@blamejs/core 0.12.57 → 0.12.58

package/CHANGELOG.md

@@ -8,6 +8,8 @@ upgrading across more than a few patches at a time.
 
 ## v0.12.x
 
+- v0.12.58 (2026-05-25) — **`b.jsonPointer` (RFC 6901) + `b.jsonPatch` (RFC 6902) — JSON Pointer + Patch.** Two related JSON primitives. b.jsonPointer.get references a value within a JSON document by RFC 6901 path (/foo/0/bar), handling the ~1 / ~0 escapes and array indices, and refusing pointers that do not resolve. b.jsonPatch.apply applies an RFC 6902 patch — add / remove / replace / move / copy / test — the standard HTTP PATCH payload (application/json-patch+json). It is atomic: operations run against a deep copy, so a failure at any step (an out-of-range index, a missing source, or a failed test) throws and leaves the input document untouched, and test compares values structurally. Verified against the official json-patch/json-patch-tests conformance suite (every enabled result and error case) plus the RFC 6901 §5 pointer examples. **Added:** *`b.jsonPointer.get(doc, pointer)` / `b.jsonPointer.parse(pointer)`* — Resolve an RFC 6901 JSON Pointer against a document — walking object keys and array indices, decoding `~1` → `/` and `~0` → `~`, and returning the whole document for the empty pointer. Throws `json-pointer/not-found` for a missing key, an out-of-range or non-numeric (leading-zero) array index, or descent into a primitive, and `json-pointer/bad-pointer` for a non-`/`-prefixed pointer. `parse` exposes the decoded reference tokens. · *`b.jsonPatch.apply(doc, operations)`* — Apply an RFC 6902 patch and return the result. Supports `add` (insert / append with `-` for arrays, set for objects, whole-document for `""`), `remove`, `replace` (overwrite an existing location), `move`, `copy`, and `test` (structural equality). Atomic — the patch runs on a deep copy, so the input `doc` is never mutated and any failure (unknown op, missing `path` / `value` / `from`, bad index, failed `test`, or moving a location into its own child) throws a typed error. Paths are RFC 6901 pointers resolved through `b.jsonPointer`; suitable for HTTP PATCH endpoints.
+
 - v0.12.57 (2026-05-25) — **`b.linkHeader` — RFC 8288 Web Linking (HTTP Link header) codec.** Parse and build the HTTP Link header (RFC 8288) — the standard way to convey resource relations, most visibly REST pagination (Link: <…?page=2>; rel="next"). b.linkHeader.parse returns one { uri, rel, params } per link, splitting multiple links on top-level commas and unwrapping quoted parameter values via the framework's RFC 8941 structured-field helpers, so a comma inside a quoted title never fake-splits the list; rel is exposed as its array of space-separated relation types. b.linkHeader.serialize is the inverse, angle-bracketing the URI, emitting rel first, and double-quoting parameter values. Verified against the RFC 8288 §3.5 examples and GitHub-style pagination links. **Added:** *`b.linkHeader.parse(headerValue)` / `b.linkHeader.serialize(links)`* — `parse` reads an HTTP Link header into `[{ uri, rel, params }]` — `uri` is the angle-bracketed target, `rel` the array of space-separated relation types, `params` the remaining parameters with quoted values unwrapped (a repeated parameter keeps the first occurrence per RFC 8288 §3.4). It refuses a link without a bracketed URI, an unterminated URI or quoted parameter, control bytes, and oversized headers. `serialize` builds the header value from `{ uri, rel, params? }` objects (or a single one), angle-bracketing the URI and double-quoting parameter values. Composes the framework's structured-field splitter so quoting is handled consistently; pair with `b.pagination` to emit standard `rel="next"` / `rel="prev"` navigation.
 
