@blamejs/core 0.11.3 → 0.11.5

package/CHANGELOG.md

@@ -8,6 +8,10 @@ upgrading across more than a few patches at a time.
 
 ## v0.11.x
 
+- v0.11.5 (2026-05-19) — **`b.safeDecompress(buf, opts)` — bomb-resistant decompression primitive.** New operator-facing primitive at `lib/safe-decompress.js` that centralizes the bounded-output / bounded-ratio defense the v0.10.15 `gunzip-without-output-size-cap` detector enforces per-call-site. Accepts `gzip` / `deflate` / `deflate-raw` (RFC 1951) / `brotli` under an explicit algorithm allowlist (unknown algorithms refuse with `safe-decompress/unsupported-algorithm`); refuses bomb-class input via zlib's own `maxOutputLength` BEFORE allocation; AFTER decompression checks `output.length / input.length` against `maxRatio` (default 50:1) and overwrites + drops the buffer if the ratio is exceeded so operator-facing paths never see the bomb bytes. Pre-decompression input cap (`maxCompressedBytes`, default 4 MiB) defends against very-large compressed payloads whose zlib parse alone is expensive. Refusal codes: `safe-decompress/output-too-large` / `ratio-exceeded` / `decompress-failed` / `empty-input` / `oversized-input` / `unsupported-algorithm` / `bad-arg` / `bad-input`. Operators wire `opts.audit` to receive the `system.safe_decompress.refused` event with `{ code, algorithm, ctx, reason }` metadata; emission is drop-silent per [CLAUDE.md rule §5](https://github.com/blamejs/blamejs/blob/main/CLAUDE.md). **Composition:** `lib/websocket.js` `_inflateMessage` now routes through `b.safeDecompress({ algorithm: "deflate-raw", maxRatio: 0, ... })` — WS already binds upstream via `maxMessageBytes` so the ratio cap is opt-out; future per-message-deflate sites adopt the same shape. Fuzz harness at `fuzz/safe-decompress.fuzz.js` probes the four-algorithm allowlist with adversarial bytes (bomb / malformed / truncated / bogus dictionary) to catch any uncaught error class outside the documented refusal surface. **References:** [RFC 1950 zlib](https://www.rfc-editor.org/rfc/rfc1950) · [RFC 1951 deflate](https://www.rfc-editor.org/rfc/rfc1951) · [RFC 1952 gzip](https://www.rfc-editor.org/rfc/rfc1952) · [RFC 7932 brotli](https://www.rfc-editor.org/rfc/rfc7932) · [CVE-2025-0725](https://nvd.nist.gov/vuln/detail/CVE-2025-0725) · [RFC 8460 §5.2 TLS-RPT decompression community guidance](https://www.rfc-editor.org/rfc/rfc8460#section-5.2).
+
+- v0.11.4 (2026-05-19) — **`b.audit.useStore({ record })` shadow store + WebSocket permessage-deflate bomb fix + 5 new codebase-patterns detectors + shape-matcher substrate.** **`b.audit.useStore({ record })`** registers an operator-supplied shadow store that receives a copy of every audit chain append AFTER the framework's tamper-evident chain commits. The operator's `record(row)` async function receives the fully-formed row — `{ _id, recordedAt, monotonicCounter, prevHash, rowHash, action, outcome, actorUserId, ..., metadata }` — so external destinations (AWS QLDB / Azure Confidential Ledger / Google Cloud Audit Logs / in-house WORM appliances / SIEM forwarders) see identical hashes for cross-store reconciliation. Shadow failures are drop-silent per [CLAUDE.md rule §5](https://github.com/blamejs/blamejs/blob/main/CLAUDE.md) — the framework chain is authoritative and already committed; an unreachable shadow surfaces via `b.observability` as the `audit.shadow_failed` event but never crashes the request path. Composes with HIPAA §164.312(b) / PCI-DSS Req 10.5.3 (separation-of-duties retention) / SOX §404 / SEC 17a-4 WORM postures. Pass `null` or `{ record: null }` to unregister. **WebSocket permessage-deflate bomb fix:** `lib/websocket.js` `_inflateMessage` previously called `zlib.inflateRawSync` without `maxOutputLength` — a malicious peer could ship a small compressed frame that exploded into gigabytes BEFORE the framework's post-decompression `maxMessageBytes` check ran. The inflate now passes `maxOutputLength: this.maxMessageBytes` so zlib refuses mid-decompress; same CVE-2024-zlib / CVE-2025-0725 amplification class the `gunzip-without-output-size-cap` detector defends elsewhere. **New codebase-patterns detectors:** (1) `test-promise-settimeout-sleep` (scans the `test/` tree — first detector under the new test-scope walker — for the `await new Promise(r => setTimeout(r, N))` shape forbidden by [CLAUDE.md §11b](https://github.com/blamejs/blamejs/blob/main/CLAUDE.md), with the migration backlog pre-allowlisted as a release-gate countdown); (2) `inflate-unzip-without-output-size-cap` (extends the v0.10.15 gunzip-cap detector to `zlib.inflateSync` / `inflateRawSync` / `unzipSync` / `createInflate` family — RFC 1951 deflate