@blamejs/blamejs-shop 0.4.3 → 0.4.5

package/lib/vendor/blamejs/lib/auth/oauth.js

@@ -122,6 +122,11 @@ var lazyRequire = require("../lazy-require");
 // convention §3; no circular load — jwt-external requires nothing from
 // oauth.
 var jwtExternal = require("./jwt-external");
+// RFC 9101 request-object builder — composed by pushAuthorizationRequest
+// when the operator opts into sending a signed request object. Top-of-file
+// per convention §3; no circular load — jar requires jwt-external +
+// validate-opts only, nothing from oauth.
+var jar         = require("./jar");
 var audit       = lazyRequire(function () { return require("../audit"); });
 
 // Cap on responses parsed from upstream OAuth providers. Token /
@@ -517,97 +522,62 @@ var MAX_ATTESTATION_JWT_BYTES = C.BYTES.kib(16);
 var DEFAULT_POP_MAX_AGE_SEC = C.TIME.minutes(5) / C.TIME.seconds(1);
 
 // Sign/verify params keyed by alg — superset of _verifyParamsForAlg that
-// also covers EdDSA (used only on the attestation path; the ID-token
-// verifier keeps its own narrower table untouched).
+// also covers EdDSA (used only on the attestation verify path; the
+// ID-token verifier keeps its own narrower table untouched).
 function _attestationCryptoParams(alg) {
   if (alg === "EdDSA") return { hash: null };
   return _verifyParamsForAlg(alg);
 }
 
+// _toAttestationPrivateKey / _resolveAttestationAlg / _signAttestationJws —
+// thin wrappers over the classical-JWS signer that the jwt-external module
+// owns (b.auth.jws.sign internals). The attestation path keeps its own
+// `auth-oauth/attestation-*` error codes so operators routing alerts on
+// that class see no change; the signer BODIES (alg-from-key derivation,
+// compact-JWS assembly) live in exactly one place — the classical-JOSE
+// domain owner — rather than duplicated here. RFC 7518 §3.1 alg↔key
+// binding and the self-invalid-alg defenses are enforced by the composed
+// primitive.
+
 function _toAttestationPrivateKey(value, label) {
-  if (!value) {
-    throw new OAuthError("auth-oauth/attestation-no-key", label + ": privateKey is required");
-  }
-  if (value instanceof nodeCrypto.KeyObject) return value;
-  try {
-    if (typeof value === "string" || Buffer.isBuffer(value)) {
-      return nodeCrypto.createPrivateKey({ key: value, format: "pem" });
-    }
-    if (typeof value === "object" && value.kty) {
-      return nodeCrypto.createPrivateKey({ key: value, format: "jwk" });
-    }
-  } catch (e) {
-    throw new OAuthError("auth-oauth/attestation-bad-key",
-      label + ": private key parse failed: " + ((e && e.message) || String(e)));
+  try { return jwtExternal._toPrivateKey(value, label); }
+  catch (e) {
+    var code = (e && e.code) === "auth-jwt-external/sign-no-key"
+      ? "auth-oauth/attestation-no-key" : "auth-oauth/attestation-bad-key";
+    throw new OAuthError(code, (e && e.message) || String(e));
   }
-  throw new OAuthError("auth-oauth/attestation-bad-key",
-    label + ": privateKey must be a PEM string/Buffer, JWK object, or KeyObject");
 }
 
