@blamejs/core 0.13.44 → 0.13.46

package/CHANGELOG.md

@@ -8,6 +8,10 @@ upgrading across more than a few patches at a time.
 
 ## v0.13.x
 
+- v0.13.46 (2026-05-29) — **`createApp` now wires the documented security middleware ON by default — CSRF, CSP nonce, cookie parser, fetch-metadata, and body parser.** The README has long described a security middleware stack as "wired by createApp", but createApp only mounted request-ID, security-headers, and bot-guard by default — CSRF protection, the CSP nonce, the threat-aware cookie parser, the fetch-metadata guard, and the body parser were documented but not actually wired. This release closes that gap: createApp now mounts all of them by default, in dependency order (cookies, CSP nonce, fetch-metadata, then body parser, then CSRF last so it can read a body-field token). This is a behavior change — apps built with createApp now enforce CSRF on state-changing requests by default. Each layer is configurable via opts.middleware.<name> (operator cookie and field names flow straight through — nothing is hardcoded) or can be turned off with false, and disabling a security default now emits an app.middleware.disabled audit event. Every layer is idempotent: an operator who also mounts one of these inside opts.routes gets a no-op second mount rather than a double-apply. The default CSRF is a double-submit cookie that auto-skips requests carrying an Authorization header or no cookies at all, which are not CSRF-able, so token-authenticated API clients are not rejected. The README middleware list is now an accurate description of what createApp wires. **Added:** *Idempotent security middleware* — The cookie parser, CSP nonce, fetch-metadata, and CSRF middleware are now idempotent within a request: if one has already run (because createApp wired it and an operator also mounted it), the second instance is a no-op rather than re-parsing, re-generating a nonce, or issuing a second CSRF cookie. This lets an application compose its own middleware order on top of createApp's defaults without double-applying. The body parser already had this behavior. **Changed:** *createApp wires CSRF, CSP nonce, cookie parser, fetch-metadata, and body parser by default (breaking)* — Applications constructed with b.createApp now mount, in order: the threat-aware cookie parser, the CSP nonce generator, the fetch-metadata resource-isolation guard, the body parser (JSON / urlencoded / text / multipart), and CSRF protection — in addition to the request-ID, security-headers, and bot-guard layers already wired. The ordering guarantees CSRF runs after the body parser so a body-field token is available. This is a behavior change: state-changing requests (POST / PUT / DELETE / PATCH) that carry a session cookie are now CSRF-validated by default. Each layer is configured through opts.middleware.<name> (an object passes operator options straight through; cookie and field names are not hardcoded) or disabled with false. Operators who were mounting these middleware themselves inside opts.routes do not need to change anything — the second mount is now a no-op (see idempotency below). · *Default CSRF auto-skips token-authenticated and cookieless requests* — The CSRF middleware gains a skipStateless option (default false; createApp's default wiring sets it true). When on, token validation is skipped for requests that carry an Authorization header or no Cookie header at all — such requests are not CSRF-able, because CSRF abuses a victim's ambient cookie credential and these have none. The token is still issued on safe methods so a later cookie-authenticated browser flow works. Cross-site form CSRF is unaffected: the browser auto-sends the victim's cookies, so an attack request always carries a Cookie header and is validated. · *Disabling a default security middleware is audited* — Passing false for one of the security-on-by-default middleware (for example middleware: { csrf: false }) now emits an app.middleware.disabled audit event naming the middleware, so a weakened posture leaves a trace in the audit chain rather than being silent.
+
+- v0.13.45 (2026-05-29) — **`b.cert` now fetches and staples a validated OCSP response per certificate, and validates declared compliance postures at create().** Two capabilities that b.cert documented but did not act on are now wired through. OCSP stapling: the cert manager fetches the leaf's OCSP response from the responder named in its Authority Information Access extension, validates it against the issuer (status, nonce, serial) via b.network.tls.ocsp, caches the DER, and exposes it on getContext().ocspResponse so a TLS server's OCSPRequest handler can staple it. The fetch runs in the background on a refresh timer and never blocks cert.start() — a slow or unreachable responder produces an audited per-certificate failure, not a stalled boot. Compliance postures: opts.compliance names are now validated against b.compliance.KNOWN_POSTURES at create() (an unknown name throws cert/unknown-compliance-posture instead of being silently recorded) and are surfaced on getContext().compliance for an auditor. Storage-confidentiality postures hold by construction because cert keys and certificates are always sealed at rest. The supporting composition primitive b.network.tls.ocsp.fetch (build request, POST to the responder through b.httpClient, validate the response) is now part of the public OCSP surface. **Added:** *b.network.tls.ocsp.fetch — fetch and validate an OCSP response* — The OCSP helper set previously built requests and evaluated responses but had no way to actually retrieve one. b.network.tls.ocsp.fetch({ leafPem, issuerPem, nonce?, timeoutMs? }) reads the responder URL from the leaf certificate's Authority Information Access extension, builds the request, POSTs it through b.httpClient (so the SSRF guard and pinned DNS apply), and validates the response against the issuer — returning the validated DER plus the parsed evaluation. It rejects when the leaf carries no OCSP responder URL or the response fails validation. · *b.cert staples a validated OCSP response per certificate* — With ocsp.stapling enabled (the default), the cert manager refreshes each certificate's OCSP response on a timer (ocsp.refreshMs, default 12h) and caches the validated DER. getContext(serverName).ocspResponse returns that DER for a TLS server to hand back from its OCSPRequest handler. The refresh runs in the background and is never on the path of cert.start(): an unreachable or slow responder is recorded as an audited cert.ocsp.refresh failure for that certificate and leaves the rest of the manager running. **Changed:** *opts.compliance posture names are validated at create()* — b.cert.create now checks each name in opts.compliance against b.compliance.KNOWN_POSTURES and throws cert/unknown-compliance-posture on an unrecognized name, so a typo is caught at construction rather than being silently recorded. The declared postures are surfaced on getContext().compliance. Cert keys and certificates are always sealed at rest, so storage-confidentiality postures are satisfied by construction.
+
 - v0.13.44 (2026-05-29) — **Error codes on the consent, compliance, and protocol namespaces now follow the namespace/kebab-case contract.** The framework's error contract is `err.code = "namespace/kebab-case"`, and the vast majority of namespaces already followed it. This release normalizes the holdouts: fifteen namespaces that threw bare UPPER_SNAKE codes with no namespace, and nine that used a camelCase namespace prefix. After this release every error these namespaces throw carries a `namespace/kebab-case` code, so an operator switching on `err.code` no longer has to special-case them. This is a breaking change for code that matches the old strings — pre-1.0, there is no compatibility shim, so update any `err.code` comparisons against the listed namespaces. A codebase check now enforces the convention so it cannot regress. A small set of older codes (the cluster, scheduler, circuit-breaker, object-store, and upload subsystems) is intentionally left for the 1.0 release, where it will carry a deprecation cycle. **Changed:** *Bare UPPER_SNAKE error codes are now namespaced (breaking)* — Fifteen namespaces threw bare UPPER_SNAKE error codes with no namespace prefix (for example `mcp` threw `BAD_JSON`, `BAD_ENVELOPE`, `BAD_METHOD`). Their `err.code` values are now `namespace/kebab-case` — `mcp/bad-json`, `mcp/bad-envelope`, and so on. The affected namespaces are `b.a2a`, `b.aiInput`, `b.aiPref`, `b.budr`, `b.contentCredentials`, `b.darkPatterns`, `b.fapi2`, `b.fdx`, `b.graphqlFederation`, `b.iabTcf`, `b.iabMspa`, `b.mcp`, `b.secCyber`, `b.sse`, and `b.tcpa10dlc`. Operators matching the old bare codes on `err.code` must update those comparisons; the error message text is unchanged. · *camelCase error-code namespaces are now kebab-case (breaking)* — Nine namespaces emitted error codes whose namespace segment was camelCase (for example `aiDp/bad-bound`, `argParser/flag-duplicate`). The namespace segment is now kebab-case to match every other code: `ai-dp/`, `ai-capability/`, `ai-quota/`, `arg-parser/`, `audit-sign/`, `auth-step-up/`, `ddl-change-control/`, `dr-runbook/`, `tenant-quota/`, and `boot-gates/`. The `b.*` API namespace keys themselves are unchanged (those remain camelCase, e.g. `b.argParser`); only the `err.code` string changed. Operators matching these `err.code` strings must update them. **Detectors:** *Error-code shape is enforced* — A codebase check now flags any error code constructed via `new XError(...)` or the per-class `factory(...)` whose value is a bare UPPER_SNAKE string or carries a camelCase namespace segment, so the `namespace/kebab-case` contract cannot silently regress. It correctly ignores native error constructors (whose first argument is the message, not a code).
 
