npm - @blamejs/core - Versions diffs - 0.12.34 → 0.12.36 - Mend

@blamejs/core 0.12.34 → 0.12.36

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (8) hide show

package/CHANGELOG.md CHANGED Viewed

@@ -8,6 +8,10 @@ upgrading across more than a few patches at a time.
 ## v0.12.x
+- v0.12.36 (2026-05-24) — **`b.cose.encrypt0` / `b.cose.decrypt0` — COSE_Encrypt0 single-recipient AEAD (RFC 9052 §5.2).** Completes the COSE family with encryption alongside the v0.12.33 signing: COSE_Encrypt0 is the single-recipient AEAD container where the recipient already holds the symmetric key (direct mode). The default algorithm is ChaCha20/Poly1305 (COSE alg 24) — AES-GCM stays opt-in, since hard-rule #2 forbids AES-GCM as a default. The Enc_structure (`["Encrypt0", protected, external_aad]`) is bound as the AEAD associated data so the algorithm + any external context are authenticated, and the authentication tag is appended to the ciphertext per COSE. Composes the in-tree `b.cbor` codec and `node:crypto` AEAD. **Added:** *`b.cose.encrypt0(plaintext, opts)` / `b.cose.decrypt0(coseEncrypt0, opts)`* — `encrypt0` produces a tagged COSE_Encrypt0 with `alg` in the protected header and a random 12-byte IV in the unprotected header (label 5); `alg` is `"ChaCha20-Poly1305"` (default), `"A256GCM"`, or `"A128GCM"`, with the key length enforced (32 / 16 bytes). `decrypt0` reads the algorithm from the protected header (must be in the required `opts.algorithms` allowlist), reconstructs the Enc_structure as the AEAD AAD, and returns `{ plaintext, alg, protectedHeaders, unprotectedHeaders }`; a wrong key, tampered ciphertext, or `external_aad` mismatch fails AEAD authentication and is refused with `cose/decrypt-failed`. `external_aad` binds request context into the tag.
+- v0.12.35 (2026-05-24) — **`b.eat` — Entity Attestation Token (RFC 9711) over `b.cwt`.** An EAT is the token a Relying Party asks a device or software entity to produce to prove what it is and what state it is in — a freshness nonce, a Universal Entity ID, OEM / hardware identifiers, debug status, software measurements, and nested submodule attestations. `b.eat` is the RFC 9711 profile over the v0.12.34 `b.cwt`: it maps the EAT claim names to their IANA CWT claim-key integer labels and adds the attestation-specific verification on top of the CWT signature + time checks. The central control is the verifier-nonce binding: when the Relying Party supplies a fresh `expectedNonce`, the token's `eat_nonce` (claim 10) must match it (constant-time compare) — without it a captured attestation replays forever. `verify` also enforces a debug-status policy (`requireDebugDisabled` refuses an `enabled` or absent `dbgstat`) and pins the `eat_profile`. RFC 9711 is a finalized standard; signing follows `b.cwt` / `b.cose` (ES256/384/512 + EdDSA interoperable today, ML-DSA-87 PQC-forward). **Added:** *`b.eat.sign(claims, opts)` / `b.eat.verify(eat, opts)`* — `sign` maps EAT claim names (`nonce`, `ueid`, `oemid`, `hwmodel`, `dbgstat`, `eat_profile`, `swname`/`swversion`, `measurements`, `submods`, …) to their RFC 9711 integer labels and accepts the `dbgstat` enum by name (`disabled-since-boot` → 2); standard CWT claims (`iss` / `exp` / …) pass through. `verify` returns `{ claims, raw, alg, protectedHeaders }` with the labels mapped back to friendly names and `dbgstat` decoded to its enum name. Attestation enforcement: `expectedNonce` requires a matching `eat_nonce` (refused `eat/nonce-mismatch`, missing `eat/nonce-missing` — `eat_nonce` may be a single byte string or an array for multiple verifiers), `requireDebugDisabled` refuses a non-disabled `dbgstat` (`eat/debug-not-disabled`), and `expectedProfile` pins `eat_profile`. The signature, algorithm allowlist, and `exp`/`nbf` checks delegate to `b.cwt` / `b.cose`. · *`b.cwt.sign` accepts a `Map`* — `b.cwt.sign` now takes either a plain object (string keys, standard claims mapped by name) or a `Map`, which preserves integer claim keys verbatim — profiles like `b.eat` resolve their claim names to integer labels and pass them through without the keys being stringified. The plain-object path is unchanged.
 - v0.12.34 (2026-05-24) — **`b.cwt` — CBOR Web Token (RFC 8392) sign / verify over `b.cose`.** A CWT is the CBOR-native counterpart to JWT — a signed claims set for constrained / IoT, FIDO attestation, and verifiable-credential contexts. `b.cwt` composes the v0.12.33 `b.cose` (COSE_Sign1 signature + mandatory algorithm allowlist) and v0.12.32 `b.cbor` (deterministic claims encoding) and layers the standard-claim handling on top: `sign` takes a friendly claims object, maps the standard claims to their RFC 8392 §3.1.1 integer labels (iss=1, sub=2, aud=3, exp=4, nbf=5, iat=6, cti=7), and signs; `verify` checks the COSE signature, decodes the claims, and enforces the time + identity claims — a passed `exp` (with clock-skew tolerance), a future `nbf`, and an `iss` / `aud` mismatch against the expected values are each refused. Signing algorithms follow `b.cose`: classical ES256/384/512 + EdDSA (final COSE ids, interoperable today) and ML-DSA-87 (PQC-forward). RFC 8392 is a finalized standard, so CWTs produced here interoperate with other COSE/CWT implementations. **Added:** *`b.cwt.sign(claims, opts)` / `b.cwt.verify(cwt, opts)`* — `sign` maps standard claim names to integer labels and keeps custom claims verbatim; `exp` / `nbf` / `iat` must be non-negative integer NumericDates. `opts.tagged` wraps the COSE_Sign1 in the CWT CBOR tag 61 (RFC 8392 §6); `verify` accepts tagged or bare input. `verify` returns `{ claims, raw, alg, protectedHeaders }` — `claims` is the friendly object (labels mapped back to names), `raw` the integer-keyed Map. Standard-claim enforcement: `exp` past `now + clockSkewSec` (default 60s) is refused with `cwt/expired`, `nbf` beyond `now - skew` with `cwt/not-yet-valid`, and `expectedIssuer` / `expectedAudience` mismatches with `cwt/issuer-mismatch` / `cwt/audience-mismatch` (aud may be a single value or an array). `opts.now` overrides the clock for testing. The signature itself is verified by `b.cose.verify`, so a tampered token fails there.
 - v0.12.33 (2026-05-24) — **`b.cose` — COSE_Sign1 sign / verify (RFC 9052) over the in-tree CBOR codec.** COSE is the signed-statement substrate under SCITT, CWT, and C2PA — the CBOR-native counterpart to JWS. `b.cose` ships COSE_Sign1 signing and verification composing the v0.12.32 `b.cbor` codec for the deterministic Sig_structure encoding. It signs with the classical COSE algorithms that interoperate today — ES256 / ES384 / ES512 (ECDSA) and EdDSA (Ed25519), all with final IANA algorithm ids (RFC 9053) — and with ML-DSA-87 (FIPS 204) for PQC-forward deployments. Verification accepts the same set, so the framework both produces COSE other implementations read today and consumes third-party COSE. There is no classical default: the caller names the algorithm and supplies the key. **Added:** *`b.cose.sign(payload, opts)` / `b.cose.verify(coseSign1, opts)`* — `sign` produces a tagged COSE_Sign1 with `alg` in the integrity-protected header; `verify` returns `{ payload, alg, protectedHeaders, unprotectedHeaders }`. The Sig_structure (`["Signature1", protected, external_aad, payload]`) is deterministically CBOR-encoded; ECDSA signatures use the IEEE-P1363 fixed-width encoding COSE mandates (RFC 9053 §2.1), not ASN.1 DER. `external_aad` is bound into the signature. v1 is single-signer with an attached payload; detached payload, COSE_Sign (multi-signer), COSE_Mac0, and COSE_Encrypt are deferred-with-condition (operator demand). **Security:** *Bounded, alg-allowlisted, crit-checked verification* — `verify` decodes the COSE_Sign1 bytes AND the protected-header bstr through the bounded `b.cbor.decode` (depth + size caps, indefinite-length / tag / duplicate-key refusal). `opts.algorithms` is a required allowlist (no defaults — name the accepted algorithms). A `crit` header (label 2) listing a header label the verifier does not understand is refused (RFC 9052 §3.1 crit-bypass defense), as is a `crit` label absent from the protected header. The COSE algorithm switch refuses any unrecognized id at the default branch. · *ML-DSA-87 COSE algorithm id is a non-final draft* — ML-DSA-87 uses COSE algorithm id `-50`, a requested (non-final) IANA assignment from draft-ietf-cose-dilithium — an ML-DSA-87 COSE_Sign1 is not yet broadly interoperable and the id may change; it is pinned deliberately with the re-open condition being IANA finalization. SLH-DSA-SHAKE-256f has no registered COSE algorithm id at all and cannot be represented in COSE. The COSE_Sign1 mechanism and the classical algorithms are stable; ML-DSA-87 is the forward-looking opt-in.