 - v0.12.56 (2026-05-25) — **`b.canonicalJson` — RFC 8785 JSON Canonicalization Scheme, now a public primitive.** The deterministic JSON serializer the framework uses internally for audit-chain and config-drift fingerprints is now an operator-facing primitive, for signing your own JSON (custom credentials, receipts, deterministic request signing). b.canonicalJson.stringifyJcs is strict RFC 8785: keys sorted in UTF-16 code-unit order at every depth, numbers in the ECMAScript format JCS references, and types JCS does not define (BigInt / Buffer / Date / Map / Set / circular references) refused rather than silently lost. b.canonicalJson.stringify is a lenient variant that also serializes Buffers (hex), Dates (ISO-8601), and BigInts. Exposing it surfaced and fixed a latent ordering bug: the serializer built a sorted-key object and let JSON.stringify emit it, but V8 hoists integer-like keys ("1", "10") to the front — so canonical output was wrong for objects with integer-like string keys. Members are now written in sorted order directly. Validated against the official cyberphone/json-canonicalization conformance vectors. **Added:** *`b.canonicalJson.stringifyJcs(value)` / `stringify(value, opts?)` / `sortKeys(obj)`* — `stringifyJcs` produces strict RFC 8785 canonical JSON — the byte-for-byte stable form to hash or sign — with UTF-16 code-unit key sorting and ECMAScript number formatting, refusing BigInt / Buffer / Date / Map / Set / RegExp / Symbol / function / circular references. `stringify` is the lenient framework variant (Buffers → hex, Dates → ISO-8601, BigInts → decimal; `opts.bufferAs: "reject"` to forbid binary). `sortKeys` returns an object's own keys in the canonical UTF-16 ordering. These were framework-internal; they are now documented public API. **Fixed:** *Canonical JSON now emits integer-like keys in sorted order* — The canonical serializer built a sorted-key object and serialized it with JSON.stringify, which hoists integer-like string keys ("1", "10") to the front per V8 own-property ordering — producing non-canonical output for objects containing such keys (a violation of RFC 8785 §3.2.3). Members are now written in sorted-key order directly. Real-world consumers (audit-chain, config-drift) use named fields and are unaffected; only objects with integer-like string keys change, and the new output is the correct canonical form.

package/README.md

@@ -99,6 +99,7 @@ The framework bundles the surface a typical Node app reaches for. Every primitiv
 - **Signed webhooks + API encryption** — SLH-DSA-SHAKE-256f default; ML-DSA-65 opt-in; ECIES API encryption (`b.webhook`, `b.crypto`)
 - **HPKE / HTTP signatures** — RFC 9180 HPKE with ML-KEM-1024 + HKDF-SHA3-512 + ChaCha20-Poly1305 (`b.crypto.hpke`); RFC 9421 HTTP Message Signatures with derived components and ed25519 / ML-DSA-65 (`b.crypto.httpSig`); RFC 9530 Content-Digest / Repr-Digest body-integrity fields (SHA-256 / SHA-512, legacy algorithms refused — `b.contentDigest`) to sign the digest rather than the whole body
 - **Link header** — RFC 8288 Web Linking codec (`b.linkHeader.parse` / `serialize`): parse and build `Link: <uri>; rel="next"` relations, the standard REST pagination mechanism; quote-aware (a comma inside a quoted parameter never splits the list)
+- **JSON Pointer / Patch** — RFC 6901 `b.jsonPointer.get` (reference a value by `/foo/0/bar`) + RFC 6902 `b.jsonPatch.apply` (atomic add / remove / replace / move / copy / test for HTTP PATCH; the input document is never mutated, structural `test` comparison)
 - **Canonical JSON** — RFC 8785 JSON Canonicalization Scheme (`b.canonicalJson.stringifyJcs`): the deterministic, sorted-key byte form to hash or sign (custom credentials, receipts, deterministic request signing); UTF-16 key ordering + ECMAScript number formatting, with a lenient `stringify` variant for Buffers / Dates / BigInts
 - **Structured Fields** — full RFC 9651 codec (`b.structuredFields.parse` / `serialize`): Items / Lists / Dictionaries, Inner Lists, Parameters, and every bare-item type (Integer / Decimal / String / Token / Byte Sequence / Boolean / Date / Display String) with strict grammar + range enforcement — the parser behind Content-Digest, Client Hints, and HTTP Message Signatures
 - **CMS codec** — RFC 5652 Cryptographic Message Syntax encoder + decoder with PQC signers (ML-DSA-65 / ML-DSA-87 / SLH-DSA-SHAKE-256f; RFC 9909 + 9881) and KEMRecipientInfo recipients (ML-KEM-1024; RFC 9629 + 9936); ChaCha20-Poly1305 content encryption (RFC 8103) so Efail-class malleability cannot apply (`b.cms`)

