@blamejs/core 0.10.15 → 0.11.0

package/lib/cms-codec.js

@@ -674,10 +674,151 @@ function _encryptedContentInfo(plaintext, contentKey) {
   ]));
 }
 
+/**
+ * @primitive b.cms.parseSignedData
+ * @signature b.cms.parseSignedData(buf, opts?)
+ * @since     0.10.16
+ * @status    stable
+ * @related   b.cms.encodeSignedData, b.cms.decode
+ *
+ * Decode a CMS ContentInfo carrying SignedData and walk into the
+ * inner structure per RFC 5652 §5.1. Returns a structured object
+ * with `digestAlgs`, `encapContent`, `certificates`, and `signerInfos`
+ * arrays so downstream verifiers (b.mail.crypto.smime.verify) can
+ * check signatures without re-implementing the SignedData walker.
+ *
+ * @opts
+ *   maxBytes:    number,            // default 64 MiB
+ *
+ * @example
+ *   var sd = b.cms.parseSignedData(derBytes);
+ *   sd.signerInfos[0].sigAlgOid;  // → "2.16.840.1.101.3.4.3.18" (ML-DSA-65)
+ */
+function parseSignedData(buf, opts) {
+  var ci = decode(buf, opts);
+  if (ci.contentType !== OID.signedData) {
+    throw new CmsCodecError("cms/not-signed-data",
+      "parseSignedData: ContentInfo type is " + ci.contentType + ", expected " + OID.signedData);
+  }
+  if (ci.content.tag !== asn1.TAG.SEQUENCE) {
+    throw new CmsCodecError("cms/bad-signed-data", "SignedData must be a SEQUENCE");
+  }
+  var children = asn1.readSequence(ci.content.value);
+  if (children.length < 4) {
+    throw new CmsCodecError("cms/bad-signed-data",
+      "SignedData SEQUENCE must have at least 4 children");
+  }
+  var idx = 0;
+  idx += 1;   // version
+  var digestAlgsSet = children[idx]; idx += 1;
+  if (digestAlgsSet.tag !== asn1.TAG.SET) {
+    throw new CmsCodecError("cms/bad-signed-data", "digestAlgorithms must be a SET");
+  }
+  var digestAlgs = asn1.readSequence(digestAlgsSet.value).map(_readAlgIdOid);
+  var encapInfoNode = children[idx]; idx += 1;
+  if (encapInfoNode.tag !== asn1.TAG.SEQUENCE) {
+    throw new CmsCodecError("cms/bad-signed-data", "encapContentInfo must be a SEQUENCE");
+  }
+  var encapContent = _readEncapContent(encapInfoNode);
+  var certificates = [];
+  while (idx < children.length - 1) {
+    var n = children[idx];
+    if (n.tagClass === asn1.TAG_CLASS.CONTEXT_SPECIFIC && n.tag === 0) {
+      var certChildren = asn1.readSequence(n.value);
+      for (var ci2 = 0; ci2 < certChildren.length; ci2 += 1) {
+        certificates.push(_reEncodeNode(certChildren[ci2]));
+      }
+      idx += 1;
+    } else if (n.tagClass === asn1.TAG_CLASS.CONTEXT_SPECIFIC && n.tag === 1) {
+      idx += 1;
+    } else {
+      break;
+    }
+  }
+  var signerInfosSet = children[idx];
+  if (!signerInfosSet || signerInfosSet.tag !== asn1.TAG.SET) {
+    throw new CmsCodecError("cms/bad-signed-data", "signerInfos must be a SET");
+  }
+  var signerInfos = asn1.readSequence(signerInfosSet.value).map(_readSignerInfo);
+  return {
+    digestAlgs:   digestAlgs,
+    encapContent: encapContent,
+    certificates: certificates,
+    signerInfos:  signerInfos,
+  };
+}
+
+function _readAlgIdOid(seqNode) {
+  if (seqNode.tag !== asn1.TAG.SEQUENCE) {
+    throw new CmsCodecError("cms/bad-alg-id", "AlgorithmIdentifier must be a SEQUENCE");
+  }
+  var c = asn1.readSequence(seqNode.value);
+  if (c.length === 0) {
+    throw new CmsCodecError("cms/bad-alg-id", "AlgorithmIdentifier missing OID");
+  }
+  return asn1.readOid(c[0]);
+}
+
+function _readEncapContent(encapInfoNode) {