 - v0.13.43 (2026-05-29) — **LTS window stated consistently as 24 months, experimental primitives declared semver-exempt, and stale version references cleaned up.** Documentation and operator-facing string hygiene ahead of the 1.0 stability contract. The LTS support window is now stated as 24 months everywhere (GOVERNANCE.md and the LTS calendar previously disagreed — 24 vs 18). The LTS calendar gains an explicit clause that primitives marked experimental are exempt from the stability/LTS contract, so operators can tell at a glance which surfaces may change between minors. Several error messages and doc blocks that pinned to long-past version numbers ("lands in v0.10.9", "not supported in v0.12.7", "ships in v0.6.45+") are restated version-agnostically with their escape hatch, and the S/MIME module now points operators at the live PGP encrypt/decrypt path for confidentiality today. No API or behavior changes. **Changed:** *LTS support window is consistently 24 months* — `GOVERNANCE.md` promised a 24-month LTS window while `LTS-CALENDAR.md` and `SECURITY.md` stated 18 — a six-month contradiction in the single most load-bearing number of the support contract. All three now state 24 months of security-only patches per major. The calendar table and the supported-versions prose are aligned. · *Experimental primitives are declared exempt from the stability contract* — `LTS-CALENDAR.md` now states explicitly that primitives documented as experimental (shown as "experimental" on their wiki page, and via the `experimental` segment in namespaces like `b.jose.jwe.experimental`) are not covered by the stability contract or the LTS window — they may change signature, behavior, or wire format, or be removed, in any minor without a deprecation cycle. This lets the framework ship primitives that track in-flight standards without freezing an unsettled format, and tells operators precisely which surfaces are not yet frozen. **Fixed:** *Stale version references removed from operator-facing errors and docs* — Error messages and documentation that pinned to long-past versions are restated version-agnostically with the relevant escape hatch: ZIP64 and unsupported-compression errors in archive reading, the CMS AuthEnvelopedData / fielded-decoder notes, the mTLS CRL-engine error, the safe-archive format-detection summary (which also now correctly lists the supported zip / tar / tar.gz set rather than claiming only zip), and the AI-content IPTC-reader note. None changed behavior; they no longer read as broken promises against the published version history. · *S/MIME confidentiality deferral points to the working PGP path* — `b.mail.crypto.smime` ships sign + verify; encrypt/decrypt is deferred. The deferral note previously cited an open-ended internal condition; it now names the escape hatch directly — use `b.mail.crypto.pgp.encrypt` / `decrypt` for mail confidentiality today — and states the concrete trigger that would re-open S/MIME-specific (X.509-recipient) encryption. · *Governance doc no longer references an internal file operators cannot see* — `GOVERNANCE.md` cited a rule number in a contributor-only file that does not ship in the repository. The deprecation-policy statement is now self-contained.

