@blamejs/blamejs-shop 0.0.44

package/lib/vendor/blamejs/lib/middleware/scim-server.js

@@ -0,0 +1,375 @@
+"use strict";
+// SCIM 2.0 server middleware (RFC 7642 / 7643 / 7644).
+// Provides /Users + /Groups + /ServiceProviderConfig + /ResourceTypes
+// + /Schemas surfaces backed by operator-supplied CRUD callbacks.
+
+var framework_error = require("../framework-error");
+var validateOpts    = require("../validate-opts");
+var safeJson        = require("../safe-json");
+var safeBuffer      = require("../safe-buffer");
+var requestHelpers  = require("../request-helpers");
+var C               = require("../constants");
+
+var H = requestHelpers.HTTP_STATUS;
+
+var ScimServerError = framework_error.defineClass(
+  "ScimServerError",
+  "middleware/scim-server"
+);
+
+var SCIM_CORE_SCHEMA_USER  = "urn:ietf:params:scim:schemas:core:2.0:User";
+var SCIM_CORE_SCHEMA_GROUP = "urn:ietf:params:scim:schemas:core:2.0:Group";
+var SCIM_MESSAGE_ERROR     = "urn:ietf:params:scim:api:messages:2.0:Error";
+var SCIM_MESSAGE_LIST      = "urn:ietf:params:scim:api:messages:2.0:ListResponse";
+
+var ALLOWED_FILTER_OPS = ["eq", "ne", "co", "sw", "ew", "pr", "gt", "ge", "lt", "le"];
+
+var SCIM_FILTER_RE = /^\s*([a-zA-Z][a-zA-Z0-9._-]*)\s+(eq|ne|co|sw|ew|pr|gt|ge|lt|le)(?:\s+(.+))?\s*$/;
+var RESOURCE_PATH_RE = /^\/(Users|Groups)(?:\/([^/]+))?$/;
+var BEARER_RE = /^Bearer\s+(.+)$/i;
+
+/**
+ * @primitive b.middleware.scimServer
+ * @signature b.middleware.scimServer(opts)
+ * @since     0.8.77
+ * @related   b.auth.oauth.introspectToken
+ *
+ * Returns a request middleware that handles SCIM 2.0 requests
+ * (RFC 7642-7644). Operator supplies CRUD callbacks per resource.
+ *
+ * @opts
+ *   {
+ *     basePath?:    string,
+ *     users:        ScimResourceImpl,
+ *     groups?:      ScimResourceImpl,
+ *     bearer?:      (token) => Promise<actor>,
+ *     maxPageSize?: number,
+ *   }
+ *
+ * @example
+ *   var mw = b.middleware.scimServer({
+ *     basePath: "/scim/v2",
+ *     users:  myUserAdapter,
+ *     groups: myGroupAdapter,
+ *   });
+ *   app.use(mw);
+ */
+function create(opts) {
+  validateOpts.requireObject(opts, "middleware.scimServer",
+    ScimServerError, "middleware/scim-server/bad-opts");
+  _validateResourceImpl(opts.users,  "users");
+  if (opts.groups) _validateResourceImpl(opts.groups, "groups");
+
+  var basePath    = opts.basePath || "/scim/v2";
+  var maxPageSize = opts.maxPageSize || 200;                                                                  // allow:raw-byte-literal — page-size count, not bytes
+  var bearer      = opts.bearer || null;
+
+  function middleware(req, res, next) {
+    var url = req.url.split("?")[0];
+    if (url.indexOf(basePath) !== 0) { next(); return; }
+    _dispatch(req, res, basePath, bearer, opts, maxPageSize)
+      .catch(function (err) {
+        _writeScimError(res, err.statusCode || 500, err.scimType || "internal",
+          (err.message || String(err)).slice(0, 500));
+      });
+  }
+
+  middleware.basePath           = basePath;
+  middleware.serviceProviderDoc = _serviceProviderConfig(opts);
+  return middleware;
+}
+
+function _validateResourceImpl(impl, name) {
+  if (!impl || typeof impl !== "object") {
+    throw new ScimServerError("middleware/scim-server/no-" + name,
+      "middleware.scimServer: opts." + name + " must be an object implementing { create, read, update, patch, remove, list }");
+  }
+  ["create", "read", "update", "patch", "remove", "list"].forEach(function (m) {
+    if (typeof impl[m] !== "function") {
+      throw new ScimServerError("middleware/scim-server/bad-" + name + "-impl",