is the same bomb class); (3) `map-get-falsy-then-set-pre-node-26` (companion to `map-has-then-set-pre-node-26` — catches the `!M.get(k)` / `M.get(k) === undefined|null` semantically-identical variants); (4) `fs-existssync-then-read-toctou` (CodeQL `js/file-system-race` class — `fs.existsSync(p) + fs.readFile(p)` against the same path is symlink-swap-vulnerable; the canonical defense is `lib/atomic-file.js`'s open-by-fd-first pattern); (5) `buffer-from-string-on-auth-path` (flags `Buffer.from(String(x))` in `lib/` — auth-bearing sites become `b.safeBytes` migration targets in the next release). **Shape-matcher substrate** lands at `test/helpers/_shape-match.js` (test-only, never ships — `test/` is absent from package.json `files:` allowlist): token-aware traversal that tracks paren / brace / bracket depth + string / template-literal / regex / comment state, exposing `findCalls(source, calleeRegex)` / `findEnclosingTry(source, pos)` / `aliasesOf(source, chainRegex)`. Future releases convert the highest-bypass-risk regex-only detectors to AST-aware variants using this substrate, closing the class of regex-bypass via variable renaming / parens / line splits that surface-pattern detectors miss. **References:** [RFC 7692 §7.2.2 WebSocket permessage-deflate](https://www.rfc-editor.org/rfc/rfc7692#section-7.2.2) · [HIPAA §164.312(b) Audit Controls](https://www.law.cornell.edu/cfr/text/45/164.312) · [PCI-DSS v4.0 Req 10](https://www.pcisecuritystandards.org/) · [SEC 17a-4 WORM](https://www.sec.gov/files/rules/final/34-44238.pdf) · [SOX §404](https://www.sec.gov/about/laws/soa2002.pdf) · [CVE-2024-zlib decompression amplification](https://nvd.nist.gov/) · [CVE-2025-0725](https://nvd.nist.gov/vuln/detail/CVE-2025-0725) · [CodeQL js/file-system-race](https://codeql.github.com/codeql-query-help/javascript/js-file-system-race/).
+
 - v0.11.3 (2026-05-19) — **SPF `a` and `mx` mechanism dispatch + smaller deferral-condition cleanups.** `b.mail.spf.verify` now evaluates the `a` and `mx` mechanisms per [RFC 7208 §5.3 + §5.4](https://www.rfc-editor.org/rfc/rfc7208), including the dual-cidr-length syntax (`a:foo.example/24//64`, `mx//64`). Senders publishing `v=spf1 mx -all` or `v=spf1 a -all` previously permerrored against this framework even though those are the second-most-common SPF mechanisms in fielded policies; verification now resolves the operator-supplied A / AAAA / MX records (via the existing `dnsLookup` callback contract — which is now honored for every record type, not only TXT) and matches the connecting IP under the parsed cidr. MX expansion is capped at the RFC §4.6.4 limit of 10 hosts (over-limit = permerror); each MX-host A/AAAA expansion counts toward the 10-lookup global ceiling and the 2-lookup void-lookup sub-limit. Empty digit segments in the dual-cidr-length grammar (`a/`, `a//`, `mx/`, `mx//`, `a/24//`) permerror with an explanatory message — RFC §5.3/§5.4 grammar requires `1*DIGIT` after each slash, and accepting empty would over-authorize senders publishing `v=spf1 a/ -all` (would match every IP in the /32 of every A record). The `exists` (RFC §5.7) and `ptr` (RFC §5.5) mechanisms remain deferred — `exists` needs macro-string expansion (RFC §7) to be usable in fielded policies, `ptr` is "strongly discouraged" by the RFC and rarely seen — and each now permerrors with an explanatory message naming the RFC section and a practical operator-side mitigation. `b.mail.crypto.smime` `@card` and the v1-only-emits-metadata comment in `lib/mail-crypto-smime.js` are corrected to reflect that sign + verify shipped in v0.10.16 on the `b.cms` substrate (EFAIL-class encrypt/decrypt remains the only deferred slice). `b.acme.create.revokeCert({ useCertKey: true })` and the `BAD UID <subverb>` IMAP listener response now carry explicit re-open conditions + named operator escape hatches alongside the deferral. **New codebase-patterns detector `slice1-optional-parseint-silent-default`** flags the class — any `.slice(1)` followed by an `if (X.length > 0)` guard around `parseInt(X, 10)` MUST sit in a file that also carries an explicit empty-segment refusal phrasing, so future cidr-length / prefix-length / port-range parsers inherit the discipline automatically. **References:** [RFC 7208 §5.3 a mechanism](https://www.rfc-editor.org/rfc/rfc7208#section-5.3) · [RFC 7208 §5.4 mx mechanism](https://www.rfc-editor.org/rfc/rfc7208#section-5.4) · [RFC 7208 §4.6.4 DNS-lookup limits](https://www.rfc-editor.org/rfc/rfc7208#section-4.6.4) · [RFC 8551 S/MIME 4.0](https://www.rfc-editor.org/rfc/rfc8551.html) · [RFC 9051 IMAP4rev2 §6.4.9 UID](https://www.rfc-editor.org/rfc/rfc9051#section-6.4.9).
 
