@blamejs/core 0.12.64 → 0.12.66

package/CHANGELOG.md

@@ -8,6 +8,10 @@ upgrading across more than a few patches at a time.
 
 ## v0.12.x
 
+- v0.12.66 (2026-05-26) — **`b.uriTemplate` — RFC 6570 URI Template expansion.** Expand RFC 6570 URI Templates — the {var} syntax that OpenAPI links, HAL _links, and hypermedia API clients use to turn a template plus a set of variables into a concrete URI. The full Level 4 grammar is supported: every operator ({+var} reserved, {#var} fragment, {.var} label, {/var} path, {;var} path-style parameters, {?var} query, {&var} query continuation), the {var:3} prefix modifier, and the {var*} explode modifier for lists and associative arrays. b.uriTemplate.expand(template, vars) returns the expanded string; b.uriTemplate.compile(template) parses once for templates applied to many variable sets. A malformed template (unclosed expression, reserved operator, non-numeric prefix, unmatched brace) throws UriTemplateError. Verified against the official uritemplate-test conformance suite (all 135 spec, extended, and negative cases). **Added:** *`b.uriTemplate.expand` / `b.uriTemplate.compile`* — RFC 6570 URI Template expansion, full Level 4. `expand(template, vars)` substitutes variables into a template and returns the URI; `compile(template)` returns a reusable `{ expand }` for repeated use. Variable values may be strings, numbers, booleans, arrays (lists), or plain objects (associative arrays); undefined, null, and empty list/map variables are omitted. All eight operators, the `:N` prefix modifier, and the `*` explode modifier follow §3.2, including reserved-set encoding for `{+var}` / `{#var}`. Composes naturally with `b.hal`, `b.linkHeader`, and `b.openapi` link objects. A malformed template throws `UriTemplateError`.
+
+- v0.12.65 (2026-05-26) — **`b.base32` — RFC 4648 Base32 encode / decode.** Encode and decode RFC 4648 Base32 — the case-insensitive alphabet behind TOTP / 2FA secrets, DNSSEC NSEC3 hashes, and human-transcribable identifiers. Both RFC 4648 variants are supported: the standard alphabet (the default) and the extended-hex alphabet. b.base32.encode pads to an 8-character boundary by default (pass padding: false for the bare form TOTP key URIs use); b.base32.decode is strict by default but accepts the real-world shapes humans produce — lower-case, embedded spaces and dashes, missing padding — under loose: true. Verified against the RFC 4648 §10 test vectors for both alphabets. The TOTP primitive now composes this codec instead of carrying its own Base32 implementation. **Added:** *`b.base32.encode` / `b.base32.decode`* — RFC 4648 Base32 codec. `encode(buf, opts)` takes a Buffer or Uint8Array and returns a Base32 string, padded to an 8-character boundary unless `padding: false`; `decode(str, opts)` returns a Buffer. The `variant` option selects the standard (`"rfc4648"`, default) or extended-hex (`"rfc4648-hex"`) alphabet. Decoding is strict by default — any character outside the alphabet throws `Base32Error` — and `loose: true` up-cases the input and ignores embedded spaces, dashes, and missing padding, which is how copied TOTP keys and hand-typed codes arrive. **Changed:** *TOTP composes `b.base32`* — `b.auth.totp` now encodes and decodes its secrets through `b.base32` rather than a private Base32 implementation. Behavior is unchanged — secrets are still emitted unpadded and parsed leniently (case-insensitive, ignoring spaces and dashes).
+
 - v0.12.64 (2026-05-25) — **`b.jsonSchema` — JSON Schema 2020-12 validation.** Validate JSON against a JSON Schema 2020-12 document — the dialect OpenAPI 3.1 adopted and the most widely implemented schema language. b.jsonSchema.compile(schema) returns a reusable validator; b.jsonSchema.validate(schema, instance) compiles and runs in one call, returning { valid, errors } where each error names the failing instance location, keyword, and schema path. The full 2020-12 vocabulary is supported: every applicator (allOf / anyOf / oneOf / not / if-then-else, properties / patternProperties / additionalProperties / prefixItems / items / contains), the annotation-aware unevaluatedProperties / unevaluatedItems, every assertion keyword, and reference resolution ($ref / $anchor / $dynamicRef / $dynamicAnchor / $defs / $id base URIs). format is an annotation by default (opt in to assertion with assertFormat). External references resolve through an operator-supplied schema map — never a network fetch. Verified against the official JSON-Schema-Test-Suite (1292 of 1295 draft2020-12 cases; the remainder need the bundled dialect metaschema or $vocabulary selection, both opt-in). This is the standards-track counterpart to the fluent b.safeSchema builder and the portable b.jtd. **Added:** *`b.jsonSchema` — JSON Schema 2020-12* — `compile(schema, opts)` returns `{ validate, isValid }`; `validate(schema, instance, opts)` and `isValid(schema, instance, opts)` compile and run in one call. `validate` returns `{ valid, errors }`, each error a `{ instancePath, keyword, schemaPath, message }`. The full 2020-12 vocabulary is implemented — applicators, annotation-aware `unevaluatedProperties` / `unevaluatedItems`, every assertion keyword, and `$ref` / `$anchor` / `$dynamicRef` / `$dynamicAnchor` / `$defs` / `$id` resolution. `format` is an annotation by default (`assertFormat: true` to assert). External references resolve through `opts.schemas` (a URI→schema map), never a network fetch. Reach for it when the schema is an existing JSON Schema document (an API contract, OpenAPI component, or config schema); `b.safeSchema` remains the fluent in-process builder and `b.jtd` the portable codegen-friendly option. Validating a schema document against the dialect metaschema requires supplying that metaschema via `opts.schemas`, and `$vocabulary`-based keyword selection is not honored (every standard keyword always asserts).
 
