@blamejs/blamejs-shop 0.0.44

package/lib/vendor/blamejs/lib/auth/aal.js

@@ -0,0 +1,169 @@
+"use strict";
+/**
+ * NIST SP 800-63-4 Authentication Assurance Levels.
+ *
+ * Three bands (AAL1, AAL2, AAL3) describe the rigor of the
+ * authentication ceremony that gated this session. Operators wiring
+ * step-up flows compare the AAL band of an incoming request against
+ * the minimum required for a given route — break-glass / financial /
+ * PHI / admin paths gate at AAL2 or AAL3, low-risk read paths at
+ * AAL1.
+ *
+ *   const aal = b.auth.aal.fromMethods({
+ *     password:  true,    // memorized secret (single factor)
+ *     webauthn:  true,    // multi-factor cryptographic authenticator
+ *   });   // → "AAL3"
+ *
+ *   b.middleware.requireAal({ minimum: "AAL2" })
+ *
+ * SP 800-63-4 (final, 2026) replaces SP 800-63-3 (2017). The band
+ * ordering is unchanged; the framework helpers reflect the 2026
+ * vocabulary (memorized secret / single-factor / multi-factor /
+ * phishing-resistant) rather than the older "Something you know /
+ * are / have" trichotomy.
+ */
+
+var validateOpts = require("../validate-opts");
+var { AuthError } = require("../framework-error");
+
+// ---- band constants ----
+//
+// Strings (not enums) so operator audit logs / observability sinks
+// see the canonical "AAL1" / "AAL2" / "AAL3" labels directly.
+
+var AAL1 = "AAL1";
+var AAL2 = "AAL2";
+var AAL3 = "AAL3";
+
+var BANDS_ORDER = [AAL1, AAL2, AAL3];
+
+function _bandRank(band) {
+  var idx = BANDS_ORDER.indexOf(band);
+  if (idx === -1) return -1;
+  return idx;
+}
+
+// ---- method classification ----
+//
+// Per SP 800-63B / 63-4 §4.2.1 — each authenticator class carries an
+// implicit factor count. The compose helper below combines a set of
+// satisfied methods into the resulting AAL band.
+//
+// METHOD CLASSES:
+//   - password / pin   → memorized-secret single factor
+//   - totp             → out-of-band single factor
+//   - sms              → restricted single factor (SP 800-63-4 §5.1.3.3
+//                        marks SMS as RESTRICTED — fine for AAL1 only)
+//   - webauthn         → cryptographic multi-factor (verifier-attached
+//                        UV=true → phishing-resistant per SP 800-63B §5.2.5)
+//   - passkey          → synonym for webauthn-with-UV (operator
+//                        contract: a "passkey" implies UV=true)
+//   - hardware         → hardware cryptographic single factor
+//                        (smart card, FIDO U2F-only)
+//   - mtls             → cryptographic single factor; combine with
+//                        memorized secret for AAL2
+//
+// The compose function takes a methods-object `{ password: true,
+// webauthn: true, ... }` and returns the resulting band. Operators
+// supply the methods object based on what THEIR auth flow verified.
+
+var KNOWN_METHODS = [
+  "password", "pin", "totp", "sms", "webauthn", "passkey",
+  "hardware", "mtls",
+  // `uv` is a webauthn-side qualifier: when true, the
+  // authenticator-data UV bit was set on the assertion. Required
+  // for AAL3 paired with `webauthn` / `passkey` per SP 800-63-4
+  // §5.1.7.
+  "uv",
+];
+
+function fromMethods(methods) {
+  if (!methods || typeof methods !== "object") {
+    throw new AuthError("auth-aal/bad-methods",
+      "fromMethods: methods must be an object like { password: true, webauthn: true, uv: true }");
+  }
+  var has = function (m) { return methods[m] === true; };
+  // SP 800-63-4 §5.1.7 — WebAuthn / passkey satisfies AAL3 only when
+  // user verification (UV) was actually performed on the assertion
+  // (MF-CRYPT requires the verifier to confirm the user authorized
+  // the operation). Pre-v0.9.2 this returned AAL3 unconditionally
+  // for any webauthn:true assertion; an operator using
+  // `userVerification: "preferred"` whose authenticator skipped UV
+  // landed in AAL3 despite not satisfying the spec's MF requirement.