+  var children = asn1.readSequence(encapInfoNode.value);
+  if (children.length === 0) {
+    throw new CmsCodecError("cms/bad-encap", "encapContentInfo missing eContentType");
+  }
+  var eContentType = asn1.readOid(children[0]);
+  var eContent = null;
+  if (children.length >= 2) {
+    var ec = children[1];
+    if (ec.tagClass === asn1.TAG_CLASS.CONTEXT_SPECIFIC && ec.tag === 0) {
+      var inner = asn1.readNode(ec.value);
+      if (inner.tag === asn1.TAG.OCTET_STRING) {
+        eContent = asn1.readOctetString(inner);
+      }
+    }
+  }
+  return { eContentType: eContentType, eContent: eContent };
+}
+
+function _readSignerInfo(siNode) {
+  if (siNode.tag !== asn1.TAG.SEQUENCE) {
+    throw new CmsCodecError("cms/bad-signer-info", "SignerInfo must be a SEQUENCE");
+  }
+  var c = asn1.readSequence(siNode.value);
+  if (c.length < 5) {
+    throw new CmsCodecError("cms/bad-signer-info", "SignerInfo must have at least 5 children");
+  }
+  var idx = 0;
+  idx += 1;   // version
+  var sidNode = c[idx]; idx += 1;
+  var digestAlgOid = _readAlgIdOid(c[idx]); idx += 1;
+  // Optional [0] IMPLICIT signedAttrs — re-tag as universal SET
+  // (0x31) per RFC 5652 §5.4 to recover the byte sequence the
+  // signature was computed over.
+  var signedAttrsRaw = null;
+  if (c[idx] && c[idx].tagClass === asn1.TAG_CLASS.CONTEXT_SPECIFIC && c[idx].tag === 0) {
+    var implicitRaw = _reEncodeNode(c[idx]);
+    signedAttrsRaw = Buffer.concat([Buffer.from([0x31]), implicitRaw.slice(1)]);                      // allow:raw-byte-literal — universal SET tag per RFC 5652 §5.4
+    idx += 1;
+  }
+  var sigAlgOid = _readAlgIdOid(c[idx]); idx += 1;
+  var sigNode = c[idx]; idx += 1;
+  if (sigNode.tag !== asn1.TAG.OCTET_STRING) {
+    throw new CmsCodecError("cms/bad-signer-info", "signature must be an OCTET STRING");
+  }
+  var signature = asn1.readOctetString(sigNode);
+  return {
+    sid:            _reEncodeNode(sidNode),
+    digestAlgOid:   digestAlgOid,
+    signedAttrsRaw: signedAttrsRaw,
+    sigAlgOid:      sigAlgOid,
+    signature:      signature,
+  };
+}
+
 module.exports = {
   encodeSignedData:    encodeSignedData,
   encodeEnvelopedData: encodeEnvelopedData,
   decode:              decode,
+  parseSignedData:     parseSignedData,
   OID:                 OID,
   MAX_DEPTH:           MAX_DEPTH,
   DEFAULT_MAX_LEN:     DEFAULT_MAX_LEN,

package/lib/compliance.js

@@ -1126,6 +1126,79 @@ var POSTURE_DEFAULTS = Object.freeze({
   "cmmc-2.0-level-1":        Object.freeze({ backupEncryptionRequired: false, auditChainSignedRequired: true, tlsMinVersion: "TLSv1.3", requireVacuumAfterErase: false }),
   "cmmc-2.0-level-2":        Object.freeze({ backupEncryptionRequired: true,  auditChainSignedRequired: true, tlsMinVersion: "TLSv1.3", requireVacuumAfterErase: true  }),
   "cmmc-2.0-level-3":        Object.freeze({ backupEncryptionRequired: true,  auditChainSignedRequired: true, tlsMinVersion: "TLSv1.3", requireVacuumAfterErase: true, fipsMode: false }),
+  // ---- v0.10.16 — sectoral catch-up ----
+  // 42 CFR Part 2 — Substance Use Disorder records confidentiality
+  // (HHS final rule 2024-04-16 aligns Part 2 with HIPAA but retains
+  // a stricter consent floor; encrypted backups + signed audit chain
+  // + post-erase vacuum because the rule narrows the consent window
+  // and operators must demonstrate effective erasure on revocation).