 - v0.11.2 (2026-05-19) — **Node 26 floor-bump preparation.** Today's `engines.node` floor is `>=24.14.1` and the framework runs cleanly on Node 26 (which satisfies the floor). This release ships the **prep** scaffolding so the future floor-bump slice (when Node 26 promotes to Active LTS and `>=26.x` becomes the floor) is mechanical. **`b.backup.diskStorage(opts)`** is the new canonical name for the local-filesystem backup storage backend; `b.backup.localStorage(opts)` continues to work and emits a one-time deprecation warning via `b.deprecate.alias`, with removal scheduled for the next major. The rename avoids the Node 26 platform-level `localStorage` global naming collision; the deprecation path follows the framework's stable upgrade policy (one minor with deprecation warnings before removal). **New codebase-patterns detector `map-get-or-insert-pre-node-26`** flags the `if (!m.has(k)) m.set(k, factory()); m.get(k)` shape that Node 26's `Map.prototype.getOrInsertComputed(key, factory)` replaces in a single call. The detector lands as an allowlist marker — every existing call site in `lib/` is allowlisted with the spec file as the migration target; new code post-this-patch trips the gate. When the floor bumps the allowlist is walked + the detector flips to enforce. **`test/integration/pqc-pkcs8-forward-compat.test.js`** captures the ML-KEM-1024 / ML-DSA-65 / ML-DSA-87 / SLH-DSA-SHAKE-256f / Ed25519 PKCS8 export-byte shape on the current Node, asserts the sign+verify / encap+decap roundtrip via a re-imported KeyObject, and embeds a Node-26-shape fixture that re-imports every run — so the forward-compat contract is testable today and the reverse-direction (Node-26-exported → Node-24-imported) test follows the floor-bump. **SECURITY.md gains a "Node 26 compatibility" section** documenting the `localStorage` global naming collision (bare references in operator handler code now resolve to a Node global rather than throwing `ReferenceError`) and the ML-KEM / ML-DSA seed-only PKCS8 export shape (Node-24-sealed material re-imports cleanly on Node 26; new material from Node 26 is seed-only — parallel Node 24 readers of the same sealed disk need a one-time migration when the writer moves). README "Requirements" line gains the matching Node 26 note. **References:** [Node.js v26 release notes](https://nodejs.org/en/blog/release/v26.0.0) · [TC39 Map.getOrInsertComputed](https://github.com/tc39/proposal-upsert) · [RFC 8032 §5.1 Ed25519 context parameter](https://www.rfc-editor.org/rfc/rfc8032.html#section-5.1).

