@blamejs/core 0.12.61 → 0.12.63

package/CHANGELOG.md

@@ -8,6 +8,10 @@ upgrading across more than a few patches at a time.
 
 ## v0.12.x
 
+- v0.12.63 (2026-05-25) — **`b.cloudEvents` gains the JSON event format, batch, and the HTTP binding.** b.cloudEvents grows beyond wrap / parse into a full CloudEvents 1.0.2 surface. b.cloudEvents.validate / isValid check an envelope against the spec without throwing (the non-throwing companion to parse). toJSON / fromJSON serialize and parse the JSON event format, and toJSONBatch / fromJSONBatch handle the JSON batch format; untrusted bodies parse through the framework's bounded, prototype-pollution-safe JSON reader. The new http.* binding speaks both content modes the spec defines — binary mode spreads context attributes across percent-encoded ce-* headers with the data in the body, structured mode carries the whole event as application/cloudevents+json — plus the batch mode, and http.decode auto-detects the incoming mode from Content-Type exactly as a conformant receiver does. Verified against the spec's normative example events. **Added:** *`b.cloudEvents` JSON event format, batch, and HTTP binding* — `validate` / `isValid` report spec violations without throwing (the non-throwing companion to `parse`). `toJSON` / `fromJSON` and `toJSONBatch` / `fromJSONBatch` serialize and parse the JSON event and batch formats over the existing envelope shape. `http.encodeBinary` / `http.encodeStructured` / `http.encodeBatch` render the three HTTP content modes — binary spreads attributes across percent-encoded `ce-*` headers, structured and batched carry the event(s) as `application/cloudevents+json` / `application/cloudevents-batch+json` — and `http.decode` parses a request back into an envelope (or array) by auto-detecting the mode from `Content-Type`. `b.jtd` or `b.safeSchema` still validate the event's `data` payload. **Fixed:** *`b.csp.build` accepts `fenced-frame-src` and `webrtc`* — The CSP3 `fenced-frame-src` directive — which the default security-headers policy emits to block `<fencedframe>` embeds — was missing from the builder's recognized-directive set, so the default policy could not round-trip through `b.csp.build` (it threw `csp/unknown-directive`). Both `fenced-frame-src` and the CSP3 `webrtc` directive are now recognized.
+
+- v0.12.62 (2026-05-26) — **`b.jtd` — JSON Type Definition validation (RFC 8927).** Validate JSON against a JSON Type Definition schema (RFC 8927) — a small, portable, cross-implementation schema language, the interop-friendly companion to the framework's fluent b.safeSchema builder. b.jtd.validate(schema, instance) returns an array of { instancePath, schemaPath } errors (empty = valid); b.jtd.isValid is the boolean form. All eight schema forms are supported — empty, type, enum, elements, properties (with optional / additional properties and nullable), values, discriminator (with mapping), and ref (with definitions) — including the integer-range and RFC 3339 timestamp types. A malformed schema is rejected at compile time with jtd/bad-schema rather than silently mis-validating. Verified against the official json-typedef-spec suites: all 316 validation cases and all 49 invalid-schema cases. **Added:** *`b.jtd.validate(schema, instance)` / `b.jtd.isValid(schema, instance)`* — `validate` returns the RFC 8927 error list — each `{ instancePath, schemaPath }` naming the offending value and the broken schema rule — and `isValid` is the boolean convenience form. Supports every JTD form and type: the numeric types enforce their exact ranges (int8 … uint32, float32 / float64), `timestamp` requires an RFC 3339 date-time, `properties` honours `optionalProperties` / `additionalProperties` / `nullable`, and `discriminator` selects a `mapping` schema by a tag property. The schema is checked for well-formedness before validation, so unknown keywords, multiple forms, bad refs, or a discriminator over a non-properties mapping all throw `jtd/bad-schema`. Use JTD for schemas you share across implementations or generate code from; use `b.safeSchema` for in-process fluent validation.
+
 - v0.12.61 (2026-05-26) — **`b.jsonPath` — JSONPath query (RFC 9535).** A full RFC 9535 JSONPath query evaluator, complementing the framework's JSONPath guards (which screen path strings). b.jsonPath.query(doc, path) compiles a path and returns the matched node values; b.jsonPath.paths returns their normalized locations. The complete surface is implemented: name / wildcard / index / slice selectors, descendant segments (..), filter selectors (?) with comparison and logical operators, relative (@) and absolute ($) embedded queries, and the five standard functions length / count / match / search / value — with the spec's well-typedness rules enforced at compile time so a malformed or ill-typed query is rejected rather than silently mis-evaluated. Descendant walks are node-capped to bound work on hostile input. Verified against all 703 cases of the official jsonpath-compliance-test-suite. **Added:** *`b.jsonPath.query(doc, path)` / `b.jsonPath.paths(doc, path)`* — `query` returns the array of node values selected by an RFC 9535 JSONPath; `paths` returns the normalized-path string of each match (e.g. `$['a'][1]['p']`). Supports every selector (name, wildcard `*`, index incl. negative, slice `start:end:step` incl. negative step, comma-separated selections), child and descendant (`..`) segments, and filter expressions with `==` / `!=` / `<` / `<=` / `>` / `>=`, `&&` / `||` / `!`, existence tests, and the standard functions. The well-typedness rules are checked when the path is compiled — a non-singular query used as a comparison operand, an ill-typed function argument, or a value-typed function used as a test all throw `json-path/invalid`. Pairs with `b.guardJsonPath`, which screens operator-supplied path strings before they reach the evaluator.
 
 - v0.12.60 (2026-05-25) — **`b.jsonMergePatch` — JSON Merge Patch (RFC 7396).** The simpler companion to JSON Patch: b.jsonMergePatch.merge applies an RFC 7396 merge patch (application/merge-patch+json), the partial-document PATCH body. A member present in the patch replaces or — for nested objects — merges into the target, a member whose value is null removes that key, and a patch that is itself an array, scalar, or null replaces the target wholesale. The inputs are never mutated (the merge runs on a deep copy) and member keys are written as literal own properties, so a "__proto__" member cannot reach any prototype. Verified against every RFC 7396 Appendix A test case. **Added:** *`b.jsonMergePatch.merge(target, patch)`* — Applies a JSON Merge Patch to a target document and returns the result without mutating either input. When the patch is an object it overlays the target (a null member deletes the key, a nested object merges recursively, any other value replaces); when the patch is an array, scalar, or null it replaces the whole target. Member keys are set via `Object.defineProperty`, so a `"__proto__"` member becomes a literal own key rather than altering a prototype. Pairs with `b.jsonPatch` — merge patch reads like the resource you want, JSON Patch expresses precise operations (array reordering, literal-null values).

