@blamejs/blamejs-shop 0.1.0 → 0.1.2

package/lib/vendor/blamejs/SECURITY.md

@@ -278,6 +278,7 @@ This is the minimum-viable security posture for a production deployment. The fra
 - [ ] Confirm `vault: { mode: "wrapped" }` in the app's config (not `"plaintext"`)
 - [ ] Store the passphrase in a secret manager (1Password / Vault / AWS Secrets Manager / sops) — never in git, never in shell history
 - [ ] Rotate the vault passphrase quarterly: `blamejs vault rotate`
+- [ ] In FIPS / regulated deployments, run `b.crypto.selfTest()` at start-up as a power-on integrity gate — it KATs SHA3/SHAKE against NIST FIPS 202 vectors and pairwise-tests ML-KEM-1024 / ML-DSA-87 / SLH-DSA-SHAKE-256f, throwing `crypto/self-test-failed` (fail closed) if the crypto stack is broken
 
 **Audit chain**
 - [ ] Run `blamejs audit verify-chain --db <path>` weekly via cron — walks the live audit chain end-to-end and reports tampering with `breakAt` / `breakRowId` / expected-vs-actual prevHash
@@ -350,6 +351,7 @@ This is the minimum-viable security posture for a production deployment. The fra
 - [ ] At boot, before any outbound socket opens: call `b.network.bootFromEnv({ env: process.env, audit: b.audit })` so operator-supplied NTP / DNS / proxy / DPI-trust / TCP socket settings (`BLAMEJS_NTP_*`, `BLAMEJS_DNS_*`, `HTTP_PROXY` / `HTTPS_PROXY` / `NO_PROXY`, `BLAMEJS_EXTRA_CA_CERTS`, `BLAMEJS_SOCKET_*`) apply uniformly
 - [ ] If the deployment sits behind a deep-packet-inspection proxy with its own re-signing CA: install the CA via `b.network.tls.addCa("/path/to/corp-ca.pem", { label: "corp-mitm" })` and pass `allowDpiTrust: true` to `b.security.assertProduction` — every CA addition audits with subject + fingerprint so a forensic review can reconstruct the trust path
 - [ ] For authenticated time (HIPAA / PCI / FIPS shops): use `b.network.ntp.nts.query({ host: ntsKeServer })` (RFC 8915) instead of plain SNTP; set `BLAMEJS_NTS_REQUIRE=1` to fail closed on negotiation failure
+- [ ] When a DNS answer drives a trust decision (DANE / TLSA pinning, SSHFP, CAA enforcement, OPENPGPKEY lookup) and the upstream resolver isn't itself trusted: verify the answer's DNSSEC signature with `b.network.dns.dnssec.verifyRrset(...)` rather than trusting the resolver's AD bit — an on-path or compromised resolver can set AD on a forged answer, but cannot forge the RRSIG. Validate the DNSKEY against the parent's DS with `b.network.dns.dnssec.verifyDs(...)` up the chain to a trust anchor you pin
 - [ ] At boot in production: call `await b.security.assertProduction({ vault: "wrapped", dbAtRest: "encrypted", auditSigning: "wrapped", ntpStrict: true, requireEnv: ["BLAMEJS_VAULT_PASSPHRASE"], dataDir: "./data" })` to refuse to start on weak posture instead of warning
 - [ ] At boot: call `await b.configDrift.create({ dataDir, audit }).checkpoint({ allowedOrigins, csp, vaultMode, ... })` so the next boot detects + audits any silent runtime config change
 - [ ] At boot, before any listener opens: call `b.configDrift.verifyVendorIntegrity({ manifestPath: "./lib/vendor/MANIFEST.json", audit: b.audit })` so a tampered `lib/vendor/*.cjs` artifact aborts start instead of running with a swapped crypto bundle

package/lib/vendor/blamejs/api-snapshot.json

@@ -1,7 +1,7 @@
 {
   "version": 1,
-  "frameworkVersion": "0.12.41",
-  "createdAt": "2026-05-25T05:05:33.017Z",
+  "frameworkVersion": "0.12.48",
+  "createdAt": "2026-05-25T11:29:28.593Z",
   "exports": {
     "a2a": {
       "type": "object",
@@ -13501,6 +13501,10 @@
           "type": "primitive",
           "valueType": "number"
         },
+        "COSE_MAC0_TAG": {
+          "type": "primitive",
+          "valueType": "number"
+        },
         "COSE_SIGN1_TAG": {
           "type": "primitive",
           "valueType": "number"
@@ -13509,6 +13513,23 @@
           "type": "function",
           "arity": 4
         },
+        "MAC_ALGORITHMS": {
+          "type": "object",
+          "members": {
+            "HMAC-256/256": {
+              "type": "primitive",
+              "valueType": "number"
+            },
+            "HMAC-384/384": {
+              "type": "primitive",
+              "valueType": "number"
+            },
+            "HMAC-512/512": {
+              "type": "primitive",
+              "valueType": "number"
+            }
+          }
+        },
         "decrypt0": {
           "type": "function",
           "arity": 2
@@ -13517,6 +13538,18 @@
           "type": "function",
           "arity": 2
         },
+        "importKey": {
+          "type": "function",
+          "arity": 1
+        },
+        "mac0": {
+          "type": "function",
+          "arity": 2
+        },
+        "macVerify0": {
+          "type": "function",
+          "arity": 2
+        },
         "sign": {