-// EC curve → the one ES* alg whose hash matches it (RFC 7518 §3.4).
-var _EC_CURVE_ALG = { prime256v1: "ES256", secp384r1: "ES384", secp521r1: "ES512" };
-
 // Resolve the JWS alg for an attestation / PoP signature. When the caller
-// gives no `algorithm`, infer the default that matches the key type so a
-// non-EC attester key (RSA, Ed25519) yields a self-consistent JWS — header
-// alg ⇄ signature key — instead of a fixed `ES256` header signed with the
-// real key, which `verifyClientAttestation`'s alg/kty cross-check would
-// then reject. An explicit alg incompatible with the key is refused BEFORE
-// signing rather than producing a self-invalid attestation.
+// gives no `algorithm`, the composed signer infers the default that matches
+// the key type so a non-EC attester key (RSA, Ed25519) yields a
+// self-consistent JWS — header alg ⇄ signature key — instead of a fixed
+// `ES256` header signed with the real key, which `verifyClientAttestation`'s
+// alg/kty cross-check would then reject. An explicit alg incompatible with
+// the key is refused BEFORE signing. The draft additionally floors the
+// accepted set to ATTESTATION_ALGS (no HMAC / none); the composed resolver
+// already refuses those, surfaced here as the attestation-specific code.
 function _resolveAttestationAlg(explicitAlg, privateKey, label) {
-  var kty = privateKey.asymmetricKeyType;
-  var defaultAlg, compatible;
-  if (kty === "ec") {
-    var curve = (privateKey.asymmetricKeyDetails && privateKey.asymmetricKeyDetails.namedCurve) || "";
-    defaultAlg = _EC_CURVE_ALG[curve];
-    if (!defaultAlg) {
-      throw new OAuthError("auth-oauth/attestation-key-unsupported",
-        label + ": EC curve '" + curve + "' has no attestation JWS alg (use P-256 / P-384 / P-521)");
-    }
-    compatible = [defaultAlg];                       // an EC curve pins exactly one ES alg
-  } else if (kty === "rsa") {
-    defaultAlg = "RS256";
-    compatible = ["RS256", "RS384", "RS512", "PS256", "PS384", "PS512"];
-  } else if (kty === "rsa-pss") {
-    defaultAlg = "PS256";
-    compatible = ["PS256", "PS384", "PS512"];        // an RSA-PSS key cannot produce an RS* signature
-  } else if (kty === "ed25519" || kty === "ed448") {
-    defaultAlg = "EdDSA";
-    compatible = ["EdDSA"];
-  } else {
-    throw new OAuthError("auth-oauth/attestation-key-unsupported",
-      label + ": key type '" + String(kty) + "' is not a supported attestation key (EC / RSA / Ed25519 / Ed448)");
-  }
-  if (explicitAlg === undefined || explicitAlg === null) return defaultAlg;
-  if (ATTESTATION_ALGS.indexOf(explicitAlg) === -1) {
-    throw new OAuthError("auth-oauth/attestation-alg-not-accepted",
-      label + ": alg '" + explicitAlg + "' is not an accepted attestation algorithm");
-  }
-  if (compatible.indexOf(explicitAlg) === -1) {
-    throw new OAuthError("auth-oauth/attestation-alg-key-mismatch",
-      label + ": alg '" + explicitAlg + "' is incompatible with the " + kty +
-      " key (compatible: " + compatible.join(", ") + ")");
+  try {
+    return jwtExternal._resolveSignAlg(explicitAlg, privateKey, label);
+  } catch (e) {
+    var ec = (e && e.code) || "";
+    if (ec === "auth-jwt-external/sign-alg-key-mismatch") {
+      throw new OAuthError("auth-oauth/attestation-alg-key-mismatch", (e && e.message) || String(e));
+    }
+    if (ec === "auth-jwt-external/sign-alg-refused" || ec === "auth-jwt-external/sign-alg-unsupported") {
+      throw new OAuthError("auth-oauth/attestation-alg-not-accepted",
+        label + ": alg '" + explicitAlg + "' is not an accepted attestation algorithm");
+    }
+    if (ec === "auth-jwt-external/sign-key-unsupported") {
+      throw new OAuthError("auth-oauth/attestation-key-unsupported", (e && e.message) || String(e));
+    }
+    throw new OAuthError("auth-oauth/attestation-bad-key", (e && e.message) || String(e));
   }
-  return explicitAlg;
 }
 
