@blamejs/core 0.14.5 → 0.14.6

package/lib/middleware/deny-response.js

@@ -0,0 +1,140 @@
+"use strict";
+/**
+ * Shared deny-path response writer for the request-lifecycle
+ * middlewares that refuse a request (401 / 403 / 405 / 415 / 429 /
+ * 451 / misdirected-request). Every deny-path middleware routes its
+ * refusal through `denyResponse` so a consumer gets one uniform way
+ * to shape it, instead of each middleware hardcoding its own body +
+ * Content-Type.
+ *
+ * Three resolution modes, checked in order:
+ *
+ *   1. `onDeny(req, res, info)` operator hook — when supplied, the
+ *      consumer owns the response. `info` carries the machine
+ *      `status` / `reason` plus the middleware-specific fields. The
+ *      hook is wrapped so a throw is audited (via `ctx.onThrow`) and
+ *      then falls through to the default write rather than crashing
+ *      the request that triggered the refusal. A hook that returns
+ *      without writing also falls through — the response can never
+ *      hang on a no-op hook.
+ *
+ *   2. `problem: true` — emit RFC 9457 `application/problem+json` by
+ *      composing `b.problemDetails`. The middleware supplies the
+ *      `type` / `title` / `detail` and any extension members; the
+ *      deny-path response headers (`Allow` / `WWW-Authenticate` /
+ *      `Retry-After` / `Accept`) are merged onto the problem
+ *      response so content negotiation does not drop them.
+ *
+ *   3. Default — the middleware's existing body + Content-Type. No
+ *      behavior change when neither knob is set.
+ *
+ * This is an internal helper (no public `b.*` surface); the consumer
+ * contract is the `onDeny` / `problemDetails` opts documented on each
+ * middleware that composes it.
+ */
+
+var problemDetails = require("../problem-details");
+
+function _isFn(x) { return typeof x === "function"; }
+
+function _mergeInto(target, extra) {
+  if (!extra || typeof extra !== "object") return target;
+  var keys = Object.keys(extra);
+  for (var i = 0; i < keys.length; i += 1) {
+    target[keys[i]] = extra[keys[i]];
+  }
+  return target;
+}
+
+/**
+ * Resolve a deny-path refusal through the uniform hook / problem+json
+ * / default chain. Returns whatever the `onDeny` hook returns when it
+ * owns the response, otherwise `undefined`.
+ *
+ * ctx fields:
+ *   onDeny:        function (req, res, info) | null  — operator hook
+ *   problem:       boolean   — emit application/problem+json
+ *   status:        number    — HTTP status (100..599)
+ *   info:          object    — passed verbatim to onDeny; also seeds
+ *                              the problem document (status / reason)
+ *   problemType:   string?   — RFC 9457 `type` (URI reference); when
+ *                              absent, built from `problemCode`
+ *   problemCode:   string?   — type-URI suffix; resolves to
+ *                              `<problemDetails base>/<code>` (the same
+ *                              `<base>/<code>` convention as fromError)
+ *   problemTitle:  string?   — RFC 9457 `title`
+ *   problemDetail: string?   — RFC 9457 `detail`
+ *   problemExt:    object?   — extra problem members (reserved names
+ *                              dropped); siblings per RFC 9457 §3.2
+ *   headers:       object?   — extra response headers (Allow /
+ *                              WWW-Authenticate / Retry-After / Accept
+ *                              / Cache-Control)
+ *   contentType:   string    — default-mode Content-Type
+ *   body:          string|Buffer — default-mode body
+ *   onThrow:       function (err) ? — audit sink when onDeny throws
+ */
+function denyResponse(req, res, ctx) {
+  var info = (ctx.info && typeof ctx.info === "object") ? ctx.info : {};
+
+  if (_isFn(ctx.onDeny)) {
+    try {
+      var returned = ctx.onDeny(req, res, info);
+      if (res.writableEnded) return returned;
+      // Hook ran but did not write — fall through to the default so
+      // the response can never hang on a no-op hook.
+    } catch (e) {
+      if (_isFn(ctx.onThrow)) {
+        try { ctx.onThrow(e); } catch (_e) { /* drop-silent */ }
+      }
+      if (res.writableEnded) return undefined;
+      // Hook threw before writing — fall through to the default.
+    }
+  }
+
+  if (res.writableEnded || !_isFn(res.writeHead)) return undefined;
+
+  var extra = (ctx.headers && typeof ctx.headers === "object") ? ctx.headers : null;
+
+  if (ctx.problem) {
+    var fields = { status: ctx.status };
+    if (ctx.problemType)   fields.type   = ctx.problemType;
+    if (ctx.problemTitle)  fields.title  = ctx.problemTitle;
+    if (ctx.problemDetail) fields.detail = ctx.problemDetail;
+    if (ctx.problemExt && typeof ctx.problemExt === "object") {
+      var ek = Object.keys(ctx.problemExt);
+      for (var i = 0; i < ek.length; i += 1) {
+        if (problemDetails.RESERVED_FIELDS.indexOf(ek[i]) === -1) {
+          fields[ek[i]] = ctx.problemExt[ek[i]];
+        }
+      }
+    }
+    var problem;
+    try {
+      problem = problemDetails.create(fields);
+    } catch (_e) {
+      // A bad extension shape (prototype-pollution key, out-of-range
+      // status) must not turn a refusal into a 500 — degrade to the
+      // bare status document.
+      problem = problemDetails.create({ status: ctx.status });
+    }
+    // Set the deny-path headers before respond() so content
+    // negotiation does not lose Allow / WWW-Authenticate / Retry-After.
+    if (extra) {
+      var hk = Object.keys(extra);
+      for (var h = 0; h < hk.length; h += 1) {
+        res.setHeader(hk[h], extra[hk[h]]);
+      }
+    }
+    problemDetails.respond(res, problem);
+    return undefined;
+  }
+
+  var head = _mergeInto({ "Content-Type": ctx.contentType }, extra);
+  res.writeHead(ctx.status, head);
+  res.end((ctx.body === undefined || ctx.body === null) ? "" : ctx.body);
+  return undefined;
+}
+
+module.exports = {
+  denyResponse: denyResponse,
+};