+  //
+  // The operator passes `methods.uv: true` when verifyAuthentication's
+  // result confirmed UV on the authenticator data (vendor's
+  // `userVerified` flag). When `uv` is omitted or false, webauthn
+  // alone caps at AAL2 (SF-CRYPT — the cryptographic authenticator
+  // is verified, but user-verification proof is missing).
+  // Operators wanting the legacy optimistic path can pass
+  // `methods.uv: true` based on their startAuthentication
+  // `userVerification: "required"` setting having forced UV.
+  if ((has("webauthn") || has("passkey")) && has("uv")) return AAL3;
+  if ((has("webauthn") || has("passkey")) && !has("uv")) {
+    // SF-CRYPT (cryptographic but no UV-bound MF). Combine with a
+    // memorized secret to satisfy MF.
+    if (has("password") || has("pin")) return AAL3;
+    return AAL2;
+  }
+  if (has("hardware") && (has("password") || has("pin"))) return AAL3;
+
+  if (has("password") || has("pin")) {
+    if (has("totp") || has("sms") || has("hardware") || has("mtls")) return AAL2;
+    return AAL1;     // memorized secret alone
+  }
+
+  if (has("hardware") || has("mtls")) return AAL1;
+
+  throw new AuthError("auth-aal/no-methods",
+    "fromMethods: methods object did not assert any known authenticator " +
+    "(known: " + KNOWN_METHODS.join(", ") + ")");
+}
+
+function isValidBand(band) {
+  return band === AAL1 || band === AAL2 || band === AAL3;
+}
+
+function meets(actualBand, requiredBand) {
+  if (!isValidBand(actualBand)) return false;
+  if (!isValidBand(requiredBand)) return false;
+  return _bandRank(actualBand) >= _bandRank(requiredBand);
+}
+
+// ---- helper for operator-side AAL ↔ AMR JWT claim ----
+//
+// SP 800-63-4 doesn't define a JWT claim shape; operators emitting
+// access tokens with AAL info typically use `acr` / `amr` (RFC 9068
+// §3 / OpenID Connect Core §2). The framework leaves that wiring to
+// the operator — but the constants make the AMR strings consistent.
+// RFC 8176 §2 — registered AMR values. Pre-v0.9.x mapped WEBAUTHN to
+// `fido-u2f`; that's the OLD U2F protocol AMR. Modern WebAuthn
+// authenticators use the `hwk` ("proof-of-possession of a hardware-
+// secured key") AMR — the same one HARDWARE uses, since WebAuthn IS
+// a hardware-cryptographic-authenticator binding. PASSKEY remains a
+// distinct AMR for the synced multi-device case (operators using the
+// FIDO-published "passkey" AMR can disambiguate from one-device hwk).
+var AMR = Object.freeze({
+  PASSWORD:  "pwd",
+  PIN:       "pin",
+  TOTP:      "otp",
+  SMS:       "sms",
+  WEBAUTHN:  "hwk",
+  PASSKEY:   "passkey",
+  HARDWARE:  "hwk",
+  MTLS:      "mtls",
+});
+
+module.exports = {
+  AAL1:         AAL1,
+  AAL2:         AAL2,
+  AAL3:         AAL3,
+  BANDS:        Object.freeze([AAL1, AAL2, AAL3]),
+  KNOWN_METHODS: Object.freeze(KNOWN_METHODS),
+  AMR:          AMR,
+  fromMethods:  fromMethods,
+  isValidBand:  isValidBand,
+  meets:        meets,
+  // Operator-facing optional-band validator — used by middleware below.
+  _validateOpts: validateOpts,
+};

package/lib/vendor/blamejs/lib/auth/access-lock.js

@@ -0,0 +1,220 @@
+"use strict";
+/**
+ * b.auth.accessLock — three-mode access-lock primitive for stop-the-
+ * world / read-only / role-restricted operator interventions.
