@blamejs/core 0.14.5 → 0.14.7

package/lib/middleware/dpop.js

@@ -40,6 +40,7 @@ var bCrypto = require("../crypto");
 var lazyRequire = require("../lazy-require");
 var requestHelpers = require("../request-helpers");
 var validateOpts = require("../validate-opts");
+var denyResponse = require("./deny-response").denyResponse;
 var { AuthError } = require("../framework-error");
 
 var dpop = lazyRequire(function () { return require("../auth/dpop"); });
@@ -49,20 +50,28 @@ var audit = lazyRequire(function () { return require("../audit"); });
 // of entropy after base64url, far above the spec's "unpredictable" bar).
 var DPOP_NONCE_BYTES = C.BYTES.bytes(24);
 
-function _writeUnauthorized(res, errorCode, description, freshNonce) {
-  if (res.headersSent) return;
+function _writeUnauthorized(req, res, errorCode, description, freshNonce, onDeny, problemMode) {
   var body = JSON.stringify({ error: errorCode, error_description: description });
   // RFC 9449 §7 — error code is invalid_dpop_proof OR use_dpop_nonce.
   var challenge = 'DPoP error="' + errorCode + '", error_description="' +
                   description.replace(/"/g, "'") + '"';
-  var headers = {                                                                  // HTTP 401 status
-    "Content-Type":     "application/json; charset=utf-8",
-    "Content-Length":   Buffer.byteLength(body),
+  var headers = {
     "WWW-Authenticate": challenge,
   };
   if (freshNonce) headers["DPoP-Nonce"] = freshNonce;
-  res.writeHead(401, headers);
-  res.end(body);
+  denyResponse(req, res, {
+    onDeny:        onDeny,
+    problem:       problemMode,
+    status:        401,                                                            // HTTP 401 status
+    info:          { status: 401, reason: errorCode, error_description: description },
+    problemCode:   "dpop-" + errorCode.replace(/_/g, "-"),
+    problemTitle:  "Unauthorized",
+    problemDetail: description,
+    problemExt:    { error: errorCode, error_description: description },
+    headers:       headers,
+    contentType:   "application/json; charset=utf-8",
+    body:          body,
+  });
 }
 
 // RFC 9449 §8 — server-issued DPoP-Nonce challenge. The framework
@@ -110,7 +119,7 @@ function _nonceManager(rotateSec) {
       if (previous && bCrypto.timingSafeEqual(n, previous.nonce)) return true;
       return false;
     },
-    // AUTH-36 — hot-reload coexistence. Operators redeploying without
+    // Hot-reload coexistence. Operators redeploying without
     // a clean process restart need a way to drain in-flight clients
     // before swapping the middleware instance. shutdown() returns no
     // fresh nonces and refuses every presented nonce, so the
@@ -147,7 +156,7 @@ function _reconstructHtu(req, mopts) {
   //
   // Default: ignore X-Forwarded-* and derive proto/host from the
   // socket. Operators with a confirmed-trusted front proxy opt in
-  // via opts.trustForwardedHeaders: true. (Audit 2026-05-11.)
+  // via opts.trustForwardedHeaders: true.
   mopts = mopts || {};
   var trustForwarded = mopts.trustForwardedHeaders === true;
   var proto;
@@ -201,6 +210,8 @@ function _reconstructHtu(req, mopts) {
  *     nonceRotateSec: number,
  *     requireNonce:   boolean,
  *     audit:          boolean,                      // default true
+ *     onDeny:         function(req, res, info): void,  // own the 401; info = { status, reason, error_description }
+ *     problemDetails: boolean,                      // default false — emit RFC 9457 application/problem+json instead of the default JSON envelope
  *   }
  *
  * @example
@@ -218,11 +229,13 @@ function create(opts) {
     "getAccessToken", "getNonce", "getHtu", "audit",
     "nonceStore", "nonceWindowSec", "nonceRotateSec", "requireNonce",
     // v0.9.4 — opt-in trust gate for X-Forwarded-Proto/Host when
-    // reconstructing htu. Default off (audit 2026-05-11); operators
+    // reconstructing htu. Default off; operators
     // with a confirmed-trusted front proxy set this to `true`.
-    "trustForwardedHeaders",
+    "trustForwardedHeaders", "onDeny", "problemDetails",
   ], "middleware.dpop");
 
