npm - @blamejs/core - Versions diffs - 0.12.29 → 0.12.31 - Mend

@blamejs/core 0.12.29 → 0.12.31

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (7) hide show

package/CHANGELOG.md CHANGED Viewed

@@ -8,6 +8,10 @@ upgrading across more than a few patches at a time.
 ## v0.12.x
+- v0.12.31 (2026-05-24) — **`b.auth.jar.parse` — verify RFC 9101 JWT-Secured Authorization Requests (server side).** A plain OAuth authorization request carries its parameters in the URL query string, where a browser, proxy, or referer log can tamper with or leak them. RFC 9101 JAR packs those parameters into a JWT the client signs — the request object — so the authorization server can confirm they arrived exactly as sent. `b.auth.jar.parse(jar, opts)` is the server-side verifier and the request-side counterpart to the existing JARM response handling (`b.auth.oauth.parseJarmResponse`). It delegates the signature check to `b.auth.jwt.verifyExternal` — which already enforces a mandatory `algorithms` allowlist and refuses the alg-confusion (`alg: "none"`, HMAC-vs-RSA) and JWE-on-a-JWS-verifier shapes against a JWKS public-key trust source — then pins `iss` and the `client_id` claim to the expected client, pins `aud` to this server's issuer identifier, refuses a nested `request` / `request_uri` (RFC 9101 §6.3 recursion / confused-deputy vector), and returns the authorization parameters with the JWT envelope claims stripped. **Added:** *`b.auth.jar.parse(jar, opts)` — request-object verification* — `opts.clientId` (the expected client — pins `iss` + the `client_id` claim), `opts.audience` (this server's issuer identifier — pins `aud`), `opts.algorithms` (required signature allowlist — no defaults, the alg-confusion defense), and one of `opts.jwks` / `opts.jwksUri` / `opts.keyResolver` (the client's verification key). Returns `{ params, claims }` where `params` is the authorization parameters (`response_type`, `redirect_uri`, `scope`, `state`, `nonce`, …) with the JWT envelope claims (`iss`, `aud`, `exp`, `iat`, `nbf`, `jti`) removed. A request object whose `client_id` claim disagrees with `opts.clientId`, or that nests a `request` / `request_uri`, is refused. Emitting a request object (the client side) is deferred-with-condition: it requires signing with the client's key under a classical JWS algorithm, and the framework's own JWT signer is PQC-only for the tokens it issues — a PQC-signed request object would not interoperate with a standard authorization server; client-side emission re-opens when a classical JWS signer lands or operators surface the need. Until then clients sign request objects with their existing JOSE tooling.
+- v0.12.30 (2026-05-24) — **`bundleAdapterStorage.keyRotation(opts)` — verified whole-repository envelope key rotation.** Rotating the key that wraps a backup repository is only safe if you can prove every bundle still reads under the new key — a rotation that silently corrupts one bundle is a time-bomb the operator discovers at restore time, exactly when they can least afford it. `storage.keyRotation(opts)` rotates every bundle's envelope from the old key to the new key (composing `rewrapAllBundles`) and then re-reads every bundle under the NEW key (composing `verifyAllBundles`), so a bad rotation surfaces as `verifyFailed > 0` immediately instead of at restore. It emits a `backup/key-rotated` audit event with the rotation id + per-status counts — a key-rotation event is a compliance record (SOC 2 CC6.1, PCI DSS 3.6.4) operators wire into their signed audit chain. Works for both `recipient` (hybrid PQC envelope) and `passphrase` (Argon2id) storage; refused cleanly on plaintext (`cryptoStrategy: "none"`) storage and when the new key is missing. **Added:** *`bundleAdapterStorage.keyRotation(opts)` — rotate then prove* — `opts.newRecipient` / `opts.newPassphrase` is the key bundles rotate TO (matched to the storage's `cryptoStrategy`); `opts.oldRecipient` / `opts.oldPassphrase` unwraps the current envelope when it differs from the configured key. Returns `{ rotationId, rotatedAt, total, rotated, skipped, failed, verified, verifyFailed, rotateResults, verifyResults }`. `opts.verify` (default true) runs the post-rotation read-back under the new key; `opts.concurrency` / `opts.stopOnFirstFailure` forward to the batch passes. Plaintext bundles + non-wrappable formats are skipped cleanly; a rotation that leaves any bundle unreadable reports `verifyFailed > 0` and emits the audit event with `outcome: "failure"`. A true overlap window where BOTH the old and new key decrypt a bundle (`dualWrap: true`) is refused with `backup/dual-wrap-unsupported` — it needs multi-recipient archive envelopes `b.archive.wrap` does not yet emit, and re-opens when the wrap layer gains them; until then stage a rotation by keeping the old key available to readers until `keyRotation` reports `failed: 0` + `verifyFailed: 0`, then retire it.
 - v0.12.29 (2026-05-24) — **`b.ai.dp` — float-safe differential privacy: snapping-mechanism Laplace + discrete Gaussian + Rényi-DP budgets.