@blamejs/core 0.14.5 → 0.14.6

package/CHANGELOG.md

@@ -8,6 +8,8 @@ upgrading across more than a few patches at a time.
 
 ## v0.14.x
 
+- v0.14.6 (2026-05-30) — **Access-refusal middleware can return RFC 9457 problem+json or a custom response, and several documented-but-uncallable APIs are now reachable.** Every access-refusal middleware — the auth gates (bearer, DPoP, mTLS, AAL, bound-key), CSRF, CORS, rate-limit, bot-guard, age-gate, the host and network allowlists, and the method and content-type gates — now accepts two uniform options: `problemDetails: true` returns an RFC 9457 `application/problem+json` body, and `onDeny(req, res, info)` hands the response to the caller. With neither set the refusal is byte-for-byte what it was, so this is a drop-in change that lets a service standardize one error envelope across its API instead of working around each middleware's hardcoded body. Alongside that: `b.middleware.requireBoundKey` is now exported (it was documented and tested but never wired into the middleware surface), `b.middleware.bearerAuth` accepts `requiredScopes` (previously rejected at construction, which made its scope-enforcement path unreachable), API-key refusals send the RFC 6750 challenge code that matches the failure, two documented call paths that named a missing namespace segment are corrected, and the release flow now flags stale GitHub Actions and vendored bundles — with a ready-to-paste pin — before a dependency PR is needed. **Added:** *Uniform `onDeny` and `problemDetails` options on every access-refusal middleware* — Each request-lifecycle middleware that refuses a request now takes `problemDetails: true` to emit an RFC 9457 `application/problem+json` body (composing `b.problemDetails`) and `onDeny(req, res, info)` to take over the response entirely; `info` carries the status, a machine reason, and the middleware-specific fields. The deny-path response headers (`Allow`, `WWW-Authenticate`, `Retry-After`, `Accept`) survive every mode. When neither option is set the response is unchanged. Covers `requireAuth`, `requireAal`, `requireMethods`, `requireContentType`, `requireMtls`, `requireBoundKey`, `bearerAuth`, `dpop`, `csrfProtect`, `fetchMetadata`, `botGuard`, `ageGate`, `hostAllowlist`, `networkAllowlist`, `cors`, `rateLimit`, and `dailyByteQuota` (whose existing `onExceeded` keeps working as an alias of `onDeny`). **Fixed:** *`b.middleware.requireBoundKey` is now callable* — The Bearer-API-key middleware was documented (with examples and tests) but never exported on `b.middleware`, so `b.middleware.requireBoundKey(...)` threw `undefined is not a function`. It is now wired into the middleware surface. · *`b.middleware.bearerAuth` accepts `requiredScopes`* — The RFC 6750 scope-enforcement path read `opts.requiredScopes`, but the option was rejected at construction with `unknown option`, making the 403 `insufficient_scope` behavior unreachable. `requiredScopes` is now an accepted option. · *RFC 6750 challenge codes on API-key refusals* — `b.middleware.requireBoundKey` now sends the `WWW-Authenticate` error code that matches the failure: `insufficient_scope` on a 403 missing-scope, `invalid_token` on an unknown or revoked token, and no error code on a 401 that presented no credentials (RFC 6750 §3). It previously sent `invalid_request` for every refusal. · *Corrected two documented call paths* — The compliance and network references named a path that dropped a namespace segment: the conformity-assessment scaffold is at `b.cra.report.conformityAssessment` (not `b.cra.conformityAssessment`), and the per-socket tuning helper is at `b.network.socket.applyToSocket` (not `b.network.applyToSocket`). The documented signatures now match the callable paths. · *GitHub Actions pins refreshed* — `github/codeql-action` 4.35.5 to 4.36.0, and `docker/login-action`, `docker/setup-buildx-action`, and `docker/setup-qemu-action` to their latest releases. **Detectors:** *`@primitive` reachability gate* — A new check resolves every documented `b.X.Y` primitive against the actual public surface and fails the build when a documented path is not callable (factory-instance shorthands excluded). This is the gate that would have caught the `requireBoundKey` and call-path issues above. · *Deny-path composition gate* — A new check requires every access-refusal middleware to route its refusal through the shared deny-response writer, so a future middleware cannot reintroduce a hardcoded body that locks callers out of `onDeny` / `problemDetails`. · *Actions and vendor currency in the release flow* — The release flow now fails the cut when a SHA-pinned GitHub Action or a vendored bundle is behind its latest upstream release. The actions report prints a ready-to-paste `owner/repo@<sha>  # vX.Y.Z` pin and every file and line that uses it, so the bump is copy-paste rather than an after-the-fact dependency PR. Transient registry or API errors stay advisory so a flaky network response does not block an unrelated release.
+
 - v0.14.5 (2026-05-30) — **Finished cleaning up the mislabeled byte-literal lint suppressions, with no API or behavior changes.** A follow-up to the byte-literal lint tightening. The remaining suppression comments that named the byte-literal check on values that are not byte sizes — JSON-RPC error codes, HTTP status codes, octet ranges, day-in-milliseconds constants — are removed, keeping their explanatory text and any correctly-named companion suppression. Every byte-literal suppression that remains is now on genuine 1024-scale byte arithmetic. Source-comment hygiene only. **Changed:** *Remaining mislabeled byte-literal suppressions removed* — The byte-literal lint was previously a check on any multiple-of-8 integer, so suppression comments naming it were scattered across non-byte values. The last of those (in a handful of files, in mixed comment formats) are now removed — their explanatory text is retained as plain comments, and any correctly-named companion suppression is kept. The only byte-literal suppressions that remain are on genuine 1024-scale byte arithmetic. No change to any exported API, error code, wire format, or runtime behavior.
 
