@blamejs/core 0.13.44 → 0.13.45

package/CHANGELOG.md

@@ -8,6 +8,8 @@ upgrading across more than a few patches at a time.
 
 ## v0.13.x
 
+- v0.13.45 (2026-05-29) — **`b.cert` now fetches and staples a validated OCSP response per certificate, and validates declared compliance postures at create().** Two capabilities that b.cert documented but did not act on are now wired through. OCSP stapling: the cert manager fetches the leaf's OCSP response from the responder named in its Authority Information Access extension, validates it against the issuer (status, nonce, serial) via b.network.tls.ocsp, caches the DER, and exposes it on getContext().ocspResponse so a TLS server's OCSPRequest handler can staple it. The fetch runs in the background on a refresh timer and never blocks cert.start() — a slow or unreachable responder produces an audited per-certificate failure, not a stalled boot. Compliance postures: opts.compliance names are now validated against b.compliance.KNOWN_POSTURES at create() (an unknown name throws cert/unknown-compliance-posture instead of being silently recorded) and are surfaced on getContext().compliance for an auditor. Storage-confidentiality postures hold by construction because cert keys and certificates are always sealed at rest. The supporting composition primitive b.network.tls.ocsp.fetch (build request, POST to the responder through b.httpClient, validate the response) is now part of the public OCSP surface. **Added:** *b.network.tls.ocsp.fetch — fetch and validate an OCSP response* — The OCSP helper set previously built requests and evaluated responses but had no way to actually retrieve one. b.network.tls.ocsp.fetch({ leafPem, issuerPem, nonce?, timeoutMs? }) reads the responder URL from the leaf certificate's Authority Information Access extension, builds the request, POSTs it through b.httpClient (so the SSRF guard and pinned DNS apply), and validates the response against the issuer — returning the validated DER plus the parsed evaluation. It rejects when the leaf carries no OCSP responder URL or the response fails validation. · *b.cert staples a validated OCSP response per certificate* — With ocsp.stapling enabled (the default), the cert manager refreshes each certificate's OCSP response on a timer (ocsp.refreshMs, default 12h) and caches the validated DER. getContext(serverName).ocspResponse returns that DER for a TLS server to hand back from its OCSPRequest handler. The refresh runs in the background and is never on the path of cert.start(): an unreachable or slow responder is recorded as an audited cert.ocsp.refresh failure for that certificate and leaves the rest of the manager running. **Changed:** *opts.compliance posture names are validated at create()* — b.cert.create now checks each name in opts.compliance against b.compliance.KNOWN_POSTURES and throws cert/unknown-compliance-posture on an unrecognized name, so a typo is caught at construction rather than being silently recorded. The declared postures are surfaced on getContext().compliance. Cert keys and certificates are always sealed at rest, so storage-confidentiality postures are satisfied by construction.
+
 - v0.13.44 (2026-05-29) — **Error codes on the consent, compliance, and protocol namespaces now follow the namespace/kebab-case contract.** The framework's error contract is `err.code = "namespace/kebab-case"`, and the vast majority of namespaces already followed it. This release normalizes the holdouts: fifteen namespaces that threw bare UPPER_SNAKE codes with no namespace, and nine that used a camelCase namespace prefix. After this release every error these namespaces throw carries a `namespace/kebab-case` code, so an operator switching on `err.code` no longer has to special-case them. This is a breaking change for code that matches the old strings — pre-1.0, there is no compatibility shim, so update any `err.code` comparisons against the listed namespaces. A codebase check now enforces the convention so it cannot regress. A small set of older codes (the cluster, scheduler, circuit-breaker, object-store, and upload subsystems) is intentionally left for the 1.0 release, where it will carry a deprecation cycle. **Changed:** *Bare UPPER_SNAKE error codes are now namespaced (breaking)* — Fifteen namespaces threw bare UPPER_SNAKE error codes with no namespace prefix (for example `mcp` threw `BAD_JSON`, `BAD_ENVELOPE`, `BAD_METHOD`). Their `err.code` values are now `namespace/kebab-case` — `mcp/bad-json`, `mcp/bad-envelope`, and so on. The affected namespaces are `b.a2a`, `b.aiInput`, `b.aiPref`, `b.budr`, `b.contentCredentials`, `b.darkPatterns`, `b.fapi2`, `b.fdx`, `b.graphqlFederation`, `b.iabTcf`, `b.iabMspa`, `b.mcp`, `b.secCyber`, `b.sse`, and `b.tcpa10dlc`. Operators matching the old bare codes on `err.code` must update those comparisons; the error message text is unchanged. · *camelCase error-code namespaces are now kebab-case (breaking)* — Nine namespaces emitted error codes whose namespace segment was camelCase (for example `aiDp/bad-bound`, `argParser/flag-duplicate`). The namespace segment is now kebab-case to match every other code: `ai-dp/`, `ai-capability/`, `ai-quota/`, `arg-parser/`, `audit-sign/`, `auth-step-up/`, `ddl-change-control/`, `dr-runbook/`, `tenant-quota/`, and `boot-gates/`. The `b.*` API namespace keys themselves are unchanged (those remain camelCase, e.g. `b.argParser`); only the `err.code` string changed. Operators matching these `err.code` strings must update them. **Detectors:** *Error-code shape is enforced* — A codebase check now flags any error code constructed via `new XError(...)` or the per-class `factory(...)` whose value is a bare UPPER_SNAKE string or carries a camelCase namespace segment, so the `namespace/kebab-case` contract cannot silently regress. It correctly ignores native error constructors (whose first argument is the message, not a code).
 