 function _signAttestationJws(header, payload, privateKey, alg) {
-  var params = _attestationCryptoParams(alg);
-  var headerB64  = _b64urlEncode(Buffer.from(JSON.stringify(header), "utf8"));
-  var payloadB64 = _b64urlEncode(Buffer.from(JSON.stringify(payload), "utf8"));
-  var signingInput = headerB64 + "." + payloadB64;
-  var sig;
-  var input = Buffer.from(signingInput, "ascii");
-  if (params.hash === null) {
-    sig = nodeCrypto.sign(null, input, privateKey);     // EdDSA — no prehash
-  } else {
-    var keyParam = { key: privateKey };
-    if (params.padding !== undefined)     keyParam.padding     = params.padding;
-    if (params.saltLength !== undefined)  keyParam.saltLength  = params.saltLength;
-    if (params.dsaEncoding !== undefined) keyParam.dsaEncoding = params.dsaEncoding;
-    sig = nodeCrypto.sign(params.hash, input, keyParam);
-  }
-  return signingInput + "." + _b64urlEncode(sig);
+  return jwtExternal._signCompactJws(header, payload, privateKey, alg);
 }
 
 // Verify a compact JWS against an already-imported public KeyObject. The
@@ -751,16 +721,9 @@ function buildClientAttestation(aopts) {
   };
   if (typeof aopts.nbf === "number") payload.nbf = aopts.nbf;
   // Operator extra claims merged WITHOUT overriding the spec-required
-  // fields (no prototype-pollution: only own enumerable keys, reserved
-  // names rejected).
+  // fields (proto-pollution sentinels skipped, the spec keys reserved).
   if (aopts.extraClaims && typeof aopts.extraClaims === "object" && !Array.isArray(aopts.extraClaims)) {
-    var ck = Object.keys(aopts.extraClaims);
-    for (var i = 0; i < ck.length; i += 1) {
-      var k = ck[i];
-      if (k === "__proto__" || k === "constructor" || k === "prototype") continue;
-      if (Object.prototype.hasOwnProperty.call(payload, k)) continue;   // never override spec fields
-      payload[k] = aopts.extraClaims[k];
-    }
+    validateOpts.assignOwnEnumerable(payload, aopts.extraClaims, Object.keys(payload));
   }
   return _signAttestationJws(
     { typ: "oauth-client-attestation+jwt", alg: alg }, payload, key, alg);
@@ -1996,6 +1959,13 @@ function create(opts) {
   // browser-side redirect to /authorize. Defends against parameter
   // tampering by an MITM at the user-agent + against URL-length
   // overflow on long authorization requests.
+  //
+  // RFC 9101 signed request object: pass `signedRequestObject: { key,
+  // alg?, kid?, audience?, expiresInMs? }` to push a JAR request object
+  // instead of plain form params. The authorization parameters then
+  // travel as signed claims (RFC 9126 §3 — form body carries only
+  // `request` + client auth), so the PAR endpoint can verify they
+  // arrived exactly as the client signed them. Absent → plain-form PAR.
   async function pushAuthorizationRequest(uopts) {
     uopts = uopts || {};
     var endpoint;
@@ -2006,6 +1976,20 @@ function create(opts) {
         "pushed_authorization_request_endpoint (set opts.pushedAuthorizationRequestEndpoint " +
         "on create() if the IdP doesn't publish it)");
     }
+    // RFC 9101 signed-request-object opt: when the operator supplies
+    // `signedRequestObject` (a config object carrying the client's signing
+    // key), the authorization parameters travel as claims of a JAR request
+    // object rather than as bare form params. Validated config-time; absent
+    // → the existing plain-form path sends the same key/value set
+    // (form-encoded params are unordered per the media type).
+    var sro = uopts.signedRequestObject || null;
+    if (sro) {
+      validateOpts.optionalPlainObject(sro, "pushAuthorizationRequest: signedRequestObject",
+        OAuthError, "auth-oauth/par-bad-request-object-opt",
+        "must be an object { key, alg?, kid?, audience?, expiresInMs? }");
+      validateOpts(sro, ["key", "alg", "kid", "audience", "expiresInMs"],
+        "pushAuthorizationRequest.signedRequestObject");
+    }
     // Same PKCE-downgrade gate as authorizationUrl (RFC 9700 §4.13):
     // PAR pushes the identical S256 challenge, so an OP advertising
     // code_challenge_methods_supported without S256 is refused here too.
@@ -2015,31 +1999,60 @@ function create(opts) {
     var state = uopts.state || _generateRandomToken(STATE_NONCE_BYTES);
