@blamejs/core 0.13.1 → 0.13.2

package/CHANGELOG.md

@@ -8,6 +8,8 @@ upgrading across more than a few patches at a time.
 
 ## v0.13.x
 
+- v0.13.2 (2026-05-26) — **`b.iabTcf.encode` — write TCF consent strings, and a TC-string timestamp fix.** b.iabTcf gains the encode half of its consent-string codec: b.iabTcf.encode(obj) serialises a parsed object back into an IAB TCF v2 TC string, and b.iabTcf.isValid(tcString) is a total never-throwing validity check. Vendor and purpose collections may be Sets, id arrays, or the parsed sections parseString returns; vendor sections are written with whichever of the bit-field and range forms is smaller, matching the reference CMP encoders, so a parsed string round-trips to an equivalent signal. parseString now fully decodes the Core publisher-restrictions list and the PublisherTC segment's publisher and custom purposes, where it previously reported only the segment's presence. The encoder is verified against the worked-example string in the IAB Tech Lab consent-string specification: it re-encodes that string's Core segment byte-for-byte. This release also fixes a TC-string parsing bug — the bit reader accumulated values with a 32-bit shift, so the 36-bit Created and LastUpdated timestamp fields were silently truncated for any real date; they now decode and round-trip exactly. **Added:** *`b.iabTcf.encode` / `b.iabTcf.isValid`* — `encode(obj)` serialises a TCF object (the shape `parseString` returns) into a TC string — Core plus optional DisclosedVendors, AllowedVendors, and PublisherTC segments — choosing the smaller of the bit-field and range vendor encodings. `isValid(tcString)` returns whether a string parses as a well-formed Core segment without throwing. `parseString` now fully decodes Core publisher restrictions and the PublisherTC purposes that were previously reported only as present. **Fixed:** *TC-string 36-bit timestamps were truncated on parse* — `b.iabTcf.parseString` read multi-bit fields with a 32-bit left-shift accumulation. The 36-bit Created and LastUpdated fields hold deciseconds-since-epoch, which exceeds 2^31 for any date after 1976, so those timestamps were silently corrupted. The reader now accumulates without the 32-bit truncation; timestamps decode correctly and round-trip through `encode`.
+
 - v0.13.1 (2026-05-26) — **`b.worm` — write-once-read-many retention.** Store records that cannot be altered or deleted before a retention period elapses — the immutable-storage discipline regulators require (SEC 17a-4(f), CFTC 1.31, FINRA 4511). b.worm.create(opts) returns a WORM store that enforces, on every mutating call, that a record is not overwritten or deleted while it is within its retainUntil window or under a legal hold. Two modes mirror cloud Object-Lock: compliance (the default — no one, including the operator, can delete before expiry) and governance (a privileged caller may override with an audited reason). Retention can only be extended, never shortened; every record carries a SHA3-512 digest that get verifies, so tampering with the underlying bytes is detected on read; every allow/refuse decision is audited. Storage is pluggable via a synchronous store adapter, so the policy layer sits over a sealed DB table, a filesystem, or any non-S3 backend — the store-agnostic, application-level companion to b.objectStore's S3 Object Lock, with content-integrity verification that native Object Lock does not provide. **Added:** *`b.worm.create` — write-once-read-many retention* — Returns a store with `put` / `get` / `delete` / `extendRetention` / `placeLegalHold` / `releaseLegalHold` / `list`. `put` is write-once (an overwrite of a retained or held record is refused); `delete` is gated by the retention window, legal holds, and the mode (`compliance` refuses any early delete; `governance` allows a privileged override with a required, audited reason); `extendRetention` is extend-only; `get` verifies the stored SHA3-512 digest and throws `worm/tampered` on a mismatch. Storage is a pluggable synchronous adapter (`get` / `set` / `delete` / `has` / `keys`), defaulting to in-memory for tests. Use it for SEC 17a-4 / CFTC / FINRA immutable records on backends without native Object Lock; `b.objectStore` remains the path for S3 Object Lock.
 