** Differential privacy adds calibrated noise so an aggregate is provably insensitive to any single record — but the guarantee is fragile: Mironov (2012) showed that a Laplace mechanism sampled with naive double-precision floats lets an attacker distinguish neighbouring datasets with > 35% probability from a single output, silently destroying the promise. `b.ai.dp` ships only mechanisms whose sampling is hardened against that attack class: Laplace via the snapping mechanism (clamp + CSPRNG sign + full-mantissa uniform + power-of-two-grid rounding) and the discrete Gaussian (Canonne–Kamath–Steinke 2020) via integer-exact rejection sampling built from Bernoulli(exp(−γ)) over exact rationals — no floating-point noise at all. All randomness comes from `b.crypto.generateBytes` (SHAKE256 over the OS CSPRNG), never `Math.random`. `b.ai.dp.budget({ scope, epsilon, delta })` tracks a privacy budget per scope and refuses a `consume` that would exceed it, accounting composition either by basic summation (default) or a Rényi-DP accountant (Mironov 2017) for a much tighter bound under repeated Gaussian releases. NIST SP 800-226 (2025) is the evaluation standard; Dwork & Roth is the canonical reference. The exponential and sparse-vector mechanisms are deferred-with-condition — their float-safe constructions (base-2 / permute-and-flip; snapped SVT) re-open on operator demand, since shipping them float-unsafe would defeat the module's purpose. **Added:** *`b.ai.dp.mechanism({ type, sensitivity, epsilon, ... })` — float-safe noise mechanisms* — `type: "laplace"` is the snapping mechanism (pure ε-DP, real-valued, requires a clamp `bound` the guarantee depends on); `type: "gaussian"` is the discrete Gaussian (integer-valued, (ε, δ)-DP, requires `delta`). The Gaussian uses the classic calibration σ = √(2 ln(1.25/δ))·Δ/ε, proven for ε ≤ 1 — larger ε is refused with a pointer to splitting the release under an rdp budget. Descriptors are validated + frozen at construction so a malformed parameter fails fast. · *`b.ai.dp.budget({ scope, epsilon, delta, accounting })` — per-scope privacy budget* — Returns `{ consume, remaining, spent, reset }`. `consume(mechanism, value)` adds the mechanism's noise, charges the accountant, and throws `aiDp/budget-exhausted` if the release would push the scope past its (ε, δ). `accounting: "basic"` (default) sums per-release ε and δ; `accounting: "rdp"` runs a Rényi-DP accountant across a grid of orders and converts to (ε, δ) at the scope's δ for a tight composition bound under repeated Gaussian releases (requires `delta > 0`). The scope budget is enforced on both ε and δ independently. **Security:** *`b.crypto.generateBytes` uniformity fix at 1-byte length* — Node's SHAKE256 XOF is non-uniform at `outputLength: 1` — the byte values 0x00 and 0xff never occur and the low bit skews to ~0.54. `b.crypto.generateBytes(1)` (and the underlying `random(1)`) now draws at least 2 bytes and slices, so a single-byte CSPRNG request is uniform. Surfaced by `b.ai.dp` per-byte noise sampling; any per-byte consumer of `generateBytes` inherits the fix. A regression test asserts 0x00 / 0xff occur and the low bit is balanced.
 - v0.12.28 (2026-05-24) — **`b.ai.capability` — model-capability registry + cheapest-satisfying-model router.** `b.ai.capability.create({ models })` turns a fleet of AI model descriptors into a routing decision: given a set of requirements (context window, input/output modalities, tool use, structured output, reasoning tier, citation support, prompt-caching size), it picks the cheapest model that satisfies all of them. NIST AI RMF (AI 100-1) MAP 2.x requires documenting each model's capabilities and limitations; the Model Cards convention (Mitchell et al., 2019) formalizes that descriptor — this primitive makes the descriptor actionable. Routing to the cheapest sufficient model is a front-line defense against over-provisioning spend and composes directly with `b.ai.quota`'s `cost-usd` dimension (the chosen descriptor's rate feeds the budget charge); refusing to route a request to a model that cannot satisfy it (missing modality, too-small context window, no tool use) catches a capability mismatch before the inference call burns tokens on a guaranteed-bad result. Cost ranking uses a supplied `costBasis` (`{ inputTokens, outputTokens }`) for real per-call spend, else the sum of the per-1k rates; ties break by model id so the choice is deterministic across calls and nodes. **Added:** *`b.ai.capability.create({ models })` — capability registry + router* — Returns `{ describe, list, register, satisfies, route }`. A descriptor carries `maxContextTokens`, `maxOutputTokens`, `modalitiesIn` / `modalitiesOut` (arrays), `toolUse`, `structuredOutput`, `fineTunable`, `reasoningTier` (`none` / `basic` / `standard` / `advanced`, ordered), `citationSupport`, `promptCachingMaxTokens`, and the cost rates `costPer1kInputTokens` / `costPer1kOutputTokens`. Descriptors are validated + frozen at registration so a typo (negative cost, unknown reasoning tier, non-array modality list) surfaces at config time rather than as a silent mis-route. `describe(modelId)` returns the frozen descriptor; `register(modelId, descriptor)` adds or replaces one at runtime. · *`route({ requirements, fallback?, costBasis? })` — cheapest-satisfying selection* — Collects every model whose descriptor satisfies all requirements, then returns the cheapest (`{ modelId, descriptor, estimatedCost, reason }`). Requirements: `minContextTokens`, `minOutputTokens`, `modalitiesIn` / `modalitiesOut` (model must support every listed modality), `toolUse`, `structuredOutput`, `fineTunable`, `minReasoningTier` (tier ordering — `standard` is met by `standard` or `advanced`), `citationSupport`, `minPromptCachingTokens`. When no model matches, `fallback` (a registered model id) is returned with `reason: "fallback"`, or the call refuses with `aiCapability/no-candidate` if no fallback was supplied. Routing decisions emit `ai/capability-routed` / `ai/capability-fallback` / `ai/capability-no-candidate` through the drop-silent audit chain. · *`satisfies(modelId, requirements)` — precise capability-mismatch reasons* — Returns `{ ok, failures }` where each failure names the `requirement`, the `need`, and what the model `have`s — so a caller surfaces a precise reason (e.g. `minReasoningTier need advanced have basic`) instead of a bare boolean. Use it to explain a routing miss or to gate a request against a specific model before calling it.

