@blamejs/blamejs-shop 0.0.44

package/lib/vendor/blamejs/lib/vendor/vendor-data-pubkey.js

@@ -0,0 +1,16 @@
+// vendor-data-pubkey — SLH-DSA-SHAKE-256f public key inlined as a CommonJS
+// module so lib/vendor-data.js can verify .data.js signatures without
+// any fs.readFileSync call. Packaging-mode-invariant (SEA / pkg / nexe /
+// esbuild / Bun compile / Deno compile / Lambda all preserve require()
+// resolution but not __dirname-relative file lookups).
+//
+// Fingerprint (SHA-256 of the raw SPKI): dd02aaf2f700e1403172f1e57619ba6308642e107853891866ffd8589b4164d1
+//
+// Regenerated by scripts/vendor-data-keygen.js whenever the maintainer
+// vendor-data signing key rotates. The companion PEM at
+// lib/vendor/.vendor-data-pubkey is the operator-readable form; this
+// JS module is the runtime form. Both regenerate together.
+
+"use strict";
+
+module.exports = "-----BEGIN SLH-DSA-SHAKE-256F PUBLIC KEY-----\nNyFNN00fxmgkHnZwtfy1FU9SodrVbgJRihT5/S605tM7c6YAKIS1mry4y8VCKh2h\nG+oRhGOPLb1ebxNmcQZw+g==\n-----END SLH-DSA-SHAKE-256F PUBLIC KEY-----\n";

package/lib/vendor/blamejs/lib/vendor-data.js

@@ -0,0 +1,520 @@
+"use strict";
+/**
+ * @module     b.vendorData
+ * @nav        Supply Chain
+ * @title      Vendor Data — packaging-mode-invariant + signed + canary-guarded
+ * @order      710
+ *
+ * @intro
+ *   Loader for vendored data files that ship inside the framework
+ *   tarball (`lib/vendor/*`). Inline-as-JS means the data survives any
+ *   packaging mode — SEA, esbuild bundle, `pkg`, `nexe`, Bun compile,
+ *   AWS Lambda — without `__dirname`-relative `fs.readFileSync` paths
+ *   collapsing under the bundler. Every load runs four orthogonal
+ *   integrity checks before returning a byte to the caller:
+ *
+ *     1. SHA-256 of the embedded payload matches the expected constant
+ *     2. SHA3-512 of the embedded payload matches the expected constant
+ *     3. SLH-DSA-SHAKE-256f signature over the payload verifies against
+ *        the maintainer's pinned public key (`lib/vendor/.vendor-data-pubkey`)
+ *     4. The known canary entry (where applicable per data file) is
+ *        present in the parsed payload — defends against content swap
+ *        even when an attacker forges hashes + signatures
+ *
+ *   Refusal at any step throws `VendorDataError`. `verifyAll()` runs
+ *   at framework boot so a tampered vendor file is a fail-fast — not
+ *   a first-request-touches-PSL surprise.
+ *
+ *   Each vendored data file ships as a `<name>.data.js` module that
+ *   exports `{ payload, metadata, canary }`. The `.data.js` is
+ *   regenerated by `scripts/vendor-update.sh --refresh-data` whenever
+ *   the upstream source is refreshed; it is never hand-edited.
+ *
+ * @card
+ *   Signed + dual-hashed + canary-guarded loader for vendored data.
+ *   Survives SEA / pkg / bundler builds because the data is inline,
+ *   not `fs.readFileSync`-loaded.
+ */
+
+var nodeCrypto = require("node:crypto");
+var safeEnv = require("./parsers/safe-env");
+var lazyRequire = require("./lazy-require");
+var { defineClass } = require("./framework-error");
+var pqcSoftware = require("./pqc-software");
+var bCrypto = lazyRequire(function () { return require("./crypto"); });
+
+var _audit = lazyRequire(function () { return require("./audit"); });
+
+// Lazy: audit imports b.crypto which imports b.audit indirectly via
+// vendor-data verifyAll on framework boot. Defer the audit module
+// until the first opt-out / digest-mismatch path runs.