 - v0.13.0 (2026-05-26) — **`b.crypto.oprf` — RFC 9497 Oblivious PRFs.** Compute F(serverKey, input) without the server learning the input and without the client learning the key — the Oblivious PRF primitive behind password hardening (the server peppers a password it never sees), private set intersection, and Privacy Pass. b.crypto.oprf.suite(name) returns an RFC 9497 ciphersuite — ristretto255-sha512, p256-sha256, p384-sha384, or p521-sha512 — each exposing the base oprf mode and the verifiable voprf mode (a DLEQ proof lets the client confirm the server used the key committed in its public key). The client blinds its input, the server blind-evaluates with its secret key, and the client finalizes by un-blinding and hashing; because un-blinding cancels the blind, the output depends only on key and input. Validated byte-for-byte against the RFC 9497 Appendix-A test vectors. Group and hash-to-curve operations come from the newly vendored @noble/curves (Paul Miller, MIT) — the same maintainer as the framework's existing vendored @noble/post-quantum and @noble/ciphers, with no added npm runtime dependency. **Added:** *`b.crypto.oprf` — RFC 9497 OPRF / VOPRF* — `suite(name)` returns `{ name, oprf, voprf }` for one of the four RFC 9497 ciphersuites (ristretto255-SHA512 / P-256-SHA256 / P-384-SHA384 / P-521-SHA512). The `oprf` (base) mode provides `deriveKeyPair` / `generateKeyPair` / `blind` / `blindEvaluate` / `finalize` / `evaluate`; `voprf` (verifiable) adds a DLEQ proof so the client can prove the server used the committed key. Use it for password hardening, private set intersection, and OPRF-based tokens. Verified against the RFC 9497 Appendix-A vectors. The partially-oblivious `poprf` mode is not yet exposed (the vendored `@noble/curves` does not implement it) and will follow upstream. · *Vendored `@noble/curves`* — `@noble/curves` 2.2.0 (Paul Miller, MIT) is vendored under `lib/vendor/` (no npm runtime dependency), supplying the ristretto255 / NIST-curve group and hash-to-curve operations behind `b.crypto.oprf`. It joins the existing vendored `@noble/post-quantum` and `@noble/ciphers` from the same maintainer; tracked in the SBOM and the vendor-currency gate.

package/README.md

@@ -207,7 +207,7 @@ The framework bundles the surface a typical Node app reaches for. Every primitiv
 - **Change control + WORM** — m-of-n approver DDL change-control with maintenance-window + ML-DSA-87 signed proposals (`b.ddlChangeControl`); row-level WORM triggers boot-asserted under `sec-17a-4` / `finra-4511` / `fda-21cfr11` (`b.db.declareWorm`); dual-control physical delete + crypto-erase + REINDEX in one transaction (`b.db.declareRequireDualControl`, `b.db.eraseHard`)
 - **Consumer-protection** — FTC click-to-cancel UX-parity attestation (`ftc-2024` / `ca-sb942` / `strict`) (`b.darkPatterns`)
 - **Differential privacy** — float-safe DP for aggregate releases: snapping-mechanism Laplace (Mironov 2012) + discrete Gaussian (Canonne–Kamath–Steinke 2020), CSPRNG noise, per-scope ε/δ budgets with basic + Rényi-DP accounting; defends the floating-point distinguishing attack that breaks naive Laplace samplers (NIST SP 800-226) (`b.ai.dp`)
-- **Privacy / DSR** — GDPR Articles 15–22 / CCPA / CPRA / LGPD / PIPEDA data-subject-rights workflow (`b.dsr`); IAB TCF v2.3 consent-string parser + `disclosedVendors` validator (`b.iabTcf`); IAB MSPA / GPP universal-opt-out (USNAT / USCA / USVA / USCO / USCT / USUT) + GPC mirror (`b.iabMspa`); generic consent capture + withdrawal (`b.consent`)
+- **Privacy / DSR** — GDPR Articles 15–22 / CCPA / CPRA / LGPD / PIPEDA data-subject-rights workflow (`b.dsr`); IAB TCF v2 consent-string parse + encode + `disclosedVendors` validator (`b.iabTcf`); IAB MSPA / GPP universal-opt-out (USNAT / USCA / USVA / USCO / USCT / USUT) + GPC mirror (`b.iabMspa`); generic consent capture + withdrawal (`b.consent`)
 - **Incident reporters** — EU DORA Article 17 ICT-incident workflow per Commission Delegated Regulation 2024/1772 (`b.dora`); EU NIS2 (`b.nis2`); EU Cyber Resilience Act SBOM + secure-software-attestation (`b.cra`); SEC Form 8-K Item 1.05 cybersecurity-incident materiality-disclosure (`b.secCyber`); incident lifecycle coordinator (`b.incident`)
 - **Outbound DLP** — interceptor-installed on httpClient + mail + webhook with built-in detectors for PAN (Luhn), SSN, EIN, IBAN (mod-97), api-key shapes, PEM, SSH private keys, JWTs, AWS access keys, PHI composite; refuse / redact / audit-only verdicts under pci-dss / hipaa / fapi2 / soc2 / gdpr presets (`b.redact.installOutboundDlp`)
 ### Observability