+  "42-cfr-part-2":           Object.freeze({ backupEncryptionRequired: true,  auditChainSignedRequired: true, tlsMinVersion: "TLSv1.3", requireVacuumAfterErase: true  }),
+  // ONC HTI-1 final rule (45 CFR Part 170 / 89 FR 1192, effective
+  // 2024-12-31) — health IT certification. Brings algorithmic
+  // transparency / DSI (Decision Support Interventions) requirements.
+  // Cascade: encrypted backups + signed audit + vacuum (PHI-tier).
+  "hti-1":                   Object.freeze({ backupEncryptionRequired: true,  auditChainSignedRequired: true, tlsMinVersion: "TLSv1.3", requireVacuumAfterErase: true  }),
+  // USCDI v4 (ONC October 2023) — US Core Data for Interoperability
+  // standard data classes for EHR exchange. PHI-tier cascade.
+  "uscdi-v4":                Object.freeze({ backupEncryptionRequired: true,  auditChainSignedRequired: true, tlsMinVersion: "TLSv1.3", requireVacuumAfterErase: true  }),
+  // IRS Publication 1075 — Federal Tax Information (FTI) safeguards.
+  // FTI-tier: encrypted at rest, signed audit, vacuum after erasure
+  // (Pub 1075 §4.3 requires sanitization on disposal).
+  "irs-1075":                Object.freeze({ backupEncryptionRequired: true,  auditChainSignedRequired: true, tlsMinVersion: "TLSv1.3", requireVacuumAfterErase: true  }),
+  // NIST 800-172 Rev 3 — Enhanced Security Requirements for Protecting
+  // CUI. Layered atop 800-171 / CMMC-L2. FIPS-validated crypto
+  // floor — same operator-opt-in flag pattern as fedramp-rev5-moderate.
+  "nist-800-172-r3":         Object.freeze({ backupEncryptionRequired: true,  auditChainSignedRequired: true, tlsMinVersion: "TLSv1.3", requireVacuumAfterErase: true, fipsMode: false }),
+  // FIRST Traffic Light Protocol 2.0 (August 2022) — controls sharing
+  // of cyber threat information. Cascade: signed audit chain (the
+  // protocol's normative effect is on the audit + sharing surface,
+  // not data-at-rest).
+  "tlp-2.0":                 Object.freeze({ backupEncryptionRequired: false, auditChainSignedRequired: true, tlsMinVersion: "TLSv1.3", requireVacuumAfterErase: false }),
+  // Security of Critical Infrastructure Act 2018 (Australia, SOCI Act)
+  // + 2021/2022 amendments — critical-infrastructure cyber + ENS
+  // (Enhanced Cyber Security Obligations). Cascade: encrypted backups
+  // + signed audit (ENS §30CT data-integrity obligation).
+  "soci-au":                 Object.freeze({ backupEncryptionRequired: true,  auditChainSignedRequired: true, tlsMinVersion: "TLSv1.3", requireVacuumAfterErase: false }),
+  // EU NIS 2 Directive (Directive (EU) 2022/2555) — transposition
+  // deadline 2024-10-17. Cybersecurity for essential + important
+  // entities. Encrypted backups + signed audit chain (Art. 21(2)(d)
+  // requires backup management + crisis recovery).
+  "nis2":                    Object.freeze({ backupEncryptionRequired: true,  auditChainSignedRequired: true, tlsMinVersion: "TLSv1.3", requireVacuumAfterErase: false }),
+  // EU Cyber Resilience Act (Reg. (EU) 2024/2847) — product
+  // cybersecurity; full applicability 2027-12-11 with reporting
+  // obligations starting 2026-09-11. SUPPLY-tier cascade.
