@blamejs/core 0.12.63 → 0.12.65

package/CHANGELOG.md

@@ -8,6 +8,10 @@ upgrading across more than a few patches at a time.
 
 ## v0.12.x
 
+- v0.12.65 (2026-05-26) — **`b.base32` — RFC 4648 Base32 encode / decode.** Encode and decode RFC 4648 Base32 — the case-insensitive alphabet behind TOTP / 2FA secrets, DNSSEC NSEC3 hashes, and human-transcribable identifiers. Both RFC 4648 variants are supported: the standard alphabet (the default) and the extended-hex alphabet. b.base32.encode pads to an 8-character boundary by default (pass padding: false for the bare form TOTP key URIs use); b.base32.decode is strict by default but accepts the real-world shapes humans produce — lower-case, embedded spaces and dashes, missing padding — under loose: true. Verified against the RFC 4648 §10 test vectors for both alphabets. The TOTP primitive now composes this codec instead of carrying its own Base32 implementation. **Added:** *`b.base32.encode` / `b.base32.decode`* — RFC 4648 Base32 codec. `encode(buf, opts)` takes a Buffer or Uint8Array and returns a Base32 string, padded to an 8-character boundary unless `padding: false`; `decode(str, opts)` returns a Buffer. The `variant` option selects the standard (`"rfc4648"`, default) or extended-hex (`"rfc4648-hex"`) alphabet. Decoding is strict by default — any character outside the alphabet throws `Base32Error` — and `loose: true` up-cases the input and ignores embedded spaces, dashes, and missing padding, which is how copied TOTP keys and hand-typed codes arrive. **Changed:** *TOTP composes `b.base32`* — `b.auth.totp` now encodes and decodes its secrets through `b.base32` rather than a private Base32 implementation. Behavior is unchanged — secrets are still emitted unpadded and parsed leniently (case-insensitive, ignoring spaces and dashes).
+
+- v0.12.64 (2026-05-25) — **`b.jsonSchema` — JSON Schema 2020-12 validation.** Validate JSON against a JSON Schema 2020-12 document — the dialect OpenAPI 3.1 adopted and the most widely implemented schema language. b.jsonSchema.compile(schema) returns a reusable validator; b.jsonSchema.validate(schema, instance) compiles and runs in one call, returning { valid, errors } where each error names the failing instance location, keyword, and schema path. The full 2020-12 vocabulary is supported: every applicator (allOf / anyOf / oneOf / not / if-then-else, properties / patternProperties / additionalProperties / prefixItems / items / contains), the annotation-aware unevaluatedProperties / unevaluatedItems, every assertion keyword, and reference resolution ($ref / $anchor / $dynamicRef / $dynamicAnchor / $defs / $id base URIs). format is an annotation by default (opt in to assertion with assertFormat). External references resolve through an operator-supplied schema map — never a network fetch. Verified against the official JSON-Schema-Test-Suite (1292 of 1295 draft2020-12 cases; the remainder need the bundled dialect metaschema or $vocabulary selection, both opt-in). This is the standards-track counterpart to the fluent b.safeSchema builder and the portable b.jtd. **Added:** *`b.jsonSchema` — JSON Schema 2020-12* — `compile(schema, opts)` returns `{ validate, isValid }`; `validate(schema, instance, opts)` and `isValid(schema, instance, opts)` compile and run in one call. `validate` returns `{ valid, errors }`, each error a `{ instancePath, keyword, schemaPath, message }`. The full 2020-12 vocabulary is implemented — applicators, annotation-aware `unevaluatedProperties` / `unevaluatedItems`, every assertion keyword, and `$ref` / `$anchor` / `$dynamicRef` / `$dynamicAnchor` / `$defs` / `$id` resolution. `format` is an annotation by default (`assertFormat: true` to assert). External references resolve through `opts.schemas` (a URI→schema map), never a network fetch. Reach for it when the schema is an existing JSON Schema document (an API contract, OpenAPI component, or config schema); `b.safeSchema` remains the fluent in-process builder and `b.jtd` the portable codegen-friendly option. Validating a schema document against the dialect metaschema requires supplying that metaschema via `opts.schemas`, and `$vocabulary`-based keyword selection is not honored (every standard keyword always asserts).
+
 - v0.12.63 (2026-05-25) — **`b.cloudEvents` gains the JSON event format, batch, and the HTTP binding.** b.cloudEvents grows beyond wrap / parse into a full CloudEvents 1.0.2 surface. b.cloudEvents.validate / isValid check an envelope against the spec without throwing (the non-throwing companion to parse). toJSON / fromJSON serialize and parse the JSON event format, and toJSONBatch / fromJSONBatch handle the JSON batch format; untrusted bodies parse through the framework's bounded, prototype-pollution-safe JSON reader. The new http.* binding speaks both content modes the spec defines — binary mode spreads context attributes across percent-encoded ce-* headers with the data in the body, structured mode carries the whole event as application/cloudevents+json — plus the batch mode, and http.decode auto-detects the incoming mode from Content-Type exactly as a conformant receiver does. Verified against the spec's normative example events. **Added:** *`b.cloudEvents` JSON event format, batch, and HTTP binding* — `validate` / `isValid` report spec violations without throwing (the non-throwing companion to `parse`). `toJSON` / `fromJSON` and `toJSONBatch` / `fromJSONBatch` serialize and parse the JSON event and batch formats over the existing envelope shape. `http.encodeBinary` / `http.encodeStructured` / `http.encodeBatch` render the three HTTP content modes — binary spreads attributes across percent-encoded `ce-*` headers, structured and batched carry the event(s) as `application/cloudevents+json` / `application/cloudevents-batch+json` — and `http.decode` parses a request back into an envelope (or array) by auto-detecting the mode from `Content-Type`. `b.jtd` or `b.safeSchema` still validate the event's `data` payload. **Fixed:** *`b.csp.build` accepts `fenced-frame-src` and `webrtc`* — The CSP3 `fenced-frame-src` directive — which the default security-headers policy emits to block `<fencedframe>` embeds — was missing from the builder's recognized-directive set, so the default policy could not round-trip through `b.csp.build` (it threw `csp/unknown-directive`). Both `fenced-frame-src` and the CSP3 `webrtc` directive are now recognized.
 
 - v0.12.62 (2026-05-26) — **`b.jtd` — JSON Type Definition validation (RFC 8927).** Validate JSON against a JSON Type Definition schema (RFC 8927) — a small, portable, cross-implementation schema language, the interop-friendly companion to the framework's fluent b.safeSchema builder. b.jtd.validate(schema, instance) returns an array of { instancePath, schemaPath } errors (empty = valid); b.jtd.isValid is the boolean form. All eight schema forms are supported — empty, type, enum, elements, properties (with optional / additional properties and nullable), values, discriminator (with mapping), and ref (with definitions) — including the integer-range and RFC 3339 timestamp types. A malformed schema is rejected at compile time with jtd/bad-schema rather than silently mis-validating. Verified against the official json-typedef-spec suites: all 316 validation cases and all 49 invalid-schema cases. **Added:** *`b.jtd.validate(schema, instance)` / `b.jtd.isValid(schema, instance)`* — `validate` returns the RFC 8927 error list — each `{ instancePath, schemaPath }` naming the offending value and the broken schema rule — and `isValid` is the boolean convenience form. Supports every JTD form and type: the numeric types enforce their exact ranges (int8 … uint32, float32 / float64), `timestamp` requires an RFC 3339 date-time, `properties` honours `optionalProperties` / `additionalProperties` / `nullable`, and `discriminator` selects a `mapping` schema by a tag property. The schema is checked for well-formedness before validation, so unknown keywords, multiple forms, bad refs, or a discriminator over a non-properties mapping all throw `jtd/bad-schema`. Use JTD for schemas you share across implementations or generate code from; use `b.safeSchema` for in-process fluent validation.

