@blamejs/core 0.13.46 → 0.14.1

package/CHANGELOG.md

@@ -6,6 +6,12 @@ Pre-1.0 the surface is intentionally evolving — every release may
 change something operators depend on. Read each entry before
 upgrading across more than a few patches at a time.
 
+## v0.14.x
+
+- v0.14.1 (2026-05-29) — **Correctness fixes: JAR request-object typ enforcement, byte-faithful PGP multipart/signed, and SAML InResponseTo binding.** A set of correctness fixes across the auth, mail-crypto, TLS, and encoder surfaces. The most important: JWT-secured authorization requests (RFC 9101) now require the request object to carry the registered `oauth-authz-req+jwt` typ, closing a cross-JWT-confusion vector; the PGP multipart/signed wrapper is now assembled byte-faithfully so non-ASCII signed content can't be corrupted; and SAML response verification now returns the InResponseTo of the SubjectConfirmation that actually validated. Two of these change behavior — see Changed — and are bug fixes rather than new features. **Changed:** *JAR parsing rejects untyped request objects (breaking)* — Following the typ enforcement above, a request object whose header omits `typ` is now refused. An authorization server whose clients sign request objects without the `oauth-authz-req+jwt` typ must update those clients to set it. · *PGP sign() returns multipartSigned as a Buffer (breaking)* — `b.mail.crypto.pgp.sign(...).multipartSigned` is now a Buffer instead of a string. The OpenPGP signature covers the signed-part bytes exactly, and a JS-string round trip through latin1/utf8 could corrupt non-ASCII signed content and break verification, so the RFC 3156 multipart/signed wrapper is now assembled as bytes. Code that wrote the previous string to the wire works unchanged when it writes the Buffer; code that did string operations on the value should treat it as a Buffer (its `indexOf` / `toString` still work). **Fixed:** *SAML response verification binds InResponseTo to the validated confirmation* — `verifyResponse` returned the InResponseTo of the first SubjectConfirmationData in the assertion rather than of the SubjectConfirmation that actually passed bearer validation. When a response carried more than one SubjectConfirmation, the returned value could come from a non-validated confirmation. It is now the InResponseTo of the confirmation that validated. · *checkServerIdentity9525 emits the documented CN-fallback audit code* — A CN-only legacy certificate (a Common Name present, no subjectAltName) is now refused by the exported `b.network.tls.checkServerIdentity9525` with the distinct `tls/pkix-cn-fallback-refused` code its documentation promised, so audit logs can tell a CN-only certificate apart from one carrying neither a SAN nor a CN (which still yields `tls/pkix-san-required`). The accept/refuse outcome is unchanged — both are refused; only the audit granularity improved. · *OIDC back-channel logout / JARM no longer accept dead override parameters* — `verifyBackchannelLogoutToken` and `parseJarmResponse` passed `acceptedAlgs` / `jwksUri` / `maxClockSkewMs` through to the ID-token verifier, which ignored them and applied the configured (create()-time) values. The pass-throughs are removed so the code no longer reads as if those can be overridden per call; the configured trust anchor was — and remains — what applies. · *Queue lease failures are logged* — The consumer loop's lease-acquisition error path swallowed the backend error silently; it now logs at debug so a flapping backend that has not yet tripped the circuit breaker is visible. · *Protobuf and ASN.1 encoders reject out-of-range tags* — The protobuf tag encoder rejected nothing and would have emitted a wrong tag for field numbers at or above 2^28 (where the 32-bit shift overflows); the ASN.1 context-tag writers silently truncated tag numbers above 30 (which require the multi-byte high-tag-number form). Both now throw a RangeError rather than encode silently-wrong output. The values these encoders serve are well within range, so no current caller is affected. · *oid4vci proofAlgorithms default documented accurately* — The documented default proof-algorithm list now matches the code (`["ES256", "ES384", "EdDSA"]`); the doc previously omitted EdDSA, which the runtime has always accepted by default. **Security:** *JAR request objects must carry the registered typ (RFC 9101)* — `b.auth.jar.parse` now requires the request-object JWS header to carry `typ: "oauth-authz-req+jwt"` (with or without the `application/` prefix); a request object with an absent or different typ is refused with `auth-jar/bad-typ`. RFC 9101 §10.8 specifies this media type precisely to stop a JWT minted for another purpose (an ID token, an access token, a logout token) and signed by the same client key from being replayed as a request object. The existing `iss` / `aud` / `client_id` bindings already constrained that; this restores the explicit type check as well. This is stricter than before — see Changed.
+
+- v0.14.0 (2026-05-29) — **Operator-configurable header and field names across SSE, request-id, rate-limit, age-gate, AI-Act disclosure, GraphQL federation, and the HTTP cache.** This release makes operator-facing identifiers that were hardcoded configurable. The framework already let operators rename most names (CSRF cookie/field, cookie parser, i18n header/query/cookie, mTLS CA name, and so on); this closes the remaining gaps so a custom or framework-specific name is never frozen. Every new option defaults to the value emitted today, so upgrading changes no behavior — these are additive knobs. It also fixes a request-id asymmetry (the response header is now written on the same name the inbound id is read from) and wires an SSE proxy-buffering option whose escape hatch was documented but never implemented. **Added:** *Configurable cache-status header on the HTTP client* — The outbound HTTP client annotated every cached response with a hardcoded `x-blamejs-cache: HIT|MISS|STALE|REVALIDATED` header. `b.httpClient.cache.create` now takes `statusHeader` (default "x-blamejs-cache") — pass a custom name (e.g. "x-cache") to rename it, or null/false to suppress it entirely. The decision remains available programmatically on `res.cacheStatus`. · *Configurable rate-limit header names* — `b.middleware.rateLimit` emitted the de-facto `X-RateLimit-Limit` / `X-RateLimit-Remaining` headers (which are not RFC-pinned). It now accepts `headerPrefix` (default "X-RateLimit-") so operators can match the unprefixed IETF-draft `RateLimit-*` names or an upstream gateway's convention; the limit/remaining pair is always built from the same prefix. · *Configurable age-gate and AI-Act disclosure header names* — `b.middleware.ageGate` now takes `privacyPostureHeader` (default "X-Privacy-Posture"; null/false to suppress), and `b.middleware.aiActDisclosure` takes `headerPrefix` (default "AI-Act-") that prefixes the emitted Notice / Article / Policy headers. The EU AI Act mandates the disclosure, not the HTTP spelling, so operators matching a downstream convention can rename these. · *Configurable GraphQL-federation replay-nonce header* — `b.graphqlFederation.guardSdl` read the replay nonce from the Apollo-vendor `x-apollographql-router-nonce` header with no override. It now accepts `nonceHeader` (default unchanged) so an operator fronting the gateway with a non-Apollo router can point the replay check at their own header. · *SSE proxy-buffering opt-out* — `b.sse.create` and `b.middleware.sse` set `X-Accel-Buffering: no` (the nginx hint that disables proxy buffering). They now accept `proxyBuffer` (default true) — pass false when not behind nginx, or when buffering is controlled at the load balancer, to suppress the nginx-specific header. The opt-out was previously referenced in the documentation but not implemented. **Fixed:** *Request-id middleware reflects the configured header name* — `b.log.middleware` read the inbound request id from a configurable `headerName` but always wrote the response on the literal `X-Request-Id`. An operator who set a custom `headerName` (e.g. `X-Correlation-Id`) therefore read from one header and emitted another. The response is now written on the same configured name; the default remains `X-Request-Id`, so deployments that did not set `headerName` are unaffected.
+
 ## v0.13.x
 
