@blamejs/core 0.13.19 → 0.13.20

package/CHANGELOG.md

@@ -8,6 +8,8 @@ upgrading across more than a few patches at a time.
 
 ## v0.13.x
 
+- v0.13.20 (2026-05-27) — **`b.archive.wrap` can seal an archive for a tenant with no key-pair to manage — `recipient: "tenant"`.** b.archive.wrap previously sealed only to an explicit hybrid-PQC key-pair or a peer certificate; the documented recipient: "tenant" strategy threw. It now works: pass { recipient: "tenant", tenantId } and the archive is sealed under a deterministic per-tenant key derived from the vault root (SHAKE256 KDF) with XChaCha20-Poly1305, the tenant id mixed into the AEAD additional-authenticated-data so one tenant's envelope cannot be opened under another tenant's key. There is no recipient key-pair for the operator to generate, store, or rotate — b.archive.unwrap re-derives the key from the same tenantId. Rotating the vault re-keys every tenant (rotation intent is re-seal). The derivation is exposed directly as b.agent.tenant.derivedKey(tenantId, purpose) for operators who need the raw per-tenant key for their own AEAD. Requires an initialized vault. **Added:** *`b.archive.wrap` / `b.archive.unwrap` `recipient: "tenant"` — per-tenant archive sealing, no key-pair* — `b.archive.wrap(bytes, { recipient: "tenant", tenantId })` seals under a deterministic per-tenant key derived from the vault root with XChaCha20-Poly1305 (draft-irtf-cfrg-xchacha-03) and a SHAKE256 KDF (FIPS 202); the tenant id is bound into the AEAD AAD so a tenant-A envelope cannot decrypt under tenant-B's key even if an attacker swaps envelope headers. `b.archive.unwrap(sealed, { recipient: "tenant", tenantId })` (or just `{ tenantId }`) re-derives the key and recovers the bytes — no recipient key-pair to manage. The tenant envelope carries a distinct version byte so it is never fed to the hybrid-KEM decrypt path. The static-key and peer-cert recipient strategies are unchanged. · *`b.agent.tenant.derivedKey(tenantId, purpose)` — direct per-tenant key derivation* — The deterministic, domain-separated per-tenant key derivation (vault root + tenantId + purpose, SHAKE256, NUL-separated) is now exported at the module level, returning a 64-char hex key. Previously reachable only as a method on a created tenant manager; operators who need the raw key for their own AEAD can now call it directly. Throws if the vault is not initialized.
+
 - v0.13.19 (2026-05-27) — **`auditTools` export / archive / forensic-snapshot can return the bundle as bytes — no output directory for serverless / read-only filesystems.** b.auditTools.exportSlice, b.auditTools.archive, and b.auditTools.forensicSnapshot required an `out` directory to write the encrypted bundle (rows.enc + optional checkpoint.enc + manifest.json), which is unusable on a read-only or ephemeral serverless filesystem. Each now accepts `returnBytes: true` instead of `out` and returns the bundle as an in-memory `{ filename: Buffer }` map — ready to stream to object storage or over the wire with no filesystem access. `out` and `returnBytes` are mutually exclusive. The on-disk path is unchanged. The bundle's encryption (XChaCha20-Poly1305 + Argon2id), chain-proof material, and manifest checksums are identical to the written bundle, so an in-memory bundle written to disk verifies exactly as one produced by the `out` path. **Added:** *`returnBytes` on `auditTools.exportSlice` / `archive` / `forensicSnapshot` — in-memory bundles* — Pass `returnBytes: true` (and omit `out`) to get the encrypted audit bundle as an in-memory `{ filename: Buffer }` map instead of a directory write — the read-only / serverless path. `exportSlice` / `archive` return `{ manifest, files, rowCount, range }`; `forensicSnapshot` returns `{ ...manifest, files }` where `files` carries the slice's `rows.enc` + `manifest.json` plus the `forensic-snapshot.json` incident wrapper. The encryption, chain proof, and manifest checksums match the on-disk bundle byte-for-byte, so the bytes verify with `verifyBundle` once written out. `out` and `returnBytes` are mutually exclusive (passing both throws). **Fixed:** *`auditTools.forensicSnapshot` now honors the `since` window instead of capturing the entire audit history* — `forensicSnapshot` passed its `since` bound to the slice exporter under the wrong option name, so the time filter was silently dropped and the snapshot bundled every audit row regardless of `since`. The window is now applied — a snapshot scoped to an incident window contains only that window's rows. The snapshot manifest's `auditSliceFile` field, previously always undefined, now records the slice location.
 