package/README.md

@@ -100,6 +100,8 @@ The framework bundles the surface a typical Node app reaches for. Every primitiv
 - **HPKE / HTTP signatures** — RFC 9180 HPKE with ML-KEM-1024 + HKDF-SHA3-512 + ChaCha20-Poly1305 (`b.crypto.hpke`); RFC 9421 HTTP Message Signatures with derived components and ed25519 / ML-DSA-65 (`b.crypto.httpSig`); RFC 9530 Content-Digest / Repr-Digest body-integrity fields (SHA-256 / SHA-512, legacy algorithms refused — `b.contentDigest`) to sign the digest rather than the whole body
 - **Link header** — RFC 8288 Web Linking codec (`b.linkHeader.parse` / `serialize`): parse and build `Link: <uri>; rel="next"` relations, the standard REST pagination mechanism; quote-aware (a comma inside a quoted parameter never splits the list)
 - **JSON Type Definition** — RFC 8927 validation (`b.jtd.validate` / `isValid`): portable, cross-implementation schema validation (all eight forms — type / enum / elements / properties / values / discriminator / ref / empty), returning instancePath / schemaPath errors; validated against the official 316-case suite. Interop companion to the fluent `b.safeSchema` builder
+- **JSON Schema 2020-12** — the OpenAPI 3.1 dialect (`b.jsonSchema.compile` / `validate` / `isValid`): full vocabulary including every applicator, annotation-aware `unevaluatedProperties` / `unevaluatedItems`, and `$ref` / `$dynamicRef` / `$anchor` / `$id` resolution (external refs via an operator-supplied schema map, never a network fetch); `format` is an annotation unless `assertFormat` is set; returns located `{ valid, errors }`. Validated against the official JSON-Schema-Test-Suite. Standards-track counterpart to `b.safeSchema` and `b.jtd`
+- **Base32** — RFC 4648 codec (`b.base32.encode` / `decode`): standard + extended-hex alphabets, padded or bare, strict or lenient decode (case-insensitive, ignoring spaces / dashes for copied TOTP keys); validated against the RFC 4648 §10 vectors. The codec behind `b.auth.totp` secrets
 - **JSONPath** — full RFC 9535 query evaluator (`b.jsonPath.query` / `paths`): name / wildcard / index / slice / descendant selectors, `?filter` expressions, and the five standard functions, with compile-time well-typedness checks (validated against the official 703-case compliance suite); complements the JSONPath guards
 - **JSON Pointer / Patch** — RFC 6901 `b.jsonPointer.get` (reference a value by `/foo/0/bar`) + RFC 6902 `b.jsonPatch.apply` (atomic add / remove / replace / move / copy / test for HTTP PATCH; the input document is never mutated, structural `test` comparison) + RFC 7396 `b.jsonMergePatch.merge` (the `merge-patch+json` partial-document format; both PATCH formats are prototype-pollution-safe)
 - **Canonical JSON** — RFC 8785 JSON Canonicalization Scheme (`b.canonicalJson.stringifyJcs`): the deterministic, sorted-key byte form to hash or sign (custom credentials, receipts, deterministic request signing); UTF-16 key ordering + ECMAScript number formatting, with a lenient `stringify` variant for Buffers / Dates / BigInts

package/index.js

@@ -403,6 +403,8 @@ var jsonPatch = require("./lib/json-patch");
 var jsonMergePatch = require("./lib/json-merge-patch");
 var jsonPath = require("./lib/json-path");
 var jtd = require("./lib/jtd");
+var jsonSchema = require("./lib/json-schema");
+var base32 = require("./lib/base32");
 var standardWebhooks = require("./lib/standard-webhooks");
 var lro = require("./lib/lro");
 var jsonApi = require("./lib/jsonapi");
@@ -427,6 +429,8 @@ module.exports = {
   jsonMergePatch:   jsonMergePatch,
   jsonPath:         jsonPath,
   jtd:              jtd,
+  jsonSchema:       jsonSchema,
+  base32:           base32,
   standardWebhooks: standardWebhooks,
   lro:              lro,
   jsonApi:          jsonApi,

package/lib/base32.js

@@ -0,0 +1,154 @@
+"use strict";
+/**
+ * @module b.base32
+ * @nav    Data
+ * @title  Base32
+ *
+ * @intro
+ *   Encode and decode <a href="https://www.rfc-editor.org/rfc/rfc4648">RFC
+ *   4648</a> Base32 — the case-insensitive, digit-light alphabet used for
+ *   TOTP / 2FA secrets, DNSSEC NSEC3 hashes, and human-transcribable
+ *   identifiers. Both RFC 4648 variants are supported: the standard
+ *   alphabet (<code>variant: "rfc4648"</code>, default) and the
+ *   extended-hex alphabet (<code>variant: "rfc4648-hex"</code>, which sorts
+ *   in the same order as the underlying bytes).
+ *
+ *   <code>encode</code> pads to an 8-character boundary with
+ *   <code>=</code> by default (pass <code>padding: false</code> for the
+ *   bare form TOTP key URIs use). <code>decode</code> is strict by default
+ *   — it rejects any character outside the alphabet — but
+ *   <code>loose: true</code> accepts the real-world shapes humans produce:
+ *   lower-case input, embedded spaces and dashes, and missing padding.
+ *
+ * @card
+ *   RFC 4648 Base32 encode / decode (standard + extended-hex alphabets,
+ *   padded or bare, strict or lenient) — the codec behind TOTP secrets and
+ *   transcribable identifiers.
+ */
+
+var { defineClass } = require("./framework-error");
+
+var Base32Error = defineClass("Base32Error", { alwaysPermanent: true });
+
+var ALPHABETS = {
+  "rfc4648": "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
+  "rfc4648-hex": "0123456789ABCDEFGHIJKLMNOPQRSTUV",
+};
+// Reverse lookups per variant: char-code → 5-bit value.
+var LOOKUPS = {};
+Object.keys(ALPHABETS).forEach(function (v) {
+  var map = {};
+  for (var i = 0; i < ALPHABETS[v].length; i++) map[ALPHABETS[v].charAt(i)] = i;
+  LOOKUPS[v] = map;
+});
+
+var GROUP = 8;                                              // allow:raw-byte-literal — Base32 emits 8 chars per 5 input bytes (RFC 4648 §6)
+var BITS = 5;                                               // 5 bits per Base32 symbol
+
+function _alphabet(variant) {
+  var a = ALPHABETS[variant || "rfc4648"];
+  if (!a) throw new Base32Error("base32/bad-variant", "base32: variant must be 'rfc4648' or 'rfc4648-hex'");
+  return a;
+}
+
+/**
+ * @primitive  b.base32.encode
+ * @signature  b.base32.encode(input, opts?)
+ * @since      0.12.65
+ * @status     stable
+ * @related    b.base32.decode
+ *
+ * Encode a Buffer (or Uint8Array) to an RFC 4648 Base32 string. Output is
+ * padded to an 8-character boundary with <code>=</code> unless
+ * <code>padding: false</code>. The empty input encodes to the empty string.
+ *
+ * @opts
+ *   variant:   "rfc4648" | "rfc4648-hex",   // default: "rfc4648"
+ *   padding:   boolean,                      // default: true
+ *
+ * @example
+ *   b.base32.encode(Buffer.from("foobar"));
+ *   // → "MFRGGZDFMZTWQ===="
+ */
+function encode(input, opts) {
+  opts = opts || {};
+  var buf;
+  if (Buffer.isBuffer(input)) buf = input;
+  else if (input instanceof Uint8Array) buf = Buffer.from(input);
+  else throw new Base32Error("base32/bad-input", "base32.encode: input must be a Buffer or Uint8Array");
+  var alphabet = _alphabet(opts.variant);
+  var pad = opts.padding !== false;
+
+  var out = "";
+  var value = 0, bits = 0;
+  for (var i = 0; i < buf.length; i++) {
+    value = (value << 8) | buf[i];                          // allow:raw-byte-literal — shift in one input byte
+    bits += 8;                                              // allow:raw-byte-literal — eight bits per input byte
+    while (bits >= BITS) {
+      out += alphabet.charAt((value >>> (bits - BITS)) & 31);   // allow:raw-byte-literal — low 5 bits mask (2^5 - 1)
+      bits -= BITS;
+    }
+  }
+  if (bits > 0) out += alphabet.charAt((value << (BITS - bits)) & 31);   // allow:raw-byte-literal — final partial group, low 5 bits
+  if (pad) while (out.length % GROUP !== 0) out += "=";
+  return out;
+}
+
+/**
+ * @primitive  b.base32.decode
+ * @signature  b.base32.decode(str, opts?)
+ * @since      0.12.65
+ * @status     stable
+ * @related    b.base32.encode
+ *
+ * Decode an RFC 4648 Base32 string to a Buffer. Strict by default: any
+ * character outside the variant's alphabet (other than trailing
+ * <code>=</code> padding) throws <code>Base32Error</code>. With
+ * <code>loose: true</code> the decoder up-cases the input and ignores
+ * embedded spaces and dashes (and missing padding) — the shapes TOTP keys
+ * and hand-typed codes take.
+ *
+ * @opts
+ *   variant:   "rfc4648" | "rfc4648-hex",   // default: "rfc4648"
+ *   loose:     boolean,                      // default: false
+ *
+ * @example
+ *   b.base32.decode("MFRGGZDFMZTWQ====").toString();
+ *   // → "foobar"
+ */
+function decode(str, opts) {
+  opts = opts || {};
+  if (typeof str !== "string") throw new Base32Error("base32/bad-input", "base32.decode: input must be a string");
+  _alphabet(opts.variant);
+  var lookup = LOOKUPS[opts.variant || "rfc4648"];
+  var loose = opts.loose === true;
+
+  var bytes = [];
+  var value = 0, bits = 0;
+  var inPad = false;   // once "=" padding starts, only more "=" may follow
+  for (var i = 0; i < str.length; i++) {
+    var ch = str.charAt(i);
+    if (ch === "=") { inPad = true; continue; }             // trailing padding
+    if (loose && (ch === " " || ch === "-")) continue;      // ignore separators
+    // A data character after padding is malformed in either mode — the "="
+    // run must be trailing (rejects "M=Y======" / "MZXW=6YTB").
+    if (inPad) throw new Base32Error("base32/bad-char", "base32.decode: data character '" + ch + "' after padding at index " + i);
+    if (loose) ch = ch.toUpperCase();
+    var idx = lookup[ch];
+    if (idx === undefined) throw new Base32Error("base32/bad-char", "base32.decode: invalid Base32 character '" + str.charAt(i) + "' at index " + i);
+    value = (value << BITS) | idx;
+    bits += BITS;
+    if (bits >= 8) {                                        // allow:raw-byte-literal — emit a full output byte
+      bytes.push((value >>> (bits - 8)) & 0xff);            // allow:raw-byte-literal — eight-bit output byte mask
+      bits -= 8;                                            // allow:raw-byte-literal — consumed eight bits
+    }
+  }
+  return Buffer.from(bytes);
+}
+
+module.exports = {
+  encode:      encode,
+  decode:      decode,
+  ALPHABETS:   ALPHABETS,
+  Base32Error: Base32Error,
+};