package/README.md CHANGED Viewed

@@ -75,6 +75,7 @@ The framework bundles the surface a typical Node app reaches for. Every primitiv
   - RP-Initiated / Front-Channel / Back-Channel Logout 1.0 (`parseFrontchannelLogoutRequest` + `verifyBackchannelLogoutToken` with jti-replay defense)
   - RFC 9207 AS Issuer Identifier validation on callbacks (`parseCallback` — refuses iss mismatch + OP `error=` redirect)
   - OAuth 2.0 JARM signed-response decode (`parseJarmResponse`)
+  - RFC 9101 JWT-Secured Authorization Request verification — server-side request-object parse with mandatory alg allowlist + iss/client_id/aud binding + anti-nesting (`b.auth.jar.parse`)
   - One-time-use refresh-token rotation with operator-supplied replay-defense callback (RFC 9700 §4.13 / OAuth 2.1 §6.1 — `refreshAccessToken({ seen })`)
 - **Federation / VC** — CIBA Core 1.0 (`b.auth.ciba`, poll/ping/push); OpenID Federation 1.0 trust chain + metadata_policy (`b.auth.openidFederation`); SAML 2.0 SP with XMLDSig signature-wrapping defense + RFC 9525 server-identity (`b.auth.saml`); OpenID4VCI 1.0 issuer (`b.auth.oid4vci`); OpenID4VP 1.0 verifier with DCQL (`b.auth.oid4vp`); SD-JWT VC with `key_attestation` extension (`b.auth.sdJwtVc`)
 - **Sessions** — `b.session`