+        "middleware.scimServer: opts." + name + "." + m + " must be a function");
+    }
+  });
+}
+
+async function _dispatch(req, res, basePath, bearer, opts, maxPageSize) {
+  var relUrl = req.url.slice(basePath.length) || "/";
+  var qIdx   = relUrl.indexOf("?");
+  var path   = qIdx === -1 ? relUrl : relUrl.slice(0, qIdx);
+  var query  = _parseQuery(qIdx === -1 ? "" : relUrl.slice(qIdx + 1));
+
+  if (path === "/ServiceProviderConfig" && req.method === "GET") {
+    _writeJson(res, H.OK, _serviceProviderConfig(opts)); return;
+  }
+  if (path === "/ResourceTypes" && req.method === "GET") {
+    _writeJson(res, H.OK, _resourceTypes(opts)); return;
+  }
+  if (path === "/Schemas" && req.method === "GET") {
+    _writeJson(res, H.OK, _schemas()); return;
+  }
+
+  var actor = null;
+  if (bearer) {
+    var authz = req.headers && req.headers.authorization;
+    // BEARER_RE applies to a single header line; node http caps header lines at 8 KiB.
+    var m = authz && typeof authz === "string" && authz.length < C.BYTES.kib(8) && BEARER_RE.test(authz)    // allow:regex-no-length-cap header line bounded above
+      ? authz.match(BEARER_RE) : null;
+    if (!m) {
+      res.writeHead(H.UNAUTHORIZED, {
+        "Content-Type":     "application/scim+json",
+        "WWW-Authenticate": "Bearer",
+        "Cache-Control":    "no-store",
+      });
+      res.end(JSON.stringify({
+        schemas:  [SCIM_MESSAGE_ERROR],
+        status:   "401",
+        detail:   "Missing Bearer token",
+      }));
+      return;
+    }
+    try { actor = await bearer(m[1]); }
+    catch (_e) { actor = null; }
+    if (!actor) {
+      res.writeHead(H.UNAUTHORIZED, {
+        "Content-Type":     "application/scim+json",
+        "WWW-Authenticate": 'Bearer error="invalid_token"',
+        "Cache-Control":    "no-store",
+      });
+      res.end(JSON.stringify({
+        schemas:  [SCIM_MESSAGE_ERROR],
+        status:   "401",
+        detail:   "Bearer token rejected",
+      }));
+      return;
+    }
+  }
+
+  var ctx     = { actor: actor, req: req };
+  var users   = opts.users;
+  var groups  = opts.groups;
+
+  // RESOURCE_PATH_RE applies to a URL path; node http caps URL at 8 KiB.
+  var match = path.length < C.BYTES.kib(8) && RESOURCE_PATH_RE.test(path) ? path.match(RESOURCE_PATH_RE) : null;   // allow:regex-no-length-cap URL bounded above
+  if (!match) {
+    _writeScimError(res, H.NOT_FOUND, "notFound", "no SCIM resource at " + path);
+    return;
+  }
+  var resourceType = match[1];
+  var resourceId   = match[2] || null;
+  var impl = resourceType === "Users" ? users : groups;
+  if (!impl) {
+    _writeScimError(res, 404, "notFound", "/" + resourceType + " not configured");
+    return;
+  }
+
+  var body = null;
+  if (req.method === "POST" || req.method === "PUT" || req.method === "PATCH") {
+    body = await _readJsonBody(req);
+  }
+
+  if (req.method === "GET" && !resourceId) {
+    var filter = _parseFilter(query.filter);
+    var pageSize   = Math.min(maxPageSize, parseInt(query.count || "100", 10) || 100);
+    var startIndex = Math.max(1, parseInt(query.startIndex || "1", 10) || 1);
+    var listRv = await impl.list({
+      filter:             filter,
+      startIndex:         startIndex,
+      count:              pageSize,
+      sortBy:             query.sortBy || null,
+      sortOrder:          query.sortOrder || null,
+      attributes:         query.attributes ? query.attributes.split(",") : null,                  // allow:bare-split-on-quoted-header — RFC 7644 §3.9 attributes/excludedAttributes are SCIM attribute paths (URN-ish identifiers); grammar excludes DQUOTE