 - v0.13.46 (2026-05-29) — **`createApp` now wires the documented security middleware ON by default — CSRF, CSP nonce, cookie parser, fetch-metadata, and body parser.** The README has long described a security middleware stack as "wired by createApp", but createApp only mounted request-ID, security-headers, and bot-guard by default — CSRF protection, the CSP nonce, the threat-aware cookie parser, the fetch-metadata guard, and the body parser were documented but not actually wired. This release closes that gap: createApp now mounts all of them by default, in dependency order (cookies, CSP nonce, fetch-metadata, then body parser, then CSRF last so it can read a body-field token). This is a behavior change — apps built with createApp now enforce CSRF on state-changing requests by default. Each layer is configurable via opts.middleware.<name> (operator cookie and field names flow straight through — nothing is hardcoded) or can be turned off with false, and disabling a security default now emits an app.middleware.disabled audit event. Every layer is idempotent: an operator who also mounts one of these inside opts.routes gets a no-op second mount rather than a double-apply. The default CSRF is a double-submit cookie that auto-skips requests carrying an Authorization header or no cookies at all, which are not CSRF-able, so token-authenticated API clients are not rejected. The README middleware list is now an accurate description of what createApp wires. **Added:** *Idempotent security middleware* — The cookie parser, CSP nonce, fetch-metadata, and CSRF middleware are now idempotent within a request: if one has already run (because createApp wired it and an operator also mounted it), the second instance is a no-op rather than re-parsing, re-generating a nonce, or issuing a second CSRF cookie. This lets an application compose its own middleware order on top of createApp's defaults without double-applying. The body parser already had this behavior. **Changed:** *createApp wires CSRF, CSP nonce, cookie parser, fetch-metadata, and body parser by default (breaking)* — Applications constructed with b.createApp now mount, in order: the threat-aware cookie parser, the CSP nonce generator, the fetch-metadata resource-isolation guard, the body parser (JSON / urlencoded / text / multipart), and CSRF protection — in addition to the request-ID, security-headers, and bot-guard layers already wired. The ordering guarantees CSRF runs after the body parser so a body-field token is available. This is a behavior change: state-changing requests (POST / PUT / DELETE / PATCH) that carry a session cookie are now CSRF-validated by default. Each layer is configured through opts.middleware.<name> (an object passes operator options straight through; cookie and field names are not hardcoded) or disabled with false. Operators who were mounting these middleware themselves inside opts.routes do not need to change anything — the second mount is now a no-op (see idempotency below). · *Default CSRF auto-skips token-authenticated and cookieless requests* — The CSRF middleware gains a skipStateless option (default false; createApp's default wiring sets it true). When on, token validation is skipped for requests that carry an Authorization header or no Cookie header at all — such requests are not CSRF-able, because CSRF abuses a victim's ambient cookie credential and these have none. The token is still issued on safe methods so a later cookie-authenticated browser flow works. Cross-site form CSRF is unaffected: the browser auto-sends the victim's cookies, so an attack request always carries a Cookie header and is validated. · *Disabling a default security middleware is audited* — Passing false for one of the security-on-by-default middleware (for example middleware: { csrf: false }) now emits an app.middleware.disabled audit event naming the middleware, so a weakened posture leaves a trace in the audit chain rather than being silent.

package/lib/asn1-der.js

@@ -321,6 +321,13 @@ function writeOid(dotted) {
 
 function writeContextExplicit(tagNumber, child) {
   // [N] EXPLICIT — context-specific class (0xA0 | tag) + constructed.
+  // Tag numbers > 30 need the multi-byte high-tag-number form, which this
+  // single-byte encoder does not emit — refuse rather than silently
+  // truncate via `& 0x1f`.
+  if (tagNumber < 0 || tagNumber > 30) {
+    throw new RangeError("asn1: context tag number " + tagNumber +
+      " out of range (0..30); high-tag-number form is not supported");
+  }
   var tagByte = 0xa0 | (tagNumber & 0x1f);                                       // allow:raw-byte-literal — context-specific constructed mask
   return writeNode(tagByte, child);
 }
@@ -331,6 +338,10 @@ function writeContextImplicit(tagNumber, value, opts) {
   // wrapping a structured value (e.g. IMPLICIT [0] OCTET STRING vs
   // IMPLICIT [0] SEQUENCE OF). Value is the raw inner bytes (already
   // encoded for constructed cases).
+  if (tagNumber < 0 || tagNumber > 30) {
+    throw new RangeError("asn1: context tag number " + tagNumber +
+      " out of range (0..30); high-tag-number form is not supported");
+  }
   var tagByte = 0x80 | (tagNumber & 0x1f);                                       // allow:raw-byte-literal — context-specific primitive mask
   if (opts && opts.constructed) tagByte |= 0x20;                                 // allow:raw-byte-literal — constructed bit
   return writeNode(tagByte, value);