package/lib/json-schema.js

@@ -0,0 +1,740 @@
+"use strict";
+/**
+ * @module b.jsonSchema
+ * @nav    Data
+ * @title  JSON Schema
+ *
+ * @intro
+ *   Validate JSON against a <a href="https://json-schema.org/">JSON Schema</a>
+ *   2020-12 document — the dialect <a href="https://www.openapis.org/">OpenAPI
+ *   3.1</a> adopted and the most widely implemented schema language. This is
+ *   the standards-track counterpart to the fluent <code>b.safeSchema</code>
+ *   builder (in-process, ergonomic) and the portable <code>b.jtd</code>
+ *   (small, codegen-friendly): reach for <code>b.jsonSchema</code> when the
+ *   schema is an existing JSON Schema document — an API contract, a config
+ *   schema, an OpenAPI component.
+ *
+ *   <code>compile(schema, opts)</code> returns a reusable validator;
+ *   <code>validate(schema, instance, opts)</code> compiles and runs in one
+ *   call, returning <code>{ valid, errors }</code> where each error names the
+ *   failing instance location, the schema keyword, and a message. The full
+ *   2020-12 vocabulary is supported — every applicator
+ *   (<code>allOf</code> / <code>anyOf</code> / <code>oneOf</code> /
+ *   <code>not</code> / <code>if</code>-<code>then</code>-<code>else</code>,
+ *   <code>properties</code> / <code>patternProperties</code> /
+ *   <code>additionalProperties</code> / <code>prefixItems</code> /
+ *   <code>items</code> / <code>contains</code>), the annotation-aware
+ *   <code>unevaluatedProperties</code> / <code>unevaluatedItems</code>, every
+ *   assertion keyword, and reference resolution
+ *   (<code>$ref</code> / <code>$anchor</code> / <code>$dynamicRef</code> /
+ *   <code>$dynamicAnchor</code> / <code>$defs</code> / <code>$id</code> base
+ *   URIs). <code>format</code> is an annotation by default (opt in to
+ *   assertion with <code>assertFormat: true</code>). External references
+ *   resolve through an operator-supplied schema map (<code>opts.schemas</code>)
+ *   — never a network fetch.
+ *
+ *   Two advanced behaviors are opt-in rather than built in: validating a
+ *   schema <em>document</em> against the dialect metaschema works only if you
+ *   supply that metaschema via <code>opts.schemas</code> (it is not bundled),
+ *   and <code>$vocabulary</code>-based keyword selection is not honored —
+ *   every standard keyword always asserts.
+ *
+ * @card
+ *   JSON Schema 2020-12 validation (the OpenAPI 3.1 dialect) — full
+ *   vocabulary including <code>$dynamicRef</code> and annotation-aware
+ *   <code>unevaluated*</code>, returning located <code>{ valid, errors }</code>.
+ *   The standards-track companion to <code>b.safeSchema</code> and
+ *   <code>b.jtd</code>.
+ */
+
+var numericBounds = require("./numeric-bounds");
+var rfc3339 = require("./rfc3339");
+var { defineClass } = require("./framework-error");
+
+var JsonSchemaError = defineClass("JsonSchemaError", { alwaysPermanent: true });
+
+var DIALECT_2020_12 = "https://json-schema.org/draft/2020-12/schema";
+var MAX_REF_DEPTH = 10000;                                  // allow:raw-byte-literal — recursion-depth cap (count, not a byte size)
+var DEFAULT_MAX_ERRORS = 100;                               // error-collection cap
+
+function _typeOf(v) {
+  if (v === null) return "null";
+  if (Array.isArray(v)) return "array";
+  if (typeof v === "number") return "number";
+  if (typeof v === "boolean") return "boolean";
+  if (typeof v === "string") return "string";
+  if (typeof v === "object") return "object";
+  return "unknown";
+}
+function _isObject(v) { return v !== null && typeof v === "object" && !Array.isArray(v); }
+function _isInteger(v) { return typeof v === "number" && isFinite(v) && Math.floor(v) === v; }
+
+// Deep equality for enum / const / uniqueItems (JSON value semantics).
+function _deepEqual(a, b) {
+  if (a === b) return true;
+  var ta = _typeOf(a), tb = _typeOf(b);
+  if (ta !== tb) return false;
+  if (ta === "number") return a === b;
+  if (ta === "array") {
+    if (a.length !== b.length) return false;
+    for (var i = 0; i < a.length; i++) if (!_deepEqual(a[i], b[i])) return false;
+    return true;
+  }
+  if (ta === "object") {
+    var ka = Object.keys(a), kb = Object.keys(b);
+    if (ka.length !== kb.length) return false;
+    for (var j = 0; j < ka.length; j++) {
+      if (!Object.prototype.hasOwnProperty.call(b, ka[j])) return false;
+      if (!_deepEqual(a[ka[j]], b[ka[j]])) return false;
+    }
+    return true;
+  }
+  return false;
+}
+
+// --- URI helpers (RFC 3986 resolution via WHATWG URL where possible) ---
+
+function _resolveUri(ref, base) {
+  if (!base) {
+    // No base — keep absolute as-is; bare fragments stay as "#...".
+    if (ref.indexOf("#") === 0) return ref;
+    return ref;
+  }
+  if (ref === "") return base;
+  // RFC 3986 relative→absolute resolution of a schema $id/$ref (operator-
+  // trusted schema text, not request data); safeUrl.parse intentionally
+  // rejects the relative refs and non-http schemes schemas legitimately use.
+  try { return new URL(ref, base).href; }   // allow:raw-new-url — schema $id/$ref URI resolution, not request-data URL handling
+  catch (_e) {
+    // Relative resolution against a non-URL base (e.g. "urn:..." or a
+    // bare name). Fall back to fragment-aware concatenation.
+    if (ref.indexOf("#") === 0) {
+      var hashIdx = base.indexOf("#");
+      return (hashIdx === -1 ? base : base.slice(0, hashIdx)) + ref;
+    }
+    return ref;
+  }
+}
+function _splitFragment(uri) {
+  var i = uri.indexOf("#");
+  if (i === -1) return { base: uri, fragment: null };
+  return { base: uri.slice(0, i), fragment: uri.slice(i + 1) };
+}
+// Decode a JSON Pointer reference token (~1 → /, ~0 → ~) per RFC 6901.
+function _unescapePointerToken(t) { return t.replace(/~1/g, "/").replace(/~0/g, "~"); }
+
+// --- registry: indexes every subschema by canonical URI + anchors ---
+
+function _Registry() { this.schemas = {}; this.dynamicAnchors = {}; this.baseByNode = new Map(); }
+
+_Registry.prototype.add = function (schema, baseUri) {
+  this._walk(schema, baseUri || "", "");
+  // A document retrieved from URI X is addressable by X even when its own
+  // $id is a different (canonical) URI — register the retrieval URI too.
+  if (baseUri && (_isObject(schema) || typeof schema === "boolean")) {
+    if (!Object.prototype.hasOwnProperty.call(this.schemas, baseUri)) this.schemas[baseUri] = schema;
+    if (!Object.prototype.hasOwnProperty.call(this.schemas, baseUri + "#")) this.schemas[baseUri + "#"] = schema;
+  }
+};
+
+// Walk a schema document, registering $id base changes, $anchor and
+// $dynamicAnchor names, and indexing every subschema by its base URI +
+// JSON-pointer fragment.
+_Registry.prototype._walk = function (node, baseUri, pointer) {
+  if (!_isObject(node) && typeof node !== "boolean") return;
+  if (typeof node === "boolean") { this.schemas[baseUri + "#" + pointer] = node; return; }
+
+  var thisBase = baseUri;
+  if (typeof node.$id === "string") {
+    thisBase = _resolveUri(node.$id, baseUri);
+    var sf = _splitFragment(thisBase);
+    thisBase = sf.base + (sf.fragment ? "#" + sf.fragment : "");
+    // Canonicalize: $id without fragment becomes the new base.