 - v0.13.18 (2026-05-27) — **`bodyParser` multipart can buffer uploads in memory — no tmp directory for serverless / read-only filesystems.** The multipart/form-data sub-parser previously streamed every file part to a tmp directory on disk (os.tmpdir() by default), which fails on a read-only or ephemeral serverless filesystem. A new multipart.storage option selects where file parts land: "disk" (default, unchanged — req.files[].path points at a tmp file cleaned up on response end) or "memory" (req.files[].buffer holds the assembled bytes, with no filesystem access at all). Both modes enforce the same per-file (fileSize), per-field, and total-request (totalSize) caps, so memory mode adds no new memory-exhaustion surface. The file object shape is stable across both modes — disk sets path with buffer null, memory sets buffer with path null — so a handler branches on whichever is non-null. An invalid storage value is rejected when the middleware is constructed. **Added:** *`bodyParser` multipart `storage: "memory"` — buffer uploads in RAM instead of a tmp directory* — `b.middleware.bodyParser({ multipart: { storage: "memory" } })` buffers each uploaded file part in memory and exposes it as `req.files[].buffer` (a Buffer), with no `os.tmpdir()` write and no tmp-file cleanup — the read-only / serverless path. The default `storage: "disk"` is unchanged: file parts stream to a tmp file, `req.files[].path` points at it, and it is removed when the response finishes. Both modes apply the existing `fileSize` / per-field `maxBytes` / `totalSize` caps and SHA3-512 hash each part during streaming, so memory mode is bounded by the same limits and adds no new DoS surface. The `req.files[]` shape is stable across modes (disk: `path` set, `buffer` null; memory: `buffer` set, `path` null). A `storage` value other than `"disk"` or `"memory"` throws a `TypeError` at construction.

package/README.md

@@ -228,7 +228,7 @@ The framework bundles the surface a typical Node app reaches for. Every primitiv
 - **i18n** — CLDR plural rules, Accept-Language negotiation, Intl formatters, RTL (`b.i18n`)
 - **CSV** — RFC 4180 with Excel formula-injection prevention (`b.csv`)
 - **IDs + slugs** — RFC 9562 UUID v4 + v7 (`b.uuid`); URL-safe slugs (`b.slug`)
-- **Time + archive** — TZ-aware datetime (`b.time`); ZIP creation + adversarial-safe read with bomb caps + path-traversal + LFH/CD-skew defense (`b.archive` + `b.archive.read.zip`); one-liner quarantine extraction (`b.safeArchive.extract`); in-memory extraction with no disk write for read-only / serverless filesystems (`b.archive.read.zip(...).extractEntries()` / `.tar`); fs / objectStore / http / buffer / trusted-stream adapter contract (`b.archive.adapters`)
+- **Time + archive** — TZ-aware datetime (`b.time`); ZIP creation + adversarial-safe read with bomb caps + path-traversal + LFH/CD-skew defense (`b.archive` + `b.archive.read.zip`); one-liner quarantine extraction (`b.safeArchive.extract`); in-memory extraction with no disk write for read-only / serverless filesystems (`b.archive.read.zip(...).extractEntries()` / `.tar`); fs / objectStore / http / buffer / trusted-stream adapter contract (`b.archive.adapters`); recipient-sealed envelopes — hybrid-PQC key-pair, peer certificate, or per-tenant key with no key-pair to manage (`b.archive.wrap({ recipient: "tenant", tenantId })`)
 - **Pagination + forms** — HMAC-signed cursor pagination (`b.pagination`); HTML form rendering + validation + CSRF (`b.forms`)
 
 ### Production

package/lib/agent-tenant.js

@@ -386,6 +386,35 @@ function _deriveTenantKeyBytes(tenantId, purpose) {
   return bCrypto.kdf(input, TENANT_KEY_BYTES);
 }
 
