npm - @blamejs/core - Versions diffs - 0.13.1 → 0.13.3 - Mend

@blamejs/core 0.13.1 → 0.13.3

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (7) hide show

package/CHANGELOG.md CHANGED Viewed

@@ -8,6 +8,10 @@ upgrading across more than a few patches at a time.
 ## v0.13.x
+- v0.13.3 (2026-05-26) — **`b.crypto.xwing` — X-Wing hybrid post-quantum KEM.** b.crypto.xwing adds the X-Wing hybrid key-encapsulation mechanism (draft-connolly-cfrg-xwing-kem): it runs ML-KEM-768 and X25519 side by side and binds their shared secrets with SHA3-256, so an encapsulated key stays secure as long as either ML-KEM-768 or X25519 holds. That is the conservative shape for moving off classical ECDH today — a harvest-now-decrypt-later attacker must break the lattice KEM, and a hypothetical ML-KEM break still leaves X25519 standing. keygen() produces a 32-byte decapsulation seed and a 1216-byte public key; encapsulate(publicKey) returns a 1120-byte ciphertext and a 32-byte shared secret; decapsulate(secretKey, ciphertext) recovers it. The X-Wing combiner is frozen, but its specification is still an IETF Internet-Draft, so this primitive is marked experimental and sits beside the existing pre-RFC post-quantum HPKE drafts; it composes the framework's vendored ML-KEM-768 and X25519 with SHA3 and adds no new cryptographic core. The combiner is known-answer-tested byte-for-byte against the draft's definition. **Added:** *`b.crypto.xwing` — X-Wing hybrid PQ/T KEM (experimental)* — `keygen(seed?)` → `{ publicKey (1216 B), secretKey (32-byte seed) }`; `encapsulate(publicKey, eseed?)` → `{ ciphertext (1120 B), sharedSecret (32 B) }`; `decapsulate(secretKey, ciphertext)` → the 32-byte shared secret. Both `keygen` and `encapsulate` accept an optional seed for deterministic operation. The combiner — `SHA3-256(ssMLKEM ‖ ssX25519 ‖ ctX25519 ‖ pkX25519 ‖ label)` — is exposed as `combiner` for advanced use. Marked `experimental` while draft-connolly-cfrg-xwing-kem remains an Internet-Draft; the algorithm itself is frozen.
+- v0.13.2 (2026-05-26) — **`b.iabTcf.encode` — write TCF consent strings, and a TC-string timestamp fix.** b.iabTcf gains the encode half of its consent-string codec: b.iabTcf.encode(obj) serialises a parsed object back into an IAB TCF v2 TC string, and b.iabTcf.isValid(tcString) is a total never-throwing validity check. Vendor and purpose collections may be Sets, id arrays, or the parsed sections parseString returns; vendor sections are written with whichever of the bit-field and range forms is smaller, matching the reference CMP encoders, so a parsed string round-trips to an equivalent signal. parseString now fully decodes the Core publisher-restrictions list and the PublisherTC segment's publisher and custom purposes, where it previously reported only the segment's presence. The encoder is verified against the worked-example string in the IAB Tech Lab consent-string specification: it re-encodes that string's Core segment byte-for-byte. This release also fixes a TC-string parsing bug — the bit reader accumulated values with a 32-bit shift, so the 36-bit Created and LastUpdated timestamp fields were silently truncated for any real date; they now decode and round-trip exactly. **Added:** *`b.iabTcf.encode` / `b.iabTcf.isValid`* — `encode(obj)` serialises a TCF object (the shape `parseString` returns) into a TC string — Core plus optional DisclosedVendors, AllowedVendors, and PublisherTC segments — choosing the smaller of the bit-field and range vendor encodings. `isValid(tcString)` returns whether a string parses as a well-formed Core segment without throwing. `parseString` now fully decodes Core publisher restrictions and the PublisherTC purposes that were previously reported only as present. **Fixed:** *TC-string 36-bit timestamps were truncated on parse* — `b.iabTcf.parseString` read multi-bit fields with a 32-bit left-shift accumulation. The 36-bit Created and LastUpdated fields hold deciseconds-since-epoch, which exceeds 2^31 for any date after 1976, so those timestamps were silently corrupted. The reader now accumulates without the 32-bit truncation; timestamps decode correctly and round-trip through `encode`.
 - v0.13.1 (2026-05-26) — **`b.worm` — write-once-read-many retention.** Store records that cannot be altered or deleted before a retention period elapses — the immutable-storage discipline regulators require (SEC 17a-4(f), CFTC 1.31, FINRA 4511). b.worm.create(opts) returns a WORM store that enforces, on every mutating call, that a record is not overwritten or deleted while it is within its retainUntil window or under a legal hold. Two modes mirror cloud Object-Lock: compliance (the default — no one, including the operator, can delete before expiry) and governance (a privileged caller may override with an audited reason). Retention can only be extended, never shortened; every record carries a SHA3-512 digest that get verifies, so tampering with the underlying bytes is detected on read; every allow/refuse decision is audited. Storage is pluggable via a synchronous store adapter, so the policy layer sits over a sealed DB table, a filesystem, or any non-S3 backend — the store-agnostic, application-level companion to b.objectStore's S3 Object Lock, with content-integrity verification that native Object Lock does not provide. **Added:** *`b.worm.create` — write-once-read-many retention* — Returns a store with `put` / `get` / `delete` / `extendRetention` / `placeLegalHold` / `releaseLegalHold` / `list`. `put` is write-once (an overwrite of a retained or held record is refused); `delete` is gated by the retention window, legal holds, and the mode (`compliance` refuses any early delete; `governance` allows a privileged override with a required, audited reason); `extendRetention` is extend-only; `get` verifies the stored SHA3-512 digest and throws `worm/tampered` on a mismatch. Storage is a pluggable synchronous adapter (`get` / `set` / `delete` / `has` / `keys`), defaulting to in-memory for tests. Use it for SEC 17a-4 / CFTC / FINRA immutable records on backends without native Object Lock; `b.objectStore` remains the path for S3 Object Lock.
 - v0.13.0 (2026-05-26) — **`b.crypto.oprf` — RFC 9497 Oblivious PRFs.** Compute F(serverKey, input) without the server learning the input and without the client learning the key — the Oblivious PRF primitive behind password hardening (the server peppers a password it never sees), private set intersection, and Privacy Pass. b.crypto.oprf.suite(name) returns an RFC 9497 ciphersuite — ristretto255-sha512, p256-sha256, p384-sha384, or p521-sha512 — each exposing the base oprf mode and the verifiable voprf mode (a DLEQ proof lets the client confirm the server used the key committed in its public key). The client blinds its input, the server blind-evaluates with its secret key, and the client finalizes by un-blinding and hashing; because un-blinding cancels the blind, the output depends only on key and input. Validated byte-for-byte against the RFC 9497 Appendix-A test vectors. Group and hash-to-curve operations come from the newly vendored @noble/curves (Paul Miller, MIT) — the same maintainer as the framework's existing vendored @noble/post-quantum and @noble/ciphers, with no added npm runtime dependency. **Added:** *`b.crypto.oprf` — RFC 9497 OPRF / VOPRF* — `suite(name)` returns `{ name, oprf, voprf }` for one of the four RFC 9497 ciphersuites (ristretto255-SHA512 / P-256-SHA256 / P-384-SHA384 / P-521-SHA512). The `oprf` (base) mode provides `deriveKeyPair` / `generateKeyPair` / `blind` / `blindEvaluate` / `finalize` / `evaluate`; `voprf` (verifiable) adds a DLEQ proof so the client can prove the server used the committed key. Use it for password hardening, private set intersection, and OPRF-based tokens. Verified against the RFC 9497 Appendix-A vectors. The partially-oblivious `poprf` mode is not yet exposed (the vendored `@noble/curves` does not implement it) and will follow upstream. · *Vendored `@noble/curves`* — `@noble/curves` 2.2.0 (Paul Miller, MIT) is vendored under `lib/vendor/` (no npm runtime dependency), supplying the ristretto255 / NIST-curve group and hash-to-curve operations behind `b.crypto.oprf`. It joins the existing vendored `@noble/post-quantum` and `@noble/ciphers` from the same maintainer; tracked in the SBOM and the vendor-currency gate.