package/index.js

@@ -398,6 +398,8 @@ var privacyPass = require("./lib/privacy-pass");
 var contentDigest = require("./lib/content-digest");
 var canonicalJson = require("./lib/canonical-json");
 var linkHeader = require("./lib/link-header");
+var jsonPointer = require("./lib/json-pointer");
+var jsonPatch = require("./lib/json-patch");
 var standardWebhooks = require("./lib/standard-webhooks");
 var lro = require("./lib/lro");
 var jsonApi = require("./lib/jsonapi");
@@ -417,6 +419,8 @@ module.exports = {
   contentDigest:    contentDigest,
   canonicalJson:    canonicalJson,
   linkHeader:       linkHeader,
+  jsonPointer:      jsonPointer,
+  jsonPatch:        jsonPatch,
   standardWebhooks: standardWebhooks,
   lro:              lro,
   jsonApi:          jsonApi,

package/lib/json-patch.js

@@ -0,0 +1,206 @@
+"use strict";
+/**
+ * @module b.jsonPatch
+ * @nav    Data
+ * @title  JSON Patch
+ *
+ * @intro
+ *   Apply an RFC 6902 JSON Patch — an ordered list of operations
+ *   (<code>add</code>, <code>remove</code>, <code>replace</code>,
+ *   <code>move</code>, <code>copy</code>, <code>test</code>) — to a JSON
+ *   document, the standard payload of an HTTP <code>PATCH</code> with
+ *   <code>Content-Type: application/json-patch+json</code>. Each
+ *   operation's <code>path</code> (and <code>from</code>) is an RFC 6901
+ *   JSON Pointer, resolved through <code>b.jsonPointer</code>.
+ *
+ *   <code>apply</code> is atomic: operations run against a deep copy, so
+ *   if any operation fails — an out-of-range index, a missing source, or
+ *   a failed <code>test</code> — the original document is returned
+ *   untouched and a typed error is thrown. The <code>test</code>
+ *   operation compares structurally (object key order is irrelevant).
+ *
+ * @card
+ *   JSON Patch (RFC 6902) — apply add / remove / replace / move / copy /
+ *   test operations to a JSON document for HTTP PATCH. Atomic
+ *   (all-or-nothing on a copy) with structural <code>test</code>
+ *   comparison; paths are RFC 6901 JSON Pointers.
+ */
+
+var jsonPointer = require("./json-pointer");
+var canonicalJson = require("./canonical-json");
+var { defineClass } = require("./framework-error");
+
+var JsonPatchError = defineClass("JsonPatchError", { alwaysPermanent: true });
+
+var OPS = { add: 1, remove: 1, replace: 1, move: 1, copy: 1, test: 1 };
+
+// Structural equality for the `test` op — canonical (sorted-key) JSON of
+// both sides, so member order does not matter (RFC 6902 §4.6).
+function _deepEqual(a, b) {
+  return canonicalJson.stringify(a) === canonicalJson.stringify(b);
+}
+
+// Set an own property WITHOUT invoking the legacy __proto__ setter — a
+// patch with path "/__proto__" must create a literal JSON key, not
+// rewrite the object's prototype (prototype-pollution defense). Object
+// member reads above are already gated by hasOwnProperty, so traversal
+// through an inherited __proto__ is blocked; only the write needs this.
+function _safeObjectSet(obj, key, value) {
+  Object.defineProperty(obj, key, { value: value, writable: true, enumerable: true, configurable: true });
+}
+
+// Split a pointer into { parent: tokens, key }; "" (whole doc) → null.
+function _parentAndKey(pointer) {
+  var tokens = jsonPointer.parse(pointer);
+  if (tokens.length === 0) return null;
+  return { parent: tokens.slice(0, -1), key: tokens[tokens.length - 1] };
+}
+
+function _resolveParent(doc, parentTokens, fn) {
+  var cur = doc;
+  for (var i = 0; i < parentTokens.length; i += 1) {
+    if (Array.isArray(cur)) {
+      if (!jsonPointer.ARRAY_INDEX_RE.test(parentTokens[i]) || Number(parentTokens[i]) >= cur.length) {   // allow:regex-no-length-cap — anchored linear index regex (no backtracking); tokens are short JSON Pointer segments
+        throw new JsonPatchError("json-patch/path-not-found", "jsonPatch." + fn + ": path parent does not resolve at '" + parentTokens[i] + "'");
