-supplied `seenCodeStore.hasSeen(code)` (RFC 6749 §10.5 replay class); excessive parameter / total bytes; BIDI / null / control / zero-width universal refuse. Profiles: `strict` (PKCE S256, state required, redirect_uri exact-match, RFC 9207 iss required), `balanced` (PKCE any method, state + redirect_uri allowlist required, iss audited), `permissive` (universal-refuse class still refused; rest audit). Postures: `hipaa` / `pci-dss` / `soc2` strict overlay; `gdpr` balanced overlay. Adaptive integration harness gains a KIND="oauth-flow" dispatcher reading `ctx.oauthFlow`. Auto-registers into `b.guardAll` as a STANDALONE_GUARD. **References:** [RFC 7636](https://www.rfc-editor.org/rfc/rfc7636.html) · [RFC 6749](https://www.rfc-editor.org/rfc/rfc6749.html) · [RFC 9207](https://www.rfc-editor.org/rfc/rfc9207.html)
+- v0.7.50 (2026-05-05) — **`b.guardJwt` — JWT identifier-safety primitive (KIND="identifier"). Validates user-supplied JWT.** compact-serialization strings against the canonical CVE-class refuse list before hand-off to a verifier — `b.guardJwt` never replaces signature verification, it reduces the input space the verifier sees. **Added:** *`b.guardJwt.kidSafe(kid)`* — is the documented contract for operator `keyResolver` implementations: throws on traversal indicators or control bytes, returns the validated kid on success. Profiles: `strict` (refuse everything), `balanced` (refuse alg=none / kid-traversal / unknown-crit; audit the rest), `permissive` (universal-refuse class still refused). Postures: `hipaa` / `pci-dss` / `soc2` strict overlay; `gdpr` balanced overlay. Auto-registers into `b.guardAll` as a STANDALONE_GUARD. **References:** [RFC 7515](https://www.rfc-editor.org/rfc/rfc7515.html) · [CVE-2015-9235](https://nvd.nist.gov/vuln/detail/CVE-2015-9235) · [CVE-2018-0114](https://nvd.nist.gov/vuln/detail/CVE-2018-0114)
+- v0.7.49 (2026-05-05) — **`b.middleware.headers(opts)` — inbound HTTP header threat-detection middleware. Sits at the top of.** the request lifecycle. Threat catalog: `header-name-shape` (header name not a valid RFC 9110 §5.1 token); `header-value-control-byte` (CR / LF / NUL inside any header value — header-injection defense in depth on top of Node's rejection); `header-count-cap` (default 100 inbound he. **Added:** *`b.middleware.headers(opts)` — inbound HTTP header threat-detection middleware. Sits at the top of* — `b.middleware.headers(opts)` — inbound HTTP header threat-detection middleware. Sits at the top of the request lifecycle. Threat catalog: `header-name-shape` (header name not a valid RFC 9110 §5.1 token); `header-value-control-byte` (CR / LF / NUL inside any header value — header-injection defense in depth on top of Node's rejection); `header-count-cap` (default 100 inbound headers max); `header-value-cap` (default 8 KiB per value); `smuggling-cl-te` (RFC 9112 §6.1 — both Content-Length and Transfer-Encoding present, the canonical CL.TE / TE.CL request-smuggling vector); `smuggling-cl-multi` / `smuggling-te-multi` (multiple values for either header — proxy-desync class); `deprecated-trust-header` (X-Forwarded-For / -Proto / -Host / -Port / X-Real-IP present without operator-supplied `trustProxy: true` opt — operators should adopt RFC 7239 `Forwarded`). On `mode: "enforce"` + `refuseOnHigh` (default), refuses with HTTP 400 + JSON body listing detected high-severity issues; emits one audit row per issue regardless of mode. Complements the existing per-route smuggling defense in `b.middleware.bodyParser` by running the same check at the top of the chain (covers GET / HEAD requests that don't body-parse). **References:** [RFC 9110](https://www.rfc-editor.org/rfc/rfc9110.html) · [RFC 9112](https://www.rfc-editor.org/rfc/rfc9112.html) · [RFC 7239](https://www.rfc-editor.org/rfc/rfc7239.html)
+- v0.7.48 (2026-05-05) — **`b.cookies.parseSafe` + `b.middleware.cookies` inbound cookie-header threat detection.** Closes the inbound-detection gap on the cookie surface. `b.cookies.parse` remains lenient (last-write-wins, silent skip); `parseSafe` returns `{ jar, issues }` surfacing every detected anomaly, and the matching middleware wires it into the request lifecycle. **Added:** *`b.cookies.parseSafe(header, opts)`* — Returns `{ jar, issues }` and surfaces every detected anomaly: header-cap (oversized Cookie header), header-control-byte (CR / LF / NUL injected through proxy — header-injection prelude class), pair-malformed (missing `=`), pair-empty-name, name-cap (oversized name), value-cap (oversized value), duplicate-name (cookie-tossing class — same name appearing more than once in one Cookie header indicates an attacker-set parent-domain cookie shadowing the legitimate one). · *`b.middleware.cookies({ mode, audit, refuseOnHigh })`* — Wires `parseSafe` into the request lifecycle: populates `req.cookieJar`, emits one audit row per detected issue, and refuses with HTTP 400 on any high-severity issue when `mode: "enforce"` (default). **Changed:** *Existing `b.cookies` invariants unchanged* — RFC 6265bis token grammar enforcement, `__Host-` / `__Secure-` prefix invariants, SameSite=None requires Secure, `Partitioned` / CHIPS attribute support, length caps on serialize-side all remain unchanged — this release closes the inbound-detection gap only. **References:** [RFC 6265bis — Cookies: HTTP State Management Mechanism](https://datatracker.ietf.org/doc/draft-ietf-httpbis-rfc6265bis/) · [CHIPS — Cookies Having Independent Partitioned State](https://github.com/privacycg/CHIPS)
+- v0.7.47 (2026-05-05) — **`b.guardMime` RFC 6838 media-type identifier-safety primitive.** Validates user-supplied media type strings destined for Accept-shape comparison, content-type allowlists, and dispatch routing. Auto-registers into `b.guardAll` as a STANDALONE_GUARD. **Added:** *`b.guardMime` (KIND="identifier") media-type validator* — Validates media type strings against RFC 6838. `sanitize` lowercases type/subtype while preserving parameter case (multipart boundary tokens etc. are case-significant). · *Media-type threat catalog* — Shape malformation (missing `/`, bad type/subtype tokens against RFC 6838 §4.2 restricted-name grammar); parameter validation against the RFC 7231 §3.1.1.1 tchar token grammar (token-only or quoted-string per RFC 7230 §3.2.6); wildcard (`type/subtype` with `*`) outside Accept context refuse; vendor tree (`vnd.*`), personal tree (`prs.*`), and unregistered (`x.*` / `x-*`) namespace audit so operators audit those slots; BIDI / zero-width / control / null-byte universal refuse. · *Risky-type refuse list* — Refuses executable + script-host content types: `application/x-msdownload`, `application/x-bat`, `application/x-msdos-program`, `application/x-sh`, `application/x-csh`, `application/x-perl`, `application/x-python`, `application/javascript`, `application/x-javascript`, `text/javascript`, `text/x-javascript`, `application/x-shockwave-flash`, `application/x-msi`. · *Profiles + compliance postures* — Profiles: `strict` (refuse wildcard + risky-type, audit trees + parameters), `balanced` (audit most things, allow vendor tree), `permissive` (universal-refuse class still refused). Postures: `hipaa` / `pci-dss` / `soc2` strict overlay; `gdpr` balanced overlay. **References:** [RFC 6838 — Media Type Specifications and Registration Procedures](https://www.rfc-editor.org/rfc/rfc6838.html) · [RFC 7230 — HTTP/1.1 Message Syntax and Routing](https://www.rfc-editor.org/rfc/rfc7230.html) · [RFC 7231 — HTTP/1.1 Semantics and Content](https://www.rfc-editor.org/rfc/rfc7231.html)
+- v0.7.46 (2026-05-05) — **`b.guardTime` RFC 3339 / ISO 8601 datetime identifier-safety primitive.** Validates user-supplied datetime strings destined for audit timestamps, scheduling, retention windows, query ranges, and cross-system event correlation. Auto-registers into `b.guardAll` as a STANDALONE_GUARD. **Added:** *`b.guardTime` (KIND="identifier") datetime validator* — Validates user-supplied datetime strings against the RFC 3339 §5.6 grammar / ISO 8601. `sanitize` normalises a space date/time separator to `T` and uppercases the trailing `z` UTC marker. · *Threat catalog for datetime inputs* — Shape malformation against RFC 3339 §5.6; year-window overflow (default `[1970, 9999]`); naive datetime (no offset) refuse; non-UTC offset policy (strict requires `Z` / `+00:00`); leap-second `60` field policy (RFC 3339 §5.6 valid but parser-panic prone); excessive fractional precision cap (default 9 digits / nanoseconds); date-only and time-only refuse for full-datetime contexts; structural range violations (month / day-in-month / hour / minute / second); BIDI / zero-width / control / null-byte universal refuse. · *Profiles + compliance postures* — Profiles: `strict` (refuse all of the above), `balanced` (refuse naive; audit non-UTC + leap + fractional + date/time-only), `permissive` (universal-refuse class still refused). Postures: `hipaa` / `pci-dss` / `soc2` strict overlay; `gdpr` balanced overlay. **References:** [RFC 3339 — Date and Time on the Internet](https://www.rfc-editor.org/rfc/rfc3339.html) · [ISO 8601](https://www.iso.org/iso-8601-date-and-time-format.html)
+- v0.7.45 (2026-05-05) — **`b.guardCidr` CIDR identifier-safety primitive.** Validates user-supplied CIDR notation strings (IPv4 + IPv6) destined for network allowlists, ACLs, security-group rules, and tenant-boundary configuration. Auto-registers into `b.guardAll` as a STANDALONE_GUARD. **Added:** *`b.guardCidr` (KIND="identifier") CIDR validator* — Validates user-supplied IPv4 and IPv6 CIDR notation strings before they reach allowlists / ACLs / security-group rules / tenant-boundary configuration. · *CIDR threat catalog* — Shape malformation, IPv4 octet overflow + leading-zero refuse, IPv6 zero-group ambiguity, mask out-of-range (IPv4 32 / IPv6 128 ceiling), network-address misalignment (host bits set on a non-/32 / non-/128 prefix — common typo class). BIDI / zero-width / control / null-byte universal refuse. · *Reserved-range membership detection* — Covers all IPv4 RFC 1918 private blocks (`10/8`, `172.16/12`, `192.168/16`), loopback `127/8`, link-local `169.254/16`, multicast `224/4`, class-E `240/4`, RFC 5737 documentation `192.0.2/24` + `198.51.100/24` + `203.0.113/24`, benchmarking `198.18/15`, CGNAT `100.64/10`, this-network `0/8`, plus IPv6 loopback `::1`, unspecified `::/128`, ULA `fc00::/7`, link-local `fe80::/10`, multicast `ff00::/8`, documentation `2001:db8::/32`, teredo, deprecated 6to4 `2002::/16`. · *IPv4-mapped IPv6 dual-stack confusion* — Detects `::ffff:0:0/96` dual-stack confusion (CVE-2021-22931 IPv6 variant). Bare-IP-without-mask policy: strict refuses, balanced audits, permissive allows. · *Profiles + compliance postures* — Profiles: `strict` / `balanced` / `permissive`. Postures: `hipaa` / `pci-dss` / `soc2` strict overlay; `gdpr` balanced overlay. **References:** [RFC 1918 — Address Allocation for Private Internets](https://www.rfc-editor.org/rfc/rfc1918.html) · [RFC 5737 — IPv4 Address Blocks Reserved for Documentation](https://www.rfc-editor.org/rfc/rfc5737.html) · [CVE-2021-22931 — Node.js IPv6 / IPv4-mapped resolution](https://nvd.nist.gov/vuln/detail/CVE-2021-22931)
+- v0.7.44 (2026-05-05) — **`b.guardUuid` UUID identifier-safety primitive.** Validates user-supplied UUID strings per RFC 9562 (May 2024, obsoletes RFC 4122). Auto-registers into `b.guardAll` as a STANDALONE_GUARD; the adaptive integration harness picks it up via the KIND="identifier" dispatcher. **Added:** *`b.guardUuid` (KIND="identifier") UUID validator* — Validates user-supplied UUID strings against RFC 9562. Recognises the four canonical forms (hyphenated 8-4-4-4-12, hyphenless 32-hex, Microsoft GUID braces `{...}`, `urn:uuid:` prefix) and refuses shape malformations. `sanitize` returns canonical lowercase hyphenated form (strips braces / urn prefix). · *Threat catalog for UUID inputs* — Refuses RFC 9562 §4.2 unassigned version digits (only 1-8 are defined); refuses non-RFC 4122 variant bits (only the `10xx` high-bits family is the canonical UUID variant); refuses nil UUID §5.9 / max UUID §5.10 sentinel-leak shapes; enforces a format policy (strict default = `hyphenated-only`); BIDI / zero-width / control / null-byte universal refuse via `lib/codepoint-class.js`. · *Profiles + compliance postures* — Profiles: `strict` (hyphenated-only, refuse all sentinels and non-canonical forms), `balanced` (accept any form, audit sentinels), `permissive` (universal-refuse class still refused). Postures: `hipaa` / `pci-dss` / `soc2` strict overlay; `gdpr` balanced overlay. **References:** [RFC 9562 — Universally Unique IDentifiers (UUIDs)](https://www.rfc-editor.org/rfc/rfc9562.html) · [RFC 4122 (obsoleted)](https://www.rfc-editor.org/rfc/rfc4122.html)
+- v0.7.43 (2026-05-05) — **`b.guardDomain` — domain-name identifier-safety primitive (KIND="identifier"). Validates.** user-supplied DNS names destined for allowlists, redirect targets, webhook endpoints, email-domain extraction, and CORS origin checks. **Added:** *`b.guardDomain` — domain-name identifier-safety primitive (KIND="identifier"). Validates* — `b.guardDomain` — domain-name identifier-safety primitive (KIND="identifier"). Validates user-supplied DNS names destined for allowlists, redirect targets, webhook endpoints, email-domain extraction, and CORS origin checks. Threat catalog: RFC 1035 §2.3.4 length caps (63 octets per label, 253 octets per FQDN), RFC 952 / 1123 LDH-rule violations (no leading/trailing hyphen, no `--` at positions 3-4 except `xn--`), IDN homograph mixed-script confusables (Latin / Cyrillic / Greek / Cherokee / Armenian / Han / Hiragana / Katakana / Hangul / Arabic / Hebrew range tables), BIDI / zero-width / control / null universal refuse via `lib/codepoint-class.js` (CVE-2021-42574 Trojan Source class), Punycode A-label malformation (bare `xn--`, double-encoded), RFC 6761 special-use suffix matching (`.localhost` / `.local` / `.invalid` / `.test` / `.onion` / `.alt` / `.home.arpa` / `.internal`), IPv4-as-domain confusion (CVE-2021-22931 — dotted-decimal / octal / hex / long-decimal forms), IPv6 bracket-literal, single-label / TLD-only refuse, wildcard `*` label refuse at every profile, RFC 8552 underscore-service-label policy, DGA Shannon-entropy heuristic for high-entropy long single labels (Mirai / Conficker C2 shape). Profiles: `strict` (Latin-only scripts, refuse-on-everything), `balanced` (audit Punycode, allow major international scripts, audit DGA), `permissive` (universal-refuse class still refused; everything else audit / allow). Compliance postures: `hipaa` / `pci-dss` / `soc2` strict overlay; `gdpr` balanced overlay. Auto-registers into `b.guardAll` as a STANDALONE_GUARD; the adaptive integration harness at `test/layer-5-integration/guard-host-integration.test.js` picks it up automatically. Defer-with-condition: full UTS #46 ToASCII / ToUnicode round-trip and Public-Suffix-List boundary enforcement ship behind operator-supplied callbacks (`opts.idnToAscii`, `opts.publicSuffixList`); re-open conditions are documented in the wiki page. **References:** [RFC 1035](https://www.rfc-editor.org/rfc/rfc1035.html) · [RFC 952](https://www.rfc-editor.org/rfc/rfc952.html) · [RFC 6761](https://www.rfc-editor.org/rfc/rfc6761.html) · [RFC 8552](https://www.rfc-editor.org/rfc/rfc8552.html) · [CVE-2021-42574](https://nvd.nist.gov/vuln/detail/CVE-2021-42574) · [CVE-2021-22931](https://nvd.nist.gov/vuln/detail/CVE-2021-22931)
+- v0.7.42 (2026-05-05) — **Gitleaks allowlist for v0.** 7.28 CHANGELOG doc-snippet false-positive. The v0.7.28 release-notes entry for `b.crypto.encryptMlkem768X25519` includes a JS-object-literal code example with a `privateKey: mlkemPrivateKey` field; gitleaks' default `generic-api-key` rule fires on the high-entropy content adjacent to the `privateKey:` token, blocking every release-tag CI run since v0.7.38. **Added:** *Gitleaks allowlist for v0* — gitleaks allowlist for v0.7.28 CHANGELOG doc-snippet false-positive. The v0.7.28 release-notes entry for `b.crypto.encryptMlkem768X25519` includes a JS-object-literal code example with a `privateKey: mlkemPrivateKey` field; gitleaks' default `generic-api-key` rule fires on the high-entropy content adjacent to the `privateKey:` token, blocking every release-tag CI run since v0.7.38. Allowlisted by commit + fingerprint per the same pattern as the existing `74e627e` entry — surgical suppression of the documented false positive, no broader rule weakening. Working-tree-only or rule-disabling alternatives were rejected: gitleaks' `git`-history scan is the stricter gate (catches secrets that landed and were later removed) and the documented snippet contains no real secret.
+- v0.7.41 (2026-05-05) — **Wiki primitive-validator BACKLOG sweep: 50 of 101 entries pruned.** Audited every entry in `examples/wiki/test/validate-primitive-sections.js`'s `UNDOCUMENTED_BACKLOG` map against the actual wiki page bodies; primitives that already have signature-form headings (`b.X.Y(...)`) discovered by the validator no longer need a BACKLOG entry suppressing them. **Added:** *Wiki primitive-validator BACKLOG sweep: 50 of 101 entries pruned* — wiki primitive-validator BACKLOG sweep: 50 of 101 entries pruned. Audited every entry in `examples/wiki/test/validate-primitive-sections.js`'s `UNDOCUMENTED_BACKLOG` map against the actual wiki page bodies; primitives that already have signature-form headings (`b.X.Y(...)`) discovered by the validator no longer need a BACKLOG entry suppressing them. Removed entries: `consent`, `websocketChannels`, `ssrfGuard`, `htmlBalance`, `csv`, `uuid`, `time`, `mailBounce`, `archive`, `breakGlass`, `forms`, `render`, `errorPage`, `cluster`, `safeBuffer`, `safeSql`, `safeUrl`, `retry`, `fileType`, `scheduler`, `jobs`, `backup`, `restore`, `i18n`, `cache`, `crypto`, `createApp`, `fileUpload`, `mtlsCa`, `pqcGate`, `pqcAgent`, `permissions`, `apiKey`, `webhook`, `notify`, `credentialHash`, `queue`, plus the 11-guard family (`guardEmail` through `guardAll`). The remaining 51 entries fall into three real classes: namespace-level entries with method-only headings (vault primitives, audit chain, etc.), pages structured around backend-builder patterns instead of flat methods (`objectStore`, `backupBundle`, etc.), and internal helpers that aren't part of the operator surface (`cli`, `boot`, `dev`, `protocolDispatcher`). The shrunk BACKLOG narrows the gap operators see between "covered by the parent's wiki page" and "actually drift waiting to be fixed.".
+- v0.7.40 (2026-05-05) — **RFC 8617 ARC chain-validity hardening: duplicate-instance refusal, gap detection, hop ceiling, per-hop `cv=` rule enforcement.** Closes a class of chain-injection holes the prior `arcVerify` would silently accept. Duplicate instance — two `ARC-Seal` (or AMS / AAR) headers at the same `i=N` now fail with `reason: "duplicate-instance"` instead of silently letting the second header overwrite the first signer's record (the latter is a known forwarder-injection attack). **Fixed:** *Duplicate instance* — two `ARC-Seal` (or AMS / AAR) headers at the same `i=N` now fail with `reason: "duplicate-instance"` instead of silently letting the second header overwrite the first signer's record (the latter is a known forwarder-injection attack). · *Non-contiguous chain* — gap detection (`i=1, i=3` with no `i=2`) now correctly fails with `reason: "incomplete-or-non-contiguous"`. The prior `.some()` check skipped sparse-array empty slots and let the gap through. · *Hop ceiling* — RFC 8617 §5.1.2 caps the chain at 50 sets; verifier now refuses with `reason: "too-many-hops"`. · *Per-hop `cv=` rules* — i=1 MUST be `cv=none` (no upstream chain to validate); i≥2 MUST be `cv=pass` or `cv=fail` (cv=none invalid past hop 1); a downstream `cv=pass` after an upstream `cv=fail` is invalid (a hop can't claim chain-pass when an earlier hop saw it fail). Each violation surfaces with a structured `reason` field. Result shape gains `perHopCv: [string|null,...]` (one entry per hop) and `reason: string` when `chainStatus === "fail"` so operators can distinguish "signature failed" from "chain rules violated" without parsing free-text errors. **References:** [RFC 8617](https://www.rfc-editor.org/rfc/rfc8617.html)
+- v0.7.39 (2026-05-05) — **RFC 8954 OCSP nonce extension default-on, plus persistent-log reliability fix in the smoke runner.** `b.network.tls.ocsp.buildRequest(opts)` (NEW) — constructs a DER-encoded OCSPRequest for a single (`leafCertDer`, `issuerCertDer`) pair. The RFC 8954 nonce extension is on by default (security-defaults-on rule); operators talking to responders that ignore nonces opt out via `nonce: false`. **Fixed:** *`b.network.tls.ocsp.buildRequest(opts)`* — (NEW) — constructs a DER-encoded OCSPRequest for a single (`leafCertDer`, `issuerCertDer`) pair. The RFC 8954 nonce extension is on by default (security-defaults-on rule); operators talking to responders that ignore nonces opt out via `nonce: false`. Default nonce length is 16 bytes (RFC 8954 §2.1 floor 1, ceiling 32 — `nonceLen` overrides). CertID hashes are SHA-1 per RFC 6960 §4.1.1 (the universally-supported algorithm; SHA-256 in OCSP requests is §4.3 optional and many responders reject). Returns `{ requestDer, nonce }`. Operators send `requestDer` to the OCSP responder URL via `b.httpClient` (Content-Type: `application/ocsp-request`) and pass the returned `nonce` Buffer to `evaluate(responseDer, { issuerPem, expectedNonce })` — defends against replay attacks where an attacker captures a "good" OCSP response and replays it after the cert is revoked. · *DER writer surface added to `lib/asn1-der.js`* — `writeNode` / `writeSequence` / `writeOctetString` / `writeInteger` / `writeNull` / `writeOid` / `writeContextExplicit` (minimal, ~80 lines, X.690 short + long-form length encoding). · *`evaluate(der, opts)` accepts `expectedNonce`* — when supplied, the response's nonce extension MUST match (else `tls/ocsp-nonce-mismatch`). Result shape gains a `nonce` field: `"matched"` / `"present-not-checked"` / `"n/a"`. · *Smoke-runner persistent log reliability fix* — the `.test-output/smoke.log` tee was using `fs.createWriteStream` (async); when the runner threw on a test failure the buffer didn't flush before `process.exit`, so the failure detail never reached the log. Replaced with synchronous `fs.writeSync` against an open fd — every byte hits disk before exit. Surface change for diagnosing future failures: the log now ALWAYS captures the failure stack instead of truncating mid-run. **References:** [RFC 8954](https://www.rfc-editor.org/rfc/rfc8954.html) · [RFC 6960](https://www.rfc-editor.org/rfc/rfc6960.html)
+- v0.7.38 (2026-05-05) — **RFC 6698 + RFC 7672 DANE certificate-chain verification, plus smoke-runner LPT scheduling and a wiki failure-detail bugfix.** `b.network.smtp.dane.verifyChain(certChain, tlsaRecords, opts?)` (NEW) — walks the peer cert chain (leaf-first DER buffers — typically `sock.getPeerCertificate(true).raw`) and confirms at least one TLSA record matches per the record's usage / selector / mtype. **Added:** *`b.network.smtp.dane.verifyChain(certChain, tlsaRecords, opts?)`* — (NEW) — walks the peer cert chain (leaf-first DER buffers — typically `sock.getPeerCertificate(true).raw`) and confirms at least one TLSA record matches per the record's usage / selector / mtype. SMTP outbound (RFC 7672) only honors `DANE-TA` (2) and `DANE-EE` (3); `PKIX-TA` (0) and `PKIX-EE` (1) require a full PKIX path validator + CA-bundle and are refused unless the operator opts in via `allowPkixModes`. Selector `Cert` (0) compares the full DER; selector `SPKI` (1) compares the SubjectPublicKeyInfo bytes (extracted via the framework ASN.1 walker). Matching types: `Full`, sha-two-family at the short-digest length, sha-two-family at the long-digest length. Returns `{ ok, matches: [{ tlsaIndex, certIndex, usage, mtype }], errors }`. · *ASN.1 walker* — `lib/asn1-der.js` `readNode` now surfaces a `.raw` field on each node (header + value bytes from the source buffer) so SPKI extraction can return the exact wire bytes for byte-identical TLSA matching. · *Smoke-runner LPT scheduling* — `test/smoke.js` parallel mode now uses Longest-Processing-Time-first scheduling with a continuous worker queue. Per-test durations persist under `.test-output/smoke-timings.json` keyed by `process.platform` (so host win32/darwin and Linux container don't pollute each other's medians) with a 5-run history per test. Replaces the prior batched `Promise.all(slice(i, i + PARALLEL))` scheduling that left workers idle when one batch contained the long-tail test. · *Wiki failure-detail bugfix* — `examples/wiki/test/e2e.js` was printing the per-example failure list AFTER the assert that throws on failure → operators only saw "1 of 178 failed" without WHICH example. Reordered so failure detail prints first. **References:** [RFC 6698](https://www.rfc-editor.org/rfc/rfc6698.html) · [RFC 7672](https://www.rfc-editor.org/rfc/rfc7672.html)
+- v0.7.37 (2026-05-05) — **RFC 8460 TLS-RPT submission transport via `b.network.smtp.tlsRpt`.** Adds `fetchPolicy` + `submit`. The previous `recordShape` only generated the JSON; operators had to wire submission themselves. **Added:** *`b.network.smtp.tlsRpt.fetchPolicy(domain, opts)`* — (NEW) — reads the RFC 8460 §3 `_smtp._tls.<domain>` TXT record and returns `{ version, rua: [string,...] }` where `rua` is the comma-separated list of report URIs (`https://` and `mailto:`) the recipient publishes. Returns `null` when no record is published. `opts.dnsLookup` is operator-supplied so the call composes with `b.network.dns` (DoH / DoT) without a hard dep; falls back to `node:dns/promises.resolveTxt`. · *`b.network.smtp.tlsRpt.submit(report, opts)`* — (NEW) — submits a TLS-RPT report to the published rua endpoints. `https://` URIs receive an HTTPS `POST` with `Content-Type: application/tlsrpt+gzip` and a gzip-compressed JSON body per RFC 8460 §6.2. `mailto:` URIs return a prepared `{ to, subject, contentType, encoding, body }` object so operators hand it to `b.mail` with their configured relay (the framework doesn't bake an SMTP relay in — operators wire transport per their environment). Per-endpoint result records carry `{ uri, kind, ok, status, error }` so a failure on one rua doesn't cascade. Routes through `b.httpClient` so SSRF + DNS-pin + retry policy come for free. **References:** [RFC 8460](https://www.rfc-editor.org/rfc/rfc8460.html)
+- v0.7.36 (2026-05-05) — **RFC 7633 must-staple enforcement via `b.network.tls.ocsp.inspectMustStaple`.** Adds `inspectMustStaple` + a `requireMustStaple` predicate. The TLS Feature extension (OID `1.3.6.1.5.5.7.1.24`) is the cert-side contract that says "every connection MUST carry an OCSP staple"; clients that ignore the extension defeat its purpose. **Added:** *`b.network.tls.ocsp.inspectMustStaple(rawDer)`* — (NEW) — walks the X.509 cert DER and reads the TLS Feature extension. Returns `{ mustStaple, features }` where `mustStaple === true` when status_request (5) is in the feature list. Tolerant of malformed cert input (returns `{ mustStaple: false, features: [] }` rather than throwing). · *`b.network.tls.ocsp.requireMustStaple(opts)`* — (NEW) — operator predicate `(peerCert, ctx) → Error|null`. Refuses connections where the cert advertises must-staple but `ctx.ocspBytes` is empty/missing per RFC 7633 §4.2.3. `opts.enforceUnconditional: true` extends the policy to refuse staple-less responses on certs that don't carry must-staple — operator-stricter-than-RFC posture. Error codes: `tls/ocsp-no-cert` / `tls/ocsp-must-staple-violated` / `tls/ocsp-staple-required`. **References:** [RFC 7633](https://www.rfc-editor.org/rfc/rfc7633.html)
+- v0.7.35 (2026-05-05) — **DKIM verify hardening: process-local key cache + RSA modulus-size enforcement + `l=` warning.** Process-local DKIM key cache — `_fetchDkimKey` now caches each successful TXT lookup keyed by `<selector>._domainkey.<domain>` for 5 minutes (TTL-bounded; rotated keys propagate within minutes). LRU-ish eviction at 1024 entries. Mailing-list fan-out and bulk-replay scenarios that previously hammered DNS for the same selector now hit the cache. **Fixed:** *Process-local DKIM key cache* — `_fetchDkimKey` now caches each successful TXT lookup keyed by `<selector>._domainkey.<domain>` for 5 minutes (TTL-bounded; rotated keys propagate within minutes). LRU-ish eviction at 1024 entries. Mailing-list fan-out and bulk-replay scenarios that previously hammered DNS for the same selector now hit the cache. · *RSA modulus-size enforcement* — RSA keys < 1024 bits hard-fail per RFC 8301 §3.1; keys < 2048 bits emit a `rsa-key-weak` warning so operators can quarantine while transitioning. Reads `keyObj.asymmetricKeyDetails.modulusLength` from `node:crypto`. · *`l=` body-length warning on verify* — the framework refuses `l=` at SIGN-time per v0.7.18 (M³AAWG / Gmail / Microsoft 365 guidance). On VERIFY of inbound mail, an `l=` tag now surfaces as `l-tag-present: append-after-signature exposure (RFC 6376 §8.2)` in the result's `warnings` array. The verifier still honors the cap so legitimate senders that use `l=` don't break, but operators see the exposure. Verify-result shape gains a `warnings` field on `pass` / `fail` results (alongside the existing `errors` array). **References:** [RFC 8301](https://www.rfc-editor.org/rfc/rfc8301.html) · [RFC 6376](https://www.rfc-editor.org/rfc/rfc6376.html)
+- v0.7.34 (2026-05-05) — **`b.network.tls.ct.verifyScts` with real RFC 6962 / 9162 Signed Certificate Timestamp signature.** verification, plus `b.network.tls.ct.parseScts` ASN.1 walker. **Added:** *`b.network.tls.ct.parseScts(rawDer)`* — (NEW) — full ASN.1 walk; returns `[{ version, logIdHex, timestamp, signature, ... }]` or `[]` when no SCT extension present (tolerant of malformed cert input — returns empty rather than throwing). · *`b.network.tls.ct.verifyScts(rawDer, opts)`* — (NEW) — full verification. `opts.logKeys` maps log_id (hex SHA-256 of the log's pubkey) → PEM public key; operators populate from the Chrome CT log list (the framework doesn't bake log keys in — they rotate). Returns `{ ok, verifiedCount, totalScts, reason, scts: [{ logIdHex, verified, ... }] }`. · *`b.network.tls.ct.requireScts({ minScts, logKeys })`* — (UPGRADED) — was OID-presence-only; now performs full signature verification. Reason-prefixed error codes: `tls/ct-no-cert` / `tls/ct-no-sct-extension` / `tls/ct-insufficient-verified` / `tls/ct-not-verified`. Breaking — `network.tls.ct.APPROVED_LOGS` removed. The hardcoded log-list instance was always a stand-in; CT logs rotate keys and add/remove entries on the order of months. Operators now pass `logKeys` per call. Pre-v1, no compat shim. **References:** [RFC 6962](https://www.rfc-editor.org/rfc/rfc6962.html)
+- v0.7.33 (2026-05-05) — **`b.network.tls.ocsp.requireGood` with real signature verification, plus a focused ASN.1 DER walker.** for the framework's narrow cryptographic uses. `lib/asn1-der.js` (NEW) — minimal DER walker exposing `readNode` / `readSequence` / `readOid` / `readOctetString` / `readUnsignedInt` / `readBitString` / `unwrapExplicit`. Refuses BER indefinite-length encoding (DER-only). **Added:** *`lib/asn1-der.js`* — (NEW) — minimal DER walker exposing `readNode` / `readSequence` / `readOid` / `readOctetString` / `readUnsignedInt` / `readBitString` / `unwrapExplicit`. Refuses BER indefinite-length encoding (DER-only). Throws `Asn1Error` with stable error codes (`asn1/short` / `asn1/bad-length` / `asn1/oid-malformed` / `asn1/wrong-tag` / etc.). · *`b.network.tls.ocsp.parseResponse(der)`* — RFC 6960 OCSPResponse parser. Returns `{ status, basic: { tbsResponseDataDer, signatureAlgorithmOid, signature, responses[] } }`. Each response carries `{ certIdSerialHex, certStatus, thisUpdate, nextUpdate }`. · *`b.network.tls.ocsp.evaluate(der, { issuerPem, serialHex? })`* — full verification: parse + signature-verify against the operator-supplied issuer cert (rsa-sha256/384/512 + ecdsa-sha256/384/512) + certStatus check. Returns `{ ok, status, certStatus, thisUpdate, nextUpdate, signatureValid, errors }`. · *`b.network.tls.ocsp.requireGood(opts)`* — (NEW) — connect + parse + signature-verify + certStatus check in one call. Throws `tls/ocsp-not-good` when the OCSP response is malformed, unsigned, signed-by-wrong-key, or carries `certStatus=revoked/unknown`. The honest counterpart to v0.7.31's `requireStapled` rename: `requireStapled` checks presence only (existing wrapper), `requireGood` does the full RFC 6960 validation. **References:** [RFC 6960](https://www.rfc-editor.org/rfc/rfc6960.html)
+- v0.7.32 (2026-05-05) — **Wiki backfill for v0.** 7.18-31 primitives + parallel e2e example execution. **Added:** *Wiki primitive-signature regex relaxed* — was `b.X.Y(...)` two-level only; now also matches `b.X(args)` top-level functions like `b.pick`, `b.lazyRequire`, `b.createApp`. · *Parallel e2e example execution* — `examples/wiki/test/validate-primitive-sections.js` `runExamples()` now respects `SMOKE_PARALLEL=N` (capped at 64) and forks the per-example child processes in parallel batches. Timing: 78s sequential → 15s parallel-64 (5.2× speedup). Same env var as smoke; `SMOKE_PARALLEL=1` falls back to sequential for diagnosis.
