@blamejs/core 0.12.29 → 0.12.30

package/CHANGELOG.md

@@ -8,6 +8,8 @@ upgrading across more than a few patches at a time.
 
 ## v0.12.x
 
+- v0.12.30 (2026-05-24) — **`bundleAdapterStorage.keyRotation(opts)` — verified whole-repository envelope key rotation.** Rotating the key that wraps a backup repository is only safe if you can prove every bundle still reads under the new key — a rotation that silently corrupts one bundle is a time-bomb the operator discovers at restore time, exactly when they can least afford it. `storage.keyRotation(opts)` rotates every bundle's envelope from the old key to the new key (composing `rewrapAllBundles`) and then re-reads every bundle under the NEW key (composing `verifyAllBundles`), so a bad rotation surfaces as `verifyFailed > 0` immediately instead of at restore. It emits a `backup/key-rotated` audit event with the rotation id + per-status counts — a key-rotation event is a compliance record (SOC 2 CC6.1, PCI DSS 3.6.4) operators wire into their signed audit chain. Works for both `recipient` (hybrid PQC envelope) and `passphrase` (Argon2id) storage; refused cleanly on plaintext (`cryptoStrategy: "none"`) storage and when the new key is missing. **Added:** *`bundleAdapterStorage.keyRotation(opts)` — rotate then prove* — `opts.newRecipient` / `opts.newPassphrase` is the key bundles rotate TO (matched to the storage's `cryptoStrategy`); `opts.oldRecipient` / `opts.oldPassphrase` unwraps the current envelope when it differs from the configured key. Returns `{ rotationId, rotatedAt, total, rotated, skipped, failed, verified, verifyFailed, rotateResults, verifyResults }`. `opts.verify` (default true) runs the post-rotation read-back under the new key; `opts.concurrency` / `opts.stopOnFirstFailure` forward to the batch passes. Plaintext bundles + non-wrappable formats are skipped cleanly; a rotation that leaves any bundle unreadable reports `verifyFailed > 0` and emits the audit event with `outcome: "failure"`. A true overlap window where BOTH the old and new key decrypt a bundle (`dualWrap: true`) is refused with `backup/dual-wrap-unsupported` — it needs multi-recipient archive envelopes `b.archive.wrap` does not yet emit, and re-opens when the wrap layer gains them; until then stage a rotation by keeping the old key available to readers until `keyRotation` reports `failed: 0` + `verifyFailed: 0`, then retire it.
+
 - v0.12.29 (2026-05-24) — **`b.ai.dp` — float-safe differential privacy: snapping-mechanism Laplace + discrete Gaussian + Rényi-DP budgets.** Differential privacy adds calibrated noise so an aggregate is provably insensitive to any single record — but the guarantee is fragile: Mironov (2012) showed that a Laplace mechanism sampled with naive double-precision floats lets an attacker distinguish neighbouring datasets with > 35% probability from a single output, silently destroying the promise. `b.ai.dp` ships only mechanisms whose sampling is hardened against that attack class: Laplace via the snapping mechanism (clamp + CSPRNG sign + full-mantissa uniform + power-of-two-grid rounding) and the discrete Gaussian (Canonne–Kamath–Steinke 2020) via integer-exact rejection sampling built from Bernoulli(exp(−γ)) over exact rationals — no floating-point noise at all. All randomness comes from `b.crypto.generateBytes` (SHAKE256 over the OS CSPRNG), never `Math.random`. `b.ai.dp.budget({ scope, epsilon, delta })` tracks a privacy budget per scope and refuses a `consume` that would exceed it, accounting composition either by basic summation (default) or a Rényi-DP accountant (Mironov 2017) for a much tighter bound under repeated Gaussian releases. NIST SP 800-226 (2025) is the evaluation standard; Dwork & Roth is the canonical reference. The exponential and sparse-vector mechanisms are deferred-with-condition — their float-safe constructions (base-2 / permute-and-flip; snapped SVT) re-open on operator demand, since shipping them float-unsafe would defeat the module's purpose. **Added:** *`b.ai.dp.mechanism({ type, sensitivity, epsilon, ... })` — float-safe noise mechanisms* — `type: "laplace"` is the snapping mechanism (pure ε-DP, real-valued, requires a clamp `bound` the guarantee depends on); `type: "gaussian"` is the discrete Gaussian (integer-valued, (ε, δ)-DP, requires `delta`). The Gaussian uses the classic calibration σ = √(2 ln(1.25/δ))·Δ/ε, proven for ε ≤ 1 — larger ε is refused with a pointer to splitting the release under an rdp budget. Descriptors are validated + frozen at construction so a malformed parameter fails fast. · *`b.ai.dp.budget({ scope, epsilon, delta, accounting })` — per-scope privacy budget* — Returns `{ consume, remaining, spent, reset }`. `consume(mechanism, value)` adds the mechanism's noise, charges the accountant, and throws `aiDp/budget-exhausted` if the release would push the scope past its (ε, δ). `accounting: "basic"` (default) sums per-release ε and δ; `accounting: "rdp"` runs a Rényi-DP accountant across a grid of orders and converts to (ε, δ) at the scope's δ for a tight composition bound under repeated Gaussian releases (requires `delta > 0`). The scope budget is enforced on both ε and δ independently. **Security:** *`b.crypto.generateBytes` uniformity fix at 1-byte length* — Node's SHAKE256 XOF is non-uniform at `outputLength: 1` — the byte values 0x00 and 0xff never occur and the low bit skews to ~0.54. `b.crypto.generateBytes(1)` (and the underlying `random(1)`) now draws at least 2 bytes and slices, so a single-byte CSPRNG request is uniform. Surfaced by `b.ai.dp` per-byte noise sampling; any per-byte consumer of `generateBytes` inherits the fix. A regression test asserts 0x00 / 0xff occur and the low bit is balanced.
 