 - v0.12.63 (2026-05-25) — **`b.cloudEvents` gains the JSON event format, batch, and the HTTP binding.** b.cloudEvents grows beyond wrap / parse into a full CloudEvents 1.0.2 surface. b.cloudEvents.validate / isValid check an envelope against the spec without throwing (the non-throwing companion to parse). toJSON / fromJSON serialize and parse the JSON event format, and toJSONBatch / fromJSONBatch handle the JSON batch format; untrusted bodies parse through the framework's bounded, prototype-pollution-safe JSON reader. The new http.* binding speaks both content modes the spec defines — binary mode spreads context attributes across percent-encoded ce-* headers with the data in the body, structured mode carries the whole event as application/cloudevents+json — plus the batch mode, and http.decode auto-detects the incoming mode from Content-Type exactly as a conformant receiver does. Verified against the spec's normative example events. **Added:** *`b.cloudEvents` JSON event format, batch, and HTTP binding* — `validate` / `isValid` report spec violations without throwing (the non-throwing companion to `parse`). `toJSON` / `fromJSON` and `toJSONBatch` / `fromJSONBatch` serialize and parse the JSON event and batch formats over the existing envelope shape. `http.encodeBinary` / `http.encodeStructured` / `http.encodeBatch` render the three HTTP content modes — binary spreads attributes across percent-encoded `ce-*` headers, structured and batched carry the event(s) as `application/cloudevents+json` / `application/cloudevents-batch+json` — and `http.decode` parses a request back into an envelope (or array) by auto-detecting the mode from `Content-Type`. `b.jtd` or `b.safeSchema` still validate the event's `data` payload. **Fixed:** *`b.csp.build` accepts `fenced-frame-src` and `webrtc`* — The CSP3 `fenced-frame-src` directive — which the default security-headers policy emits to block `<fencedframe>` embeds — was missing from the builder's recognized-directive set, so the default policy could not round-trip through `b.csp.build` (it threw `csp/unknown-directive`). Both `fenced-frame-src` and the CSP3 `webrtc` directive are now recognized.