 - v0.14.4 (2026-05-30) — **Removed three pieces of dead code from the SAML, TLS, and JMAP surfaces; no API or behavior changes.** Cleanup of unreachable code. A reverse signature-algorithm lookup in the SAML verifier was never called — the actual verification path resolves the algorithm through the supported-signature table — so it is removed and a stale comment that referenced it is corrected. A leftover no-op placeholder in the TLS certificate re-encode path (a zero-length slice that was assigned and discarded) is removed, leaving the verbatim extension re-encode it sat next to. An unused JMAP well-known-path constant that existed only to be discarded is removed. None of this changes any exported API, error code, wire format, or runtime behavior. **Removed:** *Unreachable code in SAML, TLS, and JMAP* — Removed `_sigAlgFromUri` from the SAML module (a reverse alg lookup that was never called — the embedded XML-DSig verifier resolves the algorithm via the supported-signature table, and the redirect-binding path uses the forward `_sigAlgUrn`), a discarded zero-length-slice placeholder in the TLS certificate extension re-encode path, and an unused well-known-path constant in the JMAP server. Internal cleanup only — no change to any exported API, error code, wire format, or runtime behavior.

package/README.md

@@ -129,6 +129,7 @@ The framework bundles the surface a typical Node app reaches for. Every primitiv
   - CSRF protection — double-submit cookie + Origin/Referer cross-check; auto-skips Authorization-header / cookieless requests, which are not CSRF-able (`b.middleware.csrfProtect`)
   - CORS (W3C Private Network Access preflight refusal default + `allowPrivateNetwork` opt) and rate-limit are wired when configured via `middleware.cors` / `middleware.rateLimit`
   - `Cache-Control: no-store` on every 401 from `requireAuth` / `requireAal` / `requireStepUp` per RFC 9111 §5.2.2.5
+  - Every access-refusal layer takes a uniform `problemDetails: true` for an RFC 9457 `application/problem+json` body or `onDeny(req, res, info)` to render the refusal itself — so a service can standardize one error envelope across its API without working around hardcoded bodies (`b.problemDetails`)
 - **Additional middleware** to mount in your `routes` callback: compression, SSE, request logging, request-time DB role binding (`b.middleware.dbRoleFor`), in-process CIDR fence (`b.middleware.networkAllowlist`)
 - **Outbound HTTP client** — HTTP/1.1 + HTTP/2 with SSRF gate (cloud-metadata IPs hard-denied; private / loopback / link-local overridable per call); scheme + userinfo + per-host destination allowlist; redirects, multipart, interceptors, progress, encrypted cookie jar (`b.httpClient`, `b.ssrfGuard`, `b.safeUrl`)
 - **Network configurability (`b.network`)** — env-driven NTP / NTS (RFC 8915), IPv4/IPv6 NTP, DNS with IPv6 / DoH / DoT (private-CA pinning) / cache / lookup timeout; local DNSSEC signature verification (RFC 4035 — `b.network.dns.dnssec.verifyRrset` over a canonicalised RRset against RSA / ECDSA P-256·P-384 / Ed25519 DNSKEYs, plus DS-digest + key-tag, plus `verifyDenial` for NSEC / NSEC3 (RFC 5155) NXDOMAIN / NODATA proofs with iteration caps + Opt-Out handling, plus `verifyChain` to validate a full root→TLD→zone delegation chain against the pinned IANA root anchors) so a resolver client can verify both positive and negative answers instead of trusting the upstream AD bit; DANE / TLSA certificate matching (RFC 6698/7671 — `b.network.dns.dane.matchCertificate`) to pin a service's key through DNSSEC instead of a public CA; TSIG transaction signatures (RFC 8945 — `b.network.dns.tsig.sign` / `verify`) for shared-key HMAC authentication of zone transfers, dynamic updates, and query/response pairs, with constant-time MAC compare + fudge-window check (verified against dnspython); outbound HTTP proxy (`HTTP_PROXY` / `HTTPS_PROXY` / `NO_PROXY`); runtime DPI trust-store CA additions; application-level heartbeats; TCP socket defaults