+  var onDeny = typeof opts.onDeny === "function" ? opts.onDeny : null;
+  var problemMode = opts.problemDetails === true;
   var auditOn = opts.audit !== false;
   var algorithms = opts.algorithms;
   var iatWindowSec = opts.iatWindowSec;
@@ -265,16 +278,16 @@ function create(opts) {
   var middleware = async function dpopMiddleware(req, res, next) {
     var proofHeader = req.headers && req.headers.dpop;
     if (typeof proofHeader !== "string" || proofHeader.length === 0) {
-      return _writeUnauthorized(res,
+      return _writeUnauthorized(req, res,
         nonceMgr ? "use_dpop_nonce" : "invalid_dpop_proof",
-        "DPoP header required", _freshNonce());
+        "DPoP header required", _freshNonce(), onDeny, problemMode);
     }
     // RFC 9449 §4.1 — only ONE DPoP header value per request.
     if (Array.isArray(proofHeader)) {
-      return _writeUnauthorized(res, "invalid_dpop_proof",
-        "multiple DPoP headers are not allowed");
+      return _writeUnauthorized(req, res, "invalid_dpop_proof",
+        "multiple DPoP headers are not allowed", null, onDeny, problemMode);
     }
-    // AUTH-15 — RFC 9449 §4.1 single-value invariant. node:http
+    // RFC 9449 §4.1 single-value invariant. node:http
     // collapses repeated headers into a comma-joined string when the
     // client ships `DPoP: proof1, DPoP: proof2`; the Array.isArray
     // check above catches the multi-value array shape but a
@@ -283,13 +296,13 @@ function create(opts) {
     // verify() call below would only see the first one, leaving the
     // second unprocessed).
     if (proofHeader.indexOf(",") !== -1) {
-      return _writeUnauthorized(res, "invalid_dpop_proof",
-        "multiple DPoP proofs in one header value are not allowed");
+      return _writeUnauthorized(req, res, "invalid_dpop_proof",
+        "multiple DPoP proofs in one header value are not allowed", null, onDeny, problemMode);
     }
 
     var htu = (typeof opts.getHtu === "function" ? opts.getHtu(req) : _reconstructHtu(req, opts));
     if (!htu) {
-      return _writeUnauthorized(res, "invalid_dpop_proof", "could not reconstruct htu");
+      return _writeUnauthorized(req, res, "invalid_dpop_proof", "could not reconstruct htu", null, onDeny, problemMode);
     }
     var htm = (req.method || "").toUpperCase();
 
@@ -340,9 +353,9 @@ function create(opts) {
       if (e && (e.code === "auth-dpop/missing-nonce" || e.code === "auth-dpop/nonce-mismatch")) {
         errorCode = "use_dpop_nonce";
       }
-      return _writeUnauthorized(res, errorCode,
+      return _writeUnauthorized(req, res, errorCode,
         (e && e.message) || "DPoP proof verification failed",
-        _freshNonce());
+        _freshNonce(), onDeny, problemMode);
     }
 
     // Server-managed nonce check — payload MUST carry a recognized
@@ -360,8 +373,8 @@ function create(opts) {
             });
           } catch (_ignored) { /* drop-silent */ }
         }
-        return _writeUnauthorized(res, "use_dpop_nonce",
-          "DPoP-Nonce required (server-managed challenge)", _freshNonce());
+        return _writeUnauthorized(req, res, "use_dpop_nonce",
+          "DPoP-Nonce required (server-managed challenge)", _freshNonce(), onDeny, problemMode);
       }
     }
 
@@ -386,7 +399,7 @@ function create(opts) {
     return next();
   };
 