package/README.md

@@ -99,8 +99,10 @@ The framework bundles the surface a typical Node app reaches for. Every primitiv
 - **Signed webhooks + API encryption** — SLH-DSA-SHAKE-256f default; ML-DSA-65 opt-in; ECIES API encryption (`b.webhook`, `b.crypto`)
 - **HPKE / HTTP signatures** — RFC 9180 HPKE with ML-KEM-1024 + HKDF-SHA3-512 + ChaCha20-Poly1305 (`b.crypto.hpke`); RFC 9421 HTTP Message Signatures with derived components and ed25519 / ML-DSA-65 (`b.crypto.httpSig`); RFC 9530 Content-Digest / Repr-Digest body-integrity fields (SHA-256 / SHA-512, legacy algorithms refused — `b.contentDigest`) to sign the digest rather than the whole body
 - **Link header** — RFC 8288 Web Linking codec (`b.linkHeader.parse` / `serialize`): parse and build `Link: <uri>; rel="next"` relations, the standard REST pagination mechanism; quote-aware (a comma inside a quoted parameter never splits the list)
+- **URI Templates** — RFC 6570 expansion (`b.uriTemplate.expand` / `compile`): full Level 4 — every operator, the `:N` prefix and `*` explode modifiers — turning `{/path}{?q*}` plus variables into a concrete URI; validated against the official uritemplate-test suite. The `{var}` syntax behind OpenAPI links and HAL `_links`
 - **JSON Type Definition** — RFC 8927 validation (`b.jtd.validate` / `isValid`): portable, cross-implementation schema validation (all eight forms — type / enum / elements / properties / values / discriminator / ref / empty), returning instancePath / schemaPath errors; validated against the official 316-case suite. Interop companion to the fluent `b.safeSchema` builder
 - **JSON Schema 2020-12** — the OpenAPI 3.1 dialect (`b.jsonSchema.compile` / `validate` / `isValid`): full vocabulary including every applicator, annotation-aware `unevaluatedProperties` / `unevaluatedItems`, and `$ref` / `$dynamicRef` / `$anchor` / `$id` resolution (external refs via an operator-supplied schema map, never a network fetch); `format` is an annotation unless `assertFormat` is set; returns located `{ valid, errors }`. Validated against the official JSON-Schema-Test-Suite. Standards-track counterpart to `b.safeSchema` and `b.jtd`
+- **Base32** — RFC 4648 codec (`b.base32.encode` / `decode`): standard + extended-hex alphabets, padded or bare, strict or lenient decode (case-insensitive, ignoring spaces / dashes for copied TOTP keys); validated against the RFC 4648 §10 vectors. The codec behind `b.auth.totp` secrets
 - **JSONPath** — full RFC 9535 query evaluator (`b.jsonPath.query` / `paths`): name / wildcard / index / slice / descendant selectors, `?filter` expressions, and the five standard functions, with compile-time well-typedness checks (validated against the official 703-case compliance suite); complements the JSONPath guards
 - **JSON Pointer / Patch** — RFC 6901 `b.jsonPointer.get` (reference a value by `/foo/0/bar`) + RFC 6902 `b.jsonPatch.apply` (atomic add / remove / replace / move / copy / test for HTTP PATCH; the input document is never mutated, structural `test` comparison) + RFC 7396 `b.jsonMergePatch.merge` (the `merge-patch+json` partial-document format; both PATCH formats are prototype-pollution-safe)
 - **Canonical JSON** — RFC 8785 JSON Canonicalization Scheme (`b.canonicalJson.stringifyJcs`): the deterministic, sorted-key byte form to hash or sign (custom credentials, receipts, deterministic request signing); UTF-16 key ordering + ECMAScript number formatting, with a lenient `stringify` variant for Buffers / Dates / BigInts

package/index.js

@@ -404,6 +404,8 @@ var jsonMergePatch = require("./lib/json-merge-patch");
 var jsonPath = require("./lib/json-path");
 var jtd = require("./lib/jtd");
 var jsonSchema = require("./lib/json-schema");
+var base32 = require("./lib/base32");
+var uriTemplate = require("./lib/uri-template");
 var standardWebhooks = require("./lib/standard-webhooks");
 var lro = require("./lib/lro");
 var jsonApi = require("./lib/jsonapi");
@@ -429,6 +431,8 @@ module.exports = {
   jsonPath:         jsonPath,
   jtd:              jtd,
   jsonSchema:       jsonSchema,
+  base32:           base32,
+  uriTemplate:      uriTemplate,
   standardWebhooks: standardWebhooks,
   lro:              lro,
   jsonApi:          jsonApi,