package/README.md

@@ -99,6 +99,7 @@ The framework bundles the surface a typical Node app reaches for. Every primitiv
 - **Signed webhooks + API encryption** — SLH-DSA-SHAKE-256f default; ML-DSA-65 opt-in; ECIES API encryption (`b.webhook`, `b.crypto`)
 - **HPKE / HTTP signatures** — RFC 9180 HPKE with ML-KEM-1024 + HKDF-SHA3-512 + ChaCha20-Poly1305 (`b.crypto.hpke`); RFC 9421 HTTP Message Signatures with derived components and ed25519 / ML-DSA-65 (`b.crypto.httpSig`); RFC 9530 Content-Digest / Repr-Digest body-integrity fields (SHA-256 / SHA-512, legacy algorithms refused — `b.contentDigest`) to sign the digest rather than the whole body
 - **Link header** — RFC 8288 Web Linking codec (`b.linkHeader.parse` / `serialize`): parse and build `Link: <uri>; rel="next"` relations, the standard REST pagination mechanism; quote-aware (a comma inside a quoted parameter never splits the list)
+- **JSON Type Definition** — RFC 8927 validation (`b.jtd.validate` / `isValid`): portable, cross-implementation schema validation (all eight forms — type / enum / elements / properties / values / discriminator / ref / empty), returning instancePath / schemaPath errors; validated against the official 316-case suite. Interop companion to the fluent `b.safeSchema` builder
 - **JSONPath** — full RFC 9535 query evaluator (`b.jsonPath.query` / `paths`): name / wildcard / index / slice / descendant selectors, `?filter` expressions, and the five standard functions, with compile-time well-typedness checks (validated against the official 703-case compliance suite); complements the JSONPath guards
 - **JSON Pointer / Patch** — RFC 6901 `b.jsonPointer.get` (reference a value by `/foo/0/bar`) + RFC 6902 `b.jsonPatch.apply` (atomic add / remove / replace / move / copy / test for HTTP PATCH; the input document is never mutated, structural `test` comparison) + RFC 7396 `b.jsonMergePatch.merge` (the `merge-patch+json` partial-document format; both PATCH formats are prototype-pollution-safe)
 - **Canonical JSON** — RFC 8785 JSON Canonicalization Scheme (`b.canonicalJson.stringifyJcs`): the deterministic, sorted-key byte form to hash or sign (custom credentials, receipts, deterministic request signing); UTF-16 key ordering + ECMAScript number formatting, with a lenient `stringify` variant for Buffers / Dates / BigInts
@@ -157,7 +158,7 @@ The framework bundles the surface a typical Node app reaches for. Every primitiv
 - **WebSockets (server)** — channel/room fan-out across cluster replicas; RFC 6455 §5.5 control-frame size + FIN enforcement on inbound (defends 1 MiB-PING-as-PONG amplification) (`b.websocket`, `b.websocketChannels`)
 - **WebSockets (client)** — `b.wsClient` with PQC-TLS handshake, permessage-deflate negotiation with decompression-bomb cap, fatal UTF-8 validation, permanent-error classifier (skips reconnect on 4xx / accept mismatch / bad-subprotocol), exponential-backoff with full jitter
 - **Pub/sub + events** — distributed pub/sub with cluster-table / Redis PUB/SUB / custom backends (`b.pubsub`); framework-emitted signal bus for breach / integrity events (`b.events`)
-- **CloudEvents + SSE** — CloudEvents 1.0 envelope for AWS EventBridge / Knative / Azure Event Grid / Google Eventarc / CNCF (`b.cloudEvents`); Server-Sent Events with newline-injection refusal in `event:` / `id:` / `data:` / `Last-Event-ID` (CVE-2026-33128 / 29085 / 44217 class) (`b.sse`, `b.middleware.sse`)
+- **CloudEvents + SSE** — CloudEvents 1.0.2 for AWS EventBridge / Knative / Azure Event Grid / Google Eventarc / CNCF: `wrap` / `parse` envelopes, non-throwing `validate` / `isValid`, the JSON event + batch formats (`toJSON` / `fromJSON` / `toJSONBatch` / `fromJSONBatch`), and the HTTP binding in both binary and structured content modes with auto-detecting `http.decode` (`b.cloudEvents`); Server-Sent Events with newline-injection refusal in `event:` / `id:` / `data:` / `Last-Event-ID` (CVE-2026-33128 / 29085 / 44217 class) (`b.sse`, `b.middleware.sse`)
 - **Mail (outbound)** — multipart + attachments + DKIM + calendar invites; bounce intake (`b.mail`, `b.mailBounce`)
 - **Mail (outbound delivery)** — turnkey MX-lookup → MTA-STS-fetch → DANE-TLSA → REQUIRETLS handshake → SMTP wire layer → RFC 3464 DSN-on-permanent-failure → deferred-retry scheduling, all wired once (`b.mail.send.deliver`)
 - **Mail (inbound auth)** — SPF / DMARC / ARC verify + ARC chain signing for relays (`b.mail.spf`, `b.mail.dmarc`, `b.mail.arc`)

package/index.js

@@ -402,6 +402,7 @@ var jsonPointer = require("./lib/json-pointer");
 var jsonPatch = require("./lib/json-patch");
 var jsonMergePatch = require("./lib/json-merge-patch");
 var jsonPath = require("./lib/json-path");
+var jtd = require("./lib/jtd");
 var standardWebhooks = require("./lib/standard-webhooks");
 var lro = require("./lib/lro");
 var jsonApi = require("./lib/jsonapi");
@@ -425,6 +426,7 @@ module.exports = {
   jsonPatch:        jsonPatch,
   jsonMergePatch:   jsonMergePatch,
   jsonPath:         jsonPath,
+  jtd:              jtd,
   standardWebhooks: standardWebhooks,
   lro:              lro,
   jsonApi:          jsonApi,

package/lib/backup/manifest.js

@@ -95,7 +95,7 @@ var VALID_KINDS = { "raw": 1, "vault-sealed": 1, "plaintext": 1 };
 // in the manifest, so the hex string is 128 chars long.
 var SHA3_512_HEX_LENGTH = 128;
 var HEX_RE = safeBuffer.HEX_RE;
-var BASE64_RE = /^[A-Za-z0-9+/]*={0,2}$/;
+var BASE64_RE = safeBuffer.BASE64_RE;
 
 function _isHex(s, evenLength) {
   if (typeof s !== "string" || s.length === 0) return false;

package/lib/cloud-events.js

@@ -36,11 +36,16 @@
 
 var nodeCrypto = require("node:crypto");
 var validateOpts = require("./validate-opts");
+var rfc3339 = require("./rfc3339");
+var safeJson = require("./safe-json");
+var safeBuffer = require("./safe-buffer");
+var C = require("./constants");
 var { defineClass } = require("./framework-error");
 
 var CloudEventsError = defineClass("CloudEventsError", { alwaysPermanent: true });
 
 var SPECVERSION = "1.0";
+var DEFAULT_MAX_BYTES = C.BYTES.mib(1);   // fromJSON / http.decode input cap
 
 // CloudEvents §3.1 — required string attributes.
 var REQUIRED_ATTRS = ["id", "source", "specversion", "type"];
@@ -268,9 +273,459 @@ function parse(envelope) {
   };
 }
 