+var audit = lazyRequire(function () { return require("./audit"); });
+
+// Framework-pinned vendor-data public key. Inlined as a CommonJS
+// module (lib/vendor/vendor-data-pubkey.js) so the loader has zero
+// fs.readFileSync calls and survives any packaging mode that
+// preserves require() resolution (SEA, pkg, nexe, esbuild, Bun /
+// Deno compile, Lambda layers). The companion PEM at
+// lib/vendor/.vendor-data-pubkey is the operator-readable form for
+// external inspection; this JS module is the runtime trust root.
+// Both regenerate together whenever the maintainer signing key
+// rotates (scripts/vendor-data-keygen.js).
+var PUBKEY_PEM = require("./vendor/vendor-data-pubkey");
+
+// Static require()s — every modern bundler (esbuild, webpack, ncc,
+// rollup, Bun's bundler, Deno's bundler) traces these at bundle time
+// only when the require() argument is a STRING LITERAL. A dynamic
+// `require(variable)` is opaque to static analysis: bundlers can't
+// determine what files to include, so the .data.js payloads silently
+// fall out of the SEA / pkg / nexe / esbuild blob and the SEA-mode
+// promise of v0.9.8 is defeated at boot. Each require below sits at
+// column 0 with a literal-string argument so static analysis traces
+// them; codebase-patterns enforces this via the testNoDynamicRequires
+// + testNoInlineRequires detectors.
+var _PSL_DATA           = require("./vendor/public-suffix-list.data");
+var _COMMON_PW_DATA     = require("./vendor/common-passwords-top-10000.data");
+var _BIMI_ANCHORS_DATA  = require("./vendor/bimi-trust-anchors.data");
+
+var _MODULES = {
+  "public-suffix-list":         _PSL_DATA,
+  "common-passwords-top-10000": _COMMON_PW_DATA,
+  "bimi-trust-anchors":         _BIMI_ANCHORS_DATA,
+};
+
+var VendorDataError = defineClass("VendorDataError", { alwaysPermanent: true });
+
+// Boot-time-safe constant-time hex compare. Framework convention
+// is timingSafeEqual for every digest / MAC compare even
+// when the value is a public tag (a `!==` here is the smell, not
+// the secret/public distinction). b.crypto.timingSafeEqual would
+// match the convention but it's lazyRequire'd to break a circular
+// load chain and is not available during verifyAll()'s boot-time
+// pass; nodeCrypto.timingSafeEqual is the direct primitive.
+//
+// Both inputs MUST be hex strings (0-9a-fA-F only). The hex shape
+// guard sidesteps the UTF-16 / UTF-8 byte-length skew that would
+// otherwise let `Buffer.from(non-ascii-string, "utf8")` produce
+// different byte lengths for equal-string-length inputs — which
+// would make nodeCrypto.timingSafeEqual throw
+// ERR_CRYPTO_TIMING_SAFE_EQUAL_LENGTH instead of returning false,
+// surfacing an unexpected boot-time error on a tampered metadata
+// instead of the documented VendorDataError. Refuse non-hex with
+// a plain false return so the caller's `!equal` branch throws the
+// VendorDataError as designed.
+// Accept bare hex digests (Layer 1 / Layer 2 SHA outputs) and
+// `<alg>:<hex>` fingerprint shapes (Layer 3 — `sha256:abc...`). All
+// chars are ASCII so UTF-8 byte length equals string length.
+var ASCII_TAG_RE_VD = /^[0-9a-zA-Z:]+$/;
+function _timingSafeHexEqual(a, b) {
+  if (typeof a !== "string" || typeof b !== "string") return false;
+  if (a.length !== b.length) return false;
+  if (!ASCII_TAG_RE_VD.test(a) || !ASCII_TAG_RE_VD.test(b)) return false;
+  // Hex chars are ASCII; UTF-8 encode is identity, so equal string
+  // length now guarantees equal byte length.
+  var ba = Buffer.from(a, "utf8");
+  var bb = Buffer.from(b, "utf8");
+  return nodeCrypto.timingSafeEqual(ba, bb);                                    // allow:raw-timing-safe-equal — hex + length pre-check above guarantees same-length ASCII inputs; b.crypto wrapper would be circular at boot
+}
+
+// KNOWN_VENDOR_DATA — the canonical list of vendored data names. Each
+// entry carries the canary token the payload must contain after parse
+// (where applicable) and a description for the inventory surface.