package/lib/middleware/dpop.js

@@ -40,6 +40,7 @@ var bCrypto = require("../crypto");
 var lazyRequire = require("../lazy-require");
 var requestHelpers = require("../request-helpers");
 var validateOpts = require("../validate-opts");
+var denyResponse = require("./deny-response").denyResponse;
 var { AuthError } = require("../framework-error");
 
 var dpop = lazyRequire(function () { return require("../auth/dpop"); });
@@ -49,20 +50,28 @@ var audit = lazyRequire(function () { return require("../audit"); });
 // of entropy after base64url, far above the spec's "unpredictable" bar).
 var DPOP_NONCE_BYTES = C.BYTES.bytes(24);
 
-function _writeUnauthorized(res, errorCode, description, freshNonce) {
-  if (res.headersSent) return;
+function _writeUnauthorized(req, res, errorCode, description, freshNonce, onDeny, problemMode) {
   var body = JSON.stringify({ error: errorCode, error_description: description });
   // RFC 9449 §7 — error code is invalid_dpop_proof OR use_dpop_nonce.
   var challenge = 'DPoP error="' + errorCode + '", error_description="' +
                   description.replace(/"/g, "'") + '"';
-  var headers = {                                                                  // HTTP 401 status
-    "Content-Type":     "application/json; charset=utf-8",
-    "Content-Length":   Buffer.byteLength(body),
+  var headers = {
     "WWW-Authenticate": challenge,
   };
   if (freshNonce) headers["DPoP-Nonce"] = freshNonce;
-  res.writeHead(401, headers);
-  res.end(body);
+  denyResponse(req, res, {
+    onDeny:        onDeny,
+    problem:       problemMode,
+    status:        401,                                                            // HTTP 401 status
+    info:          { status: 401, reason: errorCode, error_description: description },
+    problemCode:   "dpop-" + errorCode.replace(/_/g, "-"),
+    problemTitle:  "Unauthorized",
+    problemDetail: description,
+    problemExt:    { error: errorCode, error_description: description },
+    headers:       headers,
+    contentType:   "application/json; charset=utf-8",
+    body:          body,
+  });
 }
 