package/README.md

@@ -114,25 +114,22 @@ The framework bundles the surface a typical Node app reaches for. Every primitiv
 - **CMS codec** — RFC 5652 Cryptographic Message Syntax encoder + decoder with PQC signers (ML-DSA-65 / ML-DSA-87 / SLH-DSA-SHAKE-256f; RFC 9909 + 9881) and KEMRecipientInfo recipients (ML-KEM-1024; RFC 9629 + 9936); ChaCha20-Poly1305 content encryption (RFC 8103) so Efail-class malleability cannot apply (`b.cms`)
 - **Stream throttle** — shared token-bucket bandwidth limiter (RFC 2697 srTCM shape); N concurrent `node:stream` pipelines draw from one operator-configured `bytesPerSec` budget (`b.streamThrottle`)
 - **TLS-RPT receiver** — RFC 8460 inbound aggregate-report ingest; HTTPS POST handler + §4.4 schema parser with gzip-bomb / ratio-bomb / depth-bomb defenses (`b.mail.deploy.parseTlsRptReport` / `b.mail.deploy.tlsRptIngestHttp`)
-- **TLS / channel binding** — RFC 9266 TLS-Exporter token-to-session pinning (`b.tlsExporter`); RFC 9162 CT v2 inclusion-proof verification (`b.network.tls.ct.verifyInclusion`); RFC 8555 ACME + RFC 9773 ARI for 47-day certs with `{ jitter: true }` fleet-scheduling (`b.acme.renewIfDue`); draft-aaron-acme-profiles (`acme.listProfiles()` + `newOrder({ profile })`); draft-ietf-acme-dns-account-label (`acme.dnsAccount01ChallengeRecord(token, { identifier })`); RFC 8470 0-RTT inbound posture refuse / replay-cache (`b.router.create({tls0Rtt})`); RFC 9794 SecP256r1MLKEM768 in preferred-group order (`b.network.tls.preferredGroups`)
+- **TLS / channel binding** — RFC 9266 TLS-Exporter token-to-session pinning (`b.tlsExporter`); RFC 9162 CT v2 inclusion-proof verification (`b.network.tls.ct.verifyInclusion`); RFC 8555 ACME + RFC 9773 ARI for 47-day certs with `{ jitter: true }` fleet-scheduling (`b.acme.renewIfDue`); draft-aaron-acme-profiles (`acme.listProfiles()` + `newOrder({ profile })`); draft-ietf-acme-dns-account-label (`acme.dnsAccount01ChallengeRecord(token, { identifier })`); RFC 8470 0-RTT inbound posture refuse / replay-cache (`b.router.create({tls0Rtt})`); RFC 9794 SecP256r1MLKEM768 in preferred-group order (`b.network.tls.preferredGroups`); RFC 6960 OCSP stapling — the cert manager (`b.cert`) fetches + validates each managed certificate's OCSP response (`b.network.tls.ocsp.fetch`) on a refresh cadence and exposes it on the served context for a TLS server's `OCSPRequest` handler to staple
 - **mTLS CA** — pure-JS, issues clientAuth / serverAuth / dual-EKU certs with SAN; auto-detects highest-PQC signature alg (today ECDSA-P384-SHA384; self-upgrades to SLH-DSA / ML-DSA when X.509 ecosystem catches up); PQC TLS gates inbound + outbound (`b.mtlsCa`, `b.pqcGate`, `b.pqcAgent`)
 ### HTTP
 
 - **Router + API specs** — schema-validated routes; OpenAPI publication (`b.openapi`) + AsyncAPI publication for event/streaming (`b.asyncapi`)
-- **Middleware stack (wired by `createApp`)**
-  - CSRF protection
-  - CORS with W3C Private Network Access preflight refusal default + `allowPrivateNetwork` opt
-  - Rate-limit
+- **Middleware stack (`createApp`)** — security layers wired ON by default (Core Rule §3); each is configurable via `middleware.<name>` (operator cookie / field names flow straight through — nothing static is baked in) or opt-out with `false` (disabling a default is audited via `app.middleware.disabled`). Ordered so each layer has what it needs (cookies + CSP nonce + fetch-metadata, then body parser, then CSRF last):
+  - Request-ID tagging and bot-guard
   - Security headers with `Permissions-Policy` defaults denying storage-access / browsing-topics / private-aggregation / controlled-frame
-  - CSP nonce
-  - Body parser — JSON / urlencoded / text / multipart; multipart file parts stream to a tmp dir or buffer in memory (`storage: "memory"`) for read-only / serverless filesystems
-  - Compression
-  - SSE
-  - Request log
   - Threat-aware cookie parser (`b.middleware.cookies`)
-  - Request-time DB role binding (`b.middleware.dbRoleFor`)
-  - In-process CIDR fence (`b.middleware.networkAllowlist`)
+  - CSP nonce — generated per request, merged into the CSP (`b.middleware.cspNonce`)
+  - Fetch-metadata resource-isolation guard (`b.middleware.fetchMetadata`)
+  - Body parser — JSON / urlencoded / text / multipart; multipart file parts stream to a tmp dir or buffer in memory (`storage: "memory"`) for read-only / serverless filesystems
+  - CSRF protection — double-submit cookie + Origin/Referer cross-check; auto-skips Authorization-header / cookieless requests, which are not CSRF-able (`b.middleware.csrfProtect`)
+  - CORS (W3C Private Network Access preflight refusal default + `allowPrivateNetwork` opt) and rate-limit are wired when configured via `middleware.cors` / `middleware.rateLimit`
   - `Cache-Control: no-store` on every 401 from `requireAuth` / `requireAal` / `requireStepUp` per RFC 9111 §5.2.2.5
+- **Additional middleware** to mount in your `routes` callback: compression, SSE, request logging, request-time DB role binding (`b.middleware.dbRoleFor`), in-process CIDR fence (`b.middleware.networkAllowlist`)
 - **Outbound HTTP client** — HTTP/1.1 + HTTP/2 with SSRF gate (cloud-metadata IPs hard-denied; private / loopback / link-local overridable per call); scheme + userinfo + per-host destination allowlist; redirects, multipart, interceptors, progress, encrypted cookie jar (`b.httpClient`, `b.ssrfGuard`, `b.safeUrl`)
 - **Network configurability (`b.network`)** — env-driven NTP / NTS (RFC 8915), IPv4/IPv6 NTP, DNS with IPv6 / DoH / DoT (private-CA pinning) / cache / lookup timeout; local DNSSEC signature verification (RFC 4035 — `b.network.dns.dnssec.verifyRrset` over a canonicalised RRset against RSA / ECDSA P-256·P-384 / Ed25519 DNSKEYs, plus DS-digest + key-tag, plus `verifyDenial` for NSEC / NSEC3 (RFC 5155) NXDOMAIN / NODATA proofs with iteration caps + Opt-Out handling, plus `verifyChain` to validate a full root→TLD→zone delegation chain against the pinned IANA root anchors) so a resolver client can verify both positive and negative answers instead of trusting the upstream AD bit; DANE / TLSA certificate matching (RFC 6698/7671 — `b.network.dns.dane.matchCertificate`) to pin a service's key through DNSSEC instead of a public CA; TSIG transaction signatures (RFC 8945 — `b.network.dns.tsig.sign` / `verify`) for shared-key HMAC authentication of zone transfers, dynamic updates, and query/response pairs, with constant-time MAC compare + fudge-window check (verified against dnspython); outbound HTTP proxy (`HTTP_PROXY` / `HTTPS_PROXY` / `NO_PROXY`); runtime DPI trust-store CA additions; application-level heartbeats; TCP socket defaults
 - **Error pages** — operator-rendered, no app-frame leakage (`b.errorPage`)