package/lib/cra-report.js

@@ -190,8 +190,8 @@ function create(opts) {
 }
 
 /**
- * @primitive b.cra.conformityAssessment
- * @signature b.cra.conformityAssessment(opts)
+ * @primitive b.cra.report.conformityAssessment
+ * @signature b.cra.report.conformityAssessment(opts)
  * @since     0.8.77
  *
  * EU Cyber Resilience Act (Regulation 2024/2847) — Annex VIII
@@ -223,7 +223,7 @@ function create(opts) {
  *   }
  *
  * @example
- *   var dossier = b.cra.conformityAssessment({
+ *   var dossier = b.cra.report.conformityAssessment({
  *     manufacturer: { name: "Acme Inc.", address: "1 St", contact: "ce@acme.example" },
  *     product:      { name: "Widget Pro", identifier: "WID-001", version: "1.0", description: "..." },
  *     classification: "default",

package/lib/middleware/age-gate.js

@@ -38,6 +38,7 @@
 var defineClass = require("../framework-error").defineClass;
 var lazyRequire = require("../lazy-require");
 var validateOpts = require("../validate-opts");
+var denyResponse = require("./deny-response").denyResponse;
 
 var audit = lazyRequire(function () { return require("../audit"); });
 
@@ -72,6 +73,8 @@ var AgeGateError = defineClass("AgeGateError", { alwaysPermanent: true });
  *     errorMessage:       string,
  *     privacyPostureHeader: string,                     // default "X-Privacy-Posture"; null/false to suppress
  *     audit:              boolean,                      // default true
+ *     onDeny:             function(req, res, info): void,  // own the 451; info = { status, reason, age, classification, requireAge }
+ *     problemDetails:     boolean,                      // default false — emit RFC 9457 application/problem+json instead of the default JSON envelope
  *   }
  *
  * @example
@@ -89,6 +92,7 @@ function create(opts) {
   validateOpts(opts, [
     "audit", "getAge", "requireAge", "consentRequired",
     "hasParentalConsent", "skipPaths", "errorMessage", "privacyPostureHeader",
+    "onDeny", "problemDetails",
   ], "middleware.ageGate");
 
   if (typeof opts.getAge !== "function") {
@@ -105,6 +109,8 @@ function create(opts) {
   var auditOn = opts.audit !== false;
   var errorMessage = typeof opts.errorMessage === "string" && opts.errorMessage.length > 0
     ? opts.errorMessage : "service unavailable without parental consent";
+  var onDeny = typeof opts.onDeny === "function" ? opts.onDeny : null;
+  var problemMode = opts.problemDetails === true;
   // privacyPostureHeader (default "X-Privacy-Posture") names the response
   // header carrying the below-threshold classification. Pass null/false to
   // suppress it, or a string to rename it for a downstream convention.
@@ -168,13 +174,20 @@ function create(opts) {
       var hasConsent = hasParentalConsent ? !!hasParentalConsent(req) : false;
       if (!hasConsent) {
         _emitAudit("refused", "denied", { age: age, classification: classification, requireAge: requireAge });
-        if (!res.writableEnded && typeof res.writeHead === "function") {
-          res.writeHead(451, {                                                            // HTTP 451 Unavailable For Legal Reasons
-            "Content-Type":  "application/json; charset=utf-8",
-            "Cache-Control": "no-store, private",
-          });
-          res.end(JSON.stringify({ error: errorMessage, requireAge: requireAge, parentalConsent: false }));
-        }
+        denyResponse(req, res, {
+          onDeny:        onDeny,
+          problem:       problemMode,
+          status:        451,                                                             // HTTP 451 Unavailable For Legal Reasons
+          info:          { status: 451, reason: "parental-consent-required",
+            age: age, classification: classification, requireAge: requireAge },
+          problemCode:   "parental-consent-required",
+          problemTitle:  "Unavailable For Legal Reasons",
+          problemDetail: errorMessage,
+          problemExt:    { requireAge: requireAge, parentalConsent: false },
+          headers:       { "Cache-Control": "no-store, private" },
+          contentType:   "application/json; charset=utf-8",
+          body:          JSON.stringify({ error: errorMessage, requireAge: requireAge, parentalConsent: false }),
+        });
         return;
       }
     }

package/lib/middleware/bearer-auth.js

@@ -37,21 +37,34 @@
 var lazyRequire = require("../lazy-require");
 var requestHelpers = require("../request-helpers");
 var validateOpts = require("../validate-opts");
+var denyResponse = require("./deny-response").denyResponse;
 var { AuthError } = require("../framework-error");
 
 var audit = lazyRequire(function () { return require("../audit"); });
 var observability = lazyRequire(function () { return require("../observability"); });
 