           "type": "function",
           "arity": 2
@@ -13805,6 +13838,10 @@
           "type": "function",
           "arity": 2
         },
+        "selfTest": {
+          "type": "function",
+          "arity": 1
+        },
         "sha3Hash": {
           "type": "function",
           "arity": 1
@@ -14489,7 +14526,7 @@
         },
         "keyToDid": {
           "type": "function",
-          "arity": 1
+          "arity": 2
         },
         "parse": {
           "type": "function",
@@ -40433,6 +40470,10 @@
           "type": "function",
           "arity": 4
         },
+        "verifyDeviceAuth": {
+          "type": "function",
+          "arity": 1
+        },
         "verifyIssuerSigned": {
           "type": "function",
           "arity": 2
@@ -41537,6 +41578,120 @@
               "type": "function",
               "arity": 1
             },
+            "dnssec": {
+              "type": "object",
+              "members": {
+                "ALGORITHMS": {
+                  "type": "object",
+                  "members": {
+                    "8": {
+                      "type": "object",
+                      "members": {
+                        "hash": {
+                          "type": "primitive",
+                          "valueType": "string"
+                        },
+                        "kind": {
+                          "type": "primitive",
+                          "valueType": "string"
+                        },
+                        "name": {
+                          "type": "primitive",
+                          "valueType": "string"
+                        }
+                      }
+                    },
+                    "13": {
+                      "type": "object",
+                      "members": {
+                        "coord": {
+                          "type": "primitive",
+                          "valueType": "number"
+                        },
+                        "crv": {
+                          "type": "primitive",
+                          "valueType": "string"
+                        },
+                        "hash": {
+                          "type": "primitive",
+                          "valueType": "string"
+                        },
+                        "kind": {
+                          "type": "primitive",
+                          "valueType": "string"
+                        },
+                        "name": {
+                          "type": "primitive",
+                          "valueType": "string"
+                        }
+                      }
+                    },
+                    "14": {
+                      "type": "object",
+                      "members": {
+                        "coord": {
+                          "type": "primitive",
+                          "valueType": "number"
+                        },
+                        "crv": {
+                          "type": "primitive",
+                          "valueType": "string"
+                        },
+                        "hash": {
+                          "type": "primitive",
+                          "valueType": "string"
+                        },
+                        "kind": {
+                          "type": "primitive",
+                          "valueType": "string"
+                        },
+                        "name": {
+                          "type": "primitive",
+                          "valueType": "string"
+                        }
+                      }
+                    },
+                    "15": {
+                      "type": "object",
+                      "members": {
+                        "crv": {
+                          "type": "primitive",
+                          "valueType": "string"
+                        },
+                        "hash": {
+                          "type": "primitive",
+                          "valueType": "null"
+                        },
+                        "kind": {
+                          "type": "primitive",
+                          "valueType": "string"
+                        },
+                        "name": {
+                          "type": "primitive",
+                          "valueType": "string"
+                        }
+                      }
+                    }
+                  }
+                },
+                "DnssecError": {
+                  "type": "function",
+                  "arity": 4
+                },
+                "keyTag": {
+                  "type": "function",
+                  "arity": 1
+                },
+                "verifyDs": {
+                  "type": "function",
+                  "arity": 1