package/README.md CHANGED Viewed

@@ -126,8 +126,9 @@ The framework bundles the surface a typical Node app reaches for. Every primitiv
 - **JSON / SQL / schema** — `b.safeJson` (with `maxKeys` cap defending CVE-2026-21717 V8 HashDoS), `b.safeBuffer`, `b.safeSql`, `b.safeSchema`
 - **URL + path** — `b.safeUrl` (IDN mixed-script / homograph refuse); `b.safeJsonPath` (refuses filter `?(...)`, deep-scan `$..`, script-shape `(@.x)` for safe Postgres JSONB ops)
 - **Binary codec** — `b.cbor` bounded deterministic CBOR (RFC 8949 §4.2): depth/size caps, indefinite-length + reserved-info + tag + duplicate-key refusal, `requireDeterministic` canonical-form check; the in-tree substrate under COSE / CWT / SCITT / WebAuthn attestation
-- **COSE signing** — `b.cose` COSE_Sign1 sign/verify (RFC 9052) over `b.cbor`: classical ES256/384/512 + EdDSA (final COSE ids, interoperable today) plus ML-DSA-87 (PQC-forward, draft id); bounded + alg-allowlisted + crit-bypass-checked verification; the signed-statement substrate under SCITT / CWT / C2PA
+- **COSE signing + encryption** — `b.cose` COSE_Sign1 sign/verify + COSE_Encrypt0 (RFC 9052) over `b.cbor`: classical ES256/384/512 + EdDSA (final COSE ids, interoperable today) plus ML-DSA-87 (PQC-forward, draft id); bounded + alg-allowlisted + crit-bypass-checked verification; single-recipient AEAD (ChaCha20/Poly1305 default, AES-GCM opt-in) with Enc_structure-bound AAD; the signed-statement substrate under SCITT / CWT / C2PA
 - **CBOR Web Token** — `b.cwt` CWT sign/verify (RFC 8392) over `b.cose`: standard-claim mapping (iss/sub/aud/exp/nbf/iat/cti) + `exp`/`nbf` clock-skew enforcement + `iss`/`aud` matching; the CBOR-native JWT for constrained / IoT / FIDO / verifiable-credential contexts
+- **Entity Attestation Token** — `b.eat` EAT sign/verify (RFC 9711) over `b.cwt`: device + software attestation claims (ueid / oemid / hwmodel / measurements / submods) with verifier-nonce freshness binding, `dbgstat` debug-status policy, and `eat_profile` pinning
 - **Document parsers** — `b.parsers` (XML / TOML / YAML / .env); `b.config` (schema-validated env)
 - **File-type detection** — `b.fileType` magic-byte content classification with deny-on-upload categories (image / document / archive / executable / etc.)
 ### Content-safety gates

package/index.js CHANGED Viewed

@@ -458,6 +458,7 @@ module.exports = {
   cbor:             require("./lib/cbor"),
   cose:             require("./lib/cose"),
   cwt:              require("./lib/cwt"),
+  eat:              require("./lib/eat"),
   queue:            queue,
   logStream:        logStream,
   redact:           redact,

