@blamejs/blamejs-shop 0.0.44

package/lib/vendor/blamejs/keys/release-pqc-pub.json

@@ -0,0 +1,7 @@
+{
+  "algorithm": "ml-dsa-65",
+  "publicKey": "DcnshAVvNoVF4QnhuyC84qT3k8MsjQJD2JGNdJU8AesluLzvVfvTSZui21MWnaFpvzaLsjObCb70D9THE15iae7_9VwpuKG6gnPIX06GkMIljJFIhPY8DzqXbVd7ZOB7SXlo3IZBOPgbQsceT37MRJcP88ZA2qmufxTIz48Mt-Hixwv1fT_hGTfL2ytx7vHcJ_cRP4MaU3h9qEY8KKRXWm_rQBijO8ZNcLlHozRh2WMIJ1-oqxwu8xfVGG_9lEsg9YRHVWWbREi9oKfwgbr88qrshmRbtv6FuUU_qHA8rB5OPEw7g4-eZyhvBGA-PkMqIQPxldlDClpJhCnt8eBCPYbp9wmEYfPnwSogE2fqc9xWtdxQzFQnJahugrbhYrNtNbc5qiVV8y7c5SNsmWJJDYRBe5hIqUTBFHMQZ2Epti1kfAbnCAhTbiKUtoTUZqVl1lzr_73pHmoNJVSzXZ6nmqeqajt6e1liHrRujNcfeI2yEEo6dtURbZ_VesOh6vVSkgnSbaKHQWw3B6zj1oW8BNjMu47JhIJP4rFtQcibq0OjyRq8bGyRhfhuGYWPnpvplg3JX02bjbmZVLU6_eEpphbvMzBi1wTyMXT690sV1N0aOh8Qx0Q834J6AMWCERPLgw8YMSJLuqhDGZxxmkXWPlbV-FP7juexugEBC5nGushbrzm6V0bvGI42e5rYZBAOZ_1ACRhcGRmdwTYUwLi9v4DVlTpGhOh035-sKiFTCFBxQFKVdJAZqhf0eVbIbLwTiQ3gPx1wGC6IjJ10dyJ_aUxEs8x1a_NNDsTzMoi3J6lkgpUWLnsyqWHbACjPyd7oFJRu4r9TVW_dadA-JGzIbLMoDJYX6YhEaHSLwnduqWSJ1ijZb4zjL2ckJFOlYMa0R299R6oOnbLBWv0snmNt_B4oVbRgylY5uJMtiB3Wq9yPwjzKgcEOAHDGHmM5dpnDspFsc0_ht1kRSG8vMCi6b1jqjqaBA5kzxS5azbZj5D4LSsD9ShrhCQFxxcVhzlcCrzkYB4YleP_2hdUJ0w4w_UC-X4v0NKj1zOmcmlIL7sh7VFPuN41j_oTL52NwJVuR2sLzRA11W7EAvTa5Ny2fs-1BuNT8mbkK73Fbcq6v8E4L65_WakOp_bleXIFSwBf-cyTtisrOq-NY8Cu8ZCWIxcEtX8mSoa4fefVLB-QIZdgcUII5oh-VjFGVdtYcv1Wbnrx2RRIrOoRnhKEIVotTFasgJHR9b4NsPrVMovwJJFtPT-WCfzhWSlUNOf7RP0AJ9X0IRsTH4qCKY4qKh4kBJ659amxjGk_XRmezPR12MRxXlQqKpmlZed8UUfEJo8LQVvQqA1Io2nla45Lkrv283OKPbmD7bJ_bBg1fIGvZaHWgLLkfklHTqhr1Gomuhe4zxQMeeM_WavW37Sfq8Qfju6WCjmcDFoVLLAqYR0E12rZH_Na1aUalg7rMe46w9YSSxE-BsB_zPW3n2aK6n41eGMG6D33Z9aM0CtqIw1M4LiBXRKfa4YPQAbiYq3Da5EDdp-Me5D81tXDUz4EacMUkK9ZbyDlidNVMPKpGCeFy3726zCUZuOcLFeKJd3gRsCSUx11Yox_TtFm7b26B48W1zRGzVBHaxJvcI-rrsBM8f8NWnkpMolmY3jcKP11c4Bn7tGanE979mrl5FNNuVRkAA0R1XJN576axz4aDDpYNE-XbX_rBlB_BuZi1QaWTltklZ1LAvph17Wz2Bfjut-MHP7Xpo3hU0d10cRVjJ90g-mUeSUG8AhleS1xkwFpCEpW7Dia7RhKNyj3PV7li_f2JY_0JpNx3HD0XG96GCTQO2Dlstae0QbM6KoPiulhOVFMZ67OQ8mNrIBphU7pjTMwyK7izfu1XtdqJrLXiNuFplXw5gC0FkGUxMLNSC9LmAfvFzlclr-dTYpxx8nU350OXrlNo34PqsVuN6HO9OOeVI4UMUh3ypC9p2lhIP8jZbUbWqI7mv8YjjpqGDo70SUSYj6Cr-dOOdoAlf3nwnJwmYIhtgIry8H17ySt34RQgGZ2itAC3jQrPYQ5lh3i2iyBZZB0lUNv5-36nD9v3P9mBZSsU5jjAnoaE9nqqiwzsnm403zvnoItLvyiTuEks81EUG_jF4aaSvDR-NQ9cMUv_lHD0kjGBazVoveprm3m0SBHg2IgjlSmmaYutR5NcRmCiM2FfXrjMQIZ4mCKHtGHUBMszpF9VVrx6J_mxXQfdZIPJP-pKzhQ_og-SpiO1kgEmY1_MjpK-_PCn6oPMBpmSuEDdxm_Dqv8lXG7k8EHf05PJ5YGQ8FhyAZMTtQW-vStHWAdHcdOzju0UtAkhWrSXx8MdW5fyzPuc4dSFbH4OnJRnbR83ZnfDGXXN440EQazoEjmI9i63CeB1JHnEIs3Wp-IaGYmPVZDahB4V1CTcjiAf32bBWAm8rbk0GL-yjqs-Y6Sd3XPeSJu0JxK__pReKOc2GLkKnxn0f6zUxeW0OEqy7EIMfx56EEuy1eLZ0iP7mZVEoc1kgx7DMv8dMSayHnAkr_eSbAJlA9btj-elni5NodGODQXsbOJytX6ZSKiS_ZCQ1H5ayLknYnqnWmqQavE",