+ *
+ * Operators flip the framework's serving posture between modes during
+ * incident response, schema migration windows, security investigations,
+ * and break-glass review:
+ *
+ *   "open"      — normal operation; every request reaches its handler
+ *   "read-only" — refuses non-idempotent methods (POST/PUT/PATCH/DELETE)
+ *                 with 503; GET/HEAD/OPTIONS pass
+ *   "locked"    — refuses every request with 503 except a small set of
+ *                 operator-specified pass-through paths (status, health,
+ *                 break-glass-unlock); useful during schema migrations or
+ *                 a hard maintenance window
+ *
+ * Mode flips audit + emit a metric so dashboards see the transition.
+ * The operator-supplied unlockRoles allows a privileged role
+ * (configured via b.permissions) to bypass all three modes — the
+ * break-glass operator can always reach the unlock endpoint to flip
+ * back to "open". Without unlockRoles, "locked" is genuinely closed
+ * and the operator has to redeploy with an opts.startMode override
+ * to recover.
+ *
+ *   var lock = b.auth.accessLock.create({
+ *     startMode:    "open",
+ *     unlockRoles:  ["sre", "security-incident-response"],
+ *     passthroughPaths: ["/healthz", "/readyz", "/admin/access-lock"],
+ *     audit:        b.audit,
+ *     getRole:      function (req) { return req.user && req.user.role; },
+ *   });
+ *
+ *   router.use(lock.middleware());
+ *   router.post("/admin/access-lock/:mode", function (req, res) {
+ *     await lock.set(req.params.mode, { actor: req.user.id, reason: req.body.reason });
+ *     res.json({ mode: lock.mode() });
+ *   });
+ */
+
+var defineClass = require("../framework-error").defineClass;
+var lazyRequire = require("../lazy-require");
+var validateOpts = require("../validate-opts");
+
+var audit = lazyRequire(function () { return require("../audit"); });
+var observability = lazyRequire(function () { return require("../observability"); });
+
+var AccessLockError = defineClass("AccessLockError", { alwaysPermanent: true });
+
+var VALID_MODES = Object.freeze({ open: 1, "read-only": 1, locked: 1 });
+var SAFE_METHODS = Object.freeze({ GET: 1, HEAD: 1, OPTIONS: 1 });
+
+function _normalizeMode(mode) {
+  if (typeof mode !== "string") return null;
+  var m = mode.toLowerCase();
+  return VALID_MODES[m] ? m : null;
+}
+
+function create(opts) {
+  opts = opts || {};
+  validateOpts(opts, [
+    "startMode", "unlockRoles", "passthroughPaths",
+    "audit", "getRole", "errorMessage",
+  ], "auth.accessLock");
+
+  var startMode = _normalizeMode(opts.startMode || "open");
+  if (!startMode) {
+    throw new AccessLockError("auth-access-lock/bad-mode",
+      "auth.accessLock: opts.startMode must be one of " + Object.keys(VALID_MODES).join(", "));
+  }
+  var unlockRoles = Array.isArray(opts.unlockRoles) ? opts.unlockRoles.slice() : [];
+  for (var ri = 0; ri < unlockRoles.length; ri++) {
+    if (typeof unlockRoles[ri] !== "string" || unlockRoles[ri].length === 0) {
+      throw new AccessLockError("auth-access-lock/bad-role",
+        "auth.accessLock: unlockRoles[" + ri + "] must be a non-empty string");
+    }
+  }
+  var passthroughPaths = Array.isArray(opts.passthroughPaths)
+    ? opts.passthroughPaths.slice() : [];
+  var auditOn = opts.audit !== false;
+  var getRole = typeof opts.getRole === "function" ? opts.getRole : null;
+  var errorMessage = typeof opts.errorMessage === "string" && opts.errorMessage.length > 0
+    ? opts.errorMessage : "service in restricted access mode";
+
+  var currentMode = startMode;
+  var modeSetAt   = Date.now();
+  var modeSetBy   = "boot";
+  var modeReason  = "initial mode at boot";
+
+  function _emitAudit(action, outcome, metadata) {
+    if (!auditOn) return;
+    try {
+      audit().safeEmit({
+        action:   "auth.access_lock." + action,
+        outcome:  outcome,
+        metadata: metadata || {},
+      });
+    } catch (_e) { /* drop-silent — audit is best-effort */ }