+  "cra":                     Object.freeze({ backupEncryptionRequired: false, auditChainSignedRequired: true, tlsMinVersion: "TLSv1.3", requireVacuumAfterErase: false }),
+  // FFIEC Cybersecurity Assessment Tool 2.0 — financial-tier; aligns
+  // with NIST CSF 2.0 + CRI Profile. Cascade matches glba-safeguards.
+  "ffiec-cat-2":             Object.freeze({ backupEncryptionRequired: true,  auditChainSignedRequired: true, tlsMinVersion: "TLSv1.3", requireVacuumAfterErase: false }),
+  // CRI Profile v2.0 (Cyber Risk Institute, May 2024) — financial-tier
+  // cyber risk + NIST CSF 2.0 cross-walk.
+  "cri-profile-v2.0":        Object.freeze({ backupEncryptionRequired: true,  auditChainSignedRequired: true, tlsMinVersion: "TLSv1.3", requireVacuumAfterErase: false }),
+  // OMB M-22-09 — Moving to Zero Trust (US federal). Cascade: signed
+  // audit + TLS 1.3 (the memorandum's normative effect rides through
+  // the identity + segmentation surfaces).
+  "m-22-09":                 Object.freeze({ backupEncryptionRequired: false, auditChainSignedRequired: true, tlsMinVersion: "TLSv1.3", requireVacuumAfterErase: false }),
+  // OMB M-22-18 — Enhancing the Security of the Software Supply Chain
+  // (the SSDF / attestation requirement). SUPPLY-tier — audit-chain
+  // signed for the attestation records.
+  "m-22-18":                 Object.freeze({ backupEncryptionRequired: false, auditChainSignedRequired: true, tlsMinVersion: "TLSv1.3", requireVacuumAfterErase: false }),
+  // NIST 800-53 Rev 5 Privacy baseline — additive privacy controls
+  // overlay. Cascade: vacuum-after-erase per PT-2(2) and SI-12.
+  "nist-800-53-r5-privacy":  Object.freeze({ backupEncryptionRequired: false, auditChainSignedRequired: true, tlsMinVersion: "TLSv1.3", requireVacuumAfterErase: true  }),
+  // NIST AI-RMF Generative AI Profile (NIST AI 600-1, July 2024) —
+  // generative AI risk management overlay. AI-tier cascade.
+  "nist-ai-600-1-genai":     Object.freeze({ backupEncryptionRequired: true,  auditChainSignedRequired: true, tlsMinVersion: "TLSv1.3", requireVacuumAfterErase: true  }),
+  // NIST CSF 2.0 (February 2024) — Cybersecurity Framework with the
+  // GOVERN function added.
+  "nist-csf-2.0":            Object.freeze({ backupEncryptionRequired: false, auditChainSignedRequired: true, tlsMinVersion: "TLSv1.3", requireVacuumAfterErase: false }),
+  // SB 53 / California Frontier AI Disclosure (effective 2026 fiscal)
+  // — frontier-model critical incident disclosure ledger.
+  "sb-53":                   Object.freeze({ backupEncryptionRequired: true,  auditChainSignedRequired: true, tlsMinVersion: "TLSv1.3", requireVacuumAfterErase: true  }),
+  // NYC Local Law 144 (2023) — Automated Employment Decision Tools
+  // (bias-audit + candidate notice) — bias-audit posture (already
+  // present as "nyc-ll144"); 2024 amendment adds annual re-audit
+  // signing.
+  "nyc-ll144-2024":          Object.freeze({ backupEncryptionRequired: false, auditChainSignedRequired: true, tlsMinVersion: "TLSv1.3", requireVacuumAfterErase: false }),
 });
 
 /**

package/lib/csp.js

@@ -0,0 +1,271 @@
+"use strict";
+/**
+ * @module     b.csp
+ * @nav        Security
+ * @title      CSP3 builder
+ * @order      150
+ * @slug       csp
+ *
+ * @card
+ *   Content Security Policy Level 3 header builder. Composable per-
+ *   directive surface with Trusted Types defaults and nonce/hash
+ *   helpers. Operators wire the resulting header value into
+ *   b.middleware.securityHeaders via the `csp` opt.
