@blamejs/core 0.12.62 → 0.12.63

package/CHANGELOG.md

@@ -8,6 +8,8 @@ upgrading across more than a few patches at a time.
 
 ## v0.12.x
 
+- v0.12.63 (2026-05-25) — **`b.cloudEvents` gains the JSON event format, batch, and the HTTP binding.** b.cloudEvents grows beyond wrap / parse into a full CloudEvents 1.0.2 surface. b.cloudEvents.validate / isValid check an envelope against the spec without throwing (the non-throwing companion to parse). toJSON / fromJSON serialize and parse the JSON event format, and toJSONBatch / fromJSONBatch handle the JSON batch format; untrusted bodies parse through the framework's bounded, prototype-pollution-safe JSON reader. The new http.* binding speaks both content modes the spec defines — binary mode spreads context attributes across percent-encoded ce-* headers with the data in the body, structured mode carries the whole event as application/cloudevents+json — plus the batch mode, and http.decode auto-detects the incoming mode from Content-Type exactly as a conformant receiver does. Verified against the spec's normative example events. **Added:** *`b.cloudEvents` JSON event format, batch, and HTTP binding* — `validate` / `isValid` report spec violations without throwing (the non-throwing companion to `parse`). `toJSON` / `fromJSON` and `toJSONBatch` / `fromJSONBatch` serialize and parse the JSON event and batch formats over the existing envelope shape. `http.encodeBinary` / `http.encodeStructured` / `http.encodeBatch` render the three HTTP content modes — binary spreads attributes across percent-encoded `ce-*` headers, structured and batched carry the event(s) as `application/cloudevents+json` / `application/cloudevents-batch+json` — and `http.decode` parses a request back into an envelope (or array) by auto-detecting the mode from `Content-Type`. `b.jtd` or `b.safeSchema` still validate the event's `data` payload. **Fixed:** *`b.csp.build` accepts `fenced-frame-src` and `webrtc`* — The CSP3 `fenced-frame-src` directive — which the default security-headers policy emits to block `<fencedframe>` embeds — was missing from the builder's recognized-directive set, so the default policy could not round-trip through `b.csp.build` (it threw `csp/unknown-directive`). Both `fenced-frame-src` and the CSP3 `webrtc` directive are now recognized.
+
 - v0.12.62 (2026-05-26) — **`b.jtd` — JSON Type Definition validation (RFC 8927).** Validate JSON against a JSON Type Definition schema (RFC 8927) — a small, portable, cross-implementation schema language, the interop-friendly companion to the framework's fluent b.safeSchema builder. b.jtd.validate(schema, instance) returns an array of { instancePath, schemaPath } errors (empty = valid); b.jtd.isValid is the boolean form. All eight schema forms are supported — empty, type, enum, elements, properties (with optional / additional properties and nullable), values, discriminator (with mapping), and ref (with definitions) — including the integer-range and RFC 3339 timestamp types. A malformed schema is rejected at compile time with jtd/bad-schema rather than silently mis-validating. Verified against the official json-typedef-spec suites: all 316 validation cases and all 49 invalid-schema cases. **Added:** *`b.jtd.validate(schema, instance)` / `b.jtd.isValid(schema, instance)`* — `validate` returns the RFC 8927 error list — each `{ instancePath, schemaPath }` naming the offending value and the broken schema rule — and `isValid` is the boolean convenience form. Supports every JTD form and type: the numeric types enforce their exact ranges (int8 … uint32, float32 / float64), `timestamp` requires an RFC 3339 date-time, `properties` honours `optionalProperties` / `additionalProperties` / `nullable`, and `discriminator` selects a `mapping` schema by a tag property. The schema is checked for well-formedness before validation, so unknown keywords, multiple forms, bad refs, or a discriminator over a non-properties mapping all throw `jtd/bad-schema`. Use JTD for schemas you share across implementations or generate code from; use `b.safeSchema` for in-process fluent validation.
 
 - v0.12.61 (2026-05-26) — **`b.jsonPath` — JSONPath query (RFC 9535).** A full RFC 9535 JSONPath query evaluator, complementing the framework's JSONPath guards (which screen path strings). b.jsonPath.query(doc, path) compiles a path and returns the matched node values; b.jsonPath.paths returns their normalized locations. The complete surface is implemented: name / wildcard / index / slice selectors, descendant segments (..), filter selectors (?) with comparison and logical operators, relative (@) and absolute ($) embedded queries, and the five standard functions length / count / match / search / value — with the spec's well-typedness rules enforced at compile time so a malformed or ill-typed query is rejected rather than silently mis-evaluated. Descendant walks are node-capped to bound work on hostile input. Verified against all 703 cases of the official jsonpath-compliance-test-suite. **Added:** *`b.jsonPath.query(doc, path)` / `b.jsonPath.paths(doc, path)`* — `query` returns the array of node values selected by an RFC 9535 JSONPath; `paths` returns the normalized-path string of each match (e.g. `$['a'][1]['p']`). Supports every selector (name, wildcard `*`, index incl. negative, slice `start:end:step` incl. negative step, comma-separated selections), child and descendant (`..`) segments, and filter expressions with `==` / `!=` / `<` / `<=` / `>` / `>=`, `&&` / `||` / `!`, existence tests, and the standard functions. The well-typedness rules are checked when the path is compiled — a non-singular query used as a comparison operand, an ill-typed function argument, or a value-typed function used as a test all throw `json-path/invalid`. Pairs with `b.guardJsonPath`, which screens operator-supplied path strings before they reach the evaluator.