+      }
+      cur = cur[Number(parentTokens[i])];
+    } else if (cur !== null && typeof cur === "object") {
+      if (!Object.prototype.hasOwnProperty.call(cur, parentTokens[i])) {
+        throw new JsonPatchError("json-patch/path-not-found", "jsonPatch." + fn + ": path parent does not resolve at '" + parentTokens[i] + "'");
+      }
+      cur = cur[parentTokens[i]];
+    } else {
+      throw new JsonPatchError("json-patch/path-not-found", "jsonPatch." + fn + ": cannot descend into a non-container at '" + parentTokens[i] + "'");
+    }
+  }
+  return cur;
+}
+
+function _addAt(doc, pointer, value, fn) {
+  var pk = _parentAndKey(pointer);
+  if (pk === null) return value;                              // add to "" replaces the whole document
+  var parent = _resolveParent(doc, pk.parent, fn);
+  if (Array.isArray(parent)) {
+    if (pk.key === "-") { parent.push(value); return doc; }
+    if (!jsonPointer.ARRAY_INDEX_RE.test(pk.key)) throw new JsonPatchError("json-patch/bad-index", "jsonPatch." + fn + ": array index '" + pk.key + "' is invalid");   // allow:regex-no-length-cap — anchored linear index regex (no backtracking); tokens are short JSON Pointer segments
+    var idx = Number(pk.key);
+    if (idx > parent.length) throw new JsonPatchError("json-patch/bad-index", "jsonPatch." + fn + ": array index " + idx + " is out of range");
+    parent.splice(idx, 0, value);
+    return doc;
+  }
+  if (parent !== null && typeof parent === "object") { _safeObjectSet(parent, pk.key, value); return doc; }
+  throw new JsonPatchError("json-patch/path-not-found", "jsonPatch." + fn + ": target parent is not a container");
+}
+
+function _removeAt(doc, pointer, fn) {
+  var pk = _parentAndKey(pointer);
+  if (pk === null) throw new JsonPatchError("json-patch/bad-op", "jsonPatch." + fn + ": cannot remove the whole document");
+  var parent = _resolveParent(doc, pk.parent, fn);
+  if (Array.isArray(parent)) {
+    if (!jsonPointer.ARRAY_INDEX_RE.test(pk.key) || Number(pk.key) >= parent.length) throw new JsonPatchError("json-patch/path-not-found", "jsonPatch." + fn + ": array index '" + pk.key + "' does not exist");   // allow:regex-no-length-cap — anchored linear index regex (no backtracking); tokens are short JSON Pointer segments
+    var removed = parent.splice(Number(pk.key), 1)[0];
+    return removed;
+  }
+  if (parent !== null && typeof parent === "object") {
+    if (!Object.prototype.hasOwnProperty.call(parent, pk.key)) throw new JsonPatchError("json-patch/path-not-found", "jsonPatch." + fn + ": key '" + pk.key + "' does not exist");
+    var v = parent[pk.key];
+    delete parent[pk.key];
+    return v;
+  }
+  throw new JsonPatchError("json-patch/path-not-found", "jsonPatch." + fn + ": target parent is not a container");
+}
+
+// replace overwrites an EXISTING location (array set, not insert), unlike
+// add which inserts (RFC 6902 §4.3). The target must already exist.
+function _replaceAt(doc, pointer, value, fn) {
+  var pk = _parentAndKey(pointer);
+  if (pk === null) return value;                              // replace "" → the whole document
+  var parent = _resolveParent(doc, pk.parent, fn);
+  if (Array.isArray(parent)) {
+    if (!jsonPointer.ARRAY_INDEX_RE.test(pk.key) || Number(pk.key) >= parent.length) throw new JsonPatchError("json-patch/path-not-found", "jsonPatch." + fn + ": replace target array index '" + pk.key + "' does not exist");   // allow:regex-no-length-cap — anchored linear index regex (no backtracking); tokens are short JSON Pointer segments
+    parent[Number(pk.key)] = value;
+    return doc;
+  }
+  if (parent !== null && typeof parent === "object") {
+    if (!Object.prototype.hasOwnProperty.call(parent, pk.key)) throw new JsonPatchError("json-patch/path-not-found", "jsonPatch." + fn + ": replace target key '" + pk.key + "' does not exist");