+//
+// The `module` string is documentation-only as of v0.9.9 — the runtime
+// uses the `_MODULES` table above (static literal-string requires) so
+// bundlers can statically trace the .data.js dependency. The `module`
+// field stays exported for downstream tooling that inspects
+// `b.vendorData.KNOWN_VENDOR_DATA[name].module` for diagnostics or
+// vendor-refresh tooling. NEVER call `require(entry.module)` — dynamic
+// require(variable) breaks SEA / esbuild / pkg bundling.
+var KNOWN_VENDOR_DATA = Object.freeze({
+  "public-suffix-list": {
+    module: "./vendor/public-suffix-list.data",
+    canary: "_blamejs_canary_v0_9_8_.local",
+    // Canary parse check — operator-side `b.publicSuffix.isPublicSuffix(canary)`
+    // MUST return true after the PSL parser ingests the data. The check
+    // is run by every `get()` via the .data.js's canaryCheck closure.
+    description: "Mozilla Public Suffix List (PSL). Used by b.publicSuffix for organizational-domain + public-suffix lookups.",
+  },
+  "common-passwords-top-10000": {
+    module: "./vendor/common-passwords-top-10000.data",
+    canary: "_blamejs_canary_password_2026_05_13_blamejs_internal_",
+    description: "Top-10000 most common passwords (SecLists). Used by b.auth.password to refuse known-breached credentials.",
+  },
+  "bimi-trust-anchors": {
+    module: "./vendor/bimi-trust-anchors.data",
+    canary: null,
+    // BIMI trust anchor file is a PEM bundle; injecting an in-payload
+    // canary would require minting a real self-signed cert against
+    // every refresh which would inflate the vendor pipeline. The
+    // dual-hash + SLH-DSA signature layers cover the threat; canary
+    // is intentionally skipped for this entry.
+    description: "BIMI Group VMC + CMC trust anchors. Used by b.mail.bimi.fetchAndVerifyMark for chain validation.",
+  },
+});
+
+// Per-name cache so verify-once-on-first-load + boot-time verifyAll
+// don't pay the SLH-DSA-SHAKE-256f verify cost twice. Cached entries
+// are payload Buffers (caller-receivable); signature verification
+// runs at module-load (in `_loadAndVerify`), not at every `get()`.
+var _payloadCache = Object.create(null);
+
+function _loadAndVerify(name) {
+  if (_payloadCache[name]) return _payloadCache[name];
+
+  var entry = KNOWN_VENDOR_DATA[name];
+  if (!entry) {
+    throw new VendorDataError("vendor-data/unknown",
+      "vendorData: '" + name + "' not in KNOWN_VENDOR_DATA. " +
+      "Registered names: " + Object.keys(KNOWN_VENDOR_DATA).join(", "));
+  }
+
+  var mod = _MODULES[name];
+  if (!mod) {
+    throw new VendorDataError("vendor-data/module-missing",
+      "vendorData: '" + name + "' .data.js module not statically " +
+      "require'd by lib/vendor-data.js. Add the literal-string require " +
+      "to the _MODULES table at the top of the file — dynamic " +    // allow:dynamic-require — diagnostic message text
+      "require(variable) breaks SEA / esbuild bundling.");           // allow:dynamic-require — diagnostic message text
+  }
+
+  // Module-shape gate
+  if (!mod || !Buffer.isBuffer(mod.payload) || !mod.metadata) {
+    throw new VendorDataError("vendor-data/bad-shape",
+      "vendorData: '" + name + "' .data.js missing payload Buffer or metadata. " +
+      "File is hand-edited or corrupted; re-run vendor-update.sh --refresh-data.");
+  }
+  var meta = mod.metadata;
+  if (typeof meta.sha256 !== "string" || typeof meta.sha3_512 !== "string" ||
+      typeof meta.signatureB64 !== "string") {
+    throw new VendorDataError("vendor-data/bad-metadata",
+      "vendorData: '" + name + "' metadata missing sha256 / sha3_512 / signatureB64. " +
+      "File is hand-edited or corrupted; re-run vendor-update.sh --refresh-data.");
+  }
+
+  // Layer 1: SHA-256 self-verify. Timing-safe compare matches the
+  // framework convention (every other digest / MAC compare uses
+  // timing-safe regardless of whether the value is a secret). The SHA
+  // is a public tag here, but reaching for `!==` whenever a value
+  // "isn't a secret" is the smell — the convention is the gate.