package/lib/auth/jar.js

@@ -130,6 +130,17 @@ async function parse(jar, opts) {
     audience:    opts.audience,
     clockSkewMs: opts.clockSkewMs,
   });
+  // RFC 9101 §10.8 — the request object MUST be explicitly typed so a JWT
+  // minted for another purpose (id_token / access-token / logout-token)
+  // and signed by the same client key cannot be replayed here as a request
+  // object (cross-JWT confusion). Require the registered media type, with or
+  // without the "application/" prefix; an absent or mismatched typ is refused.
+  var jarTyp = verified.header && verified.header.typ;
+  if (jarTyp !== JAR_TYP && jarTyp !== "application/" + JAR_TYP) {
+    throw new AuthJarError("auth-jar/bad-typ",
+      "jar.parse: request object header.typ must be \"" + JAR_TYP +
+      "\" (RFC 9101 §10.8 — cross-JWT-confusion defense)");
+  }
   var payload = verified.claims;
 
   // RFC 9101 §5.2 — the request object MUST carry a client_id claim,

package/lib/auth/oauth.js

@@ -836,10 +836,10 @@ function create(opts) {
     // only in claim validation (no nonce, audience = clientId, no
     // ID-token-specific claims). We wrap verifyIdToken with the
     // skip-nonce flag and apply JARM-specific claim checks below.
+    // verifyIdToken applies the create()-level accepted algorithms / JWKS /
+    // clock-skew; only the JARM-specific skip-nonce flag is passed here.
     var verified = await verifyIdToken(responseJwt, {
       skipNonceCheck: true,
-      acceptedAlgs:   jopts.acceptedAlgs,
-      maxClockSkewMs: jopts.maxClockSkewMs,
     });
     var c = verified.claims;
     // Per JARM §4: `iss` MUST match the OP issuer; `aud` MUST contain
@@ -1419,12 +1419,10 @@ function create(opts) {
     }
     // Reuse verifyIdToken's signature-verification path. It looks up
     // the IdP JWKS and checks the JWS — same trust anchor.
+    // verifyIdToken applies the create()-level issuer / clientId / accepted
+    // algorithms / JWKS / clock-skew — the same trust anchor as id_tokens.
+    // Only the per-call logout-token semantics are passed here.
     var verified = await verifyIdToken(logoutToken, {
-      issuer:         issuer,
-      clientId:       clientId,
-      acceptedAlgs:   vopts.acceptedAlgs,
-      jwksUri:        vopts.jwksUri,
-      maxClockSkewMs: vopts.maxClockSkewMs,
       // Logout tokens have no nonce — disable the nonce check that
       // verifyIdToken would otherwise enforce on id_tokens.
       skipNonceCheck: true,

package/lib/auth/oid4vci.js

@@ -240,7 +240,7 @@ function _verifyProofJwt(proofJwt, expectedAud, expectedCNonce, expectedClientId
  *     tokenEndpoint:              string,                // public URL for /token (re-used by the pre-auth flow)
  *     sdJwtIssuer:                <b.auth.sdJwtVc.issuer instance>, // mints the SD-JWT VC
  *     supportedCredentials:       { [id]: { format, vct, claims, ... } },
- *     proofAlgorithms:            string[],              // default ["ES256", "ES384"]
+ *     proofAlgorithms:            string[],              // default ["ES256", "ES384", "EdDSA"]
  *     preAuthCodeTtlMs?:          number,                // default 5m
  *     accessTokenTtlMs?:          number,                // default 15m
  *     cNonceTtlMs?:               number,                // default 5m

package/lib/auth/saml.js

@@ -596,6 +596,10 @@ function create(opts) {
     var confirmations = _findAllChildren(subject, "SubjectConfirmation", SAML_NS.assertion);
     var bearerOk = false;
     var hokOk = false;
+    // InResponseTo of the SubjectConfirmation that actually passed bearer
+    // validation — captured so the returned value can't be sourced from a
+    // different (non-validated) confirmation when several are present.
+    var matchedInResponseTo = null;
     var hokFingerprint = null;
     // Holder-of-Key SubjectConfirmation per SAML 2.0 Profile §3.1
     // (urn:oasis:names:tc:SAML:2.0:cm:holder-of-key). The IdP binds
@@ -721,6 +725,7 @@ function create(opts) {
             "AuthnRequest ID (replay defense)");
         }
       }
+      matchedInResponseTo = inResponseTo;
       bearerOk = true;
       break;
     }
@@ -787,8 +792,7 @@ function create(opts) {
       sessionIndex:    sessionIndex,
       attributes:      attributes,
       audience:        audience,
-      inResponseTo:    bearerOk ? _attr(_findChild(_findChild(subject, "SubjectConfirmation", SAML_NS.assertion),
-                                       "SubjectConfirmationData", SAML_NS.assertion), "InResponseTo") : null,
+      inResponseTo:    bearerOk ? matchedInResponseTo : null,
       issuer:          issuer,
     };
   }