+  "fingerprint_sha3_512": "ad6bee961782cd01a0751286c23ddc04a6a0ce5d2672cfb6f4ade0cc7cdc62c351c857599e9d22996e91ee56462ddf3939951808286132335d56d3bfe99d2ede",
+  "createdAt": "2026-05-20",
+  "rotation_note": "Re-running scripts/generate-release-signing-key.js rotates the key. Update RELEASE_PQC_SIGNING_KEY secret + SECURITY.md fingerprint in the same commit."
+}

package/lib/vendor/blamejs/lib/_test/crypto-fixtures.js

@@ -0,0 +1,67 @@
+"use strict";
+/**
+ * lib/_test/crypto-fixtures.js — test-only fixtures for crypto round-
+ * trip coverage. Not part of the public `b.*` surface; not loaded by
+ * `index.js`. Operator code never reaches here — the only callers are
+ * tests under `test/layer-0-primitives/crypto-*.test.js` and
+ * fuzz harnesses that exercise the legacy-envelope read path.
+ *
+ * The leading underscore in the directory name signals "internal" to
+ * downstream consumers walking the tree; the `_test` segment makes the
+ * intent explicit. `package.json#files` MUST NOT include `lib/_test/`
+ * so the published tarball doesn't ship these mints to operators.
+ */
+
+var nodeCrypto = require("node:crypto");
+var { xchacha20poly1305 } = require("../vendor/noble-ciphers.cjs");
+var C = require("../constants");
+var bCrypto = require("../crypto");
+
+/**
+ * mintLegacyEnvelope0xE1 — produce a pre-bump 0xE1-shape envelope
+ * sealing `plaintext` against `recipient = { publicKey, ecPublicKey }`.
+ * The 0xE1 wire shape matches 0xE2 except the magic byte is 0xE1 AND
+ * the KDF input concatenates only (mlkemSs || ecSs), omitting the
+ * NIST SP 800-56C r2 §4.1 FixedInfo suite-binding bytes the v0.7.16
+ * bump introduced. Used by crypto-envelope tests to round-trip a
+ * known-shape 0xE1 blob through `b.crypto.decrypt(..., { allowLegacy: true })`.
+ *
+ * Production code NEVER calls this — operators with at-rest 0xE1 data
+ * sealed those bytes pre-bump and the framework's only contract today
+ * is READING them, never producing them.
+ */
+function mintLegacyEnvelope0xE1(plaintext, recipient) {
+  var mlkemPub = nodeCrypto.createPublicKey(recipient.publicKey);
+  var kem = nodeCrypto.encapsulate(mlkemPub);
+  var ephEc = nodeCrypto.generateKeyPairSync("ec", {
+    namedCurve: "P-384",
+    publicKeyEncoding:  { type: "spki",  format: "der" },
+    privateKeyEncoding: { type: "pkcs8", format: "pem" },
+  });
+  var ecSs = nodeCrypto.diffieHellman({
+    privateKey: nodeCrypto.createPrivateKey(ephEc.privateKey),
+    publicKey:  nodeCrypto.createPublicKey(recipient.ecPublicKey),
+  });
+  // KDF input: NO FixedInfo — that's the 0xE1 → 0xE2 difference.
+  var key = bCrypto.kdf(Buffer.concat([kem.sharedKey, ecSs]), C.BYTES.bytes(32));
+  var nonce = bCrypto.generateBytes(C.BYTES.bytes(24));
+  // Legacy 0xE1 envelope header — 4 bytes: magic, kemId, cipherId, kdfId.
