@blamejs/blamejs-shop 0.3.39 → 0.3.41

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (62) hide show
  1. package/CHANGELOG.md +4 -0
  2. package/lib/admin.js +331 -0
  3. package/lib/asset-manifest.json +1 -1
  4. package/lib/storefront.js +244 -4
  5. package/lib/vendor/MANIFEST.json +2 -2
  6. package/lib/vendor/blamejs/CHANGELOG.md +8 -0
  7. package/lib/vendor/blamejs/README.md +8 -5
  8. package/lib/vendor/blamejs/SECURITY.md +7 -0
  9. package/lib/vendor/blamejs/api-snapshot.json +266 -2
  10. package/lib/vendor/blamejs/examples/wiki/lib/source-comment-block-validator.js +1 -0
  11. package/lib/vendor/blamejs/index.js +7 -1
  12. package/lib/vendor/blamejs/lib/agent-idempotency.js +113 -0
  13. package/lib/vendor/blamejs/lib/agent-orchestrator.js +108 -0
  14. package/lib/vendor/blamejs/lib/agent-snapshot.js +137 -0
  15. package/lib/vendor/blamejs/lib/agent-tenant.js +193 -17
  16. package/lib/vendor/blamejs/lib/ai-input.js +167 -3
  17. package/lib/vendor/blamejs/lib/ai-output.js +463 -0
  18. package/lib/vendor/blamejs/lib/ai-prompt.js +304 -0
  19. package/lib/vendor/blamejs/lib/archive-wrap.js +234 -1
  20. package/lib/vendor/blamejs/lib/archive.js +1 -0
  21. package/lib/vendor/blamejs/lib/audit.js +3 -0
  22. package/lib/vendor/blamejs/lib/auth/oid4vp.js +47 -28
  23. package/lib/vendor/blamejs/lib/cluster.js +186 -14
  24. package/lib/vendor/blamejs/lib/codepoint-class.js +18 -0
  25. package/lib/vendor/blamejs/lib/compliance-ai-act.js +446 -0
  26. package/lib/vendor/blamejs/lib/consent.js +104 -8
  27. package/lib/vendor/blamejs/lib/content-credentials.js +851 -41
  28. package/lib/vendor/blamejs/lib/crypto-field.js +5 -0
  29. package/lib/vendor/blamejs/lib/db.js +15 -0
  30. package/lib/vendor/blamejs/lib/framework-error.js +21 -0
  31. package/lib/vendor/blamejs/lib/mail-srs.js +122 -19
  32. package/lib/vendor/blamejs/lib/privacy.js +168 -0
  33. package/lib/vendor/blamejs/lib/safe-archive.js +196 -136
  34. package/lib/vendor/blamejs/lib/validate-opts.js +24 -0
  35. package/lib/vendor/blamejs/lib/vault/rotate.js +175 -15
  36. package/lib/vendor/blamejs/lib/vault-aad.js +84 -33
  37. package/lib/vendor/blamejs/package.json +1 -1
  38. package/lib/vendor/blamejs/release-notes/v0.14.11.json +72 -0
  39. package/lib/vendor/blamejs/release-notes/v0.14.12.json +95 -0
  40. package/lib/vendor/blamejs/release-notes/v0.14.13.json +52 -0
  41. package/lib/vendor/blamejs/release-notes/v0.14.14.json +31 -0
  42. package/lib/vendor/blamejs/test/00-primitives.js +9 -1
  43. package/lib/vendor/blamejs/test/layer-0-primitives/agent-idempotency.test.js +103 -0
  44. package/lib/vendor/blamejs/test/layer-0-primitives/agent-orchestrator.test.js +91 -0
  45. package/lib/vendor/blamejs/test/layer-0-primitives/agent-snapshot.test.js +186 -0
  46. package/lib/vendor/blamejs/test/layer-0-primitives/agent-tenant.test.js +140 -0
  47. package/lib/vendor/blamejs/test/layer-0-primitives/ai-input.test.js +59 -0
  48. package/lib/vendor/blamejs/test/layer-0-primitives/ai-output.test.js +125 -0
  49. package/lib/vendor/blamejs/test/layer-0-primitives/ai-prompt.test.js +133 -0
  50. package/lib/vendor/blamejs/test/layer-0-primitives/app-shutdown.test.js +6 -1
  51. package/lib/vendor/blamejs/test/layer-0-primitives/archive-read.test.js +94 -0
  52. package/lib/vendor/blamejs/test/layer-0-primitives/archive-wrap.test.js +176 -0
  53. package/lib/vendor/blamejs/test/layer-0-primitives/cluster-vault-rotation.test.js +243 -0
  54. package/lib/vendor/blamejs/test/layer-0-primitives/codebase-patterns.test.js +250 -0
  55. package/lib/vendor/blamejs/test/layer-0-primitives/compliance-ai-act.test.js +130 -0
  56. package/lib/vendor/blamejs/test/layer-0-primitives/consent-purposes.test.js +70 -0
  57. package/lib/vendor/blamejs/test/layer-0-primitives/content-credentials.test.js +289 -2
  58. package/lib/vendor/blamejs/test/layer-0-primitives/federation-vc-suite.test.js +22 -0
  59. package/lib/vendor/blamejs/test/layer-0-primitives/mail-srs.test.js +61 -0
  60. package/lib/vendor/blamejs/test/layer-0-primitives/privacy-vendor-review.test.js +69 -0
  61. package/lib/vendor/blamejs/test/layer-0-primitives/vault-rotate-aad.test.js +158 -0
  62. package/package.json +1 -1
package/lib/storefront.js CHANGED
@@ -3916,7 +3916,7 @@ function renderReturns(opts) {
3916
3916
  rowsHtml +=
3917
3917
  "<li class=\"return-card\">" +
3918
3918
  "<div class=\"return-card__head\">" +
3919
- "<code class=\"return-card__rma\">" + esc(r.rma_code) + "</code>" +
3919
+ "<a class=\"return-card__rma\" href=\"/account/returns/" + esc(String(r.id)) + "\"><code>" + esc(r.rma_code) + "</code></a>" +
3920
3920
  _returnStatusBadge(r.status) +
3921
3921
  "</div>" +
3922
3922
  "<p class=\"return-card__meta\">" + esc(String(r.reason || "")) +
@@ -3962,6 +3962,150 @@ function renderReturns(opts) {
3962
3962
  });
3963
3963
  }
3964
3964
 
3965
+ // Customer-facing phrasing for a return label's carrier-scan status. The
3966
+ // return-labels module's FSM enum (issued / shipped / in_transit /
3967
+ // delivered / exception) is operator/carrier vocabulary; these read for
3968
+ // the shopper following their parcel back to the merchant.
3969
+ var RETURN_LABEL_STATUS_LABELS = {
3970
+ issued: "Label ready",
3971
+ shipped: "Dropped off",
3972
+ in_transit: "On its way back",
3973
+ delivered: "Delivered to us",
3974
+ exception: "Delivery issue",
3975
+ };
3976
+
3977
+ function _returnLabelStatusBadge(status) {
3978
+ var esc = b.template.escapeHtml;
3979
+ var label = RETURN_LABEL_STATUS_LABELS[status] || status;
3980
+ return "<span class=\"return-status return-status--" + esc(String(status)) + "\">" +
3981
+ esc(String(label)) + "</span>";
3982
+ }
3983
+
3984
+ // Human label for a return_label_events row. The event_type mirrors the
3985
+ // label FSM transitions (issued / shipped / in_transit / delivered /
3986
+ // exception); these are the shopper-facing phrasings on the timeline.
3987
+ var RETURN_LABEL_EVENT_LABELS = {
3988
+ issued: "Label issued",
3989
+ shipped: "Parcel dropped off",
3990
+ in_transit: "In transit",
3991
+ delivered: "Delivered to the merchant",
3992
+ exception: "Delivery exception",
3993
+ };
3994
+
3995
+ // One return's status detail, including its return-shipping label (if one
3996
+ // has been issued) and the carrier-scan timeline. Ownership-scoped: the
3997
+ // route only renders this for a return whose customer_id matches the
3998
+ // session customer, so the label + tracking reads are already gated.
3999
+ //
4000
+ // `opts.rma` is the return_authorizations row. `opts.label` is the most
4001
+ // recent return_labels row (or null — a return with no label yet shows a
4002
+ // neutral "no label" state, never an error). `opts.events` is the label's
4003
+ // ordered return_label_events timeline (empty when there's no label).
4004
+ // Reuses the account/returns layout classes — no new CSS.