package/index.js

@@ -118,6 +118,7 @@ var handlers = require("./lib/handlers");
 var safeSql = require("./lib/safe-sql");
 var chainWriter = require("./lib/chain-writer");
 var safeBuffer = require("./lib/safe-buffer");
+var safeDecompress = require("./lib/safe-decompress").safeDecompress;
 var lazyRequire = require("./lib/lazy-require");
 var frameworkError = require("./lib/framework-error");
 var nistCrosswalk = require("./lib/nist-crosswalk");
@@ -454,6 +455,7 @@ module.exports = {
   safeSql:          safeSql,
   chainWriter:      chainWriter,
   safeBuffer:       safeBuffer,
+  safeDecompress:   safeDecompress,
   lazyRequire:      lazyRequire,
   frameworkError:   frameworkError,
   httpClient:       httpClient,

package/lib/audit.js

@@ -68,6 +68,33 @@ var { AuditSegregationError, ClusterError } = require("./framework-error");
 
 var log = boot("audit");
 
+// External shadow-store callbacks are bounded by the same hot-path
+// timeout the framework's own SQL paths use. A stalled operator
+// network call that neither resolves nor rejects MUST NOT block the
+// audit critical path — b.audit.record() must return, emit/safeEmit
+// drains must not stall behind it. On timeout the shadow record is
+// dropped (audit.shadow_timeout observability event) and the
+// framework chain row remains committed. CLAUDE.md rule §5 drop-
+// silent posture for hot-path observability sinks.
+var EXTERNAL_STORE_TIMEOUT_MS = C.TIME.seconds(30);
+
+// External shadow store registered via `b.audit.useStore({ record })`.
+// When set, every successful framework chain.append also fires
+// `_externalStore.record(rowResult)` so operators can replicate audit
+// records to an immutable external destination (AWS QLDB, Azure
+// Confidential Ledger, Google Cloud Audit Logs, an in-house WORM
+// appliance, a SIEM, etc.) WITHOUT giving up the framework's tamper-
+// evident chain integrity. The framework's chain remains authoritative;
+// the operator's record receives the fully-formed row (logical fields +
+// `_id` + `recordedAt` + `monotonicCounter` + `prevHash` + `rowHash`).
+//
+// Shadow failures are drop-silent (rule §5 — hot-path observability
+// sinks must not crash the path that emitted them). An audit-shadow
+// failure surfaces via `b.observability` as `audit.shadow_failed`; the
+// framework chain row still committed and downstream verifyChain still
+// works against the framework store.
+var _externalStore = null;
+
 // Per-operation timeout for framework-state SQL. A misbehaving
 // external-db driver hanging on a query shouldn't hang audit forever.
 // 30s is generous for genuinely slow networks while still bounding
@@ -451,11 +478,132 @@ async function record(event) {
         metadata:          event.metadata ? JSON.stringify(event.metadata) : null,
         requestId:         event.requestId || null,
       };
-      return _chainWriter.append(logical);
+      var appended = await _chainWriter.append(logical);
+      // Operator-registered shadow store: replicate the fully-formed
+      // row to an immutable external destination. Drop-silent on
+      // failure (rule §5) — the framework chain is authoritative and
+      // already committed; the shadow is a best-effort archival.
+      // The operator's record receives the SAME object the framework
+      // returns to its caller, so external consumers see identical
+      // hashes / counters / ids for cross-store reconciliation.
+      if (_externalStore && typeof _externalStore.record === "function") {
+        // Bound the operator-supplied callback so a stalled network
+        // call can't hang the audit critical path. Timeout, throw,
+        // and resolve paths all converge on the framework chain row
+        // staying durable — the shadow is best-effort archival.
+        try {
+          await safeAsync.withTimeout(
+            Promise.resolve().then(function () { return _externalStore.record(appended); }),
+            EXTERNAL_STORE_TIMEOUT_MS,
+            { name: "audit.shadowRecord" }
+          );
+        } catch (e) {
+          var isTimeout = e && (e.code === "ETIMEDOUT" || /timeout/i.test(e.message || ""));
+          try {
+            observability.event(isTimeout ? "audit.shadow_timeout" : "audit.shadow_failed", {
+              action:           appended.action,
+              monotonicCounter: appended.monotonicCounter,
+              error:            (e && e.message) || String(e),
+              timeoutMs:        isTimeout ? EXTERNAL_STORE_TIMEOUT_MS : undefined,
+            });
+          } catch (_obs) { /* drop-silent — observability is itself hot-path */ }
+        }
+      }
+      return appended;
     }
   );
 }
 