+  var headerAad = Buffer.from([
+    0xE1,                                                                                            // allow:raw-byte-literal — legacy 0xE1 envelope magic byte
+    C.KEM_IDS.ML_KEM_1024_P384,
+    C.CIPHER_IDS.XCHACHA20_POLY1305,
+    C.KDF_IDS.SHAKE256,
+  ]);
+  var ct = xchacha20poly1305(key, nonce, headerAad).encrypt(Buffer.from(plaintext, "utf8"));
+  var kemCtLen = Buffer.alloc(2); kemCtLen.writeUInt16BE(kem.ciphertext.length);                     // allow:raw-byte-literal — 16-bit length-prefix field
+  var ecEphDer = ephEc.publicKey;
+  var ecEphLen = Buffer.alloc(2); ecEphLen.writeUInt16BE(ecEphDer.length);                           // allow:raw-byte-literal — 16-bit length-prefix field
+  return Buffer.concat([
+    headerAad,
+    kemCtLen, kem.ciphertext, ecEphLen, ecEphDer, nonce, Buffer.from(ct),
+  ]).toString("base64");
+}
+
+module.exports = {
+  mintLegacyEnvelope0xE1: mintLegacyEnvelope0xE1,
+};

package/lib/vendor/blamejs/lib/a2a-tasks.js

@@ -0,0 +1,598 @@
+"use strict";
+/**
+ * @module     b.a2a
+ * @nav        Agent
+ * @title      A2A Tasks
+ * @order      600
+ *
+ * @intro
+ *   A2A v1 task-exchange surface — the work primitive on top of
+ *   `b.a2a.{createCard, signCard, verifyCard}`. A2A (Linux Foundation,
+ *   v1 spec Apr 2026) defines a JSON-RPC 2.0 over HTTPS protocol with
+ *   three task verbs (`tasks/send`, `tasks/get`, `tasks/cancel`) plus
+ *   optional SSE streaming for long-running tasks.
+ *
+ *   The framework ships:
+ *
+ *     - Client-side dispatchers: `b.a2a.tasks.send({ peerUrl, agentCard, task })`
+ *       posts a `tasks/send` JSON-RPC request; `get({ taskId })` polls
+ *       status; `cancel({ taskId })` requests cancellation.
+ *     - Server-side middleware: `b.a2a.middleware.agentCard({ card })`
+ *       serves `/.well-known/agent.json`; `b.a2a.middleware.tasks
+ *       ({ scopes, handler })` parses inbound JSON-RPC, enforces
+ *       per-skill scope, and dispatches to an operator handler.
+ *     - SSE streaming: when the handler returns a long-running shape,
+ *       the middleware switches to SSE and streams progress events
+ *       to the client.
+ *
+ *   PQC-first: every signed-card flow uses the existing `b.a2a.signCard
+ *   / verifyCard` ML-DSA-87 surface. The task-exchange envelopes
+ *   themselves are NOT separately signed — operators wanting per-call
+ *   non-repudiation compose `b.crypto.httpSig.sign` (RFC 9421) at the
+ *   HTTP layer.
+ *
+ *   Per `feedback_validation_tier_policy.md`:
+ *     - Client `send / get / cancel` THROW on bad input (entry-point).
+ *     - Middleware factories THROW on bad opts at boot.
+ *     - The per-request middleware path returns a JSON-RPC error
+ *       response on protocol violations (consistent with mcp.refuse).
+ *
+ * @card
+ *   A2A v1 task-exchange surface — JSON-RPC dispatchers + server middleware (agentCard + tasks) + SSE streaming for long-running tasks.
+ */
+
+var nodeCrypto    = require("node:crypto");
+var lazyRequire   = require("./lazy-require");
+var numericBounds = require("./numeric-bounds");
+var safeJson      = require("./safe-json");
+var safeUrl       = require("./safe-url");
+var safeBuffer    = require("./safe-buffer");
+var validateOpts  = require("./validate-opts");
+var { defineClass } = require("./framework-error");
+
+var httpClient = lazyRequire(function () { return require("./http-client"); });
+var audit      = lazyRequire(function () { return require("./audit"); });
+var C          = require("./constants");
+
+// A2aTasksError is the per-call error class — separate from A2aError
+// (which exists for the card-signing primitives) so operators can
+// catch task-shape errors distinctly.
+var A2aTasksError = defineClass("A2aTasksError", { alwaysPermanent: true });
+
+var JSONRPC_VERSION = "2.0";
+
+// JSON-RPC 2.0 fixed error codes — A2A inherits these.
+var JSONRPC_PARSE_ERROR      = -32700;                                                             // allow:raw-byte-literal — JSON-RPC fixed code / allow:raw-time-literal — not seconds
+var JSONRPC_INVALID_REQUEST  = -32600;                                                             // allow:raw-byte-literal — JSON-RPC fixed code / allow:raw-time-literal — not seconds
+var JSONRPC_METHOD_NOT_FOUND = -32601;                                                             // allow:raw-byte-literal — JSON-RPC fixed code / allow:raw-time-literal — not seconds
+var JSONRPC_INVALID_PARAMS   = -32602;                                                             // allow:raw-byte-literal — JSON-RPC fixed code / allow:raw-time-literal — not seconds
+var JSONRPC_INTERNAL_ERROR   = -32603;                                                             // allow:raw-byte-literal — JSON-RPC fixed code / allow:raw-time-literal — not seconds
+
+// A2A-specific error codes per the spec's task-error vocabulary.