4005
+ function renderReturnDetail(opts) {
4006
+ var esc = b.template.escapeHtml;
4007
+ var rma = opts.rma;
4008
+ var label = opts.label || null;
4009
+ var events = opts.events || [];
4010
+ var date = rma.created_at ? new Date(Number(rma.created_at)).toISOString().slice(0, 10) : "";
4011
+
4012
+ function _row(labelText, value) {
4013
+ return "<p class=\"return-card__meta\"><span class=\"form-field__label\">" + esc(labelText) + "</span> " +
4014
+ (value ? esc(String(value)) : "&mdash;") + "</p>";
4015
+ }
4016
+
4017
+ var summaryRows = "";
4018
+ summaryRows += _row("Reason", rma.reason);
4019
+ if (date) summaryRows += _row("Requested", date);
4020
+ if (rma.status === "rejected" && rma.rejected_reason) {
4021
+ summaryRows += _row("Why it was declined", rma.rejected_reason);
4022
+ }
4023
+ if (Number(rma.refund_amount_minor) > 0) {
4024
+ summaryRows += _row("Refund", pricing.format(Number(rma.refund_amount_minor), rma.refund_currency || "USD"));
4025
+ }
4026
+
4027
+ // The return-label panel. A return with no issued label shows a neutral
4028
+ // note (the label arrives once the operator approves + funds the return)
4029
+ // — never an error. A return WITH a label surfaces the carrier + tracking
4030
+ // number, a download/print affordance, the live status, and the timeline.
4031
+ var labelPanel;
4032
+ if (!label) {
4033
+ labelPanel =
4034
+ "<div class=\"return-card return-label-panel\">" +
4035
+ "<h2 class=\"return-card__subhead\">Return shipping label</h2>" +
4036
+ "<p class=\"return-card__meta return-label-panel__none\">No label yet. We'll add a prepaid return label here once your return is approved.</p>" +
4037
+ "</div>";
4038
+ } else {
4039
+ var carrierLine = label.carrier
4040
+ ? (esc(String(label.carrier)) + (label.service_level ? " &middot; " + esc(String(label.service_level)) : ""))
4041
+ : "";
4042
+ // The download is its own ownership-scoped route (GET
4043
+ // /account/returns/:id/label), which loads the return, re-checks
4044
+ // ownership, then redirects to the carrier label asset — the label_url
4045
+ // is never emitted in the page by id, so the affordance is a link to
4046
+ // the scoped route, not the raw carrier URL.
4047
+ var downloadHref = "/account/returns/" + esc(String(rma.id)) + "/label";
4048
+
4049
+ var timelineRows = "";
4050
+ for (var i = 0; i < events.length; i += 1) {
4051
+ var ev = events[i];
4052
+ var evLabel = RETURN_LABEL_EVENT_LABELS[ev.event_type] || ev.event_type;
4053
+ var when = ev.occurred_at ? new Date(Number(ev.occurred_at)).toISOString().slice(0, 16).replace("T", " ") : "";
4054
+ var detail = "";
4055
+ try {
4056
+ var d = ev.detail_json ? JSON.parse(ev.detail_json) : {};
4057
+ if (d && d.location) detail = String(d.location);
4058
+ else if (d && d.exception) detail = String(d.exception);
4059
+ } catch (_e) { detail = ""; }
4060
+ timelineRows +=
4061
+ "<li class=\"return-timeline__event\">" +
4062
+ "<span class=\"return-timeline__label\">" + esc(String(evLabel)) + "</span>" +
4063
+ (detail ? " <span class=\"return-timeline__detail\">" + esc(detail) + "</span>" : "") +
4064
+ (when ? " <time class=\"return-timeline__when\" datetime=\"" + esc(when) + "\">" + esc(when) + "</time>" : "") +
4065
+ "</li>";
4066
+ }
4067
+ var timeline = timelineRows
4068
+ ? "<ol class=\"return-timeline\">" + timelineRows + "</ol>"
4069
+ : "";
4070
+
4071
+ labelPanel =
4072
+ "<div class=\"return-card return-label-panel\">" +
4073
+ "<div class=\"return-card__head\">" +
4074
+ "<h2 class=\"return-card__subhead\">Return shipping label</h2>" +
4075
+ _returnLabelStatusBadge(label.status) +
4076
+ "</div>" +
4077
+ (carrierLine ? "<p class=\"return-card__meta\"><span class=\"form-field__label\">Carrier</span> " + carrierLine + "</p>" : "") +
4078
+ _row("Tracking number", label.tracking_number) +
4079
+ "<p class=\"return-label-panel__actions\">" +
4080
+ "<a class=\"btn-primary\" href=\"" + downloadHref + "\" rel=\"nofollow\">Download return label</a>" +
4081
+ "</p>" +
4082
+ (timeline ? "<h3 class=\"return-card__subhead\">Tracking</h3>" + timeline : "") +
4083
+ "</div>";
4084
+ }
4085
+
4086
+ var body =
4087
+ "<section class=\"account-returns\">" +
4088
+ "<nav class=\"breadcrumb\" aria-label=\"Breadcrumb\"><ol>" +
4089
+ "<li><a href=\"/account\">Account</a></li>" +
4090
+ "<li><a href=\"/account/returns\">Returns</a></li>" +
4091
+ "<li aria-current=\"page\">" + esc(String(rma.rma_code || "")) + "</li>" +
4092
+ "</ol></nav>" +
4093
+ "<div class=\"return-card__head\">" +
4094
+ "<h1 class=\"account-returns__title\">Return <code>" + esc(String(rma.rma_code || "")) + "</code></h1>" +
4095
+ _returnStatusBadge(rma.status) +
4096
+ "</div>" +
4097
+ "<div class=\"return-card\">" + summaryRows + "</div>" +
4098
+ labelPanel +
4099
+ "</section>";
4100
+ return _wrap({
4101
+ title: "Return " + String(rma.rma_code || ""),
4102
+ shop_name: opts.shop_name || "blamejs.shop",
4103
+ cart_count: opts.cart_count == null ? 0 : opts.cart_count,
4104
+ theme_css: opts.theme_css,
4105
+ body: body,
4106
+ });
4107
+ }
4108
+
3965
4109
  // Customer-facing reasons for an exchange. The values mirror the
3966
4110
  // order-exchanges module's REASONS allow-list; the backend validates the
3967
4111
  // submitted value against its own list, so a forged value is refused
@@ -6709,7 +6853,7 @@ function renderNewsletterError(opts) {
6709
6853
  "<div class=\"newsletter-thanks__card\">" +
6710
6854
  "<p class=\"eyebrow\">Newsletter</p>" +
6711
6855
  "<h1 class=\"newsletter-thanks__title\">Couldn't enroll that address.</h1>" +
6712
- "<p class=\"newsletter-thanks__lede\">" + (opts.message || "Check the address and try again — only RFC-shape email addresses are accepted.") + "</p>" +
6856
+ "<p class=\"newsletter-thanks__lede\">" + b.template.escapeHtml(String(opts.message || "Check the address and try again — only RFC-shape email addresses are accepted.")) + "</p>" +
6713
6857
  "<div class=\"newsletter-thanks__cta\">" +
6714
6858
  "<a href=\"/\" class=\"btn-primary\">Back to the shop <span aria-hidden=\"true\">→</span></a>" +
6715
6859
  "</div>" +
@@ -10479,7 +10623,11 @@ function mount(router, deps) {
10479
10623
  router.get("/pay/:order_id", async function (req, res) {
10480
10624
  var orderId = req.params && req.params.order_id;
10481
10625
  if (!orderId) return _send(res, 404, renderNotFound({ shop_name: shopName, theme: theme }));
10482
- var o = await deps.order.get(orderId);
10626
+ // A malformed (non-UUID) id makes order.get throw a TypeError; map it
10627
+ // to the same 404 as an unknown order rather than an uncaught 500.
10628
+ var o;
10629
+ try { o = await deps.order.get(orderId); }
10630
+ catch (e) { if (e instanceof TypeError) { o = null; } else throw e; }
10483
10631
  if (!o) return _send(res, 404, renderNotFound({ shop_name: shopName, theme: theme }));
10484
10632
  // Read the client_secret from the shop_pay cookie set on POST
10485
10633
  // /checkout. The cookie is scoped Path=/pay/ + SameSite=Strict
@@ -10506,7 +10654,13 @@ function mount(router, deps) {
10506
10654
  router.get("/orders/:order_id", async function (req, res) {
10507
10655
  var orderId = req.params && req.params.order_id;
10508
10656
  if (!orderId) return _send(res, 404, renderNotFound({ shop_name: shopName, theme: theme }));
10509
- var o = await deps.order.get(orderId);
10657
+ // order.get runs _uuid(id), which THROWS a TypeError on a non-UUID id.
10658
+ // A malformed id is a missing record, not a server fault — map it to the
10659
+ // same 404 not-found path a well-formed-but-unknown id takes (mirrors
10660
+ // the reorder + cancel routes), never an uncaught 500.