+/**
+ * @primitive b.agent.tenant.derivedKey
+ * @signature b.agent.tenant.derivedKey(tenantId, purpose)
+ * @since     0.9.25
+ * @status    stable
+ * @compliance hipaa, pci-dss, gdpr, soc2
+ * @related   b.agent.tenant.create, b.archive.wrap, b.vault
+ *
+ * Derive a deterministic, domain-separated 32-byte key for a tenant
+ * and a named purpose, returned as a 64-char hex string. The key is a
+ * SHAKE256 KDF over the vault root (the master keypair PEM hashed),
+ * the `tenantId`, and the `purpose`, with NUL separators so distinct
+ * `(tenantId, purpose)` pairs cannot collide. The same inputs always
+ * produce the same key, so a value sealed under
+ * `derivedKey(t, "archive-wrap")` is recoverable later from the same
+ * tenant + purpose with no key escrow. Rotating the vault
+ * (`b.vaultRotate.rotate`) changes the root and therefore every
+ * derived key — by design, rotation intent is re-seal.
+ *
+ * Throws if the vault has not been initialized (keys cannot be derived
+ * before bootstrap) or if `purpose` is empty. This is the same
+ * derivation the per-tenant `sealField` / archive `recipient: "tenant"`
+ * paths use internally; call it directly when you need the raw key for
+ * your own AEAD.
+ *
+ * @example
+ *   var key = b.agent.tenant.derivedKey("acme-corp", "archive-wrap");
+ *   // → "9f3c…" (64 hex chars; deterministic per tenant + purpose)
+ */
 function _derivedKey(tenantId, purpose) {
   // Public API — returns hex so the existing wire shape (operators
   // storing the derived key string in their DB) is unchanged. Internal
@@ -624,6 +653,7 @@ function _inMemoryBackend() {
 
 module.exports = {
   create:                    create,
+  derivedKey:                _derivedKey,
   CROSS_TENANT_ADMIN_SCOPE:  CROSS_TENANT_ADMIN_SCOPE,
   AgentTenantError:          AgentTenantError,
   guards: {

package/lib/archive-wrap.js

@@ -15,10 +15,11 @@
  *   var bytes  = b.archive.unwrap(sealed, { recipient: privKeys });
  *   var reader = b.archive.read.tar(b.archive.adapters.buffer(bytes));
  *
- * Builder-fluent composition (`tarBuilder.toAdapter(s3, { wrap: ... })`)
- * + per-entry ZIP wrap (Flavor 2) land in v0.12.11 alongside the
- * backup-crypto refactor; this patch ships the recipient substrate
- * + the b.backup `cryptoStrategy: "recipient"` opt that consumes it.
+ * Three recipient strategies: a static hybrid-PQC key-pair, a peer
+ * certificate, and `"tenant"` — a deterministic per-tenant symmetric
+ * seal keyed by the vault root (no key-pair to manage; unwrap
+ * re-derives from the tenant id). b.backup's `cryptoStrategy:
+ * "recipient"` consumes the same substrate.
  */
 
 var C = require("./constants");
@@ -29,13 +30,23 @@ var ArchiveWrapError = defineClass("ArchiveWrapError", { alwaysPermanent: true }
 
 var bCrypto = lazyRequire(function () { return require("./crypto"); });
 var backupCrypto = lazyRequire(function () { return require("./backup/crypto"); });
+var agentTenant = lazyRequire(function () { return require("./agent-tenant"); });
 