-  // AUTH-36 — surface the nonce manager's lifecycle hooks on the
+  // Surface the nonce manager's lifecycle hooks on the
   // returned middleware so hot-reload deploys can drain in-flight
   // clients before swapping instances. shutdown() refuses every
   // subsequent proof + issues no fresh nonces; revoke() rotates the

package/lib/middleware/fetch-metadata.js

@@ -36,20 +36,25 @@
 var requestHelpers = require("../request-helpers");
 var validateOpts = require("../validate-opts");
 var lazyRequire = require("../lazy-require");
+var denyResponse = require("./deny-response").denyResponse;
 
 var audit = lazyRequire(function () { return require("../audit"); });
 var observability = lazyRequire(function () { return require("../observability"); });
 
 var DEFAULT_METHODS = Object.freeze(["POST", "PUT", "DELETE", "PATCH"]);
 
-function _writeReject(res, message) {
-  if (res.headersSent) return;
-  var body = JSON.stringify({ error: message });
-  res.writeHead(requestHelpers.HTTP_STATUS.FORBIDDEN, {
-    "Content-Type":   "application/json; charset=utf-8",
-    "Content-Length": Buffer.byteLength(body),
+function _writeReject(req, res, message, reason, onDeny, problemMode) {
+  denyResponse(req, res, {
+    onDeny:        onDeny,
+    problem:       problemMode,
+    status:        requestHelpers.HTTP_STATUS.FORBIDDEN,
+    info:          { status: 403, reason: reason },
+    problemCode:   "fetch-metadata-refused",
+    problemTitle:  "Forbidden",
+    problemDetail: message,
+    contentType:   "application/json; charset=utf-8",
+    body:          JSON.stringify({ error: message }),
   });
-  res.end(body);
 }
 
 /**
@@ -79,6 +84,8 @@ function _writeReject(res, message) {
  *     allowedNavigate: boolean,    // default true
  *     methods:         string[],   // default POST/PUT/DELETE/PATCH
  *     audit:           boolean,    // default true
+ *     onDeny:          function(req, res, info): void,  // own the 403; info = { status, reason }
+ *     problemDetails:  boolean,    // default false — emit RFC 9457 application/problem+json instead of the default JSON envelope
  *   }
  *
  * @example
@@ -95,9 +102,11 @@ function create(opts) {
   opts = opts || {};
   validateOpts(opts, [
     "allowSameSite", "allowCrossSite", "allowMissing",
-    "allowedDest", "allowedNavigate", "methods", "audit",
+    "allowedDest", "allowedNavigate", "methods", "audit", "onDeny", "problemDetails",
   ], "middleware.fetchMetadata");
 
+  var onDeny = typeof opts.onDeny === "function" ? opts.onDeny : null;
+  var problemMode = opts.problemDetails === true;
   var allowSameSite   = opts.allowSameSite !== false;
   var allowCrossSite  = opts.allowCrossSite === true;
   var allowMissing    = opts.allowMissing !== false;
@@ -135,7 +144,7 @@ function create(opts) {
       // Defer to other auth/CSRF layers per allowMissing.
       if (!allowMissing) {
         _emitDenied(req, "fetch-metadata-missing");
-        return _writeReject(res, "Fetch-metadata required.");
+        return _writeReject(req, res, "Fetch-metadata required.", "fetch-metadata-missing", onDeny, problemMode);
       }
       return next();
     }
@@ -144,7 +153,7 @@ function create(opts) {
     if (site === "none") {
       if (allowedNavigate) return next();
       _emitDenied(req, "navigate-disallowed");
-      return _writeReject(res, "Direct navigation not allowed for this method.");
+      return _writeReject(req, res, "Direct navigation not allowed for this method.", "navigation-not-allowed", onDeny, problemMode);
     }
 
     if (site === "same-origin") return next();
@@ -152,7 +161,7 @@ function create(opts) {
     if (site === "same-site") {
       if (allowSameSite) return next();
       _emitDenied(req, "same-site-disallowed");
-      return _writeReject(res, "Same-site request not allowed.");
+      return _writeReject(req, res, "Same-site request not allowed.", "same-site-not-allowed", onDeny, problemMode);
     }
 