package/lib/app.js

@@ -92,6 +92,7 @@
 var nodeFs = require("node:fs");
 var nodePath = require("node:path");
 var appShutdown = require("./app-shutdown");
+var audit = require("./audit");
 var C = require("./constants");
 var cluster = require("./cluster");
 var db = require("./db");
@@ -103,13 +104,28 @@ var queue = require("./queue");
 var routerMod = require("./router");
 var vault = require("./vault");
 
-function _resolveMiddlewareOpt(value, allowDefault) {
+function _resolveMiddlewareOpt(value, allowDefault, name) {
   // value can be:
   //   false          — operator opted out
   //   undefined      — fall back to allowDefault (mount with empty opts)
   //   true           — explicit opt-in with default opts
   //   object         — explicit opts
-  if (value === false) return null;
+  if (value === false) {
+    // Operator explicitly disabled this middleware. When it's one of the
+    // security-on-by-default layers (allowDefault), leave an audit trace
+    // so the weakened posture is visible — Core Rule §3 security defaults
+    // shouldn't be silently opt-out-able. Drop-silent observability sink.
+    if (allowDefault && name) {
+      try {
+        audit.safeEmit({
+          action:   "app.middleware.disabled",
+          outcome:  "success",
+          metadata: { middleware: name },
+        });
+      } catch (_e) { /* drop-silent — by design */ }
+    }
+    return null;
+  }
   if (value === undefined) return allowDefault ? {} : null;
   if (value === true) return {};
   if (value && typeof value === "object") return value;
@@ -196,21 +212,55 @@ async function createApp(opts) {
   });
   router.use(orchestrator.middleware());
 
-  var requestIdOpts = _resolveMiddlewareOpt(mwConfig.requestId, true);
+  var requestIdOpts = _resolveMiddlewareOpt(mwConfig.requestId, true, "requestId");
   if (requestIdOpts) router.use(middleware.requestId(requestIdOpts));
 
-  var securityHeadersOpts = _resolveMiddlewareOpt(mwConfig.securityHeaders, true);
+  var securityHeadersOpts = _resolveMiddlewareOpt(mwConfig.securityHeaders, true, "securityHeaders");
   if (securityHeadersOpts) router.use(middleware.securityHeaders(securityHeadersOpts));
 
-  var corsOpts = _resolveMiddlewareOpt(mwConfig.cors, false);
+  var corsOpts = _resolveMiddlewareOpt(mwConfig.cors, false, "cors");
   if (corsOpts) router.use(middleware.cors(corsOpts));
 
-  var botGuardOpts = _resolveMiddlewareOpt(mwConfig.botGuard, true);
+  var botGuardOpts = _resolveMiddlewareOpt(mwConfig.botGuard, true, "botGuard");
   if (botGuardOpts) router.use(middleware.botGuard(botGuardOpts));
 
-  var rateLimitOpts = _resolveMiddlewareOpt(mwConfig.rateLimit, false);
+  var rateLimitOpts = _resolveMiddlewareOpt(mwConfig.rateLimit, false, "rateLimit");
   if (rateLimitOpts) router.use(middleware.rateLimit(rateLimitOpts));
 