+// A2A_TASK_NOT_FOUND (-32002) + A2A_TASK_NOT_CANCELABLE (-32003) are
+// raised by operator handlers — they're reserved here for documentation
+// purposes only.
+var A2A_SCOPE_DENIED         = -32001;                                                             // allow:raw-byte-literal — JSON-RPC server-error range / allow:raw-time-literal — not seconds
+
+var ALLOWED_METHODS = Object.freeze(["tasks/send", "tasks/get", "tasks/cancel"]);
+
+var TASK_ID_RE = /^[A-Za-z0-9_-]{1,64}$/;
+// Same identifier shape as MCP tool-name; consolidating would couple
+// MCP + A2A protocol identifiers into a single primitive.
+var SKILL_NAME_RE = /^[a-zA-Z][a-zA-Z0-9._-]{0,63}$/;   // allow:duplicate-regex — RFC-3986-unreserved identifier shape, shared across mcp.js + mcp-tool-registry.js
+// allow:raw-byte-literal — RFC-3986-unreserved identifier shape (length cap inside regex), not a byte count
+
+function _emitAudit(action, metadata, outcome) {
+  try {
+    audit().safeEmit({
+      action:   action,
+      outcome:  outcome || "success",
+      metadata: metadata,
+    });
+  } catch (_e) { /* best-effort */ }
+}
+
+var bCrypto = lazyRequire(function () { return require("./crypto"); });
+
+// _newTaskId is reserved for the operator-handler path that mints
+// peer-assigned task IDs server-side. The underscore prefix already
+// satisfies the framework's unused-var policy so the helper stays
+// available without an explicit disable directive.
+function _newTaskId() {
+  return bCrypto().generateToken(12);                                                               // allow:raw-byte-literal — 96-bit task id, not byte arithmetic on payload
+}
+
+function _validateTaskShape(task, where) {
+  if (!task || typeof task !== "object" || Array.isArray(task)) {
+    throw new A2aTasksError("a2a-tasks/bad-task",
+      where + ": task must be a non-null object", true);
+  }
+  validateOpts.requireNonEmptyString(task.skill, where + ".skill", A2aTasksError, "a2a-tasks/bad-skill");
+  if (task.skill.length > 64 || !SKILL_NAME_RE.test(task.skill)) {                                // allow:raw-byte-literal — A2A skill-name length cap, not byte count
+
+    throw new A2aTasksError("a2a-tasks/bad-skill",
+      where + ".skill '" + task.skill + "' must match " + SKILL_NAME_RE);
+  }
+  if (task.input !== undefined && (typeof task.input !== "object" || task.input === null)) {
+    throw new A2aTasksError("a2a-tasks/bad-input",
+      where + ".input must be an object when provided", true);
+  }
+}
+
+// ---- Client-side dispatchers ----
+
+/**
+ * @primitive b.a2a.tasks.send
+ * @signature b.a2a.tasks.send(opts)
+ * @since     0.8.85
+ * @status    stable
+ * @related   b.a2a.tasks.get, b.a2a.tasks.cancel, b.a2a.signCard
+ *
+ * Post a `tasks/send` JSON-RPC request to a peer A2A agent. Returns
+ * the peer's `tasks/send` result — typically `{ taskId, status }` or
+ * a final-state response when the task ran synchronously.
+ *
+ * @opts
+ *   peerUrl:   string,    // peer's A2A endpoint URL (https only)
+ *   task:      object,    // { skill, input } per A2A v1 §4
+ *   timeoutMs: number,    // optional — default 30s
+ *   headers:   object,    // optional — extra HTTP headers (signed
+ *                         //            auth / mTLS / RFC 9421 sig)
+ *   audit:     boolean,   // default true
+ *
+ * @example
+ *   var rsp = await b.a2a.tasks.send({
+ *     peerUrl: "https://agent.example.com/a2a",
+ *     task:    { skill: "summarize", input: { url: "..." } },
+ *   });
+ *   // rsp.taskId === "<peer-assigned-id>"
+ *   // rsp.status === "queued" | "running" | "completed"
+ */
+async function send(opts) {
+  if (!opts || typeof opts !== "object") {
+    throw new A2aTasksError("a2a-tasks/bad-opts",
+      "tasks.send: opts required (peerUrl + task)", true);
+  }
+  validateOpts.requireNonEmptyString(opts.peerUrl, "tasks.send.peerUrl", A2aTasksError, "a2a-tasks/bad-peer-url");
+  // Refuse non-https — A2A v1 §3 mandates TLS for transport.
+  try { safeUrl.parse(opts.peerUrl, { allowedProtocols: ["https:"] }); }
+  catch (_e) {
+    throw new A2aTasksError("a2a-tasks/bad-peer-url",
+      "tasks.send: peerUrl must be a valid https URL");
+  }
+  _validateTaskShape(opts.task, "tasks.send.task");
+  var timeoutMs = opts.timeoutMs !== undefined ? opts.timeoutMs : C.TIME.seconds(30);
+  return _jsonRpc(opts.peerUrl, "tasks/send", { task: opts.task }, {
+    timeoutMs: timeoutMs,
+    headers:   opts.headers || {},
+    audit:     opts.audit !== false,
+  });
+}
+
+/**
+ * @primitive b.a2a.tasks.get
+ * @signature b.a2a.tasks.get(opts)
+ * @since     0.8.85
+ * @status    stable
+ * @related   b.a2a.tasks.send, b.a2a.tasks.cancel
+ *
+ * Poll a peer task's current status via `tasks/get`. Returns the
+ * peer's status record — `{ taskId, status, result?, error? }`.