package/README.md CHANGED Viewed

@@ -101,6 +101,7 @@ The framework bundles the surface a typical Node app reaches for. Every primitiv
 - **AAD-bound sealed columns** — AEAD tag tied to `(table, rowId, column, schemaVersion)`; copy-paste between rows or schema-version replay surfaces as refused decrypt (`b.vault.aad`)
 - **Signed webhooks + API encryption** — SLH-DSA-SHAKE-256f default; ML-DSA-65 opt-in; ECIES API encryption (`b.webhook`, `b.crypto`)
 - **HPKE / HTTP signatures** — RFC 9180 HPKE with ML-KEM-1024 + HKDF-SHA3-512 + ChaCha20-Poly1305 (`b.crypto.hpke`); RFC 9421 HTTP Message Signatures with derived components and ed25519 / ML-DSA-65 (`b.crypto.httpSig`); RFC 9530 Content-Digest / Repr-Digest body-integrity fields (SHA-256 / SHA-512, legacy algorithms refused — `b.contentDigest`) to sign the digest rather than the whole body
+- **X-Wing hybrid KEM** — `b.crypto.xwing` (draft-connolly-cfrg-xwing-kem, experimental): ML-KEM-768 + X25519 bound by SHA3-256, secure if either component holds — the conservative key-encapsulation shape for migrating off classical ECDH. `keygen` / `encapsulate` / `decapsulate` with a 1216-byte public key, 1120-byte ciphertext, and 32-byte shared secret
 - **Link header** — RFC 8288 Web Linking codec (`b.linkHeader.parse` / `serialize`): parse and build `Link: <uri>; rel="next"` relations, the standard REST pagination mechanism; quote-aware (a comma inside a quoted parameter never splits the list)
 - **URI Templates** — RFC 6570 expansion (`b.uriTemplate.expand` / `compile`): full Level 4 — every operator, the `:N` prefix and `*` explode modifiers — turning `{/path}{?q*}` plus variables into a concrete URI; validated against the official uritemplate-test suite. The `{var}` syntax behind OpenAPI links and HAL `_links`
 - **JSON Type Definition** — RFC 8927 validation (`b.jtd.validate` / `isValid`): portable, cross-implementation schema validation (all eight forms — type / enum / elements / properties / values / discriminator / ref / empty), returning instancePath / schemaPath errors; validated against the official 316-case suite. Interop companion to the fluent `b.safeSchema` builder
@@ -207,7 +208,7 @@ The framework bundles the surface a typical Node app reaches for. Every primitiv
 - **Change control + WORM** — m-of-n approver DDL change-control with maintenance-window + ML-DSA-87 signed proposals (`b.ddlChangeControl`); row-level WORM triggers boot-asserted under `sec-17a-4` / `finra-4511` / `fda-21cfr11` (`b.db.declareWorm`); dual-control physical delete + crypto-erase + REINDEX in one transaction (`b.db.declareRequireDualControl`, `b.db.eraseHard`)
 - **Consumer-protection** — FTC click-to-cancel UX-parity attestation (`ftc-2024` / `ca-sb942` / `strict`) (`b.darkPatterns`)
 - **Differential privacy** — float-safe DP for aggregate releases: snapping-mechanism Laplace (Mironov 2012) + discrete Gaussian (Canonne–Kamath–Steinke 2020), CSPRNG noise, per-scope ε/δ budgets with basic + Rényi-DP accounting; defends the floating-point distinguishing attack that breaks naive Laplace samplers (NIST SP 800-226) (`b.ai.dp`)
-- **Privacy / DSR** — GDPR Articles 15–22 / CCPA / CPRA / LGPD / PIPEDA data-subject-rights workflow (`b.dsr`); IAB TCF v2.3 consent-string parser + `disclosedVendors` validator (`b.iabTcf`); IAB MSPA / GPP universal-opt-out (USNAT / USCA / USVA / USCO / USCT / USUT) + GPC mirror (`b.iabMspa`); generic consent capture + withdrawal (`b.consent`)
+- **Privacy / DSR** — GDPR Articles 15–22 / CCPA / CPRA / LGPD / PIPEDA data-subject-rights workflow (`b.dsr`); IAB TCF v2 consent-string parse + encode + `disclosedVendors` validator (`b.iabTcf`); IAB MSPA / GPP universal-opt-out (USNAT / USCA / USVA / USCO / USCT / USUT) + GPC mirror (`b.iabMspa`); generic consent capture + withdrawal (`b.consent`)
 - **Incident reporters** — EU DORA Article 17 ICT-incident workflow per Commission Delegated Regulation 2024/1772 (`b.dora`); EU NIS2 (`b.nis2`); EU Cyber Resilience Act SBOM + secure-software-attestation (`b.cra`); SEC Form 8-K Item 1.05 cybersecurity-incident materiality-disclosure (`b.secCyber`); incident lifecycle coordinator (`b.incident`)
 - **Outbound DLP** — interceptor-installed on httpClient + mail + webhook with built-in detectors for PAN (Luhn), SSN, EIN, IBAN (mod-97), api-key shapes, PEM, SSH private keys, JWTs, AWS access keys, PHI composite; refuse / redact / audit-only verdicts under pci-dss / hipaa / fapi2 / soc2 / gdpr presets (`b.redact.installOutboundDlp`)
 ### Observability