+  }
+  function _emitMetric(verb, n, labels) {
+    try { observability().safeEvent("auth.access_lock." + verb, n || 1, labels || {}); }
+    catch (_e) { /* drop-silent */ }
+  }
+
+  function _isPassthrough(req) {
+    if (passthroughPaths.length === 0) return false;
+    var p = req.url || "";
+    var qpos = p.indexOf("?");
+    if (qpos !== -1) p = p.slice(0, qpos);
+    for (var i = 0; i < passthroughPaths.length; i++) {
+      var entry = passthroughPaths[i];
+      if (typeof entry === "string" && (p === entry || p.indexOf(entry + "/") === 0)) return true;
+      if (entry instanceof RegExp && entry.test(p)) return true;
+    }
+    return false;
+  }
+
+  function _hasUnlockRole(req) {
+    if (!getRole || unlockRoles.length === 0) return false;
+    var role;
+    try { role = getRole(req); }
+    catch (_e) { return false; }
+    if (!role) return false;
+    if (typeof role === "string") return unlockRoles.indexOf(role) !== -1;
+    if (Array.isArray(role)) {
+      for (var i = 0; i < role.length; i++) {
+        if (unlockRoles.indexOf(role[i]) !== -1) return true;
+      }
+    }
+    return false;
+  }
+
+  function set(mode, info) {
+    var next = _normalizeMode(mode);
+    if (!next) {
+      throw new AccessLockError("auth-access-lock/bad-mode",
+        "auth.accessLock.set: mode must be one of " + Object.keys(VALID_MODES).join(", "));
+    }
+    if (next === currentMode) return { mode: currentMode, changed: false };
+    var prev = currentMode;
+    info = info || {};
+    currentMode = next;
+    modeSetAt = Date.now();
+    modeSetBy = typeof info.actor === "string" ? info.actor : "unspecified";
+    modeReason = typeof info.reason === "string" ? info.reason : "";
+    _emitAudit("mode_changed", "success", {
+      from:   prev,
+      to:     next,
+      actor:  modeSetBy,
+      reason: modeReason,
+    });
+    _emitMetric("mode_changed", 1, { from: prev, to: next });
+    return { mode: currentMode, changed: true, from: prev };
+  }
+
+  function mode() { return currentMode; }
+  function status() {
+    return {
+      mode:      currentMode,
+      since:     modeSetAt,
+      setBy:     modeSetBy,
+      reason:    modeReason,
+      passthroughPaths: passthroughPaths.slice(),
+      unlockRoles:      unlockRoles.slice(),
+    };
+  }
+
+  function _refuse(res, reason) {
+    if (!res.writableEnded && typeof res.writeHead === "function") {
+      res.writeHead(503, {
+        "Content-Type":  "application/json; charset=utf-8",
+        "Retry-After":   "60",
+        "Cache-Control": "no-store",
+      });
+      res.end(JSON.stringify({ error: errorMessage, mode: currentMode, reason: reason }));
+    }
+  }
+
+  function middleware() {
+    return function accessLockMiddleware(req, res, next) {
+      // open — fast path, no checks.
+      if (currentMode === "open") return next();
+      // passthrough paths bypass all modes (status / health / unlock endpoint).
+      if (_isPassthrough(req)) return next();
+      // unlockRoles bypass all modes.
+      if (_hasUnlockRole(req)) return next();
+      if (currentMode === "read-only") {
+        var method = (req.method || "GET").toUpperCase();
+        if (SAFE_METHODS[method]) return next();
+        _emitAudit("refused", "denied", { mode: currentMode, method: method, path: req.url });
+        _emitMetric("refused", 1, { mode: currentMode, reason: "non-safe-method" });
+        return _refuse(res, "non-safe-method-in-read-only");
+      }
+      // locked — refuse everything that wasn't passthrough / unlockRole.
+      _emitAudit("refused", "denied", { mode: currentMode, method: req.method, path: req.url });
+      _emitMetric("refused", 1, { mode: currentMode, reason: "locked" });
+      return _refuse(res, "locked");
+    };
+  }
+
+  // Initial-mode audit fires once at create-time so operators see the
+  // boot-time posture in the audit chain (confirms the deploy started
+  // in the expected mode).