+// ---- validate / isValid (non-throwing spec check) ----
+
+var INT_MIN = -2147483648;                                  // allow:raw-byte-literal — CloudEvents Integer type range
+var INT_MAX = 2147483647;                                   // allow:raw-byte-literal — CloudEvents Integer type range
+// JSON-formatted media type essence (after the parameters are stripped):
+// type/json or type/anything+json. Each run is bounded by the single "/"
+// separator so the match is linear (no overlapping quantifiers → no
+// polynomial backtracking on hostile media-type strings).
+var JSON_MEDIA_RE = /^[^/]+\/(?:[^/]+\+)?json$/i;
+// Extension name MUST be lowercase ASCII alnum (the §3.1 ≤20 length is a
+// SHOULD, so validate enforces only the MUST; wrap is stricter on emit).
+var VALIDATE_EXT_NAME_RE = /^[a-z0-9]+$/;
+
+function _isPlainObject(v) { return v !== null && typeof v === "object" && !Array.isArray(v) && !Buffer.isBuffer(v); }
+function _isNonEmptyString(v) { return typeof v === "string" && v.length > 0; }
+function _isCanonicalBase64(s) { return typeof s === "string" && s.length % 4 === 0 && safeBuffer.BASE64_RE.test(s); }
+function _isJsonMedia(ct) {
+  if (ct == null) return true;   // absent datacontenttype defaults to application/json
+  var essence = String(ct).split(";")[0].trim();   // drop media-type parameters
+  return JSON_MEDIA_RE.test(essence);   // allow:regex-no-length-cap — slash-bounded classes, linear match
+}
+
+function _extIssue(name, v) {
+  if (v === null) return null;
+  if (typeof v === "string" || typeof v === "boolean") return null;
+  if (typeof v === "number") {
+    if (!isFinite(v) || Math.floor(v) !== v) return "extension '" + name + "' must be an integer (CloudEvents has no float type)";
+    if (v < INT_MIN || v > INT_MAX) return "extension '" + name + "' integer out of 32-bit range";
+    return null;
+  }
+  return "extension '" + name + "' must be a string, integer, or boolean";
+}
+
+/**
+ * @primitive b.cloudEvents.validate
+ * @signature b.cloudEvents.validate(event)
+ * @since     0.12.63
+ * @status    stable
+ * @related   b.cloudEvents.parse, b.cloudEvents.fromJSON
+ *
+ * Check an in-memory CloudEvents v1.0 envelope against the §3.1 spec and
+ * return an array of <code>{ attribute, message }</code> issues — an empty
+ * array means the event is conformant. Unlike <code>parse</code> (which
+ * throws and decodes), this never throws, so it suits inspecting events of
+ * unknown provenance before deciding what to do with them.
+ *
+ * @example
+ *   b.cloudEvents.validate({ specversion: "1.0", id: "1",
+ *     source: "/x", type: "com.example.t" });
+ *   // → []
+ */
+function validate(event) {
+  var issues = [];
+  function bad(attribute, message) { issues.push({ attribute: attribute, message: message }); }
+  if (!_isPlainObject(event)) { bad("", "event must be an object"); return issues; }
+
+  if (event.specversion !== SPECVERSION) bad("specversion", "specversion must be the string \"" + SPECVERSION + "\"");
+  if (!_isNonEmptyString(event.id)) bad("id", "id must be a non-empty string");
+  if (!_isNonEmptyString(event.source)) bad("source", "source must be a non-empty URI-reference string");
+  if (!_isNonEmptyString(event.type)) bad("type", "type must be a non-empty string");
+
+  if (event.datacontenttype != null && !_isNonEmptyString(event.datacontenttype)) bad("datacontenttype", "datacontenttype, if present, must be a non-empty string");
+  if (event.dataschema != null && !_isNonEmptyString(event.dataschema)) bad("dataschema", "dataschema, if present, must be a non-empty URI string");
+  if (event.subject != null && !_isNonEmptyString(event.subject)) bad("subject", "subject, if present, must be a non-empty string");
+  if (event.time != null && !rfc3339.isValidDateTime(event.time)) bad("time", "time, if present, must be an RFC 3339 date-time");
+
+  if (Object.prototype.hasOwnProperty.call(event, "data") && Object.prototype.hasOwnProperty.call(event, "data_base64")) {
+    bad("data", "data and data_base64 are mutually exclusive (CloudEvents §3.1.1)");
+  }
+  if (event.data_base64 != null && !_isCanonicalBase64(event.data_base64)) bad("data_base64", "data_base64 must be canonical RFC 4648 base64");
+
+  Object.keys(event).forEach(function (k) {
+    if (REQUIRED_ATTRS.indexOf(k) !== -1 || KNOWN_OPTIONAL_ATTRS[k]) return;
+    if (!VALIDATE_EXT_NAME_RE.test(k)) { bad(k, "attribute name must match [a-z0-9]+ (lower-case letters and digits)"); return; }   // allow:regex-no-length-cap — linear class, key bounded by maxBytes
+    var ei = _extIssue(k, event[k]);
+    if (ei) bad(k, ei);
+  });
+  return issues;
+}
+
+/**
+ * @primitive b.cloudEvents.isValid
+ * @signature b.cloudEvents.isValid(event)
+ * @since     0.12.63
+ * @status    stable
+ * @related   b.cloudEvents.validate
+ *
+ * Boolean convenience form of <code>validate</code> — <code>true</code>
+ * when the event has zero conformance issues.
+ *
+ * @example
+ *   b.cloudEvents.isValid(evt);   // → true
+ */
+function isValid(event) { return validate(event).length === 0; }
+
+function _assertValid(event, label) {
+  var issues = validate(event);
+  if (issues.length) {
+    throw new CloudEventsError("cloud-events/invalid",
+      label + ": " + issues.map(function (i) { return i.message; }).join("; "));
+  }
+}
+
+// ---- JSON event format ----
+
+/**
+ * @primitive b.cloudEvents.toJSON
+ * @signature b.cloudEvents.toJSON(event, opts?)
+ * @since     0.12.63
+ * @status    stable
+ * @related   b.cloudEvents.fromJSON, b.cloudEvents.toJSONBatch
+ *
+ * Serialize a CloudEvents envelope (as produced by <code>wrap</code>) to a
+ * JSON event-format string — media type
+ * <code>application/cloudevents+json</code>. The envelope is already in
+ * wire shape (JSON <code>data</code> inline, binary as a
+ * <code>data_base64</code> string), so this validates it and renders the
+ * JSON. Throws <code>CloudEventsError</code> on a non-conformant event.
+ *
+ * @opts
+ *   space:   number | string,   // JSON.stringify indentation (default: none)
+ *
+ * @example
+ *   var json = b.cloudEvents.toJSON(b.cloudEvents.wrap({ source: "/x", type: "t" }));
+ */
+function toJSON(event, opts) {
+  opts = opts || {};
+  _assertValid(event, "cloudEvents.toJSON");
+  return JSON.stringify(event, null, opts.space);
+}
+
+function _coerceInput(input, label, maxBytes) {
+  if (!Buffer.isBuffer(input) && typeof input !== "string") {
+    throw new CloudEventsError("cloud-events/bad-input", label + ": input must be a string or Buffer");
+  }
+  try {
+    return safeJson.parse(input, { maxBytes: maxBytes });