+    if (!sf.fragment) {
+      this.schemas[thisBase] = node;
+      this.schemas[thisBase + "#"] = node;
+    }
+    pointer = "";   // pointer is now relative to the new base
+  }
+  // Index this node by base#pointer + record its canonical base so the
+  // validator uses it directly (a $ref to a node with its own relative $id
+  // must NOT re-resolve that $id against the URI used to reach it).
+  this.schemas[thisBase + "#" + pointer] = node;
+  if (pointer === "") this.schemas[thisBase] = node;
+  this.baseByNode.set(node, thisBase);
+
+  if (typeof node.$anchor === "string") {
+    this.schemas[thisBase + "#" + node.$anchor] = node;
+  }
+  if (typeof node.$dynamicAnchor === "string") {
+    this.schemas[thisBase + "#" + node.$dynamicAnchor] = node;
+    if (!this.dynamicAnchors[node.$dynamicAnchor]) this.dynamicAnchors[node.$dynamicAnchor] = [];
+    this.dynamicAnchors[node.$dynamicAnchor].push({ uri: thisBase, schema: node });
+  }
+
+  // Recurse. Keywords whose values are schemas vs maps-of-schemas vs
+  // arrays-of-schemas are walked with the right shape.
+  var self = this;
+  function child(key, sub, ptr) { self._walk(sub, thisBase, ptr); }
+  SCHEMA_KEYWORDS.forEach(function (k) {
+    if (node[k] !== undefined) child(k, node[k], pointer + "/" + k);
+  });
+  SCHEMA_MAP_KEYWORDS.forEach(function (k) {
+    if (_isObject(node[k])) {
+      Object.keys(node[k]).forEach(function (sk) {
+        child(k, node[k][sk], pointer + "/" + k + "/" + _escPtr(sk));
+      });
+    }
+  });
+  SCHEMA_ARRAY_KEYWORDS.forEach(function (k) {
+    if (Array.isArray(node[k])) {
+      node[k].forEach(function (sub, idx) { child(k, sub, pointer + "/" + k + "/" + idx); });
+    }
+  });
+};
+
+_Registry.prototype.resolve = function (uri) {
+  if (Object.prototype.hasOwnProperty.call(this.schemas, uri)) return this.schemas[uri];
+  var sf = _splitFragment(uri);
+  // Try base with empty fragment.
+  if (sf.fragment === null) {
+    if (Object.prototype.hasOwnProperty.call(this.schemas, sf.base + "#")) return this.schemas[sf.base + "#"];
+    return undefined;
+  }
+  // JSON-pointer fragment: resolve against the registered base document.
+  if (sf.fragment === "" || sf.fragment.charAt(0) === "/") {
+    var doc = this.schemas[sf.base] !== undefined ? this.schemas[sf.base] : this.schemas[sf.base + "#"];
+    if (doc === undefined) return undefined;
+    return _pointerInto(doc, sf.fragment);
+  }
+  // Plain-name anchor.
+  return this.schemas[sf.base + "#" + sf.fragment];
+};
+
+function _escPtr(s) { return s.replace(/~/g, "~0").replace(/\//g, "~1"); }
+
+function _pointerInto(doc, fragment) {
+  if (fragment === "" ) return doc;
+  var parts = fragment.split("/");
+  parts.shift();   // leading ""
+  var cur = doc;
+  for (var i = 0; i < parts.length; i++) {
+    var tok = _unescapePointerToken(decodeURIComponent(parts[i]));
+    if (cur === null || typeof cur !== "object") return undefined;
+    if (Array.isArray(cur)) {
+      var idx = Number(tok);
+      if (!_isInteger(idx) || idx < 0 || idx >= cur.length) return undefined;
+      cur = cur[idx];
+    } else {
+      if (!Object.prototype.hasOwnProperty.call(cur, tok)) return undefined;
+      cur = cur[tok];
+    }
+  }
+  return cur;
+}
+
+// Keyword classification for the registry walker.
+var SCHEMA_KEYWORDS = ["additionalProperties", "propertyNames", "items",
+  "contains", "not", "if", "then", "else", "unevaluatedItems",
+  "unevaluatedProperties"];
+var SCHEMA_MAP_KEYWORDS = ["$defs", "definitions", "properties",
+  "patternProperties", "dependentSchemas"];
+var SCHEMA_ARRAY_KEYWORDS = ["allOf", "anyOf", "oneOf", "prefixItems"];
+
+module.exports = _buildModule();
+
+function _buildModule() {
+  return {
+    DIALECT:          DIALECT_2020_12,
+    JsonSchemaError:  JsonSchemaError,
+    compile:          compile,
+    validate:         validate,
+    isValid:          isValid,
+  };
+}
+
+/**
+ * @primitive  b.jsonSchema.compile
+ * @signature  b.jsonSchema.compile(schema, opts?)
+ * @since      0.12.64
+ * @status     stable
+ * @related    b.jsonSchema.validate, b.safeSchema, b.jtd
+ *
+ * Compile a JSON Schema 2020-12 document into a reusable validator. The
+ * returned object has <code>validate(instance)</code> →
+ * <code>{ valid, errors }</code> and <code>isValid(instance)</code> →
+ * boolean. Compiling once and validating many instances avoids re-indexing
+ * the schema's references on every call.
+ *
+ * @opts
+ *   schemas:       object,   // map of external $id/URI → schema, for $ref
+ *   assertFormat:  boolean,  // default: false (format is an annotation)
+ *   maxErrors:     number,   // default: 100 — stop collecting past this
+ *
+ * @example
+ *   var v = b.jsonSchema.compile({ type: "object",
+ *     properties: { n: { type: "integer" } }, required: ["n"] });
+ *   v.validate({ n: 1 }).valid;   // → true
+ */
+function compile(schema, opts) {
+  opts = opts || {};
+  if (!_isObject(schema) && typeof schema !== "boolean") {
+    throw new JsonSchemaError("json-schema/bad-schema", "jsonSchema.compile: schema must be an object or boolean");
+  }
+  var registry = new _Registry();
+  // Register operator-supplied external schemas first (so $id collisions
+  // prefer the root document registered last).
+  if (_isObject(opts.schemas)) {
+    Object.keys(opts.schemas).forEach(function (uri) {
+      registry.add(opts.schemas[uri], uri);
+    });
+  }
+  var rootBase = (_isObject(schema) && typeof schema.$id === "string") ? _resolveUri(schema.$id, "") : "";
+  registry.add(schema, rootBase);
+
+  var assertFormat = opts.assertFormat === true;
+  var maxErrors = numericBounds.isPositiveFiniteInt(opts.maxErrors) ? opts.maxErrors : DEFAULT_MAX_ERRORS;
+
+  function _run(instance) {
+    var ctx = {
+      registry: registry, assertFormat: assertFormat, maxErrors: maxErrors,
+      errors: [], depth: 0, dynamicScope: [],
+    };
+    _validate(schema, instance, "", "#", rootBase, ctx);
+    return { valid: ctx.errors.length === 0, errors: ctx.errors };
+  }
+  return {
+    validate: _run,
+    isValid: function (instance) { return _run(instance).valid; },
+  };
+}
+
+/**
+ * @primitive  b.jsonSchema.validate
+ * @signature  b.jsonSchema.validate(schema, instance, opts?)
+ * @since      0.12.64
+ * @status     stable
+ * @related    b.jsonSchema.compile, b.jsonSchema.isValid
+ *
+ * Compile <code>schema</code> and validate <code>instance</code> in one
+ * call, returning <code>{ valid, errors }</code>. Each error is
+ * <code>{ instancePath, keyword, schemaPath, message }</code>. For repeated
+ * validation against the same schema, use <code>compile</code> instead.
+ *
+ * @opts
+ *   schemas:       object,   // map of external $id/URI → schema, for $ref
+ *   assertFormat:  boolean,  // default: false (format is an annotation)
+ *   maxErrors:     number,   // default: 100 — stop collecting past this
+ *
+ * @example
+ *   b.jsonSchema.validate({ type: "string", minLength: 2 }, "hi").valid;
+ *   // → true
+ */
+function validate(schema, instance, opts) {
+  return compile(schema, opts).validate(instance);
+}
+
+/**
+ * @primitive  b.jsonSchema.isValid
+ * @signature  b.jsonSchema.isValid(schema, instance, opts?)
+ * @since      0.12.64