+                },
+                "verifyRrset": {
+                  "type": "function",
+                  "arity": 1
+                }
+              }
+            },
             "getServers": {
               "type": "function",
               "arity": 0
@@ -49221,9 +49376,17 @@
           "type": "function",
           "arity": 2
         },
+        "present": {
+          "type": "function",
+          "arity": 1
+        },
         "verify": {
           "type": "function",
           "arity": 2
+        },
+        "verifyPresentation": {
+          "type": "function",
+          "arity": 2
         }
       }
     },

package/lib/vendor/blamejs/lib/cose.js

@@ -53,6 +53,7 @@
 
 var nodeCrypto = require("node:crypto");
 var cbor = require("./cbor");
+var bCrypto = require("./crypto");
 var validateOpts = require("./validate-opts");
 var { defineClass } = require("./framework-error");
 
@@ -143,6 +144,7 @@ function _toBeSigned(protectedBstr, externalAad, payload) {
  *     externalAad?:        Buffer,    // default empty — bound into the signature
  *     unprotectedHeaders?: object,    // extra unprotected map entries (numeric keys)
  *     protectedHeaders?:   object,    // extra INTEGRITY-PROTECTED map entries (numeric keys); label 1 (alg) is reserved
+ *     detached?:           boolean,   // emit a nil payload (RFC 9052 §4.1) — signature still covers it; caller transmits the payload separately
  *   }
  *
  * @example
@@ -152,7 +154,7 @@ function _toBeSigned(protectedBstr, externalAad, payload) {
  */
 async function sign(payload, opts) {
   validateOpts.requireObject(opts, "cose.sign", CoseError);
-  validateOpts(opts, ["alg", "privateKey", "kid", "contentType", "externalAad", "unprotectedHeaders", "protectedHeaders"], "cose.sign");
+  validateOpts(opts, ["alg", "privateKey", "kid", "contentType", "externalAad", "unprotectedHeaders", "protectedHeaders", "detached"], "cose.sign");
   if (SIGNABLE.indexOf(opts.alg) === -1) {
     throw new CoseError("cose/unsignable-alg",
       "cose.sign: alg must be one of " + SIGNABLE.join(" / ") +
@@ -213,7 +215,10 @@ async function sign(payload, opts) {
     ? nodeCrypto.sign(null, toBeSigned, key)
     : nodeCrypto.sign(params.nodeAlg, toBeSigned, { key: key, dsaEncoding: params.dsaEncoding });
 
-  var sign1 = [protectedBstr, unprot, payloadBytes, signature];
+  // Detached payload (RFC 9052 §4.1): the COSE_Sign1 carries nil in the
+  // payload slot; the signature still covers the payload (above), and the
+  // caller transmits / re-supplies it out of band as externalPayload.
+  var sign1 = [protectedBstr, unprot, opts.detached ? null : payloadBytes, signature];
   return cbor.encode(new cbor.Tag(COSE_SIGN1_TAG, sign1));
 }
 
@@ -237,6 +242,7 @@ async function sign(payload, opts) {
  *     publicKey?:   object,    // the verification key (KeyObject / PEM)
  *     keyResolver?: function,  // (protectedHeaders, unprotectedHeaders) → key
  *     externalAad?: Buffer,    // must match what was signed
+ *     externalPayload?: Buffer, // required when the COSE_Sign1 payload is detached (nil); bound into the Sig_structure
  *     maxBytes?:    number,    // forwarded to b.cbor.decode
  *     maxDepth?:    number,
  *   }
@@ -247,7 +253,7 @@ async function sign(payload, opts) {
  */
 async function verify(coseSign1, opts) {
   validateOpts.requireObject(opts, "cose.verify", CoseError);
-  validateOpts(opts, ["algorithms", "publicKey", "keyResolver", "externalAad", "maxBytes", "maxDepth"], "cose.verify");
+  validateOpts(opts, ["algorithms", "publicKey", "keyResolver", "externalAad", "externalPayload", "maxBytes", "maxDepth"], "cose.verify");
   if (!Array.isArray(opts.algorithms) || opts.algorithms.length === 0) {
     throw new CoseError("cose/algorithms-required",
       "cose.verify: opts.algorithms is required (no defaults — name the accepted algorithms)");
@@ -278,14 +284,23 @@ async function verify(coseSign1, opts) {
   if (!Buffer.isBuffer(protectedBstr) || !Buffer.isBuffer(signature)) {
     throw new CoseError("cose/malformed", "cose.verify: protected header and signature must be byte strings");
   }
+  // Detached payload (RFC 9052 §4.1): a nil payload slot means the caller
+  // must supply the payload out of band via opts.externalPayload, which
+  // is then bound into the Sig_structure. Supplying externalPayload for
+  // an attached (non-nil) token is ambiguous and refused.
   if (payload === null || payload === undefined) {
-    throw new CoseError("cose/detached-unsupported",
-      "cose.verify: detached payload (nil) is not supported in v1 — attached payload only");
-  }
-  // COSE_Sign1 payload is a bstr (RFC 9052 §4.2) — refuse a non-byte
-  // payload rather than return a value that violates the documented
-  // { payload: Buffer } shape.