+  } catch (e) {
+    if (e && e.code === "json/too-large") throw new CloudEventsError("cloud-events/too-large", label + ": input exceeds maxBytes (" + maxBytes + ")");
+    throw new CloudEventsError("cloud-events/bad-json", label + ": body is not valid JSON");
+  }
+}
+
+/**
+ * @primitive b.cloudEvents.fromJSON
+ * @signature b.cloudEvents.fromJSON(input, opts?)
+ * @since     0.12.63
+ * @status    stable
+ * @related   b.cloudEvents.toJSON, b.cloudEvents.parse
+ *
+ * Parse a single JSON event-format document (string or Buffer) into a
+ * validated CloudEvents envelope. Untrusted bytes route through the
+ * framework's bounded, prototype-pollution-safe JSON reader. The envelope
+ * is returned in wire shape (binary stays a <code>data_base64</code>
+ * string); call <code>parse</code> instead when you want the
+ * Buffer-decoded record. Throws <code>CloudEventsError</code> on malformed
+ * or non-conformant input.
+ *
+ * @opts
+ *   maxBytes:   number,   // default: 1 MiB — reject larger inputs
+ *
+ * @example
+ *   var evt = b.cloudEvents.fromJSON(req.rawBody);
+ */
+function fromJSON(input, opts) {
+  opts = opts || {};
+  var maxBytes = opts.maxBytes == null ? DEFAULT_MAX_BYTES : opts.maxBytes;
+  var obj = _coerceInput(input, "cloudEvents.fromJSON", maxBytes);
+  if (!_isPlainObject(obj)) throw new CloudEventsError("cloud-events/invalid", "cloudEvents.fromJSON: event must be a JSON object");
+  _assertValid(obj, "cloudEvents.fromJSON");
+  return obj;
+}
+
+/**
+ * @primitive b.cloudEvents.toJSONBatch
+ * @signature b.cloudEvents.toJSONBatch(events, opts?)
+ * @since     0.12.63
+ * @status    stable
+ * @related   b.cloudEvents.fromJSONBatch, b.cloudEvents.toJSON
+ *
+ * Serialize an array of CloudEvents envelopes to the JSON batch format
+ * (media type <code>application/cloudevents-batch+json</code>) — a JSON
+ * array of events, each rendered as by <code>toJSON</code>. An empty array
+ * yields <code>"[]"</code>.
+ *
+ * @opts
+ *   space:   number | string,   // JSON.stringify indentation (default: none)
+ *
+ * @example
+ *   var body = b.cloudEvents.toJSONBatch([evtA, evtB]);
+ */
+function toJSONBatch(events, opts) {
+  opts = opts || {};
+  if (!Array.isArray(events)) throw new CloudEventsError("cloud-events/bad-input", "cloudEvents.toJSONBatch: events must be an array");
+  events.forEach(function (event, idx) { _assertValid(event, "cloudEvents.toJSONBatch: event[" + idx + "]"); });
+  return JSON.stringify(events, null, opts.space);
+}
+
+/**
+ * @primitive b.cloudEvents.fromJSONBatch
+ * @signature b.cloudEvents.fromJSONBatch(input, opts?)
+ * @since     0.12.63
+ * @status    stable
+ * @related   b.cloudEvents.toJSONBatch, b.cloudEvents.fromJSON
+ *
+ * Parse a JSON batch (a JSON array of events) from a string or Buffer into
+ * an array of validated CloudEvents envelopes. Each element is validated as
+ * by <code>fromJSON</code>; an empty array is valid. A non-array body,
+ * over-size input, or any non-conformant element throws
+ * <code>CloudEventsError</code>.
+ *
+ * @opts
+ *   maxBytes:   number,   // default: 1 MiB — reject larger inputs
+ *
+ * @example
+ *   var events = b.cloudEvents.fromJSONBatch(req.rawBody);
+ */
+function fromJSONBatch(input, opts) {
+  opts = opts || {};
+  var maxBytes = opts.maxBytes == null ? DEFAULT_MAX_BYTES : opts.maxBytes;
+  var arr = _coerceInput(input, "cloudEvents.fromJSONBatch", maxBytes);
+  if (!Array.isArray(arr)) throw new CloudEventsError("cloud-events/invalid", "cloudEvents.fromJSONBatch: body must be a JSON array");
+  arr.forEach(function (obj, idx) {
+    if (!_isPlainObject(obj)) throw new CloudEventsError("cloud-events/invalid", "cloudEvents.fromJSONBatch: event[" + idx + "] must be a JSON object");
+    _assertValid(obj, "cloudEvents.fromJSONBatch: event[" + idx + "]");
+  });
+  return arr;
+}
+
+// ---- HTTP protocol binding ----
+
+var STRUCTURED_CT = "application/cloudevents+json; charset=UTF-8";
+var BATCH_CT = "application/cloudevents-batch+json; charset=UTF-8";
+
+// Percent-encode a header value: everything outside printable ASCII plus
+// the spec-named space / double-quote / percent (HTTP binding §3.1). `s` is
+// always the already-stringified value from _headerValueFor.
+function _pctEncode(s) {
+  var bytes = Buffer.from(s, "utf8");
+  var out = "";
+  for (var i = 0; i < bytes.length; i += 1) {
+    var by = bytes[i];
+    if (by < 0x21 || by > 0x7E || by === 0x22 || by === 0x25) {   // allow:raw-byte-literal — printable-ASCII bounds + double-quote and percent (HTTP binding header rule)
+      out += "%" + bytes[i].toString(16).toUpperCase().padStart(2, "0");   // allow:raw-byte-literal — 16 is the hex radix
+    } else {
+      out += String.fromCharCode(by);
+    }
+  }
+  return out;
+}
+function _pctDecode(s) {
+  var bytes = [];
+  var i = 0;
+  while (i < s.length) {
+    if (s[i] === "%" && /^[0-9A-Fa-f]{2}$/.test(s.slice(i + 1, i + 3))) {
+      bytes.push(parseInt(s.slice(i + 1, i + 3), 16));   // allow:raw-byte-literal — 16 is the hex radix
+      i += 3;
+    } else {
+      var ch = Buffer.from(s[i], "utf8");
+      for (var j = 0; j < ch.length; j += 1) bytes.push(ch[j]);
+      i += 1;
+    }
+  }
+  return Buffer.from(bytes).toString("utf8");
+}
+function _headerValueFor(v) { return typeof v === "boolean" ? (v ? "true" : "false") : String(v); }
+function _lowerHeaders(headers) {
+  var out = {};
+  Object.keys(headers || {}).forEach(function (k) {
+    var v = headers[k];
+    out[k.toLowerCase()] = Array.isArray(v) ? v.join(",") : v;
+  });
+  return out;
+}
+
+/**
+ * @primitive b.cloudEvents.http.encodeBinary
+ * @signature b.cloudEvents.http.encodeBinary(event)
+ * @since     0.12.63
+ * @status    stable
+ * @related   b.cloudEvents.http.decode, b.cloudEvents.http.encodeStructured
+ *
+ * Render a CloudEvents envelope in HTTP <em>binary</em> content mode: each
+ * context attribute (and extension) becomes a <code>ce-</code>-prefixed
+ * header with a percent-encoded value, <code>datacontenttype</code> maps to
+ * the plain <code>Content-Type</code> header (never
+ * <code>ce-datacontenttype</code>), and the payload becomes the body.
+ * Returns <code>{ headers, body }</code> where <code>body</code> is a
+ * Buffer (for <code>data_base64</code> payloads) or a string.
+ *
+ * @example
+ *   var enc = b.cloudEvents.http.encodeBinary(evt);
+ *   // enc.headers["ce-id"], enc.headers["content-type"], enc.body
+ */
+function encodeBinary(event) {
+  _assertValid(event, "cloudEvents.http.encodeBinary");
+  var headers = {};
+  Object.keys(event).forEach(function (k) {