     // cross-site
@@ -164,7 +173,7 @@ function create(opts) {
                      ", dest=" + (dest || "?") + ")");
     try { observability().count("auth.fetch_metadata.cross_site_refused", 1, {}); }
     catch (_e) { /* best-effort */ }
-    return _writeReject(res, "Cross-site request refused.");
+    return _writeReject(req, res, "Cross-site request refused.", "cross-site-refused", onDeny, problemMode);
   };
 }
 

package/lib/middleware/host-allowlist.js

@@ -41,6 +41,7 @@
 var lazyRequire = require("../lazy-require");
 var requestHelpers = require("../request-helpers");
 var validateOpts = require("../validate-opts");
+var denyResponse = require("./deny-response").denyResponse;
 var { defineClass } = require("../framework-error");
 
 var HostAllowlistError = defineClass("HostAllowlistError", { alwaysPermanent: true });
@@ -102,6 +103,8 @@ function _matches(entry, actual) {
  *     denyStatus: number,     // default 421
  *     denyBody:   string,
  *     audit:      boolean,    // default true
+ *     onDeny:     function(req, res, info): void,  // own the refusal; info = { status, reason, host }
+ *     problemDetails: boolean, // default false — emit RFC 9457 application/problem+json instead of text/plain
  *   }
  *
  * @example
@@ -114,7 +117,7 @@ function _matches(entry, actual) {
 function create(opts) {
   validateOpts.requireObject(opts, "middleware.hostAllowlist", HostAllowlistError);
   validateOpts(opts, [
-    "hosts", "denyStatus", "denyBody", "audit",
+    "hosts", "denyStatus", "denyBody", "audit", "onDeny", "problemDetails",
   ], "middleware.hostAllowlist");
 
   if (!Array.isArray(opts.hosts) || opts.hosts.length === 0) {
@@ -134,6 +137,8 @@ function create(opts) {
   var denyStatus = (typeof opts.denyStatus === "number") ? opts.denyStatus : 421;  // HTTP 421 status
   var denyBody = typeof opts.denyBody === "string" ? opts.denyBody : "Misdirected Request";
   var auditOn = opts.audit !== false;
+  var onDeny = typeof opts.onDeny === "function" ? opts.onDeny : null;
+  var problemMode = opts.problemDetails === true;
 
   return function hostAllowlistMiddleware(req, res, next) {
     var raw = req.headers && req.headers.host;
@@ -141,7 +146,7 @@ function create(opts) {
       // RFC 7230 §5.4 — a request without a Host header is malformed
       // for HTTP/1.1; HTTP/2 maps :authority into req.headers.host
       // automatically. Reject either shape.
-      _deny(res, denyStatus, denyBody);
+      _deny(req, res, "missing-host", null);
       _emitDenied(req, "missing-host");
       return;
     }
@@ -151,20 +156,26 @@ function create(opts) {
       if (_matches(hosts[hi], actual)) { matched = true; break; }
     }
     if (!matched) {
-      _deny(res, denyStatus, denyBody);
+      _deny(req, res, "host-not-in-allowlist", actual);
       _emitDenied(req, "host-not-in-allowlist", actual);
       return;
     }
     return next();
   };
 
-  function _deny(res, status, body) {
+  function _deny(req, res, reason, host) {
     if (res.headersSent) return;
-    res.writeHead(status, {
-      "Content-Type":   "text/plain; charset=utf-8",
-      "Content-Length": Buffer.byteLength(body),
+    denyResponse(req, res, {
+      onDeny:        onDeny,
+      problem:       problemMode,
+      status:        denyStatus,
+      info:          { status: denyStatus, reason: reason, host: host },
+      problemCode:   "misdirected-request",
+      problemTitle:  "Misdirected Request",
+      problemDetail: "The request Host header is not served by this endpoint.",
+      contentType:   "text/plain; charset=utf-8",
+      body:          denyBody,
     });
-    res.end(body);
   }
 