package/index.js CHANGED Viewed

@@ -58,6 +58,7 @@ var crypto = require("./lib/crypto");
 // the dedicated lib files; these are thin aliases.
 crypto.hpke = require("./lib/crypto-hpke");
 crypto.oprf = require("./lib/crypto-oprf");
+crypto.xwing = require("./lib/crypto-xwing");
 // Both PQ-HPKE drafts behind one opt-in sub-namespace — see
 // lib/crypto-hpke-pq.js. Operators that need a draft-codepoint
 // shape reach for b.crypto.hpke.pq.connolly / .wg explicitly; the

package/lib/crypto-xwing.js ADDED Viewed

@@ -0,0 +1,213 @@
+"use strict";
+/**
+ * @module b.crypto.xwing
+ * @nav    Crypto
+ * @title  X-Wing KEM
+ *
+ * @intro
+ *   X-Wing is a general-purpose hybrid post-quantum / traditional key
+ *   encapsulation mechanism: it runs ML-KEM-768 and X25519 side by side and
+ *   binds their shared secrets with SHA3-256, so the resulting key stays
+ *   secure as long as <em>either</em> ML-KEM-768 or X25519 holds. That is the
+ *   conservative shape for migrating off classical ECDH today — a harvest-now-
+ *   decrypt-later attacker must break the lattice KEM, and a hypothetical
+ *   ML-KEM break still leaves X25519 standing.
+ *
+ *   The construction follows
+ *   <code>draft-connolly-cfrg-xwing-kem</code>. The combiner is frozen — it
+ *   hashes the ML-KEM shared secret, the X25519 shared secret, the X25519
+ *   ephemeral public key, the recipient's X25519 public key, and a fixed
+ *   six-byte label — but the document is still an IETF Internet-Draft, so this
+ *   primitive is marked <code>experimental</code> and sits beside the other
+ *   pre-RFC post-quantum drafts (<code>b.crypto.hpke.pq</code>). The wire
+ *   sizes are fixed: a 1216-byte public key (ML-KEM-768 1184 ‖ X25519 32), a
+ *   1120-byte ciphertext (ML-KEM-768 1088 ‖ X25519 32), a 32-byte decapsulation
+ *   seed, and a 32-byte shared secret.
+ *
+ *   X-Wing composes the framework's vendored ML-KEM-768 and X25519 plus
+ *   SHA3 — it adds no new cryptographic core, only the standard combiner and
+ *   wire framing.
+ *
+ * @card
+ *   X-Wing hybrid PQ/T KEM (`b.crypto.xwing`) — ML-KEM-768 + X25519 bound by
+ *   SHA3-256 per draft-connolly-cfrg-xwing-kem, secure if either component
+ *   holds. 1216-byte key, 1120-byte ciphertext, 32-byte shared secret.
+ */
+var nodeCrypto = require("node:crypto");
+var pqc = require("./vendor/noble-post-quantum.cjs");
+var { defineClass } = require("./framework-error");
+var XWingError = defineClass("XWingError", { alwaysPermanent: true });
+var mlkem = pqc.ml_kem768;
+// draft-connolly-cfrg-xwing-kem: the combiner label, ASCII "\./" + "/^\".
+var XWING_LABEL = Buffer.from("5c2e2f2f5e5c", "hex");
+// Component + composite sizes (bytes), fixed by the draft — protocol wire
+// widths, not buffer-capacity tunables.
+var ML_KEM_PK = 1184;                  // allow:raw-byte-literal — ML-KEM-768 public key
+var ML_KEM_CT = 1088;                  // allow:raw-byte-literal — ML-KEM-768 ciphertext
+var X25519_LEN = 32;                   // allow:raw-byte-literal — X25519 key/share length
+var SEED_LEN = 32;                     // allow:raw-byte-literal — X-Wing seed length
+var SS_LEN = 32;                       // allow:raw-byte-literal — shared-secret length
+var PK_LEN = ML_KEM_PK + X25519_LEN;   // 1216
+var CT_LEN = ML_KEM_CT + X25519_LEN;   // 1120
+var MLKEM_SEED = 64;                   // allow:raw-byte-literal — d ‖ z for ML-KEM KeyGen_internal
+var EXPAND_LEN = 96;                   // allow:raw-byte-literal — SHAKE256(seed) → d ‖ z ‖ sk_X
+// X25519 raw-scalar helpers via fixed PKCS8 / SPKI DER prefixes (OID
+// 1.3.101.110). Node clamps the scalar per RFC 7748 on use, matching X-Wing.
+var X25519_PKCS8_PREFIX = Buffer.from("302e020100300506032b656e04220420", "hex");
+var X25519_SPKI_PREFIX  = Buffer.from("302a300506032b656e032100", "hex");
+function _x25519Public(sk) {
+  var key = nodeCrypto.createPrivateKey({ key: Buffer.concat([X25519_PKCS8_PREFIX, sk]), format: "der", type: "pkcs8" });
+  var spki = nodeCrypto.createPublicKey(key).export({ format: "der", type: "spki" });
+  return spki.subarray(spki.length - X25519_LEN);
+}
+function _x25519Shared(sk, pk) {
+  return nodeCrypto.diffieHellman({
+    privateKey: nodeCrypto.createPrivateKey({ key: Buffer.concat([X25519_PKCS8_PREFIX, sk]), format: "der", type: "pkcs8" }),
+    publicKey:  nodeCrypto.createPublicKey({ key: Buffer.concat([X25519_SPKI_PREFIX, pk]), format: "der", type: "spki" }),
+  });
+}
+function _shake256(buf, outLen) { return nodeCrypto.createHash("shake256", { outputLength: outLen }).update(buf).digest(); }
+/**
+ * @primitive  b.crypto.xwing.combiner
+ * @signature  b.crypto.xwing.combiner(ssM, ssX, ctX, pkX)
+ * @since      0.13.3
+ * @status     experimental
+ * @compliance soc2
+ * @related    b.crypto.xwing.encapsulate, b.crypto.xwing.decapsulate
+ *
+ * The X-Wing combiner: <code>SHA3-256(ssM ‖ ssX ‖ ctX ‖ pkX ‖ label)</code>,
+ * where the label is the fixed six bytes the draft defines. Exposed for
+ * advanced use and known-answer testing; <code>encapsulate</code> and
+ * <code>decapsulate</code> call it internally. Each input must be 32 bytes.
+ *
+ * @example
+ *   var ss = b.crypto.xwing.combiner(ssMlkem, ssX25519, ephPub, recipientPub);
+ *   // → 32-byte shared secret
+ */
+function combiner(ssM, ssX, ctX, pkX) {
+  [["ssM", ssM, SS_LEN], ["ssX", ssX, X25519_LEN], ["ctX", ctX, X25519_LEN], ["pkX", pkX, X25519_LEN]].forEach(function (t) {