10661
+ var o;
10662
+ try { o = await deps.order.get(orderId); }
10663
+ catch (e) { if (e instanceof TypeError) { o = null; } else throw e; }
10510
10664
  if (!o) return _send(res, 404, renderNotFound({ shop_name: shopName, theme: theme }));
10511
10665
  // Ownership gate against IDOR: an order's confirmation page exposes
10512
10666
  // the customer's name, address, and line items by UUID alone. An order
@@ -13227,6 +13381,39 @@ function mount(router, deps) {
13227
13381
  return order;
13228
13382
  }
13229
13383
 
13384
+ // Load the return named in :id and confirm it belongs to the
13385
+ // signed-in customer. The return_authorizations row carries
13386
+ // `customer_id` directly, so ownership is a single comparison — no
13387
+ // transitive lookup. A malformed id (guardUuid TypeError), an unknown
13388
+ // return, or someone else's return ALL return 404 — never a 500,
13389
+ // never a cross-customer reveal. This is the gate the return detail
13390
+ // view + the label-download route funnel through, so a return label /
13391
+ // its tracking is never reachable by a return/label id alone.
13392
+ async function _ownedReturn(req, res, auth) {
13393
+ var rma;
13394
+ try { rma = await deps.returns.get(req.params && req.params.id); }
13395
+ catch (e) {
13396
+ if (e instanceof TypeError) { _send(res, 404, renderNotFound({ shop_name: shopName, theme: theme })); return null; }
13397
+ throw e;
13398
+ }
13399
+ if (!rma || rma.customer_id !== auth.customer_id) {
13400
+ _send(res, 404, renderNotFound({ shop_name: shopName, theme: theme }));
13401
+ return null;
13402
+ }
13403
+ return rma;
13404
+ }
13405
+
13406
+ // The most-recent issued label for an owned return (or null). Returns
13407
+ // null when the label primitive isn't wired or no label has been
13408
+ // issued — the detail view renders the neutral "no label yet" state.
13409
+ // Best-effort on a read failure (tables not migrated) so the return
13410
+ // detail never 500s on a missing label table.
13411
+ async function _labelForReturn(returnId) {
13412
+ if (!deps.returnLabels) return null;
13413
+ try { return await deps.returnLabels.labelForReturn(returnId); }
13414
+ catch (e) { if (e instanceof TypeError) return null; throw e; }
13415
+ }
13416
+
13230
13417
  router.get("/account/returns", async function (req, res) {
13231
13418
  var auth = _returnsAuth(req, res); if (!auth) return;
13232
13419
  var page = await deps.returns.listForCustomer(auth.customer_id, { limit: 50 });
@@ -13240,6 +13427,58 @@ function mount(router, deps) {
13240
13427
  }));
13241
13428
  });
13242
13429
 
13430
+ // One return's status detail, including its return-shipping label and
13431
+ // carrier-scan timeline once a label has been issued. Ownership-scoped
13432
+ // through _ownedReturn (foreign / unknown / malformed id → 404). A
13433
+ // return with no issued label renders a neutral "no label yet" state.
13434
+ router.get("/account/returns/:id", async function (req, res) {
13435
+ var auth = _returnsAuth(req, res); if (!auth) return;
13436
+ var rma = await _ownedReturn(req, res, auth); if (!rma) return;
13437
+ var label = await _labelForReturn(rma.id);
13438
+ var events = [];
13439
+ if (label && deps.returnLabels) {
13440
+ try { events = await deps.returnLabels.eventsForLabel(label.id); }
13441
+ catch (e) { if (!(e instanceof TypeError)) throw e; events = []; }
13442
+ }
13443
+ var cartCount = await _cartCountForReq(req);
13444
+ _send(res, 200, renderReturnDetail({
13445
+ rma: rma,
13446
+ label: label,
13447
+ events: events,
13448
+ shop_name: shopName,
13449
+ cart_count: cartCount,
13450
+ }));
13451
+ });
13452
+
13453
+ // Download / print the return label. Ownership-scoped: load + verify
13454
+ // the return belongs to the session customer (via _ownedReturn — a
13455
+ // foreign / unknown / malformed return id all 404 identically) BEFORE
13456
+ // resolving its label, then redirect to the carrier label asset. The
13457
+ // label_url is resolved server-side through the owning return, never
13458
+ // exposed by a bare label id, and a return with no issued label 404s
13459
+ // (there is nothing to download yet). Mounts only when the label
13460
+ // primitive is wired.
13461
+ if (deps.returnLabels) {
13462
+ router.get("/account/returns/:id/label", async function (req, res) {
13463
+ var auth = _returnsAuth(req, res); if (!auth) return;
13464
+ var rma = await _ownedReturn(req, res, auth); if (!rma) return;
13465
+ var label = await _labelForReturn(rma.id);
13466
+ if (!label || !label.label_url) {
13467
+ _send(res, 404, renderNotFound({ shop_name: shopName, theme: theme }));
13468
+ return;
13469
+ }
13470
+ // The carrier label asset is an already-validated HTTPS URL
13471
+ // (return-labels runs label_url through b.safeUrl on issue), so a
13472
+ // redirect can't smuggle a javascript:/credentialed target. The
13473
+ // shopper reaches the printable label through the scoped route,
13474
+ // never the raw URL by id.
13475
+ res.status(302);
13476
+ res.setHeader && res.setHeader("location", label.label_url);
13477
+ res.setHeader && res.setHeader("cache-control", "private, no-store");
13478
+ return res.end ? res.end() : res.send("");
13479
+ });
13480
+ }
13481
+
13243
13482
  router.get("/account/orders/:order_id/return", async function (req, res) {
13244
13483
  var auth = _returnsAuth(req, res); if (!auth) return;
13245
13484
  var order = await _ownedOrder(req, res, auth); if (!order) return;
@@ -15069,6 +15308,7 @@ module.exports = {
15069
15308
  renderProfile: renderProfile,
15070
15309
  renderAccountSubscriptions: renderAccountSubscriptions,
15071
15310
  renderCookiePreferences: renderCookiePreferences,
15311
+ renderNewsletterError: renderNewsletterError,
15072
15312
  renderNotFound: renderNotFound,
15073
15313
  // Layout exposed so operators forking the framework can override.
15074
15314
  _wrap: _wrap,
@@ -3,8 +3,8 @@
3
3
  "_about": "blamejs.shop vendors a single framework — blamejs — which itself bundles every server-side crypto/identity dependency. The transitive packages blamejs ships are surfaced in its own MANIFEST.json at lib/vendor/blamejs/lib/vendor/MANIFEST.json — Trivy / Grype rely on that nested data for CVE attribution.",
4
4
  "packages": {
5
5
  "blamejs": {
6
- "version": "0.14.10",
7
- "tag": "v0.14.10",
6
+ "version": "0.14.15",
7
+ "tag": "v0.14.15",
8
8
  "license": "Apache-2.0",
9
9
  "author": "blamejs contributors",
10
10
  "source": "https://github.com/blamejs/blamejs",
@@ -8,6 +8,14 @@ upgrading across more than a few patches at a time.
8
8
 
9
9
  ## v0.14.x
10
10
 
11
+ - v0.14.14 (2026-05-31) — **Recognized consent purposes with lawful-basis gating, and a new b.privacy namespace for annual EdTech vendor-review attestations.** Closes the student-data gap where an educational-only consent purpose and an annual third-party vendor-review report were described but never implemented. b.consent gains a recognized-purpose vocabulary: a purpose value matching a recognized key carries lawful-basis constraints that grant() enforces, and the named educational-only purpose (FERPA's school-official exception and California's SOPIPA) refuses a legitimate_interests lawful basis. The new b.privacy namespace ships vendorReview(), a builder for the dated, clause-by-clause annual EdTech third-party / processor review FERPA and SOPIPA expect a school or district to keep — it computes whether every required clause (no targeted advertising, no commercial profiling, no sale of student data, deletion on request, school-official designation, and so on) is attested, names the gaps, and stamps a 365-day re-review clock. Free-form consent purposes keep working unchanged, so the vocabulary is opt-in and additive. **Added:** *`b.consent` recognized-purpose vocabulary + lawful-basis gating* — `b.consent.recognizedPurpose(name)` looks up a recognized purpose and `b.consent.listPurposes()` enumerates them. When a `grant({ purpose })` value matches a recognized key, `grant()` enforces that purpose's lawful-basis constraints; the `educational-only` purpose forbids a `legitimate_interests` basis (FERPA 34 CFR 99.31(a)(1) school-official exception; California SOPIPA Cal. B&P 22584; FTC school-authorized COPPA consent 16 CFR 312.5(c)(10)) and marks the data commercial-use-prohibited. The commercial-use prohibition is an operator trust-boundary obligation — `isGranted()` does not re-derive it. Any purpose value NOT in the vocabulary stays free-form and unconstrained, so existing callers are unaffected; the hash-chain column set is unchanged, so `b.consent.verify()` over existing rows is unaffected. · *`b.privacy.vendorReview` — annual EdTech vendor-review attestation* — A new `b.privacy` namespace whose `vendorReview(opts)` builds the dated third-party / processor review a FERPA school-official arrangement and California SOPIPA expect for every vendor that touches student data. The operator supplies a boolean attestation per clause (educational-purpose-only, no-targeted-advertising, no-commercial-profiling, no-sale-of-student-data, security-safeguards, deletion-on-request, sub-processor-currency, breach-notification, school-official-designation, directory-information-handling); `vendorReview` validates the shape, computes whether every required clause is attested (`attested`) and which are not (`gaps`), and stamps `reviewedAt` plus a 365-day `nextReviewDueAt` re-review clock. `b.privacy.listVendorReviewClauses()` returns the clause set with citations. Operator-feeds-metadata: the frozen report is not framework-persisted — compose it into your retention / audit / export sink. A best-effort `privacy.vendor_review.recorded` audit event fires when an audit sink is wired. **Detectors:** *A gated consent purpose must go through `b.consent`* — A new check flags any lib code that mints a consent row with a hardcoded `educational-only` purpose literal without composing the recognized-purpose vocabulary — which would record the value while never enforcing its FERPA / SOPIPA lawful-basis constraint.