   function _emitDenied(req, reason, actual) {

package/lib/middleware/idempotency-key.js

@@ -175,7 +175,7 @@ function memoryStore(opts) {
  *     headers. Requires `b.vault.init(...)` to have run; falls back to
  *     plain-text with a one-shot audit warning when vault isn't ready,
  *     so test-fixture / boot-script callers still work.
- *   - `aad: true` (since 0.9.58 — CRYPTO-1) — sealed columns are bound
+ *   - `aad: true` (since 0.9.58) — sealed columns are bound
  *     via Additional Authenticated Data to (table, k, column,
  *     schemaVersion) so a DB-write attacker can't copy a sealed
  *     header/body cell from one row to another (which previously
@@ -184,12 +184,12 @@ function memoryStore(opts) {
  *     detects the envelope shape; lazy re-seal on next `set()` upgrades
  *     each row to AAD form. Operators wanting a one-shot migration
  *     call `b.middleware.idempotencyKey.resealMigrate(store)`.
- *   - `fingerprintSeal: true` (since 0.9.58 — CRYPTO-4) — the request
+ *   - `fingerprintSeal: true` (since 0.9.58) — the request
  *     `fingerprint` column carries an HMAC under a vault-derived
  *     secret instead of a bare SHA3-256 of method+path+body. The
  *     compare path is constant-time so the column doubles as a
  *     mismatch oracle without offline-brute-force exposure.
- *   - `bodyFingerprintFallback: "deny"` (since 0.9.58 — SUBSTRATE-13) —
+ *   - `bodyFingerprintFallback: "deny"` (since 0.9.58) —
  *     when neither `bodyFingerprint` nor `req._rawBody`/`req.body` is
  *     populated for a body-bearing method, the middleware previously
  *     silently degraded the fingerprint to method+path. Set to
@@ -228,8 +228,8 @@ function memoryStore(opts) {
  *   init?:      boolean,  // default true — run CREATE TABLE IF NOT EXISTS at construction
  *   hashKeys?:  boolean,  // default true — store sha3-512 namespace-hash of the key, not the raw key
  *   seal?:      boolean,  // default true — seal headers + body via b.cryptoField when vault is ready
- *   aad?:       boolean,  // default true — AAD-bind seal to (table,k,column) so a DB-write attacker can't cross-row swap (CRYPTO-1)
- *   fingerprintSeal?: boolean, // default true — HMAC fingerprint under a vault-derived secret instead of bare sha3-256 (CRYPTO-4)
+ *   aad?:       boolean,  // default true — AAD-bind seal to (table,k,column) so a DB-write attacker can't cross-row swap
+ *   fingerprintSeal?: boolean, // default true — HMAC fingerprint under a vault-derived secret instead of bare sha3-256
  *
  * @example
  *   // single-process daemon, framework's internal sqlite, both defaults on:
@@ -264,11 +264,11 @@ function dbStore(opts) {
   var doInit   = opts.init     !== false;
   var hashKeys = opts.hashKeys !== false;
   var sealReq  = opts.seal     !== false;
-  // CRYPTO-1 — AAD-bind sealing to (table, k, column) by default.
+  // AAD-bind sealing to (table, k, column) by default.
   // Forms a defense-in-depth pair with seal: cross-row swap fails
   // Poly1305 even when the attacker controls the DB layer.
   var aadOn    = opts.aad      !== false;
-  // CRYPTO-4 — HMAC the fingerprint under a vault-derived secret by
+  // HMAC the fingerprint under a vault-derived secret by
   // default. Bare SHA3-256 of method+path+body is offline-brute-
   // forceable for any DB-dump attacker; HMAC under a vault secret
   // forces them to break the vault first.
@@ -297,7 +297,7 @@ function dbStore(opts) {
 
   // Register the table with cryptoField. registerTable is idempotent
   // — subsequent dbStore() calls with the same tableName re-declare
-  // the same sealedFields and no-op. CRYPTO-1: when aad is on,
+  // the same sealedFields and no-op. When aad is on,
   // (table, k, column) is threaded into the AEAD AAD so a DB-write
   // attacker can't copy a sealed value between rows.
   if (sealEnabled) {
@@ -309,7 +309,7 @@ function dbStore(opts) {
     });
   }
 
-  // CRYPTO-4 — derive a per-vault HMAC secret for fingerprint sealing.
+  // Derive a per-vault HMAC secret for fingerprint sealing.
   // The vault root key is the trust root; without it the secret is
   // unrecoverable. Lazy: only derived when fpSealOn is enabled AND the
   // vault is ready, so test fixtures that haven't initialized the
@@ -349,7 +349,7 @@ function dbStore(opts) {
   // so audit/forensic SELECTs don't have to unseal-everything. The
   // `k` column is selected even when not strictly needed for read
   // because cryptoField.unsealRow uses it as the rowId in AAD when
-  // the table is AAD-bound (CRYPTO-1).
+  // the table is AAD-bound.
   var stmtGet = db.prepare(
     "SELECT k, fingerprint, status_code, headers, body, expires_at FROM " +
     qTable + " WHERE k = ?");
@@ -372,7 +372,7 @@ function dbStore(opts) {
     return bCrypto.namespaceHash("idempotency-key", rawKey);
   }
 