 - v0.12.28 (2026-05-24) — **`b.ai.capability` — model-capability registry + cheapest-satisfying-model router.** `b.ai.capability.create({ models })` turns a fleet of AI model descriptors into a routing decision: given a set of requirements (context window, input/output modalities, tool use, structured output, reasoning tier, citation support, prompt-caching size), it picks the cheapest model that satisfies all of them. NIST AI RMF (AI 100-1) MAP 2.x requires documenting each model's capabilities and limitations; the Model Cards convention (Mitchell et al., 2019) formalizes that descriptor — this primitive makes the descriptor actionable. Routing to the cheapest sufficient model is a front-line defense against over-provisioning spend and composes directly with `b.ai.quota`'s `cost-usd` dimension (the chosen descriptor's rate feeds the budget charge); refusing to route a request to a model that cannot satisfy it (missing modality, too-small context window, no tool use) catches a capability mismatch before the inference call burns tokens on a guaranteed-bad result. Cost ranking uses a supplied `costBasis` (`{ inputTokens, outputTokens }`) for real per-call spend, else the sum of the per-1k rates; ties break by model id so the choice is deterministic across calls and nodes. **Added:** *`b.ai.capability.create({ models })` — capability registry + router* — Returns `{ describe, list, register, satisfies, route }`. A descriptor carries `maxContextTokens`, `maxOutputTokens`, `modalitiesIn` / `modalitiesOut` (arrays), `toolUse`, `structuredOutput`, `fineTunable`, `reasoningTier` (`none` / `basic` / `standard` / `advanced`, ordered), `citationSupport`, `promptCachingMaxTokens`, and the cost rates `costPer1kInputTokens` / `costPer1kOutputTokens`. Descriptors are validated + frozen at registration so a typo (negative cost, unknown reasoning tier, non-array modality list) surfaces at config time rather than as a silent mis-route. `describe(modelId)` returns the frozen descriptor; `register(modelId, descriptor)` adds or replaces one at runtime. · *`route({ requirements, fallback?, costBasis? })` — cheapest-satisfying selection* — Collects every model whose descriptor satisfies all requirements, then returns the cheapest (`{ modelId, descriptor, estimatedCost, reason }`). Requirements: `minContextTokens`, `minOutputTokens`, `modalitiesIn` / `modalitiesOut` (model must support every listed modality), `toolUse`, `structuredOutput`, `fineTunable`, `minReasoningTier` (tier ordering — `standard` is met by `standard` or `advanced`), `citationSupport`, `minPromptCachingTokens`. When no model matches, `fallback` (a registered model id) is returned with `reason: "fallback"`, or the call refuses with `aiCapability/no-candidate` if no fallback was supplied. Routing decisions emit `ai/capability-routed` / `ai/capability-fallback` / `ai/capability-no-candidate` through the drop-silent audit chain. · *`satisfies(modelId, requirements)` — precise capability-mismatch reasons* — Returns `{ ok, failures }` where each failure names the `requirement`, the `need`, and what the model `have`s — so a caller surfaces a precise reason (e.g. `minReasoningTier need advanced have basic`) instead of a bare boolean. Use it to explain a routing miss or to gate a request against a specific model before calling it.