package/lib/iab-tcf.js

@@ -95,6 +95,7 @@
  */
 
 var audit = require("./audit");
+var bCrypto = require("./crypto");
 var { defineClass } = require("./framework-error");
 var IabTcfError = defineClass("IabTcfError", { alwaysPermanent: true });
 
@@ -129,11 +130,15 @@ function _bitReader(buf) {
       throw IabTcfError.factory("BAD_LENGTH",
         "iabTcf: read past end of segment (offset=" + bitOffset + " want=" + n + " total=" + totalBits + ")");
     }
+    // Accumulate with `* 2`, not `<< 1`: the Created / LastUpdated fields are
+    // 36 bits and their deciseconds values exceed 2^31 for any real date, so a
+    // 32-bit shift would silently truncate them. `* 2 + bit` stays exact up to
+    // 2^53, well above the widest TCF field.
     var v = 0;
     for (var i = 0; i < n; i += 1) {
       var byteIdx = (bitOffset + i) >> 3;
       var bitIdx  = 7 - ((bitOffset + i) & 7);                                                  // allow:raw-byte-literal — high-bit-first ordering
-      v = (v << 1) | ((buf[byteIdx] >> bitIdx) & 1);
+      v = (v * 2) + ((buf[byteIdx] >> bitIdx) & 1);
     }
     bitOffset += n;
     return v;
@@ -178,6 +183,7 @@ function _parseCore(buf) {
   // the vendorConsents/LIs bitmaps when present.
   var vendorConsents = _parseVendorSection(r);
   var vendorLIs      = _parseVendorSection(r);
+  var publisherRestrictions = _parsePublisherRestrictions(r);
   return {
     version:               version,
     createdAt:             createdRaw * 100,                                                   // allow:raw-time-literal — TCF spec deciseconds → ms
@@ -197,6 +203,56 @@ function _parseCore(buf) {
     publisherCC:           publisherCC,
     vendorConsents:        vendorConsents,
     vendorLIs:             vendorLIs,
+    publisherRestrictions: publisherRestrictions,
+  };
+}
+
+// Publisher restrictions follow the two core vendor sections:
+// NumPubRestrictions (12 bits) then, per restriction, PurposeId (6) +
+// RestrictionType (2) + a range list of vendor ids. NumPubRestrictions is
+// mandatory even when zero, so a core that ends before it is truncated — the
+// reader's bounds check throws rather than treating the gap as "no
+// restrictions", which would let a malformed string validate.
+function _parsePublisherRestrictions(r) {
+  var out = [];
+  var num = r.read(12);                                                                         // allow:raw-byte-literal — TCF spec field width
+  for (var i = 0; i < num; i += 1) {
+    var purposeId       = r.read(6);                                                            // allow:raw-byte-literal — TCF spec field width
+    var restrictionType = r.read(2);
+    var numEntries      = r.read(12);                                                           // allow:raw-byte-literal — TCF spec field width
+    var vendorIds = [];
+    for (var e = 0; e < numEntries; e += 1) {
+      var isRange       = r.read(1) === 1;
+      var startVendorId = r.read(16);                                                           // allow:raw-byte-literal — TCF spec field width
+      if (isRange) {
+        var endVendorId = r.read(16);                                                           // allow:raw-byte-literal — TCF spec field width
+        for (var v = startVendorId; v <= endVendorId; v += 1) vendorIds.push(v);
+      } else {
+        vendorIds.push(startVendorId);
+      }
+    }
+    out.push({ purposeId: purposeId, restrictionType: restrictionType, vendorIds: vendorIds });
+  }
+  return out;
+}
+
+// PublisherTC segment (type 3): publisher purpose consent + LI bit-fields
+// then a custom-purpose count and its two bit-fields.
+function _parsePublisherTC(buf) {
+  var r = _bitReader(buf);
+  r.read(3);                                                                                    // allow:raw-byte-literal — segment-type prefix
+  var pubPurposesConsent = r.readBitField(24);                                                  // allow:raw-byte-literal — TCF spec field width
+  var pubPurposesLI      = r.readBitField(24);                                                  // allow:raw-byte-literal — TCF spec field width
+  var numCustomPurposes  = r.read(6);                                                           // allow:raw-byte-literal — TCF spec field width
+  var customConsent      = r.readBitField(numCustomPurposes);
+  var customLI           = r.readBitField(numCustomPurposes);
+  return {
+    present:                      true,
+    pubPurposesConsent:           pubPurposesConsent,
+    pubPurposesLITransparency:    pubPurposesLI,
+    numCustomPurposes:            numCustomPurposes,
+    customPurposesConsent:        customConsent,
+    customPurposesLITransparency: customLI,
   };
 }
 