+    if (k === "data" || k === "data_base64" || k === "datacontenttype") return;
+    if (event[k] === undefined || event[k] === null) return;
+    headers["ce-" + k] = _pctEncode(_headerValueFor(event[k]));
+  });
+  var body;
+  if (event.data_base64 != null) {
+    body = Buffer.from(event.data_base64, "base64");
+  } else if (Object.prototype.hasOwnProperty.call(event, "data")) {
+    // JSON-media payloads (including a bare string under application/json or
+    // an absent content type, which defaults to JSON) must be JSON-encoded
+    // so the body re-parses; a non-JSON media type carries the string as-is.
+    if (_isJsonMedia(event.datacontenttype)) body = JSON.stringify(event.data);
+    else body = typeof event.data === "string" ? event.data : JSON.stringify(event.data);
+  } else body = "";
+  if (event.datacontenttype != null) headers["content-type"] = event.datacontenttype;
+  else if (_isPlainObject(event.data) || Array.isArray(event.data)) headers["content-type"] = "application/json";
+  return { headers: headers, body: body };
+}
+
+/**
+ * @primitive b.cloudEvents.http.encodeStructured
+ * @signature b.cloudEvents.http.encodeStructured(event)
+ * @since     0.12.63
+ * @status    stable
+ * @related   b.cloudEvents.http.decode, b.cloudEvents.http.encodeBinary
+ *
+ * Render a CloudEvents envelope in HTTP <em>structured</em> content mode:
+ * the whole event is serialized via the JSON event format into the body,
+ * with <code>Content-Type: application/cloudevents+json</code>. Returns
+ * <code>{ headers, body }</code>.
+ *
+ * @example
+ *   var enc = b.cloudEvents.http.encodeStructured(evt);
+ */
+function encodeStructured(event) {
+  return { headers: { "content-type": STRUCTURED_CT }, body: toJSON(event) };
+}
+
+/**
+ * @primitive b.cloudEvents.http.encodeBatch
+ * @signature b.cloudEvents.http.encodeBatch(events)
+ * @since     0.12.63
+ * @status    stable
+ * @related   b.cloudEvents.http.decode, b.cloudEvents.toJSONBatch
+ *
+ * Render an array of CloudEvents in HTTP <em>batched</em> content mode: the
+ * JSON batch format in the body with <code>Content-Type:
+ * application/cloudevents-batch+json</code>. Returns
+ * <code>{ headers, body }</code>.
+ *
+ * @example
+ *   var enc = b.cloudEvents.http.encodeBatch([evtA, evtB]);
+ */
+function encodeBatch(events) {
+  return { headers: { "content-type": BATCH_CT }, body: toJSONBatch(events) };
+}
+
+/**
+ * @primitive b.cloudEvents.http.decodeBinary
+ * @signature b.cloudEvents.http.decodeBinary(headers, body, opts?)
+ * @since     0.12.63
+ * @status    stable
+ * @related   b.cloudEvents.http.decode, b.cloudEvents.http.encodeBinary
+ *
+ * Parse an HTTP binary-mode request into a CloudEvents envelope. Headers are
+ * matched case-insensitively; each <code>ce-*</code> header is
+ * percent-decoded into the matching attribute, <code>Content-Type</code>
+ * becomes <code>datacontenttype</code>, and the body becomes the payload
+ * (parsed as JSON when the content type is JSON, kept as a
+ * <code>data_base64</code> string for opaque bytes). The result is
+ * validated. Binary-mode header values are strings, so extension types
+ * other than String are not recovered.
+ *
+ * @opts
+ *   maxBytes:   number,   // default: 1 MiB — reject larger bodies
+ *
+ * @example
+ *   var evt = b.cloudEvents.http.decodeBinary(req.headers, req.rawBody);
+ */
+function decodeBinary(headers, body, opts) {
+  opts = opts || {};
+  var maxBytes = opts.maxBytes == null ? DEFAULT_MAX_BYTES : opts.maxBytes;
+  var h = _lowerHeaders(headers);
+  var event = {};
+  Object.keys(h).forEach(function (k) {
+    if (k.indexOf("ce-") !== 0) return;
+    event[k.slice(3)] = _pctDecode(String(h[k]));
+  });
+  var ct = h["content-type"] != null ? h["content-type"] : null;
+  if (ct != null) event.datacontenttype = ct;
+  var raw;
+  if (body == null) raw = Buffer.alloc(0);
+  else if (Buffer.isBuffer(body)) raw = body;
+  else if (typeof body === "string") raw = Buffer.from(body, "utf8");
+  else throw new CloudEventsError("cloud-events/bad-input", "cloudEvents.http.decodeBinary: body must be a string or Buffer");
+  if (raw.length > maxBytes) throw new CloudEventsError("cloud-events/too-large", "cloudEvents.http.decodeBinary: body exceeds maxBytes (" + maxBytes + ")");
+  if (raw.length > 0) {
+    if (_isJsonMedia(ct)) {
+      try { event.data = safeJson.parse(raw, { maxBytes: maxBytes }); }
+      catch (_e) { throw new CloudEventsError("cloud-events/bad-json", "cloudEvents.http.decodeBinary: JSON body is not valid JSON"); }
+    } else if (typeof ct === "string" && /^text\//i.test(ct)) {
+      event.data = raw.toString("utf8");
+    } else {
+      event.data_base64 = raw.toString("base64");
+    }
+  }
+  _assertValid(event, "cloudEvents.http.decodeBinary");
+  return event;
+}
+
+/**
+ * @primitive b.cloudEvents.http.decode
+ * @signature b.cloudEvents.http.decode(headers, body, opts?)
+ * @since     0.12.63
+ * @status    stable
+ * @related   b.cloudEvents.http.decodeBinary, b.cloudEvents.http.encodeStructured
+ *
+ * Parse an HTTP request into a CloudEvents envelope (or array, for a batch),
+ * auto-detecting the content mode exactly as a conformant receiver does: a
+ * <code>Content-Type</code> beginning
+ * <code>application/cloudevents-batch</code> is batched, one beginning
+ * <code>application/cloudevents</code> is structured, and anything else is
+ * binary mode. Returns a single envelope for binary/structured modes and an
+ * array for batched mode.
+ *
+ * @opts
+ *   maxBytes:   number,   // default: 1 MiB — reject larger bodies
+ *
+ * @example
+ *   var evt = b.cloudEvents.http.decode(req.headers, req.rawBody);
+ */
+function decode(headers, body, opts) {
+  var h = _lowerHeaders(headers);
+  var ct = (h["content-type"] != null ? h["content-type"] : "") || "";
+  if (/^application\/cloudevents-batch\b/i.test(ct)) return fromJSONBatch(body, opts);
+  if (/^application\/cloudevents\b/i.test(ct)) return fromJSON(body, opts);
+  return decodeBinary(headers, body, opts);
+}
+
 module.exports = {
   wrap:             wrap,
   parse:            parse,
+  validate:         validate,
+  isValid:          isValid,
+  toJSON:           toJSON,
+  fromJSON:         fromJSON,
+  toJSONBatch:      toJSONBatch,
+  fromJSONBatch:    fromJSONBatch,
+  http: {
+    encodeBinary:     encodeBinary,
+    encodeStructured: encodeStructured,
+    encodeBatch:      encodeBatch,
+    decodeBinary:     decodeBinary,
+    decode:           decode,
+  },
   SPECVERSION:      SPECVERSION,
   REQUIRED_ATTRS:   REQUIRED_ATTRS,
   CloudEventsError: CloudEventsError,