12
+
13
+ - v0.14.13 (2026-05-31) — **Close advertised-but-missing surface: SRS1 chained forwarding, DCQL array-wildcard claim paths, and in-memory safe-archive extraction.** Three primitives advertised a capability in their documentation or card but refused or omitted it at runtime; this release implements each. b.mail.srs gains srs1Rewrite for the SRS1 double-forward (and multi-hop) case — previously the @intro described SRS1 and create() threw, pointing at a function that was never exported. b.safeArchive gains extractToMemory, the in-memory counterpart to extract for read-only / serverless filesystems — previously the card advertised in-memory extraction but the orchestrator required a destination directory. b.auth.oid4vp.matchDcql now honours a null claims-path segment as the array wildcard the OpenID4VP DCQL spec defines, rather than refusing it as unsupported while the card advertised DCQL. A stale version-pinned wording in a safe-archive error message is corrected. Every change is additive or message-only — no existing caller changes behaviour. **Added:** *`b.mail.srs` SRS1 chained forwarding — `srs1Rewrite`* — `b.mail.srs.create(...)` now returns `srs1Rewrite` alongside `rewrite` / `reverse`. `srs1Rewrite(srsAddress)` chains an already-SRS0 (or SRS1) envelope-from for a further forwarding hop: it keeps the original SRS0 body verbatim, prepends the SRS0 originator's domain, and binds the pair with this forwarder's own HMAC-SHA-256 tag — no new timestamp, no repeated original local-part — emitting `SRS1=tag=originator==<SRS0-body>@thisForwarder`. `reverse()` now detects an SRS1 address, verifies this hop's tag and forwarder-domain binding, and unwraps exactly one hop back to the originator's SRS0 so a multi-hop bounce routes straight to the forwarder that can recover the original sender. Typed failure modes: `srs/not-srs0` (input not SRS-encoded), `srs/malformed` (missing the `==` separator), `srs/bad-tag` (tampered), `srs/too-long` (chain exceeds the RFC 5321 256-octet path limit). Implements the Sender Rewriting Scheme SRS1 wire format; the second-hop SPF rationale is RFC 7208 §2.4. · *`b.safeArchive.extractToMemory` — in-memory safe extraction* — An async generator counterpart to `b.safeArchive.extract` for read-only / serverless filesystems: it resolves the source, sniffs the format, auto-unwraps recipient (`BAWRP`) / passphrase (`BAWPP`) envelopes, and dispatches to the zip / tar / tar.gz reader's in-memory `extractEntries()`, yielding `{ name, bytes, size }` per regular-file entry without ever writing to disk. It takes no `destination`. Every defense the disk path runs applies unchanged: the zip-bomb caps (entry-count / per-entry / total / expansion-ratio), the `b.guardArchive` metadata cascade (Zip-Slip / path-traversal / symlink-escape / encrypted-entry refusal, CVE-2025-3445 class), and the entry-type policy. The disk-only realpath-agreement check (CVE-2025-4517 PATH_MAX TOCTOU defense) is intentionally absent — there is no extraction root — so the archive-level name refusals carry containment. Trusted-stream sources are refused upfront (the adversarial-safe central-directory walk needs random access). gzip magic per RFC 1952 §2.3.1. **Fixed:** *OID4VP DCQL `null` claim-path segment now resolves the array wildcard* — `b.auth.oid4vp.matchDcql` previously threw `auth-oid4vp/null-path-segment-not-supported` for a `null` claims-path segment while the namespace card advertised DCQL — under-disclosing a legitimate presentation (CWE-863). Per OpenID4VP 1.0 §7.1.1 a `null` segment selects all elements of the array at that depth; the matcher now recurses over array elements with existence semantics (with DCQL value-matching applied to any selected leaf), composed to arbitrary depth. A `null` segment on a non-array node — like an integer index into a non-array, or a string key into an array — is a clean non-match, not a thrown error, because the matcher walks holder credential data rather than operator config. String and integer claim paths are byte-identical to before; only queries that previously threw now succeed or fail cleanly. · *safe-archive trusted-stream refusal message no longer cites a stale version* — The thrown `safe-archive/trusted-stream-unsupported` message and its comment claimed trusted-stream extraction was "deferred to v0.12.8 / when the v0.12.8 sequential extract path lands." That path shipped long ago — `b.archive.read.zip.fromTrustedStream` and the tar sequential mode exist — so the message now points at them as present capabilities and drops the version-pinned wording. The error code is unchanged. **Detectors:** *A primitive may not advertise a capability and then throw an unimplemented stub* — A new check flags a bare `not yet supported` / `operator demand TBD` / `not supported in v1` refusal in a lib throw string (comments excluded). A defer is only complete with a written re-open condition; the SRS1 and DCQL stubs that this release implements both carried this bare-defer shape, and the detector keeps it from re-entering. · *DCQL `null` path segments must recurse, never refuse* — A new check flags the `null path segment not supported` refusal shape in `lib/auth/oid4vp.js`, so the spec-mandated array wildcard cannot be re-stubbed. · *`extractToMemory` must stay disk-free* — A new check flags any `writeFileSync` / `renameSync` / `mkdirSync` / `createWriteStream` inside the `extractToMemory` generator body, so the read-only / serverless contract cannot regress into a disk write.
14
+
15
+ - v0.14.12 (2026-05-31) — **Vault key rotation re-seals AAD-bound storage under the new root instead of silently orphaning it.** Every AAD-sealed cell derives its key from the live vault root, so rotating the vault keypair changes those keys. `b.vaultRotate.rotate` previously re-sealed only legacy `vault:`-prefixed cells in `db.enc` and skipped `vault.aad:` cells, AAD-bound at-rest files, and operator-supplied AAD stores — leaving them encrypted under the retired keypair while still returning a success result and a passing round-trip verify, so the loss was invisible until the old keypair was discarded and the cells became permanently undecryptable. Rotation now re-seals `db.enc` (preserving its dataDir-bound AAD), `db.key.enc` (location-bound), every `{ aad: true }` table column, and the overflow store under the new root; refuses up front with a fail-closed error when operator-supplied AAD stores (agent idempotency / orchestrator / tenant / snapshot) are reachable unless each has been re-sealed via its module hook and explicitly acknowledged; and the round-trip verify now decrypts AAD-sealed cells under the new root and treats any cell that still opens under the old root as a regression. New explicit-root `b.vault.aad` seal / unseal / reseal primitives carry a cell from the old root to the new one while preserving its AAD tuple; `b.archive.rewrapTenant` re-wraps tenant-scoped archive envelopes; and `b.cluster` can adopt a rotated vault-key fingerprint instead of partitioning the membership during a rolling rotation. **Added:** *`b.vault.aad.sealRoot` / `unsealRoot` / `resealRoot`* — Explicit-root variants of the AAD seal / unseal that take a root-keypair JSON (`b.vault.getKeysJson()` output) instead of reading the live vault singleton. `resealRoot(value, aadParts, oldRootJson, newRootJson)` opens a cell under the old root and re-seals it under the new one while preserving the same AAD tuple (`table` / `rowId` / `column` / `schemaVersion`), which is what lets a rotation worker move AAD-bound state across a keypair change without altering the bound context. The default-root `b.vault.aad.seal` / `unseal` behaviour is unchanged. · *Per-store AAD re-seal hooks on the agent primitives* — `b.agent.idempotency.reseal`, `b.agent.orchestrator.reseal`, `b.agent.snapshot.reseal`, and the `b.agent.tenant` registry / tenant-cell reseal paths re-seal that module's AAD-bound rows from an old root to a new root over the operator's own store. Each module also exposes an `AAD_ROTATION` descriptor naming the store the rotation pipeline cannot reach on its own, so an operator can enumerate exactly what to re-seal before a rotation. · *`b.archive.rewrapTenant`* — Re-wraps a `recipient: "tenant"` archive envelope from an old vault root to a new one for a given `tenantId`, so a keypair rotation does not strand tenant-scoped archives. Opens the blob under the old root + tenantId, refuses a blob that is not a tenant-recipient envelope or that does not open under the supplied old root, and emits a fresh envelope bound to the new root. This is offered alongside the documented re-export path (decrypt with the old keypair, re-archive with the new one) for operators who hold the envelope but not the source. · *Cluster vault-key rotation acceptance* — A vault-key rotation changes the public-key fingerprint recorded in the canonical cluster-state row, which a peer would otherwise report as `VAULT_KEY_DRIFT`. `b.cluster` configuration gains `acceptVaultKeyRotation: true` to declare the change legitimate — the node adopts the rotated fingerprint and bumps a rotation epoch instead of refusing — and an optional `expectedVaultKeyFp` that narrows acceptance to a single blessed post-rotation fingerprint. The