package/index.js CHANGED Viewed

@@ -243,6 +243,7 @@ var auth = {
               require("./lib/auth/jwt"),
               { verifyExternal: require("./lib/auth/jwt-external").verifyExternal }),
   oauth:    require("./lib/auth/oauth"),
+  jar:      require("./lib/auth/jar"),
   lockout:  require("./lib/auth/lockout"),
   dpop:     require("./lib/auth/dpop"),
   aal:      require("./lib/auth/aal"),

package/lib/auth/jar.js ADDED Viewed

@@ -0,0 +1,168 @@
+"use strict";
+/**
+ * @module b.auth.jar
+ * @nav    Identity
+ * @title  JWT-Secured Authorization Request (JAR)
+ *
+ * @intro
+ *   RFC 9101 JWT-Secured Authorization Request — the authorization-
+ *   server side of the request object, the counterpart to the JARM
+ *   response handling in <code>b.auth.oauth</code>. A plain OAuth
+ *   authorization request passes its parameters as URL query string,
+ *   where they can be tampered with in the browser or leaked into
+ *   proxy / referer logs. JAR packs the parameters into a JWT signed
+ *   by the client (the "request object") so the authorization server
+ *   can verify they arrived exactly as the client sent them.
+ *
+ *   <code>b.auth.jar.parse(jar, opts)</code> verifies an incoming
+ *   request object: the signature is checked through
+ *   <code>b.auth.jwt.verifyExternal</code> (mandatory <code>algorithms</code>
+ *   allowlist — no <code>alg: "none"</code>, no HMAC-vs-RSA confusion,
+ *   no JWE-on-a-JWS-verifier), <code>iss</code> is pinned to the
+ *   expected <code>clientId</code>, <code>aud</code> to this server's
+ *   issuer identifier, the request object's <code>client_id</code>
+ *   claim must match the client, and the authorization parameters are
+ *   returned with the JWT envelope claims stripped.
+ *
+ *   <strong>Anti-nesting (RFC 9101 §6.3):</strong> a request object
+ *   may not itself carry a <code>request</code> or <code>request_uri</code>
+ *   parameter — <code>parse</code> refuses it, closing the recursion /
+ *   confused-deputy vector.
+ *
+ *   The signature verification — the security-critical step — is
+ *   delegated to <code>verifyExternal</code>, which already enforces
+ *   the alg allowlist and refuses the alg-confusion / JWE-bypass
+ *   shapes against a JWKS public-key trust source. JAR adds the
+ *   request-object-specific bindings on top.
+ *
+ *   <strong>Emitting</strong> a request object (the client side) is
+ *   deferred-with-condition: it requires signing with the client's
+ *   key under a classical JWS algorithm (RS256 / ES256 / EdDSA), and
+ *   the framework's own JWT signer (<code>b.auth.jwt.sign</code>) is
+ *   PQC-only (ML-DSA / SLH-DSA) for the tokens the framework itself
+ *   issues — a PQC-signed request object would not interoperate with
+ *   any standard authorization server today. blamejs sits on the
+ *   authorization-server side here (it verifies client request
+ *   objects); client-side emission re-opens when a classical
+ *   <code>b.auth.jws.sign</code> primitive lands or operators surface
+ *   the need. Until then clients sign their request objects with
+ *   their existing JOSE tooling.
+ *
+ * @card
+ *   RFC 9101 JWT-Secured Authorization Request (server side) — verify
+ *   the OAuth request object with mandatory alg allowlist, iss +
+ *   client_id binding, audience pinning, and anti-nesting.
+ */
+var jwtExternal = require("./jwt-external");
+var validateOpts = require("../validate-opts");
+var { defineClass } = require("../framework-error");
+var AuthJarError = defineClass("AuthJarError", { alwaysPermanent: true });
+var JAR_TYP = "oauth-authz-req+jwt";
+// JWT-standard claims that are request-object envelope metadata, not
+// OAuth authorization parameters — stripped from the returned params.
+var ENVELOPE_CLAIMS = ["iss", "aud", "exp", "iat", "nbf", "jti"];
+/**
+ * @primitive b.auth.jar.parse
+ * @signature b.auth.jar.parse(jar, opts)
+ * @since     0.12.31
+ * @status    stable
+ * @compliance soc2
+ * @related   b.auth.oauth.parseJarmResponse
+ *
+ * Verify an RFC 9101 request object and return its authorization