package/README.md

@@ -158,7 +158,7 @@ The framework bundles the surface a typical Node app reaches for. Every primitiv
 - **WebSockets (server)** — channel/room fan-out across cluster replicas; RFC 6455 §5.5 control-frame size + FIN enforcement on inbound (defends 1 MiB-PING-as-PONG amplification) (`b.websocket`, `b.websocketChannels`)
 - **WebSockets (client)** — `b.wsClient` with PQC-TLS handshake, permessage-deflate negotiation with decompression-bomb cap, fatal UTF-8 validation, permanent-error classifier (skips reconnect on 4xx / accept mismatch / bad-subprotocol), exponential-backoff with full jitter
 - **Pub/sub + events** — distributed pub/sub with cluster-table / Redis PUB/SUB / custom backends (`b.pubsub`); framework-emitted signal bus for breach / integrity events (`b.events`)
-- **CloudEvents + SSE** — CloudEvents 1.0 envelope for AWS EventBridge / Knative / Azure Event Grid / Google Eventarc / CNCF (`b.cloudEvents`); Server-Sent Events with newline-injection refusal in `event:` / `id:` / `data:` / `Last-Event-ID` (CVE-2026-33128 / 29085 / 44217 class) (`b.sse`, `b.middleware.sse`)
+- **CloudEvents + SSE** — CloudEvents 1.0.2 for AWS EventBridge / Knative / Azure Event Grid / Google Eventarc / CNCF: `wrap` / `parse` envelopes, non-throwing `validate` / `isValid`, the JSON event + batch formats (`toJSON` / `fromJSON` / `toJSONBatch` / `fromJSONBatch`), and the HTTP binding in both binary and structured content modes with auto-detecting `http.decode` (`b.cloudEvents`); Server-Sent Events with newline-injection refusal in `event:` / `id:` / `data:` / `Last-Event-ID` (CVE-2026-33128 / 29085 / 44217 class) (`b.sse`, `b.middleware.sse`)
 - **Mail (outbound)** — multipart + attachments + DKIM + calendar invites; bounce intake (`b.mail`, `b.mailBounce`)
 - **Mail (outbound delivery)** — turnkey MX-lookup → MTA-STS-fetch → DANE-TLSA → REQUIRETLS handshake → SMTP wire layer → RFC 3464 DSN-on-permanent-failure → deferred-retry scheduling, all wired once (`b.mail.send.deliver`)
 - **Mail (inbound auth)** — SPF / DMARC / ARC verify + ARC chain signing for relays (`b.mail.spf`, `b.mail.dmarc`, `b.mail.arc`)

package/lib/backup/manifest.js

@@ -95,7 +95,7 @@ var VALID_KINDS = { "raw": 1, "vault-sealed": 1, "plaintext": 1 };
 // in the manifest, so the hex string is 128 chars long.
 var SHA3_512_HEX_LENGTH = 128;
 var HEX_RE = safeBuffer.HEX_RE;
-var BASE64_RE = /^[A-Za-z0-9+/]*={0,2}$/;
+var BASE64_RE = safeBuffer.BASE64_RE;
 
 function _isHex(s, evenLength) {
   if (typeof s !== "string" || s.length === 0) return false;

package/lib/cloud-events.js

@@ -36,11 +36,16 @@
 
 var nodeCrypto = require("node:crypto");
 var validateOpts = require("./validate-opts");
+var rfc3339 = require("./rfc3339");
+var safeJson = require("./safe-json");
+var safeBuffer = require("./safe-buffer");
+var C = require("./constants");
 var { defineClass } = require("./framework-error");
 
 var CloudEventsError = defineClass("CloudEventsError", { alwaysPermanent: true });
 
 var SPECVERSION = "1.0";
+var DEFAULT_MAX_BYTES = C.BYTES.mib(1);   // fromJSON / http.decode input cap
 
 // CloudEvents §3.1 — required string attributes.
 var REQUIRED_ATTRS = ["id", "source", "specversion", "type"];
@@ -268,9 +273,459 @@ function parse(envelope) {
   };
 }
 