 - v0.13.43 (2026-05-29) — **LTS window stated consistently as 24 months, experimental primitives declared semver-exempt, and stale version references cleaned up.** Documentation and operator-facing string hygiene ahead of the 1.0 stability contract. The LTS support window is now stated as 24 months everywhere (GOVERNANCE.md and the LTS calendar previously disagreed — 24 vs 18). The LTS calendar gains an explicit clause that primitives marked experimental are exempt from the stability/LTS contract, so operators can tell at a glance which surfaces may change between minors. Several error messages and doc blocks that pinned to long-past version numbers ("lands in v0.10.9", "not supported in v0.12.7", "ships in v0.6.45+") are restated version-agnostically with their escape hatch, and the S/MIME module now points operators at the live PGP encrypt/decrypt path for confidentiality today. No API or behavior changes. **Changed:** *LTS support window is consistently 24 months* — `GOVERNANCE.md` promised a 24-month LTS window while `LTS-CALENDAR.md` and `SECURITY.md` stated 18 — a six-month contradiction in the single most load-bearing number of the support contract. All three now state 24 months of security-only patches per major. The calendar table and the supported-versions prose are aligned. · *Experimental primitives are declared exempt from the stability contract* — `LTS-CALENDAR.md` now states explicitly that primitives documented as experimental (shown as "experimental" on their wiki page, and via the `experimental` segment in namespaces like `b.jose.jwe.experimental`) are not covered by the stability contract or the LTS window — they may change signature, behavior, or wire format, or be removed, in any minor without a deprecation cycle. This lets the framework ship primitives that track in-flight standards without freezing an unsettled format, and tells operators precisely which surfaces are not yet frozen. **Fixed:** *Stale version references removed from operator-facing errors and docs* — Error messages and documentation that pinned to long-past versions are restated version-agnostically with the relevant escape hatch: ZIP64 and unsupported-compression errors in archive reading, the CMS AuthEnvelopedData / fielded-decoder notes, the mTLS CRL-engine error, the safe-archive format-detection summary (which also now correctly lists the supported zip / tar / tar.gz set rather than claiming only zip), and the AI-content IPTC-reader note. None changed behavior; they no longer read as broken promises against the published version history. · *S/MIME confidentiality deferral points to the working PGP path* — `b.mail.crypto.smime` ships sign + verify; encrypt/decrypt is deferred. The deferral note previously cited an open-ended internal condition; it now names the escape hatch directly — use `b.mail.crypto.pgp.encrypt` / `decrypt` for mail confidentiality today — and states the concrete trigger that would re-open S/MIME-specific (X.509-recipient) encryption. · *Governance doc no longer references an internal file operators cannot see* — `GOVERNANCE.md` cited a rule number in a contributor-only file that does not ship in the repository. The deprecation-policy statement is now self-contained.