+- v0.7.31 (2026-05-05) — **DKIM verify + ARC per-hop signature verification + wiki missing-section gate.** `b.mail.dkim.verify(rfc822, opts)` (NEW) — RFC 6376 verifier counterpart to the existing signer. **Fixed:** *`b.mail.dkim.verify(rfc822, opts)`* — (NEW) — RFC 6376 verifier counterpart to the existing signer. Walks every `DKIM-Signature` header in the message, parses the tag list, fetches the signing public key from DNS TXT at `<selector>._domainkey.<domain>` (operator passes `dnsLookup` callback or falls back to `node:dns/promises.resolveTxt`), canonicalizes the body + headers per the `c=` tag, and runs `node:crypto.verify`. Returns one result per signature: `{ d, s, alg, result, errors }` where result is `pass` / `fail` / `permerror` / `temperror` / `none`. Supports `rsa-sha256` and `ed25519-sha256`. · *`b.mail.arc.verify(rfc822, opts)`* — (UPGRADED) — was structural-only; now performs full per-hop ARC-Message-Signature + ARC-Seal signature verification per RFC 8617 §5.1.1 and §5.1.2. AMS reuses the DKIM verifier (identical cryptographic shape); AS canonicalizes the chain of prior AAR/AMS/AS headers + own AAR/AMS plus AS-with-empty-`b=` per §5.1.2. Returns `{ chainStatus, hopCount, cv, hops: [{ instance, amsResult, asResult, ... }] }`. Chain validity per §5.2 — most recent AS's `cv=` must reflect upstream validity. · *DKIM signer fold-output fix* — `_foldSignatureHeader` was producing malformed wire (`v=1\r\n\ta=rsa-sha256;\r\n\t...` — missing `;` after the first segment). RFC 6376 §3.2 requires `;` to stay on the prior line at fold boundaries. The corrected output is `v=1;\r\n\ta=rsa-sha256;\r\n\t...`. Pre-v1, no compat shims — operators rotate keys / rebuild any saved signatures. · *`b.network.tls.ocsp.requireGood` → `requireStapled`* — (RENAMED) — the wrapper claimed "good" but only checked stapling-presence + non-empty bytes; full OCSP-response signature verification is a follow-up patch alongside an ASN.1 DER helper. The honest name keeps the surface from claiming verification it doesn't perform. · *Wiki missing-section gate* — `examples/wiki/test/validate-primitive-sections.js` now enumerates every operator-facing primitive on `b.*` and refuses release if a primitive lacks a documented wiki section. Pre-v0.7.31 backlog explicitly listed in `UNDOCUMENTED_BACKLOG` with per-primitive reasons (most are documented under existing pages with prose-form rather than signature-form headings — backfilling the headings is a separate sweep). New primitives shipped from v0.7.31 forward MUST either land with a wiki section OR add an explicit BACKLOG entry. **References:** [RFC 822](https://www.rfc-editor.org/rfc/rfc822.html) · [RFC 6376](https://www.rfc-editor.org/rfc/rfc6376.html) · [RFC 8617](https://www.rfc-editor.org/rfc/rfc8617.html)
+- v0.7.30 (2026-05-05) — **`b.mail.spf` + `b.mail.dmarc` + `b.mail.arc` inbound mail authentication-results verification.** family. Counterpart to the existing outbound DKIM signer. Operators receiving mail (incoming webhooks, customer-support inboxes, mailing-list ingestion, .eml uploads) evaluate sender authenticity and decide on accept / quarantine / reject. **Added:** *`b.mail.spf.verify({ ip, mailFrom, helo, dnsLookup })`* — RFC 7208 SPF check with ip4 / ip6 / include / all mechanisms; recursive include resolution with the 10-DNS-lookup ceiling per §4.6.4; returns `{ result, domain, explanation, lookupCount }` where result is one of `pass` / `fail` / `softfail` / `neutral` / `none` / `temperror` / `permerror`. · *`b.mail.dmarc.evaluate({ from, spf, dkim, dnsLookup })`* — RFC 7489 DMARC alignment + policy resolution; fetches `_dmarc.<domain>` TXT record, evaluates `aspf` / `adkim` (relaxed/strict) alignment between From-header domain and SPF/DKIM authenticated domains, returns `{ result, policy, alignment, recommendedAction }` where recommendedAction is `deliver` / `quarantine` / `reject` per the published policy. · *`b.mail.arc.verify(rfc822)`* — RFC 8617 ARC chain inspection; parses `ARC-Seal` / `ARC-Message-Signature` / `ARC-Authentication-Results` headers, returns `{ chainStatus, hopCount, hops }` with status `pass` / `fail` / `none` (structural integrity only — per-hop signature verification deferred to a follow-up patch). · *Wiki e2e parallelizable* — added `BLAMEJS_E2E_DATA_DIR` env override so the host wiki e2e and the Linux container wiki e2e can run in parallel without colliding on `examples/wiki/data-e2e`. Out of scope (deferred): SPF a / mx / exists / ptr / redirect mechanisms (operator-supplied dnsLookup callback handles the rare cases via permerror); full DKIM verify path (composes the canonicalization helpers from lib/mail-dkim.js but needs the symmetric verifier — substantial follow-up); ARC per-hop signature verification (depends on the DKIM verifier). The framework gives operators the OUTCOME-policy layer + the structural verifier; the deferred items address the residual signature-verification surface. **References:** [RFC 7208](https://www.rfc-editor.org/rfc/rfc7208.html) · [RFC 7489](https://www.rfc-editor.org/rfc/rfc7489.html) · [RFC 822](https://www.rfc-editor.org/rfc/rfc822.html) · [RFC 8617](https://www.rfc-editor.org/rfc/rfc8617.html)
+- v0.7.29 (2026-05-05) — **`b.network.smtp` MTA-STS + DANE + TLS-RPT outbound SMTP gates. Gmail and Microsoft 365 penalize.** senders without these policies; the framework now ships the operator surface for verifying recipient-domain policies before opening the SMTP socket. `b.network.smtp.mtaSts.fetch(domain)` — fetches `https://mta-sts.<domain>/.well-known/mta-sts.txt`, parses the policy text, returns `{ version, mode, mx[], max_age }` or `null` (domain doesn't publish). **Added:** *`b.network.smtp.mtaSts.fetch(domain)`* — fetches `https://mta-sts.<domain>/.well-known/mta-sts.txt`, parses the policy text, returns `{ version, mode, mx[], max_age }` or `null` (domain doesn't publish). TTL-bounded `b.cache` per-process. · *`b.network.smtp.mtaSts.matchMx(mxHost, mxList)`* — RFC 8461 §3.2 wildcard-aware MX matcher (`*.example.com` matches `mx.example.com` but not `a.b.example.com`). · *`b.network.smtp.dane.tlsa(domain, port?)`* — DNS TYPE 52 lookup via `node:dns.resolveTlsa`; returns `[{ usage, selector, mtype, dataHex }, ...]` for the `_<port>._tcp.<domain>` qname. · *`b.network.smtp.dane.recordShape(rec)`* — adds RFC 6698 human-readable labels (`PKIX-TA` / `PKIX-EE` / `DANE-TA` / `DANE-EE`; `Cert` / `SPKI`; `Full` / `SHA-256` / `SHA-512`). · *`b.network.smtp.tlsRpt.recordShape(opts)`* — RFC 8460 TLS-RPT JSON report-shape generator with `organization-name` / `date-range` / `policies[].summary.total-{successful,failure}-session-count` / `failure-details`. Operators wire their report transport (SMTP / HTTPS) on top. Out of scope (deferred): full DANE certificate-chain verification per RFC 6698 (needs ASN.1 cert parsing); TLS-RPT submission transport (operator-side); DNSSEC ad-bit validation (operators pin to a DNSSEC-validating resolver externally). **References:** [RFC 8461](https://www.rfc-editor.org/rfc/rfc8461.html) · [RFC 6698](https://www.rfc-editor.org/rfc/rfc6698.html) · [RFC 8460](https://www.rfc-editor.org/rfc/rfc8460.html)
+- v0.7.28 (2026-05-05) — **`ML_KEM_768_X25519` second envelope (TLS-interop hybrid).** The IETF / Cloudflare / Chrome standardized hybrid for TLS 1.3 (codepoint 0x11EC, draft-kwiatkowski-tls-ecdhe-mlkem). Smaller payload than ML-KEM-1024 + P-384 (~1.1 KB vs ~1.6 KB), wider interop with non-blamejs peers using the same hybrid (Cloudflare Workers / Chrome / blamejs-on-the-other-side). **Added:** *`b.crypto.SUPPORTED_KEM_ALGORITHMS`* — lists every KEM hybrid the framework accepts on decrypt — `ml-kem-1024` / `ml-kem-1024-p384` (default) / `ml-kem-768-x25519` — for compliance audit visibility. `ACTIVE.KEM` stays on `ML_KEM_1024_P384`; the new hybrid is opt-in for cross-system interop.
+- v0.7.27 (2026-05-05) — **`b.compliance` top-level posture coordinator. Single source of truth for "what regulatory posture.** is this deployment running under?". Primitives with a `compliancePosture` opt fall back to the global setting when the operator hasn't passed one explicitly. Surface: `b.compliance.set("hipaa")` / `b.compliance.current()` / `b.compliance.assert("hipaa")` / `b.compliance.clear()`. **Added:** *`KNOWN_POSTURES`* — `hipaa` / `pci-dss` / `gdpr` / `soc2` / `dora` / `sox`. · *Boot-time only* — `set()` to a different posture after one is already active throws `compliance/already-set` (runtime switches forbidden — half-set state across initialized primitives is worse than no state); same-value re-set is idempotent. · *Audit emissions* — `compliance.posture.set` on every successful set, `compliance.posture.cleared` on `clear()`. Wired into `b.gateContract.resolveProfileAndPosture` so every guard-* family member picks up the global posture as fallback when no per-call `compliancePosture` is given. Operators with multi-tenant deploys keep using per-call `compliancePosture` opts to override the global.
+- v0.7.26 (2026-05-05) — **`b.network.tls.ocsp` + `b.network.tls.ct` operator surface for OCSP enforcement and CT SCT.** inspection. `b.network.tls.ocsp.connect(opts)` / `.requireGood(opts)` — wraps `tls.connect({ requestOCSP: true })` to give operators a one-call shape for "connect with OCSP request" and "refuse if peer didn't staple a good OCSP response". **Added:** *`b.network.tls.ocsp.connect(opts)` / `.requireGood(opts)`* — wraps `tls.connect({ requestOCSP: true })` to give operators a one-call shape for "connect with OCSP request" and "refuse if peer didn't staple a good OCSP response". Returns `{ authorized, ocspBytes, peerCert }` on success; rejects with `tls/ocsp-not-stapled` or `tls/ocsp-empty` from `requireGood` when the peer didn't deliver. · *`b.network.tls.ct`* — Certificate Transparency (RFC 6962 / 9162) operator surface. `ct.inspect(rawDer)` returns `{ hasSctExtension, rawLength }` after byte-pattern locating the SCT extension OID `1.3.6.1.4.1.11129.2.4.2`. `ct.requireScts({ minScts? })` returns a predicate operators wire into their TLS-connect outcome flow — refuses peer certs lacking the SCT extension with `tls/ct-no-sct-extension`. `ct.APPROVED_LOGS` lists the 2026-current Google Argon / Cloudflare Nimbus / DigiCert Yeti / Sectigo Sabre / LetsEncrypt Oak shards. Out of scope this patch (deferred): full ASN.1 OCSPRequest building and OCSPResponse parsing; full SCT-signature verification against log pubkeys (presence-only enforcement until the ASN.1 dependency lands). The framework gives operators the OUTCOME-policy layer; node:tls already does the protocol. **References:** [RFC 6962](https://www.rfc-editor.org/rfc/rfc6962.html)
+- v0.7.25 (2026-05-05) — **`b.dora` DORA Article 17 incident-reporting workflow.** Financial entities subject to DORA (Regulation (EU) 2022/2554) classify, document, and report ICT-related incidents per the Article 17 RTS template (Commission Delegated Regulation 2024/1772). The new primitive produces the harmonized record their submission code drops into the regulator's API. **Added:** *`b.dora.create({ audit })`* — Returns `{ classify, report, draftFinalReport }`. `classify(input)` evaluates the impact dimensions (`severityIndicator` / `affectedClients` / `economicImpact.eur` / `geographicScope` / `durationMs` / `dataAffected` / `reputationalImpact`) against the RTS Article 1 thresholds and returns `{ classification: "major"|"significant"|"minor", mustReport, mustReportInitialByMs, reasons }`. `report(input)` validates and builds the three-stage RTS-shaped record (initial / intermediate / final) with Article 19 deadlines auto-computed (initial → +72h intermediate due; intermediate → +30 days final due). `draftFinalReport(record)` returns a final-stage draft with the Article 19(6) fields ready for operator fill-in (`rootCause`, `remediationActions`, `lessonsLearned`, `preventiveMeasures`). · *RTS-aligned threshold constants* — `b.dora.MAJOR_INCIDENT_THRESHOLDS` and `b.dora.SIGNIFICANT_INCIDENT_THRESHOLDS` expose the numeric thresholds: 100k clients / 100k EUR / 2+ member states / 8h critical-process disruption (major); 10k clients / 10k EUR / 2h disruption (significant). · *Audit emissions* — `dora.incident.classified` / `dora.incident.reported` / `dora.incident.draftFinal` so the operator's audit chain captures every classification + submission moment alongside the rest of the compliance-relevant surface. **Changed:** *Operator-side submission stays out of scope* — Submission channel + credentials to ESAs / national supervisors are operator-specific; the primitive emits the RTS-shaped record and the operator's existing transport drops it into the regulator's API. The framework owns the record shape, not the wire. **References:** [DORA Regulation (EU) 2022/2554](https://eur-lex.europa.eu/eli/reg/2022/2554/oj) · [Commission Delegated Regulation (EU) 2024/1772](https://eur-lex.europa.eu/eli/reg_del/2024/1772/oj)
+- v0.7.24 (2026-05-05) — **`b.retention.complianceFloor` accessor for regulatory minimum-retention windows.** Operators get an explicit floor for record-retention TTLs keyed by compliance posture, so a too-short candidate TTL is silently bumped to the regulatory minimum instead of being honored as-is. **Added:** *`b.retention.complianceFloor(posture, candidateTtlMs?)`* — Returns the effective TTL that meets or exceeds the regulatory floor for the named posture. When `candidateTtlMs` exceeds the floor it wins; when it's below, the floor takes over. Throws `retention/unknown-posture` on unknown names so a typo at boot doesn't silently produce a non-compliant retention window. · *`b.retention.COMPLIANCE_RETENTION_FLOOR_MS`* — Exposes the per-posture regulatory minimums for compliance-audit visibility: `pci-dss` 365 days (PCI-DSS Req 10.7.1), `hipaa` 6 years (45 CFR §164.316(b)(2)), `sox` 7 years (Sarbanes-Oxley §802), `soc2` 1 year, `dora` 5 years (DORA Article 17). **References:** [PCI-DSS v4.0 Requirement 10.7](https://www.pcisecuritystandards.org/document_library/) · [45 CFR §164.316 HIPAA Security Rule](https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164) · [Sarbanes-Oxley Act §802](https://www.govinfo.gov/content/pkg/PLAW-107publ204/html/PLAW-107publ204.htm) · [DORA Regulation (EU) 2022/2554](https://eur-lex.europa.eu/eli/reg/2022/2554/oj)
+- v0.7.23 (2026-05-05) — **DNS-over-HTTPS default-on.** Default-on DoH for outbound DNS — `lib/network-dns.js` now uses Cloudflare DoH (`https://cloudflare-dns.com/dns-query`) for hostname resolution by default when neither `useDnsOverHttps()` nor `useDnsOverTls()` has been called explicitly. **Added:** *Default-on DoH for outbound DNS* — `lib/network-dns.js` now uses Cloudflare DoH (`https://cloudflare-dns.com/dns-query`) for hostname resolution by default when neither `useDnsOverHttps()` nor `useDnsOverTls()` has been called explicitly. Privacy-respecting (encrypted DNS over TLS to a non-ISP resolver), aligned with Core Rule §3 ("security defaults are not opt-in"). · *Local-form hosts route through node:dns* — RFC 6761 / 6762 special-form names (`localhost`, `*.localhost`, `*.local`, `*.test`, `*.invalid`, `*.internal`, `*.intranet`, `*.lan`, `*.home`, `*.corp`) AND IP literals skip DoH and use node:dns directly so `/etc/hosts` lookups + dev workflows continue to resolve correctly. · *Operator opt-out via `b.network.dns.useSystemResolver()`* — split-horizon / internal-DNS deployments call this once at boot and every lookup routes through the OS resolver thereafter. · *Env override `BLAMEJS_DNS_TRANSPORT`* — operators set `system` (force OS resolver), `dot` (force Cloudflare DNS-over-TLS at 1.1.1.1:853), or leave unset (default DoH). **References:** [RFC 6761](https://www.rfc-editor.org/rfc/rfc6761.html)
+- v0.7.22 (2026-05-05) — **DKIM dual-signer + soc2-cc7 → soc2 posture rename.** `b.mail.dkim.dualSigner` — RFC 8463 §3 transition signer that produces messages with BOTH a legacy RSA-SHA-256 DKIM-Signature AND an Ed25519-SHA-256 DKIM-Signature header. Receivers without Ed25519 support validate the RSA signature; receivers that prefer Ed25519 validate the post-quantum-friendlier signature. **Added:** *`b.mail.dkim.dualSigner`* — RFC 8463 §3 transition signer that produces messages with BOTH a legacy RSA-SHA-256 DKIM-Signature AND an Ed25519-SHA-256 DKIM-Signature header. Receivers without Ed25519 support validate the RSA signature; receivers that prefer Ed25519 validate the post-quantum-friendlier signature. Operators rolling off RSA-SHA-256 wire `b.mail.dkim.dualSigner({ domain, rsa: { selector, privateKey }, eddsa: { selector, privateKey } })` and pass the result anywhere a regular DKIM signer is accepted; `sign()` produces a wire with two `DKIM-Signature` headers. Both signers are constructed eagerly at create-time (configuration errors surface at boot, not at first send). · *soc2-cc7 → soc2 posture rename* — every guard's compliance posture name changes from `"soc2-cc7"` to `"soc2"`. The CC7-specific scoping was misleading (SOC 2 controls span CC1–CC9; the existing posture wasn't CC7-specific). Operators with `compliancePosture: "soc2-cc7"` MUST update to `compliancePosture: "soc2"` — the old name now throws `unknown compliance posture`. **References:** [RFC 8463](https://www.rfc-editor.org/rfc/rfc8463.html)
+- v0.7.21 (2026-05-05) — **Small primitive batch (5 fixes): TLS 1.** 3 framework-wide minimum, `b.safeRedirect`, `b.pick`, audit-sign legacy compat-shim removed, webhook PQC signatures emit base64url. Framework-wide TLS 1.3 minimum — `index.js` sets `tls.DEFAULT_MIN_VERSION = "TLSv1.3"` once at boot, before any framework module loads `node:tls`. **Fixed:** *Framework-wide TLS 1.3 minimum* — `index.js` sets `tls.DEFAULT_MIN_VERSION = "TLSv1.3"` once at boot, before any framework module loads `node:tls`. Applies to every TLS socket (outbound `https.request` / mail SMTP+STARTTLS / Redis-Postgres-Mongo TLS / `b.httpClient`, AND inbound `https.createServer` when blamejs is the listener). Per-call override still works for legacy peers. · *`b.safeRedirect`* — open-redirect (CWE-601) defense. `b.safeRedirect.resolve(rawTarget, { allowedOrigins, allowedHosts, fallback })` returns the safe URL (or fallback). Refuses protocol-relative (`//attacker.com`), backslash variants (`\\\\attacker.com`), control-char-laden (CRLF header injection), and `data:` / `javascript:` schemes; same-origin paths (`/dashboard`) and fragments (`#x`) pass through; full URLs require explicit allowlist. Operator drops the result straight into `res.writeHead(302, { Location: ... })`. · *`b.pick`* — mass-assignment (CWE-915 / OWASP API3:2023) defense. `b.pick(req.body, ["a", "b", ["nested", ["sub1"]]])` returns a NEW object with only allowlisted keys; prototype-pollution keys (`__proto__` / `constructor` / `prototype`) ALWAYS stripped even if listed. `opts.onUnknown: "throw"` rejects unknown keys instead of silently dropping. Nested allowlist syntax for object-shaped fields. · *Audit-sign legacy compat-shim removed* — `lib/audit-sign.js` no longer falls back to `ml-dsa-87` for key files missing the `algorithm` field. Throws `KEY_FILE_MISSING_ALG` / `UNWRAPPED_MISSING_ALG` at load time; operators with legacy files rotate the key (deletes + regenerates) or hand-edit to add `"algorithm": "slh-dsa-shake-256f"`. Pre-v1 compat-shim sweep per the no-pre-v1-compat rule. · *Webhook PQC signatures emit base64url* — `b.webhook` now signs to base64url (was hex). SLH-DSA-SHAKE-256f signatures are ~29.5 KB binary → ~40 KB base64url vs ~59 KB hex; the hex form blew past nginx default 8 KB / Cloudflare default 16 KB / many CDN edge limits. Verification accepts EITHER encoding for a transition window — base64url-shaped sig values decode as base64url; hex-shaped values decode as hex.
+- v0.7.20 (2026-05-05) — **Browser-hardening batch (5 fixes): CSRF Origin/Referer cross-check, default CSP gains Trusted Types, expanded.** middleware.fetchMetadata`. CSRF Origin/Referer cross-check (`b.middleware.csrfProtect`) — second-line defense alongside the double-submit token. State-changing requests whose Origin (or Referer when Origin is absent) doesn't resolve to the request's own origin are refused before the token check. **Fixed:** *Expanded Permissions-Policy* — defaults now disable `browsing-topics=()`, `attribution-reporting=()`, `unload=()`, `interest-cohort=()`, `join-ad-interest-group=()`, `run-ad-auction=()`, `private-state-token-issuance=()`, `private-state-token-redemption=()`, `compute-pressure=()`, `hid=()`, `serial=()`, `idle-detection=()` — closes advertising / tracking / load-event-leak / device-API surfaces. Existing operator overrides via `permissionsPolicy: "..."` continue unchanged. · *`__Host-` / `__Secure-` cookie prefix invariants* — (`b.cookies.serialize`) — RFC 6265bis §4.1.3 enforced at serialize time. `__Secure-*` requires `secure: true`; `__Host-*` requires `secure: true` AND `path: "/"` AND no `domain:`. Each violation throws a typed `CookieError` with operator-actionable code (`cookies/prefix-secure-required`, `cookies/prefix-host-secure-required`, `cookies/prefix-host-path-required`, `cookies/prefix-host-no-domain`) instead of producing a malformed cookie that browsers silently reject. · *`b.middleware.fetchMetadata`* — new fetch-metadata isolation primitive. Reads `Sec-Fetch-Site` / `Sec-Fetch-Mode` / `Sec-Fetch-Dest` and refuses cross-site state-changing requests by default. Operators opt in to specific destinations (e.g. `allowedDest: ["empty", "document"]`) or specific origins (`allowCrossSite: true`). Direct navigations (typed URL / bookmark — `Sec-Fetch-Site: none`) pass through; `same-origin` always passes; `same-site` configurable. Missing fetch-metadata (legacy browsers, server-to-server) deferred to other auth/CSRF layers per `allowMissing: true` default.
+- v0.7.19 (2026-05-05) — **Auth primitives — session timeouts, JWT keyResolver, bearer auth middleware, external JWT verify, Argon2id params.** Five auth-surface additions: session idle + absolute timeouts (`b.session.verify`) now enforce OWASP ASVS 5.0 §3.3 / NIST SP 800-63B-4 with defaults of 30 min idle and 12 hours absolute. JWT `keyResolver` closes the kid-rotation gap. `b.middleware.bearerAuth`, `b.auth.jwt.verifyExternal`, and `b.auth.password.params()` round out the additions. **Added:** *Session idle + absolute timeouts* — `b.session.verify` now enforces OWASP ASVS 5.0 §3.3 / NIST SP 800-63B-4 timeouts — defaults: 30 min idle, 12 hours absolute. Operators opt out per-call by passing `idleTimeoutMs: 0` / `absoluteTimeoutMs: 0`. Both surface `auth.session.expired_idle` / `auth.session.expired_absolute` audit events on enforcement. · *JWT `keyResolver` opt for kid rotation* — `b.auth.jwt.verify` accepts `keyResolver(decodedHeader)` to look up the public key per-token (typically by `kid`). Mutually exclusive with `opts.publicKey`. Async-friendly. Closes the kid-rotation gap where signers carried `kid` but verifiers only accepted a single static key. · *`b.middleware.bearerAuth`* — New middleware that extracts `Authorization: Bearer <token>`, runs an operator-supplied `verify(token)` function, and attaches `req.user`. Distinct from cookie-session `attachUser`. Missing-Authorization passes through (so cookie path can take over); invalid/null/throw rejects 401 + `WWW-Authenticate: Bearer error="invalid_token"` per RFC 6750 §3. · *`b.auth.jwt.verifyExternal`* — new generic classical-alg JWT verifier (RS256 / RS384 / RS512 / PS256 / PS384 / PS512 / ES256 / ES384 / ES512 / EdDSA) for integration with external IdPs (Auth0 / Okta / Keycloak / Cognito / Azure AD / Google / Apple). `algorithms` is REQUIRED with no default — defends the alg-confusion class (CVE-2024-54150 / CVE-2025-30144 / CVE-2026-22817 Hono). HMAC algs and `none` are explicitly refused (HMAC + JWKS public-key trust source IS the alg-confusion vector). Three key-source options: `jwks` (pre-fetched array), `jwksUri` (auto-fetched + TTL-cached via `b.httpClient` SSRF gate), `keyResolver` (custom). Standard claim checks (`exp` / `nbf` / `iat` / `aud` / `iss` / `sub`) with operator-tunable `clockSkewMs`. · *`b.auth.password.params()`* — new accessor returning the active Argon2id params (`memoryCostKib` / `timeCost` / `parallelism`) plus the OWASP 2026 floor (`19 MiB` / `t>=2` / `p>=1`) plus `meetsFloor: bool`. Compliance-audit visibility without parsing PHC strings. **References:** [RFC 6750](https://www.rfc-editor.org/rfc/rfc6750.html) · [CVE-2024-54150](https://nvd.nist.gov/vuln/detail/CVE-2024-54150) · [CVE-2025-30144](https://nvd.nist.gov/vuln/detail/CVE-2025-30144) · [CVE-2026-22817](https://nvd.nist.gov/vuln/detail/CVE-2026-22817)
+- v0.7.18 (2026-05-05) — **Transport-layer smuggling hardening (four ship-blocker fixes).** HTTP request-smuggling defense in `b.middleware.bodyParser` per RFC 9112 §6.1: rejects requests with both `Content-Length` and `Transfer-Encoding` headers (CL.TE / TE.CL smuggling — CVE-2022-31394 / CVE-2024-27316 class), multiple `Content-Length` values, `Transfer-Encoding`. **Fixed:** *Transport-layer smuggling hardening (four ship-blocker fixes)* — transport-layer smuggling hardening (four ship-blocker fixes). HTTP request-smuggling defense in `b.middleware.bodyParser` per RFC 9112 §6.1: rejects requests with both `Content-Length` and `Transfer-Encoding` headers (CL.TE / TE.CL smuggling — CVE-2022-31394 / CVE-2024-27316 class), multiple `Content-Length` values, `Transfer-Encoding` whose final coding is not `chunked`, and duplicate `chunked` tokens (TE.TE smuggling). Each rejection responds 400 + `Connection: close` so the upstream proxy doesn't reuse the socket. Static-serve symlink-escape + filename safety in `b.staticServe`: `_resolveSafe` now `fs.realpathSync`-es the resolved path (defeats symlink-out-of-root) AND validates the basename through `b.guardFilename` at the balanced profile (rejects path traversal, null-byte, NTFS alternate data streams, UNC paths, RTLO bidi, overlong UTF-8, Windows reserved device names, double-extension; balanced profile chosen over strict so legitimate operator-deposited shell-exec extensions like `.exe`/`.bin` remain serveable). Outbound SMTP smuggling defense in `b.mail` SMTP transport: every produced RFC 822 wire (post-DKIM-sign) is run through `b.guardEmail.validateMessage` at strict profile before the socket opens; refuses on critical issues — bare CR / bare LF + smuggled SMTP verbs (CVE-2023-51764 Postfix / CVE-2023-51765 Sendmail / CVE-2023-51766 Exim / CVE-2026-32178 .NET class) cannot leave the framework even when operator-supplied subject/body/headers contain the pattern. DKIM `l=` body-length tag forbidden in `b.mail.dkim.create`: passing `bodyLength` now throws `dkim/l-tag-forbidden` at create-time. M³AAWG / Gmail / Microsoft 365 guidance is "never use l=" — it enables append-after-signature attacks where an attacker appends arbitrary content past the signed length and the DKIM signature still validates against the original prefix. The body is always hashed in full. **References:** [RFC 9112](https://www.rfc-editor.org/rfc/rfc9112.html) · [RFC 822](https://www.rfc-editor.org/rfc/rfc822.html) · [CVE-2022-31394](https://nvd.nist.gov/vuln/detail/CVE-2022-31394) · [CVE-2024-27316](https://nvd.nist.gov/vuln/detail/CVE-2024-27316) · [CVE-2023-51764](https://nvd.nist.gov/vuln/detail/CVE-2023-51764) · [CVE-2023-51765](https://nvd.nist.gov/vuln/detail/CVE-2023-51765) · [CVE-2023-51766](https://nvd.nist.gov/vuln/detail/CVE-2023-51766) · [CVE-2026-32178](https://nvd.nist.gov/vuln/detail/CVE-2026-32178)
+- v0.7.17 (2026-05-05) — **`b.guardEmail` email content-safety primitive (single-address validation + full RFC 822 / 5322.** message validation). Threat catalog grounded in current research (SMTP smuggling — CVE-2023-51764 Postfix / CVE-2023-51765 Sendmail / CVE-2023-51766 Exim / CVE-2026-32178 .NET System.Net.Mail; SEC Consult / smtpsmuggling.com class; IDN homograph attacks; CRLF header injection). **Added:** *Profiles* — strict / balanced / permissive (SMTP smuggling + CRLF header injection + multi-@ + null bytes refused at every profile — universal class). · *Compliance postures* — hipaa / pci-dss / gdpr / soc2-cc7. Strict default-on via v0.7.12: every `b.fileUpload` + `b.staticServe` deploy gets this gate at strict profile automatically. **References:** [RFC 822](https://www.rfc-editor.org/rfc/rfc822.html) · [RFC 5322](https://www.rfc-editor.org/rfc/rfc5322.html) · [RFC 5321](https://www.rfc-editor.org/rfc/rfc5321.html) · [CVE-2023-51764](https://nvd.nist.gov/vuln/detail/CVE-2023-51764) · [CVE-2023-51765](https://nvd.nist.gov/vuln/detail/CVE-2023-51765) · [CVE-2023-51766](https://nvd.nist.gov/vuln/detail/CVE-2023-51766) · [CVE-2026-32178](https://nvd.nist.gov/vuln/detail/CVE-2026-32178)
+- v0.7.16 (2026-05-05) — **`b.guardMarkdown` markdown content-safety primitive. Threat catalog grounded in current research.** (CVE-2026-30838 CommonMark DisallowedRawHtml whitespace-tag bypass; CVE-2025-9540 Markup Markdown javascript: link XSS; CVE-2025-7969 markdown-it ReDoS; CVE-2025-6493 CodeMirror Markdown catastrophic backtracking; CVE-2025-24981 MDC autolink XSS; CVE-2026-33500 AVideo Parsedown l. **Added:** *Profiles* — strict / balanced / permissive (dangerous tags + dangerous schemes + image schemes + autolink schemes refused at every profile — script-tag and javascript: are universal class). · *Compliance postures* — hipaa / pci-dss / gdpr / soc2-cc7. Strict default-on via v0.7.12: every `b.fileUpload` + `b.staticServe` deploy gets this gate at strict profile automatically. **References:** [CVE-2026-30838](https://nvd.nist.gov/vuln/detail/CVE-2026-30838) · [CVE-2025-9540](https://nvd.nist.gov/vuln/detail/CVE-2025-9540) · [CVE-2025-7969](https://nvd.nist.gov/vuln/detail/CVE-2025-7969) · [CVE-2025-6493](https://nvd.nist.gov/vuln/detail/CVE-2025-6493) · [CVE-2025-24981](https://nvd.nist.gov/vuln/detail/CVE-2025-24981) · [CVE-2026-33500](https://nvd.nist.gov/vuln/detail/CVE-2026-33500)
+- v0.7.15 (2026-05-04) — **`b.guardXml` XML content-safety primitive + smoke parallel mode + persistent test output.** . `b.guardXml` threat catalog grounded in current research (CVE-2026-24400 AssertJ XXE; CVE-2025-3225 sitemap parser; CVE-2024-1455 LangChain; CVE-2024-25062 libxml2 use-after-free with DTD + XInclude; CVE-2024-56171 + CVE-2025-24928 + CVE-2025-32415 + CVE-2025-27113 libxml2 family; CVE-2024-8176 libexpat stack overflow via recursive entity expansion). **Added:** *`b.guardXml`* — threat catalog grounded in current research (CVE-2026-24400 AssertJ XXE; CVE-2025-3225 sitemap parser; CVE-2024-1455 LangChain; CVE-2024-25062 libxml2 use-after-free with DTD + XInclude; CVE-2024-56171 + CVE-2025-24928 + CVE-2025-32415 + CVE-2025-27113 libxml2 family; CVE-2024-8176 libexpat stack overflow via recursive entity expansion). Surface: `validate(input, opts)` returns `{ ok, issues }`; `sanitize(input, opts)` strips character-class threats but throws on critical (DOCTYPE / ENTITY / external — no safe sanitization); `gate(opts)` returns a `b.gateContract`-shaped gate auto-routed by `b.guardAll` for `application/xml` / `text/xml`. KIND="content". Threat catalog: DOCTYPE refused unconditionally (XXE / billion-laughs vector); `<!ENTITY>` declarations including parameter entities (`%` prefix); external entity references (`SYSTEM`/`PUBLIC` with file://, http://, etc.); XInclude (`<xi:include>`); `xsi:schemaLocation` schema fetch; processing instructions (skipping standard `<?xml?>` declaration); CDATA sections; XML signature wrapping (audit); bidi/null/control/zero-width; element-count + depth caps; per-attribute-value-length cap. · *Profiles* — strict / balanced / permissive (DOCTYPE refused at all profile levels — billion-laughs class is universal). · *Compliance postures* — hipaa / pci-dss / gdpr / soc2-cc7. · *Smoke parallel mode* — new `SMOKE_PARALLEL=N` env var forks Layer 0 test files in parallel batches (each fork is a fresh Node child process for module-state isolation). Layers 1-5 stay sequential because they share db / cluster / vault state. Sanity ceiling 64. Empirical: SMOKE_PARALLEL=64 takes 91s vs sequential 122s (25% faster). · *Persistent test output* — `test/smoke.js`, `test/layer-0-primitives/codebase-patterns.test.js` (CLI mode), and `examples/wiki/test/e2e.js` now write a tee'd copy of all stdout/stderr to `.test-output/smoke.log` / `.test-output/codebase-patterns.log` / `.test-output/wiki-e2e.log`. Tee semantics — original stdout/stderr passthrough preserved so npm exit codes + GitHub Actions annotations work unchanged. `.test-output/` is auto-gitignored via the existing `.* ` catchall and never shipped (npm `files` allowlist explicit). · *Family infrastructure* — guard-xml shares the same family-ABI shape (resolveProfileAndPosture / aggregateIssues / buildGuardGate / extractBytesAsText / etc.) as the other 6 family members; the v0.7.13 `family-subset` cluster allowlist sustains. **References:** [CVE-2026-24400](https://nvd.nist.gov/vuln/detail/CVE-2026-24400) · [CVE-2025-3225](https://nvd.nist.gov/vuln/detail/CVE-2025-3225) · [CVE-2024-1455](https://nvd.nist.gov/vuln/detail/CVE-2024-1455) · [CVE-2024-25062](https://nvd.nist.gov/vuln/detail/CVE-2024-25062) · [CVE-2024-56171](https://nvd.nist.gov/vuln/detail/CVE-2024-56171) · [CVE-2025-24928](https://nvd.nist.gov/vuln/detail/CVE-2025-24928) · [CVE-2025-32415](https://nvd.nist.gov/vuln/detail/CVE-2025-32415) · [CVE-2025-27113](https://nvd.nist.gov/vuln/detail/CVE-2025-27113) · [CVE-2024-8176](https://nvd.nist.gov/vuln/detail/CVE-2024-8176)
+- v0.7.14 (2026-05-04) — **`b.guardYaml` YAML content-safety primitive. Threat catalog grounded in current research.** (CVE-2026-24009 Docling/PyYAML unsafe load → RCE; CVE-2026-27807 MarkUs alias billion-laughs DoS; CVE-2025-68664 LangChain deserialization → RCE; CVE-2025-61301 + CVE-2025-61303 YAML library DoS family — "Laughter in the Wild" study; CVE-2022-1471 SnakeYAML constructor RCE; CVE-2. **Added:** *Profiles* — strict (refuse every threat; 2 MiB cap; depth 8; 16 anchors; 1 alias depth; 1 document; 1024 nodes); balanced (audit most threats; allow YAML 1.2 core tags `!!str` / `!!int` / `!!seq` / `!!map` / etc.; refuse alias-explosion regardless; 8 MiB cap; 64 anchors); permissive (audit most; refuse only null bytes + alias-explosion; 64 MiB cap; 1024 anchors). · *Compliance postures* — hipaa / pci-dss / gdpr / soc2-cc7 with strict overlays + forensic snapshots. Refuse-only sanitize discipline: YAML has no safe sanitization — gate decisions are serve / audit-only / refuse only. Strict default-on via v0.7.12: every `b.fileUpload` + `b.staticServe` deploy gets this gate at strict profile automatically. **References:** [CVE-2026-24009](https://nvd.nist.gov/vuln/detail/CVE-2026-24009) · [CVE-2026-27807](https://nvd.nist.gov/vuln/detail/CVE-2026-27807) · [CVE-2025-68664](https://nvd.nist.gov/vuln/detail/CVE-2025-68664) · [CVE-2025-61301](https://nvd.nist.gov/vuln/detail/CVE-2025-61301) · [CVE-2025-61303](https://nvd.nist.gov/vuln/detail/CVE-2025-61303) · [CVE-2022-1471](https://nvd.nist.gov/vuln/detail/CVE-2022-1471) · [CVE-2020-1747](https://nvd.nist.gov/vuln/detail/CVE-2020-1747) · [CVE-2020-14343](https://nvd.nist.gov/vuln/detail/CVE-2020-14343) · [CVE-2017-18342](https://nvd.nist.gov/vuln/detail/CVE-2017-18342)
+- v0.7.13 (2026-05-04) — **`b.guardJson` JSON content-safety primitive. Threat catalog grounded in current research.** (CVE-2025-55182 React/Next.js Server Functions deserialization → RCE; CVE-2025-57820 + CVE-2026-30226 Svelte devalue prototype pollution; CVE-2026-35209 defu; CVE-2026-28794 @orpc/client; CVE-2025-13465 Lodash; CVE-2025-25014 Kibana RCE; CVE-2024-38984 json-override; CVE-2022-42743 deep-parse-json; GHSA-9c47-m6qq-7p4h JSON5). **Added:** *Threat catalog* — source-level prototype-pollution detection (catches `__proto__` / `constructor` / `prototype` keys BEFORE parse — JSON.parse silently routes `__proto__` through the prototype setter so a post-parse Object.keys walk misses the most dangerous key in the catalog); duplicate-key detection (RFC 8259 SHOULD-unique violation; JSON.parse silently last-wins, letting attackers smuggle duplicate-key payloads past validation that ran on the first occurrence — Bishop Fox JSON-interoperability research); NaN / Infinity / -Infinity / undefined refusal (RFC 8259 forbids; JSON5 / lenient libraries accept); comment refusal (single-line and block); trailing-comma refusal; JSON5 syntax refusal (single-quoted keys, hex literals, unquoted keys); BOM injection (leading + mid-stream); bidi / null / control / zero-width chars; numeric precision-loss (integers above `Number.MAX_SAFE_INTEGER`); top-level-key allowlist; depth + breadth + array-length + string-length + node-count caps. · *Profiles* — strict (refuse every threat; 2 MiB doc cap; depth 8; 256 keys/object; 1024 array items) / balanced (strip pollution + BOM + bidi + control + null + zero-width; audit duplicates + comments + trailing commas + JSON5 + numeric precision; refuse NaN; 8 MiB cap; depth 32) / permissive (audit most; refuse only null bytes outright; 64 MiB cap; depth 64). · *Compliance postures* — hipaa / pci-dss / gdpr / soc2-cc7 with strict overlays + forensic snapshots. Strict default-on via v0.7.12: every `b.fileUpload` + `b.staticServe` deploy gets this gate at strict profile automatically — no explicit wiring required. Family infrastructure: `KNOWN_CLUSTERS` allowlist gains `mode: "family-subset"` matcher (collapses 6+ exact-match cluster entries into one subset entry; sustainable as the family grows beyond 6 guards). **References:** [RFC 8259](https://www.rfc-editor.org/rfc/rfc8259.html) · [CVE-2025-55182](https://nvd.nist.gov/vuln/detail/CVE-2025-55182) · [CVE-2025-57820](https://nvd.nist.gov/vuln/detail/CVE-2025-57820) · [CVE-2026-30226](https://nvd.nist.gov/vuln/detail/CVE-2026-30226) · [CVE-2026-35209](https://nvd.nist.gov/vuln/detail/CVE-2026-35209) · [CVE-2026-28794](https://nvd.nist.gov/vuln/detail/CVE-2026-28794) · [CVE-2025-13465](https://nvd.nist.gov/vuln/detail/CVE-2025-13465) · [CVE-2025-25014](https://nvd.nist.gov/vuln/detail/CVE-2025-25014) · [CVE-2024-38984](https://nvd.nist.gov/vuln/detail/CVE-2024-38984) · [CVE-2022-42743](https://nvd.nist.gov/vuln/detail/CVE-2022-42743)
+- v0.7.12 (2026-05-04) — **`b.fileUpload` and `b.staticServe` ship with `b.guardAll` wired ON by default at strict profile.** . Defense-in-depth applied automatically: every operator-supplied bytes path runs through the full guard-* family without any explicit wiring. **Added:** *`b.fileUpload`* — `contentSafety` defaults to `b.guardAll.byExtension({ profile: "strict" })` (every shipped guard's full threat catalog refused — dangerous tags, event handlers, dangerous URL schemes, formula injection, DOCTYPE, SVGZ, animation-href hijack, zip-slip, ratio bombs); new `filenameSafety` opt defaults to `b.guardFilename.gate({ profile: "strict" })` (path traversal + null-byte truncation + Windows reserved names + NTFS ADS + RTLO bidi + overlong UTF-8 + shell-exec extensions + double-extension + reserved chars). · *`b.staticServe`* — `contentSafety` defaults to `b.guardAll.byExtension({ profile: "strict" })`. Explicit opt-out: `contentSafety: null` / `filenameSafety: null` skips the gate AND emits an audit row at `create()` time (`fileUpload.contentSafety.disabled` / `fileUpload.filenameSafety.disabled` / `staticServe.contentSafety.disabled`) with operator-supplied `contentSafetyDisabledReason` / `filenameSafetyDisabledReason` metadata so a security review can reconstruct which deploys disabled the default-on protection AND why. filenameSafety wiring: runs in `fileUpload.finalize` BEFORE `contentSafety` (a refused filename obviates body validation); honours sanitize action (replaces `metadata.filename` with the cleaned form so downstream code sees the safe name). Explicit operator wiring still works: passing `contentSafety: { ".csv": gate }` or `filenameSafety: gate` uses the operator-supplied object as-is (no default-on override). Migration: this is a behavior change. Code that called `b.fileUpload.create({ stagingDir, onFinalize })` previously had no content / filename safety; after v0.7.12 the same call has both gates wired at strict profile. If existing routes depended on accepting hostile content (raw-bytes uploads, executable-extension artifacts), pass `contentSafety: null` and/or `filenameSafety: null` with an operator-supplied reason at `create()` time.