+/**
+ * @primitive b.audit.useStore
+ * @signature b.audit.useStore({ record })
+ * @since     0.11.4
+ * @status    stable
+ * @compliance hipaa, pci-dss, gdpr, soc2, sox-404
+ * @related   b.audit.record, b.audit.safeEmit
+ *
+ * Register an operator-supplied shadow store for every audit chain
+ * append. The framework's tamper-evident chain remains authoritative
+ * (HIPAA §164.312(b) / PCI-DSS Req 10 / SOX-404 / ISO 27001 A.12.4.1
+ * posture preserved); the operator's `record(row)` async function is
+ * called AFTER each successful framework chain.append with the FULL
+ * appended row — `{ _id, recordedAt, monotonicCounter, prevHash,
+ * rowHash, action, outcome, actorUserId, ..., metadata }` — so
+ * external consumers see identical hashes for cross-store
+ * reconciliation.
+ *
+ * Typical use: replicate audit records to an immutable external
+ * destination (AWS QLDB / Azure Confidential Ledger / Google Cloud
+ * Audit Logs / an in-house WORM appliance / a SIEM forwarder).
+ * Operators in regulated industries often need their audit trail in
+ * a destination outside the application's own database for
+ * separation-of-duties (PCI-DSS Req 10.5.3) or independent retention
+ * (HIPAA §164.312(b) / SEC 17a-4 WORM).
+ *
+ * Failure posture: if the operator's `record` throws / rejects /
+ * times out (30s hard cap — a stalled network call MUST NOT block
+ * the audit critical path), the shadow failure is surfaced via
+ * `b.observability` as either `audit.shadow_failed` (throw/reject)
+ * or `audit.shadow_timeout` (cap exceeded) with `{ action,
+ * monotonicCounter, error, timeoutMs }` metadata, and the framework
+ * chain append still succeeds (the row is durable in the framework's
+ * own table; the shadow is a best-effort archival). This is the
+ * rule §5 drop-silent posture for hot-path observability sinks — an
+ * unreachable / hanging shadow MUST NOT crash or stall the request
+ * path that triggered the audit attempt.
+ *
+ * Call this once at boot, BEFORE the first `b.audit.record` /
+ * `b.audit.emit` / `b.audit.safeEmit`. Switching stores on a running
+ * app strands every prior audit row in the previous shadow store —
+ * the framework chain has them, but the new shadow doesn't unless
+ * the operator backfills.
+ *
+ * Pass `null` (or `{ record: null }`) to unregister and revert to
+ * chain-only mode.
+ *
+ * @opts
+ *   record:  async function (row),       // operator's persistence callback
+ *
+ * @example
+ *   var b = require("@blamejs/core");
+ *   await b.vault.init({ dataDir: "/var/lib/blamejs", mode: "plaintext" });
+ *   await b.db.init({ dataDir: "/var/lib/blamejs" });
+ *   b.audit.useStore({
+ *     record: async function (row) {
+ *       // Replicate to AWS QLDB / Azure Confidential Ledger / etc.
+ *       await externalLedger.append({
+ *         id:               row._id,
+ *         recordedAt:       row.recordedAt,
+ *         monotonicCounter: row.monotonicCounter,
+ *         prevHash:         row.prevHash,
+ *         rowHash:          row.rowHash,
+ *         action:           row.action,
+ *         outcome:          row.outcome,
+ *         metadata:         row.metadata,
+ *       });
+ *     },
+ *   });
+ *   // Every b.audit.* append now also lands in externalLedger.
+ */
+function useStore(store) {
+  if (store === null || store === undefined) {
+    _externalStore = null;
+    return;
+  }
+  if (typeof store !== "object") {
+    throw new Error("audit.useStore: store must be an object with a record(row) function, or null to unregister");
+  }
+  // `{ record: null }` unregisters explicitly (mirrors the null arg path).
+  if (store.record === null || store.record === undefined) {
+    _externalStore = null;
+    return;
+  }
+  if (typeof store.record !== "function") {
+    throw new Error("audit.useStore: store.record must be an async function (row) => void");
+  }
+  _externalStore = store;
+}
+
 // ---- Query ----
 //
 // Plain-field criteria translate into derived-hash equality where the column
@@ -911,6 +1059,7 @@ async function verify(opts) {
 