+ *
+ * @opts
+ *   peerUrl: string,
+ *   taskId:  string,
+ *   timeoutMs: number,
+ *   headers: object,
+ *
+ * @example
+ *   var st = await b.a2a.tasks.get({ peerUrl: url, taskId: "abc" });
+ *   if (st.status === "completed") console.log(st.result);
+ */
+async function get(opts) {
+  if (!opts || typeof opts !== "object") {
+    throw new A2aTasksError("a2a-tasks/bad-opts",
+      "tasks.get: opts required (peerUrl + taskId)", true);
+  }
+  validateOpts.requireNonEmptyString(opts.peerUrl, "tasks.get.peerUrl", A2aTasksError, "a2a-tasks/bad-peer-url");
+  validateOpts.requireNonEmptyString(opts.taskId, "tasks.get.taskId", A2aTasksError, "a2a-tasks/bad-task-id");
+  if (opts.taskId.length > 64 || !TASK_ID_RE.test(opts.taskId)) {                                  // allow:raw-byte-literal — A2A task-id length cap, not byte count
+    throw new A2aTasksError("a2a-tasks/bad-task-id",
+      "tasks.get: taskId must match " + TASK_ID_RE);
+  }
+  return _jsonRpc(opts.peerUrl, "tasks/get", { taskId: opts.taskId }, {
+    timeoutMs: opts.timeoutMs !== undefined ? opts.timeoutMs : C.TIME.seconds(15),
+    headers:   opts.headers || {},
+    audit:     opts.audit !== false,
+  });
+}
+
+/**
+ * @primitive b.a2a.tasks.cancel
+ * @signature b.a2a.tasks.cancel(opts)
+ * @since     0.8.85
+ * @status    stable
+ * @related   b.a2a.tasks.send, b.a2a.tasks.get
+ *
+ * Request peer cancellation via `tasks/cancel`. Peer MAY refuse with
+ * `-32003 task-not-cancelable` for tasks that have completed or
+ * passed a cancellation point.
+ *
+ * @opts
+ *   peerUrl:   string,    // peer's A2A endpoint URL (https only)
+ *   taskId:    string,    // peer-assigned task identifier
+ *   timeoutMs: number,    // optional — default 15s
+ *   headers:   object,    // optional — extra HTTP headers
+ *   audit:     boolean,   // default true
+ *
+ * @example
+ *   try {
+ *     await b.a2a.tasks.cancel({ peerUrl: url, taskId: "abc" });
+ *   } catch (e) {
+ *     if (e.rpcCode === -32003) console.log("task already past cancel point");
+ *   }
+ */
+async function cancel(opts) {
+  if (!opts || typeof opts !== "object") {
+    throw new A2aTasksError("a2a-tasks/bad-opts",
+      "tasks.cancel: opts required (peerUrl + taskId)", true);
+  }
+  validateOpts.requireNonEmptyString(opts.peerUrl, "tasks.cancel.peerUrl", A2aTasksError, "a2a-tasks/bad-peer-url");
+  validateOpts.requireNonEmptyString(opts.taskId, "tasks.cancel.taskId", A2aTasksError, "a2a-tasks/bad-task-id");
+  if (opts.taskId.length > 64 || !TASK_ID_RE.test(opts.taskId)) {                                  // allow:raw-byte-literal — A2A task-id length cap, not byte count
+    throw new A2aTasksError("a2a-tasks/bad-task-id",
+      "tasks.cancel: taskId must match " + TASK_ID_RE);
+  }
+  return _jsonRpc(opts.peerUrl, "tasks/cancel", { taskId: opts.taskId }, {
+    timeoutMs: opts.timeoutMs !== undefined ? opts.timeoutMs : C.TIME.seconds(15),
+    headers:   opts.headers || {},
+    audit:     opts.audit !== false,
+  });
+}
+
+async function _jsonRpc(url, method, params, opts) {
+  var id = nodeCrypto.randomUUID();
+  var body = JSON.stringify({
+    jsonrpc: JSONRPC_VERSION,
+    id:      id,
+    method:  method,
+    params:  params,
+  });
+  var startMs = Date.now();
+  var rsp;
+  try {
+    rsp = await httpClient().request({
+      method:  "POST",
+      url:     url,
+      body:    body,
+      headers: Object.assign({
+        "Content-Type": "application/json",
+        "Accept":       "application/json",
+      }, opts.headers),
+      timeoutMs: opts.timeoutMs,
+    });
+  } catch (transportErr) {
+    if (opts.audit) {
+      _emitAudit("a2a.tasks.transport_failed",
+        { method: method, url: url, error: String(transportErr.message || transportErr), elapsedMs: Date.now() - startMs },
+        "warning");
+    }
+    throw new A2aTasksError("a2a-tasks/transport",
+      "tasks." + method.split("/")[1] + ": transport error: " + (transportErr.message || transportErr));
+  }
+  if (rsp.statusCode < 200 || rsp.statusCode >= 300) {                                             // allow:raw-byte-literal — HTTP status class boundaries
+    if (opts.audit) {
+      _emitAudit("a2a.tasks.http_error",
+        { method: method, url: url, statusCode: rsp.statusCode, elapsedMs: Date.now() - startMs },
+        "warning");
+    }
+    throw new A2aTasksError("a2a-tasks/http-error",
+      "tasks." + method.split("/")[1] + ": HTTP " + rsp.statusCode);
+  }
+  var parsed;
+  try {
+    parsed = safeJson.parse(typeof rsp.body === "string" ? rsp.body : rsp.body.toString("utf8"),