+    _safeObjectSet(parent, pk.key, value);
+    return doc;
+  }
+  throw new JsonPatchError("json-patch/path-not-found", "jsonPatch." + fn + ": replace target parent is not a container");
+}
+
+/**
+ * @primitive b.jsonPatch.apply
+ * @signature b.jsonPatch.apply(doc, operations)
+ * @since     0.12.58
+ * @status    stable
+ * @compliance soc2
+ * @related   b.jsonPointer.get
+ *
+ * Apply an RFC 6902 JSON Patch (an array of operation objects) to a JSON
+ * document and return the patched result. The operations run against a
+ * deep copy, so a failure at any step — an unknown op, a missing
+ * <code>path</code> / <code>value</code> / <code>from</code>, an
+ * out-of-range array index, or a failed <code>test</code> — throws a
+ * typed error and leaves the input <code>doc</code> unmodified. The
+ * <code>test</code> operation compares values structurally.
+ *
+ * @example
+ *   b.jsonPatch.apply({ a: 1 }, [
+ *     { op: "add", path: "/b", value: 2 },
+ *     { op: "remove", path: "/a" },
+ *   ]);
+ *   // → { b: 2 }
+ */
+function apply(doc, operations) {
+  if (!Array.isArray(operations)) throw new JsonPatchError("json-patch/bad-patch", "jsonPatch.apply: operations must be an array");
+  var work = structuredClone(doc);
+  for (var i = 0; i < operations.length; i += 1) {
+    var op = operations[i];
+    if (!op || typeof op !== "object" || typeof op.op !== "string" || !OPS[op.op]) {
+      throw new JsonPatchError("json-patch/bad-op", "jsonPatch.apply: operations[" + i + "] has an invalid 'op'");
+    }
+    if (typeof op.path !== "string") throw new JsonPatchError("json-patch/bad-op", "jsonPatch.apply: operations[" + i + "] is missing 'path'");
+
+    if (op.op === "add") {
+      if (!("value" in op)) throw new JsonPatchError("json-patch/bad-op", "jsonPatch.apply: 'add' requires 'value'");
+      work = _addAt(work, op.path, op.value, "apply");
+    } else if (op.op === "remove") {
+      work = _wholeOrMutate(work, op.path, function (d) { return _removeAt(d, op.path, "apply"); });
+    } else if (op.op === "replace") {
+      if (!("value" in op)) throw new JsonPatchError("json-patch/bad-op", "jsonPatch.apply: 'replace' requires 'value'");
+      work = _replaceAt(work, op.path, op.value, "apply");
+    } else if (op.op === "move" || op.op === "copy") {
+      if (typeof op.from !== "string") throw new JsonPatchError("json-patch/bad-op", "jsonPatch.apply: '" + op.op + "' requires 'from'");
+      if (op.op === "move" && (op.path === op.from || _isProperPrefix(op.from, op.path))) {
+        if (op.path !== op.from) throw new JsonPatchError("json-patch/bad-op", "jsonPatch.apply: cannot move a location into one of its children");
+      }
+      var moved = op.op === "move" ? _removeAt(work, op.from, "apply") : structuredClone(jsonPointer.get(work, op.from));
+      work = _addAt(work, op.path, moved, "apply");
+    } else if (op.op === "test") {
+      if (!("value" in op)) throw new JsonPatchError("json-patch/bad-op", "jsonPatch.apply: 'test' requires 'value'");
+      var actual = jsonPointer.get(work, op.path);
+      if (!_deepEqual(actual, op.value)) throw new JsonPatchError("json-patch/test-failed", "jsonPatch.apply: 'test' at '" + op.path + "' did not match");
+    }
+  }
+  return work;
+}
+
+// remove/replace at "" is undefined in RFC 6902; route whole-doc ops
+// through here so they fail cleanly rather than corrupting state.
+function _wholeOrMutate(doc, pointer, mutate) {
+  if (pointer === "") throw new JsonPatchError("json-patch/bad-op", "jsonPatch.apply: cannot remove the whole document");
+  mutate(doc);
+  return doc;
+}
+
+// Is `prefix` a proper ancestor pointer of `path`? (move-into-child guard)
+function _isProperPrefix(prefix, path) {
+  return path !== prefix && path.indexOf(prefix + "/") === 0;
+}
+
+module.exports = {
+  apply:          apply,
+  OPS:            OPS,
+  JsonPatchError: JsonPatchError,
+};