package/lib/backup/index.js

@@ -1935,6 +1935,102 @@ function bundleAdapterStorage(opts) {
         results: results,
       };
     },
+    // keyRotation(opts) — orchestrate a whole-repository key rotation:
+    // rotate every bundle's envelope from the old key to the new key
+    // (composing rewrapAllBundles), then re-read every rotated bundle
+    // under the NEW key (composing verifyAllBundles) so a rotation
+    // that silently corrupted a bundle surfaces as a failure rather
+    // than a time-bomb the operator discovers at restore time. Emits
+    // a `backup/key-rotated` audit event with the rotation id + the
+    // per-status counts — key-rotation events are a compliance record
+    // (SOC 2 CC6.1 / PCI DSS 3.6.4) operators wire into their chain.
+    //
+    // opts.newRecipient / opts.newPassphrase is the key bundles are
+    // rotated TO (required, matched to the storage's cryptoStrategy);
+    // opts.oldRecipient / opts.oldPassphrase unwraps the current
+    // envelope when it differs from the storage's configured key.
+    // opts.verify (default true) runs the post-rotation read-back;
+    // opts.concurrency / opts.stopOnFirstFailure forward to the
+    // batch passes. opts.dualWrap is deferred-with-condition — a true
+    // overlap window where BOTH the old and new key decrypt a bundle
+    // needs multi-recipient envelopes (b.archive.wrap currently wraps
+    // to a single recipient); it re-opens when the wrap layer gains
+    // multi-recipient support. Until then operators stage a rotation
+    // by keeping the old key available to readers until keyRotation
+    // reports `failed: 0` + `verifyFailed: 0`, then retiring it.
+    async keyRotation(opts) {
+      opts = opts || {};
+      if (opts.dualWrap === true) {
+        throw new BackupError("backup/dual-wrap-unsupported",
+          "keyRotation: dualWrap (simultaneous old+new key validity) requires multi-recipient " +
+          "archive envelopes, which b.archive.wrap does not yet emit; rotate sequentially and " +
+          "keep the old key available to readers until keyRotation reports failed: 0 + verifyFailed: 0");
+      }
+      if (cryptoStrategy === "none") {
+        throw new BackupError("backup/no-envelope-to-rewrap",
+          "keyRotation: storage cryptoStrategy is \"none\" — there is no envelope key to rotate");
+      }
+      if (cryptoStrategy === "recipient" &&
+          (!opts.newRecipient || typeof opts.newRecipient !== "object")) {
+        throw new BackupError("backup/no-recipient",
+          "keyRotation: cryptoStrategy \"recipient\" requires opts.newRecipient (the key to rotate to)");
+      }
+      if (cryptoStrategy === "passphrase" &&
+          !(typeof opts.newPassphrase === "string" || Buffer.isBuffer(opts.newPassphrase))) {
+        throw new BackupError("backup/bad-passphrase",
+          "keyRotation: cryptoStrategy \"passphrase\" requires opts.newPassphrase (string or Buffer)");
+      }
+
+      var rotatedAt = new Date().toISOString();
+      var rotationId = "rotation-" + rotatedAt;
+
+      var rotate = await this.rewrapAllBundles(opts);
+
+      // Post-rotation read-back under the NEW key. Skip only when the
+      // operator opts out; default proves the rotation landed.
+      var verify = null;
+      if (opts.verify !== false) {
+        var verifyOpts = {
+          concurrency:       opts.concurrency,
+          stopOnFirstFailure: opts.stopOnFirstFailure,
+        };
+        if (cryptoStrategy === "recipient") verifyOpts.recipient = opts.newRecipient;
+        else verifyOpts.passphrase = opts.newPassphrase;
+        verify = await this.verifyAllBundles(verifyOpts);
+      }
+
+      var verifyFailed = verify ? verify.failed : 0;
+      var outcome = (rotate.failed === 0 && verifyFailed === 0) ? "success" : "failure";
+      try {
+        audit().safeEmit({
+          action:   "backup/key-rotated",
+          outcome:  outcome,
+          metadata: {
+            rotationId:     rotationId,
+            cryptoStrategy: cryptoStrategy,
+            total:          rotate.total,
+            rotated:        rotate.rotated,
+            skipped:        rotate.skipped,
+            failed:         rotate.failed,
+            verified:       verify ? verify.ok : null,
+            verifyFailed:   verifyFailed,
+          },
+        });
+      } catch (_e) { /* audit best-effort — drop-silent */ }
+
+      return {
+        rotationId:   rotationId,
+        rotatedAt:    rotatedAt,
+        total:        rotate.total,
+        rotated:      rotate.rotated,
+        skipped:      rotate.skipped,
+        failed:       rotate.failed,
+        verified:     verify ? verify.ok : null,
+        verifyFailed: verifyFailed,
+        rotateResults: rotate.results,
+        verifyResults: verify ? verify.results : null,
+      };
+    },
     // bundleInfo(bundleId) — v0.12.17 per-bundle introspection.
     // Returns `{ bundleId, format, envelopeKind, sizeBytes }`.
     // `format` is one of `"tar"` / `"tar.gz"` / `"directory"`