+ *
+ * @intro
+ *   Content Security Policy Level 3 (W3C CSP3 / candidate
+ *   recommendation 2024-09) directive builder. The framework's
+ *   b.middleware.securityHeaders module ships a strict default CSP;
+ *   this module exposes the per-directive surface so operators can
+ *   build out a policy by composition without hand-concatenating
+ *   strings (which is the failure mode behind most CSP-bypass
+ *   incidents — a missing `'self'`, an accidental `'unsafe-inline'`,
+ *   or quoting that the UA silently ignores).
+ *
+ *   Posture:
+ *     - Refuses `'unsafe-inline'` / `'unsafe-eval'` / `'unsafe-hashes'`
+ *       in any script-* directive unless explicitly acknowledged via
+ *       `acknowledgeUnsafe: true` with a documented reason. The CSP3
+ *       spec defines these as no-ops when `'strict-dynamic'` is
+ *       present, but UAs that haven't shipped strict-dynamic full
+ *       support still honor the unsafe keywords — refusing at builder
+ *       time prevents shipping an unintentional bypass.
+ *     - Defaults `require-trusted-types-for 'script'` + the named
+ *       Trusted Types policy "default" when operators wire any
+ *       script-* source (Trusted Types is the strongest defense
+ *       against DOM-XSS available in browsers today).
+ *     - Refuses `data:` in img-src / media-src / font-src unless the
+ *       operator explicitly opts in (data: URLs sidestep most CSP
+ *       defenses and are a common XSS pivot).
+ *     - Refuses `https:` / `*` as a source in any directive (catch-all
+ *       sources defeat the principle of least privilege).
+ *
+ *   v0.10.16 light-up: builder + nonce helper + hash helper. Trusted
+ *   Types policy declaration helper. CSP-report-uri / report-to wiring
+ *   composes with b.middleware.cspReport (existing).
+ *
+ * Spec citations:
+ *   - W3C CSP Level 3 (CR 2024-09)
+ *   - W3C Trusted Types (CR 2023-05)
+ *   - Reporting API Level 1 (W3C 2024)
+ */
+var nodeCrypto   = require("node:crypto");
+var validateOpts = require("./validate-opts");
+var bCrypto      = require("./crypto");
+var { defineClass } = require("./framework-error");
+
+var CspError = defineClass("CspError", { alwaysPermanent: true });
+
+// Directives that participate in script execution — operator-facing
+// keyword discipline only applies here (refuse 'unsafe-*' unless
+// acknowledgeUnsafe is set).
+var SCRIPT_DIRECTIVES = ["script-src", "script-src-elem", "script-src-attr",
+                         "style-src", "style-src-elem", "style-src-attr",
+                         "worker-src", "frame-src", "child-src"];
+
+var ALL_DIRECTIVES = [
+  "default-src", "script-src", "script-src-elem", "script-src-attr",
+  "style-src", "style-src-elem", "style-src-attr",
+  "img-src", "media-src", "font-src", "connect-src", "object-src",
+  "frame-src", "child-src", "worker-src", "manifest-src", "prefetch-src",
+  "form-action", "frame-ancestors", "navigate-to", "base-uri", "sandbox",
+  "report-to", "report-uri",
+  "require-trusted-types-for", "trusted-types",
+  "upgrade-insecure-requests", "block-all-mixed-content",
+];
+
+var UNSAFE_KEYWORDS = ["'unsafe-inline'", "'unsafe-eval'", "'unsafe-hashes'"];
+var CATCH_ALL_SOURCES = ["*", "https:"];
+
+/**
+ * @primitive b.csp.build
+ * @signature b.csp.build(directives, opts?)
+ * @since     0.10.16
+ * @status    stable
+ * @compliance soc2, gdpr
+ * @related   b.middleware.securityHeaders, b.csp.nonce, b.csp.hash
+ *
+ * Build a CSP3 header value from a per-directive object. Each key is
+ * a CSP directive name; each value is an array of sources (strings).
+ * Returns a single string ready for `Content-Security-Policy:` or
+ * `Content-Security-Policy-Report-Only:`.