package/lib/graphql-federation.js

@@ -116,6 +116,7 @@ function _readBody(req, errorClass) {
  *   publicSchemaOk:   boolean,                                       // default false — explicit override to publish the SDL
  *   routerToken:      string,                                        // required unless publicSchemaOk; 32+ chars
  *   nonceStore:       { has(nonce): bool, remember(nonce, ttlMs) },  // optional — replay protection
+ *   nonceHeader:      string,                                        // default "x-apollographql-router-nonce" — request header carrying the replay nonce
  *   nonceTtlMs:       number,                                        // default 5 minutes
  *   errorClass:       Function,                                      // default GraphqlFederationError
  *   audit:            boolean,                                       // default true
@@ -141,6 +142,12 @@ function guardSdl(opts) {
   numericBounds.requirePositiveFiniteIntIfPresent(opts.nonceTtlMs, "graphqlFederation.guardSdl: opts.nonceTtlMs", errorClass, "BAD_TTL");
   var nonceTtlMs = opts.nonceTtlMs || C.TIME.minutes(5);
   var auditOn = opts.audit !== false;
+  // The replay nonce is read from the Apollo-router convention header by
+  // default, but `x-apollographql-router-nonce` is a vendor name, not a
+  // spec one — operators fronting the gateway with a different router send
+  // the nonce under their own header. Lowercased to match Node's header keys.
+  var nonceHeader = (typeof opts.nonceHeader === "string" && opts.nonceHeader.length > 0)
+    ? opts.nonceHeader.toLowerCase() : "x-apollographql-router-nonce";
 
   function _emitDenied(req, reason, metadata) {
     if (!auditOn) return;
@@ -190,7 +197,7 @@ function guardSdl(opts) {
         }
 
         if (nonceStore) {
-          var nonce = req.headers && req.headers["x-apollographql-router-nonce"];
+          var nonce = req.headers && req.headers[nonceHeader];
           if (typeof nonce !== "string" || nonce.length < NONCE_MIN_LEN || nonce.length > NONCE_MAX_LEN) {
             _emitDenied(req, "missing nonce", {});
             return _refuse(res, 401, "graphql federation: nonce required");

package/lib/http-client-cache.js

@@ -545,6 +545,7 @@ function memoryStore(opts) {
  *   revalidateInBackground: true,          // s-w-r kicks off background revalidation
  *   audit:                  undefined,     // audit sink with safeEmit({...})
  *   observability:          undefined,     // optional { event, safeEvent }
+ *   statusHeader:           "x-blamejs-cache", // response header carrying the cache decision; null/false to suppress, or a custom name (e.g. "x-cache")
  *
  * @example
  *   var cache = b.httpClient.cache.create({
@@ -585,6 +586,21 @@ function create(opts) {
   var revalidateBackground = opts.revalidateInBackground !== false;  // default true
   var audit               = opts.audit || null;
   var obs                 = opts.observability || null;
+  // statusHeader (default "x-blamejs-cache") names the response header that
+  // carries the cache decision (MISS/HIT/STALE/REVALIDATED). The decision is
+  // also on res.cacheStatus programmatically. Pass null/false to suppress the
+  // header, or a string to rename it (e.g. "x-cache"). Lowercased for the wire.
+  var statusHeader;
+  if (opts.statusHeader === null || opts.statusHeader === false) {
+    statusHeader = null;
+  } else if (opts.statusHeader === undefined) {
+    statusHeader = "x-blamejs-cache";
+  } else if (typeof opts.statusHeader === "string" && opts.statusHeader.length > 0) {
+    statusHeader = opts.statusHeader.toLowerCase();
+  } else {
+    throw _hcErr("httpclient/cache-bad-opts",
+      "cache.create: statusHeader must be a non-empty string, or null/false to suppress");
+  }
 
   function _emit(action, outcome, metadata) {
     if (!audit || typeof audit.safeEmit !== "function") return;
@@ -825,6 +841,7 @@ function create(opts) {
     store:                  store,
     audit:                  audit,
     observability:          obs,
+    statusHeader:           statusHeader,
 
     // ---- Lookup / store / revalidation flow ----
     //

package/lib/http-client.js

@@ -849,9 +849,12 @@ function _cacheEligibleMethod(method) {
 
 // Wrap an outbound headers object with the framework's cache-decision
 // markers. Mutates a copy; never the original.
-function _withCacheHeaders(res, status, ageSeconds) {
+function _withCacheHeaders(res, status, ageSeconds, statusHeader) {
   var headers = Object.assign({}, res.headers || {});
-  headers["x-blamejs-cache"] = status;
+  // statusHeader defaults to "x-blamejs-cache"; the cache instance can rename
+  // it or set it null to suppress (the decision is also on res.cacheStatus).
+  var name = (statusHeader === undefined) ? "x-blamejs-cache" : statusHeader;
+  if (name) headers[name] = status;
   if (typeof ageSeconds === "number" && ageSeconds >= 0) {
     headers["age"] = String(Math.floor(ageSeconds));
   }
@@ -893,7 +896,7 @@ function _runWithCache(opts, maxRedirects, runAfter) {
     catch (_e) { /* drop-silent */ }
     return _doNetwork(null).then(function (boxed) {
       _maybeStore(cache, method, opts.url, requestHeaders, boxed.res);
-      return runAfter(boxed.finalOpts, _withCacheHeaders(boxed.res, "MISS"));
+      return runAfter(boxed.finalOpts, _withCacheHeaders(boxed.res, "MISS", undefined, cache.statusHeader));
     });
   }
 
@@ -907,7 +910,7 @@ function _runWithCache(opts, maxRedirects, runAfter) {
     catch (_e2) { /* drop-silent */ }
     return _doNetwork(null).then(function (boxed) {
       _maybeStore(cache, method, opts.url, requestHeaders, boxed.res);
-      return runAfter(boxed.finalOpts, _withCacheHeaders(boxed.res, "MISS"));
+      return runAfter(boxed.finalOpts, _withCacheHeaders(boxed.res, "MISS", undefined, cache.statusHeader));
     });
   }
 
@@ -923,7 +926,7 @@ function _runWithCache(opts, maxRedirects, runAfter) {
       body:       Buffer.isBuffer(entry.body) ? Buffer.from(entry.body) : entry.body,
       cacheStatus: "HIT",
     };
-    return Promise.resolve(runAfter(opts, _withCacheHeaders(hitRes, "HIT", age)));
+    return Promise.resolve(runAfter(opts, _withCacheHeaders(hitRes, "HIT", age, cache.statusHeader)));
   }
 