+    // ML-KEM outputs are Uint8Array; X25519 outputs are Buffer — accept both.
+    if (!(Buffer.isBuffer(t[1]) || t[1] instanceof Uint8Array) || t[1].length !== t[2]) throw new XWingError("xwing/bad-input", "xwing.combiner: " + t[0] + " must be a " + t[2] + "-byte byte array");
+  });
+  return nodeCrypto.createHash("sha3-256").update(Buffer.concat([ssM, ssX, ctX, pkX, XWING_LABEL])).digest();
+}
+// Expand a 32-byte seed into ML-KEM key material + the X25519 scalar.
+function _expand(seed) {
+  var e = _shake256(seed, EXPAND_LEN);
+  var kp = mlkem.keygen(e.subarray(0, MLKEM_SEED));     // KeyGen_internal(d, z)
+  var skX = e.subarray(MLKEM_SEED, EXPAND_LEN);
+  return { skM: kp.secretKey, pkM: kp.publicKey, skX: skX, pkX: _x25519Public(skX) };
+}
+/**
+ * @primitive  b.crypto.xwing.keygen
+ * @signature  b.crypto.xwing.keygen(seed?)
+ * @since      0.13.3
+ * @status     experimental
+ * @compliance soc2
+ * @related    b.crypto.xwing.encapsulate, b.crypto.xwing.decapsulate
+ *
+ * Generate an X-Wing keypair. The decapsulation key is a 32-byte seed (store
+ * this); the encapsulation key is the 1216-byte public key to publish. Pass a
+ * 32-byte <code>seed</code> for deterministic generation, or omit it for a
+ * random key.
+ *
+ * @example
+ *   var kp = b.crypto.xwing.keygen();
+ *   kp.publicKey.length;   // → 1216
+ *   kp.secretKey.length;   // → 32  (the seed — keep it secret)
+ */
+function keygen(seed) {
+  if (seed == null) seed = nodeCrypto.randomBytes(SEED_LEN);
+  if (!Buffer.isBuffer(seed) || seed.length !== SEED_LEN) throw new XWingError("xwing/bad-seed", "xwing.keygen: seed must be a " + SEED_LEN + "-byte Buffer");
+  var k = _expand(seed);
+  return { publicKey: Buffer.concat([k.pkM, k.pkX]), secretKey: Buffer.from(seed) };
+}
+/**
+ * @primitive  b.crypto.xwing.encapsulate
+ * @signature  b.crypto.xwing.encapsulate(publicKey, eseed?)
+ * @since      0.13.3
+ * @status     experimental
+ * @compliance soc2
+ * @related    b.crypto.xwing.decapsulate, b.crypto.xwing.keygen
+ *
+ * Encapsulate to a 1216-byte X-Wing public key. Returns the 1120-byte
+ * <code>ciphertext</code> to send and the 32-byte <code>sharedSecret</code> to
+ * key a symmetric cipher with. Pass a 64-byte <code>eseed</code>
+ * (X25519 ephemeral scalar ‖ ML-KEM coins) for deterministic encapsulation, or
+ * omit it for fresh randomness.
+ *
+ * @example
+ *   var enc = b.crypto.xwing.encapsulate(recipientPublicKey);
+ *   enc.ciphertext.length;   // → 1120
+ *   enc.sharedSecret.length; // → 32
+ */
+function encapsulate(publicKey, eseed) {
+  if (!Buffer.isBuffer(publicKey) || publicKey.length !== PK_LEN) throw new XWingError("xwing/bad-public-key", "xwing.encapsulate: publicKey must be a " + PK_LEN + "-byte Buffer");
+  var pkM = publicKey.subarray(0, ML_KEM_PK);
+  var pkX = publicKey.subarray(ML_KEM_PK, PK_LEN);
+  var ekX, mlkemCoins = null;
+  if (eseed == null) {
+    ekX = nodeCrypto.randomBytes(X25519_LEN);
+  } else {
+    if (!Buffer.isBuffer(eseed) || eseed.length !== 2 * X25519_LEN) throw new XWingError("xwing/bad-eseed", "xwing.encapsulate: eseed must be a " + (2 * X25519_LEN) + "-byte Buffer");
+    // draft EncapsulateDerand: eseed[0:32] = ML-KEM coins, eseed[32:64] = X25519
+    // ephemeral scalar. This order matches the draft's test vectors.
+    mlkemCoins = eseed.subarray(0, X25519_LEN);
+    ekX = eseed.subarray(X25519_LEN, 2 * X25519_LEN);
+  }
+  var ctX = _x25519Public(ekX);
+  var ssX = _x25519Shared(ekX, pkX);
+  var kem = mlkemCoins ? mlkem.encapsulate(pkM, mlkemCoins) : mlkem.encapsulate(pkM);
+  var ss = combiner(kem.sharedSecret, ssX, ctX, pkX);
+  return { ciphertext: Buffer.concat([kem.cipherText, ctX]), sharedSecret: ss };
+}
+/**
+ * @primitive  b.crypto.xwing.decapsulate
+ * @signature  b.crypto.xwing.decapsulate(secretKey, ciphertext)
+ * @since      0.13.3
+ * @status     experimental
+ * @compliance soc2
+ * @related    b.crypto.xwing.encapsulate, b.crypto.xwing.keygen
+ *
+ * Recover the 32-byte shared secret from a 1120-byte X-Wing ciphertext using
+ * the 32-byte decapsulation seed. ML-KEM-768's implicit-rejection means a
+ * tampered ciphertext yields a different (still 32-byte) secret rather than an
+ * error, so never branch on success — derive keys and let the AEAD tag fail.
+ *
+ * @example
+ *   var ss = b.crypto.xwing.decapsulate(kp.secretKey, enc.ciphertext);
+ *   ss.equals(enc.sharedSecret);   // → true
+ */
+function decapsulate(secretKey, ciphertext) {
+  if (!Buffer.isBuffer(secretKey) || secretKey.length !== SEED_LEN) throw new XWingError("xwing/bad-seed", "xwing.decapsulate: secretKey must be a " + SEED_LEN + "-byte Buffer");
+  if (!Buffer.isBuffer(ciphertext) || ciphertext.length !== CT_LEN) throw new XWingError("xwing/bad-ciphertext", "xwing.decapsulate: ciphertext must be a " + CT_LEN + "-byte Buffer");
+  var k = _expand(secretKey);
+  var ctM = ciphertext.subarray(0, ML_KEM_CT);
+  var ctX = ciphertext.subarray(ML_KEM_CT, CT_LEN);
+  var ssM = mlkem.decapsulate(ctM, k.skM);
+  var ssX = _x25519Shared(k.skX, ctX);
+  return combiner(ssM, ssX, ctX, k.pkX);
+}
+module.exports = {
+  NAME:        "X-Wing",
+  keygen:      keygen,
+  encapsulate: encapsulate,
+  decapsulate: decapsulate,
+  combiner:    combiner,
+  SIZES:       { publicKey: PK_LEN, ciphertext: CT_LEN, secretKey: SEED_LEN, sharedSecret: SS_LEN },
+  XWingError:  XWingError,
+};