package/README.md

@@ -114,7 +114,7 @@ The framework bundles the surface a typical Node app reaches for. Every primitiv
 - **CMS codec** — RFC 5652 Cryptographic Message Syntax encoder + decoder with PQC signers (ML-DSA-65 / ML-DSA-87 / SLH-DSA-SHAKE-256f; RFC 9909 + 9881) and KEMRecipientInfo recipients (ML-KEM-1024; RFC 9629 + 9936); ChaCha20-Poly1305 content encryption (RFC 8103) so Efail-class malleability cannot apply (`b.cms`)
 - **Stream throttle** — shared token-bucket bandwidth limiter (RFC 2697 srTCM shape); N concurrent `node:stream` pipelines draw from one operator-configured `bytesPerSec` budget (`b.streamThrottle`)
 - **TLS-RPT receiver** — RFC 8460 inbound aggregate-report ingest; HTTPS POST handler + §4.4 schema parser with gzip-bomb / ratio-bomb / depth-bomb defenses (`b.mail.deploy.parseTlsRptReport` / `b.mail.deploy.tlsRptIngestHttp`)
-- **TLS / channel binding** — RFC 9266 TLS-Exporter token-to-session pinning (`b.tlsExporter`); RFC 9162 CT v2 inclusion-proof verification (`b.network.tls.ct.verifyInclusion`); RFC 8555 ACME + RFC 9773 ARI for 47-day certs with `{ jitter: true }` fleet-scheduling (`b.acme.renewIfDue`); draft-aaron-acme-profiles (`acme.listProfiles()` + `newOrder({ profile })`); draft-ietf-acme-dns-account-label (`acme.dnsAccount01ChallengeRecord(token, { identifier })`); RFC 8470 0-RTT inbound posture refuse / replay-cache (`b.router.create({tls0Rtt})`); RFC 9794 SecP256r1MLKEM768 in preferred-group order (`b.network.tls.preferredGroups`)
+- **TLS / channel binding** — RFC 9266 TLS-Exporter token-to-session pinning (`b.tlsExporter`); RFC 9162 CT v2 inclusion-proof verification (`b.network.tls.ct.verifyInclusion`); RFC 8555 ACME + RFC 9773 ARI for 47-day certs with `{ jitter: true }` fleet-scheduling (`b.acme.renewIfDue`); draft-aaron-acme-profiles (`acme.listProfiles()` + `newOrder({ profile })`); draft-ietf-acme-dns-account-label (`acme.dnsAccount01ChallengeRecord(token, { identifier })`); RFC 8470 0-RTT inbound posture refuse / replay-cache (`b.router.create({tls0Rtt})`); RFC 9794 SecP256r1MLKEM768 in preferred-group order (`b.network.tls.preferredGroups`); RFC 6960 OCSP stapling — the cert manager (`b.cert`) fetches + validates each managed certificate's OCSP response (`b.network.tls.ocsp.fetch`) on a refresh cadence and exposes it on the served context for a TLS server's `OCSPRequest` handler to staple
 - **mTLS CA** — pure-JS, issues clientAuth / serverAuth / dual-EKU certs with SAN; auto-detects highest-PQC signature alg (today ECDSA-P384-SHA384; self-upgrades to SLH-DSA / ML-DSA when X.509 ecosystem catches up); PQC TLS gates inbound + outbound (`b.mtlsCa`, `b.pqcGate`, `b.pqcAgent`)
 ### HTTP
 