     var nonce = uopts.nonce || (isOidc ? _generateRandomToken(STATE_NONCE_BYTES) : null);
     var pkceVals = _generatePkce();
-    var body = new URLSearchParams();
-    body.set("response_type", "code");
-    body.set("client_id",     clientId);
-    body.set("redirect_uri",  redirectUri);
-    body.set("scope",         scope.join(" "));
-    body.set("state",         state);
-    if (nonce) body.set("nonce", nonce);
-    body.set("code_challenge",        pkceVals.challenge);
-    body.set("code_challenge_method", "S256");
-    if (responseMode) body.set("response_mode", responseMode);
-    if (uopts.prompt)    body.set("prompt", uopts.prompt);
-    if (uopts.loginHint) body.set("login_hint", uopts.loginHint);
-    if (uopts.maxAge != null) body.set("max_age", String(uopts.maxAge));
-    if (clientSecret) body.set("client_secret", clientSecret);
+    // The authorization-request parameters. On the plain path these are set
+    // on the form body directly; on the JAR path they become request-object
+    // claims and the form body carries only `request` + client auth.
+    var authzParams = {
+      response_type:        "code",
+      client_id:            clientId,
+      redirect_uri:         redirectUri,
+      scope:                scope.join(" "),
+      state:                state,
+      code_challenge:        pkceVals.challenge,
+      code_challenge_method: "S256",
+    };
+    if (nonce)        authzParams.nonce         = nonce;
+    if (responseMode) authzParams.response_mode = responseMode;
+    if (uopts.prompt)    authzParams.prompt     = uopts.prompt;
+    if (uopts.loginHint) authzParams.login_hint = uopts.loginHint;
+    if (uopts.maxAge != null) authzParams.max_age = String(uopts.maxAge);
     // RFC 9396 — push the fine-grained authorization request through PAR
     // identically to the redirect path (validated, then JSON-serialized).
     var requestedAuthzDetails = null;
     if (uopts.authorizationDetails !== undefined) {
       requestedAuthzDetails = _validateAuthorizationDetailsArray(
         uopts.authorizationDetails, "pushAuthorizationRequest");
-      body.set("authorization_details", JSON.stringify(requestedAuthzDetails));
+      authzParams.authorization_details = JSON.stringify(requestedAuthzDetails);
     }
     if (uopts.extraParams && typeof uopts.extraParams === "object") {
       var ek = Object.keys(uopts.extraParams);
-      for (var i = 0; i < ek.length; i++) body.set(ek[i], String(uopts.extraParams[ek[i]]));
+      for (var i = 0; i < ek.length; i++) authzParams[ek[i]] = String(uopts.extraParams[ek[i]]);
+    }
+
+    var body = new URLSearchParams();
+    if (sro) {
+      // RFC 9126 §3 — when a signed request object is pushed, the
+      // authorization parameters MUST appear ONLY as claims of the JWT;
+      // the form body carries `request` plus the parameters a client
+      // authentication method requires (client_id, and client_secret for
+      // the secret-based methods) and nothing else. The JAR `aud` is the
+      // AS issuer identifier (RFC 9101 §5) — the operator may override but
+      // it defaults to the configured `issuer`.
+      var requestJwt = jar.build(authzParams, {
+        clientId:    clientId,
+        audience:    sro.audience || issuer,
+        key:         sro.key,
+        alg:         sro.alg,
+        kid:         sro.kid,
+        expiresInMs: sro.expiresInMs,
+      });
+      body.set("request",   requestJwt);
+      body.set("client_id", clientId);                 // RFC 9126 §3 — client identification
+      if (clientSecret) body.set("client_secret", clientSecret);
+    } else {
+      var ak = Object.keys(authzParams);
+      for (var ap = 0; ap < ak.length; ap++) body.set(ak[ap], authzParams[ak[ap]]);
+      if (clientSecret) body.set("client_secret", clientSecret);
     }
     var rv = await _postForm(endpoint, body);
     if (!rv || typeof rv.request_uri !== "string" || rv.request_uri.length === 0) {
@@ -2062,6 +2075,7 @@ function create(opts) {
       requestUri:  rv.request_uri,
       expiresIn:   typeof rv.expires_in === "number" ? rv.expires_in : null,
       authorizationDetails: requestedAuthzDetails,
+      requestObjectSent:    !!sro,
     };
   }
 