 // RFC 9449 §8 — server-issued DPoP-Nonce challenge. The framework
@@ -201,6 +210,8 @@ function _reconstructHtu(req, mopts) {
  *     nonceRotateSec: number,
  *     requireNonce:   boolean,
  *     audit:          boolean,                      // default true
+ *     onDeny:         function(req, res, info): void,  // own the 401; info = { status, reason, error_description }
+ *     problemDetails: boolean,                      // default false — emit RFC 9457 application/problem+json instead of the default JSON envelope
  *   }
  *
  * @example
@@ -220,9 +231,11 @@ function create(opts) {
     // v0.9.4 — opt-in trust gate for X-Forwarded-Proto/Host when
     // reconstructing htu. Default off (audit 2026-05-11); operators
     // with a confirmed-trusted front proxy set this to `true`.
-    "trustForwardedHeaders",
+    "trustForwardedHeaders", "onDeny", "problemDetails",
   ], "middleware.dpop");
 
+  var onDeny = typeof opts.onDeny === "function" ? opts.onDeny : null;
+  var problemMode = opts.problemDetails === true;
   var auditOn = opts.audit !== false;
   var algorithms = opts.algorithms;
   var iatWindowSec = opts.iatWindowSec;
@@ -265,14 +278,14 @@ function create(opts) {
   var middleware = async function dpopMiddleware(req, res, next) {
     var proofHeader = req.headers && req.headers.dpop;
     if (typeof proofHeader !== "string" || proofHeader.length === 0) {
-      return _writeUnauthorized(res,
+      return _writeUnauthorized(req, res,
         nonceMgr ? "use_dpop_nonce" : "invalid_dpop_proof",
-        "DPoP header required", _freshNonce());
+        "DPoP header required", _freshNonce(), onDeny, problemMode);
     }
     // RFC 9449 §4.1 — only ONE DPoP header value per request.
     if (Array.isArray(proofHeader)) {
-      return _writeUnauthorized(res, "invalid_dpop_proof",
-        "multiple DPoP headers are not allowed");
+      return _writeUnauthorized(req, res, "invalid_dpop_proof",
+        "multiple DPoP headers are not allowed", null, onDeny, problemMode);
     }
     // AUTH-15 — RFC 9449 §4.1 single-value invariant. node:http
     // collapses repeated headers into a comma-joined string when the
@@ -283,13 +296,13 @@ function create(opts) {
     // verify() call below would only see the first one, leaving the
     // second unprocessed).
     if (proofHeader.indexOf(",") !== -1) {
-      return _writeUnauthorized(res, "invalid_dpop_proof",
-        "multiple DPoP proofs in one header value are not allowed");
+      return _writeUnauthorized(req, res, "invalid_dpop_proof",
+        "multiple DPoP proofs in one header value are not allowed", null, onDeny, problemMode);
     }
 
     var htu = (typeof opts.getHtu === "function" ? opts.getHtu(req) : _reconstructHtu(req, opts));
     if (!htu) {
-      return _writeUnauthorized(res, "invalid_dpop_proof", "could not reconstruct htu");
+      return _writeUnauthorized(req, res, "invalid_dpop_proof", "could not reconstruct htu", null, onDeny, problemMode);
     }
     var htm = (req.method || "").toUpperCase();
 
@@ -340,9 +353,9 @@ function create(opts) {
       if (e && (e.code === "auth-dpop/missing-nonce" || e.code === "auth-dpop/nonce-mismatch")) {
         errorCode = "use_dpop_nonce";
       }
-      return _writeUnauthorized(res, errorCode,
+      return _writeUnauthorized(req, res, errorCode,
         (e && e.message) || "DPoP proof verification failed",
-        _freshNonce());
+        _freshNonce(), onDeny, problemMode);
     }
 