+      excludedAttributes: query.excludedAttributes ? query.excludedAttributes.split(",") : null,    // allow:bare-split-on-quoted-header — same SCIM attribute-name grammar
+    }, ctx);
+    _writeJson(res, H.OK, {
+      schemas:      [SCIM_MESSAGE_LIST],
+      totalResults: listRv.totalResults,
+      startIndex:   startIndex,
+      itemsPerPage: listRv.Resources.length,
+      Resources:    listRv.Resources,
+    });
+    return;
+  }
+
+  if (req.method === "GET" && resourceId) {
+    var rec = await impl.read(resourceId, ctx);
+    if (!rec) { _writeScimError(res, H.NOT_FOUND, "notFound", "no resource with id " + resourceId); return; }
+    _writeJson(res, H.OK, rec);
+    return;
+  }
+
+  if (req.method === "POST" && !resourceId) {
+    _assertSchema(body, resourceType === "Users" ? SCIM_CORE_SCHEMA_USER : SCIM_CORE_SCHEMA_GROUP);
+    var created = await impl.create(body, ctx);
+    _writeJson(res, H.CREATED, created);
+    return;
+  }
+
+  if (req.method === "PUT" && resourceId) {
+    _assertSchema(body, resourceType === "Users" ? SCIM_CORE_SCHEMA_USER : SCIM_CORE_SCHEMA_GROUP);
+    var updated = await impl.update(resourceId, body, ctx);
+    _writeJson(res, H.OK, updated);
+    return;
+  }
+
+  if (req.method === "PATCH" && resourceId) {
+    if (!body || !Array.isArray(body.Operations) || body.Operations.length === 0) {
+      _writeScimError(res, H.BAD_REQUEST, "invalidValue", "PATCH body must include Operations[]");
+      return;
+    }
+    body.Operations.forEach(function (op, i) {
+      if (!op || typeof op !== "object" || typeof op.op !== "string") {
+        var e = new Error("Operations[" + i + "] missing op");
+        e.statusCode = H.BAD_REQUEST; e.scimType = "invalidValue";
+        throw e;
+      }
+      var verb = op.op.toLowerCase();
+      if (verb !== "add" && verb !== "remove" && verb !== "replace") {
+        var e2 = new Error("Operations[" + i + "].op = '" + op.op + "' not in add/remove/replace");
+        e2.statusCode = H.BAD_REQUEST; e2.scimType = "invalidValue";
+        throw e2;
+      }
+    });
+    var patched = await impl.patch(resourceId, body.Operations, ctx);
+    _writeJson(res, H.OK, patched);
+    return;
+  }
+
+  if (req.method === "DELETE" && resourceId) {
+    await impl.remove(resourceId, ctx);
+    res.writeHead(H.NO_CONTENT, { "Cache-Control": "no-store" });
+    res.end();
+    return;
+  }
+
+  _writeScimError(res, H.METHOD_NOT_ALLOWED, "noTarget", req.method + " not allowed on " + path);
+}
+
+function _parseQuery(qs) {
+  var out = {};
+  if (!qs) return out;
+  qs.split("&").forEach(function (pair) {
+    var eq = pair.indexOf("=");
+    var k  = eq === -1 ? pair : pair.slice(0, eq);
+    var v  = eq === -1 ? ""   : pair.slice(eq + 1);
+    try { out[decodeURIComponent(k)] = decodeURIComponent(v.replace(/\+/g, " ")); }
+    catch (_e) { /* skip malformed */ }
+  });
+  return out;
+}
+
+function _parseFilter(filter) {
+  if (typeof filter !== "string" || filter.length === 0) return null;
+  if (!SCIM_FILTER_RE.test(filter)) return { raw: filter };
+  var m = filter.match(SCIM_FILTER_RE);
+  var op = m[2].toLowerCase();
+  if (ALLOWED_FILTER_OPS.indexOf(op) === -1) return { raw: filter };
+  var rv = { attribute: m[1], op: op, raw: filter };
+  if (op === "pr") return rv;
+  var v = (m[3] || "").trim();
+  if (v.charAt(0) === '"' && v.charAt(v.length - 1) === '"') {
+    v = v.slice(1, -1).replace(/\\"/g, '"');
+  }
+  rv.value = v;
+  return rv;
+}
+
+function _readJsonBody(req) {
+  var MAX = C.BYTES.mib(1);
+  if (req.body && Buffer.isBuffer(req.body)) {
+    return Promise.resolve(safeJson.parse(req.body.toString("utf8"), { maxBytes: MAX }));