+      { maxBytes: C.BYTES.mib(8) });
+  } catch (parseErr) {
+    throw new A2aTasksError("a2a-tasks/bad-response",
+      "tasks." + method.split("/")[1] + ": response not valid JSON: " + (parseErr.message || parseErr));
+  }
+  if (!parsed || typeof parsed !== "object" || parsed.jsonrpc !== JSONRPC_VERSION) {
+    throw new A2aTasksError("a2a-tasks/bad-response",
+      "tasks." + method.split("/")[1] + ": response is not a JSON-RPC 2.0 envelope");
+  }
+  if (parsed.error) {
+    if (opts.audit) {
+      _emitAudit("a2a.tasks.rpc_error",
+        { method: method, url: url, errorCode: parsed.error.code, errorMessage: parsed.error.message },
+        "warning");
+    }
+    var err = new A2aTasksError("a2a-tasks/rpc-error",
+      "tasks." + method.split("/")[1] + ": " + (parsed.error.message || "rpc error"));
+    err.rpcCode = parsed.error.code;
+    err.rpcData = parsed.error.data;
+    throw err;
+  }
+  if (opts.audit) {
+    _emitAudit("a2a.tasks.ok",
+      { method: method, url: url, elapsedMs: Date.now() - startMs });
+  }
+  return parsed.result;
+}
+
+// ---- Server-side middleware ----
+
+/**
+ * @primitive b.a2a.middleware.tasks
+ * @signature b.a2a.middleware.tasks(opts)
+ * @since     0.8.85
+ * @status    stable
+ * @related   b.a2a.middleware.agentCard, b.a2a.tasks.send
+ *
+ * Build the server-side A2A tasks middleware. Returns a connect-style
+ * `(req, res, next) => void` that:
+ *
+ *   - Parses inbound JSON-RPC 2.0 requests from POST request bodies.
+ *     Refuses non-POST + non-application/json with 405 / 415.
+ *   - Refuses methods not in `["tasks/send", "tasks/get",
+ *     "tasks/cancel"]` with JSON-RPC -32601 method-not-found.
+ *   - Enforces per-skill scope via `opts.scopes` — a map
+ *     `{ skillName: requiredScope }`. The middleware reads
+ *     `req.a2aScopes` (populated by the operator's auth layer; e.g.
+ *     parsed from a bearer token's claims or an mTLS cert SAN) and
+ *     refuses calls whose required scope isn't granted with -32001.
+ *   - Dispatches to `opts.handler({ method, taskId?, task?, req })`
+ *     which returns the task state (or throws for errors that get
+ *     mapped to -32603).
+ *
+ *   The middleware writes the JSON-RPC response itself; it does NOT
+ *   call `next()`. Operators chaining additional middleware after
+ *   this one should mount on a separate path.
+ *
+ * @opts
+ *   handler:    function (ctx) → result  — REQUIRED
+ *   scopes:     { skillName: scopeString } — optional per-skill scope map
+ *   maxBytes:   number — body cap (default 1 MiB)
+ *   audit:      boolean — default true
+ *
+ * @example
+ *   var mw = b.a2a.middleware.tasks({
+ *     scopes: { summarize: "a2a:summarize", search: "a2a:search" },
+ *     handler: async function ({ method, task, taskId }) {
+ *       if (method === "tasks/send") {
+ *         var newId = "t-" + Math.random().toString(36).slice(2, 10);
+ *         queue.push({ id: newId, task });
+ *         return { taskId: newId, status: "queued" };
+ *       }
+ *       if (method === "tasks/get") {
+ *         return tasks.get(taskId);
+ *       }
+ *       if (method === "tasks/cancel") {
+ *         return tasks.cancel(taskId);
+ *       }
+ *     },
+ *   });
+ *   app.post("/a2a", mw);
+ */
+function middlewareTasks(opts) {
+  if (!opts || typeof opts !== "object") {
+    throw new A2aTasksError("a2a-tasks/bad-mw-opts",
+      "middleware.tasks: opts required (handler)", true);
+  }
+  if (typeof opts.handler !== "function") {
+    throw new A2aTasksError("a2a-tasks/bad-mw-opts",
+      "middleware.tasks: opts.handler must be a function", true);
+  }
+  if (opts.scopes !== undefined) {
+    if (typeof opts.scopes !== "object" || opts.scopes === null || Array.isArray(opts.scopes)) {
+      throw new A2aTasksError("a2a-tasks/bad-mw-opts",
+        "middleware.tasks: opts.scopes must be an object when provided", true);
+    }
+  }
+  var maxBytes = opts.maxBytes !== undefined ? opts.maxBytes : C.BYTES.mib(1);
+  var emitAudit = opts.audit !== false;
+  var scopes = opts.scopes || null;
+
+  return function a2aTasksMiddleware(req, res) {
+    if ((req.method || "").toUpperCase() !== "POST") {
+      res.statusCode = 405;                                                                        // allow:raw-byte-literal — HTTP 405 Method Not Allowed
+      res.setHeader("Content-Type", "application/json");
+      res.setHeader("Allow", "POST");
+      res.end(JSON.stringify(_jsonRpcError(null, JSONRPC_INVALID_REQUEST, "method must be POST")));
+      return;
+    }