 // Envelope magic — 5-byte ASCII prefix the safe-archive sniffer
 // recognises. Distinct from b.crypto.encrypt's base64 envelope so
 // archive-wrap output can carry an unambiguous "this is an archive
 // wrap envelope" magic before the operator-controlled payload.
 var ARCH_WRAP_MAGIC = "BAWRP";                                                       // allow:raw-byte-literal — 5-byte ASCII archive-wrap recipient envelope magic
-var ARCH_WRAP_VERSION = 0x01;                                                        // allow:raw-byte-literal — recipient version byte
+var ARCH_WRAP_VERSION = 0x01;                                                        // allow:raw-byte-literal — recipient version byte (hybrid-KEM envelope)
+// Tenant strategy uses the same BAWRP magic with a distinct version
+// byte: the body is a symmetric XChaCha20-Poly1305 packed ciphertext
+// (b.crypto.encryptPacked) keyed by the tenant's vault-derived key,
+// not a hybrid-KEM envelope. unwrap dispatches on the version byte so
+// a tenant envelope is never fed to the KEM decrypt path.
+var ARCH_WRAP_VERSION_TENANT = 0x02;                                                 // allow:raw-byte-literal — tenant symmetric-seal version byte
+// Purpose label for the per-tenant key derivation (domain-separates
+// the archive-wrap key from a tenant's seal / audit / session keys).
+var TENANT_KEY_PURPOSE = "archive-wrap";
 var ARCH_WRAP_HEADER_BYTES = C.BYTES.bytes(6);                                        // magic(5) + version(1)
 // Passphrase variant — wire format: magic(5) + version(1) + saltLen(1)
 // + salt(saltLen bytes) + encrypted bytes (24-byte nonce + ciphertext+tag
@@ -66,10 +77,14 @@ var ARCH_PASSPHRASE_HEADER_BYTES = C.BYTES.bytes(7);
  *   - peer cert   — `{ recipient: { peerCertDer, peerKemPubkey } }` composes
  *                   `b.crypto.encryptEnvelopeAsCertPeer` (extracts the
  *                   P-384 half from the cert).
- *   - tenant      — `{ recipient: "tenant", tenantId: "alpha" }` resolves
- *                   the tenant's KEM keypair via `b.vault.derivedKey`
- *                   (deferred to v0.12.11 alongside the backup
- *                   `cryptoStrategy: "recipient"` adoption).
+ *   - tenant      — `{ recipient: "tenant", tenantId: "alpha" }` seals
+ *                   under a deterministic per-tenant key derived from the
+ *                   vault root (`b.agent.tenant.derivedKey`) with
+ *                   XChaCha20-Poly1305, the tenant id mixed into the AEAD
+ *                   AAD so one tenant's envelope cannot open under
+ *                   another's key. No recipient key-pair to manage;
+ *                   `unwrap` re-derives from the same `tenantId`. Requires
+ *                   an initialized vault.
  *
  * @opts
  *   recipient:  object | string,   // see strategies above; required
@@ -96,15 +111,16 @@ function wrap(bytes, opts) {
     throw new ArchiveWrapError("archive-wrap/no-recipient",
       "wrap: opts.recipient is required (static key object | \"tenant\" string | peer-cert object)");
   }
-  var envelope = _encryptForRecipient(bytes, opts);
-  // envelope is a base64 string from b.crypto.encrypt. Buffer it and
-  // prepend the 6-byte archive-wrap header so safeArchive's sniffer
-  // can identify it without attempting decryption.
-  var envelopeBuf = Buffer.from(envelope, "utf-8");
+  var enc = _encryptForRecipient(bytes, opts);
+  // enc.body is the envelope bytes (base64 KEM envelope for static /
+  // peer-cert recipients, symmetric packed ciphertext for tenant).
+  // Prepend the 6-byte archive-wrap header stamped with the strategy's
+  // version byte so safeArchive's sniffer + unwrap can identify the
+  // envelope (and pick the right decrypt path) without trial decryption.
   var header = Buffer.alloc(ARCH_WRAP_HEADER_BYTES);
   header.write(ARCH_WRAP_MAGIC, 0, 5, "ascii");
-  header[5] = ARCH_WRAP_VERSION;
-  return Buffer.concat([header, envelopeBuf]);
+  header[5] = enc.version;
+  return Buffer.concat([header, enc.body]);
 }
 