+ *
+ * @opts
+ *   {
+ *     acknowledgeUnsafe?:    boolean,   // default false — refuses 'unsafe-*' otherwise
+ *     allowDataImages?:      boolean,   // default false — refuses data: in img-src/media-src/font-src
+ *     trustedTypesPolicies?: string[],  // policy names allowed by trusted-types directive
+ *     requireTrustedTypes?:  boolean,   // default true when any script-* is set
+ *   }
+ *
+ * @example
+ *   var policy = b.csp.build({
+ *     "default-src":           ["'self'"],
+ *     "script-src":            ["'self'", "'nonce-" + req.cspNonce + "'"],
+ *     "style-src":             ["'self'"],
+ *     "img-src":               ["'self'"],
+ *     "connect-src":           ["'self'"],
+ *     "frame-ancestors":       ["'none'"],
+ *     "base-uri":              ["'self'"],
+ *     "form-action":           ["'self'"],
+ *     "object-src":            ["'none'"],
+ *     "report-to":             ["default"],
+ *   }, { trustedTypesPolicies: ["default", "app-sanitizer"] });
+ *   res.setHeader("Content-Security-Policy", policy);
+ */
+function build(directives, opts) {
+  if (!directives || typeof directives !== "object") {
+    throw new CspError("csp/bad-directives",
+      "csp.build: directives must be an object keyed by CSP directive name");
+  }
+  opts = opts || {};
+  validateOpts(opts, ["acknowledgeUnsafe", "allowDataImages",
+                       "trustedTypesPolicies", "requireTrustedTypes"], "csp.build");
+  var acknowledgeUnsafe = opts.acknowledgeUnsafe === true;
+  var allowDataImages   = opts.allowDataImages   === true;
+
+  var keys = Object.keys(directives);
+  var hasScriptDirective = false;
+  for (var ki = 0; ki < keys.length; ki += 1) {
+    var name = keys[ki];
+    if (ALL_DIRECTIVES.indexOf(name) === -1) {
+      throw new CspError("csp/unknown-directive",
+        "csp.build: '" + name + "' is not a recognized CSP3 directive");
+    }
+    var values = directives[name];
+    if (!Array.isArray(values)) {
+      throw new CspError("csp/bad-directive-value",
+        "csp.build: directives['" + name + "'] must be an array of source strings");
+    }
+    if (SCRIPT_DIRECTIVES.indexOf(name) !== -1) hasScriptDirective = true;
+    for (var vi = 0; vi < values.length; vi += 1) {
+      var src = values[vi];
+      if (typeof src !== "string" || src.length === 0) {
+        throw new CspError("csp/bad-source",
+          "csp.build: directives['" + name + "'][" + vi + "] must be a non-empty string");
+      }
+      // CR/LF/NUL header-injection rejection.
+      if (/[\r\n\0]/.test(src)) {                                                                 // allow:duplicate-regex — CR/LF/NUL header-injection rejection
+        throw new CspError("csp/header-injection",
+          "csp.build: source '" + src + "' contains CR/LF/NUL");
+      }
+      if (!acknowledgeUnsafe && SCRIPT_DIRECTIVES.indexOf(name) !== -1 &&
+          UNSAFE_KEYWORDS.indexOf(src) !== -1) {
+        throw new CspError("csp/unsafe-keyword",
+          "csp.build: " + name + " contains " + src + "; pass acknowledgeUnsafe:true with a " +
+          "documented justification to allow it (CSP3 §6.2.5.x — unsafe keywords are a " +
+          "common XSS bypass surface)");
+      }
+      if (CATCH_ALL_SOURCES.indexOf(src) !== -1) {
+        throw new CspError("csp/catch-all-source",
+          "csp.build: " + name + " contains catch-all source '" + src + "'; CSP3 best " +
+          "practice refuses these (use an explicit allowlist instead)");
+      }
+      if (!allowDataImages && (name === "img-src" || name === "media-src" || name === "font-src") &&
+          src === "data:") {
+        throw new CspError("csp/data-source",
+          "csp.build: " + name + " contains 'data:'; pass allowDataImages:true with a " +
+          "documented reason (data: URLs sidestep most CSP defenses)");
+      }
+    }
+  }
+
+  // Trusted Types defaults. When operator has any script-* directive
+  // and didn't override `requireTrustedTypes`, append the require-
+  // trusted-types-for + trusted-types directives.