package/lib/iab-tcf.js CHANGED Viewed

@@ -95,6 +95,7 @@
  */
 var audit = require("./audit");
+var bCrypto = require("./crypto");
 var { defineClass } = require("./framework-error");
 var IabTcfError = defineClass("IabTcfError", { alwaysPermanent: true });
@@ -129,11 +130,15 @@ function _bitReader(buf) {
       throw IabTcfError.factory("BAD_LENGTH",
         "iabTcf: read past end of segment (offset=" + bitOffset + " want=" + n + " total=" + totalBits + ")");
     }
+    // Accumulate with `* 2`, not `<< 1`: the Created / LastUpdated fields are
+    // 36 bits and their deciseconds values exceed 2^31 for any real date, so a
+    // 32-bit shift would silently truncate them. `* 2 + bit` stays exact up to
+    // 2^53, well above the widest TCF field.
     var v = 0;
     for (var i = 0; i < n; i += 1) {
       var byteIdx = (bitOffset + i) >> 3;
       var bitIdx  = 7 - ((bitOffset + i) & 7);                                                  // allow:raw-byte-literal — high-bit-first ordering
-      v = (v << 1) | ((buf[byteIdx] >> bitIdx) & 1);
+      v = (v * 2) + ((buf[byteIdx] >> bitIdx) & 1);
     }
     bitOffset += n;
     return v;
@@ -178,6 +183,7 @@ function _parseCore(buf) {
   // the vendorConsents/LIs bitmaps when present.
   var vendorConsents = _parseVendorSection(r);
   var vendorLIs      = _parseVendorSection(r);
+  var publisherRestrictions = _parsePublisherRestrictions(r);
   return {
     version:               version,
     createdAt:             createdRaw * 100,                                                   // allow:raw-time-literal — TCF spec deciseconds → ms
@@ -197,6 +203,56 @@ function _parseCore(buf) {
     publisherCC:           publisherCC,
     vendorConsents:        vendorConsents,
     vendorLIs:             vendorLIs,
+    publisherRestrictions: publisherRestrictions,
+  };
+}
+// Publisher restrictions follow the two core vendor sections:
+// NumPubRestrictions (12 bits) then, per restriction, PurposeId (6) +
+// RestrictionType (2) + a range list of vendor ids. NumPubRestrictions is
+// mandatory even when zero, so a core that ends before it is truncated — the
+// reader's bounds check throws rather than treating the gap as "no
+// restrictions", which would let a malformed string validate.
+function _parsePublisherRestrictions(r) {
+  var out = [];
+  var num = r.read(12);                                                                         // allow:raw-byte-literal — TCF spec field width
+  for (var i = 0; i < num; i += 1) {
+    var purposeId       = r.read(6);                                                            // allow:raw-byte-literal — TCF spec field width
+    var restrictionType = r.read(2);
+    var numEntries      = r.read(12);                                                           // allow:raw-byte-literal — TCF spec field width
+    var vendorIds = [];
+    for (var e = 0; e < numEntries; e += 1) {
+      var isRange       = r.read(1) === 1;
+      var startVendorId = r.read(16);                                                           // allow:raw-byte-literal — TCF spec field width
+      if (isRange) {
+        var endVendorId = r.read(16);                                                           // allow:raw-byte-literal — TCF spec field width
+        for (var v = startVendorId; v <= endVendorId; v += 1) vendorIds.push(v);
+      } else {
+        vendorIds.push(startVendorId);
+      }
+    }
+    out.push({ purposeId: purposeId, restrictionType: restrictionType, vendorIds: vendorIds });
+  }
+  return out;
+}
+// PublisherTC segment (type 3): publisher purpose consent + LI bit-fields
+// then a custom-purpose count and its two bit-fields.
+function _parsePublisherTC(buf) {
+  var r = _bitReader(buf);
+  r.read(3);                                                                                    // allow:raw-byte-literal — segment-type prefix
+  var pubPurposesConsent = r.readBitField(24);                                                  // allow:raw-byte-literal — TCF spec field width
+  var pubPurposesLI      = r.readBitField(24);                                                  // allow:raw-byte-literal — TCF spec field width
+  var numCustomPurposes  = r.read(6);                                                           // allow:raw-byte-literal — TCF spec field width
+  var customConsent      = r.readBitField(numCustomPurposes);
+  var customLI           = r.readBitField(numCustomPurposes);
+  return {
+    present:                      true,
+    pubPurposesConsent:           pubPurposesConsent,
+    pubPurposesLITransparency:    pubPurposesLI,
+    numCustomPurposes:            numCustomPurposes,
+    customPurposesConsent:        customConsent,
+    customPurposesLITransparency: customLI,
   };
 }
@@ -298,7 +354,7 @@ function parseString(tcString) {
       } else if (segType === SEGMENT_TYPE_ALLOWED_VENDORS) {
         allowedVendors = { present: true, vendorIds: _parseSecondaryVendorSegment(segBuf, SEGMENT_TYPE_ALLOWED_VENDORS).ids };
       } else if (segType === SEGMENT_TYPE_PUBLISHER_TC) {
-        publisherTC = { present: true };
+        publisherTC = _parsePublisherTC(segBuf);
       } else {
         errors.push("segment[" + i + "] unknown type: " + segType);
       }
@@ -451,8 +507,227 @@ function checkVendor(parsed, vendorId) {
   };
 }
+// ---- encode ----------------------------------------------------------------
+// Accept a Set, an array, or a parsed `{ ids: Set }` / `{ vendorIds: Set }`
+// section as an id collection, and return a sorted unique array of positive
+// integers.
+function _idArray(x) {
+  var src = x;
+  if (x && typeof x === "object" && !Array.isArray(x) && !(x instanceof Set)) {
+    src = x.ids != null ? x.ids : x.vendorIds;
+  }
+  var list = src instanceof Set ? Array.from(src) : (Array.isArray(src) ? src : []);
+  var seen = Object.create(null);
+  var out = [];
+  list.forEach(function (id) {