package/lib/base32.js

@@ -0,0 +1,154 @@
+"use strict";
+/**
+ * @module b.base32
+ * @nav    Data
+ * @title  Base32
+ *
+ * @intro
+ *   Encode and decode <a href="https://www.rfc-editor.org/rfc/rfc4648">RFC
+ *   4648</a> Base32 — the case-insensitive, digit-light alphabet used for
+ *   TOTP / 2FA secrets, DNSSEC NSEC3 hashes, and human-transcribable
+ *   identifiers. Both RFC 4648 variants are supported: the standard
+ *   alphabet (<code>variant: "rfc4648"</code>, default) and the
+ *   extended-hex alphabet (<code>variant: "rfc4648-hex"</code>, which sorts
+ *   in the same order as the underlying bytes).
+ *
+ *   <code>encode</code> pads to an 8-character boundary with
+ *   <code>=</code> by default (pass <code>padding: false</code> for the
+ *   bare form TOTP key URIs use). <code>decode</code> is strict by default
+ *   — it rejects any character outside the alphabet — but
+ *   <code>loose: true</code> accepts the real-world shapes humans produce:
+ *   lower-case input, embedded spaces and dashes, and missing padding.
+ *
+ * @card
+ *   RFC 4648 Base32 encode / decode (standard + extended-hex alphabets,
+ *   padded or bare, strict or lenient) — the codec behind TOTP secrets and
+ *   transcribable identifiers.
+ */
+
+var { defineClass } = require("./framework-error");
+
+var Base32Error = defineClass("Base32Error", { alwaysPermanent: true });
+
+var ALPHABETS = {
+  "rfc4648": "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
+  "rfc4648-hex": "0123456789ABCDEFGHIJKLMNOPQRSTUV",
+};
+// Reverse lookups per variant: char-code → 5-bit value.
+var LOOKUPS = {};
+Object.keys(ALPHABETS).forEach(function (v) {
+  var map = {};
+  for (var i = 0; i < ALPHABETS[v].length; i++) map[ALPHABETS[v].charAt(i)] = i;
+  LOOKUPS[v] = map;
+});
+
+var GROUP = 8;                                              // allow:raw-byte-literal — Base32 emits 8 chars per 5 input bytes (RFC 4648 §6)
+var BITS = 5;                                               // 5 bits per Base32 symbol
+
+function _alphabet(variant) {
+  var a = ALPHABETS[variant || "rfc4648"];
+  if (!a) throw new Base32Error("base32/bad-variant", "base32: variant must be 'rfc4648' or 'rfc4648-hex'");
+  return a;
+}
+
+/**
+ * @primitive  b.base32.encode
+ * @signature  b.base32.encode(input, opts?)
+ * @since      0.12.65
+ * @status     stable
+ * @related    b.base32.decode
+ *
+ * Encode a Buffer (or Uint8Array) to an RFC 4648 Base32 string. Output is
+ * padded to an 8-character boundary with <code>=</code> unless
+ * <code>padding: false</code>. The empty input encodes to the empty string.
+ *
+ * @opts
+ *   variant:   "rfc4648" | "rfc4648-hex",   // default: "rfc4648"
+ *   padding:   boolean,                      // default: true
+ *
+ * @example
+ *   b.base32.encode(Buffer.from("foobar"));
+ *   // → "MFRGGZDFMZTWQ===="
+ */
+function encode(input, opts) {
+  opts = opts || {};
+  var buf;
+  if (Buffer.isBuffer(input)) buf = input;
+  else if (input instanceof Uint8Array) buf = Buffer.from(input);
+  else throw new Base32Error("base32/bad-input", "base32.encode: input must be a Buffer or Uint8Array");
+  var alphabet = _alphabet(opts.variant);
+  var pad = opts.padding !== false;
+
+  var out = "";
+  var value = 0, bits = 0;
+  for (var i = 0; i < buf.length; i++) {
+    value = (value << 8) | buf[i];                          // allow:raw-byte-literal — shift in one input byte
+    bits += 8;                                              // allow:raw-byte-literal — eight bits per input byte
+    while (bits >= BITS) {
+      out += alphabet.charAt((value >>> (bits - BITS)) & 31);   // allow:raw-byte-literal — low 5 bits mask (2^5 - 1)
+      bits -= BITS;
+    }
+  }
+  if (bits > 0) out += alphabet.charAt((value << (BITS - bits)) & 31);   // allow:raw-byte-literal — final partial group, low 5 bits
+  if (pad) while (out.length % GROUP !== 0) out += "=";
+  return out;
+}
+
+/**
+ * @primitive  b.base32.decode
+ * @signature  b.base32.decode(str, opts?)
+ * @since      0.12.65
+ * @status     stable
+ * @related    b.base32.encode
+ *
+ * Decode an RFC 4648 Base32 string to a Buffer. Strict by default: any
+ * character outside the variant's alphabet (other than trailing
+ * <code>=</code> padding) throws <code>Base32Error</code>. With
+ * <code>loose: true</code> the decoder up-cases the input and ignores
+ * embedded spaces and dashes (and missing padding) — the shapes TOTP keys
+ * and hand-typed codes take.
+ *
+ * @opts
+ *   variant:   "rfc4648" | "rfc4648-hex",   // default: "rfc4648"
+ *   loose:     boolean,                      // default: false
+ *
+ * @example
+ *   b.base32.decode("MFRGGZDFMZTWQ====").toString();
+ *   // → "foobar"
+ */
+function decode(str, opts) {
+  opts = opts || {};
+  if (typeof str !== "string") throw new Base32Error("base32/bad-input", "base32.decode: input must be a string");
+  _alphabet(opts.variant);
+  var lookup = LOOKUPS[opts.variant || "rfc4648"];
+  var loose = opts.loose === true;
+
+  var bytes = [];
+  var value = 0, bits = 0;
+  var inPad = false;   // once "=" padding starts, only more "=" may follow
+  for (var i = 0; i < str.length; i++) {
+    var ch = str.charAt(i);
+    if (ch === "=") { inPad = true; continue; }             // trailing padding
+    if (loose && (ch === " " || ch === "-")) continue;      // ignore separators
+    // A data character after padding is malformed in either mode — the "="
+    // run must be trailing (rejects "M=Y======" / "MZXW=6YTB").
+    if (inPad) throw new Base32Error("base32/bad-char", "base32.decode: data character '" + ch + "' after padding at index " + i);
+    if (loose) ch = ch.toUpperCase();
+    var idx = lookup[ch];
+    if (idx === undefined) throw new Base32Error("base32/bad-char", "base32.decode: invalid Base32 character '" + str.charAt(i) + "' at index " + i);
+    value = (value << BITS) | idx;
+    bits += BITS;
+    if (bits >= 8) {                                        // allow:raw-byte-literal — emit a full output byte
+      bytes.push((value >>> (bits - 8)) & 0xff);            // allow:raw-byte-literal — eight-bit output byte mask
+      bits -= 8;                                            // allow:raw-byte-literal — consumed eight bits
+    }
+  }
+  return Buffer.from(bytes);
+}
+
+module.exports = {
+  encode:      encode,
+  decode:      decode,
+  ALPHABETS:   ALPHABETS,
+  Base32Error: Base32Error,
+};

package/lib/totp.js

@@ -61,6 +61,7 @@
  */
 var nodeCrypto = require("node:crypto");
 var C = require("./constants");
+var base32 = require("./base32");
 var { generateBytes, generateToken, timingSafeEqual } = require("./crypto");
 var { AuthError } = require("./framework-error");
 