package/lib/cert.js

@@ -22,9 +22,9 @@
  *     - `b.acme.create`         → ACME orders, JWS, ARI fetch
  *     - `b.vault.seal`          → sealed-disk persistence of certs + keys + account material
  *     - `b.safeAsync.repeating` → renewal scheduler with drop-silent error path
- *     - `b.network.tls.ocsp`    → server-side stapling helpers
+ *     - `b.network.tls.ocsp`    → fetches + caches a validated OCSP response per cert for server-side stapling
  *     - `b.audit`               → cert.* lifecycle audit chain
- *     - `b.compliance`          → posture refusals (e.g. plaintext storage refused under HIPAA / PCI)
+ *     - `b.compliance`          → validates the declared posture names; storage-confidentiality postures hold because keys/certs are always sealed at rest
  *
  *   Does NOT ship the challenge-solver implementations (HTTP-01 server,
  *   DNS provider integrations, TLS-ALPN-01 socket). Those are operator-
@@ -60,6 +60,7 @@ var acme          = lazyRequire(function () { return require("./acme"); });
 var vault         = lazyRequire(function () { return require("./vault"); });
 var audit         = lazyRequire(function () { return require("./audit"); });
 var networkTls    = lazyRequire(function () { return require("./network-tls"); });
+var compliance    = lazyRequire(function () { return require("./compliance"); });
 var bCrypto       = lazyRequire(function () { return require("./crypto"); });
 
 var CertError = defineClass("CertError");
@@ -222,7 +223,7 @@ function _createSealedDiskStorage(opts) {
  *     refreshMs:  number,             // default 12h — OCSP-response cache lifetime
  *   },
  *   audit:    boolean | object,       // default true — emit cert.* lifecycle events via b.audit.safeEmit
- *   compliance: Array<string>,         // optional — posture refusals (e.g. ["hipaa"]); refuses plaintext storage etc.
+ *   compliance: Array<string>,         // optional — posture names (e.g. ["hipaa"]); validated against b.compliance.KNOWN_POSTURES (throws on an unknown name) + surfaced on getContext().compliance. Cert keys/certs are always sealed at rest, so storage-confidentiality postures hold by construction.
  *
  * @example
  *   var mgr = b.cert.create({
@@ -383,13 +384,31 @@ function create(opts) {
 
   // ---- Audit + compliance ----
   var auditEnabled = opts.audit !== false;
-  var compliance = Array.isArray(opts.compliance) ? opts.compliance.slice() : [];
+  var compliancePostures = Array.isArray(opts.compliance) ? opts.compliance.slice() : [];
+  // Validate posture names against the framework catalog so a typo is
+  // caught at create() rather than silently ignored. The cert manager
+  // satisfies the storage-confidentiality postures (HIPAA / PCI-DSS /
+  // GDPR …) by construction — keys + certs are always sealed at rest
+  // (storage.type is enforced to "sealed-disk"), so there is no plaintext-
+  // storage state for a posture to fail to. The postures are recorded +
+  // surfaced on the served context for an auditor.
+  if (compliancePostures.length > 0) {
+    var knownPostures = compliance().KNOWN_POSTURES;
+    compliancePostures.forEach(function (p) {
+      if (knownPostures.indexOf(p) === -1) {
+        throw new CertError("cert/unknown-compliance-posture",
+          "cert.create: opts.compliance posture '" + p + "' is not a known posture; " +
+          "see b.compliance.KNOWN_POSTURES");
+      }
+    });
+  }
 
   // ---- Internal state ----
   var emitter = new EventEmitter();
-  var loadedContexts = Object.create(null);   // name → { cert, key, ca, expiresAt, fingerprintSha256, sniNames }
+  var loadedContexts = Object.create(null);   // name → { cert, key, ca, expiresAt, fingerprintSha256, sniNames, ocspResponse }
   var acmeClient = null;
   var scheduler = null;
+  var ocspTimer = null;
   var stopped = false;
 
   function _emitAudit(action, outcome, metadata) {
@@ -689,6 +708,39 @@ function create(opts) {
     }
   }
 