+    if (typeof id !== "number" || !isFinite(id) || id < 1 || Math.floor(id) !== id) {
+      throw IabTcfError.factory("BAD_VALUE", "iabTcf.encode: vendor/purpose ids must be positive integers, got " + id);
+    }
+    if (!seen[id]) { seen[id] = 1; out.push(id); }
+  });
+  out.sort(function (a, b) { return a - b; });
+  return out;
+}
+// Collapse a sorted unique id array into [start, end] runs for range encoding.
+function _idRuns(ids) {
+  var runs = [];
+  for (var i = 0; i < ids.length; i += 1) {
+    var start = ids[i];
+    var end = start;
+    while (i + 1 < ids.length && ids[i + 1] === end + 1) { end = ids[i + 1]; i += 1; }
+    runs.push([start, end]);
+  }
+  return runs;
+}
+function _decisec(t) {
+  var ms = t instanceof Date ? t.getTime() : (t == null ? Date.now() : Number(t));
+  if (!isFinite(ms) || ms < 0) throw IabTcfError.factory("BAD_VALUE", "iabTcf.encode: timestamp must be a Date or non-negative epoch-ms");
+  return Math.round(ms / 100);                                                                  // allow:raw-time-literal — ms → TCF deciseconds
+}
+// Bit writer mirroring _bitReader: bits are packed high-bit-first, then the
+// stream is right-padded to a whole number of bytes (byte-oriented base64url,
+// matching the reference CMP encoders and this module's own reader).
+function _bitWriter() {
+  var bits = "";
+  function writeInt(v, n) {
+    if (typeof v !== "number" || !isFinite(v) || v < 0 || Math.floor(v) !== v) throw IabTcfError.factory("BAD_VALUE", "iabTcf.encode: expected a non-negative integer, got " + v);
+    if (v >= Math.pow(2, n)) throw IabTcfError.factory("VALUE_OVERFLOW", "iabTcf.encode: " + v + " does not fit in " + n + " bits");
+    bits += v.toString(2).padStart(n, "0");
+  }
+  function writeBool(flag) { bits += flag ? "1" : "0"; }
+  function writeBitField(ids, n) {
+    var set = Object.create(null);
+    _idArray(ids).forEach(function (id) { set[id] = 1; });
+    for (var i = 1; i <= n; i += 1) writeBool(set[i] === 1);
+  }
+  function writeVendorSection(ids) {
+    var clean = _idArray(ids);
+    var maxVendorId = clean.length ? clean[clean.length - 1] : 0;
+    writeInt(maxVendorId, 16);                                                                  // allow:raw-byte-literal — TCF spec field width
+    if (maxVendorId === 0) { writeBool(false); return; }
+    var runs = _idRuns(clean);
+    var rangeBits = 1 + 12;                                                                     // allow:raw-byte-literal — TCF spec field width
+    runs.forEach(function (run) { rangeBits += 1 + 16 + (run[0] === run[1] ? 0 : 16); });       // allow:raw-byte-literal — TCF spec field width
+    var bitfieldBits = 1 + maxVendorId;
+    if (rangeBits < bitfieldBits) {
+      writeBool(true);
+      writeInt(runs.length, 12);                                                                // allow:raw-byte-literal — TCF spec field width
+      runs.forEach(function (run) {
+        if (run[0] === run[1]) { writeBool(false); writeInt(run[0], 16); }                      // allow:raw-byte-literal — TCF spec field width
+        else { writeBool(true); writeInt(run[0], 16); writeInt(run[1], 16); }                   // allow:raw-byte-literal — TCF spec field width
+      });
+    } else {
+      writeBool(false);
+      writeBitField(clean, maxVendorId);
+    }
+  }
+  function toBuffer() {
+    var padded = bits + "0".repeat((8 - (bits.length % 8)) % 8);                                // allow:raw-byte-literal — pad to whole bytes
+    var byteLen = padded.length / 8;                                                            // allow:raw-byte-literal — bits per byte
+    var out = Buffer.alloc(byteLen);
+    for (var i = 0; i < byteLen; i += 1) out[i] = parseInt(padded.slice(i * 8, i * 8 + 8), 2);  // allow:raw-byte-literal — bits per byte
+    return out;
+  }
+  return { writeInt: writeInt, writeBool: writeBool, writeBitField: writeBitField, writeVendorSection: writeVendorSection, toBuffer: toBuffer };
+}
+function _b64urlEncode(buf) {
+  return bCrypto.toBase64Url(buf);
+}
+function _writeLetters(w, s, label) {
+  var str = String(s).toUpperCase();
+  if (str.length !== 2) throw IabTcfError.factory("BAD_VALUE", "iabTcf.encode: " + label + " must be a 2-letter code, got '" + s + "'");
+  for (var i = 0; i < 2; i += 1) {
+    var v = str.charCodeAt(i) - 0x41;                                                           // allow:raw-byte-literal — ASCII 'A' offset
+    if (v < 0 || v > 25) throw IabTcfError.factory("BAD_VALUE", "iabTcf.encode: '" + str.charAt(i) + "' is not an A-Z letter");
+    w.writeInt(v, 6);                                                                           // allow:raw-byte-literal — TCF spec field width
+  }
+}
+function _encodePublisherTC(pub) {
+  var w = _bitWriter();
+  w.writeInt(SEGMENT_TYPE_PUBLISHER_TC, 3);                                                     // allow:raw-byte-literal — segment-type prefix
+  w.writeBitField(pub.pubPurposesConsent || [], 24);                                            // allow:raw-byte-literal — TCF spec field width
+  w.writeBitField(pub.pubPurposesLITransparency || [], 24);                                     // allow:raw-byte-literal — TCF spec field width
+  var custom = _idArray(pub.customPurposesConsent || []);
+  var customLI = _idArray(pub.customPurposesLITransparency || []);
+  var n = pub.numCustomPurposes != null
+    ? pub.numCustomPurposes
+    : Math.max(custom.length ? custom[custom.length - 1] : 0, customLI.length ? customLI[customLI.length - 1] : 0);
+  w.writeInt(n, 6);                                                                             // allow:raw-byte-literal — TCF spec field width
+  w.writeBitField(custom, n);
+  w.writeBitField(customLI, n);
+  return _b64urlEncode(w.toBuffer());
+}
+/**
+ * @primitive b.iabTcf.encode
+ * @signature b.iabTcf.encode(obj)
+ * @since     0.13.1
+ * @status    stable
+ * @compliance iab-tcf