@@ -84,45 +85,23 @@ var DEFAULT_SECRET_BYTES = C.BYTES.bytes(128);
 var MIN_SECRET_BYTES     = 20;
 // HOTP counter is an 8-byte big-endian field per RFC 4226 §5.1.
 var HOTP_COUNTER_BYTES   = C.BYTES.bytes(8);
-// Base32 (RFC 4648) packs 5 bits per char; bit + byte widths used by the
-// encoder/decoder below. Routed through C.BYTES so every byte literal in
-// the file lives behind the same helper.
-var BITS_PER_BYTE        = C.BYTES.bytes(8);
 
 // ---- Base32 (RFC 4648, no padding — TOTP convention) ----
-
-var BASE32 = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567";
+// Composes b.base32: secrets are emitted unpadded and parsed leniently
+// (case-insensitive, ignoring the spaces / dashes humans add when copying
+// a key). An invalid character is surfaced as the TOTP-specific error code.
 
 function _base32Encode(buf) {
-  var bits = "";
-  for (var i = 0; i < buf.length; i++) {
-    bits += buf[i].toString(2).padStart(BITS_PER_BYTE, "0");
-  }
-  var out = "";
-  for (var j = 0; j < bits.length; j += 5) {
-    var chunk = bits.substring(j, j + 5).padEnd(5, "0");
-    out += BASE32[parseInt(chunk, 2)];
-  }
-  return out;
+  return base32.encode(buf, { padding: false });
 }
 
 function _base32Decode(str) {
-  var bits = "";
-  for (var i = 0; i < str.length; i++) {
-    var c = str[i].toUpperCase();
-    if (c === "=" || c === " " || c === "-") continue;     // spaces + dashes + padding
-    var idx = BASE32.indexOf(c);
-    if (idx === -1) {
-      throw new AuthError("auth-totp/bad-secret",
-        "secret contains invalid base32 character: '" + str[i] + "'");
-    }
-    bits += idx.toString(2).padStart(5, "0");
-  }
-  var bytes = [];
-  for (var j = 0; j + BITS_PER_BYTE <= bits.length; j += BITS_PER_BYTE) {
-    bytes.push(parseInt(bits.substring(j, j + BITS_PER_BYTE), 2));
+  try {
+    return base32.decode(str, { loose: true });
+  } catch (e) {
+    throw new AuthError("auth-totp/bad-secret",
+      "secret contains invalid base32 character" + (e && e.message ? ": " + e.message : ""));
   }
-  return Buffer.from(bytes);
 }
 