-function _writeUnauthorized(res, scheme, message, realm) {
-  if (res.headersSent) return;
-  var body = JSON.stringify({ error: message });
-  var challenge = scheme + (realm ? ' realm="' + realm + '"' : "");
-  res.writeHead(401, {                                                           // HTTP 401 status
-    "Content-Type":     "application/json; charset=utf-8",
-    "Content-Length":   Buffer.byteLength(body),
-    "WWW-Authenticate": challenge,
+// Shared 401/403 refusal writer for every bearer-auth deny path —
+// routes through denyResponse so a consumer can override via onDeny
+// or emit RFC 9457 application/problem+json via problemDetails.
+function _refuse(req, res, status, challenge, bodyObj, reason, problemExt, onDeny, problemMode) {
+  denyResponse(req, res, {
+    onDeny:        onDeny,
+    problem:       problemMode,
+    status:        status,
+    info:          Object.assign({ status: status, reason: reason }, problemExt || {}),
+    problemCode:   "bearer-" + reason,
+    problemTitle:  status === 403 ? "Forbidden" : "Unauthorized",
+    problemDetail: typeof bodyObj.error === "string" ? bodyObj.error : ("bearer authentication failed: " + reason),
+    problemExt:    problemExt || null,
+    headers:       { "WWW-Authenticate": challenge },
+    contentType:   "application/json; charset=utf-8",
+    body:          JSON.stringify(bodyObj),
   });
-  res.end(body);
+}
+
+function _writeUnauthorized(req, res, scheme, message, realm, onDeny, problemMode) {
+  var challenge = scheme + (realm ? ' realm="' + realm + '"' : "");
+  _refuse(req, res, 401, challenge, { error: message }, "unauthorized", null, onDeny, problemMode);
 }
 
 // Three-state extractor: { state: "absent" } when no Authorization
@@ -102,10 +115,13 @@ function _extractToken(req, scheme) {
  *     verify:         async function(token): user|null,  // required
  *     scheme:         string,    // default "Bearer"; some ops use "Token"
  *     realm:          string,
+ *     requiredScopes: string[],  // RFC 6750 §3 — refuse 403 insufficient_scope when the verified token lacks one
  *     errorMessage:   string,
  *     tokenAttachKey: string,
  *     userAttachKey:  string,
  *     audit:          boolean,   // default true
+ *     onDeny:         function(req, res, info): void,  // own the 401/403; info = { status, reason, ... }
+ *     problemDetails: boolean,   // default false — emit RFC 9457 application/problem+json instead of the default JSON envelope
  *   }
  *
  * @example
@@ -122,7 +138,7 @@ function create(opts) {
   opts = opts || {};
   validateOpts(opts, [
     "verify", "audit", "scheme", "errorMessage", "realm",
-    "tokenAttachKey", "userAttachKey",
+    "tokenAttachKey", "userAttachKey", "requiredScopes", "onDeny", "problemDetails",
   ], "middleware.bearerAuth");
 