package/lib/cose.js CHANGED Viewed

@@ -330,10 +330,192 @@ async function verify(coseSign1, opts) {
   };
 }
+// ---- COSE_Encrypt0 (RFC 9052 §5.2) — single-recipient AEAD ----
+var COSE_ENCRYPT0_TAG = 16;                                                            // allow:raw-byte-literal — RFC 9052 COSE_Encrypt0 CBOR tag
+var HDR_IV = 5;                                                                        // RFC 9052 §3.1 unprotected header label: IV
+var AEAD_TAG_LEN = 16;                                                                 // allow:raw-byte-literal — AEAD authentication tag length (bytes)
+// AEAD algorithm: COSE id → node cipher + key / IV sizes. ChaCha20/
+// Poly1305 (24) is the default; AES-GCM is opt-in (project hard-rule
+// #2 forbids AES-GCM as a default).
+var AEAD_NAME_TO_ID = { "ChaCha20-Poly1305": 24, "A256GCM": 3, "A128GCM": 1 };         // allow:raw-byte-literal — COSE AEAD algorithm identifiers (RFC 9053), not sizes
+var AEAD_ID_TO_NAME = {};
+Object.keys(AEAD_NAME_TO_ID).forEach(function (k) { AEAD_ID_TO_NAME[AEAD_NAME_TO_ID[k]] = k; });
+function _aeadParams(algId) {
+  switch (algId) {
+    case 24: return { cipher: "chacha20-poly1305", keyLen: 32, ivLen: 12 };            // allow:raw-byte-literal — ChaCha20/Poly1305 key+IV sizes
+    case 3:  return { cipher: "aes-256-gcm",      keyLen: 32, ivLen: 12 };             // allow:raw-byte-literal — AES-256-GCM key+IV sizes
+    case 1:  return { cipher: "aes-128-gcm",      keyLen: 16, ivLen: 12 };             // allow:raw-byte-literal — AES-128-GCM key+IV sizes
+    default:
+      throw new CoseError("cose/unknown-alg", "cose: unrecognized AEAD COSE alg id " + algId);
+  }
+}
+// Enc_structure (§5.3) = [ "Encrypt0", body_protected (bstr), external_aad (bstr) ]
+// — deterministically CBOR-encoded, used as the AEAD associated data.
+function _encStructure(protectedBstr, externalAad) {
+  return cbor.encode(["Encrypt0", protectedBstr, externalAad]);
+}
+/**
+ * @primitive b.cose.encrypt0
+ * @signature b.cose.encrypt0(plaintext, opts)
+ * @since     0.12.36
+ * @status    stable
+ * @related   b.cose.decrypt0, b.cose.sign
+ *
+ * Encrypt bytes into a tagged COSE_Encrypt0 (RFC 9052 §5.2), a
+ * single-recipient AEAD container where the recipient already holds
+ * the symmetric key (direct mode). Default algorithm is
+ * <code>ChaCha20-Poly1305</code>; <code>A256GCM</code> / <code>A128GCM</code>
+ * are opt-in. The Enc_structure is bound as the AEAD associated data,
+ * and the authentication tag is appended to the ciphertext per COSE.
+ *
+ * @opts
+ *   {
+ *     alg:        string,   // "ChaCha20-Poly1305" (default) | "A256GCM" | "A128GCM"
+ *     key:        Buffer,   // symmetric key (32 bytes for ChaCha/A256GCM, 16 for A128GCM)
+ *     iv?:        Buffer,   // 12-byte IV (random if omitted)
+ *     externalAad?: Buffer, // bound into the AEAD tag
+ *     unprotectedHeaders?: object,
+ *   }
+ *
+ * @example
+ *   var enc = b.cose.encrypt0(Buffer.from("secret"), { alg: "ChaCha20-Poly1305", key: k });
+ */
+function encrypt0(plaintext, opts) {
+  validateOpts.requireObject(opts, "cose.encrypt0", CoseError);
+  validateOpts(opts, ["alg", "key", "iv", "externalAad", "unprotectedHeaders"], "cose.encrypt0");
+  var alg = opts.alg || "ChaCha20-Poly1305";
+  if (!(alg in AEAD_NAME_TO_ID)) {
+    throw new CoseError("cose/unknown-alg", "cose.encrypt0: alg must be one of " + Object.keys(AEAD_NAME_TO_ID).join(" / "));
+  }
+  var algId = AEAD_NAME_TO_ID[alg];
+  var p = _aeadParams(algId);
+  var key = _bstr(opts.key);
+  if (key.length !== p.keyLen) throw new CoseError("cose/bad-key", "cose.encrypt0: " + alg + " requires a " + p.keyLen + "-byte key");
+  var iv = opts.iv != null ? _bstr(opts.iv) : nodeCrypto.randomBytes(p.ivLen);
+  if (iv.length !== p.ivLen) throw new CoseError("cose/bad-iv", "cose.encrypt0: " + alg + " requires a " + p.ivLen + "-byte IV");
+  var protMap = new Map(); protMap.set(HDR_ALG, algId);
+  var protectedBstr = cbor.encode(protMap);
+  var aad = _encStructure(protectedBstr, opts.externalAad == null ? Buffer.alloc(0) : _bstr(opts.externalAad));
+  var cipher = nodeCrypto.createCipheriv(p.cipher, key, iv, { authTagLength: AEAD_TAG_LEN });
+  cipher.setAAD(aad);
+  var ct = Buffer.concat([cipher.update(_bstr(plaintext)), cipher.final()]);
+  var ciphertext = Buffer.concat([ct, cipher.getAuthTag()]);                            // COSE appends the auth tag to the ciphertext
+  var unprot = new Map(); unprot.set(HDR_IV, iv);
+  if (opts.unprotectedHeaders && typeof opts.unprotectedHeaders === "object") {
+    var uk = Object.keys(opts.unprotectedHeaders);
+    for (var i = 0; i < uk.length; i++) {
+      var label = Number(uk[i]);
+      // The IV (label 5) is managed via opts.iv and must match the IV
+      // the AEAD used — refuse an override that would emit a token whose