@@ -298,7 +354,7 @@ function parseString(tcString) {
       } else if (segType === SEGMENT_TYPE_ALLOWED_VENDORS) {
         allowedVendors = { present: true, vendorIds: _parseSecondaryVendorSegment(segBuf, SEGMENT_TYPE_ALLOWED_VENDORS).ids };
       } else if (segType === SEGMENT_TYPE_PUBLISHER_TC) {
-        publisherTC = { present: true };
+        publisherTC = _parsePublisherTC(segBuf);
       } else {
         errors.push("segment[" + i + "] unknown type: " + segType);
       }
@@ -451,8 +507,227 @@ function checkVendor(parsed, vendorId) {
   };
 }
 
+// ---- encode ----------------------------------------------------------------
+
+// Accept a Set, an array, or a parsed `{ ids: Set }` / `{ vendorIds: Set }`
+// section as an id collection, and return a sorted unique array of positive
+// integers.
+function _idArray(x) {
+  var src = x;
+  if (x && typeof x === "object" && !Array.isArray(x) && !(x instanceof Set)) {
+    src = x.ids != null ? x.ids : x.vendorIds;
+  }
+  var list = src instanceof Set ? Array.from(src) : (Array.isArray(src) ? src : []);
+  var seen = Object.create(null);
+  var out = [];
+  list.forEach(function (id) {
+    if (typeof id !== "number" || !isFinite(id) || id < 1 || Math.floor(id) !== id) {
+      throw IabTcfError.factory("BAD_VALUE", "iabTcf.encode: vendor/purpose ids must be positive integers, got " + id);
+    }
+    if (!seen[id]) { seen[id] = 1; out.push(id); }
+  });
+  out.sort(function (a, b) { return a - b; });
+  return out;
+}
+
+// Collapse a sorted unique id array into [start, end] runs for range encoding.
+function _idRuns(ids) {
+  var runs = [];
+  for (var i = 0; i < ids.length; i += 1) {
+    var start = ids[i];
+    var end = start;
+    while (i + 1 < ids.length && ids[i + 1] === end + 1) { end = ids[i + 1]; i += 1; }
+    runs.push([start, end]);
+  }
+  return runs;
+}
+
+function _decisec(t) {
+  var ms = t instanceof Date ? t.getTime() : (t == null ? Date.now() : Number(t));
+  if (!isFinite(ms) || ms < 0) throw IabTcfError.factory("BAD_VALUE", "iabTcf.encode: timestamp must be a Date or non-negative epoch-ms");
+  return Math.round(ms / 100);                                                                  // allow:raw-time-literal — ms → TCF deciseconds
+}
+
+// Bit writer mirroring _bitReader: bits are packed high-bit-first, then the
+// stream is right-padded to a whole number of bytes (byte-oriented base64url,
+// matching the reference CMP encoders and this module's own reader).
+function _bitWriter() {
+  var bits = "";
+  function writeInt(v, n) {
+    if (typeof v !== "number" || !isFinite(v) || v < 0 || Math.floor(v) !== v) throw IabTcfError.factory("BAD_VALUE", "iabTcf.encode: expected a non-negative integer, got " + v);
+    if (v >= Math.pow(2, n)) throw IabTcfError.factory("VALUE_OVERFLOW", "iabTcf.encode: " + v + " does not fit in " + n + " bits");
+    bits += v.toString(2).padStart(n, "0");
+  }
+  function writeBool(flag) { bits += flag ? "1" : "0"; }
+  function writeBitField(ids, n) {
+    var set = Object.create(null);
+    _idArray(ids).forEach(function (id) { set[id] = 1; });
+    for (var i = 1; i <= n; i += 1) writeBool(set[i] === 1);
+  }
+  function writeVendorSection(ids) {
+    var clean = _idArray(ids);
+    var maxVendorId = clean.length ? clean[clean.length - 1] : 0;
+    writeInt(maxVendorId, 16);                                                                  // allow:raw-byte-literal — TCF spec field width
+    if (maxVendorId === 0) { writeBool(false); return; }
+    var runs = _idRuns(clean);
+    var rangeBits = 1 + 12;                                                                     // allow:raw-byte-literal — TCF spec field width
+    runs.forEach(function (run) { rangeBits += 1 + 16 + (run[0] === run[1] ? 0 : 16); });       // allow:raw-byte-literal — TCF spec field width
+    var bitfieldBits = 1 + maxVendorId;
+    if (rangeBits < bitfieldBits) {
+      writeBool(true);
+      writeInt(runs.length, 12);                                                                // allow:raw-byte-literal — TCF spec field width
+      runs.forEach(function (run) {
+        if (run[0] === run[1]) { writeBool(false); writeInt(run[0], 16); }                      // allow:raw-byte-literal — TCF spec field width
+        else { writeBool(true); writeInt(run[0], 16); writeInt(run[1], 16); }                   // allow:raw-byte-literal — TCF spec field width