+  _emitAudit("boot", "success", { mode: currentMode });
+  _emitMetric("boot", 1, { mode: currentMode });
+
+  return {
+    middleware:       middleware,
+    set:              set,
+    mode:             mode,
+    status:           status,
+    VALID_MODES:      Object.keys(VALID_MODES),
+  };
+}
+
+module.exports = {
+  create:          create,
+  AccessLockError: AccessLockError,
+  VALID_MODES:     Object.keys(VALID_MODES),
+};

package/lib/vendor/blamejs/lib/auth/acr-vocabulary.js

@@ -0,0 +1,265 @@
+"use strict";
+/**
+ * ACR (Authentication Context Class Reference) vocabulary.
+ *
+ * The `acr` claim is RFC 9470 §3 + OIDC Core 1.0 §2 + ISO/IEC 29115. It
+ * denotes the rigor of the authentication ceremony that backs the
+ * current session — operators reason about it the same way they reason
+ * about NIST 800-63-4 AAL bands, but ACR carries finer granularity: it
+ * also encodes WHICH method achieved the strength.
+ *
+ * The framework ships a built-in dictionary of well-known ACR values
+ * with a strength-rank assigned from the spec authors' intent, but the
+ * dictionary is operator-extendable: every ACR your IdP issues should
+ * be registered with `register({ value, rank })` so policy decisions
+ * can compare what the request carries against what the route requires.
+ *
+ * Built-in vocabulary (rank ascending):
+ *
+ *   "0"                     → no authentication (public access)
+ *   "1"                     → password / single-factor (OIDC Core)
+ *   "loa1" / "low"          → loa1 / iso-29115 LOA-1 (low confidence)
+ *   "phr"                   → phishing-resistant single-factor
+ *                             (RFC 9470 example value)
+ *   "loa2" / "substantial"  → multi-factor, ISO LOA-2
+ *   "2"                     → multi-factor (OIDC Core)
+ *   "phrh"                  → phishing-resistant + hardware (RFC 9470)
+ *   "loa3" / "high"         → multi-factor + phishing-resistant + hw
+ *   "loa4"                  → in-person verified, hardware-bound
+ *   "urn:mace:incommon:iap:bronze"  → InCommon LoA-1
+ *   "urn:mace:incommon:iap:silver"  → InCommon LoA-2
+ *   "urn:mace:incommon:iap:gold"    → InCommon LoA-3
+ *   "aal1" / "aal2" / "aal3"        → NIST 800-63-4 (cross-walked)
+ *   "ial1" / "ial2" / "ial3"        → NIST 800-63A identity (cross-walked)
+ *   "fal1" / "fal2" / "fal3"        → NIST 800-63C federation
+ *
+ * Operators with a private vocabulary register before evaluation:
+ *
+ *   b.auth.acr.register({ value: "myco:strong", rank: 70 });
+ *
+ * Ranks are operator-comparable integers in [0, 100]. The framework's
+ * built-ins occupy the ranges:
+ *
+ *   0–9    public / unauthenticated
+ *   10–29  single factor
+ *   30–49  multi-factor
+ *   50–69  phishing-resistant multi-factor
+ *   70–89  hardware-bound + phishing-resistant
+ *   90–100 in-person identity-proofed + hardware
+ *
+ * ACR is a STRING value carried in the `acr` JWT claim. Some IdPs emit
+ * the value directly; others stuff a JSON-array of ACRs into the
+ * `acr_values` parameter and let the policy engine pick. The framework
+ * accepts both.
+ *
+ * AMR (Authentication Methods References) per RFC 8176 is a separate
+ * but adjacent vocabulary — it lists WHICH methods were used (e.g.
+ * `["pwd", "otp"]` for password+TOTP). The framework's policy engine
+ * also evaluates AMR: a route requiring `requiredAmr: ["hwk"]`
+ * (hardware-key per RFC 8176) rejects sessions whose AMR lacks `hwk`
+ * even when their ACR ranks high enough.