+  // nodeCrypto direct (not lazy bCrypto) because this runs at boot
+  // before b.crypto is initialized on the module-graph hot path.
+  var actual256 = nodeCrypto.createHash("sha256").update(mod.payload).digest("hex");
+  if (!_timingSafeHexEqual(actual256, meta.sha256)) {
+    throw new VendorDataError("vendor-data/sha256-mismatch",
+      "vendorData: '" + name + "' SHA-256 mismatch — payload tampered. " +
+      "expected=" + meta.sha256.slice(0, 12) + "… got=" + actual256.slice(0, 12) + "…");
+  }
+
+  // Layer 2: SHA3-512 self-verify (timing-safe compare; see Layer 1).
+  var actual3 = nodeCrypto.createHash("sha3-512").update(mod.payload).digest("hex");
+  if (!_timingSafeHexEqual(actual3, meta.sha3_512)) {
+    throw new VendorDataError("vendor-data/sha3-512-mismatch",
+      "vendorData: '" + name + "' SHA3-512 mismatch — payload tampered. " +
+      "expected=" + meta.sha3_512.slice(0, 12) + "… got=" + actual3.slice(0, 12) + "…");
+  }
+
+  // Cross-check meta.publicKeyFingerprint against the inlined pubkey
+  // before signature verify. An attacker who has swapped BOTH the
+  // payload AND the pubkey module (matched signature under the swap
+  // key) would otherwise pass every previous integrity layer; the
+  // fingerprint becomes decorative. Compute the sha3-512(PUBKEY_PEM)
+  // once at module load (memoized below) and compare each entry's
+  // declared fingerprint against the actual pubkey we'll verify
+  // under.
+  var actualPubkeyFp = _actualPubkeyFingerprint();
+  if (typeof meta.publicKeyFingerprint === "string" &&
+      meta.publicKeyFingerprint.length > 0 &&
+      !_timingSafeHexEqual(meta.publicKeyFingerprint, actualPubkeyFp)) {
+    throw new VendorDataError("vendor-data/pubkey-fingerprint-mismatch",
+      "vendorData: '" + name + "' declared publicKeyFingerprint '" +
+      meta.publicKeyFingerprint + "' does not match the inlined pubkey " +
+      "fingerprint '" + actualPubkeyFp + "'. An attacker has either swapped " +
+      "the pubkey module + payload + signature in lockstep (impossible " +
+      "without the maintainer private key) OR the .data.js file was " +
+      "generated against a different signing key. Re-run scripts/vendor-data-keygen.js " +
+      "+ scripts/vendor-update.sh --refresh-data.");
+  }
+
+  // Layer 3a: operator-supplied fingerprint pin. SLSA L3 / in-toto
+  // attestation pattern — the runtime trust root (PUBKEY_PEM, inlined
+  // at build time) defends against payload swap; an operator-supplied
+  // env-var pin defends against attacker-swap of both pubkey AND
+  // signature in the same compromise. The pin is SHA-256 over the
+  // PEM-decoded raw SPKI bytes; operators capture it once at install
+  // time from a trusted channel (npm provenance / sigstore attestation
+  // / out-of-band copy) and re-verify on every boot.
+  var pubkeyBytes = _pemToRaw(PUBKEY_PEM);
+  var pubkeyFp = nodeCrypto.createHash("sha256").update(pubkeyBytes).digest("hex");
+  var operatorFp = safeEnv.readVar("BLAMEJS_VENDOR_DATA_PUBKEY_FINGERPRINT", { default: "" });
+  if (operatorFp.length > 0) {
+    var normalizedOperatorFp = operatorFp.replace(/^sha256:/i, "").toLowerCase().trim();
+    if (!/^[0-9a-f]{64}$/.test(normalizedOperatorFp)) {
+      throw new VendorDataError("vendor-data/operator-fingerprint-bad-shape",
+        "vendorData: BLAMEJS_VENDOR_DATA_PUBKEY_FINGERPRINT must be a 64-hex SHA-256 (optionally `sha256:`-prefixed)");
+    }
+    // Length-tolerant timing-safe compare via b.crypto.timingSafeEqual.