drift guard stays in force whenever a rotation is not declared; supplying `expectedVaultKeyFp` without `acceptVaultKeyRotation` is rejected at configuration time as a misconfiguration. **Changed:** *`b.vaultRotate.rotate` refuses when reachable AAD stores are not acknowledged* — Because the rotation pipeline walks only `db.enc` and cannot introspect an operator's own AAD-backed stores, it now detects which AAD-store modules are loadable and throws `vault-rotate/external-aad-unresealed` unless `opts.externalAadResealed` is either `true` (you do not use those features) or an array naming every detected store (you have re-sealed each via its hook). This converts a path that previously discarded data and reported success into a fail-closed gate. The error names each store and the hook to call. **Fixed:** *Rotation re-seals `vault.aad:` cells and AAD-bound at-rest files* — `db.enc` is re-written bound to its dataDir-scoped AAD (it was previously re-written un-bound, silently stripping the at-rest AAD binding on every rotation), `db.key.enc` retains its location-bound AAD, and every `{ aad: true }` table column plus the overflow store is re-sealed under the new root. Previously only `vault:`-prefixed cells were carried across, so AAD-sealed data was left encrypted under the retired keypair and lost once it was discarded. · *Round-trip verify no longer reports a false success* — `b.vaultRotate.verify` now samples and decrypts AAD-sealed cells under the new root and treats any cell that still decrypts under the old root as a regression, so an incomplete rotation fails verification instead of passing it. The prior verify checked only `vault:` cells and therefore reported `ok` even when AAD-sealed cells had been orphaned. **Security:** *A vault key rotation can no longer silently destroy encrypted data* — The orphaning path lost agent idempotency / orchestrator / tenant / snapshot state, `{ aad: true }` columns, and tenant archives with no error and a passing verify; the data became unrecoverable the moment the old keypair was retired. Rotation is now fail-closed end to end: it re-seals what it can reach, refuses to proceed past what it cannot until you acknowledge it, and verifies the result under the new root. If you performed a rotation on v0.14.11 or earlier and still hold the retired keypair, re-seal the affected cells under the current root with the explicit-root primitives before discarding it. **Detectors:** *AAD-backed store modules must expose a rotation reseal path* — A new check flags a module that registers an external `{ aad: true }` store but does not expose an `AAD_ROTATION` descriptor and reseal hook, which would leave its state unreachable by the rotation pipeline. · *A root-keyed seal family must ship its reseal* — A new check flags adding a `sealRoot` / `unsealRoot` pair without the matching `resealRoot`, since without it a rotated cell cannot be carried from the old root to the new one. · *Live-root AAD seals need a reseal path* — A new check flags a primitive that AAD-seals under the live vault root without a way to re-seal that state under a new root during rotation. · *Tenant archive re-wrapping must compose `b.archive.rewrapTenant`* — A new check flags tenant-scoped archive re-wrapping that opens and re-seals a tenant envelope by hand instead of routing through `b.archive.rewrapTenant`. · *Cluster vault-key drift needs the rotation-epoch accept gate* — A new check flags a cluster vault-key fingerprint comparison that hard-rejects a mismatch without honouring the `acceptVaultKeyRotation` epoch window. **Migration:** *Re-seal operator AAD stores before rotating* — Before calling `b.vaultRotate.rotate`, re-seal each AAD-backed store you use via its hook (`b.agent.idempotency.reseal`, `b.agent.orchestrator.reseal`, `b.agent.snapshot.reseal`, the `b.agent.tenant` `AAD_ROTATION` reseal paths) with the old and new root JSON, re-wrap tenant archives with `b.archive.rewrapTenant`, then pass `opts.externalAadResealed` as an array naming each re-sealed store. If you use none of these features, pass `opts.externalAadResealed: true`. Declare the rotation to each cluster node with `acceptVaultKeyRotation: true` so the membership adopts the new fingerprint rather than reporting drift.
16
+
17
+ - v0.14.11 (2026-05-31) — **Defensive LLM model-I/O primitives, C2PA timestamp countersignatures with CAWG identity assertions, and signed EU AI Act GPAI adherence declarations.** Closes the output side of the LLM trust boundary and hardens content provenance and AI-Act attestation. b.ai.output.sanitize treats model output as untrusted and neutralizes XSS, gates every markdown-image / link and HTML src/href URL against SSRF (the EchoLeak zero-click exfiltration class, CVE-2025-32711), and flags SQL- and command-shaped fragments; b.ai.output.redact strips PII and secret disclosures. b.ai.input.classifyWithSources classifies a prompt together with its retrieval-augmented sources under a stricter, trust-tier-relative threshold, and the new b.ai.prompt namespace assembles prompts with escape-by-default boundaries — untrusted context / user segments are fenced in a per-render crypto-nonce delimiter the content cannot forge and stripped of bidi, control, zero-width, and Unicode-Tags smuggling characters. b.contentCredentials COSE signatures now carry an RFC 3161 timestamp countersignature (C2PA sigTst2, RFC 9921) verified entirely through b.tsa, so a signed manifest stays verifiable after its signing certificate expires, plus a CAWG identity assertion with trust-anchored verification. b.compliance.aiAct.gpai.declareAdherence emits a tamper-evident, ML-DSA-87-signed GPAI Code-of-Practice adherence declaration whose obligation set is derived from the regulation rather than operator-asserted. **Added:** *`b.ai.output.sanitize` and `b.ai.output.redact`* — A new `b.ai.output` namespace that treats LLM output as untrusted before it reaches a browser, a downstream fetcher, a SQL / command sink, or a log. `sanitize(text, opts)` neutralizes active markup via `b.guardHtml`, gates every markdown image / link and HTML `src` / `href` URL through `b.safeUrl.parse` (scheme + credential) and `b.ssrfGuard.classify` (internal / loopback / link-local / cloud-metadata IP-range) so auto-fetch URLs to attacker or internal hosts are neutralized, and flags SQL- and command-shaped fragments rather than silently repairing them. `redact(text, opts)` strips PII and secret disclosures via `b.redact` plus an entity-selectable pass (`pan` / `ssn` / `ein` / `iban` / `jwt` / `aws` / `phi` / `email` / `phone`). Defends OWASP LLM05:2025 Improper Output Handling and LLM02:2025 Sensitive Information Disclosure; the markdown-image URL gate closes the EchoLeak zero-click exfiltration class (CVE-2025-32711, CVSS 9.3). · *`b.ai.input.classifyWithSources`* — Classifies a prompt together with its retrieval-augmented (RAG) sources, applying a stricter, trust-tier-relative threshold to retrieved data. Each source is `{ id, text, trust? }` with `trust` of `trusted` / `internal` / `untrusted` (unset defaults to `untrusted`, fail-closed); untrusted and internal sources escalate to `suspicious` on a single severity-2 signal and to `malicious` on any severity-3, where the direct prompt keeps the baseline threshold. The aggregate verdict is the worst across the prompt and all sources, and every malicious source is reported in `taintedSources`. Defends indirect prompt injection from poisoned context (OWASP LLM01:2025; NIST AI 600-1). · *`b.ai.prompt.template`* — A new `b.ai.prompt` namespace for assembling LLM prompts with escape-by-default boundaries. The `system` segment is operator-trusted; `context` and `user` segments are treated as untrusted (no global opt-out — mark a segment `{ text, trusted: true }` individually). Untrusted segments are wrapped in a per-render, high-entropy delimiter nonce the content cannot forge, with any forged boundary stripped before wrapping (spotlighting / datamarking, Microsoft 2024; NIST AI 100-2e2025), and stripped of bidi overrides (CVE-2021-42574 Trojan Source), C0 controls, zero-width characters, null bytes, and Unicode Tags (U+E0000..U+E007F ASCII-smuggling). Run `b.ai.input.refuseIfMalicious` on the untrusted content as defense in depth. · *C2PA RFC 3161 timestamp countersignature and CAWG identity assertion* — `b.contentCredentials.signCose` attaches an RFC 3161 timestamp countersignature (C2PA `sigTst2`, RFC 9921) and `b.contentCredentials.verifyCose` verifies it. Pass `timestamp:{ token }` to embed a TimeStampToken, or `timestamp:{}` to get back the DER `application/timestamp-query` to POST to a timestamp authority. `b.contentCredentials.attachIdentityAssertion` / `verifyIdentityAssertion` add the CAWG Identity Assertion v1.2: a signed creator / organization identity hash-bound to a manifest's referenced assertions, where the `x509` binding reports `verified:true` only when an identity trust anchor is supplied and the leaf chain verifies, and the `identity-claims-aggregator` and self-asserted paths stay `verified:false`. · *`b.compliance.aiAct.gpai.declareAdherence` / `verifyAdherence`* — Signed, tamper-evident GPAI Code-of-Practice adherence declarations (Regulation (EU) 2024/1689 Art. 