+// ---- validate / isValid (non-throwing spec check) ----
+
+var INT_MIN = -2147483648;                                  // allow:raw-byte-literal — CloudEvents Integer type range
+var INT_MAX = 2147483647;                                   // allow:raw-byte-literal — CloudEvents Integer type range
+// JSON-formatted media type essence (after the parameters are stripped):
+// type/json or type/anything+json. Each run is bounded by the single "/"
+// separator so the match is linear (no overlapping quantifiers → no
+// polynomial backtracking on hostile media-type strings).
+var JSON_MEDIA_RE = /^[^/]+\/(?:[^/]+\+)?json$/i;
+// Extension name MUST be lowercase ASCII alnum (the §3.1 ≤20 length is a
+// SHOULD, so validate enforces only the MUST; wrap is stricter on emit).
+var VALIDATE_EXT_NAME_RE = /^[a-z0-9]+$/;
+
+function _isPlainObject(v) { return v !== null && typeof v === "object" && !Array.isArray(v) && !Buffer.isBuffer(v); }
+function _isNonEmptyString(v) { return typeof v === "string" && v.length > 0; }
+function _isCanonicalBase64(s) { return typeof s === "string" && s.length % 4 === 0 && safeBuffer.BASE64_RE.test(s); }
+function _isJsonMedia(ct) {
+  if (ct == null) return true;   // absent datacontenttype defaults to application/json
+  var essence = String(ct).split(";")[0].trim();   // drop media-type parameters
+  return JSON_MEDIA_RE.test(essence);   // allow:regex-no-length-cap — slash-bounded classes, linear match
+}
+
+function _extIssue(name, v) {
+  if (v === null) return null;
+  if (typeof v === "string" || typeof v === "boolean") return null;
+  if (typeof v === "number") {
+    if (!isFinite(v) || Math.floor(v) !== v) return "extension '" + name + "' must be an integer (CloudEvents has no float type)";
+    if (v < INT_MIN || v > INT_MAX) return "extension '" + name + "' integer out of 32-bit range";
+    return null;
+  }
+  return "extension '" + name + "' must be a string, integer, or boolean";
+}
+
+/**
+ * @primitive b.cloudEvents.validate
+ * @signature b.cloudEvents.validate(event)
+ * @since     0.12.63
+ * @status    stable
+ * @related   b.cloudEvents.parse, b.cloudEvents.fromJSON
+ *
+ * Check an in-memory CloudEvents v1.0 envelope against the §3.1 spec and
+ * return an array of <code>{ attribute, message }</code> issues — an empty
+ * array means the event is conformant. Unlike <code>parse</code> (which
+ * throws and decodes), this never throws, so it suits inspecting events of
+ * unknown provenance before deciding what to do with them.
+ *
+ * @example
+ *   b.cloudEvents.validate({ specversion: "1.0", id: "1",
+ *     source: "/x", type: "com.example.t" });
+ *   // → []
+ */
+function validate(event) {
+  var issues = [];
+  function bad(attribute, message) { issues.push({ attribute: attribute, message: message }); }
+  if (!_isPlainObject(event)) { bad("", "event must be an object"); return issues; }
+
+  if (event.specversion !== SPECVERSION) bad("specversion", "specversion must be the string \"" + SPECVERSION + "\"");
+  if (!_isNonEmptyString(event.id)) bad("id", "id must be a non-empty string");
+  if (!_isNonEmptyString(event.source)) bad("source", "source must be a non-empty URI-reference string");
+  if (!_isNonEmptyString(event.type)) bad("type", "type must be a non-empty string");
+
+  if (event.datacontenttype != null && !_isNonEmptyString(event.datacontenttype)) bad("datacontenttype", "datacontenttype, if present, must be a non-empty string");
+  if (event.dataschema != null && !_isNonEmptyString(event.dataschema)) bad("dataschema", "dataschema, if present, must be a non-empty URI string");
+  if (event.subject != null && !_isNonEmptyString(event.subject)) bad("subject", "subject, if present, must be a non-empty string");
+  if (event.time != null && !rfc3339.isValidDateTime(event.time)) bad("time", "time, if present, must be an RFC 3339 date-time");
+
+  if (Object.prototype.hasOwnProperty.call(event, "data") && Object.prototype.hasOwnProperty.call(event, "data_base64")) {
+    bad("data", "data and data_base64 are mutually exclusive (CloudEvents §3.1.1)");
+  }
+  if (event.data_base64 != null && !_isCanonicalBase64(event.data_base64)) bad("data_base64", "data_base64 must be canonical RFC 4648 base64");
+
+  Object.keys(event).forEach(function (k) {
+    if (REQUIRED_ATTRS.indexOf(k) !== -1 || KNOWN_OPTIONAL_ATTRS[k]) return;
+    if (!VALIDATE_EXT_NAME_RE.test(k)) { bad(k, "attribute name must match [a-z0-9]+ (lower-case letters and digits)"); return; }   // allow:regex-no-length-cap — linear class, key bounded by maxBytes
+    var ei = _extIssue(k, event[k]);
+    if (ei) bad(k, ei);
+  });
+  return issues;
+}
+
+/**
+ * @primitive b.cloudEvents.isValid
+ * @signature b.cloudEvents.isValid(event)
+ * @since     0.12.63
+ * @status    stable
+ * @related   b.cloudEvents.validate
+ *
+ * Boolean convenience form of <code>validate</code> — <code>true</code>
+ * when the event has zero conformance issues.
+ *
+ * @example
+ *   b.cloudEvents.isValid(evt);   // → true
+ */
+function isValid(event) { return validate(event).length === 0; }
+
+function _assertValid(event, label) {
+  var issues = validate(event);
+  if (issues.length) {
+    throw new CloudEventsError("cloud-events/invalid",
+      label + ": " + issues.map(function (i) { return i.message; }).join("; "));
+  }
+}
+
+// ---- JSON event format ----
+
+/**
+ * @primitive b.cloudEvents.toJSON
+ * @signature b.cloudEvents.toJSON(event, opts?)
+ * @since     0.12.63
+ * @status    stable
+ * @related   b.cloudEvents.fromJSON, b.cloudEvents.toJSONBatch
+ *
+ * Serialize a CloudEvents envelope (as produced by <code>wrap</code>) to a
+ * JSON event-format string — media type
+ * <code>application/cloudevents+json</code>. The envelope is already in
+ * wire shape (JSON <code>data</code> inline, binary as a
+ * <code>data_base64</code> string), so this validates it and renders the
+ * JSON. Throws <code>CloudEventsError</code> on a non-conformant event.
+ *
+ * @opts
+ *   space:   number | string,   // JSON.stringify indentation (default: none)
+ *
+ * @example
+ *   var json = b.cloudEvents.toJSON(b.cloudEvents.wrap({ source: "/x", type: "t" }));
+ */
+function toJSON(event, opts) {
+  opts = opts || {};
+  _assertValid(event, "cloudEvents.toJSON");
+  return JSON.stringify(event, null, opts.space);
+}
+
+function _coerceInput(input, label, maxBytes) {
+  if (!Buffer.isBuffer(input) && typeof input !== "string") {
+    throw new CloudEventsError("cloud-events/bad-input", label + ": input must be a string or Buffer");
+  }
+  try {
+    return safeJson.parse(input, { maxBytes: maxBytes });
+  } catch (e) {
+    if (e && e.code === "json/too-large") throw new CloudEventsError("cloud-events/too-large", label + ": input exceeds maxBytes (" + maxBytes + ")");
+    throw new CloudEventsError("cloud-events/bad-json", label + ": body is not valid JSON");
+  }
+}
+
+/**
+ * @primitive b.cloudEvents.fromJSON
+ * @signature b.cloudEvents.fromJSON(input, opts?)
+ * @since     0.12.63
+ * @status    stable
+ * @related   b.cloudEvents.toJSON, b.cloudEvents.parse
+ *
+ * Parse a single JSON event-format document (string or Buffer) into a
+ * validated CloudEvents envelope. Untrusted bytes route through the
+ * framework's bounded, prototype-pollution-safe JSON reader. The envelope
+ * is returned in wire shape (binary stays a <code>data_base64</code>
+ * string); call <code>parse</code> instead when you want the
+ * Buffer-decoded record. Throws <code>CloudEventsError</code> on malformed
+ * or non-conformant input.
+ *
+ * @opts
+ *   maxBytes:   number,   // default: 1 MiB — reject larger inputs
+ *
+ * @example
+ *   var evt = b.cloudEvents.fromJSON(req.rawBody);
+ */
+function fromJSON(input, opts) {
+  opts = opts || {};
+  var maxBytes = opts.maxBytes == null ? DEFAULT_MAX_BYTES : opts.maxBytes;
+  var obj = _coerceInput(input, "cloudEvents.fromJSON", maxBytes);
+  if (!_isPlainObject(obj)) throw new CloudEventsError("cloud-events/invalid", "cloudEvents.fromJSON: event must be a JSON object");
+  _assertValid(obj, "cloudEvents.fromJSON");
+  return obj;
+}
+
+/**
+ * @primitive b.cloudEvents.toJSONBatch
+ * @signature b.cloudEvents.toJSONBatch(events, opts?)
+ * @since     0.12.63
+ * @status    stable
+ * @related   b.cloudEvents.fromJSONBatch, b.cloudEvents.toJSON
+ *
+ * Serialize an array of CloudEvents envelopes to the JSON batch format
+ * (media type <code>application/cloudevents-batch+json</code>) — a JSON
+ * array of events, each rendered as by <code>toJSON</code>. An empty array
+ * yields <code>"[]"</code>.
+ *
+ * @opts
+ *   space:   number | string,   // JSON.stringify indentation (default: none)
+ *
+ * @example
+ *   var body = b.cloudEvents.toJSONBatch([evtA, evtB]);
+ */
+function toJSONBatch(events, opts) {
+  opts = opts || {};
+  if (!Array.isArray(events)) throw new CloudEventsError("cloud-events/bad-input", "cloudEvents.toJSONBatch: events must be an array");
+  events.forEach(function (event, idx) { _assertValid(event, "cloudEvents.toJSONBatch: event[" + idx + "]"); });
+  return JSON.stringify(events, null, opts.space);
+}
+
+/**
+ * @primitive b.cloudEvents.fromJSONBatch
+ * @signature b.cloudEvents.fromJSONBatch(input, opts?)
+ * @since     0.12.63
+ * @status    stable
+ * @related   b.cloudEvents.toJSONBatch, b.cloudEvents.fromJSON
+ *
+ * Parse a JSON batch (a JSON array of events) from a string or Buffer into
+ * an array of validated CloudEvents envelopes. Each element is validated as
+ * by <code>fromJSON</code>; an empty array is valid. A non-array body,
+ * over-size input, or any non-conformant element throws
+ * <code>CloudEventsError</code>.
+ *
+ * @opts
+ *   maxBytes:   number,   // default: 1 MiB — reject larger inputs
+ *
+ * @example
+ *   var events = b.cloudEvents.fromJSONBatch(req.rawBody);
+ */
+function fromJSONBatch(input, opts) {
+  opts = opts || {};