   // 4. Stale or must-revalidate. Within stale-while-revalidate or
@@ -957,7 +960,7 @@ function _runWithCache(opts, maxRedirects, runAfter) {
         /* background revalidation best-effort; swallow */
       });
     });
-    return Promise.resolve(runAfter(opts, _withCacheHeaders(staleRes, "STALE", ageStale)));
+    return Promise.resolve(runAfter(opts, _withCacheHeaders(staleRes, "STALE", ageStale, cache.statusHeader)));
   }
 
   // 5. Inline conditional revalidation. Build If-None-Match /
@@ -974,11 +977,11 @@ function _runWithCache(opts, maxRedirects, runAfter) {
                       : (rev.refreshed || entry).body,
         cacheStatus: "REVALIDATED",
       };
-      return runAfter(opts, _withCacheHeaders(revRes, "REVALIDATED", ageRev));
+      return runAfter(opts, _withCacheHeaders(revRes, "REVALIDATED", ageRev, cache.statusHeader));
     }
     if (rev.kind === "fresh-response") {
       _maybeStore(cache, method, opts.url, requestHeaders, rev.res);
-      return runAfter(rev.finalOpts || opts, _withCacheHeaders(rev.res, "MISS"));
+      return runAfter(rev.finalOpts || opts, _withCacheHeaders(rev.res, "MISS", undefined, cache.statusHeader));
     }
     // rev.kind === "error" — try stale-if-error.
     var sieMs = (evaluation.sieWindowMs || 0);
@@ -994,7 +997,7 @@ function _runWithCache(opts, maxRedirects, runAfter) {
         body:       Buffer.isBuffer(entry.body) ? Buffer.from(entry.body) : entry.body,
         cacheStatus: "STALE",
       };
-      return runAfter(opts, _withCacheHeaders(sieRes, "STALE", ageErr));
+      return runAfter(opts, _withCacheHeaders(sieRes, "STALE", ageErr, cache.statusHeader));
     }
     return Promise.reject(rev.error);
   });

package/lib/log.js

@@ -376,7 +376,12 @@ function create(opts) {
 
     function middleware(mwOpts) {
       mwOpts = mwOpts || {};
-      var headerName = (mwOpts.headerName || "x-request-id").toLowerCase();
+      // Read and write the SAME header. The raw form keeps the operator's
+      // casing (or the canonical "X-Request-Id" default) for the response;
+      // the lowercased form matches Node's request-header keys for the read.
+      var rawHeaderName = (typeof mwOpts.headerName === "string" && mwOpts.headerName.length > 0)
+        ? mwOpts.headerName : "X-Request-Id";
+      var headerName = rawHeaderName.toLowerCase();
       var setOnRes   = mwOpts.setHeader !== false;
       var generate   = typeof mwOpts.generate === "function"
         ? mwOpts.generate
@@ -395,7 +400,7 @@ function create(opts) {
         id = safeBuffer.stripCrlf(String(id));
         req.id = id;
         if (setOnRes && typeof res.setHeader === "function") {
-          try { res.setHeader("X-Request-Id", id); } catch (_e) { /* header may be locked */ }
+          try { res.setHeader(rawHeaderName, id); } catch (_e) { /* header may be locked */ }
         }
         runWithRequestId(id, function () { next(); });
       };

package/lib/mail-crypto-pgp.js

@@ -84,7 +84,7 @@
  *       audit:          opts.audit,            // optional b.audit handle
  *     });
  *     // → { armored: "-----BEGIN PGP SIGNATURE----- ...",
- *     //     multipartSigned: "Content-Type: multipart/signed; ...",
+ *     //     multipartSigned: <Buffer ...>,   // RFC 3156 wrapper bytes
  *     //     signedAt:        epochSeconds, fingerprint: "abcd..." }
  *
  *     var rv = b.mail.crypto.pgp.verify({
@@ -564,19 +564,27 @@ function sign(opts) {
   // key/cert material flows through createSign/verify, not this path.
   // allow:raw-randombytes-token — boundary string, not auth credential
   var boundary = "blamejs-pgp-" + nodeCrypto.randomBytes(12).toString("hex");
-  var multipartSigned =
-    'Content-Type: multipart/signed; micalg="pgp-' + hashName + '"; ' +
-    'protocol="application/pgp-signature"; boundary="' + boundary + '"\r\n' +
-    "\r\n" +
-    "--" + boundary + "\r\n" +
-    (Buffer.isBuffer(message) ? message.toString("binary") : message) +
-    "\r\n--" + boundary + "\r\n" +
-    'Content-Type: application/pgp-signature; name="signature.asc"\r\n' +
-    "Content-Description: OpenPGP digital signature\r\n" +
-    'Content-Disposition: attachment; filename="signature.asc"\r\n' +
-    "\r\n" +
-    armored +
-    "--" + boundary + "--\r\n";
+  // The OpenPGP signature covers the signed-part bytes exactly, so the
+  // multipart/signed wrapper is assembled as a Buffer — a JS-string round
+  // trip through latin1/utf8 could corrupt non-ASCII signed content and
+  // break signature verification. `multipartSigned` is therefore a Buffer.
+  var messageBytes = Buffer.isBuffer(message) ? message : Buffer.from(message, "utf8");
+  var multipartSigned = Buffer.concat([
+    Buffer.from(
+      'Content-Type: multipart/signed; micalg="pgp-' + hashName + '"; ' +
+      'protocol="application/pgp-signature"; boundary="' + boundary + '"\r\n' +
+      "\r\n" +
+      "--" + boundary + "\r\n", "utf8"),
+    messageBytes,
+    Buffer.from(
+      "\r\n--" + boundary + "\r\n" +
+      'Content-Type: application/pgp-signature; name="signature.asc"\r\n' +
+      "Content-Description: OpenPGP digital signature\r\n" +
+      'Content-Disposition: attachment; filename="signature.asc"\r\n' +
+      "\r\n" +
+      armored +
+      "--" + boundary + "--\r\n", "utf8"),
+  ]);
 