-  if (!Buffer.isBuffer(payload)) {
+    if (opts.externalPayload == null) {
+      throw new CoseError("cose/detached-no-payload",
+        "cose.verify: COSE_Sign1 has a detached (nil) payload — pass opts.externalPayload to verify it");
+    }
+    payload = _bstr(opts.externalPayload);
+  } else if (opts.externalPayload != null) {
+    throw new CoseError("cose/payload-ambiguous",
+      "cose.verify: opts.externalPayload was supplied but the COSE_Sign1 carries an attached payload");
+  } else if (!Buffer.isBuffer(payload)) {
+    // COSE_Sign1 payload is a bstr (RFC 9052 §4.2) — refuse a non-byte
+    // payload rather than return a value that violates the documented
+    // { payload: Buffer } shape.
     throw new CoseError("cose/malformed", "cose.verify: payload must be a byte string (bstr)");
   }
   // The unprotected header is a CBOR map — refuse a non-map rather
@@ -534,12 +549,271 @@ function decrypt0(coseEncrypt0, opts) {
   return { plaintext: pt, alg: algName, protectedHeaders: protMap, unprotectedHeaders: unprotected };
 }
 
+// ---- COSE_Mac0 (RFC 9052 §6.2) — single shared-key MAC ----
+
+var COSE_MAC0_TAG = 17;                                                       // allow:raw-byte-literal — RFC 9052 COSE_Mac0 CBOR tag
+// HMAC algorithms (RFC 9053 §3.1). Only the full-length tags are offered —
+// the truncated HMAC 256/64 (id 4) is omitted. HMAC is symmetric, so its
+// post-quantum strength is fine; these are the COSE-standard MAC algs.
+var HMAC_NAME_TO_ID = { "HMAC-256/256": 5, "HMAC-384/384": 6, "HMAC-512/512": 7 };   // allow:raw-byte-literal — COSE HMAC algorithm ids (RFC 9053)
+var HMAC_ID_TO_NAME = {};
+Object.keys(HMAC_NAME_TO_ID).forEach(function (k) { HMAC_ID_TO_NAME[HMAC_NAME_TO_ID[k]] = k; });
+function _hmacHash(algId) {
+  switch (algId) {
+    case 5: return "sha256";
+    case 6: return "sha384";
+    case 7: return "sha512";
+    default: throw new CoseError("cose/unknown-alg", "cose: unrecognized HMAC COSE alg id " + algId);
+  }
+}
+
+// MAC_structure (§6.3) = [ "MAC0", body_protected (bstr), external_aad (bstr), payload (bstr) ].
+function _macStructure(protectedBstr, externalAad, payload) {
+  return cbor.encode(["MAC0", protectedBstr, externalAad, payload]);
+}
+
+/**
+ * @primitive b.cose.mac0
+ * @signature b.cose.mac0(payload, opts)
+ * @since     0.12.47
+ * @status    stable
+ * @related   b.cose.macVerify0, b.cose.sign
+ *
+ * Produce a tagged COSE_Mac0 (RFC 9052 §6.2) — a single shared-key MAC
+ * over <code>payload</code>. The MAC is HMAC-SHA-256 / 384 / 512 (the
+ * COSE-standard MAC algorithms; HMAC is symmetric, so post-quantum
+ * strength is preserved). Use when both parties hold a shared key (e.g.
+ * an ECDH-derived key) and a non-repudiable signature is not wanted.
+ * <code>detached: true</code> emits a nil payload, verified later with
+ * <code>opts.externalPayload</code>.