-  // CRYPTO-4 — emit / compare HMAC-shape fingerprints. The store
+  // Emit / compare HMAC-shape fingerprints. The store
   // round-trips the column as plain text (no transformation per-get);
   // sealing happens at MINT time (when the middleware builds the
   // fingerprint and hands it to set()). The store's responsibility is
@@ -391,7 +391,7 @@ function dbStore(opts) {
       if (sealEnabled) {
         try { liveRow = cryptoField.unsealRow(tableNameRaw, row); }
         catch (_unsealErr) {
-          // CRYPTO-13 — decryption failure used to delete the row,
+          // Decryption failure used to delete the row,
           // which let an attacker probe key presence via a "tamper +
           // observe subsequent SELECT" oracle. The fix: emit audit,
           // return null, do NOT delete. TTL sweeps stale rows out
@@ -407,7 +407,7 @@ function dbStore(opts) {
       }
       var headersObj;
       try {
-        // CRYPTO-22 — route through C.BYTES.mib(4); raw `4 * 1024 * 1024`
+        // Route through C.BYTES.mib(4); raw `4 * 1024 * 1024`
         // was a drift smell flagged by codebase-patterns. 4 MiB ceiling
         // unchanged.
         headersObj = safeJson.parse(liveRow.headers, { maxBytes: C.BYTES.mib(4) });
@@ -421,7 +421,6 @@ function dbStore(opts) {
         //      DELETING it would clobber another process's cache and
         //      turn a hit into a miss with potential side-effect re-
         //      execution. Treat as miss + LEAVE the row in place.
-        //      Per Codex P1 on PR #45.
         var lookedSealed = typeof liveRow.headers === "string" &&
           (liveRow.headers.indexOf("vault:") === 0 ||
            liveRow.headers.indexOf("vault.aad:") === 0);
@@ -456,7 +455,7 @@ function dbStore(opts) {
     delete: function (rawKey) {
       stmtDelete.run(_k(rawKey));
     },
-    // CRYPTO-4 — the middleware consults this hook to HMAC the
+    // The middleware consults this hook to HMAC the
     // method+path+body digest under a vault-derived secret before
     // insert + compare. Returns null when fpSeal is disabled OR the
     // vault wasn't ready at construction; the middleware then falls
@@ -466,7 +465,7 @@ function dbStore(opts) {
       return nodeCrypto.createHmac("sha3-256", fpHmacSecret)
         .update(preimageBytes).digest("hex");
     },
-    // CRYPTO-1 — operator helper: walk the table and reseal every row
+    // Operator helper: walk the table and reseal every row
     // under the AAD form. Existing v0.9.15-v0.9.57 rows continue to
     // read on a per-row basis (unsealRow auto-detects shape), but
     // operators wanting an explicit migration step call this once.
@@ -526,7 +525,7 @@ function _fingerprintRequest(req, bodyBytes, store) {
   // Fingerprint preimage = method + path + body. Per the draft §4.3,
   // a key+body mismatch is a client-side mistake; our preimage covers
   // method + path so a client reusing a key across different
-  // endpoints is also caught. CRYPTO-4: when the store exposes a
+  // endpoints is also caught. When the store exposes a
   // `fingerprintHmac` hook (dbStore with fingerprintSeal:true + vault
   // ready), the preimage is HMAC'd under a vault-derived secret so a
   // DB dump leaks neither the preimage nor a brute-forceable digest.
@@ -602,7 +601,7 @@ function _emitAudit(action, metadata, outcome) {
  *   requireIdempotencyKey: boolean,  // default: false — refuse missing-key
  *   bodyFingerprint:       function, // (req) => Buffer|string|object|null — operator-supplied body extractor
  *   maxBodyBytes:          number,   // default: 1 MiB — replay-cache body cap
- *   bodyFingerprintFallback: string, // default "deny" (SUBSTRATE-13) — when neither
+ *   bodyFingerprintFallback: string, // default "deny" — when neither
  *                                    // bodyFingerprint nor req._rawBody / req.body is
  *                                    // available for POST/PUT/PATCH, refuse with HTTP 400
  *                                    // idempotency/missing-body-fingerprint instead of
@@ -669,7 +668,7 @@ function create(opts) {
     opts.bodyFingerprint, "idempotencyKey.bodyFingerprint",
     IdempotencyError, "idempotency/bad-body-fingerprint"
   ) || null;
-  // SUBSTRATE-13 — default "deny" refuses body-bearing requests that
+  // Default "deny" refuses body-bearing requests that
   // arrive with neither req._rawBody / req.body NOR an operator-
   // supplied bodyFingerprint hook. The silent-degrade-to-method+path
   // path was a §4.3 violation (same key + different body returned
@@ -762,7 +761,7 @@ function create(opts) {
     // Misordered-mount detector — body-bearing method reached us
     // with neither a parsed body nor a raw-body buffer. Most likely
     // body-parser hasn't run yet, which used to silently degrade the
-    // fingerprint to method+path; SUBSTRATE-13 (v0.9.58) makes that
+    // fingerprint to method+path; v0.9.58 makes that
     // case refuse with HTTP 400 by default. The audit emit fires in
     // both fallback modes so operator review surfaces the
     // misconfiguration regardless of the chosen fallback.
@@ -929,8 +928,8 @@ function _redactKey(key) {
  * @related   b.middleware.idempotencyKey.dbStore
  *
  * One-shot operator helper that walks a dbStore's table and reseals
- * every row under the AAD-bound envelope shape introduced in v0.9.58
- * (CRYPTO-1). Existing v0.9.15-v0.9.57 rows continue to read on a
+ * every row under the AAD-bound envelope shape introduced in v0.9.58.
+ * Existing v0.9.15-v0.9.57 rows continue to read on a
  * per-row basis (unsealRow auto-detects shape) so a deploy without
  * this call is correct, but operators who want to upgrade in bulk
  * call this once after upgrading.