   // Audit (drop-silent — never crash the request that triggered us).
   _audit(opts.audit, "mail.crypto.pgp.sign", "success", {

package/lib/middleware/age-gate.js

@@ -70,6 +70,7 @@ var AgeGateError = defineClass("AgeGateError", { alwaysPermanent: true });
  *     hasParentalConsent: function(req): boolean,
  *     skipPaths:          string[],
  *     errorMessage:       string,
+ *     privacyPostureHeader: string,                     // default "X-Privacy-Posture"; null/false to suppress
  *     audit:              boolean,                      // default true
  *   }
  *
@@ -87,7 +88,7 @@ function create(opts) {
   opts = opts || {};
   validateOpts(opts, [
     "audit", "getAge", "requireAge", "consentRequired",
-    "hasParentalConsent", "skipPaths", "errorMessage",
+    "hasParentalConsent", "skipPaths", "errorMessage", "privacyPostureHeader",
   ], "middleware.ageGate");
 
   if (typeof opts.getAge !== "function") {
@@ -104,6 +105,17 @@ function create(opts) {
   var auditOn = opts.audit !== false;
   var errorMessage = typeof opts.errorMessage === "string" && opts.errorMessage.length > 0
     ? opts.errorMessage : "service unavailable without parental consent";
+  // privacyPostureHeader (default "X-Privacy-Posture") names the response
+  // header carrying the below-threshold classification. Pass null/false to
+  // suppress it, or a string to rename it for a downstream convention.
+  var privacyPostureHeader;
+  if (opts.privacyPostureHeader === null || opts.privacyPostureHeader === false) {
+    privacyPostureHeader = null;
+  } else if (typeof opts.privacyPostureHeader === "string" && opts.privacyPostureHeader.length > 0) {
+    privacyPostureHeader = opts.privacyPostureHeader;
+  } else {
+    privacyPostureHeader = "X-Privacy-Posture";
+  }
 
   function _shouldSkip(req) {
     if (skipPaths.length === 0) return false;
@@ -148,7 +160,7 @@ function create(opts) {
       if (typeof res.setHeader === "function") {
         res.setHeader("Cache-Control",   "private, no-store");
         res.setHeader("Referrer-Policy", "no-referrer");
-        res.setHeader("X-Privacy-Posture", classification);
+        if (privacyPostureHeader) res.setHeader(privacyPostureHeader, classification);
       }
     }
 

package/lib/middleware/ai-act-disclosure.js

@@ -66,6 +66,7 @@ var audit     = lazyRequire(function () { return require("../audit"); });
  *     mode:         "header"|"html",   // default "header"
  *     lang:         string,            // default "en"
  *     skipHeader:   string,            // default "x-skip-ai-act"
+ *     headerPrefix: string,            // default "AI-Act-" — prefixes the Notice/Article/Policy disclosure headers
  *     audit:        boolean,           // default true
  *   }
  *
@@ -83,7 +84,7 @@ function create(opts) {
   opts = opts || {};
   validateOpts(opts, [
     "kind", "deployerName", "policyUri", "mode",
-    "audit", "lang", "skipHeader",
+    "audit", "lang", "skipHeader", "headerPrefix",
   ], "middleware.aiActDisclosure");
 
   var mode = (opts.mode === "html") ? "html" : "header";
@@ -99,6 +100,12 @@ function create(opts) {
   var skipHeader = (typeof opts.skipHeader === "string" && opts.skipHeader.length > 0)
     ? opts.skipHeader.toLowerCase()
     : "x-skip-ai-act";
+  // headerPrefix (default "AI-Act-") names the emitted disclosure headers as
+  // <prefix>Notice / <prefix>Article / <prefix>Policy. The EU AI Act mandates
+  // the disclosure, not the HTTP spelling — operators matching a downstream
+  // convention pass their own prefix (e.g. "X-AI-").
+  var headerPrefix = (typeof opts.headerPrefix === "string" && opts.headerPrefix.length > 0)
+    ? opts.headerPrefix : "AI-Act-";
 
   return function aiActDisclosureMiddleware(req, res, next) {
     var headers = req.headers || {};
@@ -118,10 +125,10 @@ function create(opts) {
         return origWriteHead.apply(res, arguments);
       }
       var article = _articleFor(opts.kind || "ai-interaction");
-      _setHeader(res, "AI-Act-Notice",  opts.kind || "ai-interaction");
-      _setHeader(res, "AI-Act-Article", article);
+      _setHeader(res, headerPrefix + "Notice",  opts.kind || "ai-interaction");
+      _setHeader(res, headerPrefix + "Article", article);
       if (typeof opts.policyUri === "string" && opts.policyUri.length > 0) {
-        _setHeader(res, "AI-Act-Policy", opts.policyUri);
+        _setHeader(res, headerPrefix + "Policy", opts.policyUri);
       }
       injected = true;
       return origWriteHead.apply(res, arguments);

package/lib/middleware/rate-limit.js

@@ -364,6 +364,7 @@ function _resolveBackend(opts) {
  *     statusOnLimit:   number,           // default 429
  *     bodyOnLimit:     string,           // default "Too Many Requests"
  *     header:          boolean,          // default true
+ *     headerPrefix:    string,           // default "X-RateLimit-" — builds <prefix>Limit / <prefix>Remaining (e.g. "RateLimit-" for the IETF draft names)
  *     skipPaths:       Array<string|RegExp>,
  *     scope:           "global"|"per-route",
  *     backend:         "memory"|"cluster"|{ take, reset },
@@ -390,7 +391,7 @@ function _resolveBackend(opts) {
 function create(opts) {
   opts = opts || {};
   validateOpts(opts, [
-    "keyFn", "statusOnLimit", "bodyOnLimit", "header", "skipPaths", "scope",
+    "keyFn", "statusOnLimit", "bodyOnLimit", "header", "headerPrefix", "skipPaths", "scope",
     "backend", "trustProxy", "algorithm",
     // memory backend (token-bucket)
     "burst", "refillPerSecond",
@@ -404,6 +405,14 @@ function create(opts) {
   var statusOnLimit = opts.statusOnLimit || 429;
   var bodyOnLimit = opts.bodyOnLimit !== undefined ? opts.bodyOnLimit : "Too Many Requests";
   var emitHeaders = opts.header !== false;
+  // headerPrefix (default "X-RateLimit-") builds the limit/remaining header
+  // names as <prefix>Limit / <prefix>Remaining. The X-RateLimit-* family is a
+  // de-facto convention, not RFC-pinned — operators matching the IETF draft
+  // pass "RateLimit-", or a gateway's own prefix. Kept as a matched pair.
+  var headerPrefix = (typeof opts.headerPrefix === "string" && opts.headerPrefix.length > 0)
+    ? opts.headerPrefix : "X-RateLimit-";
+  var limitHeader = headerPrefix + "Limit";
+  var remainingHeader = headerPrefix + "Remaining";
   var skipPaths = opts.skipPaths || [];
   // Throw at create(): each entry must be a string prefix or a RegExp.
   // Anything else would crash _shouldSkip with TypeError on the first request.
@@ -429,8 +438,8 @@ function create(opts) {
 