     // Server-managed nonce check — payload MUST carry a recognized
@@ -360,8 +373,8 @@ function create(opts) {
             });
           } catch (_ignored) { /* drop-silent */ }
         }
-        return _writeUnauthorized(res, "use_dpop_nonce",
-          "DPoP-Nonce required (server-managed challenge)", _freshNonce());
+        return _writeUnauthorized(req, res, "use_dpop_nonce",
+          "DPoP-Nonce required (server-managed challenge)", _freshNonce(), onDeny, problemMode);
       }
     }
 

package/lib/middleware/fetch-metadata.js

@@ -36,20 +36,25 @@
 var requestHelpers = require("../request-helpers");
 var validateOpts = require("../validate-opts");
 var lazyRequire = require("../lazy-require");
+var denyResponse = require("./deny-response").denyResponse;
 
 var audit = lazyRequire(function () { return require("../audit"); });
 var observability = lazyRequire(function () { return require("../observability"); });
 
 var DEFAULT_METHODS = Object.freeze(["POST", "PUT", "DELETE", "PATCH"]);
 
-function _writeReject(res, message) {
-  if (res.headersSent) return;
-  var body = JSON.stringify({ error: message });
-  res.writeHead(requestHelpers.HTTP_STATUS.FORBIDDEN, {
-    "Content-Type":   "application/json; charset=utf-8",
-    "Content-Length": Buffer.byteLength(body),
+function _writeReject(req, res, message, reason, onDeny, problemMode) {
+  denyResponse(req, res, {
+    onDeny:        onDeny,
+    problem:       problemMode,
+    status:        requestHelpers.HTTP_STATUS.FORBIDDEN,
+    info:          { status: 403, reason: reason },
+    problemCode:   "fetch-metadata-refused",
+    problemTitle:  "Forbidden",
+    problemDetail: message,
+    contentType:   "application/json; charset=utf-8",
+    body:          JSON.stringify({ error: message }),
   });
-  res.end(body);
 }
 
 /**
@@ -79,6 +84,8 @@ function _writeReject(res, message) {
  *     allowedNavigate: boolean,    // default true
  *     methods:         string[],   // default POST/PUT/DELETE/PATCH
  *     audit:           boolean,    // default true
+ *     onDeny:          function(req, res, info): void,  // own the 403; info = { status, reason }
+ *     problemDetails:  boolean,    // default false — emit RFC 9457 application/problem+json instead of the default JSON envelope
  *   }
  *
  * @example
@@ -95,9 +102,11 @@ function create(opts) {
   opts = opts || {};
   validateOpts(opts, [
     "allowSameSite", "allowCrossSite", "allowMissing",
-    "allowedDest", "allowedNavigate", "methods", "audit",
+    "allowedDest", "allowedNavigate", "methods", "audit", "onDeny", "problemDetails",
   ], "middleware.fetchMetadata");
 
+  var onDeny = typeof opts.onDeny === "function" ? opts.onDeny : null;
+  var problemMode = opts.problemDetails === true;
   var allowSameSite   = opts.allowSameSite !== false;
   var allowCrossSite  = opts.allowCrossSite === true;
   var allowMissing    = opts.allowMissing !== false;
@@ -135,7 +144,7 @@ function create(opts) {
       // Defer to other auth/CSRF layers per allowMissing.
       if (!allowMissing) {
         _emitDenied(req, "fetch-metadata-missing");
-        return _writeReject(res, "Fetch-metadata required.");
+        return _writeReject(req, res, "Fetch-metadata required.", "fetch-metadata-missing", onDeny, problemMode);
       }
       return next();
     }
@@ -144,7 +153,7 @@ function create(opts) {
     if (site === "none") {
       if (allowedNavigate) return next();
       _emitDenied(req, "navigate-disallowed");
-      return _writeReject(res, "Direct navigation not allowed for this method.");
+      return _writeReject(req, res, "Direct navigation not allowed for this method.", "navigation-not-allowed", onDeny, problemMode);
     }
 
     if (site === "same-origin") return next();
@@ -152,7 +161,7 @@ function create(opts) {
     if (site === "same-site") {
       if (allowSameSite) return next();
       _emitDenied(req, "same-site-disallowed");
-      return _writeReject(res, "Same-site request not allowed.");
+      return _writeReject(req, res, "Same-site request not allowed.", "same-site-not-allowed", onDeny, problemMode);
     }
 