+  }
+  if (req.body && typeof req.body === "object") return Promise.resolve(req.body);
+  return safeBuffer.boundedChunkCollector(req, MAX, ScimServerError, "middleware/scim-server/body-too-large")
+    .then(function (buf) {
+      return safeJson.parse(buf.toString("utf8"), { maxBytes: MAX });
+    });
+}
+
+function _assertSchema(body, expectedSchema) {
+  if (!body || typeof body !== "object") {
+    var e = new Error("request body must be a JSON object");
+    e.statusCode = H.BAD_REQUEST; e.scimType = "invalidValue"; throw e;
+  }
+  if (!Array.isArray(body.schemas) || body.schemas.indexOf(expectedSchema) === -1) {
+    var e2 = new Error("body.schemas must include '" + expectedSchema + "'");
+    e2.statusCode = H.BAD_REQUEST; e2.scimType = "invalidValue"; throw e2;
+  }
+}
+
+function _writeJson(res, status, body) {
+  res.writeHead(status, {
+    "Content-Type":  "application/scim+json",
+    "Cache-Control": "no-store",
+  });
+  res.end(JSON.stringify(body));
+}
+
+function _writeScimError(res, status, scimType, detail) {
+  res.writeHead(status, {
+    "Content-Type":  "application/scim+json",
+    "Cache-Control": "no-store",
+  });
+  res.end(JSON.stringify({
+    schemas:  [SCIM_MESSAGE_ERROR],
+    status:   String(status),
+    scimType: scimType,
+    detail:   detail,
+  }));
+}
+
+function _serviceProviderConfig(opts) {
+  return {
+    schemas: ["urn:ietf:params:scim:schemas:core:2.0:ServiceProviderConfig"],
+    documentationUri: opts.documentationUri || "https://datatracker.ietf.org/doc/html/rfc7643",
+    patch:            { supported: true },
+    bulk:             { supported: false, maxOperations: 0, maxPayloadSize: 0 },
+    filter:           { supported: true, maxResults: opts.maxPageSize || 200 },
+    changePassword:   { supported: false },
+    sort:             { supported: true },
+    etag:             { supported: false },
+    authenticationSchemes: [
+      {
+        type:        "oauthbearertoken",
+        name:        "OAuth 2.0 Bearer Token",
+        description: "Authentication scheme using the OAuth Bearer Token Standard",
+        specUri:     "https://www.rfc-editor.org/info/rfc6750",
+        primary:     true,
+      },
+    ],
+  };
+}
+
+function _resourceTypes(opts) {
+  var rv = [
+    {
+      schemas:  ["urn:ietf:params:scim:schemas:core:2.0:ResourceType"],
+      id:       "User", name: "User", endpoint: "/Users",
+      description: "User resource (RFC 7643 §4.1)",
+      schema:   SCIM_CORE_SCHEMA_USER,
+    },
+  ];
+  if (opts.groups) {
+    rv.push({
+      schemas:  ["urn:ietf:params:scim:schemas:core:2.0:ResourceType"],
+      id:       "Group", name: "Group", endpoint: "/Groups",
+      description: "Group resource (RFC 7643 §4.2)",
+      schema:   SCIM_CORE_SCHEMA_GROUP,
+    });
+  }
+  return rv;
+}
+
+function _schemas() {
+  return [
+    { id: SCIM_CORE_SCHEMA_USER,  name: "User",  description: "RFC 7643 §4.1 User resource" },
+    { id: SCIM_CORE_SCHEMA_GROUP, name: "Group", description: "RFC 7643 §4.2 Group resource" },
+  ];
+}
+
+module.exports = {
+  create:                 create,
+  ScimServerError:        ScimServerError,
+  SCIM_CORE_SCHEMA_USER:  SCIM_CORE_SCHEMA_USER,
+  SCIM_CORE_SCHEMA_GROUP: SCIM_CORE_SCHEMA_GROUP,
+  ALLOWED_FILTER_OPS:     ALLOWED_FILTER_OPS,
+};

package/lib/vendor/blamejs/lib/middleware/security-headers.js

@@ -0,0 +1,285 @@
+"use strict";
+/**
+ * Security headers middleware. Sets the headers every modern app should
+ * send, regardless of content. Deliberately strict by default — operators
+ * who need to soften a header opt in explicitly per option.