package/lib/vendor/blamejs/lib/http-client.js

@@ -673,13 +673,12 @@ function _buildMultipartBody(spec) {
 var SENSITIVE_HEADERS_LC = ["authorization", "cookie", "proxy-authorization"];
 
 function _stripCrossOriginAuth(headers) {
-  var out = {};
   var keys = Object.keys(headers);
+  var strip = [];
   for (var i = 0; i < keys.length; i++) {
-    if (SENSITIVE_HEADERS_LC.indexOf(keys[i].toLowerCase()) !== -1) continue;
-    out[keys[i]] = headers[keys[i]];
+    if (SENSITIVE_HEADERS_LC.indexOf(keys[i].toLowerCase()) !== -1) strip.push(keys[i]);
   }
-  return out;
+  return validateOpts.assignOwnEnumerable({}, headers, strip);
 }
 
 /**

package/lib/vendor/blamejs/lib/lro.js

@@ -185,13 +185,12 @@ function create(opts) {
 }
 
 function _stripPrivate(op) {
-  var out = {};
   var keys = Object.keys(op);
+  var priv = [];
   for (var i = 0; i < keys.length; i += 1) {
-    if (keys[i].charAt(0) === "_") continue;
-    out[keys[i]] = op[keys[i]];
+    if (keys[i].charAt(0) === "_") priv.push(keys[i]);
   }
-  return out;
+  return validateOpts.assignOwnEnumerable({}, op, priv);
 }
 
 module.exports = {

package/lib/vendor/blamejs/lib/middleware/deny-response.js

@@ -34,18 +34,10 @@
  */
 
 var problemDetails = require("../problem-details");
+var validateOpts = require("../validate-opts");
 
 function _isFn(x) { return typeof x === "function"; }
 
-function _mergeInto(target, extra) {
-  if (!extra || typeof extra !== "object") return target;
-  var keys = Object.keys(extra);
-  for (var i = 0; i < keys.length; i += 1) {
-    target[keys[i]] = extra[keys[i]];
-  }
-  return target;
-}
-
 /**
  * Resolve a deny-path refusal through the uniform hook / problem+json
  * / default chain. Returns whatever the `onDeny` hook returns when it
@@ -144,7 +136,7 @@ function denyResponse(req, res, ctx) {
     return undefined;
   }
 
-  var head = _mergeInto({ "Content-Type": ctx.contentType }, extra);
+  var head = validateOpts.assignOwnEnumerable({ "Content-Type": ctx.contentType }, extra);
   var denyOut = (ctx.body === undefined || ctx.body === null) ? ""
     : (typeof ctx.body === "string" ? ctx.body : JSON.stringify(ctx.body));
   if (ctx.body !== undefined && ctx.body !== null && req && typeof req.apiEncryptEncode === "function") {