+      // stored IV disagrees with the one it was encrypted under.
+      if (label === HDR_IV) {
+        throw new CoseError("cose/reserved-header",
+          "cose.encrypt0: unprotectedHeaders must not set label 5 (IV) — pass opts.iv instead");
+      }
+      unprot.set(label, opts.unprotectedHeaders[uk[i]]);
+    }
+  }
+  return cbor.encode(new cbor.Tag(COSE_ENCRYPT0_TAG, [protectedBstr, unprot, ciphertext]));
+}
+/**
+ * @primitive b.cose.decrypt0
+ * @signature b.cose.decrypt0(coseEncrypt0, opts)
+ * @since     0.12.36
+ * @status    stable
+ * @related   b.cose.encrypt0
+ *
+ * Decrypt a COSE_Encrypt0 and return the plaintext. The algorithm is
+ * read from the protected header and must be in
+ * <code>opts.algorithms</code>; the Enc_structure is reconstructed as
+ * the AEAD associated data and authentication failure (wrong key /
+ * tampered ciphertext or AAD) is refused.
+ *
+ * @opts
+ *   {
+ *     key:        Buffer,    // symmetric key
+ *     algorithms: string[],  // required — accepted AEAD algs (allowlist)
+ *     externalAad?: Buffer,  // must match what was encrypted
+ *     maxBytes?:  number,
+ *     maxDepth?:  number,
+ *   }
+ *
+ * @example
+ *   var pt = b.cose.decrypt0(enc, { key: k, algorithms: ["ChaCha20-Poly1305"] }).plaintext;
+ */
+function decrypt0(coseEncrypt0, opts) {
+  validateOpts.requireObject(opts, "cose.decrypt0", CoseError);
+  validateOpts(opts, ["key", "algorithms", "externalAad", "maxBytes", "maxDepth"], "cose.decrypt0");
+  if (!Array.isArray(opts.algorithms) || opts.algorithms.length === 0) {
+    throw new CoseError("cose/algorithms-required", "cose.decrypt0: opts.algorithms is required (no defaults — name the accepted algorithms)");
+  }
+  var decoded = cbor.decode(_bstr(coseEncrypt0), { allowedTags: [COSE_ENCRYPT0_TAG], maxBytes: opts.maxBytes, maxDepth: opts.maxDepth });
+  var arr = (decoded instanceof cbor.Tag && decoded.tag === COSE_ENCRYPT0_TAG) ? decoded.value : decoded;
+  if (!Array.isArray(arr) || arr.length !== 3) {
+    throw new CoseError("cose/malformed", "cose.decrypt0: not a COSE_Encrypt0 (expected a 3-element array)");
+  }
+  var protectedBstr = arr[0], unprotected = arr[1], ciphertext = arr[2];
+  if (!Buffer.isBuffer(protectedBstr) || !Buffer.isBuffer(ciphertext)) {
+    throw new CoseError("cose/malformed", "cose.decrypt0: protected header and ciphertext must be byte strings");
+  }
+  if (!(unprotected instanceof Map)) {
+    throw new CoseError("cose/malformed", "cose.decrypt0: unprotected header must be a CBOR map");
+  }
+  var protMap = protectedBstr.length === 0 ? new Map()
+    : cbor.decode(protectedBstr, { maxBytes: opts.maxBytes, maxDepth: opts.maxDepth });
+  if (!(protMap instanceof Map)) {
+    throw new CoseError("cose/malformed", "cose.decrypt0: protected header is not a CBOR map");
+  }
+  var algId = protMap.get(HDR_ALG);
+  var algName = AEAD_ID_TO_NAME[algId];
+  if (algName === undefined) {
+    throw new CoseError("cose/unknown-alg", "cose.decrypt0: unrecognized AEAD alg id " + algId);
+  }
+  if (opts.algorithms.indexOf(algName) === -1) {
+    throw new CoseError("cose/alg-not-allowed", "cose.decrypt0: alg '" + algName + "' is not in the allowlist");
+  }
+  var p = _aeadParams(algId);
+  var key = _bstr(opts.key);
+  if (key.length !== p.keyLen) throw new CoseError("cose/bad-key", "cose.decrypt0: " + algName + " requires a " + p.keyLen + "-byte key");
+  var iv = unprotected.get(HDR_IV);
+  if (!Buffer.isBuffer(iv) || iv.length !== p.ivLen) {
+    throw new CoseError("cose/bad-iv", "cose.decrypt0: missing or wrong-length IV (unprotected label 5)");
+  }
+  if (ciphertext.length < AEAD_TAG_LEN) {
+    throw new CoseError("cose/malformed", "cose.decrypt0: ciphertext shorter than the AEAD tag");
+  }
+  var tag = ciphertext.subarray(ciphertext.length - AEAD_TAG_LEN);
+  var ct = ciphertext.subarray(0, ciphertext.length - AEAD_TAG_LEN);
+  var aad = _encStructure(protectedBstr, opts.externalAad == null ? Buffer.alloc(0) : _bstr(opts.externalAad));
+  var decipher = nodeCrypto.createDecipheriv(p.cipher, key, iv, { authTagLength: AEAD_TAG_LEN });
+  decipher.setAAD(aad);
+  decipher.setAuthTag(tag);
+  var pt;
+  try {
+    pt = Buffer.concat([decipher.update(ct), decipher.final()]);
+  } catch (_e) {
+    throw new CoseError("cose/decrypt-failed", "cose.decrypt0: AEAD authentication failed (wrong key, tampered ciphertext, or AAD mismatch)");
+  }
+  return { plaintext: pt, alg: algName, protectedHeaders: protMap, unprotectedHeaders: unprotected };
+}
 module.exports = {
   sign:        sign,
   verify:      verify,
+  encrypt0:    encrypt0,
+  decrypt0:    decrypt0,
   ALGORITHMS:  ALG_NAME_TO_ID,
+  AEAD_ALGORITHMS: AEAD_NAME_TO_ID,
   COSE_SIGN1_TAG: COSE_SIGN1_TAG,
+  COSE_ENCRYPT0_TAG: COSE_ENCRYPT0_TAG,
   CoseError:   CoseError,
 };