+ *
+ *   Strict-Transport-Security        — force HTTPS (HSTS); 2-year max-age + includeSubDomains + preload
+ *   X-Content-Type-Options: nosniff  — block MIME sniffing
+ *   X-Frame-Options: DENY            — prevent clickjacking via iframes
+ *   Referrer-Policy: no-referrer     — don't leak full URL to outbound links
+ *   Permissions-Policy               — disable common-attack APIs (camera, geolocation, payment, etc.)
+ *   Cross-Origin-Opener-Policy: same-origin
+ *   Cross-Origin-Embedder-Policy: require-corp / credentialless   (off by default — breaks images from CDNs; credentialless is the
+ *   CR 2024-12 relaxed mode that lets cross-origin no-cors requests load without CORP markers as long as they don't carry credentials)
+ *   Cross-Origin-Resource-Policy: same-origin
+ *   Origin-Agent-Cluster: ?1        — origin-keyed agent cluster; extra process isolation
+ *   X-DNS-Prefetch-Control: off     — don't pre-resolve DNS for off-page links
+ *   Content-Security-Policy          — operator-supplied; framework provides a safe default that
+ *                                       only allows same-origin and prevents inline scripts
+ *
+ * These are the OWASP-aligned defaults. Apps that need different policies
+ * (e.g. allow-list for analytics scripts, embed iframes from a known
+ * partner) override per-option without losing the others.
+ *
+ * Options:
+ *   {
+ *     hsts:                 '<value>' or false to disable
+ *     contentTypeOptions:   'nosniff' or false
+ *     frameOptions:         'DENY' | 'SAMEORIGIN' or false
+ *     referrerPolicy:       '<value>' or false
+ *     permissionsPolicy:    '<value>' or false
+ *     coop / coep / corp:   '<value>' or false
+ *     originAgentCluster:   '?1' (default) or '?0' or false
+ *     dnsPrefetchControl:   'off' (default) or 'on' or false
+ *     csp:                  '<full CSP string>' or false to disable
+ *   }
+ */
+
+var requestHelpers = require("../request-helpers");
+var validateOpts = require("../validate-opts");
+
+var DEFAULT_PERMISSIONS = [
+  "accelerometer=()", "ambient-light-sensor=()", "autoplay=()",
+  "camera=()", "display-capture=()", "encrypted-media=()", "fullscreen=()",
+  "geolocation=()", "gyroscope=()", "magnetometer=()", "microphone=()",
+  "midi=()", "payment=()", "picture-in-picture=()", "publickey-credentials-get=()",
+  "screen-wake-lock=()", "sync-xhr=()", "usb=()", "web-share=()", "xr-spatial-tracking=()",
+  // v0.8.33 expansion — newer Permissions-Policy feature names that
+  // weren't deny-by-default before. interest-cohort (FLoC, deprecated
+  // but still recognized), attribution-reporting (Privacy Sandbox),
+  // bluetooth / hid / serial (Web USB-shaped APIs), idle-detection,
+  // local-fonts (system-font fingerprinting), compute-pressure
+  // (CPU-load-side-channel), window-management (multi-screen probe),
+  // and the private-state-token-* family (Privacy-Pass-style anti-
+  // fraud tokens). Operators wanting any of these explicitly opt in
+  // by passing their own permissionsPolicy.
+  "interest-cohort=()", "attribution-reporting=()",
+  "bluetooth=()", "hid=()", "serial=()", "idle-detection=()",
+  "local-fonts=()", "compute-pressure=()", "window-management=()",
+  "private-state-token-issuance=()", "private-state-token-redemption=()",
+  // v0.8.70 expansion — Privacy-Sandbox + Storage Access feature
+  // names that landed in Chrome 119+/120+ stable. Default-deny:
+  //   - storage-access — Storage Access API (cross-site cookie
+  //     access flow under Privacy Sandbox); operators serving an
+  //     embedded-iframe SaaS opt in explicitly.
+  //   - browsing-topics — Topics API (replacement for FLoC);
+  //     enabled by default in Chrome but trackable surface, so
+  //     deny-by-default unless the operator opts in.