+      });
+    } else {
+      writeBool(false);
+      writeBitField(clean, maxVendorId);
+    }
+  }
+  function toBuffer() {
+    var padded = bits + "0".repeat((8 - (bits.length % 8)) % 8);                                // allow:raw-byte-literal — pad to whole bytes
+    var byteLen = padded.length / 8;                                                            // allow:raw-byte-literal — bits per byte
+    var out = Buffer.alloc(byteLen);
+    for (var i = 0; i < byteLen; i += 1) out[i] = parseInt(padded.slice(i * 8, i * 8 + 8), 2);  // allow:raw-byte-literal — bits per byte
+    return out;
+  }
+  return { writeInt: writeInt, writeBool: writeBool, writeBitField: writeBitField, writeVendorSection: writeVendorSection, toBuffer: toBuffer };
+}
+
+function _b64urlEncode(buf) {
+  return bCrypto.toBase64Url(buf);
+}
+
+function _writeLetters(w, s, label) {
+  var str = String(s).toUpperCase();
+  if (str.length !== 2) throw IabTcfError.factory("BAD_VALUE", "iabTcf.encode: " + label + " must be a 2-letter code, got '" + s + "'");
+  for (var i = 0; i < 2; i += 1) {
+    var v = str.charCodeAt(i) - 0x41;                                                           // allow:raw-byte-literal — ASCII 'A' offset
+    if (v < 0 || v > 25) throw IabTcfError.factory("BAD_VALUE", "iabTcf.encode: '" + str.charAt(i) + "' is not an A-Z letter");
+    w.writeInt(v, 6);                                                                           // allow:raw-byte-literal — TCF spec field width
+  }
+}
+
+function _encodePublisherTC(pub) {
+  var w = _bitWriter();
+  w.writeInt(SEGMENT_TYPE_PUBLISHER_TC, 3);                                                     // allow:raw-byte-literal — segment-type prefix
+  w.writeBitField(pub.pubPurposesConsent || [], 24);                                            // allow:raw-byte-literal — TCF spec field width
+  w.writeBitField(pub.pubPurposesLITransparency || [], 24);                                     // allow:raw-byte-literal — TCF spec field width
+  var custom = _idArray(pub.customPurposesConsent || []);
+  var customLI = _idArray(pub.customPurposesLITransparency || []);
+  var n = pub.numCustomPurposes != null
+    ? pub.numCustomPurposes
+    : Math.max(custom.length ? custom[custom.length - 1] : 0, customLI.length ? customLI[customLI.length - 1] : 0);
+  w.writeInt(n, 6);                                                                             // allow:raw-byte-literal — TCF spec field width
+  w.writeBitField(custom, n);
+  w.writeBitField(customLI, n);
+  return _b64urlEncode(w.toBuffer());
+}
+
+/**
+ * @primitive b.iabTcf.encode
+ * @signature b.iabTcf.encode(obj)
+ * @since     0.13.1
+ * @status    stable
+ * @compliance iab-tcf
+ * @related   b.iabTcf.parseString, b.iabTcf.isValid
+ *
+ * Serialise a TCF object — in the shape `parseString` returns — back into a
+ * TC string. Vendor and purpose collections may be `Set`s, arrays of ids, or
+ * the parsed `{ ids }` / `{ vendorIds }` sections. Vendor sections are written
+ * with whichever of the bit-field and range forms is smaller, matching the
+ * reference CMP encoders, so a parsed string round-trips to an equivalent
+ * signal. Pass `disclosedVendors` / `allowedVendors` / `publisherTC` to append
+ * those segments. Throws `IabTcfError` on a value that does not fit its field.
+ *
+ * @example
+ *   var s = b.iabTcf.encode({
+ *     core: { version: 2, cmpId: 5, vendorListVersion: 100, consentLanguage: "EN",
+ *             purposesConsent: [1, 2, 3], vendorConsents: [1, 28, 100], publisherCC: "DE" },
+ *     disclosedVendors: [1, 28, 100],
+ *   });
+ */
+function encode(obj) {
+  if (!obj || typeof obj !== "object" || !obj.core || typeof obj.core !== "object") {
+    throw IabTcfError.factory("BAD_INPUT", "iabTcf.encode: obj must have a 'core' object");
+  }
+  var c = obj.core;
+  var w = _bitWriter();
+  w.writeInt(c.version != null ? c.version : TCF_V23_CORE_VERSION, 6);                          // allow:raw-byte-literal — TCF spec field width
+  w.writeInt(_decisec(c.createdAt), 36);                                                        // allow:raw-byte-literal — TCF spec field width
+  w.writeInt(_decisec(c.lastUpdatedAt != null ? c.lastUpdatedAt : c.createdAt), 36);            // allow:raw-byte-literal — TCF spec field width