+  // Security middleware wired ON by default (Core Rule §3). Each reads its
+  // config from opts.middleware.<name>: pass `false` to opt out (audited
+  // via _resolveMiddlewareOpt), or an object to customize — operator cookie
+  // / field names flow straight through, nothing static is baked in.
+  // Ordered so each layer has what it needs: cookies + cspNonce +
+  // fetchMetadata first, then bodyParser (so csrf can read a body-field
+  // token), then csrfProtect last. Every layer is idempotent — if an
+  // operator also mounts one of these inside opts.routes, the second mount
+  // is a no-op rather than a double-apply.
+  var cookiesOpts = _resolveMiddlewareOpt(mwConfig.cookies, true, "cookies");
+  if (cookiesOpts) router.use(middleware.cookies(cookiesOpts));
+
+  var cspNonceOpts = _resolveMiddlewareOpt(mwConfig.cspNonce, true, "cspNonce");
+  if (cspNonceOpts) router.use(middleware.cspNonce(cspNonceOpts));
+
+  var fetchMetadataOpts = _resolveMiddlewareOpt(mwConfig.fetchMetadata, true, "fetchMetadata");
+  if (fetchMetadataOpts) router.use(middleware.fetchMetadata(fetchMetadataOpts));
+
+  var bodyParserOpts = _resolveMiddlewareOpt(mwConfig.bodyParser, true, "bodyParser");
+  if (bodyParserOpts) router.use(middleware.bodyParser(bodyParserOpts));
+
+  var csrfOpts = _resolveMiddlewareOpt(mwConfig.csrf, true, "csrf");
+  if (csrfOpts) {
+    // Defaults: double-submit cookie (unless the operator chose a token
+    // lookup or their own cookie config) + skip validation for stateless
+    // token-API / cookieless requests. Operator config overrides both.
+    var csrfDefaults = { skipStateless: true };
+    if (csrfOpts.tokenLookup === undefined && csrfOpts.cookie === undefined) {
+      csrfDefaults.cookie = true;
+    }
+    csrfOpts = Object.assign(csrfDefaults, csrfOpts);
+    router.use(middleware.csrfProtect(csrfOpts));
+  }
+
   // ---- 6. Operator routes ----
   if (typeof opts.routes === "function") {
     opts.routes(router);

package/lib/audit.js

@@ -243,6 +243,7 @@ var FRAMEWORK_NAMESPACES = [
   "auth", "system", "audit", "consent", "subject",
   // Per-primitive namespaces — keep alphabetical
   "apikey",     // b.apiKey
+  "app",        // b.createApp (app.middleware.disabled — a security-default middleware was opted out at construction)
   "backup",     // b.backup
   "breakglass", // b.breakGlass — column-policy / row-enforcement step-up auth (audit namespace lowercased per the validator's `namespace.verb` rule, same convention as b.apiKey → apikey.*)
   "cache",      // b.cache

package/lib/cert.js

@@ -22,9 +22,9 @@
  *     - `b.acme.create`         → ACME orders, JWS, ARI fetch
  *     - `b.vault.seal`          → sealed-disk persistence of certs + keys + account material
  *     - `b.safeAsync.repeating` → renewal scheduler with drop-silent error path
- *     - `b.network.tls.ocsp`    → server-side stapling helpers
+ *     - `b.network.tls.ocsp`    → fetches + caches a validated OCSP response per cert for server-side stapling
  *     - `b.audit`               → cert.* lifecycle audit chain
- *     - `b.compliance`          → posture refusals (e.g. plaintext storage refused under HIPAA / PCI)
+ *     - `b.compliance`          → validates the declared posture names; storage-confidentiality postures hold because keys/certs are always sealed at rest
  *
  *   Does NOT ship the challenge-solver implementations (HTTP-01 server,
  *   DNS provider integrations, TLS-ALPN-01 socket). Those are operator-
@@ -60,6 +60,7 @@ var acme          = lazyRequire(function () { return require("./acme"); });
 var vault         = lazyRequire(function () { return require("./vault"); });
 var audit         = lazyRequire(function () { return require("./audit"); });
 var networkTls    = lazyRequire(function () { return require("./network-tls"); });
+var compliance    = lazyRequire(function () { return require("./compliance"); });
 var bCrypto       = lazyRequire(function () { return require("./crypto"); });
 
 var CertError = defineClass("CertError");
@@ -222,7 +223,7 @@ function _createSealedDiskStorage(opts) {
  *     refreshMs:  number,             // default 12h — OCSP-response cache lifetime
  *   },
  *   audit:    boolean | object,       // default true — emit cert.* lifecycle events via b.audit.safeEmit
- *   compliance: Array<string>,         // optional — posture refusals (e.g. ["hipaa"]); refuses plaintext storage etc.
+ *   compliance: Array<string>,         // optional — posture names (e.g. ["hipaa"]); validated against b.compliance.KNOWN_POSTURES (throws on an unknown name) + surfaced on getContext().compliance. Cert keys/certs are always sealed at rest, so storage-confidentiality postures hold by construction.
  *
  * @example
  *   var mgr = b.cert.create({
@@ -383,13 +384,31 @@ function create(opts) {
 
   // ---- Audit + compliance ----
   var auditEnabled = opts.audit !== false;
-  var compliance = Array.isArray(opts.compliance) ? opts.compliance.slice() : [];
+  var compliancePostures = Array.isArray(opts.compliance) ? opts.compliance.slice() : [];
+  // Validate posture names against the framework catalog so a typo is
+  // caught at create() rather than silently ignored. The cert manager
+  // satisfies the storage-confidentiality postures (HIPAA / PCI-DSS /
+  // GDPR …) by construction — keys + certs are always sealed at rest
+  // (storage.type is enforced to "sealed-disk"), so there is no plaintext-
+  // storage state for a posture to fail to. The postures are recorded +
+  // surfaced on the served context for an auditor.
+  if (compliancePostures.length > 0) {
+    var knownPostures = compliance().KNOWN_POSTURES;
+    compliancePostures.forEach(function (p) {
+      if (knownPostures.indexOf(p) === -1) {
+        throw new CertError("cert/unknown-compliance-posture",
+          "cert.create: opts.compliance posture '" + p + "' is not a known posture; " +
+          "see b.compliance.KNOWN_POSTURES");
+      }
+    });
+  }
 
   // ---- Internal state ----
   var emitter = new EventEmitter();
-  var loadedContexts = Object.create(null);   // name → { cert, key, ca, expiresAt, fingerprintSha256, sniNames }
+  var loadedContexts = Object.create(null);   // name → { cert, key, ca, expiresAt, fingerprintSha256, sniNames, ocspResponse }
   var acmeClient = null;
   var scheduler = null;
+  var ocspTimer = null;
   var stopped = false;
 
   function _emitAudit(action, outcome, metadata) {
@@ -689,6 +708,39 @@ function create(opts) {
     }
   }
 