+  //   - private-aggregation, attribution-reporting-cross-site —
+  //     Privacy Sandbox aggregation APIs; deny-by-default.
+  //   - controlled-frame, captured-surface-control — Web App
+  //     embedding APIs; deny-by-default.
+  "storage-access=()", "browsing-topics=()",
+  "private-aggregation=()", "controlled-frame=()", "captured-surface-control=()",
+  // v0.8.77 expansion — remaining Privacy Sandbox + Browser-API
+  // directives surfacing through Chrome 130+ / Firefox 132+ stable.
+  // Default-deny: FedCM (identity-credentials-get), cross-site
+  // attribution reporting, WebAuthn create flow (operators that need
+  // it opt in explicitly), FLEDGE/Topics auction APIs (join-ad-
+  // interest-group / run-ad-auction), Shared Storage API + selectURL,
+  // Smart Card API, all-screens capture, deferred-fetch (background
+  // resource sync).
+  "identity-credentials-get=()", "attribution-reporting-cross-site=()",
+  "publickey-credentials-create=()", "join-ad-interest-group=()",
+  "run-ad-auction=()", "shared-storage=()", "shared-storage-select-url=()",
+  "smartcard=()", "all-screens-capture=()", "deferred-fetch=()",
+];
+
+// Strict CSP — no 'unsafe-inline' on script-src OR style-src.
+// Trusted Types (require-trusted-types-for 'script') enables the
+// browser's strongest XSS-mitigation primitive — DOM-sink writes via
+// innerHTML / outerHTML / setHTML require typed values, surfacing
+// every untrusted-string-to-DOM path at runtime so operators can audit
+// + fix them. Compatible browsers (Chrome 83+, Edge 83+) enforce;
+// Firefox + Safari ignore (no regression). Operators with inline
+// scripts wire `b.middleware.cspNonce()` and use `{{ cspNonce }}` in
+// views.
+var DEFAULT_CSP =
+  "default-src 'self'; " +
+  "script-src 'self'; " +
+  "style-src 'self'; " +
+  "img-src 'self' data:; " +
+  "font-src 'self'; " +
+  "connect-src 'self'; " +
+  "frame-ancestors 'none'; " +
+  // CSP3 fenced-frame-src: refuse <fencedframe> embeds entirely. The
+  // Privacy-Sandbox-era element bypasses traditional frame controls;
+  // operators wanting to embed a Privacy-Sandbox vendor opt in by
+  // passing their own csp.
+  "fenced-frame-src 'none'; " +
+  "base-uri 'self'; " +
+  "form-action 'self'; " +
+  "object-src 'none'; " +
+  "require-trusted-types-for 'script'; " +
+  "trusted-types 'allow-duplicates' default;";
+
+// Document-Policy default — denies the highest-risk DOM/JS surfaces
+// that aren't otherwise covered by Permissions-Policy. `unsized-media`
+// blocks layout-jank from images without explicit width/height,
+// `oversized-images` caps the served-vs-displayed ratio, and the
+// document-write feature disables the legacy synchronous DOM-injection
+// API. Operators with a third-party widget that needs the legacy API
+// override.
+var DEFAULT_DOCUMENT_POLICY =
+  "document-write=?0, " +
+  "unsized-media=?0, " +
+  "oversized-images=?0";
+
+// RFC 9651 (Structured Field Values) Permissions-Policy validation —
+// each policy is `feature=value-list` where value-list is `*` /
+// `(self)` / `(self "https://...")` / `()` (empty = deny). Reject
+// header values that don't conform; operators get a clear refusal at
+// boot rather than a silently-broken header at runtime.