+  var maxBytes = opts.maxBytes == null ? DEFAULT_MAX_BYTES : opts.maxBytes;
+  var arr = _coerceInput(input, "cloudEvents.fromJSONBatch", maxBytes);
+  if (!Array.isArray(arr)) throw new CloudEventsError("cloud-events/invalid", "cloudEvents.fromJSONBatch: body must be a JSON array");
+  arr.forEach(function (obj, idx) {
+    if (!_isPlainObject(obj)) throw new CloudEventsError("cloud-events/invalid", "cloudEvents.fromJSONBatch: event[" + idx + "] must be a JSON object");
+    _assertValid(obj, "cloudEvents.fromJSONBatch: event[" + idx + "]");
+  });
+  return arr;
+}
+
+// ---- HTTP protocol binding ----
+
+var STRUCTURED_CT = "application/cloudevents+json; charset=UTF-8";
+var BATCH_CT = "application/cloudevents-batch+json; charset=UTF-8";
+
+// Percent-encode a header value: everything outside printable ASCII plus
+// the spec-named space / double-quote / percent (HTTP binding §3.1). `s` is
+// always the already-stringified value from _headerValueFor.
+function _pctEncode(s) {
+  var bytes = Buffer.from(s, "utf8");
+  var out = "";
+  for (var i = 0; i < bytes.length; i += 1) {
+    var by = bytes[i];
+    if (by < 0x21 || by > 0x7E || by === 0x22 || by === 0x25) {   // allow:raw-byte-literal — printable-ASCII bounds + double-quote and percent (HTTP binding header rule)
+      out += "%" + bytes[i].toString(16).toUpperCase().padStart(2, "0");   // allow:raw-byte-literal — 16 is the hex radix
+    } else {
+      out += String.fromCharCode(by);
+    }
+  }
+  return out;
+}
+function _pctDecode(s) {
+  var bytes = [];
+  var i = 0;
+  while (i < s.length) {
+    if (s[i] === "%" && /^[0-9A-Fa-f]{2}$/.test(s.slice(i + 1, i + 3))) {
+      bytes.push(parseInt(s.slice(i + 1, i + 3), 16));   // allow:raw-byte-literal — 16 is the hex radix
+      i += 3;
+    } else {
+      var ch = Buffer.from(s[i], "utf8");
+      for (var j = 0; j < ch.length; j += 1) bytes.push(ch[j]);
+      i += 1;
+    }
+  }
+  return Buffer.from(bytes).toString("utf8");
+}
+function _headerValueFor(v) { return typeof v === "boolean" ? (v ? "true" : "false") : String(v); }
+function _lowerHeaders(headers) {
+  var out = {};
+  Object.keys(headers || {}).forEach(function (k) {
+    var v = headers[k];
+    out[k.toLowerCase()] = Array.isArray(v) ? v.join(",") : v;
+  });
+  return out;
+}
+
+/**
+ * @primitive b.cloudEvents.http.encodeBinary
+ * @signature b.cloudEvents.http.encodeBinary(event)
+ * @since     0.12.63
+ * @status    stable
+ * @related   b.cloudEvents.http.decode, b.cloudEvents.http.encodeStructured
+ *
+ * Render a CloudEvents envelope in HTTP <em>binary</em> content mode: each
+ * context attribute (and extension) becomes a <code>ce-</code>-prefixed
+ * header with a percent-encoded value, <code>datacontenttype</code> maps to
+ * the plain <code>Content-Type</code> header (never
+ * <code>ce-datacontenttype</code>), and the payload becomes the body.
+ * Returns <code>{ headers, body }</code> where <code>body</code> is a
+ * Buffer (for <code>data_base64</code> payloads) or a string.
+ *
+ * @example
+ *   var enc = b.cloudEvents.http.encodeBinary(evt);
+ *   // enc.headers["ce-id"], enc.headers["content-type"], enc.body
+ */
+function encodeBinary(event) {
+  _assertValid(event, "cloudEvents.http.encodeBinary");
+  var headers = {};
+  Object.keys(event).forEach(function (k) {
+    if (k === "data" || k === "data_base64" || k === "datacontenttype") return;
+    if (event[k] === undefined || event[k] === null) return;
+    headers["ce-" + k] = _pctEncode(_headerValueFor(event[k]));
+  });
+  var body;
+  if (event.data_base64 != null) {
+    body = Buffer.from(event.data_base64, "base64");
+  } else if (Object.prototype.hasOwnProperty.call(event, "data")) {
+    // JSON-media payloads (including a bare string under application/json or
+    // an absent content type, which defaults to JSON) must be JSON-encoded
+    // so the body re-parses; a non-JSON media type carries the string as-is.
+    if (_isJsonMedia(event.datacontenttype)) body = JSON.stringify(event.data);
+    else body = typeof event.data === "string" ? event.data : JSON.stringify(event.data);
+  } else body = "";
+  if (event.datacontenttype != null) headers["content-type"] = event.datacontenttype;
+  else if (_isPlainObject(event.data) || Array.isArray(event.data)) headers["content-type"] = "application/json";
+  return { headers: headers, body: body };
+}
+
+/**
+ * @primitive b.cloudEvents.http.encodeStructured
+ * @signature b.cloudEvents.http.encodeStructured(event)
+ * @since     0.12.63
+ * @status    stable
+ * @related   b.cloudEvents.http.decode, b.cloudEvents.http.encodeBinary
+ *
+ * Render a CloudEvents envelope in HTTP <em>structured</em> content mode:
+ * the whole event is serialized via the JSON event format into the body,
+ * with <code>Content-Type: application/cloudevents+json</code>. Returns
+ * <code>{ headers, body }</code>.
+ *
+ * @example
+ *   var enc = b.cloudEvents.http.encodeStructured(evt);
+ */