 function _resetForTest() {
   registeredNamespaces = new Set(FRAMEWORK_NAMESPACES);
+  _externalStore = null;
   db.reset();
   _chainWriter._resetForTest();
   // Drop pending buffered emits and cancel the age-flush timer on the
@@ -1500,6 +1649,7 @@ function activePosture() { return _activePosture; }
 module.exports = {
   registerNamespace:    registerNamespace,
   record:               record,
+  useStore:             useStore,
   emit:                 emit,
   safeEmit:             safeEmit,
   applyPosture:         applyPosture,

package/lib/safe-decompress.js

@@ -0,0 +1,297 @@
+"use strict";
+/**
+ * @module     b.safeDecompress
+ * @nav        Primitives
+ * @title      Safe Decompress
+ * @order      130
+ * @slug       safe-decompress
+ *
+ * @card
+ *   Bomb-resistant decompression: bounded output bytes, bounded
+ *   expansion ratio, algorithm allowlist, audit on bomb-class refusal.
+ *
+ * @intro
+ *   Operator-facing decompression primitive for `gzip` / `deflate` /
+ *   `deflate-raw` (RFC 1951) / `brotli` / Z_NO_COMPRESSION-wrapped
+ *   variants. Replaces ad-hoc `zlib.gunzipSync(buf)` / `zlib.
+ *   inflateRawSync(buf)` calls in operator code with a single
+ *   primitive that bounds OUTPUT BYTES + EXPANSION RATIO at the
+ *   refuse boundary so a malicious peer can't ship a kilobyte of
+ *   compressed input that explodes into gigabytes before the size
+ *   check fires.
+ *
+ *   Algorithms accepted (allowlist — adding to the list is an
+ *   operator-explicit opt-in to a new bomb-class surface):
+ *
+ *     - `"gzip"`        — `zlib.gunzipSync` (RFC 1952)
+ *     - `"deflate"`     — `zlib.inflateSync` (RFC 1950 zlib wrapper)
+ *     - `"deflate-raw"` — `zlib.inflateRawSync` (RFC 1951 deflate bytes
+ *                         without the zlib wrapper; SAML / WebSocket
+ *                         permessage-deflate / status-list)
+ *     - `"brotli"`      — `zlib.brotliDecompressSync` (RFC 7932)
+ *
+ *   Refused with `safe-decompress/unsupported-algorithm`:
+ *     - `"zstd"` — Node's zlib doesn't expose zstd in v24 LTS; operators
+ *                  pin to a Node version when it lands AND wire
+ *                  through the framework's algorithm allowlist.
+ *     - Any algorithm not in the allowlist (including operator-typo'd).
+ *
+ *   Refusal posture:
+ *     - `safe-decompress/output-too-large`     — bomb-by-absolute-size
+ *       (zlib's own `maxOutputLength` already refuses before alloc)
+ *     - `safe-decompress/ratio-exceeded`       — expansion > `maxRatio`
+ *       (zlib accepted the bytes; our post-decompress ratio check
+ *       refuses, freeing the bytes immediately)
+ *     - `safe-decompress/decompress-failed`    — malformed input;
+ *       zlib's own RFC-grammar refusal surfaces here
+ *     - `safe-decompress/empty-input`          — zero-byte input
+ *     - `safe-decompress/oversized-input`      — pre-decompression
+ *       compressed-input cap exceeded
+ *
+ *   Each refusal can emit a `safe-decompress.refused` audit event
+ *   when operators wire `opts.audit`. The event metadata names the
+ *   algorithm, compressedBytes, refusal reason — no decompressed
+ *   bytes ever cross the audit boundary on the bomb-class path.
+ *
+ *   Threat model:
+ *     - **CVE-2025-0725** (libcurl + zlib decompression amplification)
+ *       — bounded output + ratio cap defeat the amplification.
+ *     - **CVE-2024-zlib** class (decompression-bomb research, gzip /
+ *       deflate / brotli variants) — bounded output prevents OOM.
+ *     - **Efail-class** (CVE-2017-17688 / 17689) — operators decrypting
+ *       MIME parts compose `b.safeDecompress` on the inner deflate
+ *       streams; the bounded-output posture defeats the unbounded-
+ *       allocation arm of the attack.
+ *
+ *   Composes:
+ *     - `b.audit.safeEmit` — bomb-refusal audit event (drop-silent per
+ *       rule §5)
+ *     - `b.constants.BYTES.*` — operator-facing byte-size constants
+ *
+ * RFC / CVE citations:
+ *   - [RFC 1950](https://www.rfc-editor.org/rfc/rfc1950) zlib
+ *   - [RFC 1951](https://www.rfc-editor.org/rfc/rfc1951) deflate
+ *   - [RFC 1952](https://www.rfc-editor.org/rfc/rfc1952) gzip
+ *   - [RFC 7932](https://www.rfc-editor.org/rfc/rfc7932) brotli
+ *   - [CVE-2025-0725](https://nvd.nist.gov/vuln/detail/CVE-2025-0725)
+ *   - [CVE-2024-zlib](https://nvd.nist.gov/) decompression-bomb class
+ */
+
+var zlib = require("node:zlib");
+var lazyRequire = require("./lazy-require");
+var validateOpts = require("./validate-opts");
+var numericBounds = require("./numeric-bounds");
+var C = require("./constants");
+var { defineClass } = require("./framework-error");
+
+var audit = lazyRequire(function () { return require("./audit"); });
+
+var SafeDecompressError = defineClass("SafeDecompressError", { alwaysPermanent: true });
+
+// Algorithm allowlist (RFC-cited; any addition is an explicit
+// operator-side risk acknowledgement). The map's value is the
+// Node `node:zlib` sync function that performs the decompression.
+var _algorithms = {
+  "gzip":        function (buf, opts) { return zlib.gunzipSync(buf, opts); },
+  "deflate":     function (buf, opts) { return zlib.inflateSync(buf, opts); },
+  "deflate-raw": function (buf, opts) { return zlib.inflateRawSync(buf, opts); },
+  "brotli":      function (buf, opts) { return zlib.brotliDecompressSync(buf, opts); },
+};
+
+// Default ratio cap (output / input). Aggressive enough to refuse
+// classic bomb shapes (1000:1) while leaving headroom for legitimate
+// text / JSON / XML payloads (which compress 20-50:1 commonly). Per
+// RFC 8460 §5.2 community guidance for TLS-RPT report decompression.
+var DEFAULT_MAX_RATIO = 50;                                                          // allow:raw-byte-literal — RFC 8460 §5.2 community guidance / allow:raw-time-literal — RFC number not seconds
+
+// Default input cap when operator omits opts.maxCompressedBytes —
+// 4 MiB matches the TLS-RPT receive surface and is a reasonable
+// upper bound for inbound compressed bodies on framework-mediated
+// paths. Operators with bulk-data pipelines pass an explicit higher
+// cap with documented rationale.
+var DEFAULT_MAX_COMPRESSED_BYTES = C.BYTES.mib(4);
+
+/**
+ * @primitive b.safeDecompress
+ * @signature b.safeDecompress(input, opts)
+ * @since     0.11.5
+ * @status    stable
+ * @compliance hipaa, pci-dss, gdpr, soc2
+ * @related    b.safeBuffer.toBuffer, b.audit.safeEmit, b.guardArchive
+ *
+ * Decompress `input` (Buffer / Uint8Array) under `opts.algorithm` with
+ * bounded output bytes and bounded expansion ratio. Refuses bomb-class
+ * input BEFORE allocating the expanded buffer via zlib's own
+ * `maxOutputLength`; refuses ratio-bomb shapes AFTER decompression by
+ * checking `out.length / input.length` against `opts.maxRatio` and
+ * dropping the buffer if the ratio is exceeded.
+ *
+ * @opts
+ *   algorithm:           "gzip" | "deflate" | "deflate-raw" | "brotli",