+ * parameters. The signature is checked via
+ * <code>b.auth.jwt.verifyExternal</code> (mandatory <code>algorithms</code>
+ * allowlist), <code>iss</code> is pinned to <code>opts.clientId</code>,
+ * <code>aud</code> to <code>opts.audience</code>, and the request
+ * object's <code>client_id</code> claim must equal
+ * <code>opts.clientId</code>. A request object carrying a nested
+ * <code>request</code> / <code>request_uri</code> is refused
+ * (RFC 9101 §6.3). Returns <code>{ params, claims }</code> where
+ * <code>params</code> is the authorization parameters with the JWT
+ * envelope claims removed.
+ *
+ * @opts
+ *   {
+ *     clientId:     string,    // required — expected client (iss + client_id pin)
+ *     audience:     string,    // required — this server's issuer identifier (aud pin)
+ *     algorithms:   string[],  // required — accepted signature algorithms (allowlist)
+ *     jwks?:        object,    // one of jwks / jwksUri / keyResolver (the client's key)
+ *     jwksUri?:     string,
+ *     keyResolver?: function,
+ *     clockSkewMs?: number,
+ *   }
+ *
+ * @example
+ *   var out = await b.auth.jar.parse(jar, {
+ *     clientId:   "s6BhdRkqt3",
+ *     audience:   "https://as.example.com",
+ *     algorithms: ["ES256"],
+ *     jwks:       clientJwks,
+ *   });
+ *   // → { params: { response_type: "code", redirect_uri: "...", ... }, claims: {...} }
+ */
+async function parse(jar, opts) {
+  if (typeof jar !== "string" || jar.length === 0) {
+    throw new AuthJarError("auth-jar/no-jar", "jar.parse: jar must be a non-empty string");
+  }
+  validateOpts.requireObject(opts, "jar.parse", AuthJarError);
+  validateOpts(opts, [
+    "clientId", "audience", "algorithms", "jwks", "jwksUri", "keyResolver", "clockSkewMs",
+  ], "jar.parse");
+  validateOpts.requireNonEmptyString(opts.clientId, "jar.parse: clientId", AuthJarError, "auth-jar/bad-client-id");
+  validateOpts.requireNonEmptyString(opts.audience, "jar.parse: audience", AuthJarError, "auth-jar/bad-audience");
+  // Delegate signature + alg-allowlist + iss/aud/exp verification to
+  // verifyExternal (the hardened JWS verifier). It throws on alg
+  // confusion / none / JWE / bad signature / iss / aud / expiry and
+  // returns `{ header, claims }`.
+  var verified = await jwtExternal.verifyExternal(jar, {
+    algorithms:  opts.algorithms,
+    jwks:        opts.jwks,
+    jwksUri:     opts.jwksUri,
+    keyResolver: opts.keyResolver,
+    issuer:      opts.clientId,
+    audience:    opts.audience,
+    clockSkewMs: opts.clockSkewMs,
+  });
+  var payload = verified.claims;
+  // RFC 9101 §5.2 — the request object MUST carry a client_id claim,
+  // and it MUST match the client. verifyExternal already pinned
+  // iss === clientId, but client_id is a distinct REQUIRED claim;
+  // accepting its absence would let a JAR pass on the strength of an
+  // outer (attacker-controllable) query-param client_id alone, so a
+  // missing client_id is refused rather than waved through.
+  if (payload.client_id === undefined) {
+    throw new AuthJarError("auth-jar/missing-client-id",
+      "jar.parse: request object is missing the required client_id claim (RFC 9101 §5.2)");
+  }
+  if (payload.client_id !== opts.clientId) {
+    throw new AuthJarError("auth-jar/client-id-mismatch",
+      "jar.parse: request object client_id does not match the expected client");
+  }
+  // RFC 9101 §6.3 — a request object must not nest another request /
+  // request_uri (recursion / confused-deputy vector).
+  if (payload.request !== undefined || payload.request_uri !== undefined) {
+    throw new AuthJarError("auth-jar/nested-request",
+      "jar.parse: request object must not carry `request` or `request_uri` (RFC 9101 §6.3)");
+  }
+  var params = {};
+  var keys = Object.keys(payload);
+  for (var i = 0; i < keys.length; i++) {
+    if (ENVELOPE_CLAIMS.indexOf(keys[i]) === -1) params[keys[i]] = payload[keys[i]];
+  }
+  return { params: params, claims: payload };
+}
+module.exports = {
+  parse:        parse,
+  JAR_TYP:      JAR_TYP,
+  AuthJarError: AuthJarError,
+};