+function encodeStructured(event) {
+  return { headers: { "content-type": STRUCTURED_CT }, body: toJSON(event) };
+}
+
+/**
+ * @primitive b.cloudEvents.http.encodeBatch
+ * @signature b.cloudEvents.http.encodeBatch(events)
+ * @since     0.12.63
+ * @status    stable
+ * @related   b.cloudEvents.http.decode, b.cloudEvents.toJSONBatch
+ *
+ * Render an array of CloudEvents in HTTP <em>batched</em> content mode: the
+ * JSON batch format in the body with <code>Content-Type:
+ * application/cloudevents-batch+json</code>. Returns
+ * <code>{ headers, body }</code>.
+ *
+ * @example
+ *   var enc = b.cloudEvents.http.encodeBatch([evtA, evtB]);
+ */
+function encodeBatch(events) {
+  return { headers: { "content-type": BATCH_CT }, body: toJSONBatch(events) };
+}
+
+/**
+ * @primitive b.cloudEvents.http.decodeBinary
+ * @signature b.cloudEvents.http.decodeBinary(headers, body, opts?)
+ * @since     0.12.63
+ * @status    stable
+ * @related   b.cloudEvents.http.decode, b.cloudEvents.http.encodeBinary
+ *
+ * Parse an HTTP binary-mode request into a CloudEvents envelope. Headers are
+ * matched case-insensitively; each <code>ce-*</code> header is
+ * percent-decoded into the matching attribute, <code>Content-Type</code>
+ * becomes <code>datacontenttype</code>, and the body becomes the payload
+ * (parsed as JSON when the content type is JSON, kept as a
+ * <code>data_base64</code> string for opaque bytes). The result is
+ * validated. Binary-mode header values are strings, so extension types
+ * other than String are not recovered.
+ *
+ * @opts
+ *   maxBytes:   number,   // default: 1 MiB — reject larger bodies
+ *
+ * @example
+ *   var evt = b.cloudEvents.http.decodeBinary(req.headers, req.rawBody);
+ */
+function decodeBinary(headers, body, opts) {
+  opts = opts || {};
+  var maxBytes = opts.maxBytes == null ? DEFAULT_MAX_BYTES : opts.maxBytes;
+  var h = _lowerHeaders(headers);
+  var event = {};
+  Object.keys(h).forEach(function (k) {
+    if (k.indexOf("ce-") !== 0) return;
+    event[k.slice(3)] = _pctDecode(String(h[k]));
+  });
+  var ct = h["content-type"] != null ? h["content-type"] : null;
+  if (ct != null) event.datacontenttype = ct;
+  var raw;
+  if (body == null) raw = Buffer.alloc(0);
+  else if (Buffer.isBuffer(body)) raw = body;
+  else if (typeof body === "string") raw = Buffer.from(body, "utf8");
+  else throw new CloudEventsError("cloud-events/bad-input", "cloudEvents.http.decodeBinary: body must be a string or Buffer");
+  if (raw.length > maxBytes) throw new CloudEventsError("cloud-events/too-large", "cloudEvents.http.decodeBinary: body exceeds maxBytes (" + maxBytes + ")");
+  if (raw.length > 0) {
+    if (_isJsonMedia(ct)) {
+      try { event.data = safeJson.parse(raw, { maxBytes: maxBytes }); }
+      catch (_e) { throw new CloudEventsError("cloud-events/bad-json", "cloudEvents.http.decodeBinary: JSON body is not valid JSON"); }
+    } else if (typeof ct === "string" && /^text\//i.test(ct)) {
+      event.data = raw.toString("utf8");
+    } else {
+      event.data_base64 = raw.toString("base64");
+    }
+  }
+  _assertValid(event, "cloudEvents.http.decodeBinary");
+  return event;
+}
+
+/**
+ * @primitive b.cloudEvents.http.decode
+ * @signature b.cloudEvents.http.decode(headers, body, opts?)
+ * @since     0.12.63
+ * @status    stable
+ * @related   b.cloudEvents.http.decodeBinary, b.cloudEvents.http.encodeStructured
+ *
+ * Parse an HTTP request into a CloudEvents envelope (or array, for a batch),
+ * auto-detecting the content mode exactly as a conformant receiver does: a
+ * <code>Content-Type</code> beginning
+ * <code>application/cloudevents-batch</code> is batched, one beginning
+ * <code>application/cloudevents</code> is structured, and anything else is
+ * binary mode. Returns a single envelope for binary/structured modes and an
+ * array for batched mode.
+ *
+ * @opts
+ *   maxBytes:   number,   // default: 1 MiB — reject larger bodies
+ *
+ * @example
+ *   var evt = b.cloudEvents.http.decode(req.headers, req.rawBody);
+ */
+function decode(headers, body, opts) {
+  var h = _lowerHeaders(headers);
+  var ct = (h["content-type"] != null ? h["content-type"] : "") || "";
+  if (/^application\/cloudevents-batch\b/i.test(ct)) return fromJSONBatch(body, opts);
+  if (/^application\/cloudevents\b/i.test(ct)) return fromJSON(body, opts);
+  return decodeBinary(headers, body, opts);
+}
+
 module.exports = {
   wrap:             wrap,
   parse:            parse,
+  validate:         validate,
+  isValid:          isValid,
+  toJSON:           toJSON,
+  fromJSON:         fromJSON,
+  toJSONBatch:      toJSONBatch,
+  fromJSONBatch:    fromJSONBatch,
+  http: {
+    encodeBinary:     encodeBinary,
+    encodeStructured: encodeStructured,
+    encodeBatch:      encodeBatch,
+    decodeBinary:     decodeBinary,
+    decode:           decode,
+  },
   SPECVERSION:      SPECVERSION,
   REQUIRED_ATTRS:   REQUIRED_ATTRS,
   CloudEventsError: CloudEventsError,