+  // Split a PEM chain into individual certificate blocks (leaf first).
+  function _splitPemChain(pem) {
+    return pem.match(/-----BEGIN CERTIFICATE-----[\s\S]+?-----END CERTIFICATE-----/g) || [];
+  }
+
+  // Fetch + cache a validated OCSP response for one managed cert, for
+  // server-side stapling. Fail-soft: a responder error, or no issuer in the
+  // served chain, leaves any prior staple in place and never throws — an
+  // absent staple degrades gracefully (clients fall back to their own
+  // revocation checking). The validated DER is exposed on
+  // getContext().ocspResponse for the operator's TLS server to staple via
+  // its 'OCSPRequest' handler.
+  async function _refreshOcspFor(name) {
+    var ctx = loadedContexts[name];
+    if (!ctx || !ocspStapling) return;
+    var chain = _splitPemChain(ctx.cert);
+    if (chain.length < 2) return;   // no issuer in the served chain
+    try {
+      // allow:raw-outbound-http — b.network.tls.ocsp.fetch composes b.httpClient internally (SSRF guard + pinned DNS); not a raw outbound call
+      var rv = await networkTls().ocsp.fetch({ leafPem: chain[0], issuerPem: chain[1] });
+      ctx.ocspResponse = rv.ocspDer;
+      _emitAudit("cert.ocsp.refreshed", "success", { name: name });
+    } catch (e) {
+      _emitAudit("cert.ocsp.refresh-failed", "failure",
+        { name: name, error: (e && e.message) || String(e) });
+    }
+  }
+
+  async function _refreshAllOcsp() {
+    var keys = Object.keys(loadedContexts);
+    for (var i = 0; i < keys.length; i += 1) { await _refreshOcspFor(keys[i]); }
+  }
+
   async function start() {
     if (stopped) {
       throw new CertError("cert/already-stopped",
@@ -706,12 +758,21 @@ function create(opts) {
         await _renewCheckOne(certsByName[keys[ki]]);
       }
     }, renewIntervalMs, { name: "cert-renew" });
+    // 3. OCSP stapling. The initial fetch runs in the background so a slow
+    //    responder never delays start(); the staple becomes available
+    //    shortly after, and the timer refreshes on the configured cadence.
+    if (ocspStapling) {
+      _refreshAllOcsp().catch(function () { /* per-cert errors already audited */ });
+      ocspTimer = safeAsync.repeating(_refreshAllOcsp, ocspRefreshMs, { name: "cert-ocsp" });
+    }
   }
 
   async function stop() {
     stopped = true;
     if (scheduler && typeof scheduler.stop === "function") scheduler.stop();
     scheduler = null;
+    if (ocspTimer && typeof ocspTimer.stop === "function") ocspTimer.stop();
+    ocspTimer = null;
   }
 
   function getContext(name) {
@@ -729,6 +790,11 @@ function create(opts) {
       key:                ctx.key,
       expiresAt:          ctx.expiresAt,
       fingerprintSha256:  ctx.fingerprintSha256,
+      // The cached, validated OCSP response (DER Buffer) when ocsp.stapling
+      // is on and a response has been fetched; null otherwise. Staple it
+      // from the TLS server's 'OCSPRequest' handler: cb(null, ocspResponse).
+      ocspResponse:       ctx.ocspResponse || null,
+      compliance:         compliancePostures.slice(),
     };
   }
 
@@ -798,10 +864,6 @@ function create(opts) {
   function off(event, handler)  { emitter.off(event, handler);   return this; }
   function once(event, handler) { emitter.once(event, handler);  return this; }
 
-  // Suppress unused-warnings for ocsp + compliance until those branches
-  // wire up in v0.11.23+ follow-up.
-  void ocspStapling; void ocspRefreshMs; void compliance; void networkTls;
-
   return {
     start:        start,
     stop:         stop,

package/lib/network-tls.js

@@ -20,6 +20,7 @@ var NetworkTlsError = defineClass("NetworkTlsError", { alwaysPermanent: true });
 var observability = lazyRequire(function () { return require("./observability"); });
 var audit = lazyRequire(function () { return require("./audit"); });
 var networkDns = lazyRequire(function () { return require("./network-dns"); });
+var httpClient = lazyRequire(function () { return require("./http-client"); });
 var asn1 = require("./asn1-der");
 