   if (typeof opts.verify !== "function") {
@@ -131,6 +147,8 @@ function create(opts) {
       "the verification path (b.apiKey.verify / b.auth.jwt.verifyExternal / custom)");
   }
   var auditOn       = opts.audit !== false;
+  var onDeny        = typeof opts.onDeny === "function" ? opts.onDeny : null;
+  var problemMode   = opts.problemDetails === true;
   var scheme        = opts.scheme || "Bearer";
   var errorMessage  = opts.errorMessage || "Bearer token required.";
   var realm         = opts.realm || null;
@@ -197,13 +215,8 @@ function create(opts) {
       if (!res.headersSent) {
         var malformedChallenge = scheme + ' error="invalid_request"' +
           (realm ? ', realm="' + realm + '"' : "");
-        var malformedBody = JSON.stringify({ error: errorMessage });
-        res.writeHead(401, {                                                     // HTTP 401 status
-          "Content-Type":     "application/json; charset=utf-8",
-          "Content-Length":   Buffer.byteLength(malformedBody),
-          "WWW-Authenticate": malformedChallenge,
-        });
-        res.end(malformedBody);
+        _refuse(req, res, 401, malformedChallenge, { error: errorMessage },       // HTTP 401 status
+          "malformed-authorization", null, onDeny, problemMode);
       }
       return;
     }
@@ -221,13 +234,8 @@ function create(opts) {
       var challenge = scheme + ' error="invalid_token"' +
         (realm ? ', realm="' + realm + '"' : "");
       if (!res.headersSent) {
-        var body = JSON.stringify({ error: errorMessage });
-        res.writeHead(401, {                                                     // HTTP 401 status
-          "Content-Type":     "application/json; charset=utf-8",
-          "Content-Length":   Buffer.byteLength(body),
-          "WWW-Authenticate": challenge,
-        });
-        res.end(body);
+        _refuse(req, res, 401, challenge, { error: errorMessage },                // HTTP 401 status
+          "invalid-token", null, onDeny, problemMode);
       }
       return;
     }
@@ -235,7 +243,7 @@ function create(opts) {
     if (!user) {
       _emitAudit("auth.bearer.failure", "failure", req, "verifier-returned-null");
       _emitObs("auth.bearer.rejected", 1, { reason: "verifier-null" });
-      _writeUnauthorized(res, scheme, errorMessage, realm);
+      _writeUnauthorized(req, res, scheme, errorMessage, realm, onDeny, problemMode);
       return;
     }
 
@@ -260,16 +268,9 @@ function create(opts) {
           var scopeChallenge = scheme + ' error="insufficient_scope"' +
             ', scope="' + opts.requiredScopes.join(" ") + '"' +
             (realm ? ', realm="' + realm + '"' : "");
-          var scopeBody = JSON.stringify({
-            error: "insufficient_scope",
-            required: opts.requiredScopes.slice(),
-          });
-          res.writeHead(403, {                                                     // HTTP 403 status
-            "Content-Type":     "application/json; charset=utf-8",
-            "Content-Length":   Buffer.byteLength(scopeBody),
-            "WWW-Authenticate": scopeChallenge,
-          });
-          res.end(scopeBody);
+          _refuse(req, res, 403, scopeChallenge,                                    // HTTP 403 status
+            { error: "insufficient_scope", required: opts.requiredScopes.slice() },
+            "insufficient-scope", { required: opts.requiredScopes.slice() }, onDeny, problemMode);
         }
         return;
       }

package/lib/middleware/bot-guard.js

@@ -51,6 +51,7 @@ var DEFAULT_BLOCKED_AGENTS = [
 var lazyRequire = require("../lazy-require");
 var requestHelpers = require("../request-helpers");
 var validateOpts = require("../validate-opts");
+var denyResponse = require("./deny-response").denyResponse;
 var { defineClass } = require("../framework-error");
 var audit = lazyRequire(function () { return require("../audit"); });
 
@@ -112,6 +113,8 @@ function _xffIpFor(trustProxy) {
  *     skipPaths:     string[],
  *     statusOnBlock: number,            // default 403
  *     bodyOnBlock:   string,
+ *     onDeny:        function(req, res, info): void,  // own the block response; info = { status, reason }
+ *     problemDetails: boolean,          // default false — emit RFC 9457 application/problem+json instead of text/plain
  *     trustProxy:    boolean|number,
  *   }
  *
@@ -128,7 +131,7 @@ function create(opts) {
   opts = opts || {};
   validateOpts(opts, [
     "mode", "onlyForHtml", "allowedAgents", "blockedAgents",
-    "skipPaths", "statusOnBlock", "bodyOnBlock", "trustProxy",
+    "skipPaths", "statusOnBlock", "bodyOnBlock", "onDeny", "problemDetails", "trustProxy",
   ], "middleware.botGuard");
   var trustProxy = opts.trustProxy === true || typeof opts.trustProxy === "number"
     ? opts.trustProxy : false;
@@ -144,6 +147,8 @@ function create(opts) {
   var skipPaths = opts.skipPaths || [];
   var statusOnBlock = opts.statusOnBlock || 403;
   var bodyOnBlock = opts.bodyOnBlock !== undefined ? opts.bodyOnBlock : "Forbidden";
+  var onDeny = typeof opts.onDeny === "function" ? opts.onDeny : null;
+  var problemMode = opts.problemDetails === true;
 
   function _shouldSkip(req) {
     var path = req.pathname || req.url || "/";
@@ -240,10 +245,17 @@ function create(opts) {
     } catch (_e) { /* audit best-effort */ }
 