package/lib/csp.js

@@ -67,9 +67,10 @@ var ALL_DIRECTIVES = [
   "default-src", "script-src", "script-src-elem", "script-src-attr",
   "style-src", "style-src-elem", "style-src-attr",
   "img-src", "media-src", "font-src", "connect-src", "object-src",
-  "frame-src", "child-src", "worker-src", "manifest-src", "prefetch-src",
+  "frame-src", "child-src", "worker-src", "fenced-frame-src",
+  "manifest-src", "prefetch-src",
   "form-action", "frame-ancestors", "navigate-to", "base-uri", "sandbox",
-  "report-to", "report-uri",
+  "webrtc", "report-to", "report-uri",
   "require-trusted-types-for", "trusted-types",
   "upgrade-insecure-requests", "block-all-mixed-content",
 ];

package/lib/jtd.js

@@ -29,6 +29,7 @@
  */
 
 var { defineClass } = require("./framework-error");
+var rfc3339 = require("./rfc3339");
 
 var JtdError = defineClass("JtdError", { alwaysPermanent: true });
 
@@ -48,21 +49,9 @@ var SHARED_KEYWORDS = { definitions: 1, nullable: 1, metadata: 1 };
 function _isPlainObject(v) { return v !== null && typeof v === "object" && !Array.isArray(v); }
 function _isInteger(v) { return typeof v === "number" && isFinite(v) && Math.floor(v) === v; }
 
-// RFC 3339 date-time (the JTD "timestamp" type).
-var RFC3339 = /^(\d{4})-(\d{2})-(\d{2})[Tt](\d{2}):(\d{2}):(\d{2})(\.\d+)?([Zz]|[+-]\d{2}:\d{2})$/;
-function _validTimestamp(s) {
-  var m = RFC3339.exec(s);
-  if (!m) return false;
-  var mo = +m[2], d = +m[3], h = +m[4], mi = +m[5], se = +m[6];
-  if (mo < 1 || mo > 12 || d < 1 || d > 31 || h > 23 || mi > 59 || se > 60) return false;   // allow:raw-time-literal — RFC 3339 field ranges (60 = leap second)
-  var days = [31, ((+m[1] % 4 === 0 && +m[1] % 100 !== 0) || +m[1] % 400 === 0) ? 29 : 28, 31, 30, 31, 30, 31, 31, 30, 31, 30, 31];   // allow:raw-time-literal — days per month
-  if (d > days[mo - 1]) return false;
-  var tz = m[8];
-  if (tz !== "Z" && tz !== "z") {                            // numeric offset must be in range
-    if (+tz.slice(1, 3) > 23 || +tz.slice(4, 6) > 59) return false;   // allow:raw-time-literal — RFC 3339 offset hour/minute ranges
-  }
-  return true;
-}
+// RFC 3339 date-time (the JTD "timestamp" type) — strict form shared with
+// the other spec-driven consumers via lib/rfc3339.js.
+var _validTimestamp = rfc3339.isValidDateTime;
 