package/lib/csp.js

@@ -67,9 +67,10 @@ var ALL_DIRECTIVES = [
   "default-src", "script-src", "script-src-elem", "script-src-attr",
   "style-src", "style-src-elem", "style-src-attr",
   "img-src", "media-src", "font-src", "connect-src", "object-src",
-  "frame-src", "child-src", "worker-src", "manifest-src", "prefetch-src",
+  "frame-src", "child-src", "worker-src", "fenced-frame-src",
+  "manifest-src", "prefetch-src",
   "form-action", "frame-ancestors", "navigate-to", "base-uri", "sandbox",
-  "report-to", "report-uri",
+  "webrtc", "report-to", "report-uri",
   "require-trusted-types-for", "trusted-types",
   "upgrade-insecure-requests", "block-all-mixed-content",
 ];

package/lib/jtd.js

@@ -0,0 +1,223 @@
+"use strict";
+/**
+ * @module b.jtd
+ * @nav    Data
+ * @title  JSON Type Definition
+ *
+ * @intro
+ *   Validate a JSON value against a JSON Type Definition schema (RFC
+ *   8927) — a small, portable, cross-implementation schema language.
+ *   Unlike the framework's fluent <code>b.safeSchema</code> builder, a
+ *   JTD schema is plain JSON you can share with any JTD implementation
+ *   (and generate code from), which makes it the right choice for
+ *   interop contracts.
+ *
+ *   <code>validate(schema, instance)</code> returns an array of errors,
+ *   each a <code>{ instancePath, schemaPath }</code> pair pointing at the
+ *   offending value and the schema rule it broke (an empty array means
+ *   valid). All eight schema forms are supported — empty, <code>type</code>,
+ *   <code>enum</code>, <code>elements</code>, <code>properties</code>,
+ *   <code>values</code>, <code>discriminator</code>, and <code>ref</code>
+ *   (with <code>definitions</code>) — and a malformed schema is rejected
+ *   at compile time rather than mis-validating.
+ *
+ * @card
+ *   JSON Type Definition (RFC 8927) — validate JSON against a portable,
+ *   standardized schema (all eight forms), returning instancePath /
+ *   schemaPath errors. The interop-friendly companion to the fluent
+ *   <code>b.safeSchema</code> builder.
+ */
+
+var { defineClass } = require("./framework-error");
+var rfc3339 = require("./rfc3339");
+
+var JtdError = defineClass("JtdError", { alwaysPermanent: true });
+
+var MAX_DEPTH = 10000;                                       // allow:raw-time-literal — recursion cap for self-referential refs
+
+var TYPES = {
+  boolean: 1, string: 1, timestamp: 1, float32: 1, float64: 1,
+  int8: 1, uint8: 1, int16: 1, uint16: 1, int32: 1, uint32: 1,
+};
+var INT_RANGES = {
+  int8: [-128, 127], uint8: [0, 255], int16: [-32768, 32767],                              // allow:raw-byte-literal — RFC 8927 integer type bounds
+  uint16: [0, 65535], int32: [-2147483648, 2147483647], uint32: [0, 4294967295],            // allow:raw-byte-literal — RFC 8927 integer type bounds
+};
+var FORM_KEYWORDS = ["ref", "type", "enum", "elements", "properties", "optionalProperties", "values", "discriminator"];
+var SHARED_KEYWORDS = { definitions: 1, nullable: 1, metadata: 1 };
+
+function _isPlainObject(v) { return v !== null && typeof v === "object" && !Array.isArray(v); }
+function _isInteger(v) { return typeof v === "number" && isFinite(v) && Math.floor(v) === v; }
+
+// RFC 3339 date-time (the JTD "timestamp" type) — strict form shared with
+// the other spec-driven consumers via lib/rfc3339.js.
+var _validTimestamp = rfc3339.isValidDateTime;
+
+// --- compile-time well-formedness (RFC 8927 section 2.2) ---
+function _checkSchema(schema, root, isRoot) {
+  if (!_isPlainObject(schema)) throw new JtdError("jtd/bad-schema", "jtd: schema must be an object");
+  if (!isRoot && Object.prototype.hasOwnProperty.call(schema, "definitions")) throw new JtdError("jtd/bad-schema", "jtd: 'definitions' is allowed only at the root");
+  Object.keys(schema).forEach(function (k) {
+    if (FORM_KEYWORDS.indexOf(k) === -1 && !SHARED_KEYWORDS[k] && k !== "additionalProperties" && k !== "mapping") throw new JtdError("jtd/bad-schema", "jtd: unknown keyword '" + k + "'");
+  });
+  if (Object.prototype.hasOwnProperty.call(schema, "nullable") && typeof schema.nullable !== "boolean") throw new JtdError("jtd/bad-schema", "jtd: 'nullable' must be a boolean");
+  if (Object.prototype.hasOwnProperty.call(schema, "metadata") && !_isPlainObject(schema.metadata)) throw new JtdError("jtd/bad-schema", "jtd: 'metadata' must be an object");
+  if (Object.prototype.hasOwnProperty.call(schema, "definitions")) {
+    if (!_isPlainObject(schema.definitions)) throw new JtdError("jtd/bad-schema", "jtd: 'definitions' must be an object");
+    Object.keys(schema.definitions).forEach(function (k) { _checkSchema(schema.definitions[k], root, false); });
+  }
+  if (Object.prototype.hasOwnProperty.call(schema, "mapping") && !Object.prototype.hasOwnProperty.call(schema, "discriminator")) throw new JtdError("jtd/bad-schema", "jtd: 'mapping' is only valid with 'discriminator'");
+  var formSet = {};
+  FORM_KEYWORDS.forEach(function (k) { if (Object.prototype.hasOwnProperty.call(schema, k)) formSet[(k === "optionalProperties") ? "properties" : k] = 1; });
+  var formNames = Object.keys(formSet);
+  if (formNames.length > 1) throw new JtdError("jtd/bad-schema", "jtd: a schema may use only one form (got " + formNames.join(", ") + ")");
+
+  if ("ref" in schema) {
+    if (typeof schema.ref !== "string" || !root.definitions || !Object.prototype.hasOwnProperty.call(root.definitions, schema.ref)) throw new JtdError("jtd/bad-schema", "jtd: 'ref' must name a key in the root definitions");
+  }
+  if ("type" in schema && !TYPES[schema.type]) throw new JtdError("jtd/bad-schema", "jtd: unknown type '" + schema.type + "'");
+  if ("enum" in schema) {
+    if (!Array.isArray(schema.enum) || schema.enum.length === 0) throw new JtdError("jtd/bad-schema", "jtd: 'enum' must be a non-empty array");
+    var seen = Object.create(null);
+    schema.enum.forEach(function (e) { if (typeof e !== "string") throw new JtdError("jtd/bad-schema", "jtd: 'enum' values must be strings"); if (seen[e]) throw new JtdError("jtd/bad-schema", "jtd: duplicate enum value"); seen[e] = 1; });
+  }
+  if ("elements" in schema) _checkSchema(schema.elements, root, false);
+  if ("values" in schema) _checkSchema(schema.values, root, false);
+  if ("properties" in schema || "optionalProperties" in schema) {
+    var props = schema.properties || {}, opt = schema.optionalProperties || {};
+    if (!_isPlainObject(props) || !_isPlainObject(opt)) throw new JtdError("jtd/bad-schema", "jtd: properties / optionalProperties must be objects");
+    Object.keys(props).forEach(function (k) { if (Object.prototype.hasOwnProperty.call(opt, k)) throw new JtdError("jtd/bad-schema", "jtd: '" + k + "' in both properties and optionalProperties"); _checkSchema(props[k], root, false); });
+    Object.keys(opt).forEach(function (k) { _checkSchema(opt[k], root, false); });
+    if ("additionalProperties" in schema && typeof schema.additionalProperties !== "boolean") throw new JtdError("jtd/bad-schema", "jtd: 'additionalProperties' must be a boolean");