 // STATE.tlsKeyShares is initialized to the default PQC group list at
@@ -1194,9 +1195,10 @@ function evaluateOcspResponse(ocspDer, opts) {
 //
 // Constructs a DER-encoded OCSPRequest for a single (leafCertDer,
 // issuerCertDer) pair, optionally with an RFC 8954 nonce extension.
-// Operators send the returned `requestDer` to the OCSP responder URL
-// (e.g. via b.httpClient with `Content-Type: application/ocsp-request`)
-// and pass `nonce` to `ocsp.evaluate(responseDer, { expectedNonce })`
+// `ocsp.fetch` composes this with `b.httpClient` to POST the request to
+// the cert's responder and return a validated response; operators who
+// need the raw request (custom transport, batched requests) call this
+// directly and pass `nonce` to `ocsp.evaluate(responseDer, { expectedNonce })`
 // to defend against replay attacks.
 //
 // Nonce DEFAULT ON — defense in depth. RFC 6960 §4.4.1 marks nonce
@@ -1291,8 +1293,10 @@ function buildOcspRequest(opts) {
   // framework that touches SHA-1" need a signal. Emit an audit row
   // on every OCSP request build so the algorithm choice is visible
   // in the chain.
-  var nameHash = nodeCrypto.createHash("sha1").update(iss.issuerNameDer).digest();
-  var keyHash  = nodeCrypto.createHash("sha1").update(iss.issuerKey).digest();
+  // lgtm[js/weak-cryptographic-algorithm] — RFC 6960 §4.1.1 CertID lookup hash over the PUBLIC issuer name; a name/key lookup, not an integrity or secrecy operation. SHA-256 CertIDs are §4.3-optional and rejected by most responders.
+  var nameHash = nodeCrypto.createHash("sha1").update(iss.issuerNameDer).digest(); // lgtm[js/weak-cryptographic-algorithm]
+  // lgtm[js/weak-cryptographic-algorithm] — RFC 6960 §4.1.1 CertID lookup hash over the PUBLIC issuer key; a name/key lookup, not an integrity or secrecy operation.
+  var keyHash  = nodeCrypto.createHash("sha1").update(iss.issuerKey).digest(); // lgtm[js/weak-cryptographic-algorithm]
   setImmediate(function () {
     try {
       var auditMod = require("./audit");                                            // allow:inline-require — circular-load defense (audit imports network-tls)
@@ -1339,6 +1343,77 @@ function buildOcspRequest(opts) {
   return { requestDer: requestDer, nonce: nonceBytes };
 }
 