+  // Split a PEM chain into individual certificate blocks (leaf first).
+  function _splitPemChain(pem) {
+    return pem.match(/-----BEGIN CERTIFICATE-----[\s\S]+?-----END CERTIFICATE-----/g) || [];
+  }
+
+  // Fetch + cache a validated OCSP response for one managed cert, for
+  // server-side stapling. Fail-soft: a responder error, or no issuer in the
+  // served chain, leaves any prior staple in place and never throws — an
+  // absent staple degrades gracefully (clients fall back to their own
+  // revocation checking). The validated DER is exposed on
+  // getContext().ocspResponse for the operator's TLS server to staple via
+  // its 'OCSPRequest' handler.
+  async function _refreshOcspFor(name) {
+    var ctx = loadedContexts[name];
+    if (!ctx || !ocspStapling) return;
+    var chain = _splitPemChain(ctx.cert);
+    if (chain.length < 2) return;   // no issuer in the served chain
+    try {
+      // allow:raw-outbound-http — b.network.tls.ocsp.fetch composes b.httpClient internally (SSRF guard + pinned DNS); not a raw outbound call
+      var rv = await networkTls().ocsp.fetch({ leafPem: chain[0], issuerPem: chain[1] });
+      ctx.ocspResponse = rv.ocspDer;
+      _emitAudit("cert.ocsp.refreshed", "success", { name: name });
+    } catch (e) {
+      _emitAudit("cert.ocsp.refresh-failed", "failure",
+        { name: name, error: (e && e.message) || String(e) });
+    }
+  }
+
+  async function _refreshAllOcsp() {
+    var keys = Object.keys(loadedContexts);
+    for (var i = 0; i < keys.length; i += 1) { await _refreshOcspFor(keys[i]); }
+  }
+
   async function start() {
     if (stopped) {
       throw new CertError("cert/already-stopped",
@@ -706,12 +758,21 @@ function create(opts) {
         await _renewCheckOne(certsByName[keys[ki]]);
       }
     }, renewIntervalMs, { name: "cert-renew" });
+    // 3. OCSP stapling. The initial fetch runs in the background so a slow
+    //    responder never delays start(); the staple becomes available
+    //    shortly after, and the timer refreshes on the configured cadence.
+    if (ocspStapling) {
+      _refreshAllOcsp().catch(function () { /* per-cert errors already audited */ });
+      ocspTimer = safeAsync.repeating(_refreshAllOcsp, ocspRefreshMs, { name: "cert-ocsp" });
+    }
   }
 
   async function stop() {
     stopped = true;
     if (scheduler && typeof scheduler.stop === "function") scheduler.stop();
     scheduler = null;
+    if (ocspTimer && typeof ocspTimer.stop === "function") ocspTimer.stop();
+    ocspTimer = null;
   }
 
   function getContext(name) {
@@ -729,6 +790,11 @@ function create(opts) {
       key:                ctx.key,
       expiresAt:          ctx.expiresAt,
       fingerprintSha256:  ctx.fingerprintSha256,
+      // The cached, validated OCSP response (DER Buffer) when ocsp.stapling
+      // is on and a response has been fetched; null otherwise. Staple it
+      // from the TLS server's 'OCSPRequest' handler: cb(null, ocspResponse).
+      ocspResponse:       ctx.ocspResponse || null,
+      compliance:         compliancePostures.slice(),
     };
   }
 
@@ -798,10 +864,6 @@ function create(opts) {
   function off(event, handler)  { emitter.off(event, handler);   return this; }
   function once(event, handler) { emitter.once(event, handler);  return this; }
 
-  // Suppress unused-warnings for ocsp + compliance until those branches
-  // wire up in v0.11.23+ follow-up.
-  void ocspStapling; void ocspRefreshMs; void compliance; void networkTls;
-
   return {
     start:        start,
     stop:         stop,

package/lib/middleware/cookies.js

@@ -89,6 +89,10 @@ function create(opts) {
   var audit = opts.audit || null;
 
   return function cookiesMiddleware(req, res, next) {
+    // Idempotent: if an earlier cookies middleware already parsed the jar
+    // this request (e.g. createApp wired it AND an operator mounted it
+    // again), don't re-parse — keep the first jar.
+    if (req.cookieJar !== undefined) return next();
     var header = req && req.headers ? req.headers.cookie : "";
     var rv = cookies.parseSafe(header || "", {
       maxHeaderBytes: maxHeaderBytes,

package/lib/middleware/csp-nonce.js

@@ -333,6 +333,10 @@ function create(opts) {
   }
 
   function cspNonce(req, res, next) {
+    // Idempotent: if an earlier cspNonce middleware already set a nonce on
+    // this request, keep it — re-generating would desync the header nonce
+    // from the one templates already rendered against.
+    if (req[property] !== undefined) return next();
     // Generate the nonce. Cheap (16 bytes from getrandom → SHAKE256 →
     // base64 encode); do it always for consistency unless `always:
     // false` was set explicitly.

package/lib/middleware/csrf-protect.js

@@ -261,6 +261,7 @@ function _writeReject(res, message) {
  *     requireJsonContentType: boolean,
  *     trustProxy:             boolean|number,
  *     audit:                  boolean,
+ *     skipStateless:          boolean,   // default false — skip validation for Authorization-header / cookieless (not-CSRF-able) requests
  *   }
  *
  * @example
@@ -278,7 +279,7 @@ function create(opts) {
   validateOpts(opts, [
     "cookie", "tokenLookup", "fieldName", "headerName", "methods", "audit",
     "trustProxy", "checkOrigin", "allowedOrigins", "requireJsonContentType",
-    "requireOrigin",
+    "requireOrigin", "skipStateless",
   ], "middleware.csrfProtect");
   var trustProxy = opts.trustProxy === true || typeof opts.trustProxy === "number"
     ? opts.trustProxy : false;
@@ -335,6 +336,19 @@ function create(opts) {
   // is opt-in rather than silent.
   var requireOriginOpt = opts.requireOrigin === true;
 