+  }
+  if ("discriminator" in schema) {
+    if (typeof schema.discriminator !== "string") throw new JtdError("jtd/bad-schema", "jtd: 'discriminator' must be a string");
+    if (!_isPlainObject(schema.mapping)) throw new JtdError("jtd/bad-schema", "jtd: 'discriminator' requires a 'mapping' object");
+    Object.keys(schema.mapping).forEach(function (k) {
+      var sub = schema.mapping[k];
+      _checkSchema(sub, root, false);
+      if (!_isPlainObject(sub) || (!("properties" in sub) && !("optionalProperties" in sub))) throw new JtdError("jtd/bad-schema", "jtd: discriminator mapping schemas must use the properties form");
+      if (sub.nullable === true) throw new JtdError("jtd/bad-schema", "jtd: discriminator mapping schemas must not be nullable");
+      var p = sub.properties || {}, o = sub.optionalProperties || {};
+      if (Object.prototype.hasOwnProperty.call(p, schema.discriminator) || Object.prototype.hasOwnProperty.call(o, schema.discriminator)) throw new JtdError("jtd/bad-schema", "jtd: discriminator tag must not appear in a mapping schema's properties");
+    });
+  }
+  if ("additionalProperties" in schema && !("properties" in schema) && !("optionalProperties" in schema)) throw new JtdError("jtd/bad-schema", "jtd: 'additionalProperties' requires a properties form");
+}
+
+// --- validation (RFC 8927 section 3.3) ---
+function _typeOk(type, v) {
+  if (type === "boolean") return typeof v === "boolean";
+  if (type === "string") return typeof v === "string";
+  if (type === "timestamp") return typeof v === "string" && _validTimestamp(v);
+  if (type === "float32" || type === "float64") return typeof v === "number" && isFinite(v);
+  var range = INT_RANGES[type];
+  return _isInteger(v) && v >= range[0] && v <= range[1];
+}
+
+function _val(schema, inst, ip, sp, root, depth, errors, discrimTag) {
+  if (depth > MAX_DEPTH) throw new JtdError("jtd/too-deep", "jtd: schema recursion exceeded the depth cap");
+  if (schema.nullable === true && inst === null) return;
+
+  if ("ref" in schema) { _val(root.definitions[schema.ref], inst, ip, ["definitions", schema.ref], root, depth + 1, errors, undefined); return; }
+
+  if ("type" in schema) {
+    if (!_typeOk(schema.type, inst)) errors.push({ instancePath: ip.slice(), schemaPath: sp.concat("type") });
+    return;
+  }
+  if ("enum" in schema) {
+    if (typeof inst !== "string" || schema.enum.indexOf(inst) === -1) errors.push({ instancePath: ip.slice(), schemaPath: sp.concat("enum") });
+    return;
+  }
+  if ("elements" in schema) {
+    if (!Array.isArray(inst)) { errors.push({ instancePath: ip.slice(), schemaPath: sp.concat("elements") }); return; }
+    for (var i = 0; i < inst.length; i++) _val(schema.elements, inst[i], ip.concat(String(i)), sp.concat("elements"), root, depth + 1, errors, undefined);
+    return;
+  }
+  if ("properties" in schema || "optionalProperties" in schema) {
+    if (!_isPlainObject(inst)) {
+      errors.push({ instancePath: ip.slice(), schemaPath: sp.concat("properties" in schema ? "properties" : "optionalProperties") });
+      return;
+    }
+    var props = schema.properties || {}, opt = schema.optionalProperties || {};
+    Object.keys(props).forEach(function (k) {
+      if (Object.prototype.hasOwnProperty.call(inst, k)) _val(props[k], inst[k], ip.concat(k), sp.concat("properties", k), root, depth + 1, errors, undefined);
+      else errors.push({ instancePath: ip.slice(), schemaPath: sp.concat("properties", k) });
+    });
+    Object.keys(opt).forEach(function (k) {
+      if (Object.prototype.hasOwnProperty.call(inst, k)) _val(opt[k], inst[k], ip.concat(k), sp.concat("optionalProperties", k), root, depth + 1, errors, undefined);
+    });
+    if (schema.additionalProperties !== true) {
+      Object.keys(inst).forEach(function (k) {
+        if (!Object.prototype.hasOwnProperty.call(props, k) && !Object.prototype.hasOwnProperty.call(opt, k) && k !== discrimTag) {
+          errors.push({ instancePath: ip.concat(k), schemaPath: sp.slice() });
+        }
+      });
+    }
+    return;
+  }
+  if ("values" in schema) {
+    if (!_isPlainObject(inst)) { errors.push({ instancePath: ip.slice(), schemaPath: sp.concat("values") }); return; }
+    Object.keys(inst).forEach(function (k) { _val(schema.values, inst[k], ip.concat(k), sp.concat("values"), root, depth + 1, errors, undefined); });
+    return;
+  }
+  if ("discriminator" in schema) {
+    if (!_isPlainObject(inst)) { errors.push({ instancePath: ip.slice(), schemaPath: sp.concat("discriminator") }); return; }
+    var tag = schema.discriminator;
+    if (!Object.prototype.hasOwnProperty.call(inst, tag)) { errors.push({ instancePath: ip.slice(), schemaPath: sp.concat("discriminator") }); return; }
+    if (typeof inst[tag] !== "string") { errors.push({ instancePath: ip.concat(tag), schemaPath: sp.concat("discriminator") }); return; }
+    if (!Object.prototype.hasOwnProperty.call(schema.mapping, inst[tag])) { errors.push({ instancePath: ip.concat(tag), schemaPath: sp.concat("mapping") }); return; }
+    _val(schema.mapping[inst[tag]], inst, ip, sp.concat("mapping", inst[tag]), root, depth + 1, errors, tag);
+    return;
+  }
+  // empty form: accepts anything
+}
+
+/**
+ * @primitive b.jtd.validate
+ * @signature b.jtd.validate(schema, instance)
+ * @since     0.12.62
+ * @status    stable
+ * @compliance soc2
+ * @related   b.safeSchema, b.jsonPointer.get
+ *
+ * Validate a JSON value against a JSON Type Definition schema (RFC 8927)
+ * and return the array of validation errors — each a
+ * <code>{ instancePath, schemaPath }</code> pair of token arrays naming
+ * the offending value and the schema rule it broke. An empty array means
+ * the instance is valid. All eight schema forms are supported. The schema
+ * itself is checked for well-formedness first; a malformed schema throws
+ * <code>jtd/bad-schema</code> rather than silently mis-validating.
+ *
+ * @example
+ *   b.jtd.validate({ properties: { id: { type: "uint32" } } }, { id: -1 });
+ *   // -> [ { instancePath: ["id"], schemaPath: ["properties", "id", "type"] } ]
+ */
+function validate(schema, instance) {
+  _checkSchema(schema, schema, true);
+  var errors = [];
+  _val(schema, instance, [], [], schema, 0, errors, undefined);
+  return errors;
+}
+
+/**
+ * @primitive b.jtd.isValid
+ * @signature b.jtd.isValid(schema, instance)
+ * @since     0.12.62
+ * @status    stable
+ * @related   b.jtd.validate
+ *
+ * Convenience boolean form of <code>validate</code> — <code>true</code>
+ * when the instance conforms to the JTD schema (no errors). Throws
+ * <code>jtd/bad-schema</code> on a malformed schema.
+ *
+ * @example
+ *   b.jtd.isValid({ type: "string" }, "hello");   // -> true
+ */
+function isValid(schema, instance) { return validate(schema, instance).length === 0; }
+
+module.exports = {
+  validate: validate,
+  isValid:  isValid,
+  JtdError: JtdError,
+};