+ * @status     stable
+ * @related    b.jsonSchema.validate
+ *
+ * Boolean convenience form of <code>validate</code>.
+ *
+ * @opts
+ *   schemas:       object,   // map of external $id/URI → schema, for $ref
+ *   assertFormat:  boolean,  // default: false (format is an annotation)
+ *   maxErrors:     number,   // default: 100 — stop collecting past this
+ *
+ * @example
+ *   b.jsonSchema.isValid({ type: "integer" }, 3);   // → true
+ */
+function isValid(schema, instance, opts) {
+  return compile(schema, opts).validate(instance).valid;
+}
+
+// ============================================================
+// Core evaluation. Returns { evaluatedProps: {name:true}, evaluatedItems:
+// {index:true} } describing the annotations produced for unevaluated*.
+// Errors are pushed onto ctx.errors. A subschema "fails" iff it pushed at
+// least one error during its own evaluation (tracked via error-count
+// snapshot at each applicator boundary).
+// ============================================================
+
+function _err(ctx, instancePath, keyword, schemaPath, message) {
+  if (ctx.errors.length < ctx.maxErrors) {
+    ctx.errors.push({ instancePath: instancePath, keyword: keyword, schemaPath: schemaPath, message: message });
+  }
+}
+
+// Validate `instance` against `schema`. Annotations (evaluated props/items)
+// are returned so callers (objects/arrays with unevaluated*) can consult
+// them. `silent` runs validation without recording errors (used by
+// applicators that only need the boolean + annotations, e.g. anyOf/oneOf
+// branches, if).
+function _validate(schema, instance, instancePath, schemaPath, baseUri, ctx, silent) {
+  var ann = { evaluatedProps: {}, evaluatedItems: {} };
+  if (schema === true) return ann;
+  if (schema === false) {
+    if (!silent) _err(ctx, instancePath, "false", schemaPath, "schema is false — no value is valid");
+    ann.failed = true;
+    return ann;
+  }
+  if (!_isObject(schema)) return ann;
+
+  if (ctx.depth++ > MAX_REF_DEPTH) throw new JsonSchemaError("json-schema/ref-loop", "jsonSchema: reference depth exceeded (cyclic $ref?)");
+  // The effective base for this subschema. The registry already computed
+  // each walked node's canonical base (its $id resolved against its lexical
+  // parent), so prefer that — re-resolving $id against the URI we arrived
+  // by would double a relative $id. Fall back to live resolution for nodes
+  // the registry didn't index (defensive).
+  var effectiveBase = ctx.registry.baseByNode.has(schema)
+    ? ctx.registry.baseByNode.get(schema)
+    : (typeof schema.$id === "string" ? _resolveUri(schema.$id, baseUri) : baseUri);
+  // Push the effective base onto the dynamic scope so $dynamicRef can find
+  // the outermost frame carrying a matching $dynamicAnchor.
+  ctx.dynamicScope.push(effectiveBase);
+  try {
+    return _validateBody(schema, instance, instancePath, schemaPath, effectiveBase, ctx, silent, ann);
+  } finally { ctx.depth--; ctx.dynamicScope.pop(); }
+}
+
+function _validateBody(schema, instance, instancePath, schemaPath, baseUri, ctx, silent, ann) {
+  // baseUri already reflects this subschema's $id (resolved in _validate).
+  var type = _typeOf(instance);
+  var startErrors = ctx.errors.length;
+  function fail() { return ctx.errors.length > startErrors; }
+  function emit(kw, msg) { if (!silent) _err(ctx, instancePath, kw, schemaPath + "/" + kw, msg); ann.failed = true; }
+
+  // ---- $ref / $dynamicRef (in-place applicators) ----
+  if (typeof schema.$ref === "string") {
+    var refUri = _resolveUri(schema.$ref, baseUri);
+    var target = ctx.registry.resolve(refUri);
+    if (target === undefined) target = ctx.registry.resolve(_splitFragment(refUri).base + "#" + (_splitFragment(refUri).fragment || ""));
+    if (target === undefined) {
+      emit("$ref", "cannot resolve $ref '" + schema.$ref + "'");
+    } else {
+      var refBase = _splitFragment(refUri).base || baseUri;
+      var refAnn = _validate(target, instance, instancePath, schemaPath + "/$ref", refBase, ctx, silent);
+      _mergeAnn(ann, refAnn);
+      if (refAnn.failed) ann.failed = true;   // the child emits its own errors (when not silent); propagate pass/fail
+    }
+  }
+  if (typeof schema.$dynamicRef === "string") {
+    _applyDynamicRef(schema.$dynamicRef, instance, instancePath, schemaPath, baseUri, ctx, silent, ann);
+  }
+
+  // ---- assertions ----
+  if (schema.type !== undefined && !_typeMatches(schema.type, instance, type)) {
+    emit("type", "value is " + type + ", expected " + (Array.isArray(schema.type) ? schema.type.join("/") : schema.type));
+  }
+  if (schema.enum !== undefined) {
+    var inEnum = false;
+    for (var ei = 0; ei < schema.enum.length; ei++) { if (_deepEqual(instance, schema.enum[ei])) { inEnum = true; break; } }
+    if (!inEnum) emit("enum", "value is not one of the enum values");
+  }
+  if (Object.prototype.hasOwnProperty.call(schema, "const")) {
+    if (!_deepEqual(instance, schema.const)) emit("const", "value does not equal const");
+  }
+
+  if (type === "number") _checkNumber(schema, instance, emit);
+  if (type === "string") _checkString(schema, instance, ctx, emit);
+  if (type === "array") _checkArray(schema, instance, instancePath, schemaPath, baseUri, ctx, silent, ann, emit);
+  if (type === "object") _checkObject(schema, instance, instancePath, schemaPath, baseUri, ctx, silent, ann, emit);
+
+  // ---- in-place applicators (apply regardless of type) ----
+  _applyLogical(schema, instance, instancePath, schemaPath, baseUri, ctx, silent, ann, emit);
+
+  // ---- format (annotation by default; assertion when enabled) ----
+  if (typeof schema.format === "string" && ctx.assertFormat) {
+    if (!_checkFormat(schema.format, instance, type)) emit("format", "value does not match format '" + schema.format + "'");
+  }
+
+  // ---- unevaluatedProperties / unevaluatedItems (consume annotations) ----
+  if (type === "object" && schema.unevaluatedProperties !== undefined) {
+    Object.keys(instance).forEach(function (key) {
+      if (ann.evaluatedProps[key]) return;
+      var sub = _validate(schema.unevaluatedProperties, instance[key], instancePath + "/" + _escPtr(key), schemaPath + "/unevaluatedProperties", baseUri, ctx, silent);
+      if (!sub.failed) ann.evaluatedProps[key] = true;
+      else emit("unevaluatedProperties", "unevaluated property '" + key + "' is invalid");
+    });
+  }
+  if (type === "array" && schema.unevaluatedItems !== undefined) {
+    for (var ui = 0; ui < instance.length; ui++) {
+      if (ann.evaluatedItems[ui]) continue;
+      var subi = _validate(schema.unevaluatedItems, instance[ui], instancePath + "/" + ui, schemaPath + "/unevaluatedItems", baseUri, ctx, silent);
+      if (!subi.failed) ann.evaluatedItems[ui] = true;
+      else emit("unevaluatedItems", "unevaluated item at index " + ui + " is invalid");
+    }
+  }
+
+  if (fail()) ann.failed = true;
+  return ann;
+}
+
+function _typeMatches(typeKw, instance, actual) {
+  var list = Array.isArray(typeKw) ? typeKw : [typeKw];
+  for (var i = 0; i < list.length; i++) {
+    var t = list[i];
+    if (t === actual) return true;
+    if (t === "integer" && actual === "number" && _isInteger(instance)) return true;