53(1)(a-d); Art. 55 for systemic-risk models under Art. 51(2)). The in-scope obligation set is derived from the classifier, never operator-asserted — a model at or above the 10^25-FLOP systemic-risk threshold that omits the Art. 55 chapter is refused. Each commitment's evidence reference must be a SHA3-512 digest; a malformed hash is rejected so a hollow attestation cannot bind. The declaration ships inside an ML-DSA-87-signed CycloneDX 1.6 ML-BOM via `b.ai.modelManifest`; verify re-canonicalizes before trusting any field and rejects a declaration past its validity window. Cites the GPAI Code of Practice (10 July 2025), Annex XI/XII, and Directive (EU) 2019/790 Art. 4(3). **Security:** *Model output is now an untrusted channel by default* — When feeding retrieved documents into an LLM, classify them with `b.ai.input.classifyWithSources` (untrusted sources escalate on a single signal) rather than trusting model input; assemble prompts with `b.ai.prompt.template` so untrusted context / user text is fenced in a per-render crypto-nonce boundary it cannot forge; and pass model output through `b.ai.output.sanitize` / `b.ai.output.redact` before it is rendered, fetched, or logged. Each primitive is on by default and fail-closed — no opt-in flag enables the protection. · *Timestamp verification routes only through `b.tsa.verifyToken`* — C2PA `sigTst2` verification performs the full RFC 3161 check (CMS signature over the signed attributes, messageDigest recompute, critical sole `id-kp-timeStamping` EKU) — never a chain-only shortcut — closing the timestamp-validation-bypass class (CVE-2025-52556, CWE-347). Supply `timestampTrustAnchorsPem` to `verifyCose` to check the timestamp certificate chain; `verifyCose` returns `{ valid, reason, claims, alg, timestamp }` and never throws. **Detectors:** *LLM output URLs must keep the SSRF gate* — A new check requires the output sanitizer to gate every extracted URL through both `b.safeUrl.parse` and `b.ssrfGuard.classify`, so the markdown-image SSRF gate (the EchoLeak class) cannot be silently dropped. · *RAG sources must compose `classifyWithSources`* — A new check flags any code that maps `b.ai.input.classify` over a sources array by hand, which would lose the trust-tier-relative threshold for retrieved data. · *Prompt boundaries must use a per-render nonce* — A new check flags prompt-assembly that wraps untrusted content in a fixed, guessable literal fence (`<user_input>`, `[DATA]`) instead of a per-render high-entropy delimiter the content cannot forge. · *C2PA timestamp verification must route through `b.tsa`* — A new check flags any bespoke certificate-chain-only walk on a timestamp token in place of `b.tsa.verifyToken`, preventing a re-introduction of the timestamp-validation-bypass class. · *GPAI adherence declarations must be signed* — A new check flags any code that emits the GPAI Code-of-Practice adherence property without routing it through the `b.ai.modelManifest` signed envelope, keeping the declaration tamper-evident.
18
+
11
19
  - v0.14.10 (2026-05-31) — **Full-text-search token hashes move to a keyed MAC; existing mail-store search indexes rebuild automatically on upgrade.** The mail-store full-text-search index hashed its tokens with a hand-rolled salted-SHA3 derived hash. It now routes through the framework's sealed-column hashing primitive in keyed mode (HMAC-SHAKE256 off the per-deployment MAC key), so a search-index token hash is unforgeable and un-correlatable across deployments without that key — the same posture the sealed-column lookup hashes already use. Because the keyed hash changes the stored token values, a mail-store opened after upgrade detects its index as old-format and rebuilds it once from the sealed message rows. The rebuild runs under a format marker: the index is marked `rebuilding` before it is cleared and only marked current after every row is re-hashed inside an explicit transaction, and search falls back to its cursor path (rather than returning partial hits) whenever the marker is not current — so an interrupted rebuild leaves the old index intact and queryable and retries on the next open, never serving a half-built index. A new `b.cryptoField.computeNamespacedHash` primitive backs the keyed hashing for callers that hash outside the registered-column path. **Added:** *`b.cryptoField.computeNamespacedHash`* — A mode-aware namespaced hash for indexed-lookup callers that hash a value outside the registered-column derived-hash path. `computeNamespacedHash(ns, value, { mode, truncateBytes })` routes through the same engine as `computeDerived` — `salted-sha3` (default) or the keyed `hmac-shake256` — with optional hex truncation. The mail-store full-text index is the first consumer. **Changed:** *Mail-store full-text index rehashes to a keyed MAC on upgrade* — The full-text-search token hash now uses `b.cryptoField.computeNamespacedHash` in `hmac-shake256` mode instead of a hand-rolled salted-SHA3. The first time a store is opened after upgrade, its index is detected as old-format and rebuilt once from the sealed message rows; subsequent opens are no-ops. Search is unaffected once the rebuild completes. The rebuild requires the vault to be initialized and fails closed (a clear error) at construction if it is not, rather than leaving a stale searchable index. **Security:** *Keyed, un-correlatable full-text-search token hashes* — A search-index token hash is now a keyed MAC over a per-deployment key, not a static-salted digest — it cannot be forged or correlated across deployments without that key, closing the low-entropy-token correlation gap on the search index. The index remains unrecoverable from a database dump alone, as before. **Detectors:** *Hand-rolled lookup-hash check covers the split form* — The check that requires sealed-column lookup hashes to compose the framework primitive now also catches the across-lines hand-roll (`var salt = getDerivedHashSalt(); var hex = salt.toString(...); sha3(hex + ns + value)`), not only the single-expression form, so the bypass that the mail-store index used can't reappear. **Migration:** *Automatic, one-time full-text index rebuild* — No operator action is required: the rebuild runs automatically and idempotently on first open after upgrade, atomically and crash-safe (an interrupted rebuild keeps the old index and retries). The only requirement is that the vault is initialized before the mail-store is constructed. One caveat for shared stores: do not run a pre-upgrade and post-upgrade node against the same backend file concurrently across this format change — the old node would write old-format hashes the new node cannot match. Roll the deployment fully across the upgrade. This re-open condition is lifted once all nodes are on 0.14.10 or later.
12
20
 
13
21
  - v0.14.9 (2026-05-30) — **Corrects EU AI Act doc paths that named an uncallable namespace, plus source-comment hygiene and two new codebase checks.** A documentation fix and internal hygiene. The `@primitive` / `@signature` / `@example` blocks for the EU AI Act fundamental-rights-impact-assessment and GPAI training-data-summary helpers advertised `b.complianceAiAct.*`, which is undefined — the callable path is `b.compliance.aiAct.*` — so an operator copying the documented call got `undefined is not a function`. The documented paths now match the real surface. Alongside that: a duplicate parser entry in a doc block is removed, version stamps embedded in section-divider comments are stripped, and two codebase checks are added — one that fails the build when a `@primitive` block documents a wholly-unresolvable namespace (the gap that hid the AI Act paths), and one that flags a version stamp left inside a section divider. No exported API, error code, wire format, or runtime behaviour changes. **Changed:** *Source-comment hygiene* — Removed a duplicate `env` entry from the parsers `@module` doc block, and stripped internal version stamps (`vX.Y.Z`) from `// ---- ... ----` section-divider comments across several files, keeping the descriptive label. Comment-only; no behaviour change. **Fixed:** *EU AI Act helper documentation named an uncallable path* — `b.compliance.aiAct.fundamentalRightsImpactAssessment` and `b.compliance.aiAct.gpai.trainingDataSummary` were documented as `b.complianceAiAct.*` in their `@primitive` / `@signature` / `@example` blocks (and one returned reference string). `b.complianceAiAct` is undefined, so the documented call failed; the documented paths now match the callable surface. **Detectors:** *`@primitive` reachability covers wrong-namespace paths* — The reachability check previously only flagged a missing leaf on a resolved namespace; a `@primitive` whose entire dotted prefix is unresolvable (the shape that hid the AI Act doc paths) was silently skipped. It now walks each prefix segment and fails the build on any unresolvable one, while preserving the factory-instance-shorthand exemption. · *Version-stamp-in-divider check* — A new check flags a version stamp (`vX.Y.Z`) left immediately after a section divider's dashes (`// ---- vX.Y.Z ...`) — internal release vocabulary that does not belong in shipped source comments — without matching legitimate `@since` tags or prose version references.