     // cross-site
@@ -164,7 +173,7 @@ function create(opts) {
                      ", dest=" + (dest || "?") + ")");
     try { observability().count("auth.fetch_metadata.cross_site_refused", 1, {}); }
     catch (_e) { /* best-effort */ }
-    return _writeReject(res, "Cross-site request refused.");
+    return _writeReject(req, res, "Cross-site request refused.", "cross-site-refused", onDeny, problemMode);
   };
 }
 

package/lib/middleware/host-allowlist.js

@@ -41,6 +41,7 @@
 var lazyRequire = require("../lazy-require");
 var requestHelpers = require("../request-helpers");
 var validateOpts = require("../validate-opts");
+var denyResponse = require("./deny-response").denyResponse;
 var { defineClass } = require("../framework-error");
 
 var HostAllowlistError = defineClass("HostAllowlistError", { alwaysPermanent: true });
@@ -102,6 +103,8 @@ function _matches(entry, actual) {
  *     denyStatus: number,     // default 421
  *     denyBody:   string,
  *     audit:      boolean,    // default true
+ *     onDeny:     function(req, res, info): void,  // own the refusal; info = { status, reason, host }
+ *     problemDetails: boolean, // default false — emit RFC 9457 application/problem+json instead of text/plain
  *   }
  *
  * @example
@@ -114,7 +117,7 @@ function _matches(entry, actual) {
 function create(opts) {
   validateOpts.requireObject(opts, "middleware.hostAllowlist", HostAllowlistError);
   validateOpts(opts, [
-    "hosts", "denyStatus", "denyBody", "audit",
+    "hosts", "denyStatus", "denyBody", "audit", "onDeny", "problemDetails",
   ], "middleware.hostAllowlist");
 
   if (!Array.isArray(opts.hosts) || opts.hosts.length === 0) {
@@ -134,6 +137,8 @@ function create(opts) {
   var denyStatus = (typeof opts.denyStatus === "number") ? opts.denyStatus : 421;  // HTTP 421 status
   var denyBody = typeof opts.denyBody === "string" ? opts.denyBody : "Misdirected Request";
   var auditOn = opts.audit !== false;
+  var onDeny = typeof opts.onDeny === "function" ? opts.onDeny : null;
+  var problemMode = opts.problemDetails === true;
 
   return function hostAllowlistMiddleware(req, res, next) {
     var raw = req.headers && req.headers.host;
@@ -141,7 +146,7 @@ function create(opts) {
       // RFC 7230 §5.4 — a request without a Host header is malformed
       // for HTTP/1.1; HTTP/2 maps :authority into req.headers.host
       // automatically. Reject either shape.
-      _deny(res, denyStatus, denyBody);
+      _deny(req, res, "missing-host", null);
       _emitDenied(req, "missing-host");
       return;
     }
@@ -151,20 +156,26 @@ function create(opts) {
       if (_matches(hosts[hi], actual)) { matched = true; break; }
     }
     if (!matched) {
-      _deny(res, denyStatus, denyBody);
+      _deny(req, res, "host-not-in-allowlist", actual);
       _emitDenied(req, "host-not-in-allowlist", actual);
       return;
     }
     return next();
   };
 
-  function _deny(res, status, body) {
+  function _deny(req, res, reason, host) {
     if (res.headersSent) return;
-    res.writeHead(status, {
-      "Content-Type":   "text/plain; charset=utf-8",
-      "Content-Length": Buffer.byteLength(body),
+    denyResponse(req, res, {
+      onDeny:        onDeny,
+      problem:       problemMode,
+      status:        denyStatus,
+      info:          { status: denyStatus, reason: reason, host: host },
+      problemCode:   "misdirected-request",
+      problemTitle:  "Misdirected Request",
+      problemDetail: "The request Host header is not served by this endpoint.",
+      contentType:   "text/plain; charset=utf-8",
+      body:          denyBody,
     });
-    res.end(body);
   }
 