+ *
+ * @opts
+ *   {
+ *     alg:        string,   // "HMAC-256/256" | "HMAC-384/384" | "HMAC-512/512"
+ *     key:        Buffer,   // shared symmetric key
+ *     externalAad?: Buffer, // bound into the MAC
+ *     detached?:  boolean,  // emit a nil payload (caller re-supplies it on verify)
+ *     unprotectedHeaders?: object,
+ *   }
+ *
+ * @example
+ *   var mac = b.cose.mac0(Buffer.from("data"), { alg: "HMAC-256/256", key: sharedKey });
+ */
+function mac0(payload, opts) {
+  validateOpts.requireObject(opts, "cose.mac0", CoseError);
+  validateOpts(opts, ["alg", "key", "externalAad", "detached", "unprotectedHeaders"], "cose.mac0");
+  if (!(opts.alg in HMAC_NAME_TO_ID)) {
+    throw new CoseError("cose/unsignable-alg", "cose.mac0: alg must be one of " + Object.keys(HMAC_NAME_TO_ID).join(" / "));
+  }
+  var key = _bstr(opts.key);
+  var algId = HMAC_NAME_TO_ID[opts.alg];
+  var protMap = new Map();
+  protMap.set(HDR_ALG, algId);
+  var protectedBstr = cbor.encode(protMap);
+
+  var unprot = new Map();
+  if (opts.unprotectedHeaders && typeof opts.unprotectedHeaders === "object") {
+    var uk = Object.keys(opts.unprotectedHeaders);
+    for (var i = 0; i < uk.length; i++) unprot.set(Number(uk[i]), opts.unprotectedHeaders[uk[i]]);
+  }
+
+  var payloadBytes = _bstr(payload);
+  var externalAad = opts.externalAad == null ? Buffer.alloc(0) : _bstr(opts.externalAad);
+  var tag = nodeCrypto.createHmac(_hmacHash(algId), key).update(_macStructure(protectedBstr, externalAad, payloadBytes)).digest();
+
+  var mac0arr = [protectedBstr, unprot, opts.detached ? null : payloadBytes, tag];
+  return cbor.encode(new cbor.Tag(COSE_MAC0_TAG, mac0arr));
+}
+
+/**
+ * @primitive b.cose.macVerify0
+ * @signature b.cose.macVerify0(coseMac0, opts)
+ * @since     0.12.47
+ * @status    stable
+ * @related   b.cose.mac0
+ *
+ * Verify a COSE_Mac0 (RFC 9052 §6.2) and return its payload. The HMAC
+ * tag is recomputed over the MAC_structure and compared in constant
+ * time; the <code>alg</code> from the protected header must be in
+ * <code>opts.algorithms</code>. A detached (nil) payload is supplied via
+ * <code>opts.externalPayload</code>.
+ *
+ * @opts
+ *   {
+ *     algorithms:  string[],  // required — accepted HMAC alg names (allowlist)
+ *     key:         Buffer,    // the shared symmetric key
+ *     externalAad?: Buffer,
+ *     externalPayload?: Buffer, // required for a detached payload
+ *     maxBytes?:   number,
+ *     maxDepth?:   number,
+ *   }
+ *
+ * @example
+ *   var out = b.cose.macVerify0(mac, { algorithms: ["HMAC-256/256"], key: sharedKey });
+ *   // → { payload: <Buffer>, alg: "HMAC-256/256", protectedHeaders: Map, unprotectedHeaders: Map }
+ */
+function macVerify0(coseMac0, opts) {
+  validateOpts.requireObject(opts, "cose.macVerify0", CoseError);
+  validateOpts(opts, ["algorithms", "key", "externalAad", "externalPayload", "maxBytes", "maxDepth"], "cose.macVerify0");
+  if (!Array.isArray(opts.algorithms) || opts.algorithms.length === 0) {
+    throw new CoseError("cose/algorithms-required", "cose.macVerify0: opts.algorithms is required");
+  }
+  for (var ai = 0; ai < opts.algorithms.length; ai++) {
+    if (!(opts.algorithms[ai] in HMAC_NAME_TO_ID)) {
+      throw new CoseError("cose/unknown-alg", "cose.macVerify0: unknown algorithm '" + opts.algorithms[ai] + "'");
+    }
+  }
+  if (opts.key == null) throw new CoseError("cose/no-key", "cose.macVerify0: opts.key is required");
+  var key = _bstr(opts.key);
+
+  var decoded = cbor.decode(_bstr(coseMac0), { allowedTags: [COSE_MAC0_TAG], maxBytes: opts.maxBytes, maxDepth: opts.maxDepth });
+  var arr = (decoded instanceof cbor.Tag && decoded.tag === COSE_MAC0_TAG) ? decoded.value : decoded;