+// _ocspResponderUrl — pull the OCSP responder URL out of a cert's
+// Authority Information Access extension. node:crypto exposes it as a
+// multi-line string ("OCSP - URI:http://...\nCA Issuers - URI:...\n").
+function _ocspResponderUrl(x509) {
+  var ia = x509 && x509.infoAccess;
+  if (typeof ia !== "string") return null;
+  var m = ia.match(/OCSP\s*-\s*URI:(\S+)/i);
+  return m ? m[1].trim() : null;
+}
+
+// fetch — POST a freshly-built OCSPRequest to the cert's responder and
+// return the validated, known-good response bytes. Composes buildRequest +
+// b.httpClient + evaluate, completing the server-side-stapling fetch path
+// (the response is what a TLS server staples via its 'OCSPRequest' handler).
+// The responder URL is taken from the leaf cert's AIA extension unless
+// opts.responderUrl overrides it. Throws TlsTrustError on any failure
+// (no responder, transport error, non-good certStatus, signature mismatch);
+// callers that staple should treat a throw as "no staple this cycle".
+async function fetchOcspResponse(opts) {
+  opts = opts || {};
+  if (typeof opts.leafPem !== "string" || typeof opts.issuerPem !== "string") {
+    throw new TlsTrustError("tls/ocsp-bad-input",
+      "ocsp.fetch: opts.leafPem and opts.issuerPem (PEM strings) are required");
+  }
+  var leafX, issuerX;
+  try {
+    leafX = new nodeCrypto.X509Certificate(opts.leafPem);
+    issuerX = new nodeCrypto.X509Certificate(opts.issuerPem);
+  } catch (e) {
+    throw new TlsTrustError("tls/ocsp-bad-cert",
+      "ocsp.fetch: could not parse leaf/issuer PEM: " + ((e && e.message) || String(e)));
+  }
+  var responderUrl = opts.responderUrl || _ocspResponderUrl(leafX);
+  if (!responderUrl) {
+    throw new TlsTrustError("tls/ocsp-no-responder",
+      "ocsp.fetch: cert has no AIA OCSP responder URL; pass opts.responderUrl");
+  }
+  var built = buildOcspRequest({
+    leafCertDer: leafX.raw, issuerCertDer: issuerX.raw,
+    nonce: opts.nonce, nonceLen: opts.nonceLen,
+  });
+  var res;
+  try {
+    res = await httpClient().request({
+      url:          responderUrl,
+      method:       "POST",
+      headers:      { "content-type": "application/ocsp-request", "accept": "application/ocsp-response" },
+      body:         built.requestDer,
+      responseMode: "buffer",
+      timeoutMs:    opts.timeoutMs || C.TIME.seconds(10),
+    });
+  } catch (e) {
+    throw new TlsTrustError("tls/ocsp-fetch-failed",
+      "ocsp.fetch: responder request to " + responderUrl + " failed: " + ((e && e.message) || String(e)));
+  }
+  if (res.status !== 200 || !Buffer.isBuffer(res.body) || res.body.length === 0) {
+    throw new TlsTrustError("tls/ocsp-fetch-bad-status",
+      "ocsp.fetch: responder returned status " + res.status + " with an empty/non-buffer body");
+  }
+  var evald = evaluateOcspResponse(res.body, {
+    issuerPem:     opts.issuerPem,
+    serialHex:     opts.serialHex || null,
+    expectedNonce: opts.nonce === false ? null : built.nonce,
+  });
+  if (!evald.ok) {
+    throw new TlsTrustError("tls/ocsp-not-good",
+      "ocsp.fetch: response is not good: " + (evald.errors || []).join("; "));
+  }
+  return { ocspDer: res.body, evaluation: evald, responderUrl: responderUrl };
+}
+
 var ocsp = Object.freeze({
   // Connect with OCSP requested. Returns { authorized, ocspBytes,
   // peerCert }. requireStapled: true makes empty / not-stapled responses
@@ -1379,6 +1454,7 @@ var ocsp = Object.freeze({
   },
   parseResponse:        parseOcspResponse,
   evaluate:             evaluateOcspResponse,
+  fetch:                fetchOcspResponse,
   // buildRequest — construct a DER-encoded OCSPRequest for a single
   // (leafCertDer, issuerCertDer) pair. RFC 8954 nonce extension is ON
   // by default (16 random bytes; opts.nonceLen overrides within RFC

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@blamejs/core",
-  "version": "0.13.44",
+  "version": "0.13.45",
   "description": "The Node framework that owns its stack.",
   "license": "Apache-2.0",
   "author": "blamejs contributors",

package/sbom.cdx.json

@@ -2,10 +2,10 @@
   "$schema": "http://cyclonedx.org/schema/bom-1.5.schema.json",
   "bomFormat": "CycloneDX",
   "specVersion": "1.5",
-  "serialNumber": "urn:uuid:43cf0213-9944-42ad-9695-86dbc4acd548",
+  "serialNumber": "urn:uuid:4f2a624b-9183-4e8a-8807-eb827d32fb2b",
   "version": 1,
   "metadata": {
-    "timestamp": "2026-05-30T00:54:18.743Z",
+    "timestamp": "2026-05-30T01:55:57.060Z",
     "lifecycles": [
       {
         "phase": "build"
@@ -19,14 +19,14 @@
       }
     ],
     "component": {
-      "bom-ref": "@blamejs/core@0.13.44",
+      "bom-ref": "@blamejs/core@0.13.45",
       "type": "application",
       "name": "blamejs",
-      "version": "0.13.44",
+      "version": "0.13.45",
       "scope": "required",
       "author": "blamejs contributors",
       "description": "The Node framework that owns its stack.",
-      "purl": "pkg:npm/%40blamejs/core@0.13.44",
+      "purl": "pkg:npm/%40blamejs/core@0.13.45",
       "properties": [],
       "externalReferences": [
         {
@@ -54,7 +54,7 @@
   "components": [],
   "dependencies": [
     {
-      "ref": "@blamejs/core@0.13.44",
+      "ref": "@blamejs/core@0.13.45",
       "dependsOn": []
     }
   ]