package/lib/cwt.js CHANGED Viewed

@@ -101,23 +101,28 @@ function _readTagHead(buf) {
  */
 async function sign(claims, opts) {
   if (!claims || typeof claims !== "object" || Array.isArray(claims)) {
-    throw new CwtError("cwt/bad-claims", "cwt.sign: claims must be a plain object");
+    throw new CwtError("cwt/bad-claims", "cwt.sign: claims must be a plain object or a Map");
   }
   validateOpts.requireObject(opts, "cwt.sign", CwtError);
   validateOpts(opts, ["alg", "privateKey", "kid", "tagged", "externalAad"], "cwt.sign");
+  // Accept a plain object (string keys) OR a Map. A Map preserves
+  // INTEGER claim keys verbatim — profiles like b.eat pass their
+  // already-resolved integer labels through and must not have them
+  // stringified.
+  var source = (claims instanceof Map)
+    ? claims
+    : new Map(Object.keys(claims).map(function (k) { return [k, claims[k]]; }));
   var map = new Map();
-  var keys = Object.keys(claims);
-  for (var i = 0; i < keys.length; i++) {
-    var name = keys[i];
-    var value = claims[name];
-    if (NUMERIC_DATE_CLAIMS[name] &&
+  source.forEach(function (value, name) {
+    if (typeof name === "string" && NUMERIC_DATE_CLAIMS[name] &&
         (typeof value !== "number" || !Number.isInteger(value) || value < 0)) {
       throw new CwtError("cwt/bad-numeric-date",
         "cwt.sign: claim '" + name + "' must be a non-negative integer NumericDate (seconds)");
     }
-    map.set(Object.prototype.hasOwnProperty.call(STD, name) ? STD[name] : name, value);
-  }
+    map.set((typeof name === "string" && Object.prototype.hasOwnProperty.call(STD, name)) ? STD[name] : name, value);
+  });
   var claimsCbor = cbor.encode(map);
   var coseSign1 = await cose.sign(claimsCbor, {