   function _writeBlocked(req, res, k, verdict) {
     if (emitHeaders && typeof res.setHeader === "function") {
-      res.setHeader("X-RateLimit-Limit", String(verdict.limit));
-      res.setHeader("X-RateLimit-Remaining", String(verdict.remaining));
+      res.setHeader(limitHeader, String(verdict.limit));
+      res.setHeader(remainingHeader, String(verdict.remaining));
       if (verdict.retryAfter > 0) res.setHeader("Retry-After", String(verdict.retryAfter));
     }
     try {
@@ -459,8 +468,8 @@ function create(opts) {
 
     function _handle(verdict) {
       if (emitHeaders && typeof res.setHeader === "function") {
-        res.setHeader("X-RateLimit-Limit", String(verdict.limit));
-        res.setHeader("X-RateLimit-Remaining", String(verdict.remaining));
+        res.setHeader(limitHeader, String(verdict.limit));
+        res.setHeader(remainingHeader, String(verdict.remaining));
       }
       if (!verdict.allowed) return _writeBlocked(req, res, k, verdict);
       next();

package/lib/middleware/sse.js

@@ -90,6 +90,7 @@ function _formatEvent(msg) {
  *   {
  *     heartbeatMs: number|false,   // default 15000
  *     headers:     object,         // extra response headers
+ *     proxyBuffer: boolean,        // default true — sets X-Accel-Buffering: no; false to suppress
  *   }
  *
  * @example
@@ -105,13 +106,17 @@ function create(handler, opts) {
     throw new Error("middleware.sse: handler must be a function (channel, req) => ...");
   }
   opts = opts || {};
-  validateOpts(opts, ["heartbeatMs", "headers"], "middleware.sse");
+  validateOpts(opts, ["heartbeatMs", "headers", "proxyBuffer"], "middleware.sse");
   var heartbeatMs = opts.heartbeatMs === false ? 0
     : (opts.heartbeatMs != null ? opts.heartbeatMs : DEFAULT_HEARTBEAT_MS);
   if (heartbeatMs !== 0 && (typeof heartbeatMs !== "number" || !isFinite(heartbeatMs) || heartbeatMs <= 0)) {
     throw new Error("middleware.sse: heartbeatMs must be a positive finite number or false");
   }
   var extraHeaders = opts.headers || {};
+  // proxyBuffer (default true) sets `X-Accel-Buffering: no` (the nginx hint
+  // that disables proxy buffering). Pass false when not behind nginx, or
+  // when buffering is controlled at the load balancer, to suppress it.
+  var proxyBuffer = opts.proxyBuffer !== false;
 
   return async function sseMiddleware(req, res) {
     if (typeof res.writeHead !== "function" || typeof res.write !== "function") {
@@ -119,13 +124,14 @@ function create(handler, opts) {
       // unusual. Fail closed rather than silently dropping the handler.
       throw new Error("middleware.sse: res does not support writeHead/write — wire SSE only on HTTP routes");
     }
-    var headers = Object.assign({
-      "Content-Type":     "text/event-stream; charset=utf-8",
-      "Cache-Control":    "no-cache, no-transform",
-      "Connection":       "keep-alive",
-      // Disable nginx response buffering when terminating behind it.
-      "X-Accel-Buffering": "no",
-    }, extraHeaders);
+    var baseHeaders = {
+      "Content-Type":  "text/event-stream; charset=utf-8",
+      "Cache-Control": "no-cache, no-transform",
+      "Connection":    "keep-alive",
+    };
+    // Disable nginx response buffering when terminating behind it.
+    if (proxyBuffer) baseHeaders["X-Accel-Buffering"] = "no";
+    var headers = Object.assign(baseHeaders, extraHeaders);
     // Append Vary: Accept so a proxy doesn't serve a cached non-SSE
     // response on the same URL to a future client.
     res.writeHead(requestHelpers.HTTP_STATUS.OK, headers);

package/lib/network-tls.js

@@ -3066,9 +3066,13 @@ function checkServerIdentity9525(host, cert) {
   }
   var rawSan = cert.subjectaltname;
   if (typeof rawSan !== "string" || rawSan.length === 0) {
-    // RFC 9525 §6.4.4 forbids CN fallback. If there's no SAN we refuse,
-    // never inspect cert.subject.CN — a CN-only cert violates the
-    // modern PKIX baseline and the operator chose the strict checker.
+    // RFC 9525 §6.4.4 forbids CN fallback. A CN-only legacy cert (CN
+    // present, no SAN) surfaces the distinct `tls/pkix-cn-fallback-refused`
+    // code so audit logs can tell it apart from a cert carrying neither;
+    // a cert with no SAN and no CN falls through to `tls/pkix-san-required`.
+    // Both refuse — we never fall back to matching on the Common Name.
+    var cnRefusal = _refuseCnFallback(host, cert);
+    if (cnRefusal) return cnRefusal;
     return new NetworkTlsError("tls/pkix-san-required",
       "checkServerIdentity9525: certificate has no subjectAltName " +
       "extension (RFC 9525 §6.4.4 forbids Common Name fallback)");
@@ -3117,10 +3121,11 @@ function _refuseCnFallback(host, cert) {
   return null;
 }
 