package/lib/rfc3339.js

@@ -0,0 +1,37 @@
+"use strict";
+/**
+ * rfc3339 — strict RFC 3339 date-time validation, shared by the primitives
+ * whose specs require the full "internet date/time" form (a mandatory
+ * "T"/"t" separator and a mandatory "Z" or numeric UTC offset). b.jtd's
+ * `timestamp` type and b.cloudevents' `time` attribute both point at
+ * RFC 3339, so the field-range + leap-year + offset-range checks live here
+ * once instead of drifting between them.
+ *
+ * This is intentionally NOT the lenient validator b.guardTime ships: that
+ * one accepts a space separator and an absent offset by design (a content-
+ * safety guard tuned per profile), whereas these consumers must reject
+ * anything the spec disallows.
+ *
+ *   var rfc3339 = require("./rfc3339");
+ *   rfc3339.isValidDateTime("2018-04-05T17:31:00Z");   // → true
+ */
+
+// "T" separator required; offset ("Z"/"z" or ±HH:MM) required.
+var RFC3339_RE = /^(\d{4})-(\d{2})-(\d{2})[Tt](\d{2}):(\d{2}):(\d{2})(\.\d+)?([Zz]|[+-]\d{2}:\d{2})$/;
+
+function isValidDateTime(s) {
+  if (typeof s !== "string") return false;
+  var m = RFC3339_RE.exec(s);
+  if (!m) return false;
+  var mo = +m[2], d = +m[3], h = +m[4], mi = +m[5], se = +m[6];
+  if (mo < 1 || mo > 12 || d < 1 || d > 31 || h > 23 || mi > 59 || se > 60) return false;   // allow:raw-time-literal — RFC 3339 field ranges (60 = leap second)
+  var days = [31, ((+m[1] % 4 === 0 && +m[1] % 100 !== 0) || +m[1] % 400 === 0) ? 29 : 28, 31, 30, 31, 30, 31, 31, 30, 31, 30, 31];   // allow:raw-time-literal — days per month (Gregorian)
+  if (d > days[mo - 1]) return false;
+  var tz = m[8];
+  if (tz !== "Z" && tz !== "z") {
+    if (+tz.slice(1, 3) > 23 || +tz.slice(4, 6) > 59) return false;   // allow:raw-time-literal — RFC 3339 offset hour/minute ranges
+  }
+  return true;
+}
+
+module.exports = { isValidDateTime: isValidDateTime, RFC3339_RE: RFC3339_RE };

package/lib/safe-buffer.js

@@ -372,6 +372,13 @@ var HEX_RE = /^[0-9a-fA-F]+$/;
 // is length-agnostic — callers cap length per protocol contract.
 var BASE64URL_RE = /^[A-Za-z0-9_-]+$/;
 
+// BASE64_RE matches standard base64 (RFC 4648 §4) with the `+` / `/`
+// alphabet and canonical 0-2 chars of `=` padding (empty string allowed).
+// Shared by callers that validate padded base64 fields (backup manifest
+// digests, CloudEvents data_base64) so the alphabet check isn't reinvented.
+// Length-agnostic — callers cap length per their own contract / maxBytes.
+var BASE64_RE = /^[A-Za-z0-9+/]*={0,2}$/;
+
 // Fixed-length hex predicates used by trace-context primitives (W3C
 // trace-id is 16 bytes = 32 hex chars; span-id / parent-id is 8
 // bytes = 16 hex chars). Extracted to keep callers length-bounded
@@ -552,6 +559,7 @@ module.exports = {
   stripTrailingHspace:   stripTrailingHspace,
   HEX_RE:                HEX_RE,
   BASE64URL_RE:          BASE64URL_RE,
+  BASE64_RE:             BASE64_RE,
   IPV6_HEXTET_RE:        IPV6_HEXTET_RE,
   TRACE_ID_HEX_RE:       TRACE_ID_HEX_RE,
   SPAN_ID_HEX_RE:        SPAN_ID_HEX_RE,

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@blamejs/core",
-  "version": "0.12.61",
+  "version": "0.12.63",
   "description": "The Node framework that owns its stack.",
   "license": "Apache-2.0",
   "author": "blamejs contributors",

package/sbom.cdx.json

@@ -2,10 +2,10 @@
   "$schema": "http://cyclonedx.org/schema/bom-1.5.schema.json",
   "bomFormat": "CycloneDX",
   "specVersion": "1.5",
-  "serialNumber": "urn:uuid:ad83b06e-a1bc-47e4-9b53-db78947055a5",
+  "serialNumber": "urn:uuid:d1709f88-d452-4b6c-9796-971cb4dc9a1a",
   "version": 1,
   "metadata": {
-    "timestamp": "2026-05-26T02:37:15.214Z",
+    "timestamp": "2026-05-26T06:02:00.412Z",
     "lifecycles": [
       {
         "phase": "build"
@@ -19,14 +19,14 @@
       }
     ],
     "component": {
-      "bom-ref": "@blamejs/core@0.12.61",
+      "bom-ref": "@blamejs/core@0.12.63",
       "type": "application",
       "name": "blamejs",
-      "version": "0.12.61",
+      "version": "0.12.63",
       "scope": "required",
       "author": "blamejs contributors",
       "description": "The Node framework that owns its stack.",
-      "purl": "pkg:npm/%40blamejs/core@0.12.61",
+      "purl": "pkg:npm/%40blamejs/core@0.12.63",
       "properties": [],
       "externalReferences": [
         {
@@ -54,7 +54,7 @@
   "components": [],
   "dependencies": [
     {
-      "ref": "@blamejs/core@0.12.61",
+      "ref": "@blamejs/core@0.12.63",
       "dependsOn": []
     }
   ]