package/lib/backup/index.js CHANGED Viewed

@@ -1935,6 +1935,102 @@ function bundleAdapterStorage(opts) {
         results: results,
       };
     },
+    // keyRotation(opts) — orchestrate a whole-repository key rotation:
+    // rotate every bundle's envelope from the old key to the new key
+    // (composing rewrapAllBundles), then re-read every rotated bundle
+    // under the NEW key (composing verifyAllBundles) so a rotation
+    // that silently corrupted a bundle surfaces as a failure rather
+    // than a time-bomb the operator discovers at restore time. Emits
+    // a `backup/key-rotated` audit event with the rotation id + the
+    // per-status counts — key-rotation events are a compliance record
+    // (SOC 2 CC6.1 / PCI DSS 3.6.4) operators wire into their chain.
+    //
+    // opts.newRecipient / opts.newPassphrase is the key bundles are
+    // rotated TO (required, matched to the storage's cryptoStrategy);
+    // opts.oldRecipient / opts.oldPassphrase unwraps the current
+    // envelope when it differs from the storage's configured key.
+    // opts.verify (default true) runs the post-rotation read-back;
+    // opts.concurrency / opts.stopOnFirstFailure forward to the
+    // batch passes. opts.dualWrap is deferred-with-condition — a true
+    // overlap window where BOTH the old and new key decrypt a bundle
+    // needs multi-recipient envelopes (b.archive.wrap currently wraps
+    // to a single recipient); it re-opens when the wrap layer gains
+    // multi-recipient support. Until then operators stage a rotation
+    // by keeping the old key available to readers until keyRotation
+    // reports `failed: 0` + `verifyFailed: 0`, then retiring it.
+    async keyRotation(opts) {
+      opts = opts || {};
+      if (opts.dualWrap === true) {
+        throw new BackupError("backup/dual-wrap-unsupported",
+          "keyRotation: dualWrap (simultaneous old+new key validity) requires multi-recipient " +
+          "archive envelopes, which b.archive.wrap does not yet emit; rotate sequentially and " +
+          "keep the old key available to readers until keyRotation reports failed: 0 + verifyFailed: 0");
+      }
+      if (cryptoStrategy === "none") {
+        throw new BackupError("backup/no-envelope-to-rewrap",
+          "keyRotation: storage cryptoStrategy is \"none\" — there is no envelope key to rotate");
+      }
+      if (cryptoStrategy === "recipient" &&
+          (!opts.newRecipient || typeof opts.newRecipient !== "object")) {
+        throw new BackupError("backup/no-recipient",
+          "keyRotation: cryptoStrategy \"recipient\" requires opts.newRecipient (the key to rotate to)");
+      }
+      if (cryptoStrategy === "passphrase" &&
+          !(typeof opts.newPassphrase === "string" || Buffer.isBuffer(opts.newPassphrase))) {
+        throw new BackupError("backup/bad-passphrase",
+          "keyRotation: cryptoStrategy \"passphrase\" requires opts.newPassphrase (string or Buffer)");
+      }
+      var rotatedAt = new Date().toISOString();
+      var rotationId = "rotation-" + rotatedAt;
+      var rotate = await this.rewrapAllBundles(opts);
+      // Post-rotation read-back under the NEW key. Skip only when the
+      // operator opts out; default proves the rotation landed.
+      var verify = null;
+      if (opts.verify !== false) {
+        var verifyOpts = {
+          concurrency:       opts.concurrency,
+          stopOnFirstFailure: opts.stopOnFirstFailure,
+        };
+        if (cryptoStrategy === "recipient") verifyOpts.recipient = opts.newRecipient;
+        else verifyOpts.passphrase = opts.newPassphrase;
+        verify = await this.verifyAllBundles(verifyOpts);
+      }
+      var verifyFailed = verify ? verify.failed : 0;
+      var outcome = (rotate.failed === 0 && verifyFailed === 0) ? "success" : "failure";
+      try {
+        audit().safeEmit({
+          action:   "backup/key-rotated",
+          outcome:  outcome,
+          metadata: {
+            rotationId:     rotationId,
+            cryptoStrategy: cryptoStrategy,
+            total:          rotate.total,
+            rotated:        rotate.rotated,
+            skipped:        rotate.skipped,
+            failed:         rotate.failed,
+            verified:       verify ? verify.ok : null,
+            verifyFailed:   verifyFailed,
+          },
+        });
+      } catch (_e) { /* audit best-effort — drop-silent */ }
+      return {
+        rotationId:   rotationId,
+        rotatedAt:    rotatedAt,
+        total:        rotate.total,
+        rotated:      rotate.rotated,
+        skipped:      rotate.skipped,
+        failed:       rotate.failed,
+        verified:     verify ? verify.ok : null,
+        verifyFailed: verifyFailed,
+        rotateResults: rotate.results,
+        verifyResults: verify ? verify.results : null,
+      };
+    },
     // bundleInfo(bundleId) — v0.12.17 per-bundle introspection.
     // Returns `{ bundleId, format, envelopeKind, sizeBytes }`.
     // `format` is one of `"tar"` / `"tar.gz"` / `"directory"`