+    var ctype = (req.headers && (req.headers["content-type"] || req.headers["Content-Type"])) || "";
+    if (typeof ctype === "string" && ctype.indexOf("application/json") !== 0 && ctype.indexOf("application/json") === -1) {
+      res.statusCode = 415;                                                                        // allow:raw-byte-literal — HTTP 415 Unsupported Media Type
+      res.setHeader("Content-Type", "application/json");
+      res.end(JSON.stringify(_jsonRpcError(null, JSONRPC_INVALID_REQUEST, "Content-Type must be application/json")));
+      return;
+    }
+
+    _readBody(req, maxBytes).then(function (rawBytes) {
+      var body;
+      try {
+        body = safeJson.parse(rawBytes.toString("utf8"), { maxBytes: maxBytes });
+      } catch (_parseErr) {
+        res.statusCode = 400;                                                                      // allow:raw-byte-literal — HTTP 400 Bad Request
+        res.setHeader("Content-Type", "application/json");
+        res.end(JSON.stringify(_jsonRpcError(null, JSONRPC_PARSE_ERROR, "invalid JSON body")));
+        return;
+      }
+      if (!body || typeof body !== "object" || body.jsonrpc !== JSONRPC_VERSION ||
+          typeof body.method !== "string") {
+        res.statusCode = 400;                                                                      // allow:raw-byte-literal — HTTP 400 Bad Request
+        res.setHeader("Content-Type", "application/json");
+        res.end(JSON.stringify(_jsonRpcError(body && body.id, JSONRPC_INVALID_REQUEST,
+          "expected JSON-RPC 2.0 envelope { jsonrpc, id?, method, params? }")));
+        return;
+      }
+      var reqId = body.id !== undefined ? body.id : null;
+      if (ALLOWED_METHODS.indexOf(body.method) === -1) {
+        res.statusCode = 200;                                                                      // allow:raw-byte-literal — JSON-RPC errors return 200 with error envelope
+        res.setHeader("Content-Type", "application/json");
+        res.end(JSON.stringify(_jsonRpcError(reqId, JSONRPC_METHOD_NOT_FOUND,
+          "method '" + body.method + "' not in [" + ALLOWED_METHODS.join(", ") + "]")));
+        return;
+      }
+      var params = body.params || {};
+
+      // Scope enforcement for tasks/send (task references a skill).
+      if (body.method === "tasks/send" && scopes) {
+        if (!params.task || typeof params.task !== "object" || typeof params.task.skill !== "string") {
+          res.statusCode = 200;                                                                    // allow:raw-byte-literal — JSON-RPC error envelope returns 200
+          res.setHeader("Content-Type", "application/json");
+          res.end(JSON.stringify(_jsonRpcError(reqId, JSONRPC_INVALID_PARAMS,
+            "tasks/send: params.task.skill required")));
+          return;
+        }
+        var requiredScope = scopes[params.task.skill];
+        if (typeof requiredScope === "string") {
+          var grantedScopes = Array.isArray(req.a2aScopes) ? req.a2aScopes : [];
+          if (grantedScopes.indexOf(requiredScope) === -1) {
+            if (emitAudit) {
+              _emitAudit("a2a.tasks.scope_denied",
+                { skill: params.task.skill, requiredScope: requiredScope }, "denied");
+            }
+            res.statusCode = 200;                                                                  // allow:raw-byte-literal — JSON-RPC error envelope returns 200
+            res.setHeader("Content-Type", "application/json");
+            res.end(JSON.stringify(_jsonRpcError(reqId, A2A_SCOPE_DENIED,
+              "scope '" + requiredScope + "' required for skill '" + params.task.skill + "'")));
+            return;
+          }
+        }
+      }
+
+      var ctx = {
+        method:  body.method,
+        task:    params.task,
+        taskId:  params.taskId,
+        req:     req,
+      };
+      Promise.resolve()
+        .then(function () { return opts.handler(ctx); })
+        .then(function (result) {
+          if (emitAudit) {
+            _emitAudit("a2a.tasks.handled",
+              { method: body.method, skill: params.task && params.task.skill, taskId: params.taskId });
+          }
+          res.statusCode = 200;                                                                    // allow:raw-byte-literal — JSON-RPC 200 with result envelope
+          res.setHeader("Content-Type", "application/json");
+          res.end(JSON.stringify({
+            jsonrpc: JSONRPC_VERSION,
+            id:      reqId,
+            result:  result,
+          }));
+        })