+  w.writeInt(c.cmpId || 0, 12);                                                                 // allow:raw-byte-literal — TCF spec field width
+  w.writeInt(c.cmpVersion || 0, 12);                                                            // allow:raw-byte-literal — TCF spec field width
+  w.writeInt(c.consentScreen || 0, 6);                                                          // allow:raw-byte-literal — TCF spec field width
+  _writeLetters(w, c.consentLanguage || "EN", "consentLanguage");
+  w.writeInt(c.vendorListVersion || 0, 12);                                                     // allow:raw-byte-literal — TCF spec field width
+  w.writeInt(c.policyVersion != null ? c.policyVersion : TCF_V23_POLICY_VERSION, 6);            // allow:raw-byte-literal — TCF spec field width
+  w.writeBool(c.isServiceSpecific !== false);
+  w.writeBool(c.useNonStandardStacks === true);
+  w.writeBitField(c.specialFeatureOptins || [], 12);                                            // allow:raw-byte-literal — TCF spec field width
+  w.writeBitField(c.purposesConsent || [], 24);                                                 // allow:raw-byte-literal — TCF spec field width
+  w.writeBitField(c.purposesLI || [], 24);                                                      // allow:raw-byte-literal — TCF spec field width
+  w.writeBool(c.purposeOneTreatment === true);
+  _writeLetters(w, c.publisherCC || "AA", "publisherCC");
+  w.writeVendorSection(c.vendorConsents || []);
+  w.writeVendorSection(c.vendorLIs || []);
+  var restrictions = c.publisherRestrictions || [];
+  w.writeInt(restrictions.length, 12);                                                          // allow:raw-byte-literal — TCF spec field width
+  restrictions.forEach(function (pr) {
+    w.writeInt(pr.purposeId, 6);                                                                // allow:raw-byte-literal — TCF spec field width
+    w.writeInt(typeof pr.restrictionType === "number" ? pr.restrictionType : 0, 2);
+    var runs = _idRuns(_idArray(pr.vendorIds || []));
+    w.writeInt(runs.length, 12);                                                                // allow:raw-byte-literal — TCF spec field width
+    runs.forEach(function (run) {
+      if (run[0] === run[1]) { w.writeBool(false); w.writeInt(run[0], 16); }                    // allow:raw-byte-literal — TCF spec field width
+      else { w.writeBool(true); w.writeInt(run[0], 16); w.writeInt(run[1], 16); }               // allow:raw-byte-literal — TCF spec field width
+    });
+  });
+  var segs = [_b64urlEncode(w.toBuffer())];
+
+  if (obj.disclosedVendors != null) {
+    var dw = _bitWriter();
+    dw.writeInt(SEGMENT_TYPE_DISCLOSED_VENDORS, 3);                                              // allow:raw-byte-literal — segment-type prefix
+    dw.writeVendorSection(obj.disclosedVendors);
+    segs.push(_b64urlEncode(dw.toBuffer()));
+  }
+  if (obj.allowedVendors != null) {
+    var aw = _bitWriter();
+    aw.writeInt(SEGMENT_TYPE_ALLOWED_VENDORS, 3);                                                // allow:raw-byte-literal — segment-type prefix
+    aw.writeVendorSection(obj.allowedVendors);
+    segs.push(_b64urlEncode(aw.toBuffer()));
+  }
+  if (obj.publisherTC != null && obj.publisherTC.present !== false) {
+    segs.push(_encodePublisherTC(obj.publisherTC));
+  }
+  return segs.join(".");
+}
+
+/**
+ * @primitive b.iabTcf.isValid
+ * @signature b.iabTcf.isValid(tcString)
+ * @since     0.13.1
+ * @status    stable
+ * @compliance iab-tcf
+ * @related   b.iabTcf.parseString
+ *
+ * Return `true` if the string parses as a well-formed TCF Core segment,
+ * `false` otherwise. A total predicate — never throws. Note this checks
+ * structural validity only; use `requireV23Disclosed` for the v2.3 policy gate.
+ *
+ * @example
+ *   b.iabTcf.isValid("CQSbk4AQSbk4ANwAAAENAwCgAAAAAAAAAAYgACPAAAAA");  // → true
+ *   b.iabTcf.isValid("nonsense");                                      // → false
+ */
+function isValid(tcString) {
+  try { parseString(tcString); return true; } catch (_e) { return false; }
+}
+
 module.exports = {
   parseString:           parseString,
+  encode:                encode,
+  isValid:               isValid,
   requireV23Disclosed:   requireV23Disclosed,
   checkVendor:           checkVendor,
   IabTcfError:           IabTcfError,