package/lib/vendor/blamejs/lib/middleware/health.js

@@ -317,10 +317,7 @@ function create(opts) {
       var entry = { ok: r.ok, ms: r.ms };
       if (r.detail) {
         // Merge detail keys other than `ok` into the entry.
-        var keys = Object.keys(r.detail);
-        for (var n = 0; n < keys.length; n++) {
-          if (keys[n] !== "ok") entry[keys[n]] = r.detail[keys[n]];
-        }
+        validateOpts.assignOwnEnumerable(entry, r.detail, ["ok"]);
       }
       if (r.error) entry.error = r.error;
       if (!r.critical) entry.critical = false;

package/lib/vendor/blamejs/lib/middleware/trace-log-correlation.js

@@ -52,13 +52,10 @@ function _baggageToObject(entries) {
 
 function _wrapLogger(baseLogger, req, opts) {
   if (!baseLogger || typeof baseLogger !== "object") return baseLogger;
-  var wrapped = Object.create(null);
   // Preserve any non-level properties the operator put on the
-  // logger (e.g. boot context, child-logger metadata).
-  var keys = Object.keys(baseLogger);
-  for (var i = 0; i < keys.length; i++) {
-    if (LOG_LEVELS.indexOf(keys[i]) === -1) wrapped[keys[i]] = baseLogger[keys[i]];
-  }
+  // logger (e.g. boot context, child-logger metadata); the level
+  // methods themselves are re-wrapped below.
+  var wrapped = validateOpts.assignOwnEnumerable(Object.create(null), baseLogger, LOG_LEVELS);
 
   function _enrichMeta(meta) {
     var enriched = Object.assign({}, meta || {});

package/lib/vendor/blamejs/lib/validate-opts.js

@@ -393,6 +393,39 @@ function makeNamespacedEmitters(prefix, deps) {
   return { audit: audit, metric: metric };
 }
 
+// assignOwnEnumerable — copy a source object's own enumerable keys onto a
+// target, skipping the prototype-pollution sentinels (__proto__ /
+// constructor / prototype) and any caller-named reserved keys. Several
+// primitives that merge operator-supplied free-form fields onto a
+// spec-built object (JOSE claim sets, JWS protected headers, attestation
+// extra-claims) previously open-coded the identical
+// `for (k of Object.keys(src)) { if (sentinel) continue; if (reserved)
+// continue; dst[k] = src[k]; }` loop. Centralizing the proto-safe walk
+// keeps the merge contract in one place. Reserved keys win — they are NOT
+// overwritten — so the caller's spec-built fields can never be shadowed by
+// a same-named operator key. Returns the target.
+function assignOwnEnumerable(target, source, reservedKeys) {
+  if (!source || typeof source !== "object") return target;
+  var reserved = Object.create(null);
+  if (reservedKeys) for (var r = 0; r < reservedKeys.length; r += 1) reserved[reservedKeys[r]] = true;
+  var keys = Object.keys(source);
+  var entries = [];
+  for (var i = 0; i < keys.length; i += 1) {
+    var k = keys[i];
+    if (k === "__proto__" || k === "constructor" || k === "prototype") continue;
+    if (reserved[k]) continue;
+    entries.push([k, source[k]]);
+  }
+  // Staged through entries + Object.assign so the copy contains no
+  // computed-name property write at all: Object.fromEntries creates own
+  // data properties (it cannot walk the prototype chain), and the
+  // sentinel skip above means the staging object carries no
+  // __proto__/constructor/prototype key for Object.assign's [[Set]] to
+  // trip over. Same observable result as a key-by-key copy, with the
+  // arbitrary-property-write shape removed instead of merely guarded.
+  return Object.assign(target, Object.fromEntries(entries));
+}
+
 // observabilityShape — operator-supplied `opts.observability` must
 // expose an `event` function. Parallel to auditShape; the n=1 catalog
 // tracks both inline-shape regexes.
@@ -426,3 +459,4 @@ module.exports.requireMethods = requireMethods;
 module.exports.applyDefaults = applyDefaults;
 module.exports.makeAuditEmitter = makeAuditEmitter;
 module.exports.makeNamespacedEmitters = makeNamespacedEmitters;
+module.exports.assignOwnEnumerable = assignOwnEnumerable;