+ */
+
+var validateOpts = require("../validate-opts");
+var { AuthError } = require("../framework-error");
+
+// Core ranks — ascending strength. Operator-extendable via register().
+var BUILTIN_RANKS = {
+  // Public / unauthenticated
+  "0":                                 0,
+
+  // Single factor
+  "1":                                 10,
+  "loa1":                              10,
+  "low":                               10,
+  "ial1":                              10,
+  "fal1":                              10,
+  "aal1":                              10,
+  "urn:mace:incommon:iap:bronze":      12,
+
+  // Phishing-resistant single factor (e.g. mTLS)
+  "phr":                               25,
+
+  // Multi-factor
+  "2":                                 30,
+  "loa2":                              30,
+  "substantial":                       30,
+  "ial2":                              30,
+  "fal2":                              30,
+  "aal2":                              35,
+  "urn:mace:incommon:iap:silver":      32,    // allow:raw-byte-literal — ACR rank, not bytes
+
+  // Phishing-resistant multi-factor (passkey UV)
+  "phrh":                              60,    // allow:raw-time-literal — ACR rank, not seconds
+
+  // Hardware-bound + phishing-resistant + multi-factor
+  "loa3":                              70,
+  "high":                              70,
+  "ial3":                              75,
+  "fal3":                              75,
+  "aal3":                              75,
+  "urn:mace:incommon:iap:gold":        80,    // allow:raw-byte-literal — ACR rank, not bytes
+
+  // In-person identity-proofed + hardware-bound
+  "loa4":                              95,
+};
+
+// AMR catalog per RFC 8176 — used for requiredAmr policy evaluation.
+// Each entry maps the canonical RFC 8176 short-form to a category that
+// allows operators to evaluate broad classes (e.g. "any phishing-
+// resistant method" → `category: "phishing-resistant"`).
+var BUILTIN_AMR = {
+  "face":   { category: "biometric",          phishingResistant: false },
+  "fpt":    { category: "biometric",          phishingResistant: false },
+  "geo":    { category: "context",            phishingResistant: false },
+  "hwk":    { category: "hardware",           phishingResistant: true  },
+  "iris":   { category: "biometric",          phishingResistant: false },
+  "kba":    { category: "knowledge",          phishingResistant: false },
+  "mca":    { category: "multi-channel",      phishingResistant: false },
+  "mfa":    { category: "composite",          phishingResistant: false },
+  "otp":    { category: "out-of-band",        phishingResistant: false },
+  "pin":    { category: "knowledge",          phishingResistant: false },
+  "pop":    { category: "proof-of-possession", phishingResistant: true },
+  "pwd":    { category: "knowledge",          phishingResistant: false },
+  "rba":    { category: "context",            phishingResistant: false },
+  "retina": { category: "biometric",          phishingResistant: false },
+  "sc":     { category: "smart-card",         phishingResistant: true  },
+  "sms":    { category: "out-of-band",        phishingResistant: false },
+  "swk":    { category: "software-key",       phishingResistant: false },
+  "tel":    { category: "out-of-band",        phishingResistant: false },
+  "user":   { category: "user-presence",      phishingResistant: false },
+  "vbm":    { category: "biometric",          phishingResistant: false },
+  "wia":    { category: "windows-integrated", phishingResistant: false },
+};
+
+// In-process registry — operators may extend (and re-extend) at boot.