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@blamejs/core",
-  "version": "0.13.1",
+  "version": "0.13.2",
   "description": "The Node framework that owns its stack.",
   "license": "Apache-2.0",
   "author": "blamejs contributors",

package/sbom.cdx.json

@@ -2,10 +2,10 @@
   "$schema": "http://cyclonedx.org/schema/bom-1.5.schema.json",
   "bomFormat": "CycloneDX",
   "specVersion": "1.5",
-  "serialNumber": "urn:uuid:867201c0-c1e7-42ae-8956-c09389ae0095",
+  "serialNumber": "urn:uuid:45c82292-580f-4bfa-aa46-23d8f36d6b83",
   "version": 1,
   "metadata": {
-    "timestamp": "2026-05-26T22:27:34.169Z",
+    "timestamp": "2026-05-26T23:17:31.244Z",
     "lifecycles": [
       {
         "phase": "build"
@@ -19,14 +19,14 @@
       }
     ],
     "component": {
-      "bom-ref": "@blamejs/core@0.13.1",
+      "bom-ref": "@blamejs/core@0.13.2",
       "type": "application",
       "name": "blamejs",
-      "version": "0.13.1",
+      "version": "0.13.2",
       "scope": "required",
       "author": "blamejs contributors",
       "description": "The Node framework that owns its stack.",
-      "purl": "pkg:npm/%40blamejs/core@0.13.1",
+      "purl": "pkg:npm/%40blamejs/core@0.13.2",
       "properties": [],
       "externalReferences": [
         {
@@ -54,7 +54,7 @@
   "components": [],
   "dependencies": [
     {
-      "ref": "@blamejs/core@0.13.1",
+      "ref": "@blamejs/core@0.13.2",
       "dependsOn": []
     }
   ]