+  // skipStateless — skip token VALIDATION for requests that carry an
+  // Authorization header (bearer / token auth) or no Cookie header at
+  // all. Such requests are not CSRF-able: CSRF abuses a victim's ambient
+  // cookie credential, and a token-authenticated or cookieless request
+  // has none to abuse. The token is still ISSUED on safe methods so a
+  // later cookie-authenticated browser flow on the same app works. Default
+  // false (strict — every state-changing request is validated). createApp
+  // wires its default csrf with this on so mixed browser-form + token-API
+  // surfaces don't reject legitimate API clients. Cross-site form CSRF is
+  // unaffected: the browser auto-sends the victim's cookies, so the attack
+  // request always carries a Cookie header and is validated.
+  var skipStateless = opts.skipStateless === true;
+
   // Cookie issuance config (only when opts.cookie is set).
   var cookieCfg = null;
   if (hasCookie) {
@@ -436,6 +450,12 @@ function create(opts) {
   }
 
   return function csrfProtect(req, res, next) {
+    // Idempotent: a second csrf mount this request (e.g. createApp wired
+    // it AND an operator mounted it again) is a no-op — the first instance
+    // already issued + validated.
+    if (req._csrfApplied) return next();
+    req._csrfApplied = true;
+
     // Issue/refresh the token on EVERY request (safe + state-changing)
     // when running in cookie mode — templates rendered after a POST
     // (e.g. error response) still need req.csrfToken populated.
@@ -443,6 +463,14 @@ function create(opts) {
 
     if (methods.indexOf(req.method) === -1) return next();
 
+    // Stateless / token-authenticated requests are not CSRF-able — the
+    // token was still issued above for any later browser flow.
+    if (skipStateless) {
+      var hasAuthHeader = !!(req.headers && req.headers.authorization);
+      var hasCookieHeader = !!(req.headers && req.headers.cookie);
+      if (hasAuthHeader || !hasCookieHeader) return next();
+    }
+
     // requireJsonContentType — refuse before the token check.
     if (requireJsonCt) {
       var ct = req.headers && req.headers["content-type"];

package/lib/middleware/fetch-metadata.js

@@ -120,6 +120,9 @@ function create(opts) {
   }
 
   return function fetchMetadata(req, res, next) {
+    // Idempotent: a second fetch-metadata mount this request is a no-op.
+    if (req._fetchMetadataChecked) return next();
+    req._fetchMetadataChecked = true;
     if (methods.indexOf(req.method) === -1) return next();
 
     var headers = req.headers || {};

package/lib/network-tls.js

@@ -20,6 +20,7 @@ var NetworkTlsError = defineClass("NetworkTlsError", { alwaysPermanent: true });
 var observability = lazyRequire(function () { return require("./observability"); });
 var audit = lazyRequire(function () { return require("./audit"); });
 var networkDns = lazyRequire(function () { return require("./network-dns"); });
+var httpClient = lazyRequire(function () { return require("./http-client"); });
 var asn1 = require("./asn1-der");
 
 // STATE.tlsKeyShares is initialized to the default PQC group list at
@@ -1194,9 +1195,10 @@ function evaluateOcspResponse(ocspDer, opts) {
 //
 // Constructs a DER-encoded OCSPRequest for a single (leafCertDer,
 // issuerCertDer) pair, optionally with an RFC 8954 nonce extension.
-// Operators send the returned `requestDer` to the OCSP responder URL
-// (e.g. via b.httpClient with `Content-Type: application/ocsp-request`)
-// and pass `nonce` to `ocsp.evaluate(responseDer, { expectedNonce })`
+// `ocsp.fetch` composes this with `b.httpClient` to POST the request to
+// the cert's responder and return a validated response; operators who
+// need the raw request (custom transport, batched requests) call this
+// directly and pass `nonce` to `ocsp.evaluate(responseDer, { expectedNonce })`
 // to defend against replay attacks.
 //
 // Nonce DEFAULT ON — defense in depth. RFC 6960 §4.4.1 marks nonce
@@ -1291,8 +1293,10 @@ function buildOcspRequest(opts) {
   // framework that touches SHA-1" need a signal. Emit an audit row
   // on every OCSP request build so the algorithm choice is visible
   // in the chain.
-  var nameHash = nodeCrypto.createHash("sha1").update(iss.issuerNameDer).digest();
-  var keyHash  = nodeCrypto.createHash("sha1").update(iss.issuerKey).digest();
+  // lgtm[js/weak-cryptographic-algorithm] — RFC 6960 §4.1.1 CertID lookup hash over the PUBLIC issuer name; a name/key lookup, not an integrity or secrecy operation. SHA-256 CertIDs are §4.3-optional and rejected by most responders.
+  var nameHash = nodeCrypto.createHash("sha1").update(iss.issuerNameDer).digest(); // lgtm[js/weak-cryptographic-algorithm]
+  // lgtm[js/weak-cryptographic-algorithm] — RFC 6960 §4.1.1 CertID lookup hash over the PUBLIC issuer key; a name/key lookup, not an integrity or secrecy operation.
+  var keyHash  = nodeCrypto.createHash("sha1").update(iss.issuerKey).digest(); // lgtm[js/weak-cryptographic-algorithm]
   setImmediate(function () {
     try {
       var auditMod = require("./audit");                                            // allow:inline-require — circular-load defense (audit imports network-tls)
@@ -1339,6 +1343,77 @@ function buildOcspRequest(opts) {
   return { requestDer: requestDer, nonce: nonceBytes };
 }
 