package/lib/json-pointer.js

@@ -0,0 +1,109 @@
+"use strict";
+/**
+ * @module b.jsonPointer
+ * @nav    Data
+ * @title  JSON Pointer
+ *
+ * @intro
+ *   Reference a single value within a JSON document by path (RFC 6901) —
+ *   <code>/foo/0/bar</code> walks <code>doc.foo[0].bar</code>. A pointer
+ *   is a sequence of <code>/</code>-prefixed reference tokens; the empty
+ *   string points at the whole document. The two escapes
+ *   (<code>~1</code> → <code>/</code>, <code>~0</code> → <code>~</code>)
+ *   let a token contain a literal slash or tilde.
+ *
+ *   <code>get</code> returns the referenced value or throws when the path
+ *   does not resolve; <code>parse</code> exposes the decoded reference
+ *   tokens. It is the path language JSON Patch (<code>b.jsonPatch</code>)
+ *   builds on.
+ *
+ * @card
+ *   JSON Pointer (RFC 6901) — reference a value inside a JSON document by
+ *   <code>/path/0/token</code>, with the <code>~1</code> / <code>~0</code>
+ *   escapes. The path language behind JSON Patch.
+ */
+
+var { defineClass } = require("./framework-error");
+
+var JsonPointerError = defineClass("JsonPointerError", { alwaysPermanent: true });
+
+var ARRAY_INDEX_RE = /^(?:0|[1-9][0-9]*)$/;                  // no leading zeros (RFC 6901 §4)
+
+/**
+ * @primitive b.jsonPointer.parse
+ * @signature b.jsonPointer.parse(pointer)
+ * @since     0.12.58
+ * @status    stable
+ * @related   b.jsonPointer.get, b.jsonPatch.apply
+ *
+ * Decode an RFC 6901 JSON Pointer string into its array of reference
+ * tokens, unescaping <code>~1</code> → <code>/</code> and <code>~0</code>
+ * → <code>~</code>. The empty string yields an empty array (the whole
+ * document); a non-empty pointer must begin with <code>/</code>.
+ *
+ * @example
+ *   b.jsonPointer.parse("/a~1b/m~0n");
+ *   // → ["a/b", "m~n"]
+ */
+function parse(pointer) {
+  if (typeof pointer !== "string") throw new JsonPointerError("json-pointer/bad-pointer", "jsonPointer: pointer must be a string");
+  if (pointer === "") return [];
+  if (pointer.charAt(0) !== "/") throw new JsonPointerError("json-pointer/bad-pointer", "jsonPointer: a non-empty pointer must start with '/'");
+  return pointer.split("/").slice(1).map(function (tok) {
+    // RFC 6901 §3: the only valid `~` escapes are ~0 and ~1; a tilde
+    // followed by anything else (or at end of token) is malformed.
+    if (/~(?![01])/.test(tok)) throw new JsonPointerError("json-pointer/bad-pointer", "jsonPointer: invalid '~' escape (only ~0 and ~1 are allowed)");
+    return tok.replace(/~1/g, "/").replace(/~0/g, "~");      // ~1 before ~0 (RFC 6901 §4)
+  });
+}
+
+// Resolve a token against the current node; returns { found, value }.
+function _step(node, token) {
+  if (Array.isArray(node)) {
+    if (!ARRAY_INDEX_RE.test(token)) return { found: false };   // allow:regex-no-length-cap — anchored linear index regex (no backtracking); tokens are short JSON Pointer segments
+    var idx = Number(token);
+    if (idx >= node.length) return { found: false };
+    return { found: true, value: node[idx] };
+  }
+  if (node !== null && typeof node === "object") {
+    if (!Object.prototype.hasOwnProperty.call(node, token)) return { found: false };
+    return { found: true, value: node[token] };
+  }
+  return { found: false };
+}
+
+/**
+ * @primitive b.jsonPointer.get
+ * @signature b.jsonPointer.get(doc, pointer)
+ * @since     0.12.58
+ * @status    stable
+ * @related   b.jsonPointer.parse, b.jsonPatch.apply
+ *
+ * Return the value an RFC 6901 pointer references within a JSON document,
+ * walking object keys and array indices. Throws
+ * <code>json-pointer/not-found</code> when a token does not resolve (a
+ * missing key, an out-of-range or non-numeric array index, or descending
+ * into a primitive). The whole document is returned for the empty
+ * pointer.
+ *
+ * @example
+ *   b.jsonPointer.get({ foo: ["a", "b"] }, "/foo/1");
+ *   // → "b"
+ */
+function get(doc, pointer) {
+  var tokens = parse(pointer);
+  var cur = doc;
+  for (var i = 0; i < tokens.length; i += 1) {
+    var r = _step(cur, tokens[i]);
+    if (!r.found) throw new JsonPointerError("json-pointer/not-found", "jsonPointer.get: pointer does not resolve at token '" + tokens[i] + "'");
+    cur = r.value;
+  }
+  return cur;
+}
+
+module.exports = {
+  parse:            parse,
+  get:              get,
+  ARRAY_INDEX_RE:   ARRAY_INDEX_RE,
+  JsonPointerError: JsonPointerError,
+};