package/lib/eat.js ADDED Viewed

@@ -0,0 +1,240 @@
+"use strict";
+/**
+ * @module b.eat
+ * @nav    Crypto
+ * @title  Entity Attestation Token (EAT)
+ *
+ * @intro
+ *   RFC 9711 Entity Attestation Token — a CWT (or JWT) profile that
+ *   carries attestation claims describing the state of a device or
+ *   software entity: a freshness nonce, a Universal Entity ID, OEM /
+ *   hardware identifiers, debug status, software measurements, and
+ *   nested submodule attestations. EAT is the token a Relying Party
+ *   asks a device to produce to prove what it is and what state it is
+ *   in. This module is the EAT profile over <code>b.cwt</code> — it
+ *   maps the RFC 9711 claim names to their CWT claim-key integer
+ *   labels and adds the attestation-specific verification.
+ *
+ *   <code>b.eat.sign(claims, opts)</code> takes a friendly claims
+ *   object (<code>nonce</code>, <code>ueid</code>, <code>oemid</code>,
+ *   <code>dbgstat</code>, <code>eat_profile</code>,
+ *   <code>measurements</code>, <code>submods</code>, … plus the
+ *   standard CWT claims) and signs it as a CWT.
+ *
+ *   <code>b.eat.verify(eat, opts)</code> verifies the CWT (signature +
+ *   alg allowlist + time claims, via <code>b.cwt</code>) and then
+ *   enforces the attestation contract:
+ *
+ *   - <strong>Nonce binding</strong> — when the Relying Party supplied
+ *     a fresh <code>expectedNonce</code>, the token's
+ *     <code>eat_nonce</code> (claim 10) MUST match it (constant-time
+ *     compare). This is the freshness / anti-replay defense: without
+ *     it a captured attestation can be replayed indefinitely.
+ *   - <strong>Debug status</strong> — <code>requireDebugDisabled</code>
+ *     refuses a token whose <code>dbgstat</code> is
+ *     <code>enabled</code> (0) or absent; only the disabled states
+ *     (1–4) pass.
+ *   - <strong>Profile</strong> — <code>expectedProfile</code> pins the
+ *     <code>eat_profile</code> claim.
+ *
+ *   Signing algorithms follow <code>b.cwt</code> / <code>b.cose</code>:
+ *   ES256/384/512 + EdDSA (interoperable today) and ML-DSA-87.
+ *
+ * @card
+ *   RFC 9711 Entity Attestation Token over b.cwt — sign / verify
+ *   device + software attestation claims with verifier-nonce binding,
+ *   debug-status policy, and profile pinning.
+ */
+var cwt = require("./cwt");
+var bCrypto = require("./crypto");
+var validateOpts = require("./validate-opts");
+var { defineClass } = require("./framework-error");
+var EatError = defineClass("EatError", { alwaysPermanent: true });
+// RFC 9711 / IANA CWT Claims registry claim keys.
+var EAT = {                                                                            // allow:raw-byte-literal — RFC 9711 / IANA CWT claim-key labels, not byte sizes
+  nonce: 10, ueid: 256, sueids: 257, oemid: 258, hwmodel: 259, hwversion: 260,         // allow:raw-byte-literal — CWT claim keys
+  uptime: 261, oemboot: 262, dbgstat: 263, location: 264, eat_profile: 265,            // allow:raw-byte-literal — CWT claim keys
+  submods: 266, swname: 270, swversion: 271, manifests: 272, measurements: 273,        // allow:raw-byte-literal — CWT claim keys
+};
+var EAT_BY_LABEL = {};
+Object.keys(EAT).forEach(function (k) { EAT_BY_LABEL[EAT[k]] = k; });
+// RFC 9711 §4.3.1 debug-status enumeration.
+var DBGSTAT = {
+  "enabled": 0, "disabled": 1, "disabled-since-boot": 2,
+  "disabled-permanently": 3, "disabled-fully-and-permanently": 4,
+};
+var DBGSTAT_BY_VALUE = {};
+Object.keys(DBGSTAT).forEach(function (k) { DBGSTAT_BY_VALUE[DBGSTAT[k]] = k; });
+// Standard CWT claim labels → names (RFC 8392 §3.1.1) so EAT's
+// friendly output names the standard claims alongside the EAT ones.
+var STD_NAME = { 1: "iss", 2: "sub", 3: "aud", 4: "exp", 5: "nbf", 6: "iat", 7: "cti" };
+function _toBuf(x) {
+  if (Buffer.isBuffer(x)) return x;
+  if (x instanceof Uint8Array) return Buffer.from(x);
+  if (typeof x === "string") return Buffer.from(x, "utf8");
+  return null;
+}
+function _nonceMatches(claimValue, expected) {
+  var exp = _toBuf(expected);
+  if (!exp) return false;
+  // eat_nonce may be a single byte string or an array of them (one per
+  // verifier). Constant-time compare against each candidate.
+  var candidates = Array.isArray(claimValue) ? claimValue : [claimValue];
+  for (var i = 0; i < candidates.length; i++) {
+    var c = _toBuf(candidates[i]);
+    if (c && c.length === exp.length && bCrypto.timingSafeEqual(c, exp)) return true;
+  }
+  return false;
+}
+/**
+ * @primitive b.eat.sign
+ * @signature b.eat.sign(claims, opts)
+ * @since     0.12.35
+ * @status    stable
+ * @related   b.eat.verify, b.cwt.sign
+ *
+ * Sign EAT attestation claims into a CWT. EAT claim names map to their
+ * RFC 9711 integer labels; <code>dbgstat</code> accepts the enum name
+ * (<code>"disabled-since-boot"</code>) or its integer. Standard CWT
+ * claims (<code>iss</code> / <code>exp</code> / …) pass through to
+ * <code>b.cwt.sign</code>.
+ *
+ * @opts
+ *   {
+ *     alg:        string,   // COSE signing alg (ES256 / EdDSA / ML-DSA-87 / …)
+ *     privateKey: object,   // signing key
+ *     kid?:       string,
+ *     tagged?:    boolean,  // CWT tag 61
+ *   }
+ *
+ * @example
+ *   var eat = await b.eat.sign(