+  }
+  return false;
+}
+
+function _checkNumber(schema, n, emit) {
+  if (typeof schema.multipleOf === "number") {
+    var q = n / schema.multipleOf;
+    if (!isFinite(q) || Math.abs(q - Math.round(q)) > 1e-9 * Math.max(1, Math.abs(q))) {   // allow:raw-time-literal — float tolerance for multipleOf
+      // Exact check for integers; tolerance only bridges float error.
+      if (n % schema.multipleOf !== 0) emit("multipleOf", "value is not a multiple of " + schema.multipleOf);
+    }
+  }
+  if (typeof schema.maximum === "number" && n > schema.maximum) emit("maximum", "value > maximum " + schema.maximum);
+  if (typeof schema.exclusiveMaximum === "number" && n >= schema.exclusiveMaximum) emit("exclusiveMaximum", "value >= exclusiveMaximum " + schema.exclusiveMaximum);
+  if (typeof schema.minimum === "number" && n < schema.minimum) emit("minimum", "value < minimum " + schema.minimum);
+  if (typeof schema.exclusiveMinimum === "number" && n <= schema.exclusiveMinimum) emit("exclusiveMinimum", "value <= exclusiveMinimum " + schema.exclusiveMinimum);
+}
+
+function _strLen(s) {
+  // Code-point length (not UTF-16 units) per JSON Schema string length.
+  var n = 0;
+  for (var i = 0; i < s.length; i++) { n++; var c = s.charCodeAt(i); if (c >= 0xD800 && c <= 0xDBFF) i++; }
+  return n;
+}
+function _checkString(schema, s, ctx, emit) {
+  if (typeof schema.maxLength === "number" && _strLen(s) > schema.maxLength) emit("maxLength", "string longer than maxLength " + schema.maxLength);
+  if (typeof schema.minLength === "number" && _strLen(s) < schema.minLength) emit("minLength", "string shorter than minLength " + schema.minLength);
+  if (typeof schema.pattern === "string") {
+    var re = _compileRegex(schema.pattern, ctx);
+    if (re && !re.test(s)) emit("pattern", "string does not match pattern");
+  }
+}
+
+var _regexCache = {};
+function _compileRegex(pattern, ctx) {
+  if (Object.prototype.hasOwnProperty.call(_regexCache, pattern)) return _regexCache[pattern];
+  var re = null;
+  try { re = new RegExp(pattern, "u"); }                    // allow:dynamic-regex — JSON Schema pattern is part of the (operator-trusted) schema, not instance data
+  catch (_e) {
+    try { re = new RegExp(pattern); } catch (_e2) { re = null; }
+  }
+  _regexCache[pattern] = re;
+  return re;
+}
+
+function _checkArray(schema, arr, instancePath, schemaPath, baseUri, ctx, silent, ann, emit) {
+  if (typeof schema.maxItems === "number" && arr.length > schema.maxItems) emit("maxItems", "array longer than maxItems " + schema.maxItems);
+  if (typeof schema.minItems === "number" && arr.length < schema.minItems) emit("minItems", "array shorter than minItems " + schema.minItems);
+  if (schema.uniqueItems === true) {
+    for (var a = 0; a < arr.length; a++) for (var bI = a + 1; bI < arr.length; bI++) {
+      if (_deepEqual(arr[a], arr[bI])) { emit("uniqueItems", "array items are not unique (indices " + a + ", " + bI + ")"); a = arr.length; break; }
+    }
+  }
+  var prefixLen = 0;
+  if (Array.isArray(schema.prefixItems)) {
+    prefixLen = schema.prefixItems.length;
+    for (var pi = 0; pi < prefixLen && pi < arr.length; pi++) {
+      var ps = _validate(schema.prefixItems[pi], arr[pi], instancePath + "/" + pi, schemaPath + "/prefixItems/" + pi, baseUri, ctx, silent);
+      if (!ps.failed) ann.evaluatedItems[pi] = true; else emit("prefixItems", "item " + pi + " does not match prefixItems schema");
+    }
+  }
+  if (schema.items !== undefined) {
+    for (var ii = prefixLen; ii < arr.length; ii++) {
+      var is = _validate(schema.items, arr[ii], instancePath + "/" + ii, schemaPath + "/items", baseUri, ctx, silent);
+      if (!is.failed) ann.evaluatedItems[ii] = true; else emit("items", "item " + ii + " does not match items schema");
+    }
+  }
+  if (schema.contains !== undefined) {
+    var matched = 0;
+    for (var ci = 0; ci < arr.length; ci++) {
+      var cs = _validate(schema.contains, arr[ci], instancePath + "/" + ci, schemaPath + "/contains", baseUri, ctx, true);
+      if (!cs.failed) { matched++; ann.evaluatedItems[ci] = true; }
+    }
+    var minC = typeof schema.minContains === "number" ? schema.minContains : 1;
+    if (matched < minC) emit("contains", "array has " + matched + " matching items, need at least " + minC);
+    if (typeof schema.maxContains === "number" && matched > schema.maxContains) emit("maxContains", "array has " + matched + " matching items, more than maxContains " + schema.maxContains);
+  }
+}
+
+function _checkObject(schema, obj, instancePath, schemaPath, baseUri, ctx, silent, ann, emit) {
+  var keys = Object.keys(obj);
+  if (typeof schema.maxProperties === "number" && keys.length > schema.maxProperties) emit("maxProperties", "object has more than maxProperties " + schema.maxProperties);
+  if (typeof schema.minProperties === "number" && keys.length < schema.minProperties) emit("minProperties", "object has fewer than minProperties " + schema.minProperties);
+  if (Array.isArray(schema.required)) {
+    schema.required.forEach(function (rk) {
+      if (!Object.prototype.hasOwnProperty.call(obj, rk)) emit("required", "missing required property '" + rk + "'");
+    });
+  }
+  if (_isObject(schema.dependentRequired)) {
+    Object.keys(schema.dependentRequired).forEach(function (dk) {
+      if (Object.prototype.hasOwnProperty.call(obj, dk) && Array.isArray(schema.dependentRequired[dk])) {
+        schema.dependentRequired[dk].forEach(function (req) {
+          if (!Object.prototype.hasOwnProperty.call(obj, req)) emit("dependentRequired", "property '" + dk + "' requires '" + req + "'");
+        });
+      }
+    });
+  }
+  if (_isObject(schema.properties)) {
+    keys.forEach(function (k) {
+      if (Object.prototype.hasOwnProperty.call(schema.properties, k)) {
+        var ps = _validate(schema.properties[k], obj[k], instancePath + "/" + _escPtr(k), schemaPath + "/properties/" + _escPtr(k), baseUri, ctx, silent);
+        if (!ps.failed) ann.evaluatedProps[k] = true; else ann.failed = true;
+      }
+    });
+  }
+  if (_isObject(schema.patternProperties)) {
+    Object.keys(schema.patternProperties).forEach(function (pat) {
+      var re = _compileRegex(pat, ctx);
+      if (!re) return;
+      keys.forEach(function (k) {
+        if (re.test(k)) {
+          var ps = _validate(schema.patternProperties[pat], obj[k], instancePath + "/" + _escPtr(k), schemaPath + "/patternProperties/" + _escPtr(pat), baseUri, ctx, silent);
+          if (!ps.failed) ann.evaluatedProps[k] = true; else ann.failed = true;
+        }
+      });
+    });
+  }
+  if (schema.additionalProperties !== undefined) {
+    keys.forEach(function (k) {
+      if (ann.evaluatedProps[k]) return;
+      // additionalProperties applies to keys not in properties and not
+      // matched by patternProperties (regardless of those passing).
+      if (_isObject(schema.properties) && Object.prototype.hasOwnProperty.call(schema.properties, k)) return;
+      if (_patternMatches(schema.patternProperties, k, ctx)) return;
+      var ps = _validate(schema.additionalProperties, obj[k], instancePath + "/" + _escPtr(k), schemaPath + "/additionalProperties", baseUri, ctx, silent);
+      if (!ps.failed) ann.evaluatedProps[k] = true; else ann.failed = true;