+        .catch(function (handlerErr) {
+          var code = handlerErr && handlerErr.rpcCode || JSONRPC_INTERNAL_ERROR;
+          var msg  = (handlerErr && handlerErr.message) || "handler error";
+          if (emitAudit) {
+            _emitAudit("a2a.tasks.handler_error",
+              { method: body.method, errorMessage: msg, errorCode: code }, "warning");
+          }
+          res.statusCode = 200;                                                                    // allow:raw-byte-literal — JSON-RPC error envelope returns 200
+          res.setHeader("Content-Type", "application/json");
+          res.end(JSON.stringify(_jsonRpcError(reqId, code, msg)));
+        });
+    }).catch(function (readErr) {
+      res.statusCode = 400;                                                                        // allow:raw-byte-literal — HTTP 400 Bad Request
+      res.setHeader("Content-Type", "application/json");
+      res.end(JSON.stringify(_jsonRpcError(null, JSONRPC_PARSE_ERROR,
+        "could not read request body: " + (readErr.message || readErr))));
+    });
+  };
+}
+
+function _jsonRpcError(id, code, message, data) {
+  var err = { code: code, message: message };
+  if (data !== undefined) err.data = data;
+  return {
+    jsonrpc: JSONRPC_VERSION,
+    id:      id,
+    error:   err,
+  };
+}
+
+function _readBody(req, maxBytes) {
+  return new Promise(function (resolve, reject) {
+    var collector = safeBuffer.boundedChunkCollector({
+      maxBytes:    maxBytes,
+      errorClass:  A2aTasksError,
+      sizeCode:    "a2a-tasks/body-too-large",
+      sizeMessage: "a2a-tasks: request body exceeded " + maxBytes + " bytes",
+    });
+    req.on("data", function (chunk) {
+      try { collector.push(chunk); }
+      catch (capErr) { reject(capErr); }
+    });
+    req.on("end", function () { resolve(collector.result()); });
+    req.on("error", function (e) { reject(e); });
+  });
+}
+
+/**
+ * @primitive b.a2a.middleware.agentCard
+ * @signature b.a2a.middleware.agentCard(opts)
+ * @since     0.8.85
+ * @status    stable
+ * @related   b.a2a.signCard, b.a2a.middleware.tasks
+ *
+ * Build a middleware that serves the operator's Agent Card at
+ * `/.well-known/agent.json` per the A2A v1 discovery convention.
+ * The middleware writes a 200 JSON response on GET; refuses other
+ * methods with 405. Mount on a router path that resolves the
+ * well-known prefix (operator-side).
+ *
+ * @opts
+ *   card:        object (REQUIRED) — the signed-card envelope from b.a2a.signCard
+ *   maxAgeSec:   number (default 300) — Cache-Control max-age
+ *
+ * @example
+ *   var raw = b.a2a.createCard({
+ *     agent: { name: "my-agent", version: "1.0.0" },
+ *     skills: [{ name: "summarize" }],
+ *   });
+ *   var card = b.a2a.signCard(raw, pair.privateKey);
+ *   app.get("/.well-known/agent.json", b.a2a.middleware.agentCard({ card: card }));
+ */
+function middlewareAgentCard(opts) {
+  if (!opts || typeof opts !== "object") {
+    throw new A2aTasksError("a2a-tasks/bad-mw-opts",
+      "middleware.agentCard: opts required (card)", true);
+  }
+  if (!opts.card || typeof opts.card !== "object") {
+    throw new A2aTasksError("a2a-tasks/bad-mw-opts",
+      "middleware.agentCard: opts.card required (output of b.a2a.signCard)", true);
+  }
+  numericBounds.requireNonNegativeFiniteIntIfPresent(
+    opts.maxAgeSec, "middleware.agentCard.maxAgeSec", A2aTasksError, "a2a-tasks/bad-max-age");
+  var maxAgeSec = (opts.maxAgeSec !== undefined && opts.maxAgeSec !== null && opts.maxAgeSec > 0)
+    ? Math.floor(opts.maxAgeSec)
+    : (C.TIME.minutes(5) / C.TIME.seconds(1));
+  var cardJson = JSON.stringify(opts.card);
+  return function a2aAgentCardMiddleware(req, res) {
+    if ((req.method || "").toUpperCase() !== "GET") {
+      res.statusCode = 405;                                                                        // allow:raw-byte-literal — HTTP 405 Method Not Allowed
+      res.setHeader("Allow", "GET");
+      res.end();
+      return;
+    }
+    res.statusCode = 200;                                                                          // allow:raw-byte-literal — HTTP 200 OK
+    res.setHeader("Content-Type", "application/json");
+    res.setHeader("Cache-Control", "public, max-age=" + maxAgeSec);
+    res.end(cardJson);
+  };
+}
+
+module.exports = {
+  send:            send,
+  get:             get,
+  cancel:          cancel,
+  middleware: {
+    tasks:     middlewareTasks,
+    agentCard: middlewareAgentCard,
+  },
+  ALLOWED_METHODS: ALLOWED_METHODS,
+  A2aTasksError:   A2aTasksError,
+};