package/lib/middleware/index.js

@@ -53,6 +53,7 @@ var requireAal = require("./require-aal");
 var requireAuth = require("./require-auth");
 var requireContentType = require("./require-content-type");
 var ageGate = require("./age-gate");
+var requireBoundKey = require("./require-bound-key");
 var requireMethods = require("./require-methods");
 var requireMtls = require("./require-mtls");
 var requireStepUp = require("./require-step-up");
@@ -85,6 +86,7 @@ module.exports = {
   requireAuth:      requireAuth.create,
   requireContentType: requireContentType.create,
   ageGate:          ageGate.create,
+  requireBoundKey:  requireBoundKey.create,
   requireMethods:   requireMethods.create,
   requireMtls:      requireMtls.create,
   requireStepUp:    requireStepUp.create,
@@ -145,6 +147,7 @@ module.exports = {
     requireAuth:      requireAuth,
     requireContentType: requireContentType,
     ageGate:          ageGate,
+    requireBoundKey:  requireBoundKey,
     requireMethods:   requireMethods,
     requireMtls:      requireMtls,
     requireStepUp:    requireStepUp,

package/lib/middleware/network-allowlist.js

@@ -48,6 +48,7 @@ var lazyRequire = require("../lazy-require");
 var requestHelpers = require("../request-helpers");
 var ssrfGuard = require("../ssrf-guard");
 var validateOpts = require("../validate-opts");
+var denyResponse = require("./deny-response").denyResponse;
 var { defineClass } = require("../framework-error");
 
 var audit = lazyRequire(function () { return require("../audit"); });
@@ -98,6 +99,8 @@ function _validateCidr(cidr) {
  *     denyStatus:   number,     // default 404
  *     denyBody:     string,     // default "Not Found"
  *     audit:        object,
+ *     onDeny:       function(req, res, info): void,  // own the refusal; info = { status, reason, clientIp, route }
+ *     problemDetails: boolean,  // default false — emit RFC 9457 application/problem+json instead of text/plain
  *   }
  *
  * @example
@@ -113,7 +116,7 @@ function create(opts) {
   opts = opts || {};
   validateOpts(opts, [
     "paths", "allowedCidrs", "deniedCidrs", "trustProxy",
-    "denyStatus", "denyBody", "audit",
+    "denyStatus", "denyBody", "audit", "onDeny", "problemDetails",
   ], "middleware.networkAllowlist");
 