+- v0.7.11 (2026-05-04) — **Adaptive guard-* family integration harness.** `test/layer-5-integration/guard-host-integration.test.js` discovers every guard primitive registered in `b.guardAll.allGuards()` and exercises gate decisions through the appropriate host wiring per guard's `KIND`. Adding a new guard automatically picks up the harness without touching the test file. **Added:** *Adaptive design* — adding a new guard automatically picks up the harness without touching the test file. Each guard exports `KIND` (`"content"` / `"entries"` / `"filename"`) and `INTEGRATION_FIXTURES` with kind-appropriate sample payloads (benign + hostile). The harness iterates `b.guardAll.allGuards()`, dispatches per kind, and per-guard runs: direct gate (benign → serve; hostile → not serve); `b.guardAll.gate` contentTypeMux dispatch; `b.guardAll.gate({ exceptFor })` opt-out path with audit-row verification of the skipped roster; `b.staticServe.create({ contentSafety })` GET round-trip (benign → 2xx, hostile → 4xx); `b.fileUpload.create({ contentSafety })` chunk → finalize round-trip (benign succeeds, hostile throws content-safety error); audit chain captures host-level rows. · *Family additions* — `lib/guard-all.js` gains `STANDALONE_GUARDS` array (currently `[guardFilename]`) and `allGuards()` aggregator that returns `GUARDS.concat(STANDALONE_GUARDS)`. Each guard module exports `KIND` + `INTEGRATION_FIXTURES`. · *Tests run in-process* — no docker / network / fixture-archive dependencies; the harness completes in ~100ms regardless of guard count, so the gate runs on every smoke.
+- v0.7.10 (2026-05-04) — **`b.guardArchive` archive content-safety primitive. Threat catalog grounded in current.** archive-extraction CVE research: CVE-2025-3445 mholt/archiver Zip Slip; CVE-2025-32779 EDDI Zip Slip; CVE-2025-62156 Argo Workflows Zip Slip; CVE-2025-66945 Zdir Pro path traversal; CVE-2025-45582 GNU Tar two-step symlink bypass; CVE-2025-11001/11002 7-Zip symlink + directory tra. **Added:** *Tests* — 102 new layer-0 assertions covering surface, registry parity, zip-slip detection (3 forms), absolute-path detection (3 forms), symlink reject (strict), symlink escape (balanced), hardlink reject + escape, compression-ratio bomb (per-entry), aggregate-ratio bomb, total-size cap, entry-count cap, nested-archive (.zip / .tar.gz), duplicate-entry-name, case-insensitive collision, encryption-claim mismatch, sparse entry, magic-byte detection (8 formats including tar via offset-257 ustar), checkExtractionPath helper, clean-archive + warn-only handling, gate decision shapes (clean / refuse / no-entry-list), profile + posture vocabulary. **References:** [CVE-2025-3445](https://nvd.nist.gov/vuln/detail/CVE-2025-3445) · [CVE-2025-32779](https://nvd.nist.gov/vuln/detail/CVE-2025-32779) · [CVE-2025-62156](https://nvd.nist.gov/vuln/detail/CVE-2025-62156) · [CVE-2025-66945](https://nvd.nist.gov/vuln/detail/CVE-2025-66945) · [CVE-2025-45582](https://nvd.nist.gov/vuln/detail/CVE-2025-45582) · [CVE-2025-11001](https://nvd.nist.gov/vuln/detail/CVE-2025-11001) · [CVE-2025-4138](https://nvd.nist.gov/vuln/detail/CVE-2025-4138) · [CVE-2025-10854](https://nvd.nist.gov/vuln/detail/CVE-2025-10854) · [CVE-2025-12060](https://nvd.nist.gov/vuln/detail/CVE-2025-12060) · [CVE-2026-26960](https://nvd.nist.gov/vuln/detail/CVE-2026-26960)
+- v0.7.9 (2026-05-04) — **`b.guardFilename` filename content-safety primitive. Standalone primitive — does NOT register.** ister into `b.guardAll`'s content-type-routed dispatch (filename is a different axis from content-bytes; operators apply both — filename safety on the upload's name plus content safety on the body). **Added:** *Standalone primitive* — does NOT register into `b.guardAll`'s content-type-routed dispatch (filename is a different axis from content-bytes; operators apply both — filename safety on the upload's name plus content safety on the body). Threat catalog grounded in OWASP Path Traversal + WSTG file-inclusion testing guides; CWE-22 / CWE-23 / CWE-35 / CWE-73 / CWE-78 / CWE-434; PortSwigger File-path-traversal series (null-byte bypass + extension validation); Memento-RTLO + RTL-Spiegel file-name spoofing reports (CVE-2021-42574 in filename context); Kevin Boone overlong UTF-8 sequence write-up. · *Threat catalog* — path traversal (raw + percent-encoded `%2e%2e` + double-encoded `%252e%252e` + UTF-8 overlong `0xC0 0xAE` for dot and `0xC0 0xAF` for slash); null-byte truncation; Windows reserved device names (CON / PRN / AUX / NUL / COM1-9 / LPT1-9 / CLOCK$ / CONFIG$, with and without extensions, case-insensitive); NTFS alternate data streams (`name:stream`); leading/trailing whitespace + trailing dots (Windows silently strips them); Unicode bidi / RTLO file-name spoofing; zero-width / homoglyph chars; reserved characters (Windows < > : " | ? *); UNC paths; path separators in leaf-name; length caps (strict 64-byte / balanced+permissive 255-byte); multi-dot policy (strict requires single dot, balanced+permissive allow .tar.gz); extension allowlist (catches double-extension bypass: `file.jpg.exe` matches `.exe` against the allowlist); shell-shortcut + executable extensions (.exe / .bat / .vbs / .ps1 / .lnk / .scr / .dll / .so / .dmg / .msi / etc); overlong UTF-8 detection at the Buffer level (RFC 3629 §3 prohibits non-shortest-form). · *Profiles* — strict (ASCII-only, single dot, single leaf, 64-byte cap, every threat class refused), balanced (Unicode NFC-normalized, multi-dot allowed, 255-byte cap, refuses dangerous classes + strips zero-width + audits homoglyphs), permissive (multi-component paths up to 16 components, reserved-name audited not refused for non-Windows targets). · *Compliance postures* — hipaa / pci-dss / gdpr / soc2-cc7 with appropriate strict overlays + ASCII-only + forensic snapshots. · *Sanitize discipline* — strips leading/trailing whitespace + trailing dots, NFC-normalizes Unicode, replaces reserved chars with underscore (under strip policy), prepends underscore to Windows reserved device names. ALWAYS THROWS on path-traversal / null-byte / NTFS ADS / UNC / overlong UTF-8 — these have no safe sanitization, the only correct response is reject. · *New shared helpers* — `gateContract.badInputResultIfNotStringOrBuffer(input)` and `gateContract.aggregateIssues(issues)` — extracted across guard-svg / guard-filename validate paths that need raw-Buffer input pre-conversion. Both registered in KNOWN_ANTIPATTERNS so future re-implementations fail the n=1 gate. · *Tests* — 79 new layer-0 assertions covering surface, path traversal (5 forms), percent-encoded traversal (3 forms), null-byte truncation, every Windows reserved name (12 cases including extensions), NTFS ADS, leading/trailing strip, RTLO bidi spoofing, reserved chars (7 cases), UNC paths, path separators in leaf, length cap, single-dot policy, extension allowlist, shell-exec extensions (11 cases), double-extension bypass, overlong UTF-8 at buffer level, ASCII-only enforcement, sanitize round-trip + throw-on-traversal/null-byte, gate decision shapes, profile + posture vocabulary. **References:** [RFC 3629](https://www.rfc-editor.org/rfc/rfc3629.html) · [CVE-2021-42574](https://nvd.nist.gov/vuln/detail/CVE-2021-42574)
+- v0.7.8 (2026-05-04) — **`b.guardSvg` SVG content-safety primitive + guard-* family helper extraction. `b.guardSvg`.** vg` ships full v1 scope grounded in current SVG attack-surface research (Fortinet anatomy of SVG attack surface; Angular GHSA-jrmj-c5cx-3cw6 + GHSA-v4hv-rgfq-gp49 SVG animation/href XSS; SVGO CVE-2026-29074 billion laughs DoS; siyuan-note GHSA-5hc8-qmg8-pw27 animate-element san. **Added:** *`b.guardSvg`* — ships full v1 scope grounded in current SVG attack-surface research (Fortinet anatomy of SVG attack surface; Angular GHSA-jrmj-c5cx-3cw6 + GHSA-v4hv-rgfq-gp49 SVG animation/href XSS; SVGO CVE-2026-29074 billion laughs DoS; siyuan-note GHSA-5hc8-qmg8-pw27 animate-element sanitizer bypass; cure53/DOMPurify issue #233 xlink:href filtering; insertScript SVG fun-time series). Threat catalog: dangerous tags (script / foreignObject / handler / iframe / embed / object / audio / video / animation family); SMIL animation attributeName allowlist enforcement (recent CVE class — `<animate attributeName="href" to="javascript:..."/>` is the published bypass shape, refused regardless of broader animation policy); on* + SMIL event-handler attributes (onclick / onerror / onload / onbegin / onend / onrepeat); href + xlink:href dangerous URL schemes (javascript / vbscript / data outside image-context / file / mhtml / view-source — entity-encoded form too); cross-origin `<use>` external refs (SSRF + XSS chain); XML DOCTYPE declarations refused unconditionally (defends billion-laughs entity expansion + XXE); custom `<!ENTITY>` declarations; CDATA + processing instructions; SVGZ compressed payloads (gzip magic bytes 0x1F 0x8B refused at gate level — operator must ungzip first); CSS injection in style attributes; <use>-recursion DoS via maxUseDepth; total-document size + element-count + attribute-count caps. Profiles: strict (minimal text+shapes; no animation; no external refs), balanced (adds <use> + <image> with same-origin or http(s); allowExternalRefs=true), permissive (adds animation with attributeName allowlist still enforced). Compliance postures: hipaa / pci-dss / gdpr / soc2-cc7 with strict overlays + forensic snapshots. Guard-* family helper extraction — five new shared helpers landed in `lib/codepoint-class.js` and `lib/gate-contract.js` and the existing guards refactored to consume them: `codepointClass.detectCharThreats(text, opts, codePrefix)`, `codepointClass.assertNoCharThreats(text, opts, errorFactory, codePrefix)`, `codepointClass.applyCharStripPolicies(text, opts)`, `gateContract.resolveProfileAndPosture(opts, cfg)`, `gateContract.runIssueValidator(input, opts, detector)`, `gateContract.buildGuardGate(name, opts, check)`, `gateContract.extractBytesAsText(ctx)`, `gateContract.lookupCompliancePosture(name, postures, errorFactory, codePrefix)`, `gateContract.makeRulePackLoader(errorClass, codePrefix)`, `gateContract.makeProfileBuilder(profiles)`, `numericBounds.requireAllPositiveFiniteIntIfPresent(opts, names, labelPrefix, errorClass, code)`. Pre-existing call sites in `lib/csv.js` and `lib/file-upload.js` migrated in the same patch per the no-future-patch-deferrals rule. New shared module `lib/codepoint-class.js` centralizes BIDI / C0_CTRL / ZERO_WIDTH range tables plus the `_hex4` / `_charClass` / `_fromCp` rendering helpers — the codepoint catalog has a single source of truth and future guard-* slices consume the shared module instead of redeclaring the tables. Each helper extraction registers its inline-shape in `KNOWN_ANTIPATTERNS` (the codebase-patterns gate fires at n=1 if any future code re-introduces the pattern). · *Tests* — 83 new layer-0 assertions covering surface, registry parity, dangerous-tag detection, on* handler family, dangerous URL schemes (entity-encoded form too), animation attributeName href hijack, cross-origin <use> refusal, DOCTYPE / <!ENTITY> rejection, CDATA + processing-instruction policy, SVGZ magic-byte detection, CSS injection, bidi/control/null-byte detection, depth/size caps, sanitize round-trips, gate decision shapes, profile + posture vocabulary. **References:** [CVE-2026-29074](https://nvd.nist.gov/vuln/detail/CVE-2026-29074)
+- v0.7.7 (2026-05-04) — **`b.guardHtml` HTML content-safety primitive ships full v1 scope. Threat catalog grounded in current.** sanitizer research (DOMPurify CVE series, OWASP XSS / DOM-Clobbering / HTML5 Security cheat sheets, PortSwigger and Sonar mXSS write-ups, html5sec.org). **Added:** *Threat catalog covered* — dangerous tags (script / style / link / meta / base / iframe / object / embed / applet / form / input / button / frame / frameset / marquee / blink / plaintext / xmp / audio / video / source / track / math / svg / template / noscript / portal / dialog / keygen / menuitem / command); every `on*` event-handler attribute (caught family-wide via `/^on[a-z]/` regex — covers the entire HTML5 event-handler family without a manual list that rots when WHATWG specs a new event); form-override attributes (formaction / formmethod / formenctype / formtarget / formnovalidate, CWE-1021); iframe `srcdoc`; custom-element `is`; CSP-bypass-shaped attributes (nonce / integrity / crossorigin / http-equiv / manifest); URL-scheme allowlist with entity-decode pre-pass (defends `&#x6A;avascript:` and decimal-entity bypasses); CSS injection in style attribute values (expression / behavior: / -moz-binding / javascript:/vbscript: inside url() / @import / @namespace); DOM clobbering (id/name attribute values matching well-known JS globals on form/input/button/a/img/iframe/object/embed/select/textarea); mXSS hints (svg/math namespace-context-shift parents); IE conditional comments; Unicode bidi override (CVE-2021-42574 Trojan Source) / C0 control chars / null bytes / zero-width chars; tag-depth + attribute-count + per-attribute-value-size + total-document-size DoS caps. · *Profiles* — strict (minimal text-formatting allowlist; reject every threat class) / balanced (links + images + tables + semantic markup; strip rather than reject for character-class threats; data:image/* on `<img>`) / permissive (every tag NOT in the dangerous-tag denylist). · *Compliance postures* — hipaa / pci-dss / gdpr / soc2-cc7 with appropriate strict/balanced overlays + forensic-snippet sizing (256 / 256 / 128 / 512 bytes). · *Sanitizer discipline* — drops dangerous tags AND their text-content body (script/style/iframe/object/embed/applet/template/svg/math etc. — body parsed as code in the host); strips on* attributes, dangerous URL schemes, CSS injection patterns, DOM-clobbering values, doctypes, CDATA, comments. Documented operator-facing trade-off: for hostile sources, validate+reject is the strong path; sanitize is best-effort and operators displaying untrusted HTML should additionally serve under a strict CSP. · *Codepoint-table programmatic regex pattern* — same as guard-csv: BIDI_RANGES / C0_CTRL_RANGES / ZERO_WIDTH_RANGES literal numeric tables compiled into character classes via `_charClass` + `\\uXXXX` escapes at module load. Source file never embeds attack chars themselves. · *Tests* — 134 new layer-0 assertions covering surface, registry parity, every dangerous tag in the denylist, 15 representative on* handlers, 9 dangerous attributes, 10 dangerous URL schemes (entity-encoded form too), 5 CSS injection patterns, 8 DOM clobber globals, mXSS hints, IE conditional comments, bidi/control/null detection, depth/size caps, sanitize round-trips, escape correctness, gate decision shapes (clean/refuse/sanitize), profile + posture vocabulary. **References:** [CVE-2021-42574](https://nvd.nist.gov/vuln/detail/CVE-2021-42574)
+- v0.7.6 (2026-05-04) — **`b.guardAll` registry + aggregator for the guard-* family. Security-on-by-default: every shipped.** guard is ON unless the operator opts OUT specifically with an audited reason. **Added:** *Surface* — `b.guardAll.gate(opts)` returns a single `b.gateContract`-shaped gate that routes by `Content-Type` to the right registered guard; `b.guardAll.byExtension(opts)` and `b.guardAll.byContentType(opts)` return ready-made gate maps for direct drop-in to `b.staticServe.create({ contentSafety: ... })` and any host primitive that dispatches on extension or mime; `b.guardAll.list()` returns the registered roster (operator audit aid); `b.guardAll.GUARDS` / `SHARED_PROFILES` / `SHARED_POSTURES` exposed as readonly registry exports. · *Opt-out* — `exceptFor: { csv: { reason: "no CSV emission in this app" } }` requires a non-empty `reason` string per opted-out guard (throws at gate-creation time, not silently); `override: { csv: { profile: "email-attachment" } }` reaches per-guard extension profiles that aren't in the shared vocabulary. · *Audit emission* — every gate / byExtension / byContentType call with `opts.audit` wired emits `guardAll.gate.created` exactly once at gate-creation time, recording the full `active` + `skipped` roster (each skipped entry carries its `reason`). · *Registry contract* — every primitive registered into `b.guardAll` MUST export `NAME` (string), `MIME_TYPES` (frozen array), `EXTENSIONS` (frozen array), `PROFILES` containing the shared vocabulary (`strict` / `balanced` / `permissive`), `COMPLIANCE_POSTURES` containing the shared regulatory shapes (`hipaa` / `pci-dss` / `gdpr` / `soc2-cc7`), and `gate(opts)` returning a `b.gateContract`-shaped gate. The parity check at module load throws `GuardAllError` with a multi-line failure list if any registered guard is missing the contract — this is the framework's mechanism for keeping every future guard slice conformant. Duplicate `NAME` / `MIME_TYPE` / `EXTENSION` across guards is also caught at module load. · *Adjacent* — `b.guardCsv` now exports `NAME` / `MIME_TYPES` / `EXTENSIONS` for registry compliance. Wiki harness gains `fs` binding for examples that mkdir staging dirs (joins the existing `path` / `os` bindings). · *Tests* — 56 new layer-0 assertions: surface, registry parity (every member declares the full contract), default-on (no `exceptFor` → every guard active), `exceptFor` reason validation (missing / blank / non-object / unknown name throws), `override` shape validation, profile-vocabulary enforcement (per-guard extensions like csv's `email-attachment` rejected at the aggregator), posture-vocabulary enforcement, audit creation roster, dispatch correctness (text/csv routes to csv guard, unrelated mime bypasses), byExtension / byContentType output shape.
+- v0.7.5 (2026-05-04) — **`b.gateContract` foundation + `b.guardCsv` content-safety primitive.** The guard-* family of content-safety gates begins here. `b.gateContract` provides the uniform composition contract every future guard-* primitive implements, and `b.guardCsv` is the first member — full v1-defensible scope covering formula injection, dangerous functions, bidi/control/zero-width chars, CSV bombs, dialect ambiguity, and schema-bound serialization. Also includes a pre-v1 breaking change to `b.csv.stringify`. **Added:** *`b.gateContract` — uniform composition contract for content-safety gates* — Provides `defineGate` / `runGate` / `composeGates` / `multiplexGates` / `contentTypeMux` / `shadowMode` / `canaryGate` / `cachingGate` / `workerThreadGate` / `buildProfile` / `composeHooks` / `summarizeIssues` / `validateGateShape`, plus mode posture (enforce / warn-only / shadow / audit-only / log-only / canary), hook system (`beforeCheck` / `afterCheck` / `onIssue` / `onSanitize` / `onRefuse` / `onAudit`), forensic snapshot store integration, decision cache, and runtime cap via `safeAsync.withTimeout`. Every future guard-* primitive composes this contract. · *`b.guardCsv` — CSV content-safety gate (full v1 scope)* — Surface: `serialize` / `validate` / `sanitize` / `escapeCell` / `detect` / `parse` / `stringify` / `schema` / `gate` / `buildProfile` / `compliancePosture` / `loadRulePack`. Threat catalogue covers formula injection (5 modes: prefix-tab / prefix-quote / wrap-with-quotes-and-prefix / reject / allowlist) with all 8 ASCII triggers (`= + - @ TAB CR LF |`) plus full-width variants (U+FF1D / U+FF0B / U+FF0D / U+FF20) per OWASP locale catalog; dangerous-function denylist (WEBSERVICE / HYPERLINK / IMAGE / IMPORT* / RTD / DDE / CALL / GOOGLEFINANCE / GOOGLETRANSLATE) surfaced as critical regardless of broader formula policy; Unicode bidi override (CVE-2021-42574 Trojan Source); homoglyph mixed-script detection; C0 control chars; null bytes; BOM mid-stream injection; zero-width chars; dialect ambiguity; CSV bombs (per-cell / total / sanitize-amplification caps); numeric precision loss above `Number.MAX_SAFE_INTEGER`; trailing-whitespace exfiltration policy; PII redaction (composes `b.redact`); and schema-bound serializer with type / regex / range / nullable validation. Profiles: `strict` (OWASP-recommended `prefix-tab` default — Excel-resistant) / `balanced` / `permissive` / `email-attachment`. Compliance postures: `hipaa` / `pci-dss` / `gdpr` / `soc2-cc7`. · *Codepoint-table programmatic regex composition* — Threat-detection regex literals are composed programmatically from numeric codepoint range tables (`BIDI_RANGES` / `C0_CTRL_RANGES` / `ZERO_WIDTH_RANGES` / `HOMOGLYPH_RANGES` / `FORMULA_PREFIX_CPS`). `_charClass(ranges)` renders into a regex character class via `\uXXXX` escapes at module load. The source file never embeds the attack characters themselves, only their codepoint numbers; the detector composes the way an attacker would compose the payload. · *Host primitive integration — `b.staticServe` and `b.fileUpload`* — `b.staticServe` gains `contentSafety: { ".csv": gate, ... }` extension-keyed gate map that runs after the MIME allowlist and before headers (sanitize replaces body buffer; refuse returns 415). `b.fileUpload` gains `contentSafety: gate` running before `onFinalize` (refuse throws `CONTENT_SAFETY_REFUSED`; sanitize replaces `bodyBuffer`). · *`validateOpts.optionalPlainObject(value, label, ErrorClass, code, description)`* — Consolidates the `if (typeof !== "object" || Array.isArray) throw` cascade across api-key / db-declare-view / static / file-upload. Registered in `KNOWN_ANTIPATTERNS` so future re-implementations fail the n=1 gate. **Removed:** *`b.csv.stringify` formula-injection opts (pre-v1 breaking)* — `b.csv.stringify` no longer accepts `preventFormulaInjection` / `formulaPrefixChars` opts. The partial single-mode defense it offered (only `=`/`+`/`-`/`@`/TAB/CR ASCII prefixes, missing LF / `|` / full-width formula chars) was a false-confidence path. `b.csv` is now documented as trusted-source-only emission (RFC 4180 quoting + anti-DoS bounds); any user-supplied cells route through `b.guardCsv.serialize` / `.gate` for the full threat catalogue. The `b.guardCsv.parse` / `.stringify` re-exports are also removed — operators use `b.csv.parse` / `.stringify` directly for pure parsing. **References:** [OWASP CSV Injection](https://owasp.org/www-community/attacks/CSV_Injection) · [RFC 4180 CSV](https://www.rfc-editor.org/rfc/rfc4180) · [CVE-2021-42574 Trojan Source](https://nvd.nist.gov/vuln/detail/CVE-2021-42574)
+- v0.7.4 (2026-05-04) — **CI gate alignment + wiki cross-platform fix + redis-client opts forwarding consolidation.** Two CI-only gates added to the release workflow (`scripts/check-api-snapshot.js` public-API drift detection and Linux-container wiki e2e cross-platform example execution), `api-snapshot.json` baseline refreshed, and a new `redisClient.pickClientOpts` helper consolidates ~40 lines of duplicated forwarding across the four Redis-backed primitives. **Added:** *`redisClient.pickClientOpts(cfg, prefix?)`* — New helper returns the standard 9-key opts bag (`url` / `password` / `username` / `tls` / `ca` / `servername` / `connectTimeoutMs` / `commandTimeoutMs` / `maxReconnectAttempts`). The `cache-redis`, `pubsub-redis`, `queue-redis`, and `cache` redis-backend creators all migrated to it, eliminating duplicated inline forwarding across the four files. · *`scripts/check-api-snapshot.js` gate + Linux-container wiki e2e* — Public-API drift detection now runs in the local release workflow, and the wiki e2e additionally runs inside a Linux container so cross-platform example execution is caught before push. The `api-snapshot.json` baseline was refreshed for the first time since v0.6.17 (40+ patches of accumulated drift; `b.objectStoreRetry` removal in v0.7.0 was the breaking entry). **Fixed:** *Wiki file-upload example cross-platform path* — The example previously hardcoded `stagingDir: "/var/lib/myapp/uploads"` which mkdir-passed on Windows but failed `EACCES` on Linux/macOS CI runners. Replaced with `path.join(os.tmpdir(), "myapp-uploads-" + Date.now())` and a self-contained `b.fileUpload.create` + `uploads.close()` round-trip; the Usage block likewise instantiates a real `b.router.create()` + uploads pair. `examples/wiki/test/run-example.js` gains `path` + `os` bindings so wiki examples can write idiomatic `path.join(os.tmpdir(), ...)` without falling foul of the harness's `var X = require(...)` line stripper. **Detectors:** *`inline-redis-client-opts-forwarding`* — New `KNOWN_ANTIPATTERNS` entry catches future re-implementations of the redis-client opts forwarding bag at n=1, so the consolidation can't regress silently. · *`testNoDuplicateCodeBlocks` / `testNoUnresolvedMarkers` / `testNoTierTerminologyInLib` tuning* — `MIN_DISTINCT_FILES` lowered 3 → 2 and `MIN_DISTINCT_TOKENS` lowered 6 → 5 for more aggressive duplicate detection. The forbidden-marker scan adds `defer`, and the forbidden-internal-terminology scan adds the three numeric-suffix forms. `lib/log-stream-syslog.js`'s socket error-handler comment was reworded from "defer to 'close' for reconnect" to "reconnect handled in the close listener" — same behaviour, no marker false-positive.
+- v0.7.3 (2026-05-04) — **`b.middleware.apiEncrypt` per-session keying mode (opt-in). Per-request keying stays the default —.** every existing test passes unchanged. Operators opt in by passing `keying: "per-session"`; the first request in a session carries the bootstrap envelope `{ _ek, _ct, _ts, _nonce, _sid, _ctr }` and the server stores the session key keyed by `_sid` (UUID v4); subsequent requests in. **Added:** *Tests* — 13 new layer-0 assertions covering default-keying invariant, opt validation (bad keying value / TTL / store shape), bootstrap-and-reuse round-trip (KEM amortization confirmed by inspecting subsequent envelope shape), unknown-sid 401, counter-replay 400, TTL-expiry 401, max-responses-rotation 401, response counter monotonic check, sessionInfo / resetSession client API, observability emission.
+- v0.7.2 (2026-05-04) — **Symmetric upload + download primitives ship with full v1-defensible feature sets.** `b.fileUpload` chunked upload primitive: operators wire HTTP routes for per-chunk PUT (`fileUpload.acceptChunk`) and finalize POST (`fileUpload.finalize`); the framework owns the chunk lifecycle (per-chunk SHA3-512, atomic chunk write to `<stagingDir>/<uploadId>/<index>`, rea. **Added:** *`b.fileUpload`* — chunked upload primitive: operators wire HTTP routes for per-chunk PUT (`fileUpload.acceptChunk`) and finalize POST (`fileUpload.finalize`); the framework owns the chunk lifecycle (per-chunk SHA3-512, atomic chunk write to `<stagingDir>/<uploadId>/<index>`, reassemble in manifest order, verify total SHA3-512) and hands the assembled buffer to an operator-supplied `onFinalize` callback. Surface includes `init` / `acceptChunk` / `finalize` / `status` / `list` / `cancelUpload` / `purgeIncomplete`. v1 features: per-actor active-upload quota, total staging-bytes quota, MIME magic-byte allowlist (composes `b.fileType`), `onChunk` operator hook, idle-upload timeout, stream reassembly above `maxStreamReassemblyBytes` (sequential async iterator over chunk files instead of `Buffer.concat`), permissions integration, metadata stash with cap, path-safe upload-ID regex, mode 0o700 staging dir, idempotent re-PUT, force-cancel, audit emission with 5-W actor context, observability counters. · *`b.staticServe`* — download primitive expanded with the symmetric feature set: permissions gate (403), compliance retention gate (451), force-revoke instance method + revoke-store opt (404), MIME magic-byte allowlist (415), RFC 7233 single-range support (multi-range refused with 416), full conditional-request set (`If-None-Match` / `If-Match` / `If-Modified-Since` / `If-Unmodified-Since`), per-actor + global bandwidth quotas via `b.cache` cluster-shared token-buckets (429 + Retry-After), per-actor concurrency cap (429), `onServe` per-request operator hook, `maxIdleMs` stalled-stream timeout, cancellation propagation (client disconnect destroys file stream + releases concurrency slot), audit + observability emission with 5-W actor context. ETag is now SHA3-512-truncated for PQC posture; the SRI integrity helper keeps SHA-384 because the W3C subresource-integrity spec only allows sha256/sha384/sha512. Object-store backends (sigv4 / gcs / azure-blob) gain a new `getResponse(key, opts?)` method that forwards `range` / `ifNoneMatch` / `ifMatch` / `ifModifiedSince` / `ifUnmodifiedSince` opts to the backend's protocol-specific headers and returns `{ statusCode, body, etag, lastModified, contentRange, size, contentType }` — operators wiring object-store-backed download routes route conditional + range from the client request straight through. Existing `get(key)` returns just the body for back-compat. · *`HTTP_STATUS`* — constants extended with `PARTIAL_CONTENT` / `RANGE_NOT_SATISFIABLE` / `PRECONDITION_FAILED` / `UNAVAILABLE_FOR_LEGAL_REASONS`. · *New helpers* — `validateOpts.optionalNonEmptyStringArray(value, label, ErrorClass, code?)` and `validateOpts.optionalObjectWithMethod(value, method, label, ErrorClass, code?, description?)` consolidate the recurring "string-array" and "duck-typed handle" inline cascades across api-key / file-upload / seeders / notify / webhook / db-role-for. Both registered in `KNOWN_ANTIPATTERNS` so future re-implementations fail the n=1 gate. · *Tests* — 28 new layer-0 fileUpload assertions (init / acceptChunk / finalize / status / list / cancel / quotas / MIME allowlist / onChunk / idle / stream reassembly / permissions) plus 24 new staticServe assertions (range / suffix-range / open-end-range / unsatisfiable-range / multi-range refused / acceptRanges off / If-Match / If-Modified-Since / If-Unmodified-Since / permissions / retention / revoke / MIME allowlist / onServe / audit / stats / invalidateMeta / quotas / concurrency cap). Wiki page `examples/wiki/seeders/prod/pages/file-upload.js` added; routing.js section for `b.staticServe` rewritten to document the v1 surface. README "what ships in the box" Communication + Routing bullets updated. **References:** [RFC 7233](https://www.rfc-editor.org/rfc/rfc7233.html)
+- v0.7.1 (2026-05-04) — **`b.websocket` route opts gain `handshakeGuid` to override the RFC 6455 §1.3 magic string used in.** the `Sec-WebSocket-Accept` derivation. Default stays `258EAFA5-E914-47DA-95CA-C5AB0DC85B11`. **Added:** *Tests* — 3 new layer-0 assertions in `test/00-primitives.js` (custom GUID produces different accept key, empty / null falls back to RFC default, malformed handshakeGuid rejected at config time). **References:** [RFC 6455](https://www.rfc-editor.org/rfc/rfc6455.html)
+- v0.7.0 (2026-05-04) — **Codebase-patterns hardening sweep + primitive consolidation.** The duplicate-block detector in `test/layer-0-primitives/codebase-patterns.test.js` ran at MIN_DISTINCT_FILES=3 and surfaced ~50 inline-shape clusters that had proliferated across lib/ — the kind of soft drift that's invisible at higher thresholds and hides re-introduction of bug classes the framework already swept once. **Fixed:** *Catalog gate* — `KNOWN_ANTIPATTERNS` in the codebase-patterns test now has 24 entries firing at n=1, so future code re-introducing any of the registered inline shapes (even one new file) fails the gate immediately. Pre-v0.7.0 the duplicate-block detector required n>=3 to fire; the catalog closes the gap by registering each extracted primitive's inline shape so it can't drift back in. · *Cluster allowlist* — `KNOWN_CLUSTERS` allowlist (n>=3 detector) has 25 entries with documented structural reasons (parser error class signatures don't fit the framework's `(code, message)` contract; framework-convention shapes like middleware factories; future consolidation candidates). · *Cleanup* — deleted dead re-export shims `lib/object-store/retry.js` (re-exported `lib/retry.js`) and `lib/auth/totp.js` (re-exported `lib/totp.js`); both fit the rule "pre-v1 frameworks have no operators to compatibly upgrade — every legacy fallback is dead code." Renamed `lib/internal-sha1-hibp.js` → `lib/framework-sha1-hibp.js` to match the lib naming convention (the `internal-` prefix wasn't in the convention's five-bucket list; `framework-` is the canonical "restricted-use" bucket alongside `framework-error.js` / `framework-schema.js`). · *No operator-facing API breakage* — `b.objectStoreRetry` was removed from the public surface (operators use `b.retry` directly, which has been the canonical primitive since v0.2.24). · *Eslint config tightened* — added `eqeqeq` (with the `null` exception for the `== null` null-or-undefined idiom), `no-throw-literal`, `no-promise-executor-return`, `default-case`, `no-loss-of-precision`. The previous config was hiding 11 real errors: 8 sites of `return resolve()` / `return done()` inside `new Promise(executor)` (return value silently discarded) across app / dev / http-client / mail / router / wiki/integration / 00-primitives, plus a missing default-case + 2 intentional template-language `==` / `!=` operators in template.js's binary-op evaluator (now allowed via inline `// eslint-disable-next-line eqeqeq -- template language operator`). Also adds `structuredClone` to the Node-globals list so db.js's deep-clone calls don't trip `no-undef`. · *Release-workflow gate added* — Linux container smoke `docker run --rm -v "/$(pwd):/blamejs" -w //blamejs node:24-alpine node test/smoke.js` is now part of the release flow. Catches lingering-handle bugs that pass on Windows / macOS but hang or error on Linux CI. · *Tests* — smoke 7338 / Linux container smoke 7338 (148s) / wiki e2e 178 / per-primitive integration 16 files / wiki integration green / eslint clean / shellcheck clean.
+## v0.6.x
+- v0.6.70 (2026-05-03) — **`numeric-bounds` extended to three more call sites the prior sweep missed.** **Fixed:** *`lib/middleware/csp-nonce.js` `nonceBytes`* — Pre-fix the `typeof === "number"` check accepted `Infinity` and `NaN` (both bypass `< MIN_NONCE_BYTES` because every comparison with `NaN` or `Infinity` is false), then crashed per-request inside `crypto.generateBytes(Infinity)` with `ERR_OUT_OF_RANGE`. The DoS-shape: an operator typo at boot took down every CSP-protected route at request time. Now rejects at `create()` with `csp-nonce/bad-nonce-bytes`. · *`lib/migrations.js` and `lib/external-db-migrate.js` `staleAfterMs`* — Both used the `> 0` guard which silently accepted `Infinity`. `(Date.now() - lockedAt) > Infinity` is always false, so `staleAfterMs: Infinity` was identical to the `0` default (never replace) but obscured the typo. Operators wanting `never expire` now pass `0` explicitly; everything else (`Infinity` / `NaN` / fractional / negative / non-number) rejects with a clear message.
+- v0.6.69 (2026-05-03) — **`lib/numeric-bounds.js` applied across every numeric-opt site that previously accepted `Infinity` / `NaN`.** **Fixed:** *Shared numeric-bounds validator applied across consumers* — The recurring pattern `typeof opts.X === "number" && opts.X > 0` was vulnerable everywhere it shipped: `Infinity > Infinity` is false, `byteLength > NaN` is false, `Number.isFinite()` was missing. Operators with env-var coercions (`Number(process.env.MAX_X || "")` produces `NaN` for missing values, `Infinity` for typo'd ones) silently lost their cap. New `lib/numeric-bounds.js` exposes `isPositiveFiniteInt(value)` and `shape(value)` (the latter formats `"number Infinity"` / `"number NaN"` / `"string \"100\""` so the actual coercion is visible — `JSON.stringify` collapses Infinity/NaN to `"null"` and hides the typo). · *Sites swept* — `lib/safe-buffer.js` (`boundedChunkCollector`, `toBuffer`, `normalizeText`), `lib/atomic-file.js` (refactored from the previous release's inline check), `lib/csv.js` (parse `maxBytes` was operator-overridable to `Infinity` -> multi-megabyte CSV bodies through unbounded), `lib/safe-url.js` (`maxUrlLength` opt was the v0.6.62 escape hatch — now also bounded), `lib/mail-bounce.js` (`maxBytes` for inbound webhook body — DoS-shape on bounce intake).
+- v0.6.68 (2026-05-03) — **`b.atomicFile.read` / `readSync` enforce strict `maxBytes` validation.** **Fixed:** *Reject `Infinity` / `NaN` `maxBytes` before the size check* — The previous size check was `if (stat.size > opts.maxBytes)`, which silently accepted `Infinity` (`stat.size > Infinity` is always false -> reads any file regardless of size, defeating the OOM cap). Operators with `Number(env.MAX_READ_BYTES || "")` coercion bugs got `NaN` on missing values and unbounded reads on Infinity-typo'd values. New `_validateMaxBytes` runs before the size check and rejects `Infinity` / `NaN` / non-integer / negative / zero / non-number with `atomic-file/bad-opt`. Real-world consumers (`vault.initPlaintext`, `audit-sign`, `db.loadOrCreateDbKey`, etc.) all pass real positive integers via `C.BYTES.*` helpers and are unaffected.
+- v0.6.67 (2026-05-03) — **Canonical-JSON walker extracted to `lib/canonical-json.js` and applied across audit / drift / pagination.** **Changed:** *Unified canonical-JSON serializer* — `audit-tools._canonicalize` (used for backup-bundle JSONL serialisation, requires byte-equivalence with audit-chain) and `config-drift._stableStringify` (used to hash framework config for post-boot tamper detection) carried the same silent-data-loss walk as the audit-chain bug just fixed. New `lib/canonical-json.js` exposes `stringify(value, opts?)` with `opts.bufferAs = "hex" | "reject"` (default `hex` for crypto / config / audit, `reject` for pagination's strict-cursor policy). All four call sites — audit-chain, audit-tools, config-drift, pagination — now route through it; the four near-identical inline walkers collapse to one. Existing audit rows and pre-existing backup bundles round-trip correctly because byte output for plain types is unchanged.
+- v0.6.66 (2026-05-03) — **`b.auditChain.canonicalize` deep-walks values and rejects non-plain types.** **Fixed:** *Canonical-JSON walker hardened* — The pre-fix walker did `Object.keys(row).map(...)` and `JSON.stringify`'d whatever fell through, which silently encoded `Map` / `Set` / `RegExp` as `{}`, `Symbol` / function as missing keys, `BigInt` as a thrown `Do not know how to serialize` mid-emit (DoS-shape on any operator routing bigint IDs into audit metadata), and circular references as the unwrapped `JSON.stringify` error message. The post-fix walker maps `BigInt -> decimal string`, `Date -> ISO string`, rejects `Map` / `Set` / `RegExp` / `Symbol` / function with a clear constructor-name message, and detects circular references via `WeakSet`. Recursive so nested structures like `{ a: [BigInt(1), BigInt(2)] }` and `{ a: { b: Uint8Array(...) } }` all serialise correctly. Stored-row compatibility is preserved because existing audit rows verify identically — their stored `metadata` columns are already JSON strings.
+- v0.6.65 (2026-05-03) — **`b.scheduler.parseCron` rejects step values exceeding the field's range.** **Fixed:** *Out-of-range cron step rejected* — Previously `*/99999 * * * *` was silently accepted and degenerated to `minute 0 of every hour` (because the for-loop adding values stopped at the first iteration when `step > range`); an operator typing the typo got a once-per-hour schedule when they probably meant once per N minutes. `_parseCronField` now rejects with `scheduler/invalid-cron` when `step > (range.max - range.min + 1)`. The bound is inclusive so `*/60 * * * *` (= minute 0 of every hour written with a redundant explicit step) still accepts.
+- v0.6.64 (2026-05-03) — **`b.credentialHash.verify` enforces the same 16-byte minimum payload as `hash`.** **Fixed:** *Symmetric minimum-length on verify* — Previously `hash()` refused to create a hash shorter than 16 bytes but `verify()` silently accepted any payload length, including 1-byte payloads where the collision space is 256 — a hand-crafted envelope `{ magic, algoId, SHAKE256(targetPassword, 1)[0] }` would verify against the target password in microseconds. A storage bug or attacker tampering that truncated the stored envelope produced a verifiable but catastrophically weak hash; an attacker with DB write access who couldn't replace the hash outright could truncate it to a nearly-cleartext-equivalent value. Both ends now refuse short payloads symmetrically via the new `SHAKE256_MIN_LENGTH = 16` constant; verify returns false (with `payload-too-short` observability label) when the envelope's payload is under 16 bytes.
+- v0.6.63 (2026-05-03) — **`b.parsers.toml.parse` enforces `maxDepth` on dotted-key paths.** **Fixed:** *Dotted-key path depth cap* — Previously the parser walked arbitrarily deep table headers (`[a.b.c.d.e...]`) without applying the existing `maxDepth` (which only ran inside `_parseValue` for inline tables and arrays); a 10,000-segment path built a tree deep enough to stack-overflow the recursive `_normalize` walker after parse. An attacker submitting a malicious TOML config to `b.config` would crash the framework at boot or whenever the file was reloaded. `_parseDottedKey` now rejects a path with more than `maxDepth` segments via the same `toml/too-deep` error code already used for value-side depth.
+- v0.6.62 (2026-05-03) — **URL-length DoS-shape gap closed in `safeSchema().url()` and `safeUrl.parse`.** Both surfaces previously accepted arbitrarily long URL strings before validation; an 8 KB cap referencing RFC 7230 §3.1.1 now applies before downstream processing. **Fixed:** *`b.safeSchema.string().url()` length cap* — Was regex-only with no length cap, accepting arbitrarily long matching strings — same DoS class as the previous release's `.email()` gap. An operator chaining `.url()` on a request body would feed multi-megabyte URLs into downstream HTTP clients, SSRF gates, and log lines. Now rejects with `string/url-too-long` at 8193+ characters. · *`b.safeUrl.parse` length cap* — Same gap at the framework's primary URL-validation surface (used by httpClient, ssrfGuard, and every operator-supplied URL). The 8 KB cap now applies BEFORE handing the string to Node's `new URL()` parser, so operator-supplied URLs feeding `b.httpClient.request({ url })` from request bodies and webhook configs are bounded. Operators with legitimate non-standard use override via `opts.maxUrlLength`. **References:** [RFC 7230 §3.1.1 — HTTP/1.1 Message Syntax](https://www.rfc-editor.org/rfc/rfc7230.html)
+- v0.6.61 (2026-05-03) — **`b.safeSchema.string().email()` enforces RFC 5321 §4.5.3.1.3's 254-character cap.** The previous regex-only validator accepted arbitrarily long matching strings — a 50 KB "email" passed validation and flowed into downstream DB writes / log lines unbounded. The 254-character cap now refuses oversized addresses before the regex runs. **Fixed:** *Email length cap closes a DoS-shape gap in operator request validation* — Pre-fix the validator was the regex-only `/^[^\s@]+@[^\s@]+\.[^\s@]+$/`, which accepts arbitrarily long matching strings — an operator chaining `.email()` on a request body was open to a DoS shape (50 KB email passes validation, downstream DB writes / log lines unbounded). The validator now rejects with `string/email-too-long` at 255+ chars before the regex even runs, with a message naming the RFC. Operators with a legitimate non-RFC reason for longer addresses skip `.email()` and chain `.regex(custom)` directly. **References:** [RFC 5321 §4.5.3.1.3 — Path length limits](https://www.rfc-editor.org/rfc/rfc5321#section-4.5.3.1.3)
+- v0.6.60 (2026-05-03) — **`b.pagination.encodeCursor` rejects non-plain types instead of silently losing data.** The cursor `_canonicalize` walker silently encoded `Date` as `{}`, `Buffer`/`Uint8Array` as `{"0":97,…}`, and stack-overflowed on circular references. After encode → decode the operator's data was either gone or unrecognisable. The walker now preserves `Date` as ISO string and refuses the other classes with a clear `pagination/bad-state` error. **Fixed:** *Date round-trips as ISO string; Buffer / Map / Set / RegExp / circular reject cleanly* — Pre-fix the `_canonicalize` walker did `if (typeof === "object") Object.keys(...)`, which silently lost data on three classes of input: `Date` silently encoded as `{}` (Date instances have no own enumerable keys); `Buffer` / `Uint8Array` silently encoded as `{"0":97,"1":98,…}` (indexed-key serialisation); circular references stack-overflowed instead of throwing a clean error. After encode → decode the operator's data was either gone or unrecognisable. The fix: `Date` now serialises to its ISO string (matches stdlib `JSON.stringify` semantics — round-trips through encode/decode as the ISO string operators expect); `Buffer` / `Uint8Array` / `Map` / `Set` / `RegExp` throw `pagination/bad-state` with a message naming the offending constructor and pointing operators at the right conversion (`"convert to a plain primitive (string / number / iso-string) first"`); circular references throw `pagination/bad-state` cleanly via WeakSet cycle detection.
+- v0.6.59 (2026-05-03) — **HTTP/2 session teardown extracted to `lib/http2-teardown.js` + applied across http-client.** The v0.6.58 inline `session.close()` + `session.destroy()` block was the right fix for the OTLP-gRPC sink hang, but the same bug class lived in `lib/http-client.js`'s h2 transport pool. A new shared helper consolidates the teardown routine across both consumers. **Fixed:** *`lib/http2-teardown.js` consolidates the close()-then-destroy() routine* — The h2 transport pool in `lib/http-client.js` had five call sites running the bare `session.close()` (`_resetTransports`, the ALPN-fallback path, the h2 connect-error path, the h2c connect-error path, the idle-timeout handler, `_resetForTest`) all of which leak the underlying TCP socket on idle / error / fallback paths in exactly the same way as the v0.6.58 OTLP-gRPC sink. New `lib/http2-teardown.js` exports `tearDownH2Session(session)` which performs the close()-then-destroy() routine; `lib/http-client.js` and `lib/log-stream-otlp-grpc.js` both import it. The v0.6.58 inline block in the OTLP-gRPC sink is removed in favour of the shared helper.
+- v0.6.58 (2026-05-03) — **`b.logStream` OTLP-gRPC sink no longer leaks its TCP socket on close.** The sink's `close()` was calling HTTP/2 `session.close()` (graceful) but never `session.destroy()`, leaving the underlying TCP socket connected — which blocked `server.close()` indefinitely on Linux CI runners and silently broke the npm-publish gate from v0.6.38 through v0.6.57. **Fixed:** *OTLP-gRPC sink `close()` follows graceful close with `session.destroy()`* — Pre-fix the sink's `close()` was calling `session.close()` (HTTP/2 graceful close — waits for in-flight streams before freeing the socket) but never `session.destroy()`. The graceful close completed but the underlying TCP socket stayed connected, blocking the test fixture's `server.close()` indefinitely on Linux CI runners. Same bug also added ~120 seconds of lingering latency to every local smoke run on Windows (smoke 196s → 76s after fix). The fix calls `session.close()` then `session.destroy()`; by the time we reach close(), all buffered records have been flushed via the awaited `inflightPromise` + final `_doExport`, so destroy() is structurally safe. · *Unblocks npm-publish stuck since v0.6.37* — The npm registry had been stuck at v0.6.37 since 2026-05-02; every tag from v0.6.38 through v0.6.57 timed out at the publish workflow's smoke step because of the lingering HTTP/2 socket. With this fix the publish reaches `npm publish`.
+- v0.6.57 (2026-05-03) — **`b.safeBuffer.boundedChunkCollector` enforces positive-finite-integer `maxBytes`.** The OOM-cap validator previously accepted `Infinity` (defeating its purpose) and fractional floats like `3.5` (confusing downstream arithmetic). It now requires a positive finite integer and throws `buffer/bad-arg` at boot on anything else, catching operator typos and broken env-var coercions. **Fixed:** *`maxBytes` validator no longer silently accepts `Infinity` / `NaN` / fractional floats* — Pre-fix the validator was `typeof opts.maxBytes === "number" && opts.maxBytes > 0` which silently accepted `Infinity` (defeating the OOM-cap purpose entirely — a hostile 10-GB upstream would accumulate fully) and non-integer floats like `3.5` (which set a fractional cap that confused downstream `total + chunk.length > maxBytes` arithmetic). The validator now requires positive finite integer; everything else throws `buffer/bad-arg` at boot with the offending value in the message. Real-world consumers (`b.httpClient` request cap, `b.atomicFile.read`, `b.parsers.*`, multipart body parser) are unaffected because they pass real positive integers via `C.BYTES.*` helpers; the fix catches operator typos / misconfigured env-var coercions where `Number(env.MAX_BYTES)` produces NaN or Infinity.
+- v0.6.56 (2026-05-03) — **`b.auth.totp.verify` strips whitespace + separators from pasted codes.** TOTP verification now normalises common paste / authenticator-UI artefacts (whitespace, `-`, `.`, `_`) before the timing-safe comparison, so codes like `"123 456"` or `"123-456"` from Google Authenticator, Authy, Duo, and 1Password verify instead of being rejected as typos. **Changed:** *TOTP code normalisation before timing-safe compare* — `b.auth.totp.verify` strips whitespace + common separators (`\s`, `-`, `.`, `_`) from the user-supplied code before the timing-safe comparison. Authenticator UIs (Google Authenticator, Authy, Duo, 1Password, etc.) and clipboard paste typically introduce these — `"123 456"`, `"123-456"`, `"123.456"`, `"  123456\t"` — and the framework was rejecting all of them as if they were real typos. RFC 6238 / NIST 800-63B don't mandate normalisation, but every consumer-facing TOTP implementation strips these because the alternative is a silent operator footgun. Letters and other non-numeric characters are NOT stripped — those are real input errors, not paste artefacts. Comparison stays timing-safe via the framework's `crypto.timingSafeEqual` wrapper. **References:** [RFC 6238 — TOTP](https://www.rfc-editor.org/rfc/rfc6238) · [NIST SP 800-63B](https://pages.nist.gov/800-63-3/sp800-63b.html)
+- v0.6.55 (2026-05-03) — **SMTP SNI suppression on IP literals + shellcheck fix unblocks publish.** Two bug fixes: the `b.mail` SMTP transport no longer sets a TLS ServerName when the host is an IP literal (Node refuses), and the MongoDB TLS init shell script's broken short-circuit is rewritten to a real `if` so shellcheck stops blocking the npm-publish gate. **Fixed:** *`b.mail` SMTP TLS handshake refuses IP literals as SNI* — The TLS handshake (implicit on port 465 + STARTTLS upgrade) was unconditionally setting `servername: cfg.host`, which Node's `tls.connect` rejects when host is an IP literal with `Setting the TLS ServerName to an IP address is not permitted`. Operators with `host: "127.0.0.1"` (or any IPv4/IPv6 literal) hit the error before a real cert-verification or auth issue could surface. SNI is now auto-suppressed on IP literals (matching `lib/redis-client.js`'s v0.6.28 convention); operators with private CAs and an IP-only target pass `opts.servername: "expected-cn.example"` explicitly. · *`docker/mongo/init-tls.sh` rewritten as `if … then … fi`* — SC2015 — `id mongodb >/dev/null && chown mongodb:mongodb ... || true` is not if-then-else; the `|| true` would fire if `chown` failed (treating it as if `id` had failed), masking real failures. The script is rewritten as a plain `if id mongodb …; then chown …; fi`. The shellcheck failure was blocking the v0.6.54 npm-publish gate.
+- v0.6.54 (2026-05-03) — **`npm-publish` workflow cap raised + shellcheck gate on tracked shell scripts.** Releases from v0.6.38 through v0.6.53 stalled at the npm registry because the publish workflow timed out at 15 minutes before reaching `npm publish`. The cap is now 30 minutes (matching `release-container.yml`), and every tracked `.sh` file now runs through `ludeeus/action-shellcheck` so shell-script regressions fail the publish gate before the tarball ships. **Changed:** *`npm-publish` workflow timeout raised from 15 to 30 minutes* — Smoke alone runs ~3 minutes locally and 6-8 minutes on CI; combined with eslint cold-pull, wiki e2e, and SBOM generation the full pipeline exceeded the previous 15-minute cap and got cancelled before reaching `npm publish`. The cap now matches `release-container.yml` at 30 minutes so tagged releases actually publish. · *Shellcheck enforced on every tracked `.sh` file in the publish gate* — `vendor-update.sh` and the docker init scripts ship in the npm tarball, so a shell-script regression must fail the publish workflow. The gate runs `ludeeus/action-shellcheck@master` against every tracked `.sh` file. Hadolint stays in `release-container.yml` only because the Dockerfile is container-only and is not part of the npm artifact.
+- v0.6.53 (2026-05-03) — **Audit + observability emissions across `b.objectStore.bucketOps` SigV4 state-changing surface.** Object Lock, retention, and legal-hold landed in v0.6.47 positioned as SEC 17a-4 / FINRA / HIPAA-grade primitives but shipped without an audit trail — an auditor asking "who set the retention on this object, and when?" got nothing. Every state-changing call on the SigV4 backend now emits an audit event and an observability counter, with `bypassGovernance: true` surfaced as alertable metadata. **Added:** *`audit` + `observability` opts on `bucketOps.create`* — `bucketOps.create({ audit, observability, auditSuccess, auditFailures })` wires the operator's `b.audit` and `b.observability` instances into every state-changing call. `auditSuccess` and `auditFailures` default to true; operators at extreme volume opt out of success-path auditing while keeping failure auditing on. · *Audit events for every state-changing object-store op* — Emissions cover `objectstore.bucket.create`, `objectstore.bucket.delete`, `objectstore.bucket.setLifecycle`, `objectstore.bucket.setCorsRules`, `objectstore.bucket.setObjectLockConfiguration`, `objectstore.object.setRetention`, and `objectstore.object.setLegalHold`. Each accepts `{ req }` so the audit chain populates `actorIp`, `actorUserAgent`, `actorSessionId`, `requestId`, `method`, and `route` via `requestHelpers.resolveActorWithOverride`. · *Observability counters on reads + writes* — Every op increments an observability counter, including read paths (`getObjectLockConfiguration`, `getRetention`, `getLegalHold`). Operators get visibility into retention-introspection traffic alongside the state-changing surface. · *`objectstore` namespace registered in `audit.FRAMEWORK_NAMESPACES`* — The new event family registers as a first-class framework namespace so operator-side audit consumers route it like any other built-in primitive. **Security:** *`bypassGovernance` flagged in retention audit metadata* — `setObjectRetention` audit metadata sets `bypassGovernance: true` when the operator used the bypass-shorten path. Operators wire alerting on this field to satisfy compliance postures that require human review of every governance-mode override.
+- v0.6.52 (2026-05-03) — **`b.mtlsCa` serial-number normaliser rejects gibberish instead of silently mangling it.** Before this release `_normalizeSerial("xyz-not-hex")` ran `.replace(/[^0-9a-fA-F]/g, "")` which kept just the single `e` and silently registered a phantom `revoke("e")` row. A typo from `openssl x509 -noout -serial` — or any non-serial paste — would have landed in the next CRL the operator published. The normaliser now strips only documented operator-paste shapes (leading `0x`, `:` / `-` / whitespace separators) and asserts the remainder is all-hex; anything else throws `mtls-ca/bad-serial`. **Added:** *Three live-CA integration assertions on top of the existing 41* — `test/integration/mtls-ca.test.js` now covers the bad-input refusal paths end-to-end against the real CA engine (44 checks total). **Fixed:** *Serial-number normaliser refuses non-hex input* — Real shapes still accepted (`"0xABC123"`, `"AB:C1:23"`, `"AB-C1-23"`, `"abc 123"`, `"abc123"` all normalise to `abc123`). Gibberish input (`"xyz-not-hex"`, `"   "`, `"nope"`) throws `mtls-ca/bad-serial` at the call site so the typo never reaches the revocation registry or a published CRL.
+- v0.6.51 (2026-05-03) — **`b.objectStore.bucketOps` Object Lock readers return clean defaults instead of raw 4xx errors.** Live MinIO probing surfaced a UX regression: `getObjectLockConfiguration` on a bucket created without `objectLockEnabled` threw HTTP 404 `ObjectLockConfigurationNotFoundError`, forcing a try/catch on the operationally-trivial "is this bucket lock-enabled?" question. `getObjectRetention` and `getObjectLegalHold` had the same shape. All three now return semantically-correct defaults for never-configured state while real errors still throw. **Added:** *Layer-0 + live MinIO coverage for the not-configured paths* — 7 new mock-server assertions cover the not-configured branches; 8 new live MinIO assertions in `_runObjectLockOnEndpoint` and a new no-lock-bucket variant in `_runOnEndpoint` exercise the round-trip end-to-end (object-store-sigv4 39 to 47 checks). **Fixed:** *Object Lock readers return defaults for never-configured state* — A new `_isLockNotConfigured` helper recognises both the AWS and MinIO error shapes. `getObjectLockConfiguration` now returns `{ enabled: false, mode: null, days: null, years: null }`, `getObjectRetention` returns `{ mode: null, retainUntil: null }`, and `getObjectLegalHold` returns `{ status: "OFF" }` (operationally identical to "no hold ever applied"). Auth failures, network errors, and bucket-not-found still throw as before.
+- v0.6.50 (2026-05-03) — **SigV4 multipart subresource consistency + live coverage.** **Added:** *Live multipart-upload integration* — `test/integration/object-store-sigv4.test.js` `_runOnEndpoint` gains a multipart-upload + get round-trip pass (forces multipart with `multipartThresholdBytes: 1`, `partSizeBytes: 5 MiB`, payload 6 MiB -> 2-part flow). The live MinIO assertion locks in `?uploads`, `?partNumber=N&uploadId=...`, and `?uploadId=...` (CompleteMultipartUpload) wire flow. **Changed:** *`?uploads` bare on the wire* — `lib/object-store/sigv4.js` was the only remaining `URLSearchParams.set(k, "")` empty-value site — `initiateUrl.searchParams.set("uploads", "")` produced `?uploads=` for InitiateMultipartUpload. AWS S3 and MinIO both accept `?uploads=` today, so this wasn't broken in the real world, but the convention drift would mask future regressions and a stricter S3 implementation could route differently. `?uploads` is now bare on the wire, matching the prior subresource fix; SigV4 canonicalization is unchanged (still presents `uploads=` to the signer per AWS spec).
+- v0.6.49 (2026-05-03) — **SigV4 subresource-query wire form (no trailing `=`).** **Fixed:** *Bare `?subresource` for empty-value query keys* — The previous Object Lock implementation built URLs via `URLSearchParams.set("retention", "")`, producing `?retention=` on the wire. Strict S3 implementations (MinIO in particular) interpret the trailing `=` as a body PUT with a query parameter and route the request to the put-object handler, which then rejects with `InvalidRequest: Object is WORM protected and cannot be overwritten`. `_bucketUrl` and `_objectUrl` now build the URL string manually with `?subresource` (no `=`) for empty-value query keys; `URL` preserves the bare token in `url.search` while `url.searchParams` still presents it as `subresource=` to the SigV4 canonicalizer (AWS spec REQUIRES `key=` in the canonical query string for signature computation). · *Live integration coverage for Object Lock* — `test/integration/object-store-sigv4.test.js` gains a third endpoint variant (`_runObjectLockOnEndpoint`) that creates a bucket with `objectLockEnabled: true` against live MinIO and exercises per-object retention set + get, per-object legal hold ON/OFF round-trip, bucket-level `setObjectLockConfiguration` + `getObjectLockConfiguration` round-trip, `bypassGovernance` retention shortening, and cleanup. **Detectors:** *Subresource bare-token wire-form regression check* — `test/layer-0-primitives/sigv4-bucket-ops.test.js` gains three wire-form assertions on `?retention`, `?legal-hold`, and `?object-lock` (`bare subresource, no '=' suffix`) to catch this class of regression before it reaches operators.
+- v0.6.48 (2026-05-03) — **Doc catch-up for the v0.6.47 Object Lock surface.** **Changed:** *README + SECURITY weave-ins for Object Lock* — The README `What ships in the box` object-store bullet now mentions S3 Object Lock + per-object retention + legal hold for write-once-read-many compliance workloads. SECURITY application checklist gains a sibling line to `b.retention` covering the operator's hardening checklist for WORM archives (SEC 17a-4, FINRA, HIPAA-shaped retention) — `objectLockEnabled: true` at create time only, `COMPLIANCE` mode irrevocable by anyone (including root), `bypassGovernance` requires `s3:BypassGovernanceRetention`. No code changes.
+- v0.6.47 (2026-05-03) — **S3 Object Lock, retention, and legal-hold for `b.objectStore.bucketOps`.** Adds the write-once-read-many compliance surface (SEC 17a-4, FINRA, HIPAA retention) to the SigV4 protocol; Azure and GCS handle WORM out-of-band. **Added:** *Object Lock + retention + legal-hold* — `create(name, { objectLockEnabled: true })` flips the underlying versioning and WORM at create time (the only point S3 allows it). `setObjectLockConfiguration(name, { mode, days|years })` / `getObjectLockConfiguration(name)` apply and read bucket-level default retention. `setObjectRetention(name, key, { mode, retainUntil, bypassGovernance? })` / `getObjectRetention(name, key)` apply and read per-object retention dates. `setObjectLegalHold(name, key, "ON"|"OFF")` / `getObjectLegalHold(name, key)` apply and read per-object legal holds. · *Up-front validation* — Bad inputs are rejected at the call site before any request is signed: unknown mode, `days` + `years` together, fractional or negative durations, non-Date or past-dated `retainUntil`, statuses outside `ON` / `OFF` — all throw `INVALID_OBJECT_LOCK` / `INVALID_RETENTION` / `INVALID_LEGAL_HOLD` (or `INVALID_KEY`) before TCP. `bypassGovernance: true` adds the `x-amz-bypass-governance-retention: true` header for accounts with the `s3:BypassGovernanceRetention` permission; `COMPLIANCE` mode cannot be shortened or bypassed by anyone, including root.
+- v0.6.46 (2026-05-02) — **`b.i18n.messageFormat` ICU MessageFormat parser + evaluator.** **Added:** *ICU MessageFormat support* — `lib/i18n-messageformat.js` ships a minimal-but-correct ICU MessageFormat parser and evaluator (~330 LOC, zero npm dep). Supports `{argName}` replacement; `{argName, plural, =N {...} category {...} other {...}}` with optional `offset:N` and `#` placeholder for the plural arg minus offset; `{argName, selectordinal, ...}` (CLDR ordinal categories via `Intl.PluralRules({ type: "ordinal" })`); `{argName, select, caseA {...} other {...}}`; nested arguments inside any case body; and ICU-spec apostrophe escaping. CLDR cardinal + ordinal categories via `Intl.PluralRules` per locale (cached). Inline `number` / `date` / `time` formatters, choice-format, and custom argument types are out of scope — operators use `formatNumber` / `formatDate` from `b.i18n` separately and inline the result. · *Auto-detect via `b.i18n.t`* — `b.i18n.t(key, vars, opts)` auto-detects MessageFormat-shaped entries via `messageFormat.looksLikeMessageFormat(template)` (matches `{name, plural / select / selectordinal, ...}`); operators force the path with `opts.messageFormat = true`. Plain `{var}` interpolation and existing CLDR plural-shaped JSON entries continue to work unchanged on the legacy interpolator.
+- v0.6.45 (2026-05-02) — **`b.mtlsCa` revocation registry + signed CRL generation.** **Added:** *`ca.revoke(serialNumber, opts?)`* — Records a revocation in `dataDir/revocations.json` with serial / reason / `revokedAt` timestamp. Serials are normalized (strips `0x`, removes non-hex chars, lowercases) so operators can paste any of `"0xABC123"` / `"AB:C1:23"` / `"abc123"` and hit the same row. Reason names map to RFC 5280 numeric codes (full set: `unspecified / keyCompromise / caCompromise / affiliationChanged / superseded / cessationOfOperation / certificateHold / removeFromCRL / privilegeWithdrawn / aACompromise`). Idempotent — repeated revoke of the same serial preserves the original `revokedAt`. · *`ca.isRevoked` / `ca.getRevocations`* — Registry queries, also serial-format-agnostic so callers can pass whichever shape their upstream emits. · *`ca.generateCrl(opts?)`* — Builds an RFC 5280 X.509 CRL signed with the CA private key via `engine.generateCrl({ caCertPem, caKeyPem, revocations, thisUpdate, nextUpdate })`. Default `nextUpdate` is 7 days after `thisUpdate`; operators publishing at a different cadence pass explicit dates. CRL persists to `dataDir/ca.crl` by default; `{ persist: false }` returns the bytes without writing. Operators serve `ca.crl` at the CRL distribution point referenced from issued certs. **References:** [RFC 5280 — X.509 Public Key Infrastructure](https://www.rfc-editor.org/rfc/rfc5280.html)
+- v0.6.44 (2026-05-02) — **`b.bundler` engine surface for ESM module-graph bundling.** **Added:** *Pluggable engine layer* — `b.bundler.create({ engine })` accepts any object implementing `{ name, transform(entryPath, contentBuf) -> { content, sourceMap?, imports? } }` between the file read and the cache-bust hash. `b.bundler.engine.passthrough` is the default and preserves the prior byte-verbatim behavior — no breaking change. · *`b.bundler.engine.fromEsbuild(esbuild, opts?)`* — Wraps an operator-supplied esbuild module into the engine contract. Routes through `esbuild.build({ entryPoints, write: false, ...opts })`, picks the JS output and `.map` sibling out of `outputFiles`, returns `{ content, sourceMap }` for the framework to hash and write atomically. Source maps land as `<hashed-filename>.map` siblings; the bundler's `outputs[i].sourceMapPath` reports the on-disk path. The framework does not vendor `esbuild-wasm` — at ~10 MB it would 3-5x the npm tarball for a build-time tool most operators only need at deploy time. The integration seam is the framework's; the heavy machinery stays operator-supplied.
+- v0.6.43 (2026-05-02) — **AWS SQS queue backend.** **Added:** *`b.queue` SQS protocol* — `protocol: "sqs"` for operators on AWS who want a fully-managed queue without standing up a Redis cluster. Wire is AWSJsonProtocol_1.0 over HTTPS (Content-Type `application/x-amz-json-1.0`, `X-Amz-Target: AmazonSQS.<Action>`), SigV4-signed via the framework's service-agnostic `lib/object-store/sigv4.js`. Action mapping: `enqueue -> SendMessage`, `lease -> ReceiveMessage` (long-poll up to `WaitTimeSeconds`), `extendLease -> ChangeMessageVisibility`, `complete -> DeleteMessage`, `fail -> ChangeMessageVisibility(VisibilityTimeout=0)`, `size -> GetQueueAttributes`, `purge -> PurgeQueue`. Queue-name -> URL by default `https://sqs.{region}.amazonaws.com/{accountId}/{queueName}`; operators with cross-account / FIFO / VPCE endpoints pass an explicit `queueUrlByName(name) -> url` resolver. STS session tokens propagate as `x-amz-security-token`. Payloads pass through `cryptoField.sealRow("_blamejs_jobs", row)` before SendMessage so SQS only ever sees the sealed envelope. · *SQS hard-cap clamps* — `DelaySeconds` is clamped to the 900-second SQS hard cap; `MaxNumberOfMessages` is clamped to 10 (SQS's per-call ceiling). **Removed:** *`sqs` removed from `DEFERRED_PROTOCOLS`* — The SQS queue backend is first-class and no longer listed as a deferred protocol. DLQ inspection (`dlqList` / `dlqRetry` / `dlqSize`), flow / cron / parent-child dependencies, and `sweepExpired` stay on `local` / `redis` — SQS handles those server-side or via separate-queue DLQs operators wire as a second backend.
+- v0.6.42 (2026-05-02) — **Wiki primitive sections for testing / format-helpers / backup-restore.** **Added:** *`testing` page primitive sections* — `b.testing.mockReq(opts?)` / `.mockRes()`, `b.testing.fakeClock(initialMs?)`, `b.testing.captureAudit()` (corrected surface: `.byAction` / `.captured`), `b.testing.captureObservability()` (corrected surface: `.byName` / `.captured`), `b.testing.fakeHttpClient(handler)`, `b.testing.runMiddleware(fn, req, res)`, `b.testing.waitFor(predicate, opts?)`, `b.testing.tempDir(name?)`. · *`format-helpers` page primitive sections* — `b.csv.parse(input, opts?)` / `.stringify(rows, opts?)`, `b.uuid.v4 / .v7 / .parse / .isValid`, `b.slug(input, opts?)` / `.unique(input, exists, opts?)`, `b.time.toParts / .format / .addDays / .addMonths / .startOfDay / .endOfDay / .diffDays / .parseISO / .tzOffsetMs`, `b.archive.zip()`, `b.pagination.cursor(query, opts)` (corrected from non-existent `b.pagination.create({...})`), `b.forms.render(spec, opts?)` / `.validate(spec, body)` / `.generateCsrfToken / .verifyCsrfToken`. · *`backup-restore` page primitive sections* — `b.backup.create(opts)` and `b.restore.create(opts)`. The wiki primitive-runtime gate is up from 147 to 186 clean exec runs.
+- v0.6.41 (2026-05-02) — **Wiki primitive sections for welcome / crypto-vault / network-crypto / safe-parsers.** **Added:** *`welcome` page primitive sections* — `b.createApp(opts)` documented as the operator entry point that wires the dependency-ordered boot. · *`crypto-vault` page primitive sections* — `b.vault.seal(plaintext) / .unseal(sealed)` and `b.cryptoField.registerTable(name, opts)` (sealedFields + derivedHashes registry the db-query layer reads on every read/write). The API-drift `b.webhook.signer.create({...})` / `b.webhook.verifier.create({...})` examples are removed — actual API is `b.webhook.signer({...})` and `b.webhook.verifier({...})` documented at outbound-http; crypto-vault now cross-links instead of restating. · *`network-crypto` page primitive sections* — `b.mtlsCa.create(opts)` (lib allow-list reflects `dataDir / vault / paths / caKeySealedMode / generation / engine`), `b.pqcGate.create(opts)` (corrected to `internalPort / internalHost / bypass / clientHelloTimeoutMs / maxClientHelloBytes / log`), `b.pqcAgent.create(opts?)` (with the `b.pqcAgent.agent` and `.enforced` shared-singleton handles documented). · *`safe-parsers` page primitive sections* — `b.safeJson.parse(text, opts?)`, `b.safeBuffer.normalizeText(input, opts?)` / `.boundedChunkCollector(opts)` / `.secureZero(buf)` (corrected to `bytesCollected()`), `b.safeSql.validateIdentifier(value, opts?)` (corrected from `b.safeSql.identifier` which doesn't exist), and the `b.safeSchema` builder factories (`object / string / number / boolean / array / literal / union` with refinements). The wiki primitive-runtime gate is up from 130 to 147 clean exec runs.
+- v0.6.40 (2026-05-02) — **Wiki harness upgrade + compound-primitive coverage for routing / middleware / outbound-http.** **Added:** *Harness extension for operator-side identifiers* — `examples/wiki/test/run-example.js` adds stub bindings for `app` (Express-shape stub with the full HTTP-verb surface), `users` (db-model stub), `template`, `metrics`, `currentToken`, `largeBuffer`, `body`, `loginUrl`, `meUrl`, `authMiddleware`, and `loginHandler`. Compound-primitive examples can now round-trip cleanly through the runtime gate. · *`routing` page primitive sections* — `new b.router.Router(opts?)`, `router.METHOD(path, spec?, ...handlers)`, `router.openapi(opts)`, `b.render.htmlString / .json / .text / .redirect`, `b.htmlBalance.check`, `b.staticServe.create(opts)` (corrected to opts-only with required `root`), `b.errorPage.create(opts)`, `b.requestHelpers.extractActorContext / .parseQualityList / .parseListHeader`. · *`middleware` page primitive sections* — `b.middleware.rateLimit / .csrfProtect / .cspNonce / .bodyParser / .bodyParser.raw / .sse(handler, opts?) / .requestLog / .networkAllowlist`, `b.cookies.create(opts?)` / `.parse(headerValue)`, `b.validateOpts`. Real API drifts corrected: `rateLimit` uses `refillPerSecond`, `csrfProtect` uses `tokenLookup / fieldName`, `requestLog` uses `logger`, `cookies.create` accepts `vault` for sealing values, `sse(handler, opts?)` takes the handler positionally. · *`outbound-http` page primitive sections* — `b.httpClient.request(opts)` with subsections for `maxRedirects`, `multipart`, `before / after` interceptors; `b.httpClient.cookieJar.create`; `b.ssrfGuard.checkUrl / .classify`; `b.safeUrl.parse`; `b.webhook.signer / .verifier`. The wiki primitive-runtime gate is up from 87 to 130 clean exec runs.
+- v0.6.39 (2026-05-02) — **Wiki primitive sections for self-contained pure-function helpers.** The wiki harness exec-runs every example with only `b` in scope; this release converts the self-contained primitives whose examples fit in two or three pure-function lines. Compound primitives that need operator stubs (`app`, `req`, `res`) land in a follow-up patch alongside the harness upgrade. **Added:** *Primitive sections for pure-function helpers* — `b.requestHelpers.parseQualityList(value, opts?)` (RFC 9110 §12.5 Accept-* parser), `b.requestHelpers.parseListHeader(value, opts?)` (comma-separated parser with trim / lowercase / unique opts), `b.htmlBalance.check(html)` (structural HTML check returning `null` when balanced or `{code, message, line, column}` when not), `b.ssrfGuard.classify(ip)` (offline IP classifier), and `b.safeUrl.parse(input, opts?)` each gain a four-piece primitive section (heading + opts model + description + example). The wiki primitive-runtime gate is up from 75 to 87 clean exec runs.