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@blamejs/core",
-  "version": "0.12.29",
+  "version": "0.12.31",
   "description": "The Node framework that owns its stack.",
   "license": "Apache-2.0",
   "author": "blamejs contributors",

package/sbom.cdx.json CHANGED Viewed

@@ -2,10 +2,10 @@
   "$schema": "http://cyclonedx.org/schema/bom-1.5.schema.json",
   "bomFormat": "CycloneDX",
   "specVersion": "1.5",
-  "serialNumber": "urn:uuid:ae86440d-174b-4c3d-8fee-c92df10a498a",
+  "serialNumber": "urn:uuid:db45490d-0a47-4980-8047-83be6cb8f384",
   "version": 1,
   "metadata": {
-    "timestamp": "2026-05-24T17:32:55.663Z",
+    "timestamp": "2026-05-24T19:33:14.548Z",
     "lifecycles": [
       {
         "phase": "build"
@@ -19,14 +19,14 @@
       }
     ],
     "component": {
-      "bom-ref": "@blamejs/core@0.12.29",
+      "bom-ref": "@blamejs/core@0.12.31",
       "type": "application",
       "name": "blamejs",
-      "version": "0.12.29",
+      "version": "0.12.31",
       "scope": "required",
       "author": "blamejs contributors",
       "description": "The Node framework that owns its stack.",
-      "purl": "pkg:npm/%40blamejs/core@0.12.29",
+      "purl": "pkg:npm/%40blamejs/core@0.12.31",
       "properties": [],
       "externalReferences": [
         {
@@ -54,7 +54,7 @@
   "components": [],
   "dependencies": [
     {
-      "ref": "@blamejs/core@0.12.29",
+      "ref": "@blamejs/core@0.12.31",
       "dependsOn": []
     }
   ]