+    });
+  }
+  if (schema.propertyNames !== undefined) {
+    keys.forEach(function (k) {
+      var ps = _validate(schema.propertyNames, k, instancePath + "/" + _escPtr(k), schemaPath + "/propertyNames", baseUri, ctx, silent);
+      if (ps.failed) emit("propertyNames", "property name '" + k + "' is invalid");
+    });
+  }
+  if (_isObject(schema.dependentSchemas)) {
+    Object.keys(schema.dependentSchemas).forEach(function (dk) {
+      if (Object.prototype.hasOwnProperty.call(obj, dk)) {
+        var ds = _validate(schema.dependentSchemas[dk], obj, instancePath, schemaPath + "/dependentSchemas/" + _escPtr(dk), baseUri, ctx, silent);
+        _mergeAnn(ann, ds);
+        if (ds.failed) ann.failed = true;
+      }
+    });
+  }
+}
+
+function _patternMatches(patternProperties, key, ctx) {
+  if (!_isObject(patternProperties)) return false;
+  var pats = Object.keys(patternProperties);
+  for (var i = 0; i < pats.length; i++) {
+    var re = _compileRegex(pats[i], ctx);
+    if (re && re.test(key)) return true;
+  }
+  return false;
+}
+
+function _applyLogical(schema, instance, instancePath, schemaPath, baseUri, ctx, silent, ann, emit) {
+  if (Array.isArray(schema.allOf)) {
+    schema.allOf.forEach(function (sub, i) {
+      var r = _validate(sub, instance, instancePath, schemaPath + "/allOf/" + i, baseUri, ctx, silent);
+      _mergeAnn(ann, r);
+      if (r.failed) emit("allOf", "value does not match allOf[" + i + "]");
+    });
+  }
+  if (Array.isArray(schema.anyOf)) {
+    var anyMatched = false;
+    schema.anyOf.forEach(function (sub, i) {
+      var r = _validate(sub, instance, instancePath, schemaPath + "/anyOf/" + i, baseUri, ctx, true);
+      if (!r.failed) { anyMatched = true; _mergeAnn(ann, r); }
+    });
+    if (!anyMatched) emit("anyOf", "value does not match any anyOf subschema");
+  }
+  if (Array.isArray(schema.oneOf)) {
+    var matchCount = 0;
+    schema.oneOf.forEach(function (sub, i) {
+      var r = _validate(sub, instance, instancePath, schemaPath + "/oneOf/" + i, baseUri, ctx, true);
+      if (!r.failed) { matchCount++; _mergeAnn(ann, r); }
+    });
+    if (matchCount !== 1) emit("oneOf", "value matches " + matchCount + " oneOf subschemas, expected exactly 1");
+  }
+  if (schema.not !== undefined) {
+    var rn = _validate(schema.not, instance, instancePath, schemaPath + "/not", baseUri, ctx, true);
+    if (!rn.failed) emit("not", "value must not match the 'not' subschema");
+  }
+  if (schema.if !== undefined) {
+    var ri = _validate(schema.if, instance, instancePath, schemaPath + "/if", baseUri, ctx, true);
+    if (!ri.failed) {
+      _mergeAnn(ann, ri);   // if's annotations apply only when 'if' validates
+      if (schema.then !== undefined) {
+        var rt = _validate(schema.then, instance, instancePath, schemaPath + "/then", baseUri, ctx, silent);
+        _mergeAnn(ann, rt);
+        if (rt.failed) emit("then", "value matches 'if' but not 'then'");
+      }
+    } else if (schema.else !== undefined) {
+      var re2 = _validate(schema.else, instance, instancePath, schemaPath + "/else", baseUri, ctx, silent);
+      _mergeAnn(ann, re2);
+      if (re2.failed) emit("else", "value does not match 'if' nor 'else'");
+    }
+  }
+}
+
+function _applyDynamicRef(dref, instance, instancePath, schemaPath, baseUri, ctx, silent, ann) {
+  var refUri = _resolveUri(dref, baseUri);
+  var sf = _splitFragment(refUri);
+  var anchorName = sf.fragment;
+  // Resolve lexically first (exactly like $ref).
+  var target = ctx.registry.resolve(refUri);
+  var targetBase = sf.base || baseUri;
+  // Dynamic scope resolution applies ONLY when the fragment is a plain-name
+  // anchor AND the lexically-resolved target itself carries a matching
+  // $dynamicAnchor. Otherwise $dynamicRef behaves like a normal $ref (so a
+  // plain $anchor of the same name, or a non-matching/absent $dynamicAnchor,
+  // is left as the lexical target).
+  var isPlainName = anchorName && anchorName.charAt(0) !== "/" && anchorName !== "";
+  if (isPlainName && _isObject(target) && target.$dynamicAnchor === anchorName) {
+    for (var i = 0; i < ctx.dynamicScope.length; i++) {
+      var frameBase = ctx.dynamicScope[i];
+      var cand = ctx.registry.schemas[frameBase + "#" + anchorName];
+      if (_isObject(cand) && cand.$dynamicAnchor === anchorName) { target = cand; targetBase = frameBase; break; }
+    }
+  }
+  if (target === undefined) { if (!silent) _err(ctx, instancePath, "$dynamicRef", schemaPath + "/$dynamicRef", "cannot resolve $dynamicRef '" + dref + "'"); ann.failed = true; return; }
+  var r = _validate(target, instance, instancePath, schemaPath + "/$dynamicRef", targetBase, ctx, silent);
+  _mergeAnn(ann, r);
+  if (r.failed) ann.failed = true;
+}
+
+function _mergeAnn(into, from) {
+  if (!from) return;
+  if (from.evaluatedProps) Object.keys(from.evaluatedProps).forEach(function (k) { into.evaluatedProps[k] = true; });
+  if (from.evaluatedItems) Object.keys(from.evaluatedItems).forEach(function (k) { into.evaluatedItems[k] = true; });
+}
+
+// --- format assertions (opt-in) ---
+function _checkFormat(format, value, type) {
+  if (type !== "string") return true;   // format only asserts on strings
+  switch (format) {
+    case "date-time": return rfc3339.isValidDateTime(value);
+    // RFC 3339 full-date: shape + real field ranges (reuse the strict
+    // date-time validator by anchoring a midnight UTC time).
+    case "date": return /^\d{4}-\d{2}-\d{2}$/.test(value) && rfc3339.isValidDateTime(value + "T00:00:00Z");   // allow:regex-no-length-cap — fixed-width date shape
+    // RFC 3339 full-time: a mandatory offset + valid ranges, obtained by
+    // anchoring an epoch date (rejects "12:00:00" and "25:61:61Z").
+    case "time": return rfc3339.isValidDateTime("1970-01-01T" + value);
+    // Single "@", non-empty local + domain, no whitespace. The class
+    // excludes "@", so the split point is unique — the match is linear.
+    case "email": return /^[^@\s]+@[^@\s]+$/.test(value);   // allow:regex-no-length-cap — linear (no overlapping quantifiers)
+    case "uri": case "iri": {
+      if (/\s/.test(value)) return false;                       // raw whitespace is not a valid URI
+      if (/%(?![0-9A-Fa-f]{2})/.test(value)) return false;      // malformed percent-escape
+      if (!/^[A-Za-z][A-Za-z0-9+.-]*:/.test(value)) return false;   // absolute URI requires a scheme   // allow:regex-no-length-cap — linear scheme prefix
+      try { new URL(value); return true; } catch (_e) { return false; }   // allow:raw-new-url — string-shape check, no fetch / SSRF surface
+    }
+    case "uuid": return /^[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}$/.test(value);   // allow:regex-no-length-cap — fixed-width UUID
+    case "ipv4": return /^(\d{1,3}\.){3}\d{1,3}$/.test(value) && value.split(".").every(function (o) { return Number(o) <= 255; });   // allow:regex-no-length-cap — bounded dotted-quad
+    case "regex": try { new RegExp(value); return true; } catch (_e2) { return false; }   // allow:dynamic-regex — format:"regex" validates the string IS a regex
+    default: return true;   // unknown formats are valid (annotation semantics)
+  }
+}