 // ---- Core HOTP (RFC 4226 §5.3) ----

package/lib/uri-template.js

@@ -0,0 +1,286 @@
+"use strict";
+/**
+ * @module b.uriTemplate
+ * @nav    HTTP
+ * @title  URI Templates
+ *
+ * @intro
+ *   Expand <a href="https://www.rfc-editor.org/rfc/rfc6570">RFC 6570</a> URI
+ *   Templates — the <code>{var}</code> syntax that OpenAPI links, HAL
+ *   <code>_links</code>, and hypermedia API clients use to turn a template
+ *   plus a set of variables into a concrete URI. The full Level 4 grammar
+ *   is supported: every operator (<code>{+var}</code> reserved,
+ *   <code>{#var}</code> fragment, <code>{.var}</code> label,
+ *   <code>{/var}</code> path, <code>{;var}</code> path-style parameters,
+ *   <code>{?var}</code> query, <code>{&amp;var}</code> query continuation),
+ *   the <code>{var:3}</code> prefix modifier, and the <code>{var*}</code>
+ *   explode modifier for lists and associative arrays.
+ *
+ *   <code>expand(template, vars)</code> returns the expanded string;
+ *   <code>compile(template)</code> parses once and returns a reusable
+ *   <code>{ expand }</code> for templates applied to many variable sets. A
+ *   malformed template (an unclosed expression, an unknown operator, or a
+ *   non-numeric prefix) throws <code>UriTemplateError</code>.
+ *
+ * @card
+ *   RFC 6570 URI Template expansion (full Level 4 — every operator, the
+ *   <code>:N</code> prefix and <code>*</code> explode modifiers) — the
+ *   <code>{var}</code> syntax behind OpenAPI links and HAL hypermedia.
+ */
+
+var { defineClass } = require("./framework-error");
+
+var UriTemplateError = defineClass("UriTemplateError", { alwaysPermanent: true });
+
+var MAX_PREFIX = 10000;                                     // allow:raw-byte-literal — RFC 6570 caps prefix length at 9999
+
+// Operator table (RFC 6570 §2.2 / §3.2.1). first = prefix when any value is
+// present; sep = separator between values; named = emit "name=value";
+// ifemp = string used when a named value is empty; reserved = allow the
+// reserved set through unencoded.
+var OPERATORS = {
+  "":  { first: "",  sep: ",", named: false, ifemp: "",  reserved: false },
+  "+": { first: "",  sep: ",", named: false, ifemp: "",  reserved: true },
+  "#": { first: "#", sep: ",", named: false, ifemp: "",  reserved: true },
+  ".": { first: ".", sep: ".", named: false, ifemp: "",  reserved: false },
+  "/": { first: "/", sep: "/", named: false, ifemp: "",  reserved: false },
+  ";": { first: ";", sep: ";", named: true,  ifemp: "",  reserved: false },
+  "?": { first: "?", sep: "&", named: true,  ifemp: "=", reserved: false },
+  "&": { first: "&", sep: "&", named: true,  ifemp: "=", reserved: false },
+};
+
+var UNRESERVED = /[A-Za-z0-9\-._~]/;
+// Reserved = gen-delims + sub-delims (RFC 3986 §2.2).
+var RESERVED = /[:/?#[\]@!$&'()*+,;=]/;
+
+function _pctEncode(str, allowReserved) {
+  var out = "";
+  for (var i = 0; i < str.length; i++) {
+    var ch = str.charAt(i);
+    // Preserve existing percent-encoded triplets when the reserved set is
+    // allowed (operators "+" and "#").
+    if (allowReserved && ch === "%" && /^[0-9A-Fa-f]{2}$/.test(str.substr(i + 1, 2))) {
+      out += str.substr(i, 3); i += 2; continue;
+    }
+    if (UNRESERVED.test(ch) || (allowReserved && RESERVED.test(ch))) { out += ch; continue; }
+    // Percent-encode the character's raw UTF-8 bytes (handles surrogate
+    // pairs). encodeURIComponent is not used — it leaves !*'() unencoded,
+    // which RFC 6570 unreserved-only expansion must escape.
+    var cp = str.codePointAt(i);
+    var bytes = Buffer.from(String.fromCodePoint(cp), "utf8");
+    for (var b = 0; b < bytes.length; b++) out += "%" + bytes[b].toString(16).toUpperCase().padStart(2, "0");   // allow:raw-byte-literal — hex radix
+    if (cp > 0xFFFF) i++;   // consumed a surrogate pair   // allow:raw-byte-literal — BMP boundary for surrogate-pair detection
+  }
+  return out;
+}
+
+function _allDigits(s) {
+  if (s.length === 0) return false;
+  for (var i = 0; i < s.length; i++) { var c = s.charCodeAt(i); if (c < 48 || c > 57) return false; }   // allow:raw-byte-literal — ASCII '0'..'9' code-point bounds
+  return true;
+}
+
+// A composite member/value is "defined" unless it is undefined or null
+// (an empty string, 0, or false is defined and expands).
+function _memberDefined(v) { return v !== undefined && v !== null; }
+
+function _isDefined(v) {
+  if (v === undefined || v === null) return false;
+  if (Array.isArray(v)) return v.length > 0;
+  if (typeof v === "object") return Object.keys(v).length > 0;
+  return true;
+}
+function _toStr(v) {
+  if (typeof v === "string") return v;
+  if (typeof v === "number" || typeof v === "boolean") return String(v);
+  return String(v);
+}
+
+// A literal run may not contain a stray "}" (an unmatched expression close)
+// — RFC 6570 literals exclude "{" and "}".
+function _checkLiteral(lit) {
+  if (lit.indexOf("}") !== -1) throw new UriTemplateError("uri-template/unmatched-brace", "uriTemplate: unmatched '}' in template literal");
+}
+
+// Parse a template into an array of literal strings + expression objects.
+function _parse(template) {
+  if (typeof template !== "string") throw new UriTemplateError("uri-template/bad-template", "uriTemplate: template must be a string");
+  var parts = [];
+  var i = 0;
+  while (i < template.length) {
+    var open = template.indexOf("{", i);
+    if (open === -1) { _checkLiteral(template.slice(i)); parts.push({ literal: template.slice(i) }); break; }
+    if (open > i) { _checkLiteral(template.slice(i, open)); parts.push({ literal: template.slice(i, open) }); }
+    var close = template.indexOf("}", open);
+    if (close === -1) throw new UriTemplateError("uri-template/unclosed", "uriTemplate: unclosed expression at index " + open);
+    parts.push(_parseExpr(template.slice(open + 1, close)));
+    i = close + 1;
+  }
+  return parts;
+}
+
+function _parseExpr(body) {
+  if (body.length === 0) throw new UriTemplateError("uri-template/empty-expression", "uriTemplate: empty expression {}");
+  var op = "";
+  var c0 = body.charAt(0);
+  if ("+#./;?&".indexOf(c0) !== -1) { op = c0; body = body.slice(1); }
+  else if ("=,!@|".indexOf(c0) !== -1) {
+    // Operators reserved by RFC 6570 §2.2 for future extensions → error.
+    throw new UriTemplateError("uri-template/reserved-operator", "uriTemplate: operator '" + c0 + "' is reserved");