+    if (!bCrypto.timingSafeEqual(normalizedOperatorFp, pubkeyFp)) {
+      throw new VendorDataError("vendor-data/operator-fingerprint-mismatch",
+        "vendorData: '" + name + "' SLH-DSA pubkey fingerprint does not match the " +
+        "operator-supplied BLAMEJS_VENDOR_DATA_PUBKEY_FINGERPRINT pin. " +
+        "expected=" + normalizedOperatorFp.slice(0, 12) + "… got=" +
+        pubkeyFp.slice(0, 12) + "…. The inlined PUBKEY_PEM has been swapped " +
+        "from what the operator captured at install time — refuse to load.");
+    }
+  }
+
+  // Layer 3b: SLH-DSA-SHAKE-256f signature verify against maintainer pubkey
+  var sigBytes = Buffer.from(meta.signatureB64, "base64");
+  var slh = pqcSoftware.slh_dsa_shake_256f;
+  var sigOk = false;
+  try {
+    // noble API: verify(signature, message, publicKey)
+    sigOk = slh.verify(sigBytes, mod.payload, pubkeyBytes);
+  } catch (e) {
+    throw new VendorDataError("vendor-data/signature-verify-error",
+      "vendorData: '" + name + "' SLH-DSA-SHAKE-256f verify threw: " +
+      (e && e.message ? e.message : "unknown error"));
+  }
+  if (!sigOk) {
+    throw new VendorDataError("vendor-data/signature-invalid",
+      "vendorData: '" + name + "' SLH-DSA-SHAKE-256f signature INVALID — " +
+      "payload not signed by maintainer pubkey (fingerprint " +
+      meta.publicKeyFingerprint + "). An attacker has swapped content + " +
+      "forged hashes but cannot forge the signature without the maintainer " +
+      "private key. Stop the framework and audit the install path immediately.");
+  }
+
+  // Layer 4: canary check (always-on, runs per get() not only at verifyAll).
+  // For entries with a registered canary, the .data.js exports a
+  // canaryCheck closure that scans the raw payload for the expected
+  // token. Refuses to return the bytes if the canary is absent.
+  if (entry.canary !== null) {
+    if (typeof mod.canaryCheck !== "function" || mod.canaryCheck() !== true) {
+      throw new VendorDataError("vendor-data/canary-absent",
+        "vendorData: '" + name + "' canary '" + entry.canary +
+        "' NOT FOUND in payload. An attacker has swapped data bytes with " +
+        "correctly-forged hashes + signatures but failed to preserve the " +
+        "canary token the framework expects.");
+    }
+  }
+
+  _payloadCache[name] = mod.payload;
+  return mod.payload;
+}
+
+// Memoized — "sha256:" + sha256(pemToRaw(PUBKEY_PEM)). Matches the
+// canonical fingerprint shape `scripts/vendor-data-gen.js` writes into
+// each .data.js's `metadata.publicKeyFingerprint`. Computed lazily on
+// first verify (also lazily by verifyAll at boot). CRYPTO-11 — every
+// per-entry verify cross-checks this against the entry's declared
+// `meta.publicKeyFingerprint` so a pubkey-swap attack fails before
+// signature verify even runs.
+var _PUBKEY_FINGERPRINT = null;
+function _actualPubkeyFingerprint() {
+  if (_PUBKEY_FINGERPRINT !== null) return _PUBKEY_FINGERPRINT;
+  var raw = _pemToRaw(PUBKEY_PEM);
+  _PUBKEY_FINGERPRINT = "sha256:" +
+    nodeCrypto.createHash("sha256").update(raw).digest("hex");
+  return _PUBKEY_FINGERPRINT;
+}
+
+// _pemToRaw — extract the raw SPKI bytes from a PEM-wrapped public key.
+// The .vendor-data-pubkey file ships as PEM (BEGIN PUBLIC KEY ... END
+// PUBLIC KEY); the SLH-DSA verifier expects raw bytes. We strip the
+// header/footer + decode base64. Defensive — refuses anything that
+// doesn't look like the expected PEM shape.