package/lib/vendor/blamejs/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@blamejs/core",
-  "version": "0.14.21",
+  "version": "0.14.22",
   "description": "The Node framework that owns its stack.",
   "license": "Apache-2.0",
   "author": "blamejs contributors",

package/lib/vendor/blamejs/release-notes/v0.14.22.json

@@ -0,0 +1,91 @@
+{
+  "$schema": "../scripts/release-notes-schema.json",
+  "version": "0.14.22",
+  "date": "2026-06-04",
+  "headline": "RFC 9101 signed request objects: a JAR request-object builder, a classical JWS signer for external interop, and pushed authorization requests that carry `request=`",
+  "summary": "The framework can now mint JWT-Secured Authorization Requests, completing the JAR surface whose verify side (`b.auth.jar.parse`) shipped in v0.12.31 with the builder documented as waiting on a classical signer. `b.auth.jws.sign` is that signer — a compact-JWS producer for RS / PS / ES / EdDSA keys that exists strictly for interop with external ecosystems (authorization servers and relying parties that require classical algorithms); the framework's own tokens stay on the PQC-first signer. `b.auth.jar.build` mints the RFC 9101 request object on top of it, and `pushAuthorizationRequest` composes both so a pushed authorization request can carry the signed `request=` parameter — the FAPI 2.0 message-signing client shape. The OAuth client-attestation builder now composes the same promoted signer internally, with identical wire output.",
+  "sections": [
+    {
+      "heading": "Added",
+      "items": [
+        {
+          "title": "`b.auth.jar.build` — RFC 9101 request-object builder",
+          "body": "Mints the JWT-Secured Authorization Request: header `typ: oauth-authz-req+jwt` (RFC 9101 §10.8), `iss` = the client_id and `aud` = the authorization server (§5), `response_type` and `client_id` required as claims (§4), and every authorization parameter carried as a claim. A params object containing `request` or `request_uri` is refused (§4 forbids nesting), reserved-claim collisions are refused, and a `params.client_id` that disagrees with `opts.clientId` is refused. The JWT carries a short `exp` (default 5 minutes, `expiresInMs`-overridable), `nbf`, and a random `jti` for FAPI 2.0 message signing. The signing algorithm derives from the supplied key; `none` is impossible. Round-trips against the existing `b.auth.jar.parse` verifier."
+        },
+        {
+          "title": "`b.auth.jws.sign` — classical compact-JWS signer for external interop",
+          "body": "Signs a compact JWS with an RS / PS / ES (P-256/P-384/P-521) / EdDSA key, deriving the algorithm from the key per RFC 7518 §3.1 and refusing `none`, HMAC, and algorithm/key mismatches; a caller-supplied `header.alg` cannot override the derived algorithm (algorithm-substitution closed). This primitive exists for interop with external ecosystems that require classical JOSE — JAR request objects, attestation JWTs, and similar cross-vendor surfaces. It is never the framework-internal token default: `b.auth.jwt` remains the PQC-first signer for the framework's own tokens."
+        },
+        {
+          "title": "Pushed authorization requests can carry a signed request object (RFC 9126 §3)",
+          "body": "`pushAuthorizationRequest` accepts a `signedRequestObject` option (`{ key, alg?, kid?, audience?, expiresInMs? }`). When present, the authorization parameters are minted into a JAR request object and the PAR body carries `request=<jwt>` plus only the client-authentication material RFC 9126 allows alongside it; the bare authorization parameters are not duplicated in the form. Absent, the existing plain-form path sends the same key/value set as before."
+        },
+        {
+          "title": "`validateOpts.assignOwnEnumerable` — shared prototype-safe claim merge",
+          "body": "Consolidates the own-enumerable key merge with prototype-pollution and reserved-key guards that the request-object builder, the classical signer, and the client-attestation builder all need. Existing call sites compose it; behavior is unchanged."
+        }
+      ]
+    },
+    {
+      "heading": "Changed",
+      "items": [
+        {
+          "title": "OAuth client-attestation signing composes the promoted classical signer",