     if (res.writableEnded) return;
-    if (typeof res.writeHead === "function") {
-      res.writeHead(statusOnBlock, { "Content-Type": "text/plain" });
-      res.end(bodyOnBlock);
-    }
+    denyResponse(req, res, {
+      onDeny:        onDeny,
+      problem:       problemMode,
+      status:        statusOnBlock,
+      info:          { status: statusOnBlock, reason: hit },
+      problemCode:   "bot-blocked",
+      problemTitle:  "Forbidden",
+      problemDetail: "The request was identified as automated traffic and refused.",
+      contentType:   "text/plain",
+      body:          bodyOnBlock,
+    });
     // Don't call next() — terminate the chain
   };
 }

package/lib/middleware/cors.js

@@ -55,6 +55,7 @@ var audit = lazyRequire(function () { return require("../audit"); });
 var requestHelpers = require("../request-helpers");
 var safeUrl = require("../safe-url");
 var validateOpts = require("../validate-opts");
+var denyResponse = require("./deny-response").denyResponse;
 var { defineClass } = require("../framework-error");
 
 // CORS audit events use the proxy-aware client IP only when the
@@ -185,6 +186,8 @@ function _isSameOrigin(req, originHeader, configuredSiteOrigins, trustProxy, str
  *     refuseUnknown:    boolean,    // default true
  *     strictNullOrigin: boolean,    // default true
  *     trustProxy:       boolean|number,
+ *     onDeny:           function(req, res, info): void,  // own every refusal; info = { status, reason, origin, header? }
+ *     problemDetails:   boolean,    // default false — emit RFC 9457 application/problem+json instead of text/plain
  *   }
  *
  * @example
@@ -202,7 +205,7 @@ function create(opts) {
   validateOpts(opts, [
     "origins", "siteOrigin", "methods", "headers", "exposeHeaders",
     "credentials", "maxAgeSeconds", "refuseUnknown", "trustProxy",
-    "strictNullOrigin", "allowPrivateNetwork",
+    "strictNullOrigin", "allowPrivateNetwork", "onDeny", "problemDetails",
   ], "middleware.cors");
   var trustProxy = opts.trustProxy === true || typeof opts.trustProxy === "number"
     ? opts.trustProxy : false;
@@ -269,6 +272,22 @@ function create(opts) {
   // header). Operators with a no-referrer page producing legitimate
   // Origin: null on same-origin POSTs flip to false explicitly.
   var strictNullOrigin = opts.strictNullOrigin !== false;
+  var onDeny = typeof opts.onDeny === "function" ? opts.onDeny : null;
+  var problemMode = opts.problemDetails === true;
+
+  function _refuse(req, res, reason, body, ext) {
+    denyResponse(req, res, {
+      onDeny:        onDeny,
+      problem:       problemMode,
+      status:        requestHelpers.HTTP_STATUS.FORBIDDEN,
+      info:          Object.assign({ status: 403, reason: reason }, ext || {}),
+      problemCode:   "cors-refused",
+      problemTitle:  "Forbidden",
+      problemDetail: body,
+      contentType:   "text/plain",
+      body:          body,
+    });
+  }
 
   return function cors(req, res, next) {
     var origin = req.headers && req.headers.origin;
@@ -302,9 +321,8 @@ function create(opts) {
             requestId: req.requestId,
           });
         } catch (_e) { /* audit best-effort */ }
-        if (typeof res.writeHead === "function") {
-          res.writeHead(requestHelpers.HTTP_STATUS.FORBIDDEN, { "Content-Type": "text/plain" });
-          res.end("CORS: origin not allowed");
+        if (typeof res.writeHead === "function" || onDeny) {
+          _refuse(req, res, "origin-not-allowed", "CORS: origin not allowed", { origin: origin });
           return;
         }
       }
@@ -333,10 +351,9 @@ function create(opts) {
           var asked = requestHelpers.parseListHeader(requestedHdrs, { lowercase: true });
           for (var ah = 0; ah < asked.length; ah++) {
             if (allowedHeadersSet.indexOf(asked[ah]) === -1) {
-              if (typeof res.writeHead === "function") {
-                res.writeHead(requestHelpers.HTTP_STATUS.FORBIDDEN, { "Content-Type": "text/plain" });
-                res.end("CORS: requested header '" + asked[ah] + "' not in allow-list");
-              }
+              _refuse(req, res, "requested-header-not-allowed",
+                "CORS: requested header '" + asked[ah] + "' not in allow-list",
+                { origin: origin, header: asked[ah] });
               return;
             }
           }
@@ -357,10 +374,9 @@ function create(opts) {
             res.setHeader("Access-Control-Allow-Private-Network", "true");
           }
         } else {
-          if (typeof res.writeHead === "function") {
-            res.writeHead(requestHelpers.HTTP_STATUS.FORBIDDEN, { "Content-Type": "text/plain" });
-            res.end("CORS: Private Network Access not permitted (set allowPrivateNetwork:true with audited reason to opt in)");
-          }
+          _refuse(req, res, "private-network-not-permitted",
+            "CORS: Private Network Access not permitted (set allowPrivateNetwork:true with audited reason to opt in)",
+            { origin: origin });
           return;
         }
       }