@@ -98,7 +98,7 @@ The framework bundles the surface a typical Node app reaches for. Every primitiv
98
98
  - **At-rest envelope** — envelope-versioned PQC (ML-KEM-1024 + P-384 hybrid, XChaCha20-Poly1305, SHAKE256); vault sealing (`b.crypto`, `b.vault`)
99
99
  - **Power-on self-test** — `b.crypto.selfTest()` runs FIPS 140-3-style integrity checks: NIST FIPS 202 known-answer tests (SHA3-256/512, SHAKE256), AEAD round-trip + tamper-detect, and ML-KEM-1024 / ML-DSA-87 / SLH-DSA-SHAKE-256f pairwise-consistency + negative tests; fails closed (throws) on any mismatch
100
100
  - **Field-level + crypto-shred** — `b.cryptoField.eraseRow`; per-column data residency tagging + per-row keys (`K_row = HKDF(K_table, rowId)`) so erasing the per-row key makes WAL / replica residuals undecryptable (`b.cryptoField.declareColumnResidency`, `b.cryptoField.declarePerRowKey`)
101
- - **AAD-bound sealed columns** — AEAD tag tied to `(table, rowId, column, schemaVersion)`; copy-paste between rows or schema-version replay surfaces as refused decrypt (`b.vault.aad`). The database encryption key is sealed the same way — bound to its purpose, data directory, and key path — so a relocated key file fails to unseal; an older unbound key upgrades itself on first load
101
+ - **AAD-bound sealed columns** — AEAD tag tied to `(table, rowId, column, schemaVersion)`; copy-paste between rows or schema-version replay surfaces as refused decrypt (`b.vault.aad`). The database encryption key is sealed the same way — bound to its purpose, data directory, and key path — so a relocated key file fails to unseal; an older unbound key upgrades itself on first load. A vault-key rotation re-seals every AAD-bound cell, the database key, and tenant archives under the new keypair and refuses rather than silently orphaning a store it cannot reach (`b.vaultRotate`, `b.vault.aad.resealRoot`, `b.archive.rewrapTenant`)
102
102
  - **Keyed lookup hashes** — sealed-column equality-lookup hashes default to salted SHA3-512 and can opt into a keyed `hmac-shake256` MAC off a per-deployment key (`cryptoField.registerTable({ derivedHashMode })`, `b.vault.getDerivedHashMacKey`), making the lookup hash unforgeable and un-correlatable across deployments
103
103
  - **Signed webhooks + API encryption** — SLH-DSA-SHAKE-256f default; ML-DSA-65 opt-in; ECIES API encryption (`b.webhook`, `b.crypto`)
104
104
  - **HPKE / HTTP signatures** — RFC 9180 HPKE with ML-KEM-1024 + HKDF-SHA3-512 + ChaCha20-Poly1305 (`b.crypto.hpke`); RFC 9421 HTTP Message Signatures with derived components and ed25519 / ML-DSA-65 (`b.crypto.httpSig`); RFC 9530 Content-Digest / Repr-Digest body-integrity fields (SHA-256 / SHA-512, legacy algorithms refused — `b.contentDigest`) to sign the digest rather than the whole body
@@ -183,13 +183,16 @@ The framework bundles the surface a typical Node app reaches for. Every primitiv
183
183
  - `b.mcp.capability.create` — least-privilege capability scopes (OWASP LLM08)
184
184
  - `b.mcp.validateToolInput` — JSON Schema 2020-12 input enforcement
185
185
  - **GraphQL Federation** — `_service.sdl` trust-boundary with router-token + nonce store (`b.graphqlFederation`)
186
- - **Prompt-injection classification** — OWASP LLM01:2025 / NIST COSAIS RFI (`b.ai.input.classify`)
186
+ - **Prompt-injection classification** — OWASP LLM01:2025 / NIST COSAIS RFI (`b.ai.input.classify`), with per-source trust-tier classification for retrieval-augmented context (`b.ai.input.classifyWithSources`) and escape-by-default prompt assembly that fences untrusted segments in a per-render crypto-nonce delimiter the content can't forge (`b.ai.prompt.template`)
187
+ - **LLM output handling** — treats model output as untrusted before it reaches a browser / downstream fetcher / SQL / log: XSS neutralization with SSRF-gated markdown-image and link URLs (the EchoLeak zero-click exfiltration class, CVE-2025-32711) and SQL / command-shape flagging (`b.ai.output.sanitize`), plus PII / secret redaction (`b.ai.output.redact`); OWASP LLM05:2025 + LLM02:2025
187
188
  - **Agent identity** — A2A signed agent-card primitive (Linux Foundation Agentic AI Foundation v1.x, ML-DSA-87) (`b.a2a`)
188
- - **Content provenance** — C2PA 2.1 + California SB-942 / AB-853 manifest builder for AI-generated media (provider, model id + version, timestamp, content ID, signed) (`b.contentCredentials`)
189
+ - **Content provenance** — C2PA 2.1 + California SB-942 / AB-853 manifest builder for AI-generated media (provider, model id + version, timestamp, content ID, signed) (`b.contentCredentials`); COSE signatures carry an RFC 3161 timestamp countersignature (C2PA `sigTst2`, RFC 9921) verified through `b.tsa` so a manifest stays verifiable after its signing certificate expires, plus a CAWG identity assertion with trust-anchored verification
189
190
  - **AI usage quotas** — per-tenant / per-model budgets metered by tokens / requests / cost-usd / compute-hours over calendar-aligned windows, with an atomic conditional reserve (no charge-then-refund race) + hard/soft/warn enforcement and an optional cross-node store; defends OWASP LLM10:2025 unbounded consumption / denial-of-wallet (`b.ai.quota`)
190
191
  - **AI capability routing** — model-capability registry (context window / modalities / tool use / reasoning tier / cost rates) + a router that picks the cheapest model satisfying a request's requirements, refusing capability mismatches before the inference call (NIST AI RMF MAP + Model Cards); composes with `b.ai.quota` cost budgets (`b.ai.capability`)
191
192
  - **AEDT bias audit** — NYC Local Law 144 bias-audit figures (`b.ai.aedtBiasAudit`): selection / scoring rates and EEOC four-fifths-rule impact ratios across sex, race/ethnicity, and their intersection, with the most-selected group and adverse-impact flags (impact ratio < 0.8) for the annual published summary; sub-2% categories excludable per DCWP §5-301
192
193
  - **Frontier AI protocol** — California SB 53 (Transparency in Frontier AI Act) obligations (`b.ai.frontierModelProtocol`): classify the frontier-model (>10²⁶ training FLOPs) and large-frontier-developer (>$500M revenue) thresholds, enumerate the resulting obligations, check a safety framework for required elements, and build a critical-safety-incident report with the 15-day / 24-hour California OES notification deadline (`.incidentReport`)
194
+ - **GPAI Code-of-Practice adherence** — signed, tamper-evident EU AI Act Art. 53 / 55 adherence declarations with a regulation-derived obligation set (a systemic-risk model omitting the Art. 55 chapter is refused) and SHA3-512 evidence binding, emitted inside an ML-DSA-87-signed CycloneDX 1.6 ML-BOM and replay-checked on verify (`b.compliance.aiAct.gpai.declareAdherence` / `verifyAdherence`)
195
+
193
196
  ### Compliance regimes
194
197
 
195
198
  - **Posture coordinator** — `b.compliance` cascades operator-declared regime into retention / audit / db / cryptoField via POSTURE_DEFAULTS:
@@ -209,7 +212,7 @@ The framework bundles the surface a typical Node app reaches for. Every primitiv
209
212
  - **Change control + WORM** — m-of-n approver DDL change-control with maintenance-window + ML-DSA-87 signed proposals (`b.ddlChangeControl`); row-level WORM triggers boot-asserted under `sec-17a-4` / `finra-4511` / `fda-21cfr11` (`b.db.declareWorm`); dual-control physical delete + crypto-erase + REINDEX in one transaction (`b.db.declareRequireDualControl`, `b.db.eraseHard`)
210
213
  - **Consumer-protection** — FTC click-to-cancel UX-parity attestation (`ftc-2024` / `ca-sb942` / `strict`) (`b.darkPatterns`)
211
214
  - **Differential privacy** — float-safe DP for aggregate releases: snapping-mechanism Laplace (Mironov 2012) + discrete Gaussian (Canonne–Kamath–Steinke 2020), CSPRNG noise, per-scope ε/δ budgets with basic + Rényi-DP accounting; defends the floating-point distinguishing attack that breaks naive Laplace samplers (NIST SP 800-226) (`b.ai.dp`)
212
- - **Privacy / DSR** — GDPR Articles 15–22 / CCPA / CPRA / LGPD / PIPEDA data-subject-rights workflow (`b.dsr`); IAB TCF v2 consent-string parse + encode + `disclosedVendors` validator (`b.iabTcf`); IAB MSPA / GPP universal-opt-out (USNAT / USCA / USVA / USCO / USCT / USUT) + GPC mirror (`b.iabMspa`); generic consent capture + withdrawal (`b.consent`)
215