+- v0.6.38 (2026-05-02) — **OTLP gRPC + protobuf transport for `b.logStream`.** **Added:** *`otlp-grpc` log sink* — First-class `protocol: "otlp-grpc"` companion to the existing OTLP/JSON sink: same OTel Logs Data Model, transported over HTTP/2 + gRPC framing for the higher-throughput path operators reach for when pushing past 100K logs per second straight to a collector. Single HTTP/2 session per sink, kept alive across many Export calls; recreated on disconnect. Reads `grpc-status` + `grpc-message` from response trailers; non-zero gRPC status surfaces as `HTTP_ERROR` with the gRPC error code and message preserved. Same back-pressure semantics as the JSON sink. · *`lib/protobuf-encoder.js`* — Minimal proto3 wire-format encoder (write-only — no decoder ships). Implements varint, 64-bit fixed, length-delimited, and 32-bit fixed wire types with helpers for `uint32` / `uint64` / `bool` / `fixed64` / `double` / `string` / `bytes` / `embeddedMessage` / `repeatedMessage`. Operators reach for it when constructing protobuf bodies for any external service that accepts proto over HTTP — gRPC, AWS SigV4-protobuf, GCP protobuf APIs. Zero vendored protobuf parser; the encoder is the framework's own. · *`lib/log-stream-otlp-grpc.js`* — Encodes `ExportLogsServiceRequest` per the OTel `logs.proto` schema (Resource -> ScopeLogs -> LogRecord -> AnyValue / KeyValue), wraps in gRPC framing (1-byte compression flag + 4-byte big-endian length + protobuf body), POSTs over `node:http2` to `/opentelemetry.proto.collector.logs.v1.LogsService/Export` with `content-type: application/grpc+proto` plus `te: trailers`. Severity mapping debug=5 / info=9 / warn=13 / error=17.
+- v0.6.37 (2026-05-02) — **Azure + GCS bucket-ops parity for `b.objectStore.bucketOps`.** **Added:** *Protocol-dispatching `bucketOps` factory* — `b.objectStore.bucketOps` now accepts `{ protocol: 'sigv4' | 'azure-blob' | 'gcs', ... }` and returns a service-scoped client for the matching cloud. Previously SigV4 only. · *Azure Blob bucket-ops* — `lib/object-store/azure-blob-bucket-ops.js` provides container lifecycle via Shared Key auth: `create(name, {publicAccess?})` (PUT `/{container}?restype=container`), `delete(name)` (DELETE), `list({prefix?, maxResults?})` (GET `/?comp=list` with XML response parsed into `[{ name, lastModified, etag, leaseStatus, leaseState, publicAccess }]`), `setCorsRules(rules)` (account-level — Azure CORS is not per-container). `setLifecycle` throws `NOT_SUPPORTED` because Azure lifecycle lives on Azure Resource Manager with Azure AD bearer auth; the error message points at Terraform / Bicep / az CLI. · *GCS bucket-ops* — `lib/object-store/gcs-bucket-ops.js` provides bucket lifecycle via service-account JWT exchanged for an OAuth2 access token (admin-scoped `devstorage.full_control`): `create(name, {location?, storageClass?, iamConfiguration?})`, `delete(name)`, `list({prefix?, maxResults?, pageToken?})`, `setLifecycle(name, rules)` (PATCH bucket with `lifecycle: { rule: [{ action, condition }] }` — supports `Delete` / `SetStorageClass` / `AbortIncompleteMultipartUpload`), `setCorsRules(name, rules)`. · *Per-cloud bucket-name validation* — Azure containers (3-63 lowercase alphanumeric + hyphens, no consecutive hyphens, start/end alphanumeric); GCS buckets (3-63 lowercase + digits + hyphens + underscores + dots, no consecutive dots, no `goog` prefix). Bad names rejected at the call site before the request leaves the process. Both modules treat 404 on delete as already-gone and 409 on create as `BUCKET_ALREADY_OWNED`.
+- v0.6.36 (2026-05-02) — **`b.db.from("schema.table")` cross-schema chain.** **Added:** *Two-part `schema.table` identifiers* — `b.db.from("audit.events")` now accepts a two-part identifier. Both halves validated separately as SQL identifiers (rejects three-part names, empty parts, embedded quotes / SQL keywords); both halves wrapped in `"..."` when interpolated so generated SQL is `SELECT * FROM "audit"."events" WHERE ...`. The bare `b.db.from("users")` form still works unchanged. Sealed-field registry lookup tries the qualified name (`audit.users`) first when schema is set, falls back to the bare table. Use cases: cross-schema joins on Postgres external-db, SQLite `ATTACH DATABASE` per-classification audit / archive databases.
+- v0.6.35 (2026-05-02) — **`cluster-provider-db` gains MySQL dialect.** **Added:** *MySQL dialect for the default leader-election provider* — `b.cluster.create({ provider: clusterProviderDb.create({ dialect: "mysql", ... }) })` lets operators on MySQL use the framework's default DB-row leader-election provider; it now speaks all three of postgres / sqlite / mysql. MySQL acquireLease uses `INSERT INTO _blamejs_leader (...) VALUES (...) ON DUPLICATE KEY UPDATE col = IF(expiresAt < ?, VALUES(col), col), ..., expiresAt = IF(expiresAt < ?, VALUES(expiresAt), expiresAt)` so a still-valid lease is preserved untouched and an expired one is overwritten atomically, followed by a `SELECT` to read who holds. Renew uses `UPDATE ... SET expiresAt=?, endpoint=? WHERE scope='leader' AND nodeId=? AND leaseId=?` followed by a check-SELECT to surface takeover races as `LEASE_LOST`. Schema generation switches to `BIGINT` / `VARCHAR(64)` / `VARCHAR(255)` per MySQL's primary-key length rules, drops the `CHECK` constraint that some MariaDB / MySQL 5.x versions silently strip, and flips placeholder style to `?`.
+- v0.6.34 (2026-05-02) — **`b.pubsub` distributed pub/sub primitive.** Single API for cross-node fan-out with three backends — `local`, `cluster` (shared DB table polled), and `redis` (SUBSCRIBE/PSUBSCRIBE). **Added:** *`b.pubsub` with local / cluster / redis backends* — Operator API: `ps.subscribe(channel, handler) -> token`, `ps.subscribePattern(pattern, handler) -> token` (glob-style on local + cluster, native PSUBSCRIBE on redis), `ps.unsubscribe(token)`, `await ps.publish(channel, payload) -> { local, remote }`, `await ps.close()`. `topicPrefix` opt scopes channel names so independent pubsub instances sharing a backend don't collide. Handler errors are caught and logged via the framework's boot logger; they never abort dispatch to other handlers on the same channel. · *Redis push-message demultiplexing* — `lib/redis-client.js` adds push-message demultiplexing: server-pushed `["message", channel, payload]` and `["pmessage", pattern, channel, payload]` arrays route through `setOnPushMessage` instead of consuming a pending request slot, while SUBSCRIBE / UNSUBSCRIBE acks still flow through the normal command pipeline. Per-instance nonce stamped on outgoing redis payloads so the SUBSCRIBE socket recognizes its own publishes and skips the loopback. · *`lib/websocket-channels.js` reroutes through `b.pubsub`* — Replaces the inline cluster-poll-and-fan-out logic with `b.pubsub` consumption. The hub owns one pubsub instance per primitive; cross-node delivery is `pubsub.subscribe` per channel the hub joins, with the hub's `_localDispatch` as the handler. Per-channel pubsub subscription is refcounted by local conn count. The `_blamejs_ws_messages` table is renamed to `_blamejs_pubsub_messages` (column `channel` -> `topic`); pre-1.0, no compat shim — operators upgrading wipe the previous table. · *`b.cache.create({ invalidationPubsub })`* — Passing a `b.pubsub.create()` instance auto-publishes on every successful `del` / `clear` / `invalidateTag`, and subscribes for the same events so other cache instances on other nodes (or processes sharing the pubsub backend) react locally. Re-entrancy guard prevents inbound invalidation events from re-publishing.
+- v0.6.33 (2026-05-02) — **`b.logStream` syslog sink (RFC 5424) + CloudWatch `autoCreate`.** **Added:** *Syslog sink (RFC 5424)* — `protocol: "syslog"` for `b.logStream.init`; new module `lib/log-stream-syslog.js`. URL-driven transport selection: `udp://host:514`, `tcp://host:514`, `tls://host:6514`. UDP is best-effort one-datagram-per-record; TCP / TLS use RFC 6587 octet-counting framing. TLS is TLS 1.3 minimum; operators with private CAs pass `ca` for trust pinning, `servername` for SNI override (auto-suppressed on IP literals). Records formatted with PRI = `(facility << 3) | severity` (default facility `local0`), severity mapped from the framework's level field (debug=7 / info=6 / warn=4 / error=3); operators override via `facility`, `appName` (default `blamejs`), `procId` (default `process.pid`), `hostname` (default `os.hostname()`), `structuredData` (default `-`). TCP / TLS reconnect with exponential backoff; records buffer during the down window with `bufferLimit`-bounded oldest-drop, replay on reconnect. `close()` waits up to 3s for an in-flight (re)connect to drain the buffer before tearing down. Operator-supplied `onDrop({reason, batch, error})` surfaces every drop class. · *CloudWatch sink `autoCreate`* — Pass `{ autoCreate: true }` to have the framework issue `CreateLogGroup` + `CreateLogStream` on first emit. Idempotent: AWS's `ResourceAlreadyExistsException` is treated as success on both calls. Hard failures drop the batch with `onDrop` reason `autocreate-failed`. Default remains `autoCreate: false`. **Fixed:** *`docker/init/generate-certs.sh` preserves existing CA* — Was overwriting an existing CA when re-run with `.complete` removed, invalidating every previously-issued leaf cert. Now reuses an existing `(ca.crt, ca.key)` pair across `.complete`-only resets and only generates a fresh CA when neither file is present. **References:** [RFC 5424 — The Syslog Protocol](https://www.rfc-editor.org/rfc/rfc5424.html) · [RFC 6587 — Transmission of Syslog Messages over TCP](https://www.rfc-editor.org/rfc/rfc6587.html)
+- v0.6.32 (2026-05-02) — **`b.cache` Redis backend.** **Added:** *First-class `backend: "redis"` for `b.cache.create`* — New module `lib/cache-redis.js` consumes `lib/redis-client.js` directly with no operator-supplied glue. Storage layout: `<namespace>:e:<key>` STRING (JSON-encoded value, PEXPIREAT-bounded), `<namespace>:t:<tag>` SET (cacheKeys carrying that tag — powers `invalidateTag` fan-out), `<namespace>:k:<key>:tags` SET (tags this key carries — powers per-key tag cleanup on `del` / `set`-overwrite, expires alongside the entry). TTL is enforced by Redis itself (PEXPIREAT) so the framework's sweeper is a no-op for this backend; sliding TTL bumps the entry's expiry on every read when `slidingTtl: true` AND `ttlMs` is finite. · *Redis cache opts* — New opts on `cache.create`: `redisUrl` (required when `backend: "redis"`), `redisPassword`, `redisUsername`, `redisTls`, `redisCa` (private-CA trust pinning), `redisServername`, `redisConnectTimeoutMs`, `redisCommandTimeoutMs`, `redisMaxReconnectAttempts`. Lazy connect — `cache.create({backend:"redis"})` stays sync-safe and the first op opens the socket. `invalidateTag` filters out ghost entries (key already PEXPIRE'd from the keyspace but lingering in a tag SET) by EXISTS-checking before del.
+- v0.6.31 (2026-05-02) — **Redis queue priority + flow `dependsOn`; WebSocket per-message-deflate.** **Added:** *Redis queue priority ordering* — `b.queue.enqueue({ priority })` on the Redis backend now matches `queue-local`'s `ORDER BY priority DESC, availableAt ASC, enqueuedAt ASC` semantics. The Redis ZSET stays scored by availableAt only, but `LEASE_LUA` over-fetches `maxRows*5` candidates by score, HMGETs priority + availableAt + enqueuedAt for each, sorts server-side in Lua by the same triple, and leases the top `maxRows`. · *Redis queue flow `dependsOn` cascade* — `b.queue.enqueue({ flowId, flowChildName, dependsOn })` on the Redis backend now releases dependent jobs when their parents complete, mirroring `_maybeReleaseFlowChildren` in `queue-local`. A per-flow `<prefix>:flow:<flowId>` Redis SET tracks every job in the flow; `complete()` walks the set, looks up siblings whose `dependsOn` matches the just-completed job (by id or `flowChildName`) AND every other dep is satisfied, and HSET-bumps their `availableAt` to now and ZADDs them into the ready zset. · *WebSocket per-message-deflate (RFC 7692)* — `b.websocket.handleUpgrade` negotiates the `permessage-deflate` extension when the client offers it, accepting `client_max_window_bits` / `server_max_window_bits` (8-15, default 15) and always asserting `client_no_context_takeover` + `server_no_context_takeover` so every message uses fresh zlib state. Send path compresses TEXT/BINARY frames via `zlib.deflateRawSync`, strips the 4-byte `0x00 0x00 0xff 0xff` trailer per RFC 7692 §7.2.1, and sets RSV1 on the first frame. Receive path appends the trailer back and inflates via `zlib.inflateRawSync`. RSV1 on a continuation frame, RSV1 without negotiated extension, RSV2/RSV3 set, and decompressed payload exceeding `maxMessageBytes` all close with the appropriate RFC 6455 status. Operator opt-out: pass `permessageDeflate: false`. **References:** [RFC 7692 — Compression Extensions for WebSocket](https://www.rfc-editor.org/rfc/rfc7692.html)
+- v0.6.30 (2026-05-02) — **Wiki-app integration gate + framework follow-ups.** **Added:** *`scripts/test-wiki-integration.js`* — Boots `examples/wiki` against the docker-compose fixture stack (real Redis, MinIO, Mailpit, CoreDNS, NTP, mtls-ca) and drives every backend through the wiki's HTTP surface AND the underlying framework primitives — validates that each primitive routes through the configured backend (cache -> custom backend, queue -> Redis Streams, mail -> Mailpit SMTP, object-store -> MinIO SigV4, log-stream -> webhook receiver). · *Wiki test-only routes under `/test/*`* — Gated by `WIKI_INTEGRATION_TEST=1`, mounted before CSRF / staticServe so test POSTs don't have to round-trip a token cookie. Covers cache get/set/del, queue enqueue/size, mail send, object-store put/get, http-client fetch, log-stream emit, mtls-ca issue, ntp query, dns lookup, ssrf classify+check, plus `/test/diagnostic` exposing the active backend posture. · *External-integration two-gate rule* — When a release diff touches a primitive that talks to an external service, operators run BOTH `scripts/test-integration.js` (per-primitive) AND `scripts/test-wiki-integration.js` (wiki app exercising the same backends end to end) before pushing. Documented in CONTRIBUTING.md and the release workflow. The smoke and wiki-e2e gates stay pure (no docker dependency). **Fixed:** *`b.mtlsCa.create` auto-creates `dataDir`* — Now creates `opts.dataDir` with `mode: 0o700` if it doesn't exist (matches `b.logStream`'s local sink, `b.backup`, `b.restoreBundle`). Without it the first `initCA()` call hit `ENOENT` writing `ca.key.tmp`. · *`b.logStream` webhook-sink close-order, revisited* — `close()` now waits for the in-flight `_flush()` before draining the buffer. The previous drain fix only tracked emit-time wrapper promises, not the actual HTTP POST in flight; a record arriving mid-flush would buffer, the emit-time `_flush` early-returned on `if (inFlight) return`, and shutdown would then strand it. · *`b.queue.bootFromEnv()` wired in the wiki app* — The wiki app's `build-app.js` now calls `bootFromEnv()` unconditionally so the wiki picks up `BLAMEJS_QUEUE_PROTOCOL=redis` from env without code changes.
+- v0.6.29 (2026-05-02) — **Shellcheck gate green and eslint pin alignment.** **Fixed:** *`docker/init/generate-certs.sh` line count* — The footer line counted output via `ls "$CERT_DIR" | wc -l` (SC2012, fragile on filenames with newlines or quoting metacharacters); replaced with `find "$CERT_DIR" -maxdepth 1 -mindepth 1 | wc -l`. Same semantics, robust to any cert filename pki-init might end up writing. · *shellcheck added to the documented pre-push gate list* — CONTRIBUTING.md now lists shellcheck alongside smoke / wiki e2e / eslint / api-snapshot / primitive-section validators. CI's `Lint summary` job has always run it, but the local-dev recipe didn't, so contributors hit it after push instead of catching it locally. · *eslint pin alignment* — `.github/PULL_REQUEST_TEMPLATE.md` and CONTRIBUTING.md still pinned `eslint@10` while CI runners had already swapped to `eslint@latest`; both are bumped to `@latest` to match the forward-track posture of every other CI tool.
+- v0.6.28 (2026-05-02) — **Live integration test suite + framework bugs caught by it.** **Added:** *`test/integration/` suite + docker-compose stack* — 13 live test files covering Redis (plain + TLS), `b.queue` on Redis, `b.mail` SMTP / STARTTLS / multi-rcpt / dot-stuffing, `b.mail.dkim` rsa-sha256 + ed25519-sha256 + bad-algorithm reject, `b.ntpCheck` v4 + v6 + bootCheck, `b.network.dns` plain + DoT + DoH with strict CA pinning + bad-servername + cache, `b.network.heartbeat` http + tcp + state-change callbacks, `b.objectStore` SigV4 on plain HTTP + TLS, `b.cache` memory + Redis-backed cluster, `b.httpClient` direct + Squid forward proxy + TLS pin, `b.ssrfGuard` classify + checkUrl + cloud-metadata block, `b.logStream` local + webhook + deferred-syslog error path, and `b.mtlsCa` CA bootstrap + clientAuth + serverAuth + dual-EKU. Companion `docker-compose.test.yml` stands up redis (plain + TLS), postgres, mysql, mongo, minio (HTTP + HTTPS), rabbitmq (plain + TLS), nats, syslog, ntp, mailpit, coredns (plain + DoT + DoH), haproxy, caddy, mitmproxy, squid, and pki-init. Host port bindings dual-stack on `127.0.0.1` AND `[::1]`. `scripts/test-integration.js` exports the test CA via `docker cp` and sets `NODE_EXTRA_CA_CERTS` per-test child process; no `rejectUnauthorized: false` bypass anywhere. **Fixed:** *`b.ssrfGuard.checkUrl` cloud-metadata hard-deny* — `allowInternal: true` no longer permits 169.254.169.254 (AWS / GCP / Azure metadata). Loopback / private / link-local / reserved stay overridable per existing semantics; cloud-metadata is unconditional because a blanket override would let any compromised request exfiltrate instance credentials. · *`b.mtlsCa` issues server certs and dual-EKU certs* — `generateClientCert({ usage: "client" | "server" | "both", sans: [...] })`: `usage` controls EKU (`client` = clientAuth, `server` = serverAuth, `both` = both); `sans` accepts `DNS:` / `IP:` / bare-DNS entries; serverAuth without an explicit SAN auto-adds the CN. Operators wiring inbound mTLS reverse-proxy fronts no longer hit `unsuitable certificate purpose` on the handshake. · *`b.mtlsCa` algorithm auto-detect* — Probes webcrypto plus the vendored x509 library at first cert issuance and picks the highest-PQC option that round-trips: SLH-DSA-SHAKE-256f -> SLH-DSA-SHAKE-128f -> ML-DSA-87 -> ML-DSA-65 -> ECDSA-P384-SHA384. When the bridge condition lifts the same `b.mtlsCa.create(...)` call self-upgrades; `b.mtlsCa.status().cert.label` and `.posture` surface the chosen algorithm. · *`b.redisClient.create({ ca, servername })`* — Managed-Redis and on-prem-cluster operators connecting over `rediss://` against a private CA can pin trust roots. `servername` auto-suppresses for IP literals so `rediss://127.0.0.1:6380` no longer trips Node's IP-as-SNI rule. · *DoT / DoH accept a `ca` opt* — `b.network.dns.useDnsOverTls` and `useDnsOverHttps` accept a `ca` opt for the same trust-pinning surface against self-signed / private-PKI endpoints. · *DoT handshake errors and socket lifecycle* — DoT TLS handshake errors now route as `DnsError` on the lookup promise rather than leaking as `unhandledRejection`. The DoT socket is now ref'd while a query is in flight and unref'd when idle, so Node doesn't exit during an in-flight lookup. · *`b.ntpCheck.querySingle` honors IPv6 servers* — Previously hardcoded to `dgram.createSocket("udp4")` — `::1` and `fd00::...` queries failed with `EINVAL`. Family is now auto-detected from the server string. · *`b.logStream.shutdown` drains in-flight emits* — `shutdown` now drains in-flight emit microtasks before closing sink fds; fire-and-forget emits queued just before shutdown were previously dropped. · *`b.logStream` webhook-sink close-order* — `close()` flushes before setting `closed = true` — `_flush`'s while loop bailed on `!closed`, leaving any records buffered just before shutdown stranded.
+- v0.6.27 (2026-05-02) — **Redis backend for `b.queue`.** Multi-replica apps can share a single queue without each needing to be cluster leader. **Added:** *Bespoke RESP2 client* — `lib/redis-client.js` is zero-npm-dep: TCP via `node:net` and TLS via `node:tls` (`rediss://` auto-detected), legacy single-arg AUTH plus ACL `AUTH user pass`, `SELECT db`, pipelining, exponential-backoff reconnect, and an EVAL helper. · *`b.queue` Redis protocol* — `lib/queue-redis.js` ships full `enqueue` / `lease` / `extendLease` / `complete` / `fail` / `sweepExpired` / `size` / `purge` / `dlqList` / `dlqRetry` / `dlqSize` parity with the local backend. Atomicity comes from server-side Lua scripts so concurrent consumers can't double-lease and a sweep can't race a complete. Storage: per-job HASH (sealed payload and `lastError` via `cryptoField.sealRow`), per-queue ready ZSET scored by `availableAt`, per-queue inflight ZSET scored by `leaseExpiresAt`, per-queue dlq ZSET scored by `finishedAt`, plus a queues SET so `sweepExpired` walks every known queue without a global secondary index. Cron-repeat handled in `complete()` JS — re-enqueues the next firing as a fresh `jobId` with `availableAt` set to the next cron fire. · *`b.queue.bootFromEnv({ env })`* — Env-driven init mirroring `b.network.bootFromEnv` and `b.logStream.bootFromEnv`. Reads `BLAMEJS_QUEUE_PROTOCOL` (`local` or `redis`), `BLAMEJS_QUEUE_REDIS_URL`, `BLAMEJS_QUEUE_REDIS_PASSWORD`, `BLAMEJS_QUEUE_REDIS_USERNAME`, `BLAMEJS_QUEUE_REDIS_TLS`, and `BLAMEJS_QUEUE_REDIS_KEY_PREFIX`. Operators flip from local to Redis without a code change; both wiki docker-compose configs declare the new env knobs. **Removed:** *`redis` removed from `DEFERRED_PROTOCOLS`* — The Redis queue backend is first-class and no longer listed as a deferred protocol.
+- v0.6.26 (2026-05-02) — **CLI subcommands for restore and audit chain verification.** **Added:** *`blamejs restore`* — `list` enumerates bundles in storage, `inspect` reads the manifest summary without touching live data, `apply` runs an in-place restore preserving rollback, `rollback` reverts to the most-recent or named restore point, and `list-rollbacks` enumerates preserved rollback points. Operators identify a bundle via `--bundle <dir>` (matching what `blamejs backup extract` produces) or `--storage-root <root> --bundle-id <id>`. `apply` honors `--max-pulled-bytes` / `--max-pulled-files` (defaults 4 GiB / 100K), `--rollback-root` (default `<data-dir>.rollbacks`), `--no-audit`, and `BLAMEJS_BACKUP_PASSPHRASE`. · *`blamejs audit verify-chain`* — Walks the live audit chain end to end, reports tampering with `breakAt` / `breakRowId` / expected-versus-actual `prevHash`, and honors `--max-rows` for bounded walks. Default table is `audit_log`. · *Wiki CLI snapshot validates subcommand pairs* — The wiki CLI snapshot test now walks every wiki and README invocation of the form `blamejs <cmd> <sub>` and verifies `<sub>` exists in the perCommand[<cmd>].subcommands list parsed from `lib/cli.js`. Surfaced drift on first run: `backup-restore.js` referenced `blamejs audit verify-signing` which never existed (only `verify-bundle`); the wiki now references the newly shipped `verify-chain`. README CLI table updated with the `restore` row and the two new audit subcommands.
+- v0.6.25 (2026-05-02) — **`b.logStream` CloudWatch Logs sink + framework-level env wiring.** **Added:** *CloudWatch Logs sink* — `protocol: "cloudwatch"` POSTs `PutLogEvents` over HTTPS with SigV4 signing (service `logs`). Operator pre-creates the log group and log stream (the framework does not auto-create here). Honors IAM role and STS session-token credentials. Respects all three CloudWatch caps automatically (10,000 events, 1 MiB total payload, 256 KiB per event); per-event oversize is dropped at `emit()` with `onDrop` fired carrying the truncated message; per-batch oversize splits mid-flush. Permanent AWS errors (`ResourceNotFoundException` / `AccessDeniedException` / `InvalidParameterException` / `UnrecognizedClientException` / `SerializationException`) skip the retry budget. `InvalidSequenceTokenException` (legacy CW accounts) extracts the expected token from the error message and retries with it once. · *`b.logStream.bootFromEnv({ env })`* — Framework-level env-driven init mirroring `b.network.bootFromEnv`. Reads `BLAMEJS_LOG_STREAM_PROTOCOL` (`local` / `webhook` / `otlp` / `cloudwatch`), `BLAMEJS_LOG_STREAM_URL`, `BLAMEJS_LOG_STREAM_TOKEN`, `BLAMEJS_LOG_STREAM_SERVICE_NAME`, `BLAMEJS_LOG_STREAM_SERVICE_VERSION`, `BLAMEJS_LOG_STREAM_CLOUDWATCH_LOG_GROUP`, `BLAMEJS_LOG_STREAM_CLOUDWATCH_LOG_STREAM`, `BLAMEJS_LOG_STREAM_PATH`, plus standard `AWS_*` knobs. Operators get a working sink without writing build-app code; the wiki app's `build-app.js` replaces its inline env-reading with one call. · *Wiki env-snapshot test* — Parallel to `api-snapshot.json` — walks `process.env.X` / `env.X` / `safeEnv.readVar("X")` reads in the wiki app and framework `lib/`, walks docker-compose env declarations, and captures the union as `examples/wiki/env-snapshot.json`. Fails the e2e gate when env vars are added or removed without updating the snapshot, or when source-only / compose-only gaps appear. Surfaced 13 real gaps in the wiki app on first run; all 13 fixed. Update workflow: `BLAMEJS_UPDATE_ENV_SNAPSHOT=1 node examples/wiki/test/validate-env-snapshot.js`. **Changed:** *`object-store/sigv4.js` `signRequest` is service-agnostic* — Accepts `opts.service` (default still `"s3"` for back-compat) so the CloudWatch sink and any future SigV4-protobuf service can share the signer.
+- v0.6.24 (2026-05-02) — **`b.logStream` OTLP/HTTP-JSON sink.** **Added:** *OTLP/HTTP-JSON log sink* — `protocol: "otlp"` forwards log records to any OpenTelemetry collector via the OTel Logs Data Model — `resourceLogs` -> `scopeLogs` -> `logRecords` envelope with `severityNumber` (debug=5 / info=9 / warn=13 / error=17), `severityText`, `timeUnixNano` (string-encoded for JSON-safe 64-bit), `body.stringValue`, and OTel-typed attributes. Operator opts: `{ url, serviceName, serviceVersion, resourceAttributes, auth, headers, batchSize, retry, onDrop, ... }`. Same back-pressure semantics as the webhook sink (per-sink ring buffer, batched flush on size or `maxBatchAgeMs`, exponential-backoff retry, drop-on-overflow with operator-supplied `onDrop`). URL convention: `/v1/logs` is auto-appended when the operator passes the collector root. JSON not protobuf — operators benchmarking past 100K logs per second ship the OTel Collector locally so the framework hands JSON to a sidecar that forwards via gRPC. **Removed:** *`otlp` removed from `DEFERRED_PROTOCOLS`* — The OTLP sink is now first-class and no longer listed as a deferred protocol.
+- v0.6.23 (2026-05-02) — **Cron-repeat call site cleaned up; `enqueue` scheduling precedence documented.** **Added:** *Round-trip preservation regression test* — `testEnqueueRoundTripsAvailableAt` covers three precise targets, the delaySeconds-only path, and the both-opts-set case so any future attempt to rederive `availableAt` from floored seconds fails the gate. **Changed:** *Cron-repeat passes `availableAt` alone* — The cron-repeat call site in `queue-local.js` was passing both `availableAt` and a redundant `delaySeconds = Math.floor((nextMs - nowMs) / 1000)` that only existed to work around the bug fixed in the previous release. The redundant arg is removed; cron repeat now passes `availableAt` alone, matching the queue's documented precedence rule. · *Scheduling-precedence docstring* — `enqueue()` gains a 20-line scheduling-precedence header documenting that `opts.availableAt` wins over `opts.delaySeconds` when both are passed, why the framework chose that direction, and which callers should use which form.
+- v0.6.22 (2026-05-02) — **`b.queue.enqueue({ availableAt })` honored on the local backend.** **Fixed:** *Local enqueue honors `opts.availableAt`* — Previously the local-protocol enqueue ignored `opts.availableAt` and recomputed availableAt from `Date.now() + delaySeconds * 1000`. The cron-repeat path passes both fields (the exact next-fire ms in `availableAt`, the floored seconds in `delaySeconds`); the enqueue's recomputation lost sub-second precision and drifted on the internal clock-versus-caller delta. Symptoms: cron-scheduled jobs landed up to 999ms off the intended boundary, and the queue-flow-repeat smoke test was intermittently flaky on slow CI runners. Enqueue now honors `opts.availableAt` directly when finite and falls back to delaySeconds-based shorthand otherwise.
+- v0.6.21 (2026-05-02) — **Cluster-cache `invalidateTag`, multi-column cursor pagination, DoH POST, DoT pooling, INI parser, persistent cookie jar.** **Added:** *Cluster-cache `invalidateTag` and `getTags`* — The cluster cache backend gains a `_blamejs_cache_tags` junction table (`(cacheKey, tag)` primary key, index on `tag`) and tag-aware `set` / `del` / `clear` / `_sweep` plus `getTags(key)`. Multi-tag rotation, mid-flight tag replacement on update, and namespace-scoped sweeps are all covered. The previous `NOT_SUPPORTED` path on cluster is gone. · *Multi-column cursor pagination* — `b.pagination.cursor({ orderBy: [{column, direction}, ...] })` accepts a string, an array of strings, or an array of `{column, direction}` objects. The keyset `WHERE` expands to the standard OR cascade so successive pages can't skip or repeat rows when ties on the leading columns are broken by trailing ones. `_id` is appended as a tiebreaker when not in the chain. Chained `orderBy(col, dir)` calls on the Query class extend a multi-column `ORDER BY` in the SQL. The cursor format is bumped to encode `{ orderKey, vals, forward }` — pre-1.0 break with no compat shim. · *DoH POST mode* — `b.network.dns.useDnsOverHttps({ method })` accepts `"GET" | "POST" | undefined` (auto). Auto switches to POST when the GET URL would exceed 2048 bytes, covering long DNS names per RFC 8484 §4.1. · *DoT connection pooling* — Per-`(host:port)` cached TLS socket with a 2-minute idle timeout, serialized in-flight queries per socket. Eliminates the per-query TLS handshake. · *`b.parsers.ini`* — Covers Windows `.ini`, `.gitconfig`, systemd-unit, `php.ini`, and `tox.ini` shapes: sections (including `[parent.child]` and `[parent "child"]` nesting), `;` and `#` comments (inline and leading), single and double quoting with `\n` / `\t` / `\\` / `\"` / `\'` escapes, boolean coercion, and decimal / hex / float numerics. Prototype-pollution defense (`__proto__` / `constructor` / `prototype` rejected). Duplicate-key policy throws by default; `onDuplicate: "first" | "last"` opts in to silent shadowing. Section, per-section key, and value-bytes caps are configurable. · *Cookie-jar file persistence* — `b.httpClient.cookieJar.create({ persist: "file", file: "/abs/path", vault: b.vault })` loads at construct, debounce-flushes on every set / clear, plus `flush()` and `close()` for explicit lifecycle. With `vault`, on-disk bytes are sealed; without, plaintext JSON (operator chooses). **Changed:** *Internal-narrative cleanup in operator-facing source* — Comments in `vault/index.js`, `mail.js`, `bundler.js`, `archive.js`, `framework-schema.js`, and `http-client.js` are rewritten to describe what's actually shipped, dropping internal-process narrative. · *README CLI section refreshed* — The CLI section is updated to reflect the additions from the four previous releases (security, config-drift, file-type, password, erase, retention) which were missing six subcommands. **References:** [RFC 8484 — DNS over HTTPS](https://www.rfc-editor.org/rfc/rfc8484.html)
+- v0.6.20 (2026-05-02) — **SBOM bundled into npm tarball; release-attach step made non-fatal.** The npm-publish workflow's `gh release upload` step started failing with HTTP 422 against an already-published immutable release; the SBOM is now the canonical npm-tarball artifact and the GitHub release attachment is supplementary. **Changed:** *`sbom.cyclonedx.json` bundled into the npm tarball* — `sbom.cyclonedx.json` is now declared in `package.json` `files`, so `npm install @blamejs/core && cat node_modules/@blamejs/core/sbom.cyclonedx.json` is the canonical SBOM access path. The prepack guard's known-allowed list covers the just-in-time generation. · *Release-asset attach step made non-fatal* — The workflow's GitHub-release attach step tries to upload, logs a warning if the release is immutable, and lets the publish proceed regardless. The npm tarball is the load-bearing artifact; the GitHub release attachment was only ever supplementary. · *`.gitignore` adds `sbom.cyclonedx.json`* — A stray local `npm sbom` no longer pollutes the working tree.
+- v0.6.19 (2026-05-02) — **NTS reply verification, common-password bundle, TLS trust rotation, and DNS protocol fidelity.** **Added:** *`b.auth.password.policy` bundled common-password list* — The SecLists top-10000 common-password list is bundled (CC-BY-3.0, `lib/vendor/common-passwords-top-10000.txt`) and loaded lazily on first `policy.check()`. Passwords like `password`, `dragon`, and `qwerty` now reject with `policy/forbidden-common`. `useBundledCommon: false` per-policy bypasses if operator ships their own list. · *`b.network.tls` CA-rotation surface* — `removeCa(fingerprint256)`, `removeCaByLabel(label)`, `clearAll()`, `purgeExpired()`, and `expiringSoon(windowMs)` let operators rotate corporate DPI CAs without process restart. Every removal audits with subject + fingerprint + reason. **Removed:** *`b.network.socket.setDefaultLinger` removed* — Previously a silent no-op; now throws `socket/linger-not-supported` with operator guidance to use `socket.destroy()` (abort) versus `socket.end()` (graceful) since Node's public `net.Socket` has no `setLinger()`. **Fixed:** *`b.network.ntp.nts.querySingle` now verifies the server reply* — Extracts the AUTHENTICATOR_AND_ENC extension, AEAD-decrypts with AAD equal to the bytes before the authenticator, and fails closed (`nts/auth-failed` / `nts/no-authenticator`) when verification fails. Server-supplied new cookies in the encrypted plaintext are appended to the cookie pool and the consumed cookie popped (real RFC 8915 cookie rotation). Previously the function returned `authenticated: true` while only checking the unique-identifier echo — any MITM that mirrored the request's 32-byte unique field could spoof timestamps. · *`azure-blob.presignedUploadPolicy` no longer silently misroutes* — Now throws `PRESIGN_NOT_SUPPORTED` instead of returning a SAS PUT URL when operators asked for POST policy semantics — Azure SAS has no body-size cap and the previous shape was a misleading mismatch. The error message points at `presignedUploadUrl` plus a post-upload HEAD as the alternative. · *DoT handshake errors route as `DnsError`* — The secureConnect / error event-listener race had let cert-verification failures escape the per-query Promise wrapping and surface as `unhandledRejection`. Now every lookup-level error routes back through the per-query promise. · *DoT socket lifecycle* — Previously the DoT socket was unconditionally `sock.unref()`'d after construct, causing node to exit during in-flight lookups when no other I/O kept the loop alive. It is now ref'd while a query is in flight and unref'd when idle. · *`b.network.dns` resolver methods use real DNS queries* — `resolve4` / `resolve6` / `resolveAaaa` were aliasing `lookup()`; they now use `dns.promises.resolve4` / `_dohLookup` / `_dotLookup` so semantics match Node's standard library (skips `/etc/hosts`, mDNS). · *`b.network.dns.setResultOrder` covers DoH and DoT* — Previously the order setting only sorted OS-resolver results; it now flips the order on the DoH / DoT dual-stack fallback paths as well. · *Network error-construction argument order corrected* — Every `new XxxError(...)` call across `lib/network*.js` was passing args in the wrong order (message-then-code instead of code-then-message), making `e.code` return human messages and `e.message` return slash-codes. Operators relying on `e.code` for error handling got the wrong field. All affected throws across `lib/network.js`, `network-dns.js`, `network-proxy.js`, `network-tls.js`, `network-heartbeat.js`, and `network-nts.js` are corrected. **Security:** *`.gitleaks.toml` smoke + workflow alignment* — `.gitleaks.toml` adds `test/smoke.js` to the path allowlist and pins the historical commit + fingerprint that tripped the jwt rule on a `REDACTED` placeholder. `npm-publish.yml` job permissions bumped from `contents: read` to `contents: write` so `gh release upload sbom.cyclonedx.json` no longer 403s.