+  if (!Array.isArray(arr) || arr.length !== 4) {
+    throw new CoseError("cose/malformed", "cose.macVerify0: not a COSE_Mac0 (expected a 4-element array)");
+  }
+  var protectedBstr = arr[0];
+  var unprotected = arr[1];
+  var payload = arr[2];
+  var tag = arr[3];
+  if (!Buffer.isBuffer(protectedBstr) || !Buffer.isBuffer(tag)) {
+    throw new CoseError("cose/malformed", "cose.macVerify0: protected header and tag must be byte strings");
+  }
+  if (!(unprotected instanceof Map)) {
+    throw new CoseError("cose/malformed", "cose.macVerify0: unprotected header must be a CBOR map");
+  }
+  if (payload === null || payload === undefined) {
+    if (opts.externalPayload == null) {
+      throw new CoseError("cose/detached-no-payload", "cose.macVerify0: detached (nil) payload — pass opts.externalPayload");
+    }
+    payload = _bstr(opts.externalPayload);
+  } else if (opts.externalPayload != null) {
+    throw new CoseError("cose/payload-ambiguous", "cose.macVerify0: externalPayload supplied but the COSE_Mac0 carries an attached payload");
+  } else if (!Buffer.isBuffer(payload)) {
+    throw new CoseError("cose/malformed", "cose.macVerify0: payload must be a byte string (bstr)");
+  }
+
+  var protMap = protectedBstr.length === 0 ? new Map()
+    : cbor.decode(protectedBstr, { maxBytes: opts.maxBytes, maxDepth: opts.maxDepth });
+  if (!(protMap instanceof Map)) {
+    throw new CoseError("cose/malformed", "cose.macVerify0: protected header is not a CBOR map");
+  }
+  // crit-bypass defense (RFC 9052 §3.1) — same as b.cose.verify: every
+  // label a crit array names must be one this verifier understands AND
+  // be present in the protected header.
+  if (protMap.has(HDR_CRIT)) {
+    var crit = protMap.get(HDR_CRIT);
+    if (!Array.isArray(crit)) {
+      throw new CoseError("cose/bad-crit", "cose.macVerify0: crit (label 2) must be an array");
+    }
+    for (var ci = 0; ci < crit.length; ci++) {
+      if (UNDERSTOOD_LABELS.indexOf(crit[ci]) === -1) {
+        throw new CoseError("cose/crit-unknown",
+          "cose.macVerify0: crit lists header label " + crit[ci] + " which is not understood (RFC 9052 §3.1)");
+      }
+      if (!protMap.has(crit[ci])) {
+        throw new CoseError("cose/crit-absent",
+          "cose.macVerify0: crit lists label " + crit[ci] + " not present in the protected header");
+      }
+    }
+  }
+  var algId = protMap.get(HDR_ALG);
+  var algName = HMAC_ID_TO_NAME[algId];
+  if (algName === undefined) {
+    throw new CoseError("cose/unknown-alg", "cose.macVerify0: unrecognized protected MAC alg id " + algId);
+  }
+  if (opts.algorithms.indexOf(algName) === -1) {
+    throw new CoseError("cose/alg-not-allowed", "cose.macVerify0: alg '" + algName + "' is not in the allowlist");
+  }
+
+  var externalAad = opts.externalAad == null ? Buffer.alloc(0) : _bstr(opts.externalAad);
+  var expected = nodeCrypto.createHmac(_hmacHash(algId), key).update(_macStructure(protectedBstr, externalAad, payload)).digest();
+  if (!bCrypto.timingSafeEqual(expected, tag)) {
+    throw new CoseError("cose/bad-tag", "cose.macVerify0: MAC tag verification failed");
+  }
+  return { payload: payload, alg: algName, protectedHeaders: protMap, unprotectedHeaders: unprotected };
+}
+
+// ---- COSE_Key (RFC 9052 §7 / RFC 9053 §7) → KeyObject ----
+
+// COSE_Key EC2 curve identifiers (RFC 9053 §7.1) → JWK crv names. Only
+// the curves b.cose.verify has an algorithm for are accepted: P-256
+// (ES256), P-384 (ES384), P-521 (ES512). secp256k1 is intentionally
+// absent — there is no ES256K path here, so importing one would let a
+// secp256k1 key be verified under ES256, breaking the COSE alg/curve
+// binding (RFC 9053). Re-add with an explicit ES256K algorithm.