+// _ocspResponderUrl — pull the OCSP responder URL out of a cert's
+// Authority Information Access extension. node:crypto exposes it as a
+// multi-line string ("OCSP - URI:http://...\nCA Issuers - URI:...\n").
+function _ocspResponderUrl(x509) {
+  var ia = x509 && x509.infoAccess;
+  if (typeof ia !== "string") return null;
+  var m = ia.match(/OCSP\s*-\s*URI:(\S+)/i);
+  return m ? m[1].trim() : null;
+}
+
+// fetch — POST a freshly-built OCSPRequest to the cert's responder and
+// return the validated, known-good response bytes. Composes buildRequest +
+// b.httpClient + evaluate, completing the server-side-stapling fetch path
+// (the response is what a TLS server staples via its 'OCSPRequest' handler).
+// The responder URL is taken from the leaf cert's AIA extension unless
+// opts.responderUrl overrides it. Throws TlsTrustError on any failure
+// (no responder, transport error, non-good certStatus, signature mismatch);
+// callers that staple should treat a throw as "no staple this cycle".
+async function fetchOcspResponse(opts) {
+  opts = opts || {};
+  if (typeof opts.leafPem !== "string" || typeof opts.issuerPem !== "string") {
+    throw new TlsTrustError("tls/ocsp-bad-input",
+      "ocsp.fetch: opts.leafPem and opts.issuerPem (PEM strings) are required");
+  }
+  var leafX, issuerX;
+  try {
+    leafX = new nodeCrypto.X509Certificate(opts.leafPem);
+    issuerX = new nodeCrypto.X509Certificate(opts.issuerPem);
+  } catch (e) {
+    throw new TlsTrustError("tls/ocsp-bad-cert",
+      "ocsp.fetch: could not parse leaf/issuer PEM: " + ((e && e.message) || String(e)));
+  }
+  var responderUrl = opts.responderUrl || _ocspResponderUrl(leafX);
+  if (!responderUrl) {
+    throw new TlsTrustError("tls/ocsp-no-responder",
+      "ocsp.fetch: cert has no AIA OCSP responder URL; pass opts.responderUrl");
+  }
+  var built = buildOcspRequest({
+    leafCertDer: leafX.raw, issuerCertDer: issuerX.raw,
+    nonce: opts.nonce, nonceLen: opts.nonceLen,
+  });
+  var res;
+  try {
+    res = await httpClient().request({
+      url:          responderUrl,
+      method:       "POST",
+      headers:      { "content-type": "application/ocsp-request", "accept": "application/ocsp-response" },
+      body:         built.requestDer,
+      responseMode: "buffer",
+      timeoutMs:    opts.timeoutMs || C.TIME.seconds(10),
+    });
+  } catch (e) {
+    throw new TlsTrustError("tls/ocsp-fetch-failed",
+      "ocsp.fetch: responder request to " + responderUrl + " failed: " + ((e && e.message) || String(e)));
+  }
+  if (res.status !== 200 || !Buffer.isBuffer(res.body) || res.body.length === 0) {
+    throw new TlsTrustError("tls/ocsp-fetch-bad-status",
+      "ocsp.fetch: responder returned status " + res.status + " with an empty/non-buffer body");
+  }
+  var evald = evaluateOcspResponse(res.body, {
+    issuerPem:     opts.issuerPem,
+    serialHex:     opts.serialHex || null,
+    expectedNonce: opts.nonce === false ? null : built.nonce,
+  });
+  if (!evald.ok) {
+    throw new TlsTrustError("tls/ocsp-not-good",
+      "ocsp.fetch: response is not good: " + (evald.errors || []).join("; "));
+  }
+  return { ocspDer: res.body, evaluation: evald, responderUrl: responderUrl };
+}
+
 var ocsp = Object.freeze({
   // Connect with OCSP requested. Returns { authorized, ocspBytes,
   // peerCert }. requireStapled: true makes empty / not-stapled responses
@@ -1379,6 +1454,7 @@ var ocsp = Object.freeze({
   },
   parseResponse:        parseOcspResponse,
   evaluate:             evaluateOcspResponse,
+  fetch:                fetchOcspResponse,
   // buildRequest — construct a DER-encoded OCSPRequest for a single
   // (leafCertDer, issuerCertDer) pair. RFC 8954 nonce extension is ON
   // by default (16 random bytes; opts.nonceLen overrides within RFC

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@blamejs/core",
-  "version": "0.13.44",
+  "version": "0.13.46",
   "description": "The Node framework that owns its stack.",
   "license": "Apache-2.0",
   "author": "blamejs contributors",

package/sbom.cdx.json

@@ -2,10 +2,10 @@
   "$schema": "http://cyclonedx.org/schema/bom-1.5.schema.json",
   "bomFormat": "CycloneDX",
   "specVersion": "1.5",
-  "serialNumber": "urn:uuid:43cf0213-9944-42ad-9695-86dbc4acd548",
+  "serialNumber": "urn:uuid:f993db8e-7dd3-41d0-95bd-33ee9d07ab8f",
   "version": 1,
   "metadata": {
-    "timestamp": "2026-05-30T00:54:18.743Z",
+    "timestamp": "2026-05-30T02:44:28.905Z",
     "lifecycles": [
       {
         "phase": "build"
@@ -19,14 +19,14 @@
       }
     ],
     "component": {
-      "bom-ref": "@blamejs/core@0.13.44",
+      "bom-ref": "@blamejs/core@0.13.46",
       "type": "application",
       "name": "blamejs",
-      "version": "0.13.44",
+      "version": "0.13.46",
       "scope": "required",
       "author": "blamejs contributors",
       "description": "The Node framework that owns its stack.",
-      "purl": "pkg:npm/%40blamejs/core@0.13.44",
+      "purl": "pkg:npm/%40blamejs/core@0.13.46",
       "properties": [],
       "externalReferences": [
         {
@@ -54,7 +54,7 @@
   "components": [],
   "dependencies": [
     {
-      "ref": "@blamejs/core@0.13.44",
+      "ref": "@blamejs/core@0.13.46",
       "dependsOn": []
     }
   ]