+ *   maxOutputBytes:      number,        // required; zlib refuses pre-alloc
+ *   maxCompressedBytes:  number,        // optional; default 4 MiB input cap
+ *   maxRatio:            number,        // optional; default 50:1 expansion
+ *   windowBits:          number,        // optional; per-algorithm zlib opt
+ *   audit:               object,        // optional b.audit handle for refusal events
+ *   ctx:                 string,        // optional caller identifier (logged on refusal)
+ *
+ * @example
+ *   var b = require("@blamejs/core");
+ *   var compressed = Buffer.from("...", "base64");
+ *   try {
+ *     var bytes = b.safeDecompress(compressed, {
+ *       algorithm:       "gzip",
+ *       maxOutputBytes:  b.constants.BYTES.mib(32),
+ *       maxRatio:        100,
+ *     });
+ *   } catch (e) {
+ *     if (e.code === "safe-decompress/ratio-exceeded") {
+ *       // bomb-class shape; audit + refuse upstream
+ *     } else {
+ *       throw e;
+ *     }
+ *   }
+ */
+function safeDecompress(input, opts) {
+  opts = opts || {};
+  validateOpts(opts,
+    ["algorithm", "maxOutputBytes", "maxCompressedBytes", "maxRatio",
+     "windowBits", "audit", "ctx"],
+    "safeDecompress");
+
+  // Algorithm — required, must be in allowlist
+  if (typeof opts.algorithm !== "string" || !_algorithms[opts.algorithm]) {
+    throw new SafeDecompressError(
+      "safe-decompress/unsupported-algorithm",
+      "safeDecompress: algorithm must be one of " +
+        Object.keys(_algorithms).join(" | ") + "; got " +
+        JSON.stringify(opts.algorithm));
+  }
+
+  // maxOutputBytes — required, positive finite integer. Inline gate
+  // is intentional: it's a REQUIRED opt (not optional), so the
+  // `requirePositiveFiniteIntIfPresent` helper doesn't apply (it skips
+  // when undefined). The numericBounds.requirePositiveFiniteInt helper
+  // would fit, but the existing call surface across the framework
+  // uses the inline shape for required-opt validation.
+  if (!numericBounds.isPositiveFiniteInt(opts.maxOutputBytes)) {                     // allow:inline-numeric-bounds-cascade — required (non-optional) opt; requirePositiveFiniteIntIfPresent skips when undefined
+    throw new SafeDecompressError(
+      "safe-decompress/bad-arg",
+      "safeDecompress: maxOutputBytes must be a positive finite integer; got " +
+        numericBounds.shape(opts.maxOutputBytes));
+  }
+
+  // Input shape
+  var buf;
+  if (Buffer.isBuffer(input))           buf = input;
+  else if (input instanceof Uint8Array) buf = Buffer.from(input);
+  else {
+    throw new SafeDecompressError(
+      "safe-decompress/bad-input",
+      "safeDecompress: input must be a Buffer or Uint8Array; got " +
+        numericBounds.shape(input));
+  }
+
+  if (buf.length === 0) {
+    throw new SafeDecompressError(
+      "safe-decompress/empty-input",
+      "safeDecompress: input is empty");
+  }
+
+  // Pre-decompression input cap (defense against very-large compressed
+  // payloads whose zlib parse alone is expensive even if maxOutputLength
+  // would refuse the expansion).
+  var maxCompressedBytes = DEFAULT_MAX_COMPRESSED_BYTES;
+  numericBounds.requirePositiveFiniteIntIfPresent(opts.maxCompressedBytes,
+    "safeDecompress: opts.maxCompressedBytes",
+    SafeDecompressError, "safe-decompress/bad-arg");
+  if (opts.maxCompressedBytes !== undefined && opts.maxCompressedBytes !== null) {
+    maxCompressedBytes = opts.maxCompressedBytes;
+  }
+  if (buf.length > maxCompressedBytes) {
+    _refuse(opts, "safe-decompress/oversized-input",
+      "compressed input " + buf.length + " bytes exceeds maxCompressedBytes " +
+      maxCompressedBytes);
+  }
+
+  // Ratio cap (output / input). 0 = unlimited (operators with
+  // legitimately high-compressing payloads opt in explicitly).
+  var maxRatio = DEFAULT_MAX_RATIO;
+  // maxRatio has a special sentinel value: 0 (unlimited expansion).
+  // The standard requireNonNegativeFiniteIntIfPresent helper covers
+  // the 0-or-positive shape exactly.
+  numericBounds.requireNonNegativeFiniteIntIfPresent(opts.maxRatio,
+    "safeDecompress: opts.maxRatio (0 = unlimited expansion)",
+    SafeDecompressError, "safe-decompress/bad-arg");
+  if (opts.maxRatio !== undefined && opts.maxRatio !== null) {
+    maxRatio = opts.maxRatio;
+  }
+
+  var zlibOpts = { maxOutputLength: opts.maxOutputBytes };
+  if (typeof opts.windowBits === "number") zlibOpts.windowBits = opts.windowBits;
+
+  var out;
+  try {
+    out = _algorithms[opts.algorithm](buf, zlibOpts);
+  } catch (e) {
+    // zlib refuses bombs by throwing; surface as a typed error and
+    // refuse-emit. The original zlib error message is preserved on
+    // .cause for operator debugging.
+    var err = new SafeDecompressError(
+      "safe-decompress/decompress-failed",
+      "safeDecompress: decompression refused (" + opts.algorithm + "): " +
+        ((e && e.message) || String(e)));
+    err.cause = e;
+    _refuse(opts, err.code, err.message, err);
+  }
+
+  // Ratio cap — runs AFTER decompression but BEFORE returning. zlib
+  // already enforced maxOutputBytes; the ratio cap catches "bomb that
+  // fit under the absolute cap but expanded 1000x." We immediately
+  // drop the buffer if the ratio is exceeded so the operator-facing
+  // path never sees the bomb bytes.
+  if (maxRatio > 0) {
+    var ratio = Math.ceil(out.length / buf.length);
+    if (ratio > maxRatio) {
+      // Zero the buffer before drop — defends against side-channel
+      // peek + bug-induced leak. zlib already heap-allocated it; we
+      // overwrite + release.
+      out.fill(0);
+      _refuse(opts, "safe-decompress/ratio-exceeded",
+        "expansion ratio " + ratio + ":1 exceeds maxRatio " + maxRatio +
+        ":1 (compressed=" + buf.length + " decompressed=" + out.length + ")");
+    }
+  }
+
+  return out;
+}
+
+// Drop-silent audit emission per rule §5: refuse-emit is best-effort,
+// failures here don't crash the operator's path. Then throw the typed
+// error so the caller's catch block decides downstream.
+function _refuse(opts, code, message, originalError) {
+  var auditImpl = opts.audit || (audit() && audit().safeEmit ? audit() : null);
+  if (auditImpl && typeof auditImpl.safeEmit === "function") {
+    try {
+      auditImpl.safeEmit({
+        action:   "system.safe_decompress.refused",
+        outcome:  "denied",
+        metadata: {
+          code:      code,
+          algorithm: opts.algorithm,
+          ctx:       opts.ctx || null,
+          reason:    message,
+        },
+      });
+    } catch (_e) { /* drop-silent per rule §5 */ }
+  }
+  var err = new SafeDecompressError(code, message);
+  if (originalError) err.cause = originalError;
+  throw err;
+}
+
+module.exports = {
+  safeDecompress:        safeDecompress,
+  DEFAULT_MAX_RATIO:     DEFAULT_MAX_RATIO,
+  SafeDecompressError:   SafeDecompressError,
+};