+function _pemToRaw(pem) {
+  var lines = pem.replace(/\r/g, "").split("\n");
+  if (lines[0].indexOf("-----BEGIN ") !== 0) {
+    throw new VendorDataError("vendor-data/pubkey-bad-pem",
+      "vendorData: inlined pubkey module is not PEM-shaped (lib/vendor/vendor-data-pubkey.js corrupted; re-run scripts/vendor-data-keygen.js)");
+  }
+  var body = "";
+  for (var i = 1; i < lines.length; i++) {
+    if (lines[i].indexOf("-----END ") === 0) break;
+    body += lines[i];
+  }
+  return Buffer.from(body, "base64");
+}
+
+/**
+ * @primitive  b.vendorData.get
+ * @signature  b.vendorData.get(name)
+ * @since      0.9.8
+ * @status     stable
+ * @related    b.vendorData.verifyAll, b.vendorData.inventory
+ *
+ * Return the verified payload Buffer for the named vendored data file.
+ * First call per name runs all integrity layers (dual-hash + SLH-DSA
+ * signature); subsequent calls return from cache. The canary-in-payload
+ * check is run by `verifyAll()` at framework boot; `get()` skips it on
+ * the hot path because the canary's parse-side semantics are caller-
+ * specific (PSL parser vs password-set lookup vs PEM chain).
+ *
+ * @example
+ *   var pslBytes = b.vendorData.get("public-suffix-list");
+ *   var psl = pslBytes.toString("utf8");
+ */
+function get(name) {
+  return _loadAndVerify(name);
+}
+
+/**
+ * @primitive  b.vendorData.getAsString
+ * @signature  b.vendorData.getAsString(name)
+ * @since      0.9.8
+ * @status     stable
+ * @related    b.vendorData.get
+ *
+ * Convenience wrapper around `get(name)` that returns the payload
+ * decoded as UTF-8. Use when the caller wants a string directly; the
+ * underlying Buffer caches once so repeated calls don't re-decode.
+ *
+ * @example
+ *   var passwordList = b.vendorData.getAsString("common-passwords-top-10000");
+ *   var lines = passwordList.split(/\r?\n/);
+ */
+function getAsString(name) {
+  return _loadAndVerify(name).toString("utf8");
+}
+
+/**
+ * @primitive  b.vendorData.verifyAll
+ * @signature  b.vendorData.verifyAll()
+ * @since      0.9.8
+ * @status     stable
+ * @related    b.vendorData.get, b.vendorData.inventory
+ *
+ * Run all four integrity layers across every registered vendored data
+ * file — including the in-payload canary check via the caller-supplied
+ * canaryCheck closure each `.data.js` exports. Returns the inventory
+ * of names verified. Throws on any failure. Operators wire this into
+ * framework boot so a tampered install fails fast.
+ *
+ * @example
+ *   b.vendorData.verifyAll();   // throws VendorDataError on any tamper
+ */
+function verifyAll() {
+  var names = Object.keys(KNOWN_VENDOR_DATA);
+  for (var i = 0; i < names.length; i++) {
+    // _loadAndVerify runs all four layers (sha256 + sha3-512 +
+    // SLH-DSA signature + canary). verifyAll() now just forces
+    // eager-load of every registered entry — useful in tests and
+    // for operators wanting "verify everything upfront at boot"
+    // semantics even before any caller touches a specific entry.
+    _loadAndVerify(names[i]);
+  }
+  return names.slice();
+}
+
+/**
+ * @primitive  b.vendorData.inventory
+ * @signature  b.vendorData.inventory()
+ * @since      0.9.8
+ * @status     stable
+ * @related    b.vendorData.verifyAll
+ *
+ * Return per-vendor-data metadata for compliance reporting. Each
+ * entry: `{ name, source, fetchedAt, sha256, sha3_512, signedBy,
+ * canary, byteLength }`. Pipes directly into SBOM emission +
+ * b.compliance posture rendering.
+ *
+ * @example
+ *   var inv = b.vendorData.inventory();
+ *   inv.forEach(function (entry) {
+ *     console.log(entry.name + " (" + entry.byteLength + " bytes) " +
+ *                 "fetched " + entry.fetchedAt + " from " + entry.source +
+ *                 " — signed by " + entry.signedBy);
+ *   });
+ */
+// Rendered-inventory cache. Operators wire `b.vendorData.inventory()`
+// into compliance-reporting endpoints (e.g. /admin/vendor-inventory)
+// where the call surface is read-heavy and the underlying inputs
+// (verified payload buffers + frozen KNOWN_VENDOR_DATA + immutable
+// .data.js metadata) never change after boot. Cache once and serve
+// the same frozen array reference. ~30ms saved per call.