+          "body": "The attestation builder's private JWS assembly moved to the shared `b.auth.jws.sign` internals. Wire output is identical — same headers, claim order, algorithm selection, and accepted-algorithm set — and the `auth-oauth/attestation-*` error codes are preserved, so operators routing alerts on those codes see no change."
+        },
+        {
+          "title": "Object key-copy sites compose the prototype-safe merge",
+          "body": "The long-running-operation status reader, the deny-path response-header merge, the HTTP client's cross-origin redirect header strip, and the trace-log logger wrapper now copy keys through `validateOpts.assignOwnEnumerable` instead of raw bracket-assign loops, so a `__proto__`/`constructor`/`prototype` key in the source object can never graft onto the copy. Behavior is otherwise unchanged."
+        }
+      ]
+    },
+    {
+      "heading": "Security",
+      "items": [
+        {
+          "title": "`jar.parse` returns prototype-safe authorization params (CWE-1321)",
+          "body": "A verified request object whose payload carried a `__proto__` claim (JSON.parse materializes it as an own key) previously grafted that claim's value onto the returned `params` object's prototype chain — a signature from a registered-but-malicious client was sufficient. The params object is now built through the prototype-safe merge; `__proto__`/`constructor`/`prototype` claim names are inert and are not copied."
+        },
+        {
+          "title": "`jws.sign` refuses `b64` and `crit` protected-header members",
+          "body": "RFC 7797 `b64: false` changes the JWS signing input (the payload is signed raw, not base64url-encoded) and RFC 7515 §4.1.11 `crit` promises the producer implements every extension it names. The signer always base64url-encodes the payload and implements no header extensions, so passing either member through minted a JWS whose header advertised semantics its signature was not computed under — a compliant verifier derives a different signing input or refuses the critical header. Both members are now refused with `auth-jwt-external/sign-unsupported-header`; unencoded-payload support would land as an explicit feature, not a header pass-through."
+        }
+      ]
+    },
+    {
+      "heading": "Removed",
+      "items": [
+        {
+          "title": "Maintainer planning note removed from the repository",
+          "body": "`memory/specs/node-26-map-getorinsert-migration.md` — a maintainer-local planning note that had been committed since v0.11.2 — is gone from the repository (it was never part of the npm package). The Node 26 detector allowlists in the pattern catalog now carry their per-site annotations standalone, and `SECURITY.md` / `.pinact.yaml` no longer reference maintainer-local note paths."
+        }
+      ]
+    },
+    {
+      "heading": "Detectors",
+      "items": [
+        {
+          "title": "raw-key-copy-loop-bypasses-assign-own-enumerable",
+          "body": "Refuses raw `out[keys[i]] = src[keys[i]]` bracket-assign copy loops in `lib/` — the shape behind the `jar.parse` finding. Key-copy sites compose `validateOpts.assignOwnEnumerable`; the two genuinely-different bodies (audit-chain hash canonicalization, schema-shape transforms) carry allowlist entries with structural reasons."
+        },
+        {
+          "title": "jose-header-passthrough-without-b64-crit-refusal",
+          "body": "Any caller-supplied JOSE protected-header pass-through must name-refuse `b64`/`crit` before signing."
+        },
+        {
+          "title": "no-tracked-internal-notes gate",
+          "body": "The pattern catalog now refuses any tracked file under `memory/`, `notes/`, or `.scratch*` paths at commit time."
+        }
+      ]
+    },
+    {
+      "heading": "Migration",
+      "items": [
+        {
+          "title": "No action required; everything is additive",
+          "body": "The JAR builder, the classical signer, the PAR `signedRequestObject` option, and the shared merge helper are new surface. Existing `jar.parse` callers, attestation flows, and plain PAR requests behave exactly as before."
+        }
+      ]
+    }
+  ]
+}