+  }
+  var specs = body.split(",").map(function (raw) {
+    if (raw.length === 0) throw new UriTemplateError("uri-template/bad-varspec", "uriTemplate: empty variable name");
+    var explode = false, prefix = null;
+    var name = raw;
+    if (raw.charAt(raw.length - 1) === "*") { explode = true; name = raw.slice(0, -1); }
+    else {
+      var colon = raw.indexOf(":");
+      if (colon !== -1) {
+        name = raw.slice(0, colon);
+        var n = raw.slice(colon + 1);
+        if (!_allDigits(n)) throw new UriTemplateError("uri-template/bad-prefix", "uriTemplate: prefix length must be a non-negative integer");
+        prefix = parseInt(n, 10);
+        if (prefix >= MAX_PREFIX) throw new UriTemplateError("uri-template/bad-prefix", "uriTemplate: prefix length exceeds 9999");
+      }
+    }
+    if (!/^(?:[A-Za-z0-9_]|%[0-9A-Fa-f]{2})(?:\.?(?:[A-Za-z0-9_]|%[0-9A-Fa-f]{2}))*$/.test(name)) {
+      throw new UriTemplateError("uri-template/bad-varname", "uriTemplate: invalid variable name '" + name + "'");
+    }
+    return { name: name, explode: explode, prefix: prefix };
+  });
+  return { op: op, specs: specs };
+}
+
+function _expandExpr(expr, vars) {
+  var o = OPERATORS[expr.op];
+  var pieces = [];
+  expr.specs.forEach(function (spec) {
+    var value = vars[spec.name];
+    if (!_isDefined(value)) return;
+
+    if (typeof value !== "object") {
+      // Simple string/number/boolean value.
+      var s = _toStr(value);
+      if (spec.prefix !== null) s = _sliceChars(s, spec.prefix);
+      pieces.push(_named(o, spec.name, _pctEncode(s, o.reserved), s.length === 0));
+    } else if (Array.isArray(value)) {
+      if (spec.prefix !== null) throw new UriTemplateError("uri-template/prefix-on-list", "uriTemplate: prefix modifier cannot apply to a list");
+      // Undefined / null members are ignored (RFC 6570 §3.2.1); a list with
+      // no defined members is treated as undefined and omitted entirely.
+      var members = value.filter(_memberDefined);
+      if (members.length === 0) return;
+      if (!spec.explode) {
+        var joined = members.map(function (m) { return _pctEncode(_toStr(m), o.reserved); }).join(",");
+        pieces.push(_named(o, spec.name, joined, false));
+      } else {
+        members.forEach(function (m) {
+          pieces.push(_named(o, spec.name, _pctEncode(_toStr(m), o.reserved), _toStr(m).length === 0));
+        });
+      }
+    } else {
+      // Associative array (object). Pairs whose value is undefined / null
+      // are omitted (RFC 6570 §3.2.1).
+      if (spec.prefix !== null) throw new UriTemplateError("uri-template/prefix-on-map", "uriTemplate: prefix modifier cannot apply to a map");
+      var keys = Object.keys(value).filter(function (k) { return _memberDefined(value[k]); });
+      if (keys.length === 0) return;
+      if (!spec.explode) {
+        var pairs = [];
+        keys.forEach(function (k) { pairs.push(_pctEncode(k, o.reserved)); pairs.push(_pctEncode(_toStr(value[k]), o.reserved)); });
+        pieces.push(_named(o, spec.name, pairs.join(","), false));
+      } else {
+        keys.forEach(function (k) {
+          // Exploded map: the key becomes the name.
+          pieces.push(_namedPair(o, _pctEncode(k, o.reserved), _pctEncode(_toStr(value[k]), o.reserved)));
+        });
+      }
+    }
+  });
+  if (pieces.length === 0) return "";
+  return o.first + pieces.join(o.sep);
+}
+
+// Build one "name=value" (or bare value) piece for a non-exploded or
+// string varspec.
+function _named(o, name, encodedValue, isEmpty) {
+  if (!o.named) return encodedValue;
+  if (isEmpty) return name + o.ifemp;
+  return name + "=" + encodedValue;
+}
+// Exploded map pair: key is already the name.
+function _namedPair(o, encodedKey, encodedValue) {
+  if (!o.named) return encodedKey + "=" + encodedValue;
+  if (encodedValue.length === 0) return encodedKey + o.ifemp;
+  return encodedKey + "=" + encodedValue;
+}
+
+// Truncate to N Unicode code points (RFC 6570 prefix length is in chars).
+function _sliceChars(s, n) {
+  var out = "", count = 0;
+  for (var i = 0; i < s.length && count < n; i++) {
+    var cp = s.codePointAt(i);
+    out += String.fromCodePoint(cp);
+    if (cp > 0xFFFF) i++;   // allow:raw-byte-literal — BMP boundary for surrogate pairs
+    count++;
+  }
+  return out;
+}
+
+/**
+ * @primitive  b.uriTemplate.compile
+ * @signature  b.uriTemplate.compile(template)
+ * @since      0.12.66
+ * @status     stable
+ * @related    b.uriTemplate.expand, b.hal, b.linkHeader
+ *
+ * Parse an RFC 6570 URI Template once and return a reusable
+ * <code>{ expand(vars) }</code>, so a template applied to many variable
+ * sets is parsed a single time. Throws <code>UriTemplateError</code> if the
+ * template is malformed.
+ *
+ * @example
+ *   var t = b.uriTemplate.compile("/users/{id}{?fields*}");
+ *   t.expand({ id: 7, fields: ["name", "email"] });
+ *   // → "/users/7?fields=name&fields=email"
+ */
+function compile(template) {
+  var parts = _parse(template);
+  return {
+    expand: function (vars) {
+      vars = vars || {};
+      var out = "";
+      for (var i = 0; i < parts.length; i++) {
+        out += Object.prototype.hasOwnProperty.call(parts[i], "literal") ? parts[i].literal : _expandExpr(parts[i], vars);
+      }
+      return out;
+    },
+  };
+}
+
+/**
+ * @primitive  b.uriTemplate.expand
+ * @signature  b.uriTemplate.expand(template, vars)
+ * @since      0.12.66
+ * @status     stable
+ * @related    b.uriTemplate.compile
+ *
+ * Expand an RFC 6570 URI Template against a set of variables and return the
+ * resulting URI string. Variable values may be strings, numbers, booleans,
+ * arrays (lists), or plain objects (associative arrays); an undefined,
+ * null, or empty list/map variable is omitted. Reserved-set encoding,
+ * <code>:N</code> prefixes, and <code>*</code> explosion follow RFC 6570
+ * §3.2. Throws <code>UriTemplateError</code> on a malformed template.
+ *
+ * @example
+ *   b.uriTemplate.expand("{/path}/here{?q,limit}",
+ *     { path: "search", q: "json schema", limit: 10 });
+ *   // → "/search/here?q=json%20schema&limit=10"
+ */
+function expand(template, vars) {
+  return compile(template).expand(vars);
+}
+
+module.exports = {
+  expand:           expand,
+  compile:          compile,
+  UriTemplateError: UriTemplateError,
+};