+var _inventoryCache = null;
+
+function inventory() {
+  if (_inventoryCache !== null) return _inventoryCache;
+  var out = [];
+  var names = Object.keys(KNOWN_VENDOR_DATA);
+  for (var i = 0; i < names.length; i++) {
+    var name = names[i];
+    var entry = KNOWN_VENDOR_DATA[name];
+    _loadAndVerify(name);
+    var mod = _MODULES[name];
+    var meta = mod.metadata;
+    out.push(Object.freeze({
+      name:        name,
+      source:      meta.source,
+      fetchedAt:   meta.fetchedAt,
+      license:     meta.license,
+      sha256:      meta.sha256,
+      sha3_512:    meta.sha3_512,
+      signedBy:    meta.publicKeyFingerprint,
+      canary:      entry.canary,
+      byteLength:  mod.payload.length,
+      description: entry.description,
+    }));
+  }
+  _inventoryCache = Object.freeze(out);
+  return _inventoryCache;
+}
+
+// Eager verification at module-load. The first time anything
+// require()s b.vendorData (e.g. lib/public-suffix.js, lib/auth/
+// password.js, lib/mail-bimi.js — all of which load early in any
+// framework consumer's import graph), every registered vendor data
+// file is dual-hash + signature + canary-verified before any caller
+// gets the chance to call get(). Tamper = fail-fast at boot, not at
+// first-request-touches-PSL surprise.
+//
+// Operators wanting to defer verification (test rigs that mock
+// require() resolution, install-pipeline contexts that intentionally
+// run before the trust roots are populated) must opt in via TWO env
+// vars: BLAMEJS_VENDOR_DATA_DEFER_BOOT_VERIFY=1 PLUS a non-empty
+// BLAMEJS_VENDOR_DATA_DEFER_BOOT_VERIFY_REASON explaining WHY.
+// Setting the flag alone is refused so a misconfigured CI / Docker
+// image can't silently bypass tamper detection. SSDF PW.4 — every
+// security-default-disable lives in the audit log with an operator-
+// attributed reason.
+var _deferFlag = safeEnv.readVar("BLAMEJS_VENDOR_DATA_DEFER_BOOT_VERIFY", { default: "" });
+if (_deferFlag === "1") {
+  var _deferReason = safeEnv.readVar("BLAMEJS_VENDOR_DATA_DEFER_BOOT_VERIFY_REASON", { default: "" });
+  if (_deferReason.length === 0) {
+    throw new VendorDataError("vendor-data/defer-reason-required",
+      "vendorData: BLAMEJS_VENDOR_DATA_DEFER_BOOT_VERIFY=1 set WITHOUT " +
+      "BLAMEJS_VENDOR_DATA_DEFER_BOOT_VERIFY_REASON. Boot-time vendor " +
+      "verification is a security default — disabling it requires the " +
+      "operator to record WHY in the env so the misconfig is grep-able in " +
+      "the next deploy diff. Set BLAMEJS_VENDOR_DATA_DEFER_BOOT_VERIFY_REASON " +
+      "to a non-empty string (e.g. 'test-rig:require-mock' or 'install-pipeline:pre-trust-root-populated').");
+  }
+  // Audit emit is best-effort: the audit module may not be initialized
+  // yet (boot sequencing). Operators alerting on "boot-time
+  // verification deferred" catch a malicious pivot that set the flag
+  // through a compromised env source.
+  try {
+    audit().safeEmit({
+      action:  "vendor-data.boot_verify_deferred",
+      outcome: "denied",
+      metadata: {
+        reason:          _deferReason.slice(0, 256),                          // allow:raw-byte-literal — audit metadata truncation limit
+        vendorDataKnown: Object.keys(KNOWN_VENDOR_DATA),
+      },
+    });
+  } catch (_e) { /* drop-silent — audit not ready at boot */ }
+} else {
+  verifyAll();
+}
+
+module.exports = {
+  get:                get,
+  getAsString:        getAsString,
+  verifyAll:          verifyAll,
+  inventory:          inventory,
+  KNOWN_VENDOR_DATA:  KNOWN_VENDOR_DATA,
+  VendorDataError:    VendorDataError,
+};