+- v0.6.18 (2026-05-02) — **`b.network` namespace covering NTP / DNS / proxy / TLS trust / heartbeat / socket / env boot.** A single namespace covering every runtime-configurable network behaviour the framework owns: authenticated time, operator-pinned DNS resolvers, HTTP/HTTPS proxy honoring, runtime-overridable trust store for DPI-fronted deploys, application-level heartbeats, socket-default tuning, and env-driven boot. **Added:** *`b.network.ntp` with NTS-KE authenticated time* — Tunable warn / fatal drift thresholds with env-var bindings (`BLAMEJS_NTP_SERVERS`, `BLAMEJS_NTP_TIMEOUT_MS`, `BLAMEJS_NTP_DRIFT_WARN_MS`, `BLAMEJS_NTP_DRIFT_FATAL_MS`). `b.network.ntp.nts.query(opts)` performs an NTS-KE handshake (RFC 8915) over TLS 1.3 with the framework's PQC-hybrid group preference, extracts C2S / S2C keys via the standard TLS exporter, and authenticates NTPv4 packets with AES-SIV-CMAC-256 or AEAD-CHACHA20-POLY1305 — no extra vendored deps. · *`b.network.dns` operator-pinned resolvers, family + ordering, DoH / DoT* — Exposes operator-pinned resolvers, IPv4 / IPv6 / dual-stack family selection, `ipv4first` / `verbatim` / `ipv6first` ordering, DNS lookup timeout (Node's native `dns.lookup` has none), in-memory positive and negative cache, and DoH / DoT (cloudflare / google / quad9 / custom URL). `b.ssrfGuard` and `b.httpClient` route through it when configured. · *`b.network.proxy` honors the standard env knobs* — Honors `HTTP_PROXY` / `HTTPS_PROXY` / `NO_PROXY` / `ALL_PROXY` (lower- and upper-case) with CIDR + suffix + wildcard `NO_PROXY` matching, basic-auth via `BLAMEJS_PROXY_AUTH`, and CONNECT tunnels for HTTPS through HTTP proxies; `b.httpClient` picks up the agent automatically. · *`b.network.tls` runtime-overridable trust store* — `addCa(pemOrPath)` / `addCaBundle(path)` / `useSystemTrust()` / `getTrustStore()` for deep-packet-inspection deploys behind Zscaler / Netskope / corporate Squid with custom CA. Node's `NODE_EXTRA_CA_CERTS` only works at boot; this primitive accepts adds at any time and `b.pqcAgent` picks them up immediately. Every `addCa` audits with subject + issuer + fingerprint256 + validity + isSelfSigned. `b.security.assertProduction({ allowDpiTrust })` refuses to boot in production with installed CAs unless explicitly allowed. · *`b.network.heartbeat` application-level liveness probes* — HTTP / TCP / NTP probe types, a healthy -> degraded -> down state machine with consecutive-failure threshold, audit on state change, and observability counters per probe. · *`b.network.socket` defaults* — Operator-tunable defaults for `TCP_NODELAY`, `SO_KEEPALIVE`, and `SO_LINGER`. · *`b.network.bootFromEnv()`* — Reads every supported env var at startup and applies in the right order so configuration takes effect before the first outbound socket. The wiki app's docker-compose configs ship every knob with a default-empty value; the production overlay tightens DNS lookup timeout, cache TTL, `NTP_STRICT=1`, and `SOCKET_NO_DELAY=1`. **Fixed:** *`.gitleaks.toml` allowlisted in dotfile policy* — Previously gitignored by the deny-all-dotfiles allowlist, so CI's secret-scan job failed loading the framework's allowlist with `.gitleaks.toml: no such file or directory`. The file is now explicitly allowlisted. **References:** [RFC 8915 — NTS for NTP](https://www.rfc-editor.org/rfc/rfc8915.html)
+- v0.6.17 (2026-05-02) — **Six new CLI subcommands wrapping the v0.6.14 primitives.** Operators can now drive the v0.6.14 security / config-drift / file-type / password / erase / retention primitives from runbooks, cron, and one-off ops without writing app code. **Added:** *`blamejs security assert`* — Boots the framework and runs `b.security.assertProduction()` against the live posture, aggregating every failure with its code. Exits 1 on any failure. · *`blamejs config-drift inspect/verify`* — Reads the signed sidecar without rebooting. `verify` exits 1 on tamper or missing sidecar so it composes into supervisord/cron health gates. · *`blamejs file-type detect <file>`* — Magic-byte content classification with `--allowlist` for upload debugging — pure utility, no framework boot needed. · *`blamejs password check --plaintext "..."`* — Tests `b.auth.password.policy` with `--profile pci-4.0` / `nist-aal2` / `hipaa-aal2`, `--breach-check` for HIBP, and `--email` / `--username` context. Pure utility. · *`blamejs erase --table X --row-id Y --confirm`* — One-off cryptographic erasure for GDPR Art. 17 — replaces sealed columns and derived hashes with NULL and audits via `system.erase`. · *`blamejs retention preview/run`* — Ad-hoc rule from CLI flags: `--table` + `--age-field` + `--ttl-ms` + `--action`, with `preview` for dry-run reporting. **Changed:** *`b.dualControl` intentionally NOT exposed in the CLI* — Its grants live in an operator-supplied `b.cache` instance the CLI can't bind to without operator wiring; admins approve / revoke from the operator's app instead. · *Hadolint action pin* — Pinned to `@master` because the published `@v3` floating tag doesn't exist; the maintainer ships only patch tags plus master. **Fixed:** *Per-subcommand `--help` now reaches each handler's USAGE block* — The previous `main()` dispatch short-circuited every `<sub> --help` to the top-level help text. The fix applies to all existing subcommands too (`api-key --help`, `vault --help`, etc.).
+- v0.6.16 (2026-05-02) — **CI secret-scan + action pin forward-track posture.** The CI secret-scan job switches off `gitleaks/gitleaks-action` (which began requiring a paid license for organization repositories) and installs the OSS gitleaks binary directly. Other CI tooling pins move to floating refs so security improvements ship automatically. **Changed:** *Secret-scan job uses the OSS gitleaks binary* — Replaces `gitleaks/gitleaks-action` (paid `GITLEAKS_LICENSE` requirement for org repos, which had broken the v0.6.14 publish workflow) with a direct install of the Apache-2.0 OSS binary. The job resolves the latest release at job time so new ruleset improvements ship automatically. · *CI tool pins moved to floating refs* — `aquasecurity/trivy-action` swaps from `@v0.36.0` to `@master`; `hadolint/hadolint-action` from `@v3.3.0` to the `@v3` major tag; `ludeeus/action-shellcheck` from `@2.0.0` to `@master`; the ESLint runner moves from `eslint@10` to `eslint@latest` in both `ci.yml` and `npm-publish.yml`. The pinning posture matches every other security-aware CI tool — silent pinning lets security improvements be missed. **Security:** *Vendored crypto libraries verified against upstream* — `@noble/ciphers`, `@simplewebauthn/server`, `argon2`, and `peculiar-pki` checked against upstream latest — no bundle refresh needed. The npm-publish workflow is unblocked for v0.6.14, v0.6.15, and this release.
+- v0.6.15 (2026-05-02) — **Wiki sidebar collapsible nav + three new wiki env knobs.** The wiki sidebar's concern groups become collapsible `<details>` sections that auto-open on the active page, and the wiki app exposes three new env knobs in its docker-compose configs covering trusted-proxy detection, admin-path CIDR fencing, and production-posture boot assertion. **Added:** *Collapsible sidebar concern groups* — Every concern group in the wiki sidebar nav is now a `<details>` element starting collapsed; the section containing the current page is rendered with `open` server-side so the operator's current location is always visible. A custom CSS-only disclosure glyph (`>` rotates to `v`) works under the wiki's strict CSP without inline JS. · *`WIKI_TRUST_PROXY` env knob shipped in docker-compose* — Cookie `Secure`-flag detection through a TLS terminator was already wired in v0.6.12 library code; the env knob now ships in the wiki app's docker-compose configs with documentation so operators fronting the wiki with Caddy / nginx don't have to hand-roll the override. · *`WIKI_ADMIN_ALLOWED_CIDRS` / `WIKI_ADMIN_DENIED_CIDRS`* — In-process CIDR fence on `/admin` paths via `b.middleware.networkAllowlist`. The production docker-compose overlay defaults the allowlist on; the dev overlay leaves it off. · *`WIKI_REQUIRE_PROD_ASSERTS` boot gate* — Boot-time `b.security.assertProduction()` gate that refuses to boot when production posture is incomplete. Defaults on in the production overlay (so a misconfigured prod deploy fails fast) and off in the dev overlay.
+- v0.6.14 (2026-05-02) — **Production-posture primitives — boot assertions, ABAC, MFA, password policy, dual control, retention, drift, file-type, network allowlist.** Ships a broad set of operator-facing primitives covering production-posture assertions, attribute-based authorization, MFA-gated sessions, NIST/PCI/HIPAA password policy, two-person-rule dual control, multi-stage retention with legal hold, signed config-drift baselines, magic-byte file-type detection, CIDR-fenced network middleware, host-allowlisted HTTP client, and cryptographic row-level erasure. CI additionally gains a gitleaks secret scan and a CycloneDX SBOM via `npm sbom`. Every new opt is opt-in; existing callers are unaffected. **Added:** *`b.security.assertProduction(opts)` boot-time policy engine* — Refuses boot when production posture is violated: vault / DB-at-rest / audit-signing posture, NTP strict, Node minimum major, TLS minimum version, required + forbidden env vars, NODE_ENV pinning, dataDir POSIX-mode check, CORS-allow-all detection, plus operator-supplied extra asserts. Each assertion throws with the failing predicate named so operators see the misconfiguration directly. · *`b.permissions.policy(scope, predicate)` ABAC layer* — Per-scope predicates evaluated after RBAC passes, supporting single / requireAll / requireAny composition modes. Lets operators attach attribute-based gates (tenant match, ownership, time-of-day, IP-bound) on top of the existing role check without weaving a parallel auth path. · *`b.permissions` role-spec `requireMfa` / `mfaWindowMs` + per-route MFA enforcement* — Roles can mandate a recent MFA challenge with a configurable freshness window. The middleware refuses requests from sessions outside the window and emits an audit event so operators can wire step-up flows without rolling their own MFA-recency check. · *`b.session` IP/UA fingerprint capture + drift detection* — Sessions capture an IP + user-agent fingerprint at create time. An operator-supplied scorer feeds anomaly detection; strict modes `requireFingerprintMatch` and `maxAnomalyScore` refuse the request when the live fingerprint diverges. Defaults stay permissive so existing deployments aren't broken by a NAT roam. · *`b.auth.password.policy(opts)` with NIST 800-63B / PCI-DSS 4.0 / HIPAA-AAL2 profiles* — Named profiles plus length, common-password, context, dictionary, and complexity rules (categories + min-run + min-sequence). Includes an HIBP k-anonymity breach check (SHA-1 lives in `lib/internal-sha1-hibp.js` and is intentionally NOT exported on `b.crypto`). Rotation (`shouldRotate`) and history-reuse (`reuseProhibited`) are first-class. Aligned with NIST SP 800-63B-4 (March 2024) and PCI-DSS 4.0 (8.3.x). · *`b.dualControl.create(opts)` two-person rule* — m-of-n quorum, cooling-off lock between approval and consume, approver-role gate, requester cancellation, minimum reason length, notification hook on each transition. Designed for break-glass admin actions, large-value transfers, and any op that should require a second authorized human in the loop. · *`b.retention.create(opts)` multi-stage retention* — Warn → archive → erase staged rules, legal-hold per-row exemption, dry-run `preview()`, soft-delete vs hard-delete vs erase, cross-table cascade, per-rule concurrency lock. Operators encode GDPR Art. 17 / CCPA-deletion / sectoral-retention floors as data instead of imperative jobs. · *`b.configDrift.create(opts)` signed-baseline drift detection* — Multi-baseline support, critical-keys severity classification, ignore-keys allowlist, signed sidecar via SLH-DSA, and diff against the previous snapshot. The detector runs on a schedule and surfaces drift before the next deployment instead of at incident-response time. · *`b.fileType.detect` / `b.fileType.assertOneOf` magic-byte classification* — Identifies content (image / document / archive / executable / etc.) from the byte stream's magic. Composes with `b.guardArchive` / `b.guardImage` / `b.fileUpload` so the operator gets one classifier surface instead of N ad-hoc sniffers. · *`b.middleware.networkAllowlist({ paths, allowedCidrs, deniedCidrs })`* — Deny-then-allow CIDR fence per-path. Lets operators ring-fence admin paths to corporate ranges without standing up a reverse-proxy ACL. Emits an audit event on every refused request. · *`b.httpClient.request({ allowedHosts })` host allowlist + audit* — Exact / suffix / wildcard / per-method entries; the client refuses any outbound request to an unlisted host and emits an audit event with the violating destination. Closes a class of SSRF / data-egress risk on outbound integrations. · *`b.cryptoField.eraseRow(table, row)` cryptographic erasure* — Helper for sealed columns + derived hashes — destroys per-row key material so the ciphertext becomes irrecoverable without bulk deletes. Aligned with GDPR Art. 17 right-to-erasure on tenants that share a table. **Changed:** *CI gains gitleaks secret scan + CycloneDX SBOM via `npm sbom`* — Both run on every PR without vendoring additional tooling — gitleaks via the official action pinned to a SHA, SBOM via `npm sbom --sbom-format=cyclonedx` shipped to the artifact bucket. Operators have a verifiable component inventory per release without a separate generation step. · *README + SECURITY operator-checklist updated end to end* — Every new primitive lands in the README's `What ships` matrix and in the SECURITY hardening checklist. The wiki gains an alerting-rule reference table that maps each framework-emitted audit event to a suggested detection rule. **References:** [NIST SP 800-63B-4 (Digital Identity Guidelines)](https://pages.nist.gov/800-63-4/sp800-63b.html) · [PCI-DSS 4.0](https://www.pcisecuritystandards.org/document_library/) · [HIPAA Security Rule (45 CFR Part 164)](https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164) · [GDPR Article 17 — Right to erasure](https://gdpr-info.eu/art-17-gdpr/) · [CycloneDX 1.6](https://cyclonedx.org/specification/overview/) · [Have I Been Pwned k-anonymity range API](https://haveibeenpwned.com/API/v3#PwnedPasswords)
+- v0.6.13 (2026-05-02) — **Wiki primitive-section docs catch up to the v0.6.12 surface and `numeric-checks` consolidation.** **Changed:** *Wiki primitive-section docs reconciled with v0.6.12* — Documentation for `safeUrl.parse` `allowUserinfo`, `session.touch` `extendBy` ceiling, `queue.consume` `rateLimit` validation, `mail.transports.console` `redactBcc`, the `logStream` webhook sink `onDrop`, `backup.create` `requireFlush`, and `restore.create` `maxPulledBytes` / `maxPulledFiles` is now in sync with the lib surface. The restore default cap is stated as `C.BYTES.gib(4)` rather than a raw byte literal. · *Numeric-check predicates consolidated* — `isPositiveInt`, `isFiniteNonNegative`, and `isPositiveFinite` were duplicated across `api-key`, `cache`, `notify`, `queue`, `restore`, `retry`, `slug`, `testing`, and `webhook`; the helpers are now consolidated into `lib/numeric-checks.js` and every consumer routes through it. · *API snapshot refreshed* — `api-snapshot.json` is refreshed to capture the new public surface introduced by the previous release.
+- v0.6.12 (2026-05-01) — **Hardening sweep across `safeUrl`, `session`, `queue`, middleware, backup/restore, mail, and log-stream.** **Added:** *`b.backup.create({ requireFlush: true })` opt-in* — When set, the backup fails if the pre-flush step fails instead of producing a stale snapshot. · *`b.restore.create` preflight bounds* — `maxPulledBytes` and `maxPulledFiles` preflight bounds bound bundle footprint before and after pull. Defaults are 4 GiB and 100K files. · *`b.mail.transports.console({ redactBcc: true })`* — When set, the console mail transport prints a recipient count instead of address strings so dev logs don't leak BCC lists. · *`b.logStream.transports.webhook({ onDrop })`* — Callback fires on overflow and retry-exhausted batch drops so operators see every drop class instead of silent loss. **Changed:** *`b.safeUrl.parse` rejects `user:pass@` userinfo by default* — Operators wanting userinfo opt in per-call via `allowUserinfo: true`. The default refuses the shape that most often appears in URL-confusion phishing payloads. · *`b.session.touch({ extendBy })` enforces the `MAX_TTL_MS` ceiling* — `touch` now applies the same `MAX_TTL_MS` ceiling as `create` and `rotate` so a long-lived session can't be extended past the configured maximum. · *`b.queue.consume({ rateLimit })` validates `max`* — Negative, zero, `NaN`, `Infinity`, and fractional `max` values are rejected at queue creation instead of silently bypassing the rate limit at consume time. · *`b.middleware.requireAuth` JSON detection narrowed* — Request `Content-Type: application/json` is no longer treated as a JSON-preference signal; only `Accept` and `X-Requested-With` count so an attacker can't downgrade the response shape by tampering with the request body's content type. **Security:** *Wiki admin login wired through `b.auth.lockout`* — Admin login now applies exponential backoff after bad-credential attempts instead of accepting unlimited retries. · *Cookie `Secure` flag routes through `requestProtocol`* — The wiki app's cookie `Secure` flag now routes through `b.requestHelpers.requestProtocol` with `WIKI_TRUST_PROXY` opt-in instead of trusting `x-forwarded-proto` raw. The wiki README documents the trust model for editable page bodies and the sanitization pattern operators should adopt before expanding the editor surface.
+- v0.6.11 (2026-05-01) — **Wiki example-execution validator: fixture init no longer reaches across module realms.** Unblocks the npm-publish workflow's wiki-e2e gate, where `npm install --install-links` copies the framework into the wiki's `node_modules` and produces two distinct framework singletons. **Fixed:** *Fixture init no longer reaches across module realms* — The wiki example-execution validator constructed its fixture by reaching into framework internals across module realms; with `npm install --install-links` (used by the npm-publish workflow) the wiki's `node_modules` carries a separate framework copy, producing two singletons. The fixture is reworked so initialisation runs entirely inside the wiki's realm and the workflow's wiki-e2e gate unblocks.
+- v0.6.10 (2026-05-01) — **Doc accuracy sweep across README / SECURITY / CONTRIBUTING / wiki.** **Fixed:** *Stale version stamps removed* — Several README and SECURITY sections carried version stamps that drifted across releases; they are removed in favor of pointing at the live manifest. · *Vendored-dep list points at the live manifest* — SECURITY now points at `lib/vendor/MANIFEST.json` as the authoritative vendored-dependency list instead of an out-of-date prose enumeration. The supported-versions table no longer pins to a specific minor line. · *Archive example renamed digest variable* — The wiki archive example named the digest variable `sha256` even though `b.archive.zip().digest()` now returns SHA3-512 hex; the variable is renamed so the example reads correctly.
+- v0.6.9 (2026-05-01) — **`b.archive.zip().digest()` returns SHA3-512 hex (was SHA-256).** Operators reconciling archive digests against an external SHA-256 must now hash the bytes themselves. **Changed:** *Archive digest output switched to SHA3-512* — `b.archive.zip().digest()` now returns a SHA3-512 hex string, matching the framework's PQC-first hash posture. Operators reconciling against an external SHA-256 must hash the produced bytes themselves with `sha256` to recover the prior value.
+- v0.6.8 (2026-05-01) — **Wiki primitive-section validator covering presence, opts diff, and example execution.** **Added:** *Primitive-section validator for wiki pages* — Wiki pages documenting a primitive now run through a validator that asserts presence of the documented surface, diffs documented opts against the lib allow-list, and executes every example against a canonical fixture so drift is caught at the gate.
+- v0.6.7 (2026-05-01) — **`db.role.switched` audit, per-role metrics, and an API snapshot baseline.** **Added:** *`db.role.switched` audit event* — Every request-time role switch on the db pool emits an audit event so operators can correlate role-bound queries with the requests that triggered them. · *Per-role observability counters* — Observability counters now break down query / acquire / commit / rollback metrics per active DB role. · *API snapshot baseline* — An `api-snapshot.json` baseline is checked in and validated by CI so accidental surface drift between releases is refused at the gate.
+- v0.6.6 (2026-05-01) — **Request-time DB role binding and Postgres RLS migrations.** **Added:** *Request-time DB role binding* — The db primitive binds a request-scoped role per acquire so Postgres RLS policies and least-privilege roles compose naturally with the request lifecycle. · *Postgres RLS migration helpers* — Migration helpers emit the `CREATE POLICY` / `ALTER TABLE ... ENABLE ROW LEVEL SECURITY` boilerplate Postgres needs for row-level-security rollout.
+- v0.6.5 (2026-05-01) — **`b.db.declareView` and `b.externalDb.migrate`.** **Added:** *`b.db.declareView`* — Operators declare a named view at boot and the framework manages its creation, replacement, and audit alongside table schemas. · *`b.externalDb.migrate`* — Schema migrations against an external database now run through the same advisory-lock + version-table workflow the local db primitive uses.
+- v0.6.4 (2026-05-01) — **Wiki schema docs realigned with the actual lib API.** **Fixed:** *Wiki schema docs realigned with the actual lib API* — Several wiki pages documented opts and method shapes that had drifted from the underlying lib surface; every documented signature is now reconciled against the validator and exec-runtime gates.
+- v0.6.3 (2026-05-01) — **`externalDb` pool tuning, role-aware connect, and read-replica routing.** **Added:** *Pool tuning opts for `b.externalDb`* — Operators can now tune the underlying connection pool from primitive opts instead of passing a pre-built driver. · *Role-aware connect* — Connections can now bind to a request-scoped role on acquire, giving Postgres RLS and least-privilege deploys a clean wiring point. · *Read-replica routing* — Read-only queries route to a replica pool when configured, with the writer-pool fallback used for any statement that mutates state.
+- v0.6.2 (2026-05-01) — **Input validation tightening and identifier-quoting consistency.** **Changed:** *Input validation tightened across primitives* — Validation paths refuse a broader class of malformed input at the entry boundary, surfacing typos at boot or at the request edge instead of mid-flight. · *SQL identifier quoting normalised* — Identifier quoting in generated SQL is normalised across the db primitives so cross-dialect output stays consistent.
+- v0.6.1 (2026-05-01) — **Security tightenings and operator-facing jargon sweep.** Several security defaults are tightened and operator-facing prose across the wiki and README is rewritten to remove internal vocabulary. **Changed:** *Operator-facing jargon sweep* — Wiki and README prose is rewritten to remove internal vocabulary so operators read primitive descriptions in their own terms. **Security:** *Default tightenings across the request lifecycle* — Several security defaults across the request lifecycle are tightened so operators inherit stricter posture without extra opt-in.
+- v0.6.0 (2026-05-01) — **Wiki restructured into 22 focused pages with missing-primitive coverage.** The wiki is reorganized into 22 concern-scoped pages so operators land on the primitive surface for their task instead of scrolling a monolithic index, and every previously missing primitive gains its own page. **Changed:** *Wiki reorganized into 22 concern-scoped pages* — Operators land on the primitive page for the concern they are working in rather than scrolling a single index. The new layout closes coverage gaps where previously missing primitives now ship their own pages.
+## v0.5.x
+- v0.5.18 (2026-05-01) — **Bypass-fix cleanup — internal call sites routed through framework primitives.** Internal call sites that were reaching past the framework's own primitives (raw `fs`, `crypto`, `Buffer.alloc`, ad-hoc validators) are routed through the matching `b.*` primitive so security defaults, audit emission, and validation discipline apply uniformly. No public API changes. **Changed:** *Internal call sites routed through framework primitives* — A sweep of `lib/` replaces direct calls to Node built-ins and hand-rolled validators with calls into the framework's own primitives (sealed storage, audit-emitting crypto, typed-error validators). The end-user surface is unchanged; the internal posture is tightened so the security defaults the framework promises operators apply to its own internals as well.
+- v0.5.17 (2026-05-01) — **CSV unification and three new shared primitives extracted from duplicated call sites.** Folds the framework's two CSV parsers into a single primitive and extracts three shared helpers that had been re-implemented across `lib/`. The duplicate-detector in codebase-patterns surfaced the clusters; this release moves every call site onto the unified surface in the same commit. **Changed:** *CSV parsing unified onto one primitive* — The two near-identical CSV parsers that had grown up in different modules are collapsed into a single primitive with one set of validation, ReDoS, and quoting rules. Every caller is migrated in the same release so there is no transitional double-surface for operators. · *Three shared helpers extracted from duplicated call sites* — Inline shapes that the duplicate detector flagged across three or more files are lifted into named helpers, every call site is refactored to consume them, and the original inline shape is registered as a known antipattern so it cannot drift back into the codebase.
+- v0.5.16 (2026-04-30) — **`b.otelExport` — OTLP/HTTP exporter for `b.observability`.** Adds an OTLP/HTTP exporter so the metrics, traces, and logs emitted by `b.observability` can be shipped to any OpenTelemetry-compatible collector without a userland exporter library. **Added:** *`b.otelExport` OTLP/HTTP exporter* — Serializes `b.observability` signals to the OTLP protobuf-over-HTTP format and POSTs them to an operator-configured collector endpoint. Retries with exponential backoff on transient 5xx, drops on permanent 4xx, and applies a bounded queue so a slow collector cannot back-pressure the request path. **References:** [OpenTelemetry OTLP specification](https://opentelemetry.io/docs/specs/otlp/)
+- v0.5.15 (2026-04-30) — **`b.archive` gains ZIP creation.** Extends the `b.archive` primitive with a ZIP creation path so operators can build archives entirely in-framework. The writer streams entries to a destination so large archives do not have to be held in memory. **Added:** *ZIP writer in `b.archive`* — A streaming ZIP creation API that accepts entries with explicit names, modes, and modification times and writes a valid PKZIP archive to a destination stream. The writer enforces sane name handling (no path traversal, no NTFS alternate data streams, no absolute paths) at the boundary so a malicious entry name cannot escape extraction later.
+- v0.5.14 (2026-04-30) — **`b.time` timezone-aware datetime arithmetic and formatting.** Adds the `b.time` primitive — a timezone-aware datetime arithmetic and formatting surface that uses the platform's ICU tz database so DST transitions, fixed-offset zones, and named IANA zones all resolve correctly without a vendored tzdata blob. **Added:** *`b.time` timezone-aware datetime primitive* — Operators can add and subtract durations, convert between zones, and format instants in named IANA zones without pulling a userland datetime library. Arithmetic honors DST boundaries (one wall-clock hour becomes 0 or 2 elapsed hours across spring-forward and fall-back), and formatting uses `Intl.DateTimeFormat` so locale and zone are resolved by the runtime.
+- v0.5.13 (2026-04-30) — **`b.testing.request` — supertest-style chainable HTTP test helper.** **Added:** *`b.testing.request` chainable HTTP test helper* — Supertest-style chainable HTTP test helper for asserting against responses from a `b.serve()` instance — provides `.get()` / `.post()` / `.expect()` / `.end()` style assertions over an ephemeral listener.
+- v0.5.12 (2026-04-30) — **`b.middleware.requestLog` — HTTP access-log middleware.** **Added:** *`b.middleware.requestLog` HTTP access-log middleware* — Structured per-request access log emitted as JSON with method, path, status, duration, and request id — wires into the framework observability sink so operators get one consistent log shape across the request lifecycle.
+- v0.5.11 (2026-04-30) — **`b.config` — schema-validated environment configuration.** **Added:** *`b.config` schema-validated environment configuration* — Boot-time configuration loader that validates environment variables against a declared schema — typos and missing required keys throw at process start instead of surfacing as runtime `undefined` later.
+- v0.5.10 (2026-04-30) — **`b.middleware.sse` — Server-Sent Events.** **Added:** *`b.middleware.sse` Server-Sent Events middleware* — WHATWG-compliant SSE middleware with automatic heartbeat, retry hints, and per-connection backpressure — composes the existing response lifecycle so the operator just writes events and the framework handles framing.
+- v0.5.9 (2026-04-30) — **`b.csv` — RFC 4180 parser and serializer.** **Added:** *`b.csv.parse` and `b.csv.stringify`* — RFC 4180 compliant CSV parser and serializer with quoting / escaping / header-row handling — bounded by an opts `maxBytes` ceiling so untrusted input cannot exhaust memory. **References:** [RFC 4180 CSV](https://www.rfc-editor.org/rfc/rfc4180.html)
+- v0.5.8 (2026-04-30) — **`b.uuid` — RFC 4122 v4 + RFC 9562 v7.** **Added:** *`b.uuid.v4` and `b.uuid.v7`* — Random UUIDv4 (RFC 4122) and time-ordered UUIDv7 (RFC 9562) generators backed by the framework's CSPRNG — v7 is the recommended choice for database primary keys since the lexicographic ordering matches insertion order. **References:** [RFC 4122 UUID](https://www.rfc-editor.org/rfc/rfc4122.html) · [RFC 9562 UUIDv7](https://www.rfc-editor.org/rfc/rfc9562.html)
+- v0.5.7 (2026-04-30) — **Defensive validation + queue closure capture + audit context.** **Fixed:** *Defensive validation on hot-path entry points* — Tightened input validation on config-time entry points to throw `TypeError` on malformed input at boot instead of surfacing later as confusing runtime failures. · *Queue worker closure capture* — Job-queue workers now capture the per-job context at dispatch time rather than reading the shared mutable reference, preventing job N from seeing job N+1's metadata under concurrent dispatch. · *Audit context propagation* — Audit emit calls inside middleware now carry the same request-id / tenant-id context as the surrounding request so an operator searching by request id sees every audit row for that request.
+- v0.5.6 (2026-04-30) — **Break-glass: `trustProxy` honored, cache require hoisted.** **Fixed:** *`b.breakGlass` honors `trustProxy` for client-IP extraction* — The break-glass admission check now reads the client address through the framework's `trustProxy` primitive so deployments behind a reverse proxy see the real client IP in the unseal audit row instead of the proxy's address. · *Cache module require hoisted to top of file* — Moved an inline `require("./cache")` call inside a hot-path function up to the top of the file, matching the framework convention and eliminating a per-call require overhead.
+- v0.5.5 (2026-04-30) — **Strict default CSP + IPv6 special-range expansion.** **Changed:** *Default Content-Security-Policy tightened* — Default CSP now emits `default-src 'self'; object-src 'none'; base-uri 'self'; frame-ancestors 'none'` plus `script-src 'self'` (no `'unsafe-inline'`, no `'unsafe-eval'`) — operators who need to relax it opt in explicitly via the middleware options. · *IPv6 special-range table completed* — The SSRF / private-range blocklist used by outbound HTTP and DNS now covers IPv4-mapped IPv6 (`::ffff:0:0/96`), `64:ff9b::/96` NAT64, `100::/64` discard, `2002::/16` 6to4, link-local (`fe80::/10`), multicast (`ff00::/8`), and ULA (`fc00::/7`) — blocking the canonical bypass shapes that wrap a private IPv4 inside an IPv6 envelope.
+- v0.5.4 (2026-04-30) — **Close SSRF DNS-rebinding window with pinned outbound DNS.** **Security:** *Outbound HTTP pins the resolved IP for the lifetime of the request* — Outbound HTTP calls now resolve the target hostname once, validate the resulting address against the SSRF blocklist, and then connect to that exact IP — eliminating the DNS-rebinding window where an attacker's resolver could return a public IP for the safety check and then a private IP for the actual connect.
+- v0.5.3 (2026-04-30) — **`b.trustProxy` primitive, `Vary` header merge, and HSTS gating.** Tightens the edge-facing posture: a dedicated `b.trustProxy` primitive replaces ad-hoc proxy-header parsing, response `Vary` headers now merge rather than overwrite, and HSTS is gated so it only emits over verified TLS-terminated requests. **Added:** *`b.trustProxy` proxy-header parsing primitive* — Centralizes the decision of when to trust `X-Forwarded-For`, `Forwarded`, and `X-Forwarded-Proto` into one primitive that takes an operator-declared list of trusted proxy CIDRs. Untrusted hops are dropped from the chain instead of silently honored, closing the IP-spoofing path that hand-rolled parsers regularly leave open. **Fixed:** *Response `Vary` header now merges instead of overwriting* — Middleware that set `Vary` was clobbering values that earlier middleware had already added, so caches saw an incomplete cache-key axis and could serve the wrong variant. The framework now reads any existing `Vary` value, unions the new field name in, and writes back a deduplicated comma-separated list. · *HSTS only emitted on confirmed-TLS requests* — `Strict-Transport-Security` was being emitted on plaintext responses behind misconfigured proxies, training browsers to upgrade to HTTPS endpoints that did not exist. The header is now gated on the request's verified TLS posture (after `b.trustProxy` has resolved the real scheme) so it only ships when the framework can prove the request came in over TLS.
+- v0.5.2 (2026-04-30) — **`b.breakGlass` passkey factor, service-account bypass policy, and admin tooling.** Rounds out the `b.breakGlass` family with a WebAuthn passkey factor option for step-up, a tightly scoped service-account bypass for unattended jobs, and operator-facing admin tools for inspecting, revoking, and auditing grants. **Added:** *WebAuthn passkey as a step-up factor* — Break-glass grants can now be unlocked with a registered passkey instead of (or in addition to) TOTP. The challenge-response flow piggybacks on the framework's existing WebAuthn primitive, so the authenticator binding, attestation policy, and replay defenses are inherited. · *Scoped service-account bypass* — Unattended jobs that legitimately need to read flagged columns can be issued a non-interactive grant bound to a service principal, an explicit allowlist of columns, and a hard expiry. The bypass is refused for any column outside its allowlist, and every use emits an audit event tagged as a service grant so reviewers can separate human break-glass from automated access. · *Admin tooling for grant inspection and revocation* — Operators can list active grants, inspect their column scopes and remaining lifetime, and revoke a grant immediately. Revocation propagates through the existing cluster pubsub so a compromised grant stops decrypting on every node in-flight rather than waiting for its TTL to expire.
+- v0.5.1 (2026-04-30) — **`b.breakGlass` — per-cell encryption, context binding, and migration tooling.** Extends `b.breakGlass` with cryptographic per-cell isolation (one key per protected row) and context binding so unseal grants only work for the request scope they were issued against. Migration helpers move existing column-policy deployments onto the new layout. **Added:** *Per-cell encryption with row-scoped keys* — Each protected row gets its own derived key, so compromise of one cell's plaintext or unseal grant does not expose any other row. Replaces the prior single-key column model for the cryptographic posture path. · *Context binding on unseal grants* — Grants are bound to the issuing request context (operator identity, reason, and request-scope nonce). Replaying a grant outside its bound context is refused, which closes the window where a leaked grant token could be reused against other rows or by other actors. · *Migration tooling for existing deployments* — Provides a migration path from the v0.5.0 column-policy layout to the v0.5.1 per-cell layout, so operators with seal state from the previous release upgrade without re-keying out of band.
+- v0.5.0 (2026-04-30) — **`b.breakGlass` — column-policy / row-enforcement step-up auth.** Introduces the `b.breakGlass` primitive: sensitive columns (PHI, PCI, secrets) require fresh second-factor grants with operator-supplied reason before unsealing, with every unseal audited. **Added:** *`b.breakGlass` step-up auth for sensitive columns and rows* — Column-policy and row-enforcement gates require a freshly issued step-up grant (operator second-factor + reason text) before the framework will decrypt or expose the protected fields. Each unseal emits an audit event carrying the grant identifier, the reason, and the columns or rows touched, so privileged data access has a paper trail by default.
+## v0.4.x
+- v0.4.29 (2026-04-30) — **Drift cleanup: second-pass remediation.** **Changed:** *Second-pass drift remediation across `lib/`* — A follow-up cleanup closes call sites missed by the previous drift cleanup releases — additional inline-require hoists, escape-helper migrations, and time-math constant adoptions across primitives that hadn't been touched in the first pass.
+- v0.4.28 (2026-04-30) — **Drift cleanup: inline-require hoisting + `safeAsync.sleep` + time-math constants.** **Changed:** *Inline `require()` calls hoisted to top-of-file* — Inline `require()` calls inside function bodies are hoisted to top-of-file `require` declarations, matching the project convention. Remaining inline requires are exclusively for documented circular-load cases. · *`safeAsync.sleep` adopted across call sites* — Hand-rolled `setTimeout`-as-promise sleeps are migrated onto the `safeAsync.sleep` primitive so abort-signal handling and the unref posture are uniform. · *Time-math literals migrated to `C.TIME.*` constants* — Bare `* 1000` / `* 60` time-math literals across `lib/` are rewritten to use the `C.TIME.*` constants so the units are self-documenting and a single source of truth handles unit conversion.
+- v0.4.27 (2026-04-30) — **Drift cleanup: regex + escape consolidation, IPv6 completion.** **Changed:** *Regex and string-escape helpers consolidated* — Duplicated regex utilities and HTML / attribute / URL escape helpers across `lib/` are collapsed onto the shared primitives so a single audited implementation handles each escape concern. Behavior is unchanged; call-site shape is uniform. · *IPv6 parsing and matching completion* — IPv6 handling across address parsing, CIDR matching, and host validation paths gains coverage for the remaining corner cases (zone identifiers, IPv4-mapped variants, compressed forms) so operators serving IPv6 traffic don't hit per-call-site gaps.
+- v0.4.26 (2026-04-30) — **Drift cleanup: middleware audit context + `safeUrl`.** **Changed:** *Middleware audit context unified* — Middleware that emits audit events now constructs the audit context through a single shared helper so the actor / outcome / metadata shape stays consistent across the request lifecycle instead of drifting per call site. · *`safeUrl` consolidation* — Call sites that hand-rolled URL safety checks (scheme allowlist, credential stripping, host validation) are migrated onto the `safeUrl` primitive so a single audited implementation handles every outbound URL acceptance.
+- v0.4.25 (2026-04-30) — **`b.objectStore.bucketOps`: bucket-level operations (SigV4).** **Added:** *`b.objectStore.bucketOps` namespace* — A new `b.objectStore.bucketOps` namespace exposes bucket-level operations (create, delete, list, head, policy / versioning / lifecycle config) over the existing SigV4 signing surface. Operators manage buckets through the same primitive that handles object I/O.
+- v0.4.24 (2026-04-30) — **`b.objectStore`: multipart upload + server-side encryption.** **Added:** *Multipart upload in `b.objectStore`* — `b.objectStore` supports S3-style multipart uploads so operators can stream large objects in parts with parallel uploads, automatic retry of failed parts, and completion-on-finish semantics. · *Server-side encryption controls* — `b.objectStore` accepts server-side-encryption parameters (SSE-S3 / SSE-KMS / SSE-C variants) on `put` operations and surfaces the encryption metadata on `get`, so operators meet at-rest encryption requirements without bypassing the primitive.