package/lib/totp.js

@@ -61,6 +61,7 @@
  */
 var nodeCrypto = require("node:crypto");
 var C = require("./constants");
+var base32 = require("./base32");
 var { generateBytes, generateToken, timingSafeEqual } = require("./crypto");
 var { AuthError } = require("./framework-error");
 
@@ -84,45 +85,23 @@ var DEFAULT_SECRET_BYTES = C.BYTES.bytes(128);
 var MIN_SECRET_BYTES     = 20;
 // HOTP counter is an 8-byte big-endian field per RFC 4226 §5.1.
 var HOTP_COUNTER_BYTES   = C.BYTES.bytes(8);
-// Base32 (RFC 4648) packs 5 bits per char; bit + byte widths used by the
-// encoder/decoder below. Routed through C.BYTES so every byte literal in
-// the file lives behind the same helper.
-var BITS_PER_BYTE        = C.BYTES.bytes(8);
 
 // ---- Base32 (RFC 4648, no padding — TOTP convention) ----
-
-var BASE32 = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567";
+// Composes b.base32: secrets are emitted unpadded and parsed leniently
+// (case-insensitive, ignoring the spaces / dashes humans add when copying
+// a key). An invalid character is surfaced as the TOTP-specific error code.
 
 function _base32Encode(buf) {
-  var bits = "";
-  for (var i = 0; i < buf.length; i++) {
-    bits += buf[i].toString(2).padStart(BITS_PER_BYTE, "0");
-  }
-  var out = "";
-  for (var j = 0; j < bits.length; j += 5) {
-    var chunk = bits.substring(j, j + 5).padEnd(5, "0");
-    out += BASE32[parseInt(chunk, 2)];
-  }
-  return out;
+  return base32.encode(buf, { padding: false });
 }
 
 function _base32Decode(str) {
-  var bits = "";
-  for (var i = 0; i < str.length; i++) {
-    var c = str[i].toUpperCase();
-    if (c === "=" || c === " " || c === "-") continue;     // spaces + dashes + padding
-    var idx = BASE32.indexOf(c);
-    if (idx === -1) {
-      throw new AuthError("auth-totp/bad-secret",
-        "secret contains invalid base32 character: '" + str[i] + "'");
-    }
-    bits += idx.toString(2).padStart(5, "0");
-  }
-  var bytes = [];
-  for (var j = 0; j + BITS_PER_BYTE <= bits.length; j += BITS_PER_BYTE) {
-    bytes.push(parseInt(bits.substring(j, j + BITS_PER_BYTE), 2));
+  try {
+    return base32.decode(str, { loose: true });
+  } catch (e) {
+    throw new AuthError("auth-totp/bad-secret",
+      "secret contains invalid base32 character" + (e && e.message ? ": " + e.message : ""));
   }
-  return Buffer.from(bytes);
 }
 
 // ---- Core HOTP (RFC 4226 §5.3) ----

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@blamejs/core",
-  "version": "0.12.63",
+  "version": "0.12.65",
   "description": "The Node framework that owns its stack.",
   "license": "Apache-2.0",
   "author": "blamejs contributors",

package/sbom.cdx.json

@@ -2,10 +2,10 @@
   "$schema": "http://cyclonedx.org/schema/bom-1.5.schema.json",
   "bomFormat": "CycloneDX",
   "specVersion": "1.5",
-  "serialNumber": "urn:uuid:d1709f88-d452-4b6c-9796-971cb4dc9a1a",
+  "serialNumber": "urn:uuid:9f4770af-2b1a-425d-be19-619f1b638c9e",
   "version": 1,
   "metadata": {
-    "timestamp": "2026-05-26T06:02:00.412Z",
+    "timestamp": "2026-05-26T08:53:06.102Z",
     "lifecycles": [
       {
         "phase": "build"
@@ -19,14 +19,14 @@
       }
     ],
     "component": {
-      "bom-ref": "@blamejs/core@0.12.63",
+      "bom-ref": "@blamejs/core@0.12.65",
       "type": "application",
       "name": "blamejs",
-      "version": "0.12.63",
+      "version": "0.12.65",
       "scope": "required",
       "author": "blamejs contributors",
       "description": "The Node framework that owns its stack.",
-      "purl": "pkg:npm/%40blamejs/core@0.12.63",
+      "purl": "pkg:npm/%40blamejs/core@0.12.65",
       "properties": [],
       "externalReferences": [
         {
@@ -54,7 +54,7 @@
   "components": [],
   "dependencies": [
     {
-      "ref": "@blamejs/core@0.12.63",
+      "ref": "@blamejs/core@0.12.65",
       "dependsOn": []
     }
   ]