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@blamejs/core",
-  "version": "0.12.29",
+  "version": "0.12.30",
   "description": "The Node framework that owns its stack.",
   "license": "Apache-2.0",
   "author": "blamejs contributors",

package/sbom.cdx.json

@@ -2,10 +2,10 @@
   "$schema": "http://cyclonedx.org/schema/bom-1.5.schema.json",
   "bomFormat": "CycloneDX",
   "specVersion": "1.5",
-  "serialNumber": "urn:uuid:ae86440d-174b-4c3d-8fee-c92df10a498a",
+  "serialNumber": "urn:uuid:9dccc9a6-4e09-41ea-bc80-627be74c49a8",
   "version": 1,
   "metadata": {
-    "timestamp": "2026-05-24T17:32:55.663Z",
+    "timestamp": "2026-05-24T18:46:16.418Z",
     "lifecycles": [
       {
         "phase": "build"
@@ -19,14 +19,14 @@
       }
     ],
     "component": {
-      "bom-ref": "@blamejs/core@0.12.29",
+      "bom-ref": "@blamejs/core@0.12.30",
       "type": "application",
       "name": "blamejs",
-      "version": "0.12.29",
+      "version": "0.12.30",
       "scope": "required",
       "author": "blamejs contributors",
       "description": "The Node framework that owns its stack.",
-      "purl": "pkg:npm/%40blamejs/core@0.12.29",
+      "purl": "pkg:npm/%40blamejs/core@0.12.30",
       "properties": [],
       "externalReferences": [
         {
@@ -54,7 +54,7 @@
   "components": [],
   "dependencies": [
     {
-      "ref": "@blamejs/core@0.12.29",
+      "ref": "@blamejs/core@0.12.30",
       "dependsOn": []
     }
   ]