+  var requireTt = opts.requireTrustedTypes !== false && hasScriptDirective &&
+                  directives["require-trusted-types-for"] === undefined;
+  if (requireTt) {
+    directives["require-trusted-types-for"] = ["'script'"];
+  }
+  if (opts.trustedTypesPolicies && Array.isArray(opts.trustedTypesPolicies) &&
+      directives["trusted-types"] === undefined) {
+    directives["trusted-types"] = opts.trustedTypesPolicies;
+  }
+
+  // Emit in canonical order (ALL_DIRECTIVES order) so operators
+  // diffing two policies see structural diffs rather than ordering
+  // noise.
+  var out = [];
+  for (var di = 0; di < ALL_DIRECTIVES.length; di += 1) {
+    var d = ALL_DIRECTIVES[di];
+    var vals = directives[d];
+    if (vals === undefined) continue;
+    if (Array.isArray(vals) && vals.length === 0) {
+      // Directives like upgrade-insecure-requests accept no value.
+      if (d === "upgrade-insecure-requests" || d === "block-all-mixed-content") {
+        out.push(d);
+        continue;
+      }
+      continue;
+    }
+    out.push(d + " " + vals.join(" "));
+  }
+  return out.join("; ");
+}
+
+/**
+ * @primitive b.csp.nonce
+ * @signature b.csp.nonce(byteLen?)
+ * @since     0.10.16
+ * @status    stable
+ *
+ * Generate a CSP3 nonce — base64url-encoded random bytes for use as
+ * `'nonce-<value>'` in script-src / style-src. The CSP3 spec
+ * recommends at least 128 bits of entropy (16 bytes); this primitive
+ * uses 32 bytes by default for a generous margin.
+ *
+ * @example
+ *   req.cspNonce = b.csp.nonce();
+ *   res.setHeader("Content-Security-Policy",
+ *     b.csp.build({ "script-src": ["'self'", "'nonce-" + req.cspNonce + "'"] }));
+ */
+function nonce(byteLen) {
+  var n = typeof byteLen === "number" ? byteLen : 32;                                              // allow:raw-byte-literal — 256-bit nonce default
+  if (!isFinite(n) || n < 16 || n > 64) {                                                          // allow:raw-byte-literal — CSP3 §6.2.x nonce bounds
+    throw new CspError("csp/bad-nonce-len",
+      "csp.nonce: byteLen must be 16-64 (CSP3 §6.2 recommends ≥16 bytes)");
+  }
+  return bCrypto.toBase64Url(nodeCrypto.randomBytes(n));
+}
+
+/**
+ * @primitive b.csp.hash
+ * @signature b.csp.hash(scriptBody, alg?)
+ * @since     0.10.16
+ * @status    stable
+ *
+ * Compute a CSP3 hash source for an inline script/style. Returns the
+ * `'<alg>-<base64>'` token suitable for direct use as a script-src
+ * source.
+ *
+ * @opts
+ *   alg?: "sha256" | "sha384" | "sha512"   // default sha384 (matches
+ *                                           // b.crypto.sri default)
+ *
+ * @example
+ *   var src = b.csp.hash("console.log('boot');");
+ *   // → "'sha384-abcd...'"
+ */
+function hash(scriptBody, alg) {
+  if (typeof scriptBody !== "string" && !Buffer.isBuffer(scriptBody)) {
+    throw new CspError("csp/bad-hash-input",
+      "csp.hash: scriptBody must be a string or Buffer");
+  }
+  var algName = alg || "sha384";
+  if (algName !== "sha256" && algName !== "sha384" && algName !== "sha512") {
+    throw new CspError("csp/bad-hash-alg",
+      "csp.hash: alg must be sha256 / sha384 / sha512 (CSP3 §6.2 hash sources)");
+  }
+  var digest = nodeCrypto.createHash(algName)
+    .update(typeof scriptBody === "string" ? Buffer.from(scriptBody, "utf8") : scriptBody)
+    .digest("base64");
+  return "'" + algName + "-" + digest + "'";
+}
+
+module.exports = {
+  build:  build,
+  nonce:  nonce,
+  hash:   hash,
+  CspError: CspError,
+};