-// Public combined verifier — applies both the SAN-required check and
-// the CN-fallback explicit refusal so operators get the more specific
-// of the two error codes when applicable. checkServerIdentity9525 is
-// the drop-in name; this internal helper is what `connect` wires in.
+// Explicit combined verifier kept for tests + callers that want the
+// CN-fallback / SAN-required split spelled out. The exported drop-in
+// `checkServerIdentity9525` already performs the CN-fallback refusal in
+// its no-SAN branch, so the `_refuseCnFallback` call here is a redundant
+// (idempotent) belt-and-suspenders; the more specific code wins either way.
 function _checkServerIdentityStrict(host, cert) {
   var cnRefusal = _refuseCnFallback(host, cert);
   if (cnRefusal) return cnRefusal;

package/lib/protobuf-encoder.js

@@ -82,6 +82,14 @@ function _writeVarint(value) {
 }
 
 function _tag(fieldNumber, wireType) {
+  // `fieldNumber << 3` uses JS's 32-bit signed shift, which overflows and
+  // emits a wrong tag once fieldNumber reaches 2^28. Reject anything outside
+  // the safe single-shift range rather than encode silently wrong — the OTLP
+  // schema this serves uses small field numbers well within it.
+  if (fieldNumber < 1 || fieldNumber > 268435455) {  // 2^28 - 1
+    throw new RangeError("protobuf: field number " + fieldNumber +
+      " out of range (1..2^28-1)");
+  }
   return _writeVarint((fieldNumber << 3) | wireType);
 }
 

package/lib/queue.js

@@ -417,8 +417,10 @@ function consume(queueName, handler, opts) {
       }
       var jobs;
       try { jobs = await b.lease(queueName, leaseDurationMs, slots); }
-      catch {
-        // Backend down (breaker open, etc.) — back off
+      catch (e) {
+        // Backend down (breaker open, etc.) — log + back off so a flapping
+        // backend that hasn't yet tripped the breaker is still visible.
+        log.debug("lease-failed", { op: "b.lease", queue: queueName, error: e.message });
         await _pollSleep(pollIntervalMs);
         continue;
       }

package/lib/sse.js

@@ -27,6 +27,11 @@
  *                        input (default SseError)
  *       audit          — bool, default true. Emit SSE lifecycle audit
  *                        events.
+ *       proxyBuffer    — bool, default true. Sets `X-Accel-Buffering:
+ *                        no` (the nginx hint that disables proxy
+ *                        buffering of the stream). Pass false when not
+ *                        behind nginx, or when buffering is handled at
+ *                        the load balancer, to suppress the header.
  *
  *   channel.send({ event, id, data, retry })
  *     Writes a single SSE event. Each field is validated; LF/CR/NUL
@@ -236,18 +241,20 @@ function create(req, res, opts) {
       JSON.stringify(heartbeatMs) + ")");
   }
   var auditOn = opts.audit !== false;
+  // proxyBuffer (default true) sets `X-Accel-Buffering: no` — the nginx hint
+  // that defeats proxy buffering of the event stream. Operators not behind
+  // nginx, or whose buffering is controlled at the load balancer, pass
+  // proxyBuffer: false to suppress the nginx-specific header.
+  var proxyBuffer = opts.proxyBuffer !== false;
 
   var lastEventId = _readLastEventId(req);
 
   // Headers. text/event-stream is the contract; Cache-Control: no-cache
-  // and Connection: keep-alive (h1) are the operationally required
-  // pair. X-Accel-Buffering: no defeats nginx-style proxy buffering;
-  // operators behind a proxy that doesn't honor this set proxyBuffer:
-  // false on their LB.
+  // and Connection: keep-alive (h1) are the operationally required pair.
   if (typeof res.setHeader === "function") {
     res.setHeader("Content-Type",      "text/event-stream; charset=utf-8");
     res.setHeader("Cache-Control",     "no-cache, no-transform");
-    res.setHeader("X-Accel-Buffering", "no");
+    if (proxyBuffer) res.setHeader("X-Accel-Buffering", "no");
     // Connection: keep-alive only meaningful on h1; h2 streams stay
     // open until either side closes. node:http2 surfaces res.stream
     // (h2 ServerHttp2Stream) where setHeader works the same.

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@blamejs/core",
-  "version": "0.13.46",
+  "version": "0.14.1",
   "description": "The Node framework that owns its stack.",
   "license": "Apache-2.0",
   "author": "blamejs contributors",

package/sbom.cdx.json

@@ -2,10 +2,10 @@
   "$schema": "http://cyclonedx.org/schema/bom-1.5.schema.json",
   "bomFormat": "CycloneDX",
   "specVersion": "1.5",
-  "serialNumber": "urn:uuid:f993db8e-7dd3-41d0-95bd-33ee9d07ab8f",
+  "serialNumber": "urn:uuid:5ae2d0f7-e30f-4d02-90d0-975129430c5f",
   "version": 1,
   "metadata": {
-    "timestamp": "2026-05-30T02:44:28.905Z",
+    "timestamp": "2026-05-30T05:49:41.774Z",
     "lifecycles": [
       {
         "phase": "build"
@@ -19,14 +19,14 @@
       }
     ],
     "component": {
-      "bom-ref": "@blamejs/core@0.13.46",
+      "bom-ref": "@blamejs/core@0.14.1",
       "type": "application",
       "name": "blamejs",
-      "version": "0.13.46",
+      "version": "0.14.1",
       "scope": "required",
       "author": "blamejs contributors",
       "description": "The Node framework that owns its stack.",
-      "purl": "pkg:npm/%40blamejs/core@0.13.46",
+      "purl": "pkg:npm/%40blamejs/core@0.14.1",
       "properties": [],
       "externalReferences": [
         {
@@ -54,7 +54,7 @@
   "components": [],
   "dependencies": [
     {
-      "ref": "@blamejs/core@0.13.46",
+      "ref": "@blamejs/core@0.14.1",
       "dependsOn": []
     }
   ]