   if (!Array.isArray(opts.paths) || opts.paths.length === 0) {
@@ -156,6 +159,23 @@ function create(opts) {
   var denyBody     = typeof opts.denyBody === "string" ? opts.denyBody : "Not Found";
   var auditOn      = opts.audit !== false && opts.audit != null;
   var auditInstance = opts.audit === true ? null : opts.audit;  // null → use lazy-required default
+  var onDeny       = typeof opts.onDeny === "function" ? opts.onDeny : null;
+  var problemMode  = opts.problemDetails === true;
+
+  function _deny(req, res, ip, route) {
+    _emitDeny(req, ip, route);
+    denyResponse(req, res, {
+      onDeny:        onDeny,
+      problem:       problemMode,
+      status:        denyStatus,
+      info:          { status: denyStatus, reason: "ip-not-in-allowlist", clientIp: ip, route: route },
+      problemCode:   "network-gate-denied",
+      problemTitle:  denyBody,
+      problemDetail: "Access to this resource is restricted by network policy.",
+      contentType:   "text/plain",
+      body:          denyBody,
+    });
+  }
 
   function _emitDeny(req, ip, route) {
     if (!auditOn) return;
@@ -196,9 +216,7 @@ function create(opts) {
     if (!ip) {
       // Fail closed: a request we can't even derive an IP for shouldn't
       // bypass the gate.
-      _emitDeny(req, "<unknown>", pathname);
-      res.writeHead(denyStatus, { "Content-Type": "text/plain" });
-      res.end(denyBody);
+      _deny(req, res, "<unknown>", pathname);
       return;
     }
 
@@ -208,9 +226,7 @@ function create(opts) {
     for (var dii = 0; dii < deniedCidrs.length; dii++) {
       try {
         if (ssrfGuard.cidrContains(deniedCidrs[dii], ip)) {
-          _emitDeny(req, ip, pathname);
-          res.writeHead(denyStatus, { "Content-Type": "text/plain" });
-          res.end(denyBody);
+          _deny(req, res, ip, pathname);
           return;
         }
       } catch (_e) { /* skip malformed at runtime — caught at config */ }
@@ -222,9 +238,7 @@ function create(opts) {
       } catch (_e) { /* skip malformed at runtime — caught at config */ }
     }
     if (!allowed) {
-      _emitDeny(req, ip, pathname);
-      res.writeHead(denyStatus, { "Content-Type": "text/plain" });
-      res.end(denyBody);
+      _deny(req, res, ip, pathname);
       return;
     }
     return next();

package/lib/middleware/protected-resource-metadata.js

@@ -94,7 +94,7 @@ function create(opts) {
       "middleware/protected-resource-metadata/no-as",
       "authorizationServers must be a non-empty array of issuer URLs");
   }
-  // AUTH-17 — RFC 9728 §3 + RFC 8414 §3.1: authorizationServers entries
+  // RFC 9728 §3 + RFC 8414 §3.1: authorizationServers entries
   // are issuer URLs and MUST be https://. Pre-v0.9.x only required
   // non-empty string, so an operator typo could ship `http://idp.test`
   // (or, worse, `javascript:` / `data:`) to clients via the well-known
@@ -156,7 +156,7 @@ function create(opts) {
   if (opts.dpopBoundAccessTokensRequired === true) doc.dpop_bound_access_tokens_required = true;
   if (opts.mtlsBoundAccessTokensRequired === true) doc.tls_client_certificate_bound_access_tokens = true;
 
-  // AUTH-18 — RFC 9728 §3.2 signed_metadata. Operators with an
+  // RFC 9728 §3.2 signed_metadata. Operators with an
   // anti-tamper requirement pass `signMetadata: { key, alg, kid }`;
   // the middleware emits `application/jwt` carrying the JWS-signed
   // metadata. Default output remains cleartext `application/json`.