+ * @related   b.iabTcf.parseString, b.iabTcf.isValid
+ *
+ * Serialise a TCF object — in the shape `parseString` returns — back into a
+ * TC string. Vendor and purpose collections may be `Set`s, arrays of ids, or
+ * the parsed `{ ids }` / `{ vendorIds }` sections. Vendor sections are written
+ * with whichever of the bit-field and range forms is smaller, matching the
+ * reference CMP encoders, so a parsed string round-trips to an equivalent
+ * signal. Pass `disclosedVendors` / `allowedVendors` / `publisherTC` to append
+ * those segments. Throws `IabTcfError` on a value that does not fit its field.
+ *
+ * @example
+ *   var s = b.iabTcf.encode({
+ *     core: { version: 2, cmpId: 5, vendorListVersion: 100, consentLanguage: "EN",
+ *             purposesConsent: [1, 2, 3], vendorConsents: [1, 28, 100], publisherCC: "DE" },
+ *     disclosedVendors: [1, 28, 100],
+ *   });
+ */
+function encode(obj) {
+  if (!obj || typeof obj !== "object" || !obj.core || typeof obj.core !== "object") {
+    throw IabTcfError.factory("BAD_INPUT", "iabTcf.encode: obj must have a 'core' object");
+  }
+  var c = obj.core;
+  var w = _bitWriter();
+  w.writeInt(c.version != null ? c.version : TCF_V23_CORE_VERSION, 6);                          // allow:raw-byte-literal — TCF spec field width
+  w.writeInt(_decisec(c.createdAt), 36);                                                        // allow:raw-byte-literal — TCF spec field width
+  w.writeInt(_decisec(c.lastUpdatedAt != null ? c.lastUpdatedAt : c.createdAt), 36);            // allow:raw-byte-literal — TCF spec field width
+  w.writeInt(c.cmpId || 0, 12);                                                                 // allow:raw-byte-literal — TCF spec field width
+  w.writeInt(c.cmpVersion || 0, 12);                                                            // allow:raw-byte-literal — TCF spec field width
+  w.writeInt(c.consentScreen || 0, 6);                                                          // allow:raw-byte-literal — TCF spec field width
+  _writeLetters(w, c.consentLanguage || "EN", "consentLanguage");
+  w.writeInt(c.vendorListVersion || 0, 12);                                                     // allow:raw-byte-literal — TCF spec field width
+  w.writeInt(c.policyVersion != null ? c.policyVersion : TCF_V23_POLICY_VERSION, 6);            // allow:raw-byte-literal — TCF spec field width
+  w.writeBool(c.isServiceSpecific !== false);
+  w.writeBool(c.useNonStandardStacks === true);
+  w.writeBitField(c.specialFeatureOptins || [], 12);                                            // allow:raw-byte-literal — TCF spec field width
+  w.writeBitField(c.purposesConsent || [], 24);                                                 // allow:raw-byte-literal — TCF spec field width
+  w.writeBitField(c.purposesLI || [], 24);                                                      // allow:raw-byte-literal — TCF spec field width
+  w.writeBool(c.purposeOneTreatment === true);
+  _writeLetters(w, c.publisherCC || "AA", "publisherCC");
+  w.writeVendorSection(c.vendorConsents || []);
+  w.writeVendorSection(c.vendorLIs || []);
+  var restrictions = c.publisherRestrictions || [];
+  w.writeInt(restrictions.length, 12);                                                          // allow:raw-byte-literal — TCF spec field width
+  restrictions.forEach(function (pr) {
+    w.writeInt(pr.purposeId, 6);                                                                // allow:raw-byte-literal — TCF spec field width
+    w.writeInt(typeof pr.restrictionType === "number" ? pr.restrictionType : 0, 2);
+    var runs = _idRuns(_idArray(pr.vendorIds || []));
+    w.writeInt(runs.length, 12);                                                                // allow:raw-byte-literal — TCF spec field width
+    runs.forEach(function (run) {
+      if (run[0] === run[1]) { w.writeBool(false); w.writeInt(run[0], 16); }                    // allow:raw-byte-literal — TCF spec field width
+      else { w.writeBool(true); w.writeInt(run[0], 16); w.writeInt(run[1], 16); }               // allow:raw-byte-literal — TCF spec field width
+    });
+  });
+  var segs = [_b64urlEncode(w.toBuffer())];
+  if (obj.disclosedVendors != null) {
+    var dw = _bitWriter();
+    dw.writeInt(SEGMENT_TYPE_DISCLOSED_VENDORS, 3);                                              // allow:raw-byte-literal — segment-type prefix
+    dw.writeVendorSection(obj.disclosedVendors);
+    segs.push(_b64urlEncode(dw.toBuffer()));
+  }
+  if (obj.allowedVendors != null) {
+    var aw = _bitWriter();
+    aw.writeInt(SEGMENT_TYPE_ALLOWED_VENDORS, 3);                                                // allow:raw-byte-literal — segment-type prefix
+    aw.writeVendorSection(obj.allowedVendors);
+    segs.push(_b64urlEncode(aw.toBuffer()));
+  }
+  if (obj.publisherTC != null && obj.publisherTC.present !== false) {
+    segs.push(_encodePublisherTC(obj.publisherTC));
+  }
+  return segs.join(".");
+}
+/**
+ * @primitive b.iabTcf.isValid
+ * @signature b.iabTcf.isValid(tcString)
+ * @since     0.13.1
+ * @status    stable
+ * @compliance iab-tcf
+ * @related   b.iabTcf.parseString
+ *
+ * Return `true` if the string parses as a well-formed TCF Core segment,
+ * `false` otherwise. A total predicate — never throws. Note this checks
+ * structural validity only; use `requireV23Disclosed` for the v2.3 policy gate.
+ *
+ * @example
+ *   b.iabTcf.isValid("CQSbk4AQSbk4ANwAAAENAwCgAAAAAAAAAAYgACPAAAAA");  // → true
+ *   b.iabTcf.isValid("nonsense");                                      // → false
+ */
+function isValid(tcString) {
+  try { parseString(tcString); return true; } catch (_e) { return false; }
+}
 module.exports = {
   parseString:           parseString,
+  encode:                encode,
+  isValid:               isValid,
   requireV23Disclosed:   requireV23Disclosed,
   checkVendor:           checkVendor,
   IabTcfError:           IabTcfError,