+ *     { nonce: rpNonce, ueid: deviceUeid, oemid: oem, dbgstat: "disabled-permanently",
+ *       eat_profile: "https://example.com/eat/profile-1", iat: Math.floor(Date.now()/1000) },
+ *     { alg: "ES256", privateKey: deviceKey });
+ */
+async function sign(claims, opts) {
+  if (!claims || typeof claims !== "object" || Array.isArray(claims)) {
+    throw new EatError("eat/bad-claims", "eat.sign: claims must be a plain object");
+  }
+  validateOpts.requireObject(opts, "eat.sign", EatError);
+  // Translate EAT claim names to their integer labels into a Map (so
+  // the integer keys survive — a plain object would stringify them).
+  // Standard CWT names (iss/sub/aud/exp/nbf/iat/cti) + custom keys are
+  // left for b.cwt.sign to handle.
+  var mapped = new Map();
+  var keys = Object.keys(claims);
+  for (var i = 0; i < keys.length; i++) {
+    var name = keys[i];
+    var value = claims[name];
+    if (name === "dbgstat" && typeof value === "string") {
+      if (!Object.prototype.hasOwnProperty.call(DBGSTAT, value)) {
+        throw new EatError("eat/bad-dbgstat",
+          "eat.sign: dbgstat must be one of " + Object.keys(DBGSTAT).join(" / ") + " (or an integer 0-4)");
+      }
+      value = DBGSTAT[value];
+    }
+    mapped.set(Object.prototype.hasOwnProperty.call(EAT, name) ? EAT[name] : name, value);
+  }
+  return cwt.sign(mapped, opts);
+}
+/**
+ * @primitive b.eat.verify
+ * @signature b.eat.verify(eat, opts)
+ * @since     0.12.35
+ * @status    stable
+ * @related   b.eat.sign, b.cwt.verify
+ *
+ * Verify an EAT and return its attestation claims. Delegates the CWT
+ * signature + algorithm-allowlist + time-claim checks to
+ * <code>b.cwt.verify</code>, then enforces the attestation contract:
+ * the <code>eat_nonce</code> must match <code>expectedNonce</code>
+ * (when supplied — the freshness/anti-replay binding),
+ * <code>requireDebugDisabled</code> refuses a non-disabled
+ * <code>dbgstat</code>, and <code>expectedProfile</code> pins
+ * <code>eat_profile</code>.
+ *
+ * @opts
+ *   {
+ *     algorithms:        string[],  // required — accepted COSE algs
+ *     publicKey?:        object,
+ *     keyResolver?:      function,
+ *     expectedNonce?:    Buffer,    // require eat_nonce to match (freshness)
+ *     requireDebugDisabled?: boolean,  // refuse dbgstat enabled / absent
+ *     expectedProfile?:  string,    // pin eat_profile
+ *     expectedIssuer?:   string,    // forwarded to b.cwt.verify
+ *     expectedAudience?: string,
+ *     clockSkewSec?:     number,
+ *     now?:              number,
+ *     externalAad?:      Buffer,
+ *   }
+ *
+ * @example
+ *   var att = await b.eat.verify(eat, { algorithms: ["ES256"], publicKey: devicePub, expectedNonce: rpNonce, requireDebugDisabled: true });
+ *   // → { claims: { nonce, ueid, dbgstat: "disabled-permanently", ... }, raw: Map, alg }
+ */
+async function verify(eat, opts) {
+  validateOpts.requireObject(opts, "eat.verify", EatError);
+  var out = await cwt.verify(eat, {
+    algorithms: opts.algorithms, publicKey: opts.publicKey, keyResolver: opts.keyResolver,
+    expectedIssuer: opts.expectedIssuer, expectedAudience: opts.expectedAudience,
+    clockSkewSec: opts.clockSkewSec, now: opts.now, externalAad: opts.externalAad,
+  });
+  var raw = out.raw;
+  // Nonce binding — the freshness / anti-replay defense. When the RP
+  // supplied a nonce, the token MUST carry a matching eat_nonce.
+  if (opts.expectedNonce != null) {
+    if (!raw.has(EAT.nonce)) {
+      throw new EatError("eat/nonce-missing", "eat.verify: expectedNonce supplied but token has no eat_nonce claim");
+    }
+    if (!_nonceMatches(raw.get(EAT.nonce), opts.expectedNonce)) {
+      throw new EatError("eat/nonce-mismatch", "eat.verify: eat_nonce does not match expectedNonce (stale / replayed attestation)");
+    }
+  }
+  // Debug status — refuse a token that can't prove debug is disabled.
+  if (opts.requireDebugDisabled === true) {
+    var ds = raw.get(EAT.dbgstat);
+    if (typeof ds !== "number" || ds < DBGSTAT.disabled) {
+      throw new EatError("eat/debug-not-disabled",
+        "eat.verify: requireDebugDisabled — dbgstat is " +
+        (ds === undefined ? "absent" : (DBGSTAT_BY_VALUE[ds] || ds)) + ", not a disabled state");
+    }
+  }
+  if (opts.expectedProfile != null && raw.get(EAT.eat_profile) !== opts.expectedProfile) {
+    throw new EatError("eat/profile-mismatch", "eat.verify: eat_profile does not match expectedProfile");
+  }
+  // Build friendly claims: EAT + standard labels → names; decode the
+  // dbgstat enum to its name.
+  var claims = {};
+  raw.forEach(function (v, k) {
+    var name = Object.prototype.hasOwnProperty.call(EAT_BY_LABEL, k) ? EAT_BY_LABEL[k]
+      : (Object.prototype.hasOwnProperty.call(STD_NAME, k) ? STD_NAME[k] : k);
+    if (name === "dbgstat" && typeof v === "number" && Object.prototype.hasOwnProperty.call(DBGSTAT_BY_VALUE, v)) {
+      v = DBGSTAT_BY_VALUE[v];
+    }
+    claims[name] = v;
+  });
+  return { claims: claims, raw: raw, alg: out.alg, protectedHeaders: out.protectedHeaders };
+}
+module.exports = {
+  sign:        sign,
+  verify:      verify,
+  CLAIM_LABELS: EAT,
+  DBGSTAT:     DBGSTAT,
+  EatError:    EatError,
+};