package/lib/websocket.js

@@ -76,6 +76,7 @@
 
 var nodeCrypto = require("node:crypto");
 var zlib = require("node:zlib");
+var safeDecompress = require("./safe-decompress").safeDecompress;
 var { EventEmitter } = require("node:events");
 var C                = require("./constants");
 var requestHelpers   = require("./request-helpers");
@@ -603,10 +604,36 @@ function _deflateMessage(payload, windowBits) {
   return raw;
 }
 
-function _inflateMessage(payload, windowBits) {
+function _inflateMessage(payload, windowBits, maxOutputBytes) {
   // Per RFC 7692 §7.2.2, append the 4-byte trailer before inflating.
+  // Routes through `b.safeDecompress` so the bounded-output defense
+  // is uniform with every other RFC 1951 deflate site in the
+  // framework. `maxRatio: 0` (unlimited expansion) because WS
+  // per-message-deflate already binds upstream via the operator's
+  // `maxMessageBytes` opt; the absolute cap is the real defense.
+  // Streaming WS payloads can legitimately compress > 50:1 on
+  // repetitive text (logs, sensor data); operators with a
+  // tighter posture set their own maxMessageBytes.
   var withTrailer = Buffer.concat([payload, DEFLATE_TRAILING]);
-  return zlib.inflateRawSync(withTrailer, { windowBits: windowBits });
+  // `maxCompressedBytes` MUST track the operator's `maxMessageBytes`,
+  // not safeDecompress's 4 MiB default. WS operators with high-
+  // throughput pipelines legitimately set `maxMessageBytes > 4 MiB`
+  // (large file pushes, batched JSON, telemetry); a compressed
+  // payload up to that cap is legitimate input. The compressed input
+  // is bounded above by the same cap the framework enforces on
+  // reassembled-message bytes (RFC 6455 §5.4 fragmented messages are
+  // concatenated then decompressed; the operator's `maxMessageBytes`
+  // is enforced at FrameParser reassembly), so passing it here keeps
+  // safeDecompress aligned with the operator's intent rather than
+  // overriding it with the primitive's general-purpose default.
+  return safeDecompress(withTrailer, {
+    algorithm:          "deflate-raw",
+    maxOutputBytes:     maxOutputBytes,
+    maxCompressedBytes: maxOutputBytes,
+    maxRatio:           0,
+    windowBits:         windowBits,
+    ctx:                "websocket._inflateMessage",
+  });
 }
 
 // ---- Frame parser ----
@@ -1065,8 +1092,13 @@ class WebSocketConnection extends EventEmitter {
     // CLOSE_INVALID_PAYLOAD per §5.6 / §6 of RFC 6455.
     if (wasCompressed) {
       try {
-        data = _inflateMessage(data, this._permessageDeflate.clientMaxWindowBits);
+        data = _inflateMessage(data, this._permessageDeflate.clientMaxWindowBits,
+                                this.maxMessageBytes);
       } catch (e) {
+        // RFC 6455 §7.4.1 / §5.6 — protocol-level decode failure
+        // (including bomb-cap overrun via maxOutputLength) returns
+        // CLOSE_INVALID_PAYLOAD. The over-cap case never allocates the
+        // exploded bytes — zlib's maxOutputLength refuses mid-inflate.
         return this._abort(CLOSE_INVALID_PAYLOAD,
           "permessage-deflate inflate failed: " + ((e && e.message) || String(e)));
       }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@blamejs/core",
-  "version": "0.11.3",
+  "version": "0.11.5",
   "description": "The Node framework that owns its stack.",
   "license": "Apache-2.0",
   "author": "blamejs contributors",

package/sbom.cdx.json

@@ -2,10 +2,10 @@
   "$schema": "http://cyclonedx.org/schema/bom-1.5.schema.json",
   "bomFormat": "CycloneDX",
   "specVersion": "1.6",
-  "serialNumber": "urn:uuid:b5450662-adf2-4f43-baef-731a1c66e80f",
+  "serialNumber": "urn:uuid:8b0da807-db01-45a8-b301-744f3623a4e7",
   "version": 1,
   "metadata": {
-    "timestamp": "2026-05-19T17:04:46.477Z",
+    "timestamp": "2026-05-19T22:45:04.845Z",
     "lifecycles": [
       {
         "phase": "build"
@@ -19,14 +19,14 @@
       }
     ],
     "component": {
-      "bom-ref": "@blamejs/core@0.11.3",
+      "bom-ref": "@blamejs/core@0.11.5",
       "type": "library",
       "name": "blamejs",
-      "version": "0.11.3",
+      "version": "0.11.5",
       "scope": "required",
       "author": "blamejs contributors",
       "description": "The Node framework that owns its stack.",
-      "purl": "pkg:npm/%40blamejs/core@0.11.3",
+      "purl": "pkg:npm/%40blamejs/core@0.11.5",
       "properties": [],
       "externalReferences": [
         {
@@ -54,7 +54,7 @@
   "components": [],
   "dependencies": [
     {
-      "ref": "@blamejs/core@0.11.3",
+      "ref": "@blamejs/core@0.11.5",
       "dependsOn": []
     }
   ]