+var _registry = Object.create(null);
+for (var k in BUILTIN_RANKS) {
+  if (Object.prototype.hasOwnProperty.call(BUILTIN_RANKS, k)) {
+    _registry[k] = BUILTIN_RANKS[k];
+  }
+}
+
+function register(opts) {
+  opts = opts || {};
+  validateOpts(opts, ["value", "rank"], "auth.acr.register");
+  validateOpts.requireNonEmptyString(opts.value, "register: value",
+    AuthError, "auth-stepUp/bad-acr");
+  if (typeof opts.rank !== "number" || !isFinite(opts.rank)) {
+    throw new AuthError("auth-stepUp/bad-rank",
+      "auth.acr.register: rank must be a finite number — got " +
+      JSON.stringify(opts.rank));
+  }
+  if (opts.rank < 0 || opts.rank > 100) {
+    throw new AuthError("auth-stepUp/bad-rank",
+      "auth.acr.register: rank must be in [0, 100] — got " + opts.rank);
+  }
+  _registry[opts.value] = opts.rank;
+  return { value: opts.value, rank: opts.rank };
+}
+
+function rankOf(value) {
+  if (typeof value !== "string" || value.length === 0) return -1;
+  if (Object.prototype.hasOwnProperty.call(_registry, value)) {
+    return _registry[value];
+  }
+  return -1;
+}
+
+function isRegistered(value) {
+  return rankOf(value) !== -1;
+}
+
+function listRegistered() {
+  var out = [];
+  for (var k in _registry) {
+    if (Object.prototype.hasOwnProperty.call(_registry, k)) {
+      out.push({ value: k, rank: _registry[k] });
+    }
+  }
+  out.sort(function (a, b) {
+    if (a.rank !== b.rank) return a.rank - b.rank;
+    if (a.value < b.value) return -1;
+    if (a.value > b.value) return 1;
+    return 0;
+  });
+  return out;
+}
+
+function meets(presented, required) {
+  if (typeof required !== "string") return true;
+  if (typeof presented !== "string") return false;
+  var rp = rankOf(presented);
+  var rr = rankOf(required);
+  if (rr === -1) {
+    throw new AuthError("auth-stepUp/unknown-acr",
+      "auth.acr.meets: required acr is not registered (call b.auth.acr.register first): " +
+      JSON.stringify(required));
+  }
+  if (rp === -1) return false;
+  return rp >= rr;
+}
+
+function meetsAny(presented, requiredList) {
+  if (!Array.isArray(requiredList) || requiredList.length === 0) return true;
+  for (var i = 0; i < requiredList.length; i += 1) {
+    if (meets(presented, requiredList[i])) return true;
+  }
+  return false;
+}
+
+function _classifyAmr(amrValue) {
+  if (typeof amrValue !== "string") return null;
+  if (Object.prototype.hasOwnProperty.call(BUILTIN_AMR, amrValue)) {
+    return BUILTIN_AMR[amrValue];
+  }
+  return null;
+}
+
+function amrIncludesPhishingResistant(amrList) {
+  if (!Array.isArray(amrList)) return false;
+  for (var i = 0; i < amrList.length; i += 1) {
+    var info = _classifyAmr(amrList[i]);
+    if (info && info.phishingResistant) return true;
+  }
+  return false;
+}
+
+function amrSatisfiesRequiredList(presentedAmr, required) {
+  if (!Array.isArray(required) || required.length === 0) return true;
+  if (!Array.isArray(presentedAmr)) return false;
+  var seen = Object.create(null);
+  for (var i = 0; i < presentedAmr.length; i += 1) {
+    if (typeof presentedAmr[i] === "string") seen[presentedAmr[i]] = true;
+  }
+  for (var j = 0; j < required.length; j += 1) {
+    if (!seen[required[j]]) return false;
+  }
+  return true;
+}
+
+// Reset hook — for tests only. Restores built-in registry.
+function _resetForTests() {
+  for (var k in _registry) {
+    if (Object.prototype.hasOwnProperty.call(_registry, k)) delete _registry[k];
+  }
+  for (var bk in BUILTIN_RANKS) {
+    if (Object.prototype.hasOwnProperty.call(BUILTIN_RANKS, bk)) {
+      _registry[bk] = BUILTIN_RANKS[bk];
+    }
+  }
+}
+
+module.exports = {
+  register:                       register,
+  rankOf:                         rankOf,
+  isRegistered:                   isRegistered,
+  listRegistered:                 listRegistered,
+  meets:                          meets,
+  meetsAny:                       meetsAny,
+  amrIncludesPhishingResistant:   amrIncludesPhishingResistant,
+  amrSatisfiesRequiredList:       amrSatisfiesRequiredList,
+  BUILTIN_RANKS:                  BUILTIN_RANKS,
+  BUILTIN_AMR:                    BUILTIN_AMR,
+  _resetForTests:                 _resetForTests,
+};