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@blamejs/core",
-  "version": "0.13.1",
+  "version": "0.13.3",
   "description": "The Node framework that owns its stack.",
   "license": "Apache-2.0",
   "author": "blamejs contributors",

package/sbom.cdx.json CHANGED Viewed

@@ -2,10 +2,10 @@
   "$schema": "http://cyclonedx.org/schema/bom-1.5.schema.json",
   "bomFormat": "CycloneDX",
   "specVersion": "1.5",
-  "serialNumber": "urn:uuid:867201c0-c1e7-42ae-8956-c09389ae0095",
+  "serialNumber": "urn:uuid:4dae8994-eae5-41f2-9afe-f4d18c950644",
   "version": 1,
   "metadata": {
-    "timestamp": "2026-05-26T22:27:34.169Z",
+    "timestamp": "2026-05-27T00:14:33.058Z",
     "lifecycles": [
       {
         "phase": "build"
@@ -19,14 +19,14 @@
       }
     ],
     "component": {
-      "bom-ref": "@blamejs/core@0.13.1",
+      "bom-ref": "@blamejs/core@0.13.3",
       "type": "application",
       "name": "blamejs",
-      "version": "0.13.1",
+      "version": "0.13.3",
       "scope": "required",
       "author": "blamejs contributors",
       "description": "The Node framework that owns its stack.",
-      "purl": "pkg:npm/%40blamejs/core@0.13.1",
+      "purl": "pkg:npm/%40blamejs/core@0.13.3",
       "properties": [],
       "externalReferences": [
         {
@@ -54,7 +54,7 @@
   "components": [],
   "dependencies": [
     {
-      "ref": "@blamejs/core@0.13.1",
+      "ref": "@blamejs/core@0.13.3",
       "dependsOn": []
     }
   ]