+ - **Privacy / DSR** — GDPR Articles 15–22 / CCPA / CPRA / LGPD / PIPEDA data-subject-rights workflow (`b.dsr`); IAB TCF v2 consent-string parse + encode + `disclosedVendors` validator (`b.iabTcf`); IAB MSPA / GPP universal-opt-out (USNAT / USCA / USVA / USCO / USCT / USUT) + GPC mirror (`b.iabMspa`); generic consent capture + withdrawal (`b.consent`); educational-only consent purpose with FERPA / SOPIPA lawful-basis gating + annual EdTech third-party vendor-review attestation (`b.consent.recognizedPurpose`, `b.privacy.vendorReview`)
213
216
  - **Incident reporters** — EU DORA Article 17 ICT-incident workflow per Commission Delegated Regulation 2024/1772 (`b.dora`); EU NIS2 (`b.nis2`); EU Cyber Resilience Act SBOM + secure-software-attestation (`b.cra`); SEC Form 8-K Item 1.05 cybersecurity-incident materiality-disclosure (`b.secCyber`); incident lifecycle coordinator (`b.incident`)
214
217
  - **Outbound DLP** — interceptor-installed on httpClient + mail + webhook with built-in detectors for PAN (Luhn), SSN, EIN, IBAN (mod-97), api-key shapes, PEM, SSH private keys, JWTs, AWS access keys, PHI composite; refuse / redact / audit-only verdicts under pci-dss / hipaa / fapi2 / soc2 / gdpr presets (`b.redact.installOutboundDlp`)
215
218
  ### Observability
@@ -227,7 +230,7 @@ The framework bundles the surface a typical Node app reaches for. Every primitiv
227
230
  - **i18n** — CLDR plural rules, Accept-Language negotiation, Intl formatters, RTL (`b.i18n`)
228
231
  - **CSV** — RFC 4180 with Excel formula-injection prevention (`b.csv`)
229
232
  - **IDs + slugs** — RFC 9562 UUID v4 + v7 (`b.uuid`); URL-safe slugs (`b.slug`)
230
- - **Time + archive** — TZ-aware datetime (`b.time`); ZIP creation + adversarial-safe read with bomb caps + path-traversal + LFH/CD-skew defense (`b.archive` + `b.archive.read.zip`); one-liner quarantine extraction (`b.safeArchive.extract`); in-memory extraction with no disk write for read-only / serverless filesystems (`b.archive.read.zip(...).extractEntries()` / `.tar`); fs / objectStore / http / buffer / trusted-stream adapter contract (`b.archive.adapters`); recipient-sealed envelopes — hybrid-PQC key-pair, peer certificate, or per-tenant key with no key-pair to manage (`b.archive.wrap({ recipient: "tenant", tenantId })`)
233
+ - **Time + archive** — TZ-aware datetime (`b.time`); ZIP creation + adversarial-safe read with bomb caps + path-traversal + LFH/CD-skew defense (`b.archive` + `b.archive.read.zip`); one-liner quarantine extraction (`b.safeArchive.extract`); one-liner in-memory extraction with no disk write for read-only / serverless filesystems (`b.safeArchive.extractToMemory`, or the low-level `b.archive.read.zip(...).extractEntries()` / `.tar`); fs / objectStore / http / buffer / trusted-stream adapter contract (`b.archive.adapters`); recipient-sealed envelopes — hybrid-PQC key-pair, peer certificate, or per-tenant key with no key-pair to manage (`b.archive.wrap({ recipient: "tenant", tenantId })`)
231
234
  - **Pagination + forms** — HMAC-signed cursor pagination (`b.pagination`); HTML form rendering + validation + CSRF (`b.forms`)
232
235
 
233
236
  ### Production
@@ -282,6 +282,7 @@ This is the minimum-viable security posture for a production deployment. The fra
282
282
  - [ ] Confirm `vault: { mode: "wrapped" }` in the app's config (not `"plaintext"`)
283
283
  - [ ] Store the passphrase in a secret manager (1Password / Vault / AWS Secrets Manager / sops) — never in git, never in shell history
284
284
  - [ ] Rotate the vault passphrase quarterly: `blamejs vault rotate`
285
+ - [ ] When rotating the vault *keypair* (not just the passphrase) with `b.vaultRotate.rotate`, first re-seal every AAD-backed store you use via its hook (`b.agent.idempotency.reseal` / `b.agent.orchestrator.reseal` / `b.agent.snapshot.reseal` / the `b.agent.tenant` `AAD_ROTATION` reseal paths) and re-wrap tenant archives with `b.archive.rewrapTenant`, then pass `externalAadResealed` naming each re-sealed store (or `true` if you use none of them). Rotation refuses rather than silently orphaning a store it cannot reach, and its round-trip verify decrypts AAD-sealed cells under the new keypair and flags any that still open under the old one. Declare the rotation to each cluster node with `acceptVaultKeyRotation: true` so the membership adopts the new fingerprint instead of reporting `VAULT_KEY_DRIFT`
285
286
  - [ ] In FIPS / regulated deployments, run `b.crypto.selfTest()` at start-up as a power-on integrity gate — it KATs SHA3/SHAKE against NIST FIPS 202 vectors and pairwise-tests ML-KEM-1024 / ML-DSA-87 / SLH-DSA-SHAKE-256f, throwing `crypto/self-test-failed` (fail closed) if the crypto stack is broken
286
287
 
287
288
  **Audit chain**
@@ -306,6 +307,11 @@ This is the minimum-viable security posture for a production deployment. The fra
306
307
  - [ ] Wire `b.tenantQuota.budget({ tenantField, perTenantQpsCap, perTenantTotalRowsRead })` for tenant-scoped query rate-limiting — replaces global `maxRowsPerQuery` for multi-tenant scenarios
307
308
  - [ ] Wrap query results with `b.tenantQuota.instrumentQuery({ rows, tenantField, tenantId })` — emits `db.tenant.crossover` when a row's tenant disagrees with the operator-claimed tenant (RLS-bypass detection)
308
309
 
310
+ **LLM / AI integration** (only if the app calls an LLM or serves model output)
311
+ - [ ] Classify retrieved RAG context with `b.ai.input.classifyWithSources` (untrusted sources escalate on a single signal) rather than trusting model input, and assemble prompts with `b.ai.prompt.template` so untrusted context / user text is fenced in a per-render crypto-nonce boundary it cannot forge (OWASP LLM01:2025)
312
+ - [ ] Pass model output through `b.ai.output.sanitize` before rendering / fetching / logging it — it gates markdown-image and link URLs against SSRF (the EchoLeak class, CVE-2025-32711) and flags SQL / command shapes — and `b.ai.output.redact` to strip PII / secret disclosures (OWASP LLM05:2025 + LLM02:2025)
313
+ - [ ] When signing C2PA content credentials, attach an RFC 3161 timestamp (`b.contentCredentials.signCose({ timestamp })`) so the manifest stays verifiable after its signing certificate expires, and verify inbound manifests with `b.contentCredentials.verifyCose` supplying `timestampTrustAnchorsPem`
314
+
309
315
  **mTLS** (only if using `b.mtlsCa` for service-to-service auth)
310
316
  - [ ] Boot the CA with `--sealed-mode required` so the CA private key is vault-sealed before hitting disk
311
317
  - [ ] Inspect CA state: `blamejs mtls status --data-dir ./data` — confirms the generation matches the operator's expected version (no silent drift on shared deploys)
@@ -366,6 +372,7 @@ This is the minimum-viable security posture for a production deployment. The fra
366
372
  - [ ] Issue at least one `b.honeytoken` canary per high-value surface (admin API key shape, unused admin URL, fake DB row ID) and wire alerting on `honeytoken.tripped` audit rows to your on-call channel — any positive lookup is by definition unauthorized
367
373
  - [ ] For incident-response runbooks: pre-wire `b.atoKillSwitch.trigger({ userId, reason, actor })` into your SOC tooling so a confirmed compromise is a single call rather than a multi-step manual cleanup
368
374
  - [ ] For DSR-receiving operators: stand up `b.dsr.create({ ticketStore, posture, identityResolver })` and wire `query` / `erase` callbacks for every personal-data source — the framework owns deadline computation, audit emission, and ticket state; the operator owns the storage backend and the per-source data path
375
+ - [ ] For EdTech / K-12 deployments handling student data: pin a student-data posture (`ferpa` / `ca-sopipa`), grant consent under `purpose: "educational-only"` (which refuses a `legitimate_interests` lawful basis at `b.consent.grant` time per the FERPA school-official exception / SOPIPA), and record an annual third-party review with `b.privacy.vendorReview()` for every processor that touches student PII
369
376
  - [ ] For DORA-scoped financial entities: wire `b.dora.create({ audit })` at the incident-classification step; the framework's three-stage report-shape (initial / intermediate / final) maps to Commission Delegated Regulation 2024/1772
370
377
  - [ ] For SEC-registered issuers: feed material cybersecurity incidents through `b.secCyber.eightKArtifact({ ... })` to produce the Form 8-K Item 1.05 disclosure within the 4-business-day window
371
378
  - [ ] For SMS-marketing operators: capture and audit consent via `b.tcpa10dlc.recordConsent({ phone, campaignId, consentText, signature })` BEFORE the first message — TCPA penalties are $500-$1,500 per violation