+- v0.4.23 (2026-04-30) — **`b.mail.dkim` signing + calendar invites.** **Added:** *DKIM signing for outbound mail and calendar-invite generation* — `b.mail.dkim` signs outbound messages with the operator's selector + private key so receivers can verify origin; `b.mail` also gains calendar-invite generation (iCalendar attachments) so transactional flows can attach `.ics` invitations alongside HTML/plain bodies.
+- v0.4.22 (2026-04-30) — **`b.mail` attachments + inline images + plain/HTML alternatives.** **Added:** *Attachments, inline images, and multipart/alternative bodies in `b.mail`* — `b.mail` gains first-class attachment support, inline-image (`cid:`) embedding for HTML bodies, and `multipart/alternative` plain/HTML message construction so receivers without HTML rendering see the text version.
+- v0.4.21 (2026-04-30) — **`b.queue` repeat-in-queue (cron) + parent-child Flows.** **Added:** *Repeatable cron jobs and parent-child Flows in `b.queue`* — `b.queue` gains repeat-in-queue scheduling (cron-expression-driven recurring jobs) and parent-child Flows so a parent job can fan out child jobs and wait on their completion before resolving.
+- v0.4.20 (2026-04-30) — **`b.queue` + `b.jobs` priority, rate-limit, and progress.** **Added:** *Priority, rate-limit, and progress reporting in `b.queue` / `b.jobs`* — `b.queue` and `b.jobs` gain per-job priority ordering, queue-level rate limiting (max jobs per interval), and a `progress(n)` callback workers invoke to publish completion percentage for observers.
+- v0.4.19 (2026-04-30) — **`b.router` schema-validated routes + OpenAPI generation.** **Added:** *Schema-validated routes and OpenAPI document generation in `b.router`* — Routes accept per-request JSON-Schema descriptors for params / query / body / headers / response; the router validates inbound requests against the schema and refuses malformed input before the handler runs. An OpenAPI 3.x document is generated from the registered routes for downstream tooling.
+- v0.4.18 (2026-04-30) — **`cookieJar` forensic-test strengthening (real crypto, replay, nonce).** **Changed:** *`cookieJar` test coverage exercises real crypto, replay, and nonce paths* — The `b.httpClient.cookieJar` test surface drops in-memory mocks for the encryption layer and exercises the production ChaCha20-Poly1305 sealing path end-to-end, with explicit assertions for replay refusal and nonce-uniqueness invariants so forensic regressions surface at test time.
+- v0.4.17 (2026-04-30) — **`b.httpClient.cookieJar` (encrypted) + wiki catch-up.** **Added:** *Encrypted `b.httpClient.cookieJar`* — `b.httpClient` gains a cookie jar that persists outbound cookies across requests with encrypted-at-rest storage. The jar composes the framework's sealed-storage primitive, so cookies aren't readable from disk by a process without the unlock key. **Changed:** *Wiki documentation catch-up* — The reference wiki gains coverage for the `b.httpClient` primitives that landed across the preceding releases (redirect-following, multipart, interceptors, progress events, cookie jar) so the documentation surface matches the shipped API.
+- v0.4.16 (2026-04-30) — **`b.httpClient`: interceptors + progress events.** **Added:** *Request / response interceptors* — `b.httpClient` accepts ordered interceptor chains for request and response phases. Operators inject auth headers, rewrite URLs, log outcomes, or transform payloads at well-defined extension points instead of wrapping the client surface. · *Progress events on request and response streams* — The client emits progress events with bytes-transferred counters for both upload and download streams, so operators can surface progress UI or telemetry for long-running outbound calls.
+- v0.4.15 (2026-04-30) — **`b.httpClient`: redirect-following + outbound multipart.** **Added:** *Redirect-following in `b.httpClient`* — `b.httpClient` follows HTTP redirects subject to a configurable maximum hop count. Cross-origin redirects strip Authorization headers per the same safe-redirect posture the framework applies to inbound `b.safeRedirect`. · *Outbound multipart request bodies* — `b.httpClient` can build and stream `multipart/form-data` request bodies — file uploads and mixed-field forms — without operators hand-assembling the boundary framing.
+- v0.4.14 (2026-04-30) — **`b.i18n`: lazy locales + ordinal plurals + `onMissingKey` hook.** **Added:** *Lazy locale loading in `b.i18n`* — Locales load on first use rather than at boot, so operators serving many locales pay the parse cost only for locales actually requested by traffic. · *Ordinal plural support* — `b.i18n` exposes ordinal plural rules (1st / 2nd / 3rd / 4th) in addition to cardinal plurals, so operators can format positional strings correctly across locales with rich ordinal grammar. · *`onMissingKey` hook* — Operators can register an `onMissingKey` callback that fires when a translation lookup misses. The hook gets the requested key, locale, and fallback chain — useful for surfacing translation gaps to an observability sink or generating per-locale coverage reports.
+- v0.4.13 (2026-04-30) — **`b.db`: streaming query results.** **Added:** *Streaming query API in `b.db`* — `b.db` gains a streaming query result interface so operators can process arbitrarily large result sets row-by-row without buffering the full result in memory. Backpressure surfaces naturally through the async-iterator contract.
+- v0.4.12 (2026-04-30) — **`b.log`: multi-sink output with per-sink level filtering.** **Added:** *Multi-sink output in `b.log`* — `b.log` can route log records to multiple sinks simultaneously (stdout, file, syslog, network), with an independent level filter per sink. Operators get verbose stdout for local development plus a higher-threshold persistent sink in one configuration.
+- v0.4.11 (2026-04-30) — **`b.cache`: bytes-cap eviction, sliding TTL, tag invalidation.** The in-process cache primitive gains three operator-visible controls: a total-bytes cap with eviction, sliding-window TTL refresh on access, and tag-based bulk invalidation. **Added:** *Bytes-cap eviction in `b.cache`* — `b.cache` accepts a total-bytes cap and evicts least-recently-used entries when the cap is reached. Operators can bound the cache's memory footprint deterministically instead of relying on entry-count limits alone. · *Sliding TTL on access* — Cache entries can be configured with a sliding TTL — every successful read resets the entry's expiry clock, so frequently-accessed data stays warm while idle entries age out on schedule. · *Tag invalidation* — Cache entries can carry one or more tags. Operators invalidate every entry sharing a tag with a single call, enabling cache flushes scoped to a logical concern (per-tenant, per-resource family, post-write invalidation).
+- v0.4.10 (2026-04-30) — **`bodyParser` multipart: `fileFilter` + per-field `maxBytes` / `mimeTypes`.** The multipart body parser gains operator-controlled per-field policy so uploads can be filtered, size-capped, and MIME-restricted at the parse boundary rather than after the fact. **Added:** *`fileFilter` callback in `bodyParser` multipart options* — Operators can pass a `fileFilter` callback to inspect each incoming file part (fieldname, filename, MIME) and refuse it before bytes are consumed. Refused parts short-circuit without buffering payload. · *Per-field `maxBytes` enforcement* — The multipart parser accepts a per-field `maxBytes` cap. Parts exceeding the cap are refused mid-stream with the configured error, so operators don't have to size-check uploads after parse. · *Per-field `mimeTypes` allowlist* — The multipart parser accepts a per-field `mimeTypes` allowlist. Parts whose declared Content-Type isn't in the allowlist are refused at the parse boundary.
+- v0.4.9 (2026-04-30) — **Origin-Agent-Cluster + DNS-Prefetch-Control headers; `b.auth.lockout` primitive.** Two new browser-isolation headers ship in the default security-header set, and a new `b.auth.lockout` primitive lands for brute-force defense at the authentication layer. **Added:** *`Origin-Agent-Cluster` header in default response headers* — The default security-header set now emits `Origin-Agent-Cluster: ?1` so cross-origin isolation hints reach browsers without operator wiring. This requests origin-keyed agent clusters to harden the Spectre / cross-origin attack surface. · *`X-DNS-Prefetch-Control` header in default response headers* — The default security-header set emits `X-DNS-Prefetch-Control: off` so browsers don't speculatively resolve hostnames embedded in served pages, reducing the side-channel signal a malicious page could leak to a network observer. · *`b.auth.lockout` primitive* — A new `b.auth.lockout` primitive lands for brute-force defense. It tracks failed authentication attempts per identity + per source-address, applies progressive backoff, and emits audit events on the lockout transitions so operators see the signal in the audit trail.
+- v0.4.8 (2026-04-30) — **Wiki SEO surface: OpenGraph + Twitter + JSON-LD + sitemap + robots.** The reference wiki gains a complete SEO surface so operators self-hosting the wiki get discoverable, share-friendly pages out of the box. **Added:** *Per-page OpenGraph and Twitter card metadata* — Every wiki page emits OpenGraph and Twitter card meta tags so links shared on social platforms render with a title, description, and preview image instead of a bare URL. · *Per-page JSON-LD structured data* — Every wiki page includes JSON-LD structured data describing the document so search engines and content discovery surfaces can index the wiki with semantic context. · *`sitemap.xml` and `robots.txt`* — The wiki serves a `sitemap.xml` enumerating every page and a `robots.txt` declaring crawl policy, so search indexers can discover the documentation tree without relying on link-graph crawling alone.
+- v0.4.7 (2026-04-30) — **Welcome page "what's in the box" table corrected.** **Fixed:** *Welcome page primitive table accuracy* — The wiki welcome page's "what's in the box" table is rewritten to match the actual shipped primitive surface. Drifted entries (primitives renamed, removed, or whose shape changed) are reconciled against the live codebase.
+- v0.4.6 (2026-04-30) — **Wiki brand-flare on every page + content additions.** **Changed:** *Wiki brand styling applied consistently* — The reference wiki gains consistent brand styling across every page so the documentation surface reads as a cohesive site rather than per-page variants. · *Wiki content expansions* — Multiple wiki pages gain expanded content covering primitives and composition patterns operators were previously left to infer from source comments.
+- v0.4.5 (2026-04-30) — **Canonical domain is `blamejs.com`.** The project's canonical domain moves from `blamejs.app` to `blamejs.com`. All operator-facing references — package metadata, documentation, wiki links — are updated to point at the new domain. **Changed:** *Canonical domain renamed to `blamejs.com`* — Every reference to `blamejs.app` is rewritten to `blamejs.com` across the README, wiki, package metadata, and source comments. The new domain is the canonical home for documentation and download links going forward.
+- v0.4.4 (2026-04-30) — **Document `BLAMEJS_AUDIT_SIGNING_PASSPHRASE` everywhere.** **Changed:** *`BLAMEJS_AUDIT_SIGNING_PASSPHRASE` documented across operator-facing surfaces* — The environment variable used to unlock the audit-signing key is documented across the README, SECURITY notes, and wiki so operators don't have to grep the source to discover the configuration knob.
+- v0.4.3 (2026-04-30) — **`b.ssrfGuard` primitive default-on in `b.httpClient` + wiki posture auto-detect.** Outbound HTTP requests now pass through an SSRF guard that refuses requests to loopback / link-local / RFC 1918 / metadata-service targets unless the operator opts in explicitly. The wiki also auto-detects its TLS / bot-guard posture instead of requiring hand-wired flags. **Added:** *`b.ssrfGuard` — default-on guard wired into `b.httpClient`* — Every outbound request the framework makes is screened against the SSRF guard before the socket opens. Targets matching loopback (`127.0.0.0/8`, `::1`), link-local (`169.254.0.0/16`, `fe80::/10`), private (RFC 1918 + `fc00::/7`), and cloud-metadata-service IPs (`169.254.169.254`, `fd00:ec2::254`) are refused unless the operator passes `allowPrivateTargets: true` for the specific call. The guard composes with the existing DoH resolver so DNS rebinding can't shift the target post-resolve. · *Wiki posture auto-detect* — The wiki example app now derives its TLS / bot-guard / CSP posture from the environment instead of requiring operators to hand-wire each flag — running behind a proxy detects the X-Forwarded-Proto chain; running standalone enables the framework defaults.
+- v0.4.2 (2026-04-30) — **`package.json` keywords refresh.** Operator-facing `package.json` keywords expanded so the package surfaces in `npm search` for the concerns it actually covers (server framework, PQC, security defaults). No code changes. **Changed:** *`package.json` keywords expanded* — The `keywords` array now lists the security / PQC / server-framework terms operators actually search for. Tarball contents unchanged; this is a metadata-only release.
+- v0.4.1 (2026-04-29) — **Wiki bot-guard skips `/healthz` so post-publish smoke check passes.** **Fixed:** *Wiki bot-guard exempts `/healthz`* — The reference wiki's bot-guard middleware now allows `/healthz` through unchallenged so the post-publish smoke check can verify the deployed wiki is responding without tripping the bot-detection refusal path.
+- v0.4.0 (2026-04-29) — **Benchmark suite + `b.logger.createLogger` removed.** The framework gains a benchmark suite for primitive-level performance measurement, and the previously deprecated `b.logger.createLogger` API is removed in favor of `b.log`. **Added:** *Benchmark suite* — A benchmark suite lands so operators can measure framework primitives in isolation. The harness composes the existing test scaffolding and reports per-primitive throughput for performance regression detection. **Removed:** *`b.logger.createLogger`* — The deprecated `b.logger.createLogger` API is removed. Callers migrate to `b.log`, which has been the documented logging surface since the deprecation warning shipped.
+## v0.3.x
+- v0.3.39 (2026-04-29) — **`MIGRATING.md` generator scans `deprecate()` calls in `lib/`.** **Added:** *MIGRATING.md generator* — A new generator walks every `deprecate()` call site in `lib/` and emits `MIGRATING.md` so operators always see the current deprecation timeline without hand-editing the doc.
+- v0.3.38 (2026-04-29) — **`LTS-CALENDAR.md` publishes the major-cadence and algorithm posture.** **Added:** *Public LTS calendar* — `LTS-CALENDAR.md` ships the framework's major-version cadence and the PQC-first algorithm posture so operators can plan upgrades and crypto migration windows against a published timeline.
+- v0.3.37 (2026-04-29) — **Bundled pure-JS mTLS engine plus vendor-update tooling.** **Added:** *Pure-JS mTLS engine bundled* — A pure-JavaScript mTLS engine ships in the framework so operators no longer pull a native-crypto dependency for client-certificate authentication. · *`vendor-update.sh` helper* — A vendor-refresh script lands alongside the engine so refreshing the vendored crypto sources is a single command instead of a hand-edit walk. · *CHANGELOG and thanks page* — The repository now carries a structured `CHANGELOG.md` and a thanks page acknowledging upstream contributors whose work the vendored stack composes.
+- v0.3.36 (2026-04-29) — **Prepack guard refuses to publish any path that matches a `.gitignore` rule.** **Security:** *Prepack gitignore cross-check* — A prepack guard now refuses to publish any path the repository's `.gitignore` would have excluded from version control, so build artefacts, `.env` files, and other sensitive bytes can't accidentally ride into the npm tarball.
+- v0.3.35 (2026-04-29) — **Wiki home page gains a logo hero and neon-magenta brand accents.** **Changed:** *Wiki home hero* — The wiki home page now opens with a logo hero and neon-magenta brand accents so the documentation surface visually matches the rest of the framework's identity.
+- v0.3.34 (2026-04-29) — **Rewrite api-snapshot wiki section in plain operator voice and fix `SECURITY.md` flag.** **Changed:** *api-snapshot wiki section rewritten* — The api-snapshot section of the wiki is rewritten in plain operator voice so the surface description matches what operators actually use the snapshot for, rather than internal narrative. **Fixed:** *`SECURITY.md` flag* — A flag in `SECURITY.md` that referenced the wrong primitive name is corrected so the operator hardening checklist points at the right configuration surface.
+- v0.3.33 (2026-04-29) — **Doc sweep folding the mtls CLI references and filling the api-snapshot wiki gap.** **Changed:** *mtls CLI references folded into the docs* — Operator-facing docs now reference the `blamejs mtls` CLI introduced in the previous release so the documentation surface and the shipped CLI surface match. · *api-snapshot wiki gap filled* — The wiki gains an api-snapshot page so operators have an in-tree reference for the snapshot file used by the surface-stability check.
+- v0.3.32 (2026-04-29) — **`blamejs mtls` CLI plus framework posture fix on cert fingerprinting.** **Added:** *`blamejs mtls` CLI* — A new `blamejs mtls` CLI exposes `status`, `show-cert`, `init`, `issue`, and `issue-p12` subcommands so operators manage the mTLS trust store, issue client certificates, and export PKCS#12 bundles without writing custom scripts. **Fixed:** *Cert fingerprinting posture* — The framework's certificate fingerprinting posture is corrected so the surface aligns with the rest of the PQC-first hashing defaults.
+- v0.3.31 (2026-04-29) — **Defensive `NPM_TOKEN` check in the npm-publish workflow plus committed `bin/blamejs.js` executable bit.** **Fixed:** *`NPM_TOKEN` defensive check* — The npm-publish workflow now refuses to run when `NPM_TOKEN` is missing instead of surfacing a confusing downstream npm error, so failures fail fast with a clear cause. · *`bin/blamejs.js` executable bit* — The executable bit on `bin/blamejs.js` is committed to the tree so the CLI is directly runnable after install without a post-install chmod.
+- v0.3.30 (2026-04-29) — **Wiki binds to `0.0.0.0` by default so `docker -p` forwarding reaches the listener.** **Fixed:** *Wiki default bind address* — The wiki server now binds to `0.0.0.0` by default so `docker run -p` port forwarding actually reaches the listener; the previous loopback-only bind made the published port appear unreachable from outside the container.
+- v0.3.29 (2026-04-29) — **`npm-publish` workflow plus `Dockerfile` data-skeleton directory.** **Added:** *npm-publish workflow* — A new GitHub Actions workflow publishes the framework to npm on tag push so releases land on the registry without a manual `npm publish` step. · *Dockerfile data-skeleton directory* — The container image now pre-creates the data-directory skeleton so the framework's sealed-storage and audit primitives have writable paths on first boot under `--cap-drop ALL`.
+- v0.3.28 (2026-04-29) — **`Dockerfile` switches runtime `--chown` from name to numeric UID `65532:65532`.** **Changed:** *Numeric UID for runtime chown* — The runtime container now uses the numeric UID `65532:65532` for `--chown` instead of a username, so the image runs under Kubernetes `runAsNonRoot` enforcement and other admission controllers that refuse images whose user can't be resolved to a numeric ID at admission time.
+- v0.3.27 (2026-04-29) — **`Dockerfile` pre-builds `public/dist` in the deps stage so the runtime container boots cleanly under `--cap-drop ALL`.** **Fixed:** *`public/dist` pre-built in deps stage* — The asset build moves into the deps stage so `public/dist` exists in the runtime image before boot; the previous layout tried to write build output at runtime, which fails the moment the container drops all capabilities.
+- v0.3.26 (2026-04-29) — **Operator-facing env-var surface, GitHub-side ops docs, and contribution standards.** **Added:** *Operator-facing env-var surface* — The full list of operator-tunable environment variables is now documented so operators can configure the framework without reading source. · *GitHub-side ops docs* — The repository ships ops documentation for the GitHub-side surface (workflows, branch protection, container registry usage) so collaborators have a written reference. · *Contribution standards* — Contribution standards land in the repository so external contributors have a published baseline for PR style, signed commits, and the release workflow.
+- v0.3.25 (2026-04-29) — **Env-var surface documented across `Dockerfile`, `docker-compose.prod`, `DEPLOY.md`, and `README`; smoke-test GHCR login fix.** **Added:** *Env-var surface documented* — The operator-tunable environment variables are documented in `Dockerfile`, `docker-compose.prod`, `DEPLOY.md`, and `README` so the same surface is visible from every operator entry point. **Fixed:** *Smoke-test GHCR login* — The smoke-test workflow's GHCR login step is corrected so the post-publish smoke run can pull the just-built image.
+- v0.3.24 (2026-04-29) — **CI and release-container workflows gain structured output, multi-arch builds, cosign signing, and a post-publish smoke run.** **Added:** *Structured workflow output* — CI workflows now emit structured output so failures surface the failing step and command instead of a free-form log dump. · *Multi-arch container builds* — The release-container workflow now builds multi-architecture images so operators on `linux/amd64` and `linux/arm64` pull from the same tag. · *Cosign signing* — Published container images are signed with cosign so operators can verify the signature against the workflow's OIDC identity. · *Post-publish smoke run* — A post-publish smoke run boots the freshly published image and exercises the basic framework boot path so registry-side regressions are caught before operators pull.
+- v0.3.23 (2026-04-29) — **`_runVault` and `_runBackup` refactored onto `b.cliHelpers`.** **Changed:** *`_runVault` and `_runBackup` use `b.cliHelpers`* — The `_runVault` and `_runBackup` CLI entry points are refactored to use the `b.cliHelpers` shared primitive so all three CLI commands the helper was designed for now share a single headless-app and reporter shape.
+- v0.3.22 (2026-04-29) — **`blamejs api-key` CLI plus shared `b.cliHelpers` primitive.** **Added:** *`blamejs api-key` CLI* — A new `blamejs api-key` CLI manages API-key lifecycle from the command line so operators no longer need bespoke scripts to issue, rotate, or revoke keys. · *`b.cliHelpers` shared primitive* — A new `b.cliHelpers` primitive captures the shared headless-app boot and reporter shape used by every framework CLI so future commands compose the helper instead of reimplementing the wrapper.
+- v0.3.21 (2026-04-29) — **`blamejs backup` CLI with inspect / verify / extract subcommands.** **Added:** *`blamejs backup` CLI* — A new `blamejs backup` CLI ships `inspect`, `verify`, and `extract` subcommands so operators can introspect, verify the integrity of, and selectively extract sealed backups from the command line. · *Backup encryption format documented* — The backup encryption format is documented so operators have a written reference for the on-disk shape and the algorithms involved.
+- v0.3.20 (2026-04-29) — **Drop the Windows-flaky `audit.flush` performance assertion.** **Fixed:** *Windows-flaky `audit.flush` assertion removed* — A performance-budget assertion around `audit.flush` was dropping under Windows file-system jitter even when the underlying behavior was correct, so the redundant assertion is removed; the same path is covered by the audit chain's integrity test.
+- v0.3.19 (2026-04-29) — **Wiki docs for the unwired primitives surface.** **Added:** *Wiki coverage for unwired primitives* — The wiki now documents the framework primitives that exist in `lib/` but had not yet been written up, so the documentation surface matches what's actually shipped.
+- v0.3.18 (2026-04-29) — **`blamejs vault` CLI with seal / unseal / rotate / status subcommands.** **Added:** *`blamejs vault` CLI* — A new `blamejs vault` CLI ships `seal`, `unseal`, `rotate`, and `status` subcommands so operators control the framework's sealed-storage vault from the command line instead of writing one-off scripts around the underlying primitives.
+- v0.3.17 (2026-04-29) — **`validateOpts` extended to 15 more operator-facing primitives.** Fifteen additional operator-facing factories now reject typo'd opts at boot, bringing the total coverage to roughly 39 primitives. **Added:** *Boot-time opts validation for 15 more primitives* — `validateOpts` coverage now extends to `i18n`, `bundler`, `migrations`, `seeders`, `template`, `jobs`, `cookies`, `log`, `mtlsCa`, `staticServe`, `handlers`, `websocket`, `pqcGate`, `tracing`, and `metrics`, so a typo in an opt key now throws at boot instead of silently doing nothing. The remaining factories (`appShutdown`, `chainWriter`, `dev`, `errorPage`, `nonceStore`, `protocolDispatcher`, `render`, `session`, `pqcAgent`) are either internal-only or have a single required-key surface where typo guards add no value.
+- v0.3.16 (2026-04-29) — **Config validation, CSRF cookie mode, HTML balance, dynamic `Cache-Control`, URL canonicalization.** **Added:** *Config validation* — A new config-validation surface refuses typo'd or out-of-range configuration values at boot so operators catch mistakes immediately. · *CSRF cookie mode* — A cookie-backed CSRF mode is now supported in addition to the header-token mode, so operators on stateless backends have a primitive that matches their session shape. · *HTML balance check* — An HTML balance check protects against mismatched tag emission from templates so rendered pages can't ship with a structural defect. · *Dynamic `Cache-Control`* — Dynamic `Cache-Control` selection ships so operator-rendered pages get an appropriate cache directive without per-route boilerplate. · *URL canonicalization* — URL canonicalization normalizes incoming request paths so middleware and routing don't see two distinct representations of the same logical resource.
+- v0.3.15 (2026-04-29) — **CORS accepts `Origin: null` when `Sec-Fetch-Site` is same-origin.** **Fixed:** *CORS handling of opaque `Origin: null`* — Browsers send an opaque `Origin: null` on form-navigation POSTs from a page whose response sets `Referrer-Policy: no-referrer`. The CORS check now consults the Fetch-metadata `Sec-Fetch-Site` header to disambiguate: `same-origin` or `none` accepts the request, anything else stays refused. Cross-origin posts can't bypass the check because they'd carry a non-same-origin `Sec-Fetch-Site` value.
+- v0.3.14 (2026-04-29) — **`Dockerfile` hotfix plus lint as a release gate.** **Changed:** *Lint promoted to release gate* — Linting now blocks the release workflow so style and obvious-bug findings are caught before a publish instead of after operators pull. **Fixed:** *`Dockerfile` hotfix* — A hotfix repairs the `Dockerfile` so the container builds cleanly after the previous release's changes.
+- v0.3.13 (2026-04-29) — **CI lint scans, Wolfi container base, two-step Trivy scan, and lint cleanup.** **Added:** *CI lint scans* — Lint scans run on every CI build so style and obvious-bug findings surface alongside the existing smoke gate. · *Wolfi container base* — The container image moves to a Wolfi base for the minimal-surface, vulnerability-tracked distro the security posture wants. · *Two-step Trivy scan* — Trivy now runs as a two-step scan (filesystem then image) so vulnerabilities are caught both pre-build and post-build. **Fixed:** *Lint cleanup* — The codebase is cleaned to satisfy the newly-enforced lint rules so the gate runs cleanly on every release.
+- v0.3.12 (2026-04-29) — **Version bump for a hotfix container-image rebuild.** **Changed:** *Container-image rebuild* — This release exists to bump the version so the container image rebuilds against the latest base layers; no framework-code changes ship in this release.
+- v0.3.11 (2026-04-29) — **CI/CD: GitHub Actions for smoke and wiki e2e, GHCR container publish on tag, Caddy production deploy overlay.** **Added:** *GitHub Actions for smoke and wiki e2e* — Smoke and wiki end-to-end tests now run on every push via GitHub Actions so regressions are caught before a release tag is cut. · *GHCR container publish on tag* — Tagged releases now publish a container image to GHCR so operators can pull a versioned container alongside the npm tarball. · *Caddy production deploy overlay* — A Caddy production deploy overlay ships so operators have a known-good reverse-proxy configuration that exercises the framework's TLS and header defaults.
+- v0.3.10 (2026-04-29) — **Framework correctness fixes across compression, CSP nonce, CORS, and audit.** Four correctness fixes land together: compression now honors backpressure, `cspNonce` exposes a cacheable-render API, CORS rejects cross-origin requests that previously slipped through the same-origin path, and audit namespaces are now correctly threaded through. **Fixed:** *Compression backpressure* — The compression middleware now honors downstream backpressure, preventing unbounded memory growth when the client consumes more slowly than the encoder produces. · *`cspNonce` cacheable-render API* — `cspNonce` exposes a cacheable-render API so responses generated by a shared renderer can carry a per-request nonce without invalidating the rendered cache. · *CORS same-origin handling* — Tightens the CORS middleware's same-origin path so cross-origin requests that previously slipped through under specific header shapes are now refused. · *Audit namespaces* — Audit events are now correctly namespaced so per-domain audit streams stay distinct instead of folding into the global stream.
+- v0.3.9 (2026-04-28) — **Wiki: Docker Compose deploy.** **Added:** *Docker Compose deploy wiki page* — New wiki page describing how to stand up the framework via Docker Compose, including the recommended service layout and the env-var surface operators need to wire.
+- v0.3.8 (2026-04-28) — **Wiki: remaining four concern-group pages.** **Added:** *Remaining concern-group wiki pages* — Finishes the per-concern wiki coverage with the four remaining concern-group pages, completing the wiki navigation surface for all primitive domains.
+- v0.3.7 (2026-04-28) — **Wiki: HTTP & Middleware and Crypto & Vault pages.** **Added:** *HTTP & Middleware and Crypto & Vault wiki pages* — New wiki content covering the HTTP request lifecycle / middleware concern group and the crypto / vault concern group so operators can navigate the primitive surface for those domains.
+- v0.3.6 (2026-04-28) — **Wiki: Auth & Permissions and Storage & State pages.** **Added:** *Auth & Permissions and Storage & State wiki pages* — New wiki content covering the authentication / authorization concern group and the storage / state concern group (session, db, cache, vault) so operators can navigate the primitive surface for those domains.
+- v0.3.5 (2026-04-28) — **Strip stale comments and template language from sources.** **Changed:** *Source comments cleaned of stale and template language* — Removed leftover scaffolding comments and template prose across `lib/` so the in-source documentation reflects current behavior. No runtime behavior change.
+- v0.3.4 (2026-04-28) — **Wiki: Welcome and Observability pages.** **Added:** *Welcome and Observability wiki pages* — New wiki content covering the framework entry-point and the observability concern group (metrics, tracing, audit) so operators can navigate from the landing page into the observability primitive surface.
+- v0.3.3 (2026-04-28) — **Wiki bundler integration + admin editor enhancements.** **Added:** *Wiki bundler integration + admin editor enhancements* — The `examples/wiki` reference app gains bundler integration and admin editor improvements so operators evaluating the framework see the documentation surface render with the same wiring they would use in production.
+- v0.3.2 (2026-04-28) — **Wiki wires `b.notify` / `b.scheduler` / `b.apiKey` / `b.webhook`.** **Added:** *Wiki demonstrates notify / scheduler / apiKey / webhook composition* — The `examples/wiki` reference app now exercises `b.notify`, `b.scheduler`, `b.apiKey`, and `b.webhook` end-to-end so operators evaluating the framework see how these primitives compose with the rest of the request lifecycle.
+- v0.3.1 (2026-04-28) — **Wiki design pass.** **Changed:** *Wiki design pass* — Visual and layout refinements across the `examples/wiki` reference app so the documentation surface reads cleanly and the navigation reflects the current primitive set.
+- v0.3.0 (2026-04-28) — **`examples/wiki` reference app.** The framework ships with a reference wiki application under `examples/wiki` that operators can clone, run, and read to see the framework's primitives composed into a working server. **Added:** *`examples/wiki` reference app* — A working wiki application built on the framework lands under `examples/wiki`. It composes the request lifecycle, the security defaults, the storage primitives, and the documentation surface so operators evaluating the framework see an end-to-end shape instead of isolated snippets.
+## v0.2.x
+- v0.2.39 (2026-04-28) — **Sweep `auditCaptured` + `fakeNow` patterns to `b.testing`.** **Changed:** *Internal test patterns moved onto `b.testing`* — Existing `auditCaptured` and `fakeNow` ad-hoc test patterns across the framework are migrated to the new `b.testing` primitive so every test file uses the same shared helpers instead of rolling its own clock/audit fakes.
+- v0.2.38 (2026-04-28) — **`b.testing`.** **Added:** *`b.testing` primitive* — A shared testing primitive landed at `b.testing` that bundles the framework's recurring test helpers (deterministic clocks, audit capture, fake request/response shapes) so tests across the codebase can share them instead of each file recreating its own mocks.
+- v0.2.37 (2026-04-28) — **`b.notify`.** **Added:** *`b.notify` primitive* — Outbound notification dispatch (email, SMS gateway, webhook, push) is consolidated behind one primitive with per-channel adapters, throttling, and audit emission — applications no longer wire each transport directly.
+- v0.2.36 (2026-04-28) — **`b.i18n`.** **Added:** *`b.i18n` primitive* — Internationalization (message catalogs, locale resolution from request, pluralization, formatting) is a first-class primitive — applications stop wiring their own message-bundle loader and locale negotiator.
+- v0.2.35 (2026-04-28) — **`b.seeders`.** **Added:** *`b.seeders` primitive* — Database/storage seeders are now a first-class primitive — operators declare seed data alongside the application and the framework runs idempotent boot-time provisioning instead of bespoke per-app scripts.
+- v0.2.34 (2026-04-28) — **`b.cache`.** **Added:** *`b.cache` primitive* — A framework-native cache primitive with pluggable backends, TTL, max-bytes ceiling, and observability signals — applications stop reaching for ad-hoc Map-based caches that grow unbounded.
+- v0.2.33 (2026-04-28) — **Audit captures the 5 W's; success on by default when audit is wired.** **Changed:** *Audit envelopes capture the 5 W's* — Every audit event now records who (actor), what (action), when (timestamp), where (request context / route), and why (outcome reason) — a uniform shape across every framework primitive that emits audit. · *Success events on by default when audit is wired* — Once an audit sink is registered, the framework emits success events by default — previously success was opt-in per primitive, leaving asymmetric coverage between failure and success.
+- v0.2.32 (2026-04-28) — **Close api-key visibility holes.** **Fixed:** *API-key visibility holes closed* — `b.apiKey` no longer leaks raw key material into log lines, error messages, or audit envelopes — the key is hashed once at issuance and only the prefix is surfaced to operator-readable output.
+- v0.2.31 (2026-04-28) — **`auditSuccess` split into precursor vs complete-event.** **Changed:** *`auditSuccess` split into two distinct events* — What was a single `auditSuccess` is now two events — a precursor emitted when the operation begins and a complete-event emitted on successful finish — so operators can distinguish started-but-not-yet-complete work from fully completed work in the audit stream.
+- v0.2.30 (2026-04-28) — **`b.permissions`.** **Added:** *`b.permissions` primitive* — A first-class permissions primitive lets handlers declare required capabilities and the framework enforces them before the handler runs — replaces ad-hoc per-route role checks with a uniform model.
+- v0.2.29 (2026-04-28) — **Observability backfill across primitives.** **Changed:** *Observability signals backfilled across the framework* — Primitives that did not yet emit metrics, traces, and audit events are brought up to the same observability baseline as the request lifecycle — queue, scheduler, storage, mail, websocket, and rate-limit all now surface uniform signals.
+- v0.2.28 (2026-04-28) — **Credential hash envelope versioning.** **Added:** *Versioned credential-hash envelope* — Stored credential hashes now carry an explicit envelope version so the framework can roll its KDF parameters or hash algorithm forward without invalidating existing credentials — verifications transparently re-hash on next login under the new parameters.
+- v0.2.27 (2026-04-28) — **`b.apiKey` + repo logo assets.** **Added:** *`b.apiKey` primitive* — API-key issuance, storage (hashed, never plaintext), rotation, and revocation are now a first-class primitive — applications stop rolling their own bearer-token table. · *Repository logo assets* — Logo artwork is committed under the repository for use by downstream documentation, package registries, and operator-facing surfaces.
+- v0.2.26 (2026-04-28) — **`b.webhook` signing + verification.** **Added:** *`b.webhook` signing and verification* — Outbound webhooks are signed with a framework-issued signature header and inbound webhook handlers verify the signature before invoking the callback — replay-protected, constant-time comparison, no per-app HMAC code.
+- v0.2.25 (2026-04-28) — **`b.slug`.** **Added:** *`b.slug` primitive* — URL-safe slug generation with Unicode-aware normalization, length caps, and reserved-word avoidance — applications no longer roll their own ad-hoc lowercase-and-dash function.
+- v0.2.24 (2026-04-28) — **`b.retry` primitive.** **Added:** *`b.retry` primitive* — A composable retry primitive with exponential backoff, jitter, and a bounded attempt budget — callers wrap any async operation and get uniform retry semantics without rolling their own loop.
+- v0.2.23 (2026-04-28) — **Test helpers consolidate.** **Changed:** *Shared test helpers consolidated under `test/helpers/`* — Common mocks (`_mockReq`, `_mockRes`, `_bodyReq`, `_bodyRes`, `_streamingRes`, `setupTestDb`, `teardownTestDb`) are consolidated so test fixtures stop rolling their own copies and instead reuse one canonical implementation.
+- v0.2.22 (2026-04-28) — **Input validation hardened at framework entry points.** **Changed:** *Config-time and entry-point input validation throws on bad input* — Entry-point primitives such as `C.TIME.*`, `C.BYTES.*`, `protocolDispatcher.create`, and `defineClass`-built errors now throw `TypeError` on non-finite numbers, negative durations, or wrong-shape arguments so operator typos surface at boot instead of mid-request.
+- v0.2.21 (2026-04-28) — **`defineClass.factory` replaces per-module `_err` wrappers.** **Changed:** *`defineClass.factory` replaces per-module `_err` wrappers* — Per-module error wrappers (`_err`) are replaced with a single `defineClass.factory` builder so every framework error class is constructed uniformly with a stable `.name`, `.code`, and structured `.metadata` field.
+- v0.2.20 (2026-04-28) — **`b.requestHelpers` + metrics label normalization.** **Added:** *`b.requestHelpers` primitive* — Common request-shape readers (resolveRoute, clientIp, requestId, etc.) are consolidated into `b.requestHelpers` so middleware and handlers share one defensive implementation instead of rolling their own. · *`metrics._normalizeLabelArg`* — Metrics label arguments now flow through a single normalization helper so cardinality stays bounded and string/number/undefined inputs render to a consistent canonical shape.
+- v0.2.19 (2026-04-28) — **`audit.safeEmit` replaces per-module `_emit` wrappers.** **Changed:** *`audit.safeEmit` consolidates per-module audit emitters* — Per-module `_emit` wrappers across `lib/` are replaced with a single `audit.safeEmit` entry point — drop-silent on the hot path, uniform envelope shape, one place to extend audit-sink behavior.
+- v0.2.18 (2026-04-28) — **`b.protocolDispatcher`.** **Added:** *`b.protocolDispatcher` primitive* — A protocol-aware dispatcher routes incoming requests to the matching handler family (HTTP, WebSocket, queue worker) from a single entry point, replacing ad-hoc per-protocol wiring across earlier releases.
+- v0.2.17 (2026-04-28) — **`b.observability.tap`.** **Added:** *`b.observability.tap` primitive* — A single tap point lets operators subscribe to every framework observability signal (metrics, traces, audit events) from one place instead of registering exporters against three different primitives.