 /**
@@ -121,11 +137,14 @@ function wrap(bytes, opts) {
  * than a crypto-level error.
  *
  * @opts
- *   recipient:  object,   // { privateKey, ecPrivateKey } | { certPrivateKey, kemSecret }; required
+ *   recipient:  object | "tenant",  // { privateKey, ecPrivateKey } | { certPrivateKey, kemSecret } | "tenant"
+ *   tenantId:   string,             // required when the envelope was sealed with recipient: "tenant"
  *
  * @example
  *   var bytes  = b.archive.unwrap(sealed, { recipient: privPair });
  *   var reader = b.archive.read.tar(b.archive.adapters.buffer(bytes));
+ *   // tenant envelope:
+ *   var t = b.archive.unwrap(sealedForTenant, { recipient: "tenant", tenantId: "alpha" });
  */
 function unwrap(sealed, opts) {
   opts = opts || {};
@@ -145,6 +164,27 @@ function unwrap(sealed, opts) {
       JSON.stringify(ARCH_WRAP_MAGIC) + "; got " + JSON.stringify(magic));
   }
   var version = buf[5];
+  // Tenant strategy: symmetric packed ciphertext keyed by the
+  // vault-derived per-tenant key. Re-derive from opts.tenantId and
+  // decrypt under the same tenant-bound AAD that wrap sealed with.
+  if (version === ARCH_WRAP_VERSION_TENANT) {
+    if (opts.recipient !== undefined && opts.recipient !== "tenant") {
+      throw new ArchiveWrapError("archive-wrap/recipient-mismatch",
+        "unwrap: this envelope was sealed with recipient: \"tenant\" — pass opts.tenantId " +
+        "(and either omit opts.recipient or set it to \"tenant\"), not a key-pair recipient");
+    }
+    var tenantKey = _tenantKey(opts.tenantId);
+    var packedBody = buf.slice(ARCH_WRAP_HEADER_BYTES);
+    try {
+      return bCrypto().decryptPacked(packedBody, tenantKey, _tenantAad(opts.tenantId));
+    } catch (e) {
+      var terr = new ArchiveWrapError("archive-wrap/decrypt-failed",
+        "unwrap: tenant envelope decryption refused (wrong tenantId or rotated vault?): " +
+        ((e && e.message) || String(e)));
+      terr.cause = e;
+      throw terr;
+    }
+  }
   if (version !== ARCH_WRAP_VERSION) {
     throw new ArchiveWrapError("archive-wrap/bad-version",
       "unwrap: archive-wrap version " + version + " not supported by this build");
@@ -152,7 +192,8 @@ function unwrap(sealed, opts) {
   if (!opts.recipient || typeof opts.recipient !== "object") {
     throw new ArchiveWrapError("archive-wrap/no-recipient",
       "unwrap: opts.recipient is required ({ privateKey, ecPrivateKey } " +
-      "for the static-key path, { certPrivateKey, kemSecret } for the peer-cert path)");
+      "for the static-key path, { certPrivateKey, kemSecret } for the peer-cert path, " +
+      "or \"tenant\" + opts.tenantId for the tenant path)");
   }
   var envelope = buf.slice(ARCH_WRAP_HEADER_BYTES).toString("utf-8");
   var plaintext;
@@ -183,28 +224,52 @@ function unwrap(sealed, opts) {
   return Buffer.isBuffer(plaintext) ? plaintext : Buffer.from(plaintext);
 }
 