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@blamejs/core",
-  "version": "0.12.34",
+  "version": "0.12.36",
   "description": "The Node framework that owns its stack.",
   "license": "Apache-2.0",
   "author": "blamejs contributors",

package/sbom.cdx.json CHANGED Viewed

@@ -2,10 +2,10 @@
   "$schema": "http://cyclonedx.org/schema/bom-1.5.schema.json",
   "bomFormat": "CycloneDX",
   "specVersion": "1.5",
-  "serialNumber": "urn:uuid:619f056d-4027-4805-8bea-f39101edd638",
+  "serialNumber": "urn:uuid:0d92b39a-5bed-4091-9927-a887660568ee",
   "version": 1,
   "metadata": {
-    "timestamp": "2026-05-24T22:52:17.036Z",
+    "timestamp": "2026-05-25T00:19:35.328Z",
     "lifecycles": [
       {
         "phase": "build"
@@ -19,14 +19,14 @@
       }
     ],
     "component": {
-      "bom-ref": "@blamejs/core@0.12.34",
+      "bom-ref": "@blamejs/core@0.12.36",
       "type": "application",
       "name": "blamejs",
-      "version": "0.12.34",
+      "version": "0.12.36",
       "scope": "required",
       "author": "blamejs contributors",
       "description": "The Node framework that owns its stack.",
-      "purl": "pkg:npm/%40blamejs/core@0.12.34",
+      "purl": "pkg:npm/%40blamejs/core@0.12.36",
       "properties": [],
       "externalReferences": [
         {
@@ -54,7 +54,7 @@
   "components": [],
   "dependencies": [
     {
-      "ref": "@blamejs/core@0.12.34",
+      "ref": "@blamejs/core@0.12.36",
       "dependsOn": []
     }
   ]