+var PP_POLICY_RE =
+  /^[a-z][a-z0-9-]*=(?:\*|\([^)]*\)|self)$/;
+function _validatePermissionsPolicy(value) {
+  if (typeof value !== "string" || value.length === 0) return;
+  var parts = String(value).split(/\s*,\s*/);
+  for (var i = 0; i < parts.length; i += 1) {
+    var p = parts[i];
+    if (!p) continue;
+    if (!PP_POLICY_RE.test(p)) {  // allow:regex-no-length-cap — RFC 9651 SF entries are bounded by browser parsers; operator-supplied
+      throw new TypeError(
+        "middleware.securityHeaders: permissionsPolicy entry '" + p +
+        "' is not a valid RFC 9651 structured field (expected " +
+        "'feature=*' / 'feature=()' / 'feature=(self ...)')");
+    }
+  }
+}
+
+/**
+ * @primitive b.middleware.securityHeaders
+ * @signature b.middleware.securityHeaders(req, res, next)
+ * @since     0.1.0
+ * @related   b.middleware.cspNonce, b.middleware.cspReport, b.middleware.cors
+ *
+ * Sets the OWASP-aligned response headers every modern app should
+ * send. Constructed via `b.middleware.securityHeaders(opts)`; the
+ * resulting middleware has the `(req, res, next)` shape shown above.
+ * Headers include: HSTS (2-year max-age + includeSubDomains + preload), X-CTO
+ * nosniff, X-Frame-Options DENY, Referrer-Policy no-referrer, an
+ * extensive Permissions-Policy denylist (camera / geolocation /
+ * payment / Privacy-Sandbox attribution-reporting / bluetooth /
+ * etc.), COOP same-origin, CORP same-origin, Origin-Agent-Cluster
+ * `?1`, and a strict default CSP with `require-trusted-types-for
+ * 'script'`. Each header can be softened by passing the option
+ * value or disabled by passing `false`. Mount FIRST (after
+ * `requestId`) so headers are set before any response could be
+ * partially sent.
+ *
+ * @opts
+ *   {
+ *     hsts:               string|false,
+ *     contentTypeOptions: "nosniff"|false,
+ *     frameOptions:       "DENY"|"SAMEORIGIN"|false,
+ *     referrerPolicy:     string|false,
+ *     permissionsPolicy:  string|false,
+ *     coop:               string|false,
+ *     coep:               string|false,
+ *     corp:               string|false,
+ *     originAgentCluster: "?1"|"?0"|false,
+ *     dnsPrefetchControl: "off"|"on"|false,
+ *     csp:                string|false,
+ *     documentPolicy:     string|false,
+ *     acceptCh:           string|false,
+ *     criticalCh:         string|false,
+ *     reportingEndpoints: object,
+ *     trustProxy:         boolean|number,
+ *   }
+ *
+ * @example
+ *   var b = require("@blamejs/core");
+ *   var app = b.router.create();
+ *   app.use(b.middleware.securityHeaders({
+ *     hsts: "max-age=63072000; includeSubDomains; preload",
+ *   }));
+ */
+function create(opts) {
+  opts = opts || {};
+  validateOpts(opts, [
+    "hsts", "contentTypeOptions", "frameOptions", "referrerPolicy",
+    "permissionsPolicy", "coop", "coep", "corp",
+    "originAgentCluster", "dnsPrefetchControl", "csp", "trustProxy",
+    "reportingEndpoints", "documentPolicy", "criticalCh", "acceptCh",
+  ], "middleware.securityHeaders");
+  if (opts.permissionsPolicy && typeof opts.permissionsPolicy === "string") {
+    _validatePermissionsPolicy(opts.permissionsPolicy);
+  }
+  var trustProxy = opts.trustProxy === true || typeof opts.trustProxy === "number"
+    ? opts.trustProxy : false;
+  var hsts = opts.hsts === undefined ? "max-age=63072000; includeSubDomains; preload" : opts.hsts;
+  var ctOpts = opts.contentTypeOptions === undefined ? "nosniff" : opts.contentTypeOptions;
+  var frameOpts = opts.frameOptions === undefined ? "DENY" : opts.frameOptions;
+  var refPolicy = opts.referrerPolicy === undefined ? "no-referrer" : opts.referrerPolicy;
+  var permPolicy = opts.permissionsPolicy === undefined ? DEFAULT_PERMISSIONS.join(", ") : opts.permissionsPolicy;
+  var coop  = opts.coop === undefined ? "same-origin" : opts.coop;
+  var coep  = opts.coep === undefined ? false : opts.coep;
+  var corp  = opts.corp === undefined ? "same-origin" : opts.corp;
+  var oac   = opts.originAgentCluster === undefined ? "?1" : opts.originAgentCluster;
+  var dpc   = opts.dnsPrefetchControl === undefined ? "off" : opts.dnsPrefetchControl;
+  var csp   = opts.csp === undefined ? DEFAULT_CSP : opts.csp;
+  var docPolicy = opts.documentPolicy === undefined ? DEFAULT_DOCUMENT_POLICY : opts.documentPolicy;
+  var criticalCh = opts.criticalCh && typeof opts.criticalCh === "string" ? opts.criticalCh : false;
+  var acceptCh   = opts.acceptCh   && typeof opts.acceptCh   === "string" ? opts.acceptCh   : false;
+  // Reporting-Endpoints (W3C Reporting API) — when operator passes a
+  // map of endpoint-name → URL, we emit `Reporting-Endpoints: name="url",
+  // name2="url2", ...` and (when default CSP is in force) append
+  // `report-to default` to the CSP so violations route to the named
+  // endpoint. Operators using a custom CSP add `report-to` to it
+  // themselves.