package/lib/middleware/csrf-protect.js

@@ -70,6 +70,7 @@ var lazyRequire = require("../lazy-require");
 var forms = require("../forms");
 var requestHelpers = require("../request-helpers");
 var validateOpts = require("../validate-opts");
+var denyResponse = require("./deny-response").denyResponse;
 var audit = lazyRequire(function () { return require("../audit"); });
 
 var DEFAULT_FIELD_NAME    = "_csrf";
@@ -218,15 +219,18 @@ function _checkOriginAllowed(req, allowedOrigins, isHttpsFn, requireOrigin) {
   return null;
 }
 
-function _writeReject(res, message) {
-  if (typeof res.writeHead === "function") {
-    var body = JSON.stringify({ error: message });
-    res.writeHead(requestHelpers.HTTP_STATUS.FORBIDDEN, {
-      "Content-Type":   "application/json; charset=utf-8",
-      "Content-Length": Buffer.byteLength(body),
-    });
-    res.end(body);
-  }
+function _writeReject(req, res, message, reason, onDeny, problemMode) {
+  denyResponse(req, res, {
+    onDeny:        onDeny,
+    problem:       problemMode,
+    status:        requestHelpers.HTTP_STATUS.FORBIDDEN,
+    info:          { status: 403, reason: reason },
+    problemCode:   "csrf-refused",
+    problemTitle:  "Forbidden",
+    problemDetail: message,
+    contentType:   "application/json; charset=utf-8",
+    body:          JSON.stringify({ error: message }),
+  });
 }
 
 /**
@@ -262,6 +266,8 @@ function _writeReject(res, message) {
  *     trustProxy:             boolean|number,
  *     audit:                  boolean,
  *     skipStateless:          boolean,   // default false — skip validation for Authorization-header / cookieless (not-CSRF-able) requests
+ *     onDeny:                 function(req, res, info): void,  // own the 403; info = { status, reason }
+ *     problemDetails:         boolean,   // default false — emit RFC 9457 application/problem+json instead of the default JSON envelope
  *   }
  *
  * @example
@@ -279,8 +285,10 @@ function create(opts) {
   validateOpts(opts, [
     "cookie", "tokenLookup", "fieldName", "headerName", "methods", "audit",
     "trustProxy", "checkOrigin", "allowedOrigins", "requireJsonContentType",
-    "requireOrigin", "skipStateless",
+    "requireOrigin", "skipStateless", "onDeny", "problemDetails",
   ], "middleware.csrfProtect");
+  var onDeny = typeof opts.onDeny === "function" ? opts.onDeny : null;
+  var problemMode = opts.problemDetails === true;
   var trustProxy = opts.trustProxy === true || typeof opts.trustProxy === "number"
     ? opts.trustProxy : false;
   var _isHttps = _isHttpsFor(trustProxy);
@@ -477,7 +485,7 @@ function create(opts) {
       var bare = (typeof ct === "string" ? ct.split(";")[0].trim().toLowerCase() : "");
       if (bare !== "application/json") {
         _emitDenied(req, "non-JSON content-type: " + (bare || "<absent>"));
-        return _writeReject(res, "CSRF: state-changing requests require Content-Type: application/json.");
+        return _writeReject(req, res, "CSRF: state-changing requests require Content-Type: application/json.", "content-type-required", onDeny, problemMode);
       }
     }
 
@@ -489,7 +497,7 @@ function create(opts) {
       var originReason = _checkOriginAllowed(req, allowedOrigins, _isHttps, requireOriginOpt);
       if (originReason !== null) {
         _emitDenied(req, "origin/referer: " + originReason);
-        return _writeReject(res, "CSRF cross-origin request refused.");
+        return _writeReject(req, res, "CSRF cross-origin request refused.", "cross-origin-refused", onDeny, problemMode);
       }
     }
 
@@ -499,7 +507,7 @@ function create(opts) {
     }
     if (!expected) {
       _emitDenied(req, cookieCfg ? "no token cookie issued yet" : "no expected token in session");
-      return _writeReject(res, "CSRF token mismatch.");
+      return _writeReject(req, res, "CSRF token mismatch.", "token-mismatch", onDeny, problemMode);
     }
 