+var COSE_EC2_CRV = { 1: "P-256", 2: "P-384", 3: "P-521" };
+var COSE_KTY_OKP = 1;
+var COSE_KTY_EC2 = 2;
+var COSE_OKP_ED25519 = 6;                                                    // allow:raw-byte-literal — COSE OKP Ed25519 crv id (RFC 9053)
+
+function _coseKeyBytes(v, what) {
+  if (Buffer.isBuffer(v)) return v;
+  if (v instanceof Uint8Array) return Buffer.from(v);
+  throw new CoseError("cose/bad-cose-key", "cose.importKey: COSE_Key " + what + " must be a byte string");
+}
+
+/**
+ * @primitive b.cose.importKey
+ * @signature b.cose.importKey(coseKey)
+ * @since     0.12.45
+ * @status    stable
+ * @related   b.cose.verify, b.cbor.decode
+ *
+ * Import a COSE_Key (RFC 9052 §7) — a CBOR map keyed by integer labels —
+ * as a <code>node:crypto</code> public KeyObject for
+ * <code>b.cose.verify</code>. Accepts the EC2 (<code>kty</code> 2:
+ * P-256 / P-384 / P-521) and OKP (<code>kty</code> 1: Ed25519) key
+ * types — the curves <code>b.cose.verify</code> has an algorithm for;
+ * the curve is allowlisted, so an unexpected key type (including
+ * secp256k1, which has no ES256K path here) is refused rather than
+ * imported. The verification key embedded in an mdoc MSO or a COSE_Key
+ * header is consumed this way.
+ *
+ * @example
+ *   var key = b.cose.importKey(coseKeyMap);            // → public KeyObject
+ *   var out = await b.cose.verify(sign1, { algorithms: ["ES256"], publicKey: key });
+ */
+function importKey(coseKey) {
+  if (!(coseKey instanceof Map)) {
+    if (coseKey && typeof coseKey === "object" && !Array.isArray(coseKey)) {
+      var m = new Map();
+      Object.keys(coseKey).forEach(function (k) { m.set(Number(k), coseKey[k]); });
+      coseKey = m;
+    } else {
+      throw new CoseError("cose/bad-cose-key", "cose.importKey: expected a COSE_Key map");
+    }
+  }
+  var kty = coseKey.get(1);
+  var x = _coseKeyBytes(coseKey.get(-2), "x");
+  var jwk;
+  if (kty === COSE_KTY_OKP) {
+    if (coseKey.get(-1) !== COSE_OKP_ED25519) {
+      throw new CoseError("cose/unsupported-key", "cose.importKey: only OKP curve Ed25519 is supported");
+    }
+    jwk = { kty: "OKP", crv: "Ed25519", x: x.toString("base64url") };
+  } else if (kty === COSE_KTY_EC2) {
+    var crvName = COSE_EC2_CRV[coseKey.get(-1)];
+    if (!crvName) throw new CoseError("cose/unsupported-key", "cose.importKey: unsupported EC2 curve id " + coseKey.get(-1));
+    var y = _coseKeyBytes(coseKey.get(-3), "y");
+    jwk = { kty: "EC", crv: crvName, x: x.toString("base64url"), y: y.toString("base64url") };
+  } else {
+    throw new CoseError("cose/unsupported-key", "cose.importKey: kty must be OKP (1) or EC2 (2), got " + kty);
+  }
+  try { return nodeCrypto.createPublicKey({ key: jwk, format: "jwk" }); }
+  catch (e) { throw new CoseError("cose/bad-cose-key", "cose.importKey: could not import COSE_Key: " + ((e && e.message) || e)); }
+}
+
 module.exports = {
   sign:        sign,
   verify:      verify,
   encrypt0:    encrypt0,
   decrypt0:    decrypt0,
+  mac0:        mac0,
+  macVerify0:  macVerify0,
+  importKey:   importKey,
   ALGORITHMS:  ALG_NAME_TO_ID,
+  MAC_ALGORITHMS: HMAC_NAME_TO_ID,
+  COSE_MAC0_TAG: COSE_MAC0_TAG,
   AEAD_ALGORITHMS: AEAD_NAME_TO_ID,
   COSE_SIGN1_TAG: COSE_SIGN1_TAG,
   COSE_ENCRYPT0_TAG: COSE_ENCRYPT0_TAG,