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@blamejs/core",
-  "version": "0.12.57",
+  "version": "0.12.58",
   "description": "The Node framework that owns its stack.",
   "license": "Apache-2.0",
   "author": "blamejs contributors",

package/sbom.cdx.json

@@ -2,10 +2,10 @@
   "$schema": "http://cyclonedx.org/schema/bom-1.5.schema.json",
   "bomFormat": "CycloneDX",
   "specVersion": "1.5",
-  "serialNumber": "urn:uuid:a145d843-4618-44c4-8e2b-082f70687064",
+  "serialNumber": "urn:uuid:f2b36704-2d8b-4410-9d50-785fba41343d",
   "version": 1,
   "metadata": {
-    "timestamp": "2026-05-25T23:07:17.164Z",
+    "timestamp": "2026-05-26T00:20:31.737Z",
     "lifecycles": [
       {
         "phase": "build"
@@ -19,14 +19,14 @@
       }
     ],
     "component": {
-      "bom-ref": "@blamejs/core@0.12.57",
+      "bom-ref": "@blamejs/core@0.12.58",
       "type": "application",
       "name": "blamejs",
-      "version": "0.12.57",
+      "version": "0.12.58",
       "scope": "required",
       "author": "blamejs contributors",
       "description": "The Node framework that owns its stack.",
-      "purl": "pkg:npm/%40blamejs/core@0.12.57",
+      "purl": "pkg:npm/%40blamejs/core@0.12.58",
       "properties": [],
       "externalReferences": [
         {
@@ -54,7 +54,7 @@
   "components": [],
   "dependencies": [
     {
-      "ref": "@blamejs/core@0.12.57",
+      "ref": "@blamejs/core@0.12.58",
       "dependsOn": []
     }
   ]