     // Header path first — covers JSON / AJAX / multipart cases.
@@ -517,7 +525,7 @@ function create(opts) {
 
     if (!forms.verifyCsrfToken(submitted || "", expected)) {
       _emitDenied(req, "submitted token does not match expected");
-      return _writeReject(res, "CSRF token mismatch.");
+      return _writeReject(req, res, "CSRF token mismatch.", "token-mismatch", onDeny, problemMode);
     }
 
     return next();

package/lib/middleware/daily-byte-quota.js

@@ -41,6 +41,7 @@ var defineClass = require("../framework-error").defineClass;
 var lazyRequire = require("../lazy-require");
 var networkByteQuota = require("../network-byte-quota");
 var validateOpts = require("../validate-opts");
+var denyResponse = require("./deny-response").denyResponse;
 
 var audit = lazyRequire(function () { return require("../audit"); });
 var observability = lazyRequire(function () { return require("../observability"); });
@@ -76,7 +77,9 @@ function _defaultGetKey(req) {
  *     bytesPerDay: number,                            // required, positive, finite
  *     getKey:      function(req): string|null,        // default: req client IP
  *     cache:       object,                            // null = in-memory single-node
- *     onExceeded:  function(req, res, info): void,
+ *     onDeny:      function(req, res, info): void,    // own the 429; info = { status, reason, quota, total, retryAfterSec }
+ *     onExceeded:  function(req, res, info): void,    // legacy alias for onDeny
+ *     problemDetails: boolean,                        // default false — emit RFC 9457 application/problem+json instead of the default JSON envelope
  *     skipPaths:   string[],
  *     now:         function(): number,
  *     audit:       boolean,                           // default true
@@ -94,7 +97,7 @@ function create(opts) {
   opts = opts || {};
   validateOpts(opts, [
     "bytesPerDay", "cache", "getKey", "audit",
-    "onExceeded", "skipPaths", "now",
+    "onDeny", "onExceeded", "problemDetails", "skipPaths", "now",
   ], "middleware.dailyByteQuota");
 
   if (typeof opts.bytesPerDay !== "number" || !isFinite(opts.bytesPerDay) || opts.bytesPerDay <= 0) {
@@ -105,7 +108,11 @@ function create(opts) {
   var bytesPerDay = opts.bytesPerDay;
   var getKey = typeof opts.getKey === "function" ? opts.getKey : _defaultGetKey;
   var auditOn = opts.audit !== false;
-  var onExceeded = typeof opts.onExceeded === "function" ? opts.onExceeded : null;
+  // onDeny is the canonical hook across the deny-path middleware
+  // family; onExceeded is the original name kept working as an alias.
+  var onDeny = typeof opts.onDeny === "function" ? opts.onDeny
+    : (typeof opts.onExceeded === "function" ? opts.onExceeded : null);
+  var problemMode = opts.problemDetails === true;
   var skipPaths = Array.isArray(opts.skipPaths) ? opts.skipPaths.slice() : [];
   var now = typeof opts.now === "function" ? opts.now : function () { return Date.now(); };
 
@@ -169,22 +176,29 @@ function create(opts) {
       _emitMetric("refused", 1, { reason: "quota-exceeded" });
       _emitAudit("refused", "denied", { key: key, total: total, quota: bytesPerDay });
       var info = {
+        status:          429,
+        reason:          "quota-exceeded",
         quota:           bytesPerDay,
         total:           total,
         retryAfterSec:   Math.ceil(C.TIME.hours(1) / C.TIME.seconds(1)),
       };
-      if (onExceeded) {
-        try { return onExceeded(req, res, info); }
-        catch (e) { _emitAudit("on_exceeded_threw", "failure", { error: (e && e.message) || String(e) }); }
-      }
-      if (!res.writableEnded) {
-        res.writeHead(429, {
-          "Content-Type":  "application/json; charset=utf-8",
+      denyResponse(req, res, {
+        onDeny:        onDeny,
+        problem:       problemMode,
+        status:        429,
+        info:          info,
+        problemCode:   "daily-byte-quota-exceeded",
+        problemTitle:  "Too Many Requests",
+        problemDetail: "Daily byte quota exceeded; retry after the indicated interval.",
+        problemExt:    { quota: bytesPerDay, total: total, retryAfter: info.retryAfterSec },
+        headers:       {
           "Retry-After":   String(info.retryAfterSec),
           "Cache-Control": "no-store",
-        });
-        res.end(JSON.stringify({ error: "quota-exceeded", quota: bytesPerDay, total: total }));
-      }
+        },
+        contentType:   "application/json; charset=utf-8",
+        body:          JSON.stringify({ error: "quota-exceeded", quota: bytesPerDay, total: total }),
+        onThrow:       function (e) { _emitAudit("on_exceeded_threw", "failure", { error: (e && e.message) || String(e) }); },
+      });
       return;
     }