   function _emitDenied(req, reason, actual) {

package/lib/middleware/index.js

@@ -53,6 +53,7 @@ var requireAal = require("./require-aal");
 var requireAuth = require("./require-auth");
 var requireContentType = require("./require-content-type");
 var ageGate = require("./age-gate");
+var requireBoundKey = require("./require-bound-key");
 var requireMethods = require("./require-methods");
 var requireMtls = require("./require-mtls");
 var requireStepUp = require("./require-step-up");
@@ -85,6 +86,7 @@ module.exports = {
   requireAuth:      requireAuth.create,
   requireContentType: requireContentType.create,
   ageGate:          ageGate.create,
+  requireBoundKey:  requireBoundKey.create,
   requireMethods:   requireMethods.create,
   requireMtls:      requireMtls.create,
   requireStepUp:    requireStepUp.create,
@@ -145,6 +147,7 @@ module.exports = {
     requireAuth:      requireAuth,
     requireContentType: requireContentType,
     ageGate:          ageGate,
+    requireBoundKey:  requireBoundKey,
     requireMethods:   requireMethods,
     requireMtls:      requireMtls,
     requireStepUp:    requireStepUp,

package/lib/middleware/network-allowlist.js

@@ -48,6 +48,7 @@ var lazyRequire = require("../lazy-require");
 var requestHelpers = require("../request-helpers");
 var ssrfGuard = require("../ssrf-guard");
 var validateOpts = require("../validate-opts");
+var denyResponse = require("./deny-response").denyResponse;
 var { defineClass } = require("../framework-error");
 
 var audit = lazyRequire(function () { return require("../audit"); });
@@ -98,6 +99,8 @@ function _validateCidr(cidr) {
  *     denyStatus:   number,     // default 404
  *     denyBody:     string,     // default "Not Found"
  *     audit:        object,
+ *     onDeny:       function(req, res, info): void,  // own the refusal; info = { status, reason, clientIp, route }
+ *     problemDetails: boolean,  // default false — emit RFC 9457 application/problem+json instead of text/plain
  *   }
  *
  * @example
@@ -113,7 +116,7 @@ function create(opts) {
   opts = opts || {};
   validateOpts(opts, [
     "paths", "allowedCidrs", "deniedCidrs", "trustProxy",
-    "denyStatus", "denyBody", "audit",
+    "denyStatus", "denyBody", "audit", "onDeny", "problemDetails",
   ], "middleware.networkAllowlist");
 
   if (!Array.isArray(opts.paths) || opts.paths.length === 0) {
@@ -156,6 +159,23 @@ function create(opts) {
   var denyBody     = typeof opts.denyBody === "string" ? opts.denyBody : "Not Found";
   var auditOn      = opts.audit !== false && opts.audit != null;
   var auditInstance = opts.audit === true ? null : opts.audit;  // null → use lazy-required default
+  var onDeny       = typeof opts.onDeny === "function" ? opts.onDeny : null;
+  var problemMode  = opts.problemDetails === true;
+
+  function _deny(req, res, ip, route) {
+    _emitDeny(req, ip, route);
+    denyResponse(req, res, {
+      onDeny:        onDeny,
+      problem:       problemMode,
+      status:        denyStatus,
+      info:          { status: denyStatus, reason: "ip-not-in-allowlist", clientIp: ip, route: route },
+      problemCode:   "network-gate-denied",
+      problemTitle:  denyBody,
+      problemDetail: "Access to this resource is restricted by network policy.",
+      contentType:   "text/plain",
+      body:          denyBody,
+    });
+  }
 
   function _emitDeny(req, ip, route) {
     if (!auditOn) return;
@@ -196,9 +216,7 @@ function create(opts) {
     if (!ip) {
       // Fail closed: a request we can't even derive an IP for shouldn't
       // bypass the gate.
-      _emitDeny(req, "<unknown>", pathname);
-      res.writeHead(denyStatus, { "Content-Type": "text/plain" });
-      res.end(denyBody);
+      _deny(req, res, "<unknown>", pathname);
       return;
     }
 