+  var reportingEndpoints = null;
+  if (opts.reportingEndpoints && typeof opts.reportingEndpoints === "object") {
+    var pairs = [];
+    var keys = Object.keys(opts.reportingEndpoints);
+    for (var i = 0; i < keys.length; i += 1) {
+      var k = keys[i];
+      var v = opts.reportingEndpoints[k];
+      if (typeof v !== "string" || v.length === 0) continue;
+      // Defensive — refuse CR/LF/NUL in either side (header injection).
+      if (/[\r\n\0]/.test(k) || /[\r\n\0]/.test(v)) continue;                   // allow:duplicate-regex — CR/LF/NUL header-injection rejection appears in cookies / mail / security-headers; each is the boundary primitive — extracting forces a shared module that hides the boundary check from each domain
+      pairs.push(k + '="' + v + '"');
+    }
+    if (pairs.length > 0) reportingEndpoints = pairs.join(", ");
+  }
+  // Auto-append `report-to default` to the default CSP when operator
+  // wires a `default` reporting endpoint and didn't override `csp`.
+  if (csp === DEFAULT_CSP && reportingEndpoints &&
+      opts.reportingEndpoints && opts.reportingEndpoints["default"]) {
+    csp = csp.replace(/;\s*$/, "") + "; report-to default;";
+  }
+
+  return function securityHeaders(req, res, next) {
+    if (typeof res.setHeader !== "function") return next();
+    // RFC 6797 §7.2: HSTS over plain HTTP is meaningless (UAs ignore
+    // it). Skip the header on non-TLS requests so dev-over-HTTP doesn't
+    // surface confusing "Strict-Transport-Security on http://" lines.
+    // requestProtocol respects trustProxy — operators behind a TLS
+    // terminator opt in to read X-Forwarded-Proto.
+    if (hsts && requestHelpers.requestProtocol(req, { trustProxy: trustProxy }) === "https") {
+      res.setHeader("Strict-Transport-Security", hsts);
+    }
+    if (ctOpts)     res.setHeader("X-Content-Type-Options", ctOpts);
+    if (frameOpts)  res.setHeader("X-Frame-Options", frameOpts);
+    if (refPolicy)  res.setHeader("Referrer-Policy", refPolicy);
+    if (permPolicy) res.setHeader("Permissions-Policy", permPolicy);
+    if (coop)       res.setHeader("Cross-Origin-Opener-Policy", coop);
+    if (coep)       res.setHeader("Cross-Origin-Embedder-Policy", coep);
+    if (corp)       res.setHeader("Cross-Origin-Resource-Policy", corp);
+    if (oac)        res.setHeader("Origin-Agent-Cluster", oac);
+    if (dpc)        res.setHeader("X-DNS-Prefetch-Control", dpc);
+    if (csp)                res.setHeader("Content-Security-Policy", csp);
+    if (docPolicy)          res.setHeader("Document-Policy", docPolicy);
+    if (acceptCh)           res.setHeader("Accept-CH", acceptCh);
+    if (criticalCh)         res.setHeader("Critical-CH", criticalCh);
+    if (reportingEndpoints) res.setHeader("Reporting-Endpoints", reportingEndpoints);
+    next();
+  };
+}
+
+module.exports = {
+  create:                  create,
+  DEFAULT_PERMISSIONS:     DEFAULT_PERMISSIONS,
+  DEFAULT_CSP:             DEFAULT_CSP,
+  DEFAULT_DOCUMENT_POLICY: DEFAULT_DOCUMENT_POLICY,
+};