 // --- compile-time well-formedness (RFC 8927 section 2.2) ---
 function _checkSchema(schema, root, isRoot) {

package/lib/rfc3339.js

@@ -0,0 +1,37 @@
+"use strict";
+/**
+ * rfc3339 — strict RFC 3339 date-time validation, shared by the primitives
+ * whose specs require the full "internet date/time" form (a mandatory
+ * "T"/"t" separator and a mandatory "Z" or numeric UTC offset). b.jtd's
+ * `timestamp` type and b.cloudevents' `time` attribute both point at
+ * RFC 3339, so the field-range + leap-year + offset-range checks live here
+ * once instead of drifting between them.
+ *
+ * This is intentionally NOT the lenient validator b.guardTime ships: that
+ * one accepts a space separator and an absent offset by design (a content-
+ * safety guard tuned per profile), whereas these consumers must reject
+ * anything the spec disallows.
+ *
+ *   var rfc3339 = require("./rfc3339");
+ *   rfc3339.isValidDateTime("2018-04-05T17:31:00Z");   // → true
+ */
+
+// "T" separator required; offset ("Z"/"z" or ±HH:MM) required.
+var RFC3339_RE = /^(\d{4})-(\d{2})-(\d{2})[Tt](\d{2}):(\d{2}):(\d{2})(\.\d+)?([Zz]|[+-]\d{2}:\d{2})$/;
+
+function isValidDateTime(s) {
+  if (typeof s !== "string") return false;
+  var m = RFC3339_RE.exec(s);
+  if (!m) return false;
+  var mo = +m[2], d = +m[3], h = +m[4], mi = +m[5], se = +m[6];
+  if (mo < 1 || mo > 12 || d < 1 || d > 31 || h > 23 || mi > 59 || se > 60) return false;   // allow:raw-time-literal — RFC 3339 field ranges (60 = leap second)
+  var days = [31, ((+m[1] % 4 === 0 && +m[1] % 100 !== 0) || +m[1] % 400 === 0) ? 29 : 28, 31, 30, 31, 30, 31, 31, 30, 31, 30, 31];   // allow:raw-time-literal — days per month (Gregorian)
+  if (d > days[mo - 1]) return false;
+  var tz = m[8];
+  if (tz !== "Z" && tz !== "z") {
+    if (+tz.slice(1, 3) > 23 || +tz.slice(4, 6) > 59) return false;   // allow:raw-time-literal — RFC 3339 offset hour/minute ranges
+  }
+  return true;
+}
+
+module.exports = { isValidDateTime: isValidDateTime, RFC3339_RE: RFC3339_RE };

package/lib/safe-buffer.js

@@ -372,6 +372,13 @@ var HEX_RE = /^[0-9a-fA-F]+$/;
 // is length-agnostic — callers cap length per protocol contract.
 var BASE64URL_RE = /^[A-Za-z0-9_-]+$/;
 
+// BASE64_RE matches standard base64 (RFC 4648 §4) with the `+` / `/`
+// alphabet and canonical 0-2 chars of `=` padding (empty string allowed).
+// Shared by callers that validate padded base64 fields (backup manifest
+// digests, CloudEvents data_base64) so the alphabet check isn't reinvented.
+// Length-agnostic — callers cap length per their own contract / maxBytes.
+var BASE64_RE = /^[A-Za-z0-9+/]*={0,2}$/;
+
 // Fixed-length hex predicates used by trace-context primitives (W3C
 // trace-id is 16 bytes = 32 hex chars; span-id / parent-id is 8
 // bytes = 16 hex chars). Extracted to keep callers length-bounded
@@ -552,6 +559,7 @@ module.exports = {
   stripTrailingHspace:   stripTrailingHspace,
   HEX_RE:                HEX_RE,
   BASE64URL_RE:          BASE64URL_RE,
+  BASE64_RE:             BASE64_RE,
   IPV6_HEXTET_RE:        IPV6_HEXTET_RE,
   TRACE_ID_HEX_RE:       TRACE_ID_HEX_RE,
   SPAN_ID_HEX_RE:        SPAN_ID_HEX_RE,

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@blamejs/core",
-  "version": "0.12.62",
+  "version": "0.12.63",
   "description": "The Node framework that owns its stack.",
   "license": "Apache-2.0",
   "author": "blamejs contributors",

package/sbom.cdx.json

@@ -2,10 +2,10 @@
   "$schema": "http://cyclonedx.org/schema/bom-1.5.schema.json",
   "bomFormat": "CycloneDX",
   "specVersion": "1.5",
-  "serialNumber": "urn:uuid:f56710ee-2e4e-4c8e-af88-80f79561870e",
+  "serialNumber": "urn:uuid:d1709f88-d452-4b6c-9796-971cb4dc9a1a",
   "version": 1,
   "metadata": {
-    "timestamp": "2026-05-26T03:54:31.896Z",
+    "timestamp": "2026-05-26T06:02:00.412Z",
     "lifecycles": [
       {
         "phase": "build"
@@ -19,14 +19,14 @@
       }
     ],
     "component": {
-      "bom-ref": "@blamejs/core@0.12.62",
+      "bom-ref": "@blamejs/core@0.12.63",
       "type": "application",
       "name": "blamejs",
-      "version": "0.12.62",
+      "version": "0.12.63",
       "scope": "required",
       "author": "blamejs contributors",
       "description": "The Node framework that owns its stack.",
-      "purl": "pkg:npm/%40blamejs/core@0.12.62",
+      "purl": "pkg:npm/%40blamejs/core@0.12.63",
       "properties": [],
       "externalReferences": [
         {
@@ -54,7 +54,7 @@
   "components": [],
   "dependencies": [
     {
-      "ref": "@blamejs/core@0.12.62",
+      "ref": "@blamejs/core@0.12.63",
       "dependsOn": []
     }
   ]