+// Resolve a tenant's deterministic 32-byte archive-wrap key from the
+// vault root. Throws a clear archive-wrap error (rather than a deep
+// agent-tenant one) when tenantId is missing; the vault-not-initialized
+// case surfaces from agentTenant.derivedKey unchanged.
+function _tenantKey(tenantId) {
+  if (typeof tenantId !== "string" || tenantId.length === 0) {
+    throw new ArchiveWrapError("archive-wrap/no-tenant-id",
+      "recipient: \"tenant\" requires opts.tenantId (a non-empty string)");
+  }
+  return Buffer.from(agentTenant().derivedKey(tenantId, TENANT_KEY_PURPOSE), "hex");
+}
+
+// AAD context-binds the symmetric envelope to the tenant: the Poly1305
+// tag covers this, so a tenant-A envelope cannot be decrypted under
+// tenant-B's key even if an attacker swaps headers between envelopes.
+function _tenantAad(tenantId) {
+  return Buffer.from("archive-wrap|tenant|" + tenantId, "utf8");
+}
+
+// Returns { version, body } so wrap() can stamp the right version byte:
+// hybrid-KEM recipients use ARCH_WRAP_VERSION with a base64 envelope
+// body; the tenant strategy uses ARCH_WRAP_VERSION_TENANT with a
+// symmetric packed-ciphertext body.
 function _encryptForRecipient(bytes, opts) {
   var r = opts.recipient;
   if (typeof r === "string") {
     if (r === "tenant") {
-      // tenant strategy lands in v0.12.11 alongside the backup
-      // cryptoStrategy adoption — refuse cleanly for v0.12.10 so
-      // operators see the deferred-shape contract.
-      throw new ArchiveWrapError("archive-wrap/tenant-strategy-deferred",
-        "wrap: recipient: \"tenant\" lands in v0.12.11 alongside b.backup cryptoStrategy: \"recipient\" + per-tenant key resolution. For v0.12.10, pass an explicit { publicKey, ecPublicKey } recipient");
+      var tenantKey = _tenantKey(opts.tenantId);
+      var packed = bCrypto().encryptPacked(Buffer.from(bytes), tenantKey, _tenantAad(opts.tenantId));
+      return { version: ARCH_WRAP_VERSION_TENANT, body: packed };
     }
     throw new ArchiveWrapError("archive-wrap/bad-recipient",
-      "wrap: recipient string " + JSON.stringify(r) + " not recognised; \"tenant\" deferred to v0.12.11");
+      "wrap: recipient string " + JSON.stringify(r) + " not recognised; the only string recipient is \"tenant\" (with opts.tenantId)");
   }
   if (r.peerCertDer || r.peerKemPubkey) {
     if (!r.peerCertDer || !r.peerKemPubkey) {
       throw new ArchiveWrapError("archive-wrap/bad-recipient",
         "wrap: peer-cert strategy requires BOTH peerCertDer + peerKemPubkey");
     }
-    return bCrypto().encryptEnvelopeAsCertPeer(bytes, {
-      peerCertDer:    r.peerCertDer,
-      peerKemPubkey:  r.peerKemPubkey,
-    });
+    return {
+      version: ARCH_WRAP_VERSION,
+      body: Buffer.from(bCrypto().encryptEnvelopeAsCertPeer(bytes, {
+        peerCertDer:    r.peerCertDer,
+        peerKemPubkey:  r.peerKemPubkey,
+      }), "utf-8"),
+    };
   }
   if (r.publicKey) {
     // Codex P2 on v0.12.10 PR #161 — b.crypto.encrypt falls back to
@@ -221,10 +286,13 @@ function _encryptForRecipient(bytes, opts) {
         "and ecPublicKey (P-384 ECDH PEM). Partial recipients trip b.crypto.encrypt's " +
         "ML-KEM-only fallback which silently degrades the hybrid contract this primitive promises.");
     }
-    return bCrypto().encrypt(bytes, {
-      publicKey:    r.publicKey,
-      ecPublicKey:  r.ecPublicKey,
-    });
+    return {
+      version: ARCH_WRAP_VERSION,
+      body: Buffer.from(bCrypto().encrypt(bytes, {
+        publicKey:    r.publicKey,
+        ecPublicKey:  r.ecPublicKey,
+      }), "utf-8"),
+    };
   }
   throw new ArchiveWrapError("archive-wrap/bad-recipient",
     "wrap: recipient must be { publicKey, ecPublicKey } | { peerCertDer, peerKemPubkey } | \"tenant\"");

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@blamejs/core",
-  "version": "0.13.19",
+  "version": "0.13.20",
   "description": "The Node framework that owns its stack.",
   "license": "Apache-2.0",
   "author": "blamejs contributors",

package/sbom.cdx.json

@@ -2,10 +2,10 @@
   "$schema": "http://cyclonedx.org/schema/bom-1.5.schema.json",
   "bomFormat": "CycloneDX",
   "specVersion": "1.5",
-  "serialNumber": "urn:uuid:bcf724d0-38ac-437e-86b3-47da5e8b72dc",
+  "serialNumber": "urn:uuid:aca0caec-3bdf-4b4b-bfd8-436286cc5bbf",
   "version": 1,
   "metadata": {
-    "timestamp": "2026-05-27T21:23:48.501Z",
+    "timestamp": "2026-05-27T22:48:58.698Z",
     "lifecycles": [
       {
         "phase": "build"
@@ -19,14 +19,14 @@
       }
     ],
     "component": {
-      "bom-ref": "@blamejs/core@0.13.19",
+      "bom-ref": "@blamejs/core@0.13.20",
       "type": "application",
       "name": "blamejs",
-      "version": "0.13.19",
+      "version": "0.13.20",
       "scope": "required",
       "author": "blamejs contributors",
       "description": "The Node framework that owns its stack.",
-      "purl": "pkg:npm/%40blamejs/core@0.13.19",
+      "purl": "pkg:npm/%40blamejs/core@0.13.20",
       "properties": [],
       "externalReferences": [
         {
@@ -54,7 +54,7 @@
   "components": [],
   "dependencies": [
     {
-      "ref": "@blamejs/core@0.13.19",
+      "ref": "@blamejs/core@0.13.20",
       "dependsOn": []
     }
   ]