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@blamejs/core",
-  "version": "0.12.64",
+  "version": "0.12.66",
   "description": "The Node framework that owns its stack.",
   "license": "Apache-2.0",
   "author": "blamejs contributors",

package/sbom.cdx.json

@@ -2,10 +2,10 @@
   "$schema": "http://cyclonedx.org/schema/bom-1.5.schema.json",
   "bomFormat": "CycloneDX",
   "specVersion": "1.5",
-  "serialNumber": "urn:uuid:35a8fec8-fa70-4913-a315-c839ce432741",
+  "serialNumber": "urn:uuid:4e9da547-078d-46ac-833b-3eae7e281a06",
   "version": 1,
   "metadata": {
-    "timestamp": "2026-05-26T07:36:53.769Z",
+    "timestamp": "2026-05-26T10:01:10.136Z",
     "lifecycles": [
       {
         "phase": "build"
@@ -19,14 +19,14 @@
       }
     ],
     "component": {
-      "bom-ref": "@blamejs/core@0.12.64",
+      "bom-ref": "@blamejs/core@0.12.66",
       "type": "application",
       "name": "blamejs",
-      "version": "0.12.64",
+      "version": "0.12.66",
       "scope": "required",
       "author": "blamejs contributors",
       "description": "The Node framework that owns its stack.",
-      "purl": "pkg:npm/%40blamejs/core@0.12.64",
+      "purl": "pkg:npm/%40blamejs/core@0.12.66",
       "properties": [],
       "externalReferences": [
         {
@@ -54,7 +54,7 @@
   "components": [],
   "dependencies": [
     {
-      "ref": "@blamejs/core@0.12.64",
+      "ref": "@blamejs/core@0.12.66",
       "dependsOn": []
     }
   ]