+- v0.2.16 (2026-04-28) — **`index.js` header lists the complete public surface.** **Changed:** *Public surface enumerated in `index.js` header* — The top of `index.js` now lists every public namespace the framework ships so operators reading the entry-point file see the full surface at a glance instead of having to grep `lib/`.
+- v0.2.15 (2026-04-28) — **Request middleware captures `statusCode` + promotes span to route template.** **Added:** *Request middleware captures response `statusCode`* — The request lifecycle middleware now records the final response status code on the audit/metric/trace surfaces so operators can correlate outcome with route + latency without instrumenting per-handler. · *Tracing span named after route template* — Spans are renamed from the concrete URL to the matched route template (using `req.routePattern` from the previous release) — cardinality stays bounded and traces group meaningfully.
+- v0.2.14 (2026-04-28) — **Router populates `req.routePattern`.** **Added:** *`req.routePattern` populated by the router* — The router now exposes the matched route template on `req.routePattern` so downstream middleware (metrics labels, tracing span names, audit events) can group requests by template instead of by concrete URL.
+- v0.2.13 (2026-04-28) — **OAuth generic preset.** **Added:** *OAuth generic preset* — `b.auth.oauth` gains a generic preset that covers any spec-compliant OAuth 2.0 / OIDC provider without a per-vendor adapter — operators supply the discovery URL and client credentials and the framework wires the rest.
+- v0.2.12 (2026-04-28) — **Built-in metrics + framework tracing taps.** **Added:** *Built-in metrics* — `b.metrics` ships built-in counters/gauges/histograms for every framework primitive — request latency, queue depth, scheduler fire counts, audit-sink failures — surfaced without per-app instrumentation. · *Framework tracing taps* — `b.tracing` taps every framework primitive boundary so traces span the request lifecycle automatically; operators wire an exporter and get a full waterfall without per-handler code.
+- v0.2.11 (2026-04-28) — **Storage POST-form presigning + logger deprecation warning.** **Added:** *Storage POST-form policy presigning* — `b.storage` gains presigned HTML POST-form policies — browsers can upload directly to the bucket via a standard `<form>` POST with the framework-issued policy document, complementing the existing presigned-URL flow. **Deprecated:** *Legacy logger surface* — The standalone logger surface emits a deprecation warning pointing callers at `b.log`; removal is scheduled for a future minor release.
+- v0.2.10 (2026-04-28) — **Close api-encrypt audit gaps.** **Fixed:** *api-encrypt audit gaps closed* — The `b.middleware.apiEncrypt` surface now emits audit events on every key-handling path — decrypt failures, mismatched envelope versions, and recipient-key mismatches all surface to the audit sink instead of being lost on the error path.
+- v0.2.9 (2026-04-28) — **Cluster-shared nonce-store + audit handler isolation.** **Added:** *Cluster-shared nonce-store* — Replay-protection nonces are now persisted in a cluster-shared store so a replayed request hitting a different worker is still rejected — single-worker memory was insufficient for multi-process deployments. **Changed:** *Audit handler isolation* — Audit-sink handlers are isolated so a faulting handler can no longer take down the request that emitted the audit event — drop-silent on hot-path observability sinks.
+- v0.2.8 (2026-04-28) — **End-to-end PQC payload encryption middleware.** **Added:** *`b.middleware.apiEncrypt` end-to-end PQC payload encryption* — Request and response bodies can now be encrypted end-to-end with the framework's PQC envelope (ML-KEM-1024 + XChaCha20-Poly1305) so payloads stay confidential even past a terminating proxy — opt-in middleware that wires into the request lifecycle without per-route changes.
+- v0.2.7 (2026-04-27) — **WebSocket channel/room hub with cluster pub/sub fan-out.** **Added:** *WebSocket channel/room hub* — `b.websocket` gains a channel/room hub so clients can subscribe to named topics; broadcasts to a topic fan out across the cluster via the existing `b.pubsub` backend instead of staying pinned to the worker that owns the socket.
+- v0.2.6 (2026-04-27) — **`b.mail.bounce` intake primitive.** **Added:** *Mail-bounce intake primitive* — `b.mail.bounce` parses inbound DSN (Delivery Status Notification) messages and surfaces structured bounce events so callers can quarantine bad recipients without writing their own RFC 3464 parser.
+- v0.2.5 (2026-04-27) — **Strip narrative comments from shipped source.** **Changed:** *Narrative comments stripped from shipped source* — Source comments across `lib/` are rewritten to describe behavior instead of carrying internal-process narrative — operators reading the tarball see only operator-facing prose.
+- v0.2.4 (2026-04-27) — **Logger folded into `b.log` + rate-limit cluster backend.** **Added:** *Cluster-shared rate-limit backend* — `b.rateLimit` gains a cluster-shared backend so request counters survive across worker processes — a single client cannot evade limits by hashing onto a different worker. **Changed:** *Logger folded into `b.log`* — The standalone logger surface is consolidated into `b.log` so the framework ships a single canonical logging primitive instead of two overlapping ones.
+- v0.2.3 (2026-04-27) — **Route raw time and byte literals through `C.TIME` / `C.BYTES` and type bare throws.** Numeric literals representing durations and byte sizes are routed through the framework's `C.TIME.*` and `C.BYTES.*` constant tables so the operator-visible unit is named at the call site. Bare `throw new Error(...)` sites that crossed a public boundary are upgraded to typed framework error classes so callers can branch on `instanceof` rather than parsing strings. **Changed:** *Time and byte literals routed through `C.TIME` / `C.BYTES`* — Hand-rolled `* 1000` / `* 1024` arithmetic across `lib/` is replaced with named constants from the central `C.TIME` and `C.BYTES` tables. Operators reading source see `C.TIME.MINUTE` instead of `60 * 1000`, and the codebase-patterns detector that refuses raw-literal multiplication keeps the discipline in place. · *Bare `throw new Error(...)` upgraded to typed framework errors* — Public-boundary throws that previously emitted plain `Error` objects now use the typed framework-error hierarchy (`TypeError` / `ValidationError` / `ConfigError` subclasses). Callers can branch on `instanceof` rather than matching message strings, and the typed errors carry a stable `name` for log-correlation.
+- v0.2.2 (2026-04-27) — **Scheduler + presign follow-up fixes.** **Fixed:** *Scheduler and presign gaps closed* — Closes residual gaps in the scheduler exactly-once contract and the storage presigned-upload helper introduced in the previous release — tightens race-window handling and corrects edge cases in the signing surface.
+- v0.2.1 (2026-04-27) — **Scheduler exactly-once-globally + presigned upload URLs.** **Added:** *Scheduler exactly-once across the cluster* — `b.scheduler` now guarantees exactly-once execution globally rather than per-process, so a cron-style entry fires once across the entire cluster instead of once per worker. · *Storage presigned upload URLs* — `b.storage` exposes a presigning helper for direct browser-to-bucket uploads — the framework issues a short-lived signed URL the client uses without ever holding the master credential.
+- v0.2.0 (2026-04-27) — **Queue lease-extension + Jobs dead-letter queue.** **Added:** *Queue lease-extension* — Long-running job consumers can extend the visibility lease on an in-flight message instead of dropping it back into the queue when a single execution exceeds the original lease window. · *Jobs dead-letter queue* — `b.jobs` consumers that exhaust their retry budget now route the failing envelope into a dedicated dead-letter queue for operator inspection instead of silently dropping the work.
+## v0.1.x
+- v0.1.111 (2026-04-27) — **Modular per-file test layout.** **Added:** *Modular per-file test layout* — Modular per-file test layout.
+- v0.1.110 (2026-04-27) — **Session.rotate + migrations advisory lock.** **Added:** *Session.rotate + migrations advisory lock* — Session.rotate + migrations advisory lock.
+- v0.1.109 (2026-04-27) — **Auth.oauth: OAuth 2 / OIDC client.** **Added:** *Auth.oauth: OAuth 2 / OIDC client* — Auth.oauth: OAuth 2 / OIDC client.
+- v0.1.108 (2026-04-27) — **App-shutdown: graceful-shutdown orchestrator.** **Added:** *App-shutdown: graceful-shutdown orchestrator* — App-shutdown: graceful-shutdown orchestrator.
+- v0.1.107 (2026-04-27) — **Tracing: OpenTelemetry seam.** **Added:** *Tracing: OpenTelemetry seam* — Tracing: OpenTelemetry seam.
+- v0.1.106 (2026-04-27) — **Metrics: Prometheus-format counters/gauges/histograms.** **Added:** *Metrics: Prometheus-format counters/gauges/histograms* — Metrics: Prometheus-format counters/gauges/histograms.
+- v0.1.105 (2026-04-27) — **Csp-nonce middleware + render integration.** **Added:** *Csp-nonce middleware + render integration* — Csp-nonce middleware + render integration.
+- v0.1.104 (2026-04-27) — **Pagination: cursor + offset helpers.** **Added:** *Pagination: cursor + offset helpers* — Pagination: cursor + offset helpers.
+- v0.1.103 (2026-04-27) — **Compression middleware.** **Added:** *Compression middleware* — Compression middleware.
+- v0.1.102 (2026-04-27) — **Health endpoint primitive.** **Added:** *Health endpoint primitive* — Health endpoint primitive.
+- v0.1.101 (2026-04-27) — **Body-parser middleware.** **Added:** *Body-parser middleware* — Body-parser middleware.
+- v0.1.100 (2026-04-27) — **Safe-schema: declarative input validator.** **Added:** *Safe-schema: declarative input validator* — Safe-schema: declarative input validator.
+- v0.1.99 (2026-04-27) — **Events: breach-detection signal bus (audit-tools slice B).** **Added:** *Events: breach-detection signal bus (audit-tools slice B)* — Events: breach-detection signal bus (audit-tools slice B).
+- v0.1.98 (2026-04-27) — **Audit-tools (slice A): archive + export + verify-bundle + purge.** **Added:** *Audit-tools (slice A): archive + export + verify-bundle + purge* — Audit-tools (slice A): archive + export + verify-bundle + purge.
+- v0.1.97 (2026-04-27) — **Backup: encrypted-at-rest support — db.flushToDisk + recommendedFiles.** **Added:** *Backup: encrypted-at-rest support — db.flushToDisk + recommendedFiles* — Backup: encrypted-at-rest support — db.flushToDisk + recommendedFiles.
+- v0.1.96 (2026-04-27) — **Folder-level adjustments + DeprecateError rename.** **Added:** *Folder-level adjustments + DeprecateError rename* — Folder-level adjustments + DeprecateError rename.
+- v0.1.95 (2026-04-27) — **Standardize require ordering across major lib files.** **Changed:** *Standardize require ordering across major lib files* — Standardize require ordering across major lib files.
+- v0.1.94 (2026-04-27) — **Rename import bindings, public namespace, error classes.** **Changed:** *Rename import bindings, public namespace, error classes* — Rename import bindings, public namespace, error classes.
+- v0.1.93 (2026-04-27) — **Rename libs to prefix-grouped names.** **Changed:** *Rename libs to prefix-grouped names* — Rename libs to prefix-grouped names.
+- v0.1.92 (2026-04-27) — **Lift duplicated helpers + frameworkError.defineClass.** **Changed:** *Lift duplicated helpers + frameworkError.defineClass* — Lift duplicated helpers + frameworkError.defineClass.
+- v0.1.91 (2026-04-27) — **Api-snapshot: public API surface walker + breaking-change detectorb.** **Added:** *Api-snapshot: public API surface walker + breaking-change detectorb* — Api-snapshot: public API surface walker + breaking-change detectorb.
+- v0.1.90 (2026-04-27) — **Deprecate: runtime deprecation API for the LTS contracta.** **Added:** *Deprecate: runtime deprecation API for the LTS contracta* — Deprecate: runtime deprecation API for the LTS contracta.
+- v0.1.89 (2026-04-27) — **Restore + restore-rollback: storage-backed restore + atomic swap — complete.** **Added:** *Restore + restore-rollback: storage-backed restore + atomic swap — complete* — Restore + restore-rollback: storage-backed restore + atomic swap — complete.
+- v0.1.88 (2026-04-27) — **Backup: orchestration with pluggable storage + retentiond.** **Added:** *Backup: orchestration with pluggable storage + retentiond* — Backup: orchestration with pluggable storage + retentiond.
+- v0.1.87 (2026-04-27) — **Restore-bundle: extract encrypted bundle to stagingc.** **Added:** *Restore-bundle: extract encrypted bundle to stagingc* — Restore-bundle: extract encrypted bundle to stagingc.
+- v0.1.86 (2026-04-27) — **Backup-bundle: produce an encrypted backup bundle on diskb.** **Added:** *Backup-bundle: produce an encrypted backup bundle on diskb* — Backup-bundle: produce an encrypted backup bundle on diskb.
+- v0.1.85 (2026-04-27) — **Backup-manifest: bundle schema + validate/parse/serializea.** **Added:** *Backup-manifest: bundle schema + validate/parse/serializea* — Backup-manifest: bundle schema + validate/parse/serializea.
+- v0.1.84 (2026-04-27) — **Backup-crypto: Argon2id KDF + XChaCha20-Poly1305 for backup files.** **Added:** *Backup-crypto: Argon2id KDF + XChaCha20-Poly1305 for backup files* — Backup-crypto: Argon2id KDF + XChaCha20-Poly1305 for backup files.
+- v0.1.83 (2026-04-27) — **Mtls-ca: CA file management with engine-pluggable issuance.** **Added:** *Mtls-ca: CA file management with engine-pluggable issuance* — Mtls-ca: CA file management with engine-pluggable issuance.
+- v0.1.82 (2026-04-27) — **Vault-passphrase-ops: seal/unseal/rotate operator primitives.** **Added:** *Vault-passphrase-ops: seal/unseal/rotate operator primitives* — Vault-passphrase-ops: seal/unseal/rotate operator primitives.
+- v0.1.81 (2026-04-27) — **Vault-rotate.rotate: full rotation pipeline.** **Added:** *Vault-rotate.rotate: full rotation pipeline* — Vault-rotate.rotate: full rotation pipeline.
+- v0.1.80 (2026-04-27) — **Vault-rotate (diagnostics): schema-drift + round-trip verify.** **Added:** *Vault-rotate (diagnostics): schema-drift + round-trip verify* — Vault-rotate (diagnostics): schema-drift + round-trip verify.
+- v0.1.79 (2026-04-27) — **Drop SecP256r1MLKEM768 from default TLS group preference.** **Changed:** *Drop SecP256r1MLKEM768 from default TLS group preference* — Drop SecP256r1MLKEM768 from default TLS group preference.
+- v0.1.78 (2026-04-27) — **Pqc-agent: locked-posture HTTPS agent + http-client refactor.** **Added:** *Pqc-agent: locked-posture HTTPS agent + http-client refactor* — Pqc-agent: locked-posture HTTPS agent + http-client refactor.
+- v0.1.77 (2026-04-27) — **Pqc-gate: TCP-level PQC enforcement on ClientHello.** **Added:** *Pqc-gate: TCP-level PQC enforcement on ClientHello* — Pqc-gate: TCP-level PQC enforcement on ClientHello.
+- v0.1.76 (2026-04-27) — **Bundler: content-hashed asset pipeline + manifest — complete.** **Added:** *Bundler: content-hashed asset pipeline + manifest — complete* — Bundler: content-hashed asset pipeline + manifest — complete.
+- v0.1.75 (2026-04-27) — **Dev: file-watch + child-process restart engine.** **Added:** *Dev: file-watch + child-process restart engine* — Dev: file-watch + child-process restart engine.
+- v0.1.74 (2026-04-27) — **Cli: bin/blamejs + migrate up/down/status.** **Added:** *Cli: bin/blamejs + migrate up/down/status* — Cli: bin/blamejs + migrate up/down/status.
+- v0.1.73 (2026-04-27) — **Migrations: public up/down/status runner.** **Added:** *Migrations: public up/down/status runner* — Migrations: public up/down/status runner.
+- v0.1.72 (2026-04-27) — **Cookies: parse/serialize + sealed-value access gate.** **Added:** *Cookies: parse/serialize + sealed-value access gate* — Cookies: parse/serialize + sealed-value access gate.
+- v0.1.71 (2026-04-27) — **Errors-page: rich dev page + safe prod page; middleware shim.** **Added:** *Errors-page: rich dev page + safe prod page; middleware shim* — Errors-page: rich dev page + safe prod page; middleware shim.
+- v0.1.70 (2026-04-27) — **Log: structured JSON logging with request-id correlation.** **Added:** *Log: structured JSON logging with request-id correlation* — Log: structured JSON logging with request-id correlation.
+- v0.1.69 (2026-04-27) — **Scheduler: cron + interval over jobs/queue.** **Added:** *Scheduler: cron + interval over jobs/queue* — Scheduler: cron + interval over jobs/queue.
+- v0.1.68 (2026-04-27) — **Mail: generalize http transport, demote resend to thin preset.** **Added:** *Mail: generalize http transport, demote resend to thin preset* — Mail: generalize http transport, demote resend to thin preset.
+- v0.1.67 (2026-04-27) — **Mail: contract + console/memory/smtp/resend transports.** **Added:** *Mail: contract + console/memory/smtp/resend transports* — Mail: contract + console/memory/smtp/resend transports.
+- v0.1.66 (2026-04-26) — **Jobs (define + enqueue + in-process worker) + createApp wiring.** **Added:** *Jobs (define + enqueue + in-process worker) + createApp wiring* — Jobs (define + enqueue + in-process worker) + createApp wiring.
+- v0.1.65 (2026-04-26) — **CreateApp factory.** **Added:** *CreateApp factory* — CreateApp factory.
+- v0.1.64 (2026-04-26) — **Forms + csrfProtect.** **Added:** *Forms + csrfProtect* — Forms + csrfProtect.
+- v0.1.63 (2026-04-26) — **StaticServe: file serving + ETag + SRI integrity.** **Added:** *StaticServe: file serving + ETag + SRI integrity* — StaticServe: file serving + ETag + SRI integrity.
+- v0.1.62 (2026-04-26) — **Render: HTTP response helpers.** **Added:** *Render: HTTP response helpers* — Render: HTTP response helpers.
+- v0.1.61 (2026-04-26) — **Template engine (eval-free interpreter).** **Added:** *Template engine (eval-free interpreter)* — Template engine (eval-free interpreter).
+- v0.1.60 (2026-04-26) — **Auth.jwt with SLH-DSA-SHAKE-256f default.** **Added:** *Auth.jwt with SLH-DSA-SHAKE-256f default* — Auth.jwt with SLH-DSA-SHAKE-256f default.
+- v0.1.59 (2026-04-26) — **Middleware.attachUser + middleware.requireAuth.** **Added:** *Middleware.attachUser + middleware.requireAuth* — Middleware.attachUser + middleware.requireAuth.
+- v0.1.58 (2026-04-26) — **Auth.passkey (WebAuthn / FIDO2).** **Added:** *Auth.passkey (WebAuthn / FIDO2)* — Auth.passkey (WebAuthn / FIDO2).
+- v0.1.57 (2026-04-26) — **TOTP defaults match spec.** **Added:** *TOTP defaults match spec* — TOTP defaults match spec (HMAC-SHA512 / 128-byte secret / 8 digits / 30s) + crypto.random truncation fix.
+- v0.1.56 (2026-04-26) — **Auth.totp: flip default to HMAC-SHA512, drop SHA-1 support.** **Added:** *Auth.totp: flip default to HMAC-SHA512, drop SHA-1 support* — Auth.totp: flip default to HMAC-SHA512, drop SHA-1 support.
+- v0.1.55 (2026-04-26) — **Auth.totp / lib/totp.js (RFC 6238).** **Added:** *Auth.totp / lib/totp.js (RFC 6238)* — Auth.totp / lib/totp.js (RFC 6238).
+- v0.1.54 (2026-04-26) — **Audit-sign algorithm-agility + flip default to SLH-DSA-SHAKE-256f.** **Added:** *Audit-sign algorithm-agility + flip default to SLH-DSA-SHAKE-256f* — Audit-sign algorithm-agility + flip default to SLH-DSA-SHAKE-256f.
+- v0.1.53 (2026-04-26) — **Auth.password (Argon2id).** **Added:** *Auth.password (Argon2id)* — Auth.password (Argon2id).
+- v0.1.52 (2026-04-26) — **Consent_log integrity parity with audit_log.** **Added:** *Consent_log integrity parity with audit_log* — Consent_log integrity parity with audit_log.
+- v0.1.51 (2026-04-26) — **Queue jobs move to external-db in cluster mode.** **Added:** *Queue jobs move to external-db in cluster mode* — Queue jobs move to external-db in cluster mode.
+- v0.1.50 (2026-04-26) — **Sessions move to external-db in cluster mode.** **Added:** *Sessions move to external-db in cluster mode* — Sessions move to external-db in cluster mode.
+- v0.1.49 (2026-04-26) — **Boot-time vault-key consistency check.** **Added:** *Boot-time vault-key consistency check* — Boot-time vault-key consistency check.
+- v0.1.48 (2026-04-26) — **Boot-time audit-tip rollback detection in cluster mode.** **Added:** *Boot-time audit-tip rollback detection in cluster mode* — Boot-time audit-tip rollback detection in cluster mode.
+- v0.1.47 (2026-04-26) — **Fix handlers.drain unbounded loop on recursive emit (cluster-mode audit hang).** **Fixed:** *Fix handlers.drain unbounded loop on recursive emit (cluster-mode audit hang)* — Fix handlers.drain unbounded loop on recursive emit (cluster-mode audit hang).
+- v0.1.46 (2026-04-26) — **Cluster-mode audit-tip fencing-token guard.** **Added:** *Cluster-mode audit-tip fencing-token guard* — Cluster-mode audit-tip fencing-token guard.
+- v0.1.45 (2026-04-26) — **Cluster discovery surface for service-mesh / load-balancer routing.** **Added:** *Cluster discovery surface for service-mesh / load-balancer routing* — Cluster discovery surface for service-mesh / load-balancer routing.
+- v0.1.44 (2026-04-26) — **Repeating-pattern sweep: sleep + withTimeoutSignal + auth-header + listenOnRandomPort.** **Added:** *Repeating-pattern sweep* — Repeating-pattern sweep: sleep + withTimeoutSignal + auth-header + listenOnRandomPort.
+- v0.1.43 (2026-04-26) — **Url-safe protocol validator at outbound boundary.** **Added:** *Url-safe protocol validator at outbound boundary* — Url-safe protocol validator at outbound boundary.
+- v0.1.42 (2026-04-26) — **Router.closeWebSockets + activeWebSockets.** **Added:** *Router.closeWebSockets + activeWebSockets* — Router.closeWebSockets + activeWebSockets.
+- v0.1.41 (2026-04-26) — **Smoke runner gains groups + fixtures + per-test timing.** **Added:** *Smoke runner gains groups + fixtures + per-test timing* — Smoke runner gains groups + fixtures + per-test timing.
+- v0.1.40 (2026-04-26) — **Router.ws integration + WebSocket lifecycle redesign.** **Added:** *Router.ws integration + WebSocket lifecycle redesign* — Router.ws integration + WebSocket lifecycle redesign.
+- v0.1.39 (2026-04-26) — **H2 WebSocket (RFC 8441 Extended CONNECT) added to websocket.js.** **Added:** *H2 WebSocket (RFC 8441 Extended CONNECT) added to websocket.js* — H2 WebSocket (RFC 8441 Extended CONNECT) added to websocket.js.
+- v0.1.38 (2026-04-26) — **Lib/websocket.js (RFC 6455 server primitive).** **Added:** *Lib/websocket.js (RFC 6455 server primitive)* — Lib/websocket.js (RFC 6455 server primitive).
+- v0.1.37 (2026-04-26) — **AtomicFile.listDir primitive with adoption across affected lib sites.** **Added:** *AtomicFile.listDir primitive with adoption across affected lib sites* — AtomicFile.listDir primitive with adoption across affected lib sites.
+- v0.1.36 (2026-04-26) — **TestConstantsReferenceIntegrity uses framework primitives.** **Added:** *TestConstantsReferenceIntegrity uses framework primitives* — TestConstantsReferenceIntegrity uses framework primitives.
+- v0.1.35 (2026-04-26) — **Fix stale C.TIME.FIVE_MIN refs + add integrity test.** **Fixed:** *Fix stale C.TIME.FIVE_MIN refs + add integrity test* — Fix stale C.TIME.FIVE_MIN refs + add integrity test.
+- v0.1.34 (2026-04-26) — **Document h3-ready transport cache + TLS session resumption stance.** **Changed:** *Document h3-ready transport cache + TLS session resumption stance* — Document h3-ready transport cache + TLS session resumption stance.
+- v0.1.33 (2026-04-26) — **HTTP/2 backend behind same httpClient.request surface.** **Added:** *HTTP/2 backend behind same httpClient.request surface* — HTTP/2 backend behind same httpClient.request surface.
+- v0.1.32 (2026-04-26) — **Http-client primitive (h1 baseline) with adoption across affected adapters.** **Added:** *Http-client primitive (h1 baseline) with adoption across affected adapters* — Http-client primitive (h1 baseline) with adoption across affected adapters.
+- v0.1.31 (2026-04-26) — **Logger primitive + sweep log/logErr/console sites.** **Added:** *Logger primitive + sweep log/logErr/console sites* — Logger primitive + sweep log/logErr/console sites.
+- v0.1.30 (2026-04-26) — **Framework-error base class + sweep operational _err factories.** **Added:** *Framework-error base class + sweep operational _err factories* — Framework-error base class + sweep operational _err factories.
+- v0.1.29 (2026-04-26) — **Lazy-require primitive with adoption across affected modules.** **Added:** *Lazy-require primitive with adoption across affected modules* — Lazy-require primitive with adoption across affected modules.
+- v0.1.28 (2026-04-26) — **Adopt bufferSafe.secureZero in passphrase + key-wrap paths.** **Changed:** *Adopt bufferSafe.secureZero in passphrase + key-wrap paths* — Adopt bufferSafe.secureZero in passphrase + key-wrap paths.
+- v0.1.27 (2026-04-26) — **BufferSafe primitive + sweep parsers/atomic-file/object-store.** **Added:** *BufferSafe primitive + sweep parsers/atomic-file/object-store* — BufferSafe primitive + sweep parsers/atomic-file/object-store.
+- v0.1.26 (2026-04-26) — **EnvSafe.readVar primitive + sweep direct process.env reads.** **Added:** *EnvSafe.readVar primitive + sweep direct process.env reads* — EnvSafe.readVar primitive + sweep direct process.env reads.
+- v0.1.25 (2026-04-26) — **Dedup audit-sign passphrase logic into passphrase-source.** **Changed:** *Dedup audit-sign passphrase logic into passphrase-source* — Dedup audit-sign passphrase logic into passphrase-source.
+- v0.1.24 (2026-04-26) — **Layer 5 extraction + smoke.js as pure orchestrator.** **Added:** *Layer 5 extraction + smoke.js as pure orchestrator* — Layer 5 extraction + smoke.js as pure orchestrator.
+- v0.1.23 (2026-04-26) — **Layer 4 extraction: consumer modules → 40-consumers.js.** **Added:** *Layer 4 extraction: consumer modules → 40-consumers.js* — Layer 4 extraction: consumer modules → 40-consumers.js.
+- v0.1.22 (2026-04-26) — **Layer 3 extraction: chain-writing modules → 30-chain.js.** **Added:** *Layer 3 extraction: chain-writing modules → 30-chain.js* — Layer 3 extraction: chain-writing modules → 30-chain.js.
+- v0.1.21 (2026-04-26) — **Layer 2 extraction: db + framework-schema → 20-db.js.** **Added:** *Layer 2 extraction: db + framework-schema → 20-db.js* — Layer 2 extraction: db + framework-schema → 20-db.js.
+- v0.1.20 (2026-04-26) — **Layer 1 extraction: vault + cluster + framework-schema → 10-state.js.** **Added:** *Layer 1 extraction: vault + cluster + framework-schema → 10-state.js* — Layer 1 extraction: vault + cluster + framework-schema → 10-state.js.
+- v0.1.19 (2026-04-26) — **Layer 0 extraction: atomic-file + parsers + redact → 00-primitives.js.** **Added:** *Layer 0 extraction: atomic-file + parsers + redact → 00-primitives.js* — Layer 0 extraction: atomic-file + parsers + redact → 00-primitives.js.
+- v0.1.18 (2026-04-26) — **Layer 0 extraction: json-safe tests → 00-primitives.js.** **Added:** *Layer 0 extraction: json-safe tests → 00-primitives.js* — Layer 0 extraction: json-safe tests → 00-primitives.js.
+- v0.1.17 (2026-04-26) — **Layer 0 extraction: async-safe + handlers tests → 00-primitives.js.** **Added:** *Layer 0 extraction: async-safe + handlers tests → 00-primitives.js* — Layer 0 extraction: async-safe + handlers tests → 00-primitives.js.
+- v0.1.16 (2026-04-26) — **First Layer 0 extraction (sql-safe + chain-writer → 00-primitives.js).** **Added:** *First Layer 0 extraction (sql-safe + chain-writer → 00-primitives.js)* — First Layer 0 extraction (sql-safe + chain-writer → 00-primitives.js).
+- v0.1.15 (2026-04-26) — **Extract test/_helpers.js (foundation for layer-file split).** **Changed:** *Extract test/_helpers.js (foundation for layer-file split)* — Extract test/_helpers.js (foundation for layer-file split).
+- v0.1.14 (2026-04-26) — **Smoke runner reordered by dependency layer (primitives first, consumers last).** **Added:** *Smoke runner reordered by dependency layer (primitives first, consumers last)* — Smoke runner reordered by dependency layer (primitives first, consumers last).
+- v0.1.13 (2026-04-26) — **Sql-safe + chain-writer primitives; consent gets the audit Mutex fix as a side effect of consolidation.** **Added:** *Sql-safe + chain-writer primitives; consent gets the audit Mutex fix as a sid* — Sql-safe + chain-writer primitives; consent gets the audit Mutex fix as a side effect of consolidation.
+- v0.1.12 (2026-04-26) — **Async-safe + handlers hardening.** **Fixed:** *Async-safe + handlers hardening* — Async-safe + handlers hardening: AbortSignal, Once.reset, isRetryable override, timer-unref bug fix, full primitive test coverage.
+- v0.1.11 (2026-04-26) — **Handlers primitive replaces fire-and-forget audit emission.** **Added:** *Handlers primitive replaces fire-and-forget audit emission* — Handlers primitive replaces fire-and-forget audit emission.
+- v0.1.10 (2026-04-26) — **Async-safe library + audit dispatch via cluster-storage.** **Added:** *Async-safe library + audit dispatch via cluster-storage* — Async-safe library + audit dispatch via cluster-storage.
+- v0.1.9 (2026-04-26) — **Cluster storage step 2: SQL dispatcher (lib/cluster-storage.js).** **Added:** *Cluster storage step 2: SQL dispatcher (lib/cluster-storage.js)* — Cluster storage step 2: SQL dispatcher (lib/cluster-storage.js).
+- v0.1.8 (2026-04-26) — **Cluster storage step 1: framework-state schema for external-db.** **Added:** *Cluster storage step 1: framework-state schema for external-db* — Cluster storage step 1: framework-state schema for external-db.
+- v0.1.7 (2026-04-26) — **Update .env safe loader (lib/parsers/env-safe.js).** **Added:** *Update .env safe loader (lib/parsers/env-safe.js)* — .env safe loader (lib/parsers/env-safe.js).
+- v0.1.6 (2026-04-26) — **YAML 1.2 safe-subset parser (lib/parsers/yaml-safe.js).** **Added:** *YAML 1.2 safe-subset parser (lib/parsers/yaml-safe.js)* — YAML 1.2 safe-subset parser (lib/parsers/yaml-safe.js).
+- v0.1.5 (2026-04-26) — **TOML 1.0 safe parser (lib/parsers/toml-safe.js).** **Added:** *TOML 1.0 safe parser (lib/parsers/toml-safe.js)* — TOML 1.0 safe parser (lib/parsers/toml-safe.js).
+- v0.1.4 (2026-04-26) — **Xml-safe parser adopted in object-store list responses.** **Added:** *Xml-safe parser adopted in object-store list responses* — Xml-safe parser adopted in object-store list responses.
+- v0.1.3 (2026-04-26) — **AtomicFile.readSync for sync init paths.** **Added:** *AtomicFile.readSync for sync init paths* — AtomicFile.readSync for sync init paths.
+- v0.1.2 (2026-04-26) — **Rename b.json public API to b.jsonSafe.** **Changed:** *Rename b.json public API to b.jsonSafe* — Rename b.json public API to b.jsonSafe.
+- v0.1.1 (2026-04-26) — **Rename HA → cluster (no cryptic acronyms in framework names).** **Changed:** *Rename HA → cluster (no cryptic acronyms in framework names)* — Rename HA → cluster (no cryptic acronyms in framework names).
+- v0.1.0 (2026-04-26) — **HA write-side gates wired across framework subsystems.** **Added:** *HA write-side gates wired across framework subsystems* — HA write-side gates wired across framework subsystems.
+## v0.0.x
+- v0.0.19 (2026-04-26) — **HA core: leader election and fencing tokens.** **Added:** *Leader election and fencing-token primitive* — Adds the high-availability core: an operator-facing leader-election primitive with monotonic fencing tokens so followers can detect and refuse stale-leader writes against shared resources.
+- v0.0.18 (2026-04-26) — **Strip internal-process narrative from framework comments.** **Changed:** *Source comments rewritten to operator-facing voice* — Rewrites in-source comments across `lib/` to describe what each primitive does and why operators care, removing internal-process vocabulary that meant nothing outside the maintainer workflow.
+- v0.0.17 (2026-04-25) — **Internal adoption pass and functional scale helpers.** **Changed:** *Internal adoption of framework primitives across `lib/`* — Refactors framework-internal call sites to compose the public primitives they previously open-coded, and adds the functional scale helpers used by hot-path observability sinks.
+- v0.0.16 (2026-04-25) — **Atomic file I/O and safe XML and CSV parsers.** **Added:** *Atomic file I/O and safe XML and CSV parsers* — Adds the atomic file-write primitive that survives mid-write crashes plus hardened XML and CSV parsers with depth, byte, and field-count caps to refuse pathological inputs.
+- v0.0.15 (2026-04-25) — **HTTP middleware: request lifecycle hardening begins.** **Added:** *HTTP middleware request-lifecycle hardening* — Starts the HTTP middleware family with the request-lifecycle hardening primitives that wire security defaults into every request entering the framework.
+- v0.0.14 (2026-04-25) — **External database support, app-data-only shape with bring-your-own client.** **Added:** *External database support in app-data-only shape* — Adds the external-database integration in its app-data-only configuration: operators bring their own database client and the framework uses it exclusively for application data, keeping audit and key material on the sealed local store.
+- v0.0.13 (2026-04-25) — **Log streaming, redaction, and bidirectional command channel.** **Added:** *Log streaming with redaction and bidirectional command channel* — Introduces the log-stream primitive with built-in field redaction plus a bidirectional command channel so operators can stream logs out and push runtime commands in over the same transport.
+- v0.0.12 (2026-04-25) — **Queue dispatcher with local SQLite-backed protocol.** **Added:** *Queue dispatcher and SQLite-backed local protocol* — Adds the work-queue dispatcher primitive together with a local SQLite-backed protocol adapter so operators can run durable background work without standing up an external broker.
+- v0.0.11 (2026-04-25) — **GCS and Azure Blob protocol adapters complete the object-store surface.** **Added:** *Google Cloud Storage and Azure Blob adapters* — Adds the GCS and Azure Blob protocol adapters alongside the existing SigV4 adapter, giving the object-store primitive coverage of every major cloud provider out of the box.
+- v0.0.10 (2026-04-25) — **SigV4 protocol adapter for S3-compatible object stores.** **Added:** *SigV4 protocol adapter* — Adds the AWS SigV4 signing adapter so the object-store primitive can talk to S3, Cloudflare R2, Backblaze B2, MinIO, Wasabi, DigitalOcean Spaces, and any other SigV4-speaking endpoint with a single configuration shape.
+- v0.0.9 (2026-04-25) — **Generic remote data layer with classification-routed bifurcation.** **Added:** *Generic remote data layer with classification-routed bifurcation* — Adds a generic remote data-access layer that routes reads and writes to distinct backends based on the data's classification label, so sensitive records can be steered to a hardened store while bulk data uses a cheaper path.
+- v0.0.8 (2026-04-25) — **Full tamper-proof bar with signed checkpoints and rollback detection.** **Added:** *Signed audit checkpoints and rollback detection* — Completes the tamper-evident bar for the audit chain by adding cryptographically signed checkpoints and a verifier that detects rollback or truncation of the persisted log.
+- v0.0.7 (2026-04-25) — **Traceability hardening and dynamic PK/FK schema declarations.** **Added:** *Traceability hardening and dynamic primary-key/foreign-key schema declarations* — Strengthens the audit trail's correlation identifiers across request boundaries and extends the database schema layer to declare primary and foreign keys dynamically from the migration definitions.
+- v0.0.6 (2026-04-25) — **Security-focused JSON parsing and schema validation.** **Added:** *Hardened JSON parser and schema validator* — Adds a depth-and-byte-capped JSON parser plus a companion schema validator that operators compose at request boundaries to refuse oversized or pathological payloads before they touch handlers.
+- v0.0.5 (2026-04-25) — **Session and storage local backend.** **Added:** *Session primitive and local storage backend* — Introduces the encrypted session primitive and the on-disk local storage backend that hosts session state when no external store is wired.
+- v0.0.4 (2026-04-25) — **Audit chain, consent log, and subject rights.** **Added:** *Tamper-evident audit chain, consent log, and subject-rights primitives* — Adds the append-only audit chain, the consent log used for lawful-basis tracking, and the data-subject-rights workflow primitives covering access, rectification, and erasure requests.
+- v0.0.3 (2026-04-25) — **Database, query builder, field-crypto, and migrations.** **Added:** *Database stack with query builder, field-level crypto, and migrations* — Adds the in-tree database layer including a parameterised query builder, per-field encryption hooks, and a migration runner that operators invoke at boot.
+- v0.0.2 (2026-04-25) — **Vault and key management.** **Added:** *Vault and key-management primitives* — Introduces the framework's sealed key store and the primitives that wrap key derivation, storage, and rotation for downstream crypto consumers.
+- v0.0.1 (2026-04-25) — **Foundation.** **Added:** *Initial framework foundation* — First published version establishing the framework's core layout, module conventions, and zero-runtime-dependency posture.