@@ -208,9 +226,7 @@ function create(opts) {
     for (var dii = 0; dii < deniedCidrs.length; dii++) {
       try {
         if (ssrfGuard.cidrContains(deniedCidrs[dii], ip)) {
-          _emitDeny(req, ip, pathname);
-          res.writeHead(denyStatus, { "Content-Type": "text/plain" });
-          res.end(denyBody);
+          _deny(req, res, ip, pathname);
           return;
         }
       } catch (_e) { /* skip malformed at runtime — caught at config */ }
@@ -222,9 +238,7 @@ function create(opts) {
       } catch (_e) { /* skip malformed at runtime — caught at config */ }
     }
     if (!allowed) {
-      _emitDeny(req, ip, pathname);
-      res.writeHead(denyStatus, { "Content-Type": "text/plain" });
-      res.end(denyBody);
+      _deny(req, res, ip, pathname);
       return;
     }
     return next();

package/lib/middleware/rate-limit.js

@@ -62,6 +62,7 @@ var requestHelpers = require("../request-helpers");
 var safeAsync = require("../safe-async");
 var validateOpts = require("../validate-opts");
 var clusterStorage = require("../cluster-storage");
+var denyResponse = require("./deny-response").denyResponse;
 
 var audit  = lazyRequire(function () { return require("../audit"); });
 var logger = lazyRequire(function () { return require("../log").boot("rate-limit"); });
@@ -363,6 +364,8 @@ function _resolveBackend(opts) {
  *     keyFn:           function(req): string,
  *     statusOnLimit:   number,           // default 429
  *     bodyOnLimit:     string,           // default "Too Many Requests"
+ *     onDeny:          function(req, res, info): void,  // own the refusal response; info = { status, reason, limit, remaining, retryAfter, key }
+ *     problemDetails:  boolean,          // default false — emit RFC 9457 application/problem+json instead of text/plain
  *     header:          boolean,          // default true
  *     headerPrefix:    string,           // default "X-RateLimit-" — builds <prefix>Limit / <prefix>Remaining (e.g. "RateLimit-" for the IETF draft names)
  *     skipPaths:       Array<string|RegExp>,
@@ -391,7 +394,8 @@ function _resolveBackend(opts) {
 function create(opts) {
   opts = opts || {};
   validateOpts(opts, [
-    "keyFn", "statusOnLimit", "bodyOnLimit", "header", "headerPrefix", "skipPaths", "scope",
+    "keyFn", "statusOnLimit", "bodyOnLimit", "onDeny", "problemDetails",
+    "header", "headerPrefix", "skipPaths", "scope",
     "backend", "trustProxy", "algorithm",
     // memory backend (token-bucket)
     "burst", "refillPerSecond",
@@ -404,6 +408,8 @@ function create(opts) {
   var keyFn = opts.keyFn || _clientIp;
   var statusOnLimit = opts.statusOnLimit || 429;
   var bodyOnLimit = opts.bodyOnLimit !== undefined ? opts.bodyOnLimit : "Too Many Requests";
+  var onDeny = typeof opts.onDeny === "function" ? opts.onDeny : null;
+  var problemMode = opts.problemDetails === true;
   var emitHeaders = opts.header !== false;
   // headerPrefix (default "X-RateLimit-") builds the limit/remaining header
   // names as <prefix>Limit / <prefix>Remaining. The X-RateLimit-* family is a
@@ -455,10 +461,21 @@ function create(opts) {
         requestId: req.requestId,
       });
     } catch (_e) { /* audit best-effort */ }
-    if (typeof res.writeHead === "function") {
-      res.writeHead(statusOnLimit, { "Content-Type": "text/plain" });
-      res.end(bodyOnLimit);
-    }
+    var retryAfter = verdict.retryAfter > 0 ? verdict.retryAfter : null;
+    denyResponse(req, res, {
+      onDeny:        onDeny,
+      problem:       problemMode,
+      status:        statusOnLimit,
+      info:          { status: statusOnLimit, reason: "rate-limit-exceeded",
+        limit: verdict.limit, remaining: verdict.remaining,
+        retryAfter: verdict.retryAfter, key: k },
+      problemCode:   "rate-limit-exceeded",
+      problemTitle:  "Too Many Requests",
+      problemDetail: "Request rate limit exceeded; retry after the indicated interval.",
+      problemExt:    retryAfter !== null ? { retryAfter: retryAfter } : null,
+      contentType:   "text/plain",
+      body:          bodyOnLimit,
+    });
   }
 
   var middleware = function rateLimit(req, res, next) {