npm - @blamejs/core - Versions diffs - 0.14.6 → 0.14.8 - Mend

@blamejs/core 0.14.6 → 0.14.8

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (110) hide show

package/CHANGELOG.md +4 -0
package/README.md +3 -2
package/lib/a2a-tasks.js +6 -6
package/lib/agent-event-bus.js +4 -4
package/lib/agent-idempotency.js +6 -6
package/lib/agent-orchestrator.js +9 -9
package/lib/agent-posture-chain.js +10 -10
package/lib/agent-saga.js +6 -7
package/lib/agent-snapshot.js +8 -8
package/lib/agent-stream.js +3 -3
package/lib/agent-tenant.js +4 -4
package/lib/agent-trace.js +5 -5
package/lib/ai-disclosure.js +3 -3
package/lib/ai-input.js +1 -1
package/lib/app.js +2 -2
package/lib/archive-read.js +1 -1
package/lib/archive-tar-read.js +1 -1
package/lib/archive-wrap.js +5 -5
package/lib/audit-tools.js +65 -5
package/lib/audit.js +2 -2
package/lib/auth/acr-vocabulary.js +1 -1
package/lib/auth/ciba.js +4 -4
package/lib/auth/dpop.js +1 -1
package/lib/auth/fal.js +1 -1
package/lib/auth/fido-mds3.js +2 -3
package/lib/auth/jwt-external.js +2 -2
package/lib/auth/oauth.js +10 -10
package/lib/auth/oid4vci.js +8 -8
package/lib/auth/oid4vp.js +1 -1
package/lib/auth/openid-federation.js +6 -6
package/lib/auth/passkey.js +6 -6
package/lib/auth/saml.js +1 -1
package/lib/auth/sd-jwt-vc.js +3 -6
package/lib/backup/index.js +18 -18
package/lib/breach-deadline.js +3 -3
package/lib/cache.js +4 -4
package/lib/calendar.js +7 -7
package/lib/circuit-breaker.js +1 -1
package/lib/cms-codec.js +2 -2
package/lib/compliance.js +14 -14
package/lib/content-credentials.js +3 -3
package/lib/crypto-field.js +58 -21
package/lib/crypto.js +5 -6
package/lib/db-query.js +131 -9
package/lib/db.js +106 -22
package/lib/ddl-change-control.js +2 -2
package/lib/did.js +2 -2
package/lib/dsr.js +4 -4
package/lib/external-db.js +65 -17
package/lib/framework-schema.js +4 -4
package/lib/guard-cidr.js +1 -1
package/lib/guard-image.js +1 -1
package/lib/guard-list-id.js +2 -2
package/lib/guard-list-unsubscribe.js +2 -3
package/lib/guard-time.js +1 -1
package/lib/guard-xml.js +1 -1
package/lib/http-client-cache.js +1 -1
package/lib/iab-tcf.js +4 -4
package/lib/incident-report.js +150 -0
package/lib/json-schema.js +1 -1
package/lib/jtd.js +1 -1
package/lib/mail-auth.js +1 -1
package/lib/mail-bimi.js +1 -1
package/lib/mail-crypto-smime.js +2 -2
package/lib/mail-deploy.js +3 -3
package/lib/mail-server-managesieve.js +2 -2
package/lib/mail-server-mx.js +1 -1
package/lib/mail-server-pop3.js +2 -2
package/lib/mail-server-rate-limit.js +1 -1
package/lib/mail-server-submission.js +1 -1
package/lib/mail-store.js +1 -1
package/lib/mcp.js +7 -7
package/lib/mdoc.js +1 -1
package/lib/metrics.js +10 -10
package/lib/middleware/compose-pipeline.js +1 -1
package/lib/middleware/csrf-protect.js +1 -1
package/lib/middleware/dpop.js +5 -5
package/lib/middleware/idempotency-key.js +21 -22
package/lib/middleware/protected-resource-metadata.js +2 -2
package/lib/network-dns-resolver.js +2 -2
package/lib/network-dns.js +1 -2
package/lib/network-dnssec.js +2 -2
package/lib/network-smtp-policy.js +1 -1
package/lib/network-tls.js +1 -2
package/lib/network-tsig.js +3 -3
package/lib/outbox.js +1 -1
package/lib/pqc-agent.js +1 -1
package/lib/retention.js +1 -1
package/lib/retry.js +1 -1
package/lib/rfc3339.js +2 -2
package/lib/safe-archive.js +2 -2
package/lib/safe-decompress.js +1 -1
package/lib/safe-ical.js +2 -2
package/lib/safe-mime.js +1 -1
package/lib/self-update-standalone-verifier.js +1 -1
package/lib/self-update.js +2 -2
package/lib/standard-webhooks.js +3 -3
package/lib/static.js +1 -1
package/lib/stream-throttle.js +2 -2
package/lib/structured-fields.js +1 -1
package/lib/subject.js +2 -2
package/lib/vault/index.js +64 -1
package/lib/vault/rotate.js +19 -0
package/lib/vault/seal-pem-file.js +1 -1
package/lib/vendor-data.js +1 -1
package/lib/web-push-vapid.js +1 -1
package/lib/webhook.js +1 -1
package/lib/websocket.js +1 -1
package/package.json +1 -1
package/sbom.cdx.json +6 -6

package/lib/standard-webhooks.js CHANGED Viewed

@@ -32,7 +32,7 @@ var { defineClass } = require("./framework-error");
 var StandardWebhooksError = defineClass("StandardWebhooksError", { alwaysPermanent: true });
-var DEFAULT_TOLERANCE_SEC = 300;                                                                      // allow:raw-time-literal — 5min default per StandardWebhooks §3.2
+var DEFAULT_TOLERANCE_SEC = 300;
 /**
  * @primitive b.standardWebhooks.sign
@@ -70,7 +70,7 @@ function sign(opts) {
   var id = opts.id || ("msg_" + bCrypto.generateToken(32));                                           // 32-char id token
   var timestamp = typeof opts.timestamp === "number"
     ? opts.timestamp
-    : Math.floor(Date.now() / 1000);                                                                  // allow:raw-time-literal — wall-clock seconds
+    : Math.floor(Date.now() / 1000);
   if (timestamp <= 0 || !isFinite(timestamp)) {
     throw new StandardWebhooksError("standard-webhooks/bad-timestamp",
       "sign: timestamp must be a positive finite integer");
@@ -148,7 +148,7 @@ function verify(opts) {
   numericBounds.requirePositiveFiniteIntIfPresent(opts.toleranceSec, "toleranceSec",
     StandardWebhooksError, "standard-webhooks/bad-tolerance");
   var tolerance = typeof opts.toleranceSec === "number" ? opts.toleranceSec : DEFAULT_TOLERANCE_SEC;
-  var nowSec = Math.floor(Date.now() / 1000);                                                         // allow:raw-time-literal — wall-clock seconds
+  var nowSec = Math.floor(Date.now() / 1000);
   if (Math.abs(nowSec - ts) > tolerance) {
     throw new StandardWebhooksError("standard-webhooks/timestamp-skew",
       "verify: timestamp skew " + Math.abs(nowSec - ts) + "s exceeds tolerance " + tolerance + "s");

package/lib/static.js CHANGED Viewed

@@ -216,7 +216,7 @@ function _resolveSafe(root, requestedPath) {
   // deposited disk content: shell-exec extensions (.exe / .bin / .so /
   // legitimate `<name>.<hash>.js` bundler output) are valid here. The
   // other balanced checks still reject the traversal + smuggling
-  // surface the user surfaced.
+  // surface.
   var fname = nodePath.basename(resolved);
   var rv = guardFilename().validate(fname, {
     profile:             "balanced",

package/lib/stream-throttle.js CHANGED Viewed

@@ -71,9 +71,9 @@ var StreamThrottleError = defineClass("StreamThrottleError", { alwaysPermanent:
 // (bytes/sec ↔ wait-ms). This is a unit-conversion constant, not a
 // memory cap or protocol-byte literal; the framework's C.TIME / C.BYTES
 // helpers don't apply.
-var MS_PER_SECOND = 1000;                                                                             // allow:raw-time-literal — ms/sec unit conversion
+var MS_PER_SECOND = 1000;
 var NS_PER_MS     = 1e6;                                                                              // ns/ms unit conversion
-var MS_PER_SECOND_HRTIME = 1000;                                                                      // allow:raw-time-literal — hrtime seconds→ms
+var MS_PER_SECOND_HRTIME = 1000;
 /**
  * @primitive b.streamThrottle.create

package/lib/structured-fields.js CHANGED Viewed

@@ -542,7 +542,7 @@ function parse(input, type, opts) {
 function _serDecimal(v, E) {
   if (!isFinite(v)) throw E("structured-fields/serialize", "cannot serialize a non-finite decimal");
-  var n = Math.round(v * 1000) / 1000;                   // allow:raw-time-literal — RFC 8941 §4.1.5 decimal scale 10^3 (3 fractional digits), not a size or duration
+  var n = Math.round(v * 1000) / 1000;                   // allow:raw-time-literal — RFC 8941 4.1.5 decimal-scale 10^3 rounding; coincidental * 1000, not a duration, C.TIME N/A
   if (Math.abs(Math.trunc(n)).toString().length > 12) throw E("structured-fields/serialize", "decimal integer part exceeds 12 digits");   // §4.1.5 cap
   var s = n.toString();
   if (s.indexOf(".") === -1) s += ".0";                  // a Decimal must carry a fractional part

package/lib/subject.js CHANGED Viewed

@@ -362,7 +362,7 @@ function erase(subjectId, opts) {
 // ---- Crypto-shred erase (Art. 17 + WAL/replica residual closure) ----
 //
-// F-RTBF-3 — when a table opts into per-row keying via
+// When a table opts into per-row keying via
 // b.cryptoField.declarePerRowKey, this primitive deletes the
 // per-row K_row entries from _blamejs_per_row_keys, leaving any
 // residual ciphertext in WAL / replica / backup storage
@@ -477,7 +477,7 @@ function eraseHard(subjectId, opts) {
       totalDeleted += deleted;
       perTable[spec.name] = deleted;
       // REINDEX the table so B-tree pages holding the deleted row's
-      // index entries are rebuilt — closes the F-RTBF-2 residual class.
+      // index entries are rebuilt — closes the erase-vacuum residual class.
       try { db().runSql('REINDEX "' + spec.name + '"'); }                                        // table name comes from FRAMEWORK_SCHEMA
       catch (_e) { /* cluster mode / unsupported dialect */ }
     }

package/lib/vault/index.js CHANGED Viewed

@@ -102,11 +102,12 @@ function resolvePaths(dataDir) {
     plaintext:         nodePath.join(dataDir, "vault.key"),
     sealed:            nodePath.join(dataDir, "vault.key.sealed"),
     derivedHashSalt:   nodePath.join(dataDir, "vault.derived-hash-salt"),
+    derivedHashMacKey: nodePath.join(dataDir, "vault.derived-hash-mac.sealed"),
   };
 }
 // derivedHashSalt — per-deployment salt for crypto-field
-// derivedHashes (D-H1). Pre-v0.8.42 the deterministic
+// derivedHashes. Pre-v0.8.42 the deterministic
 // sha3(namespace + plaintext) shape allowed cross-deployment
 // rainbow + cross-table correlation; binding a 32-byte
 // per-deployment salt closes that class without breaking
@@ -175,6 +176,66 @@ function getDerivedHashSalt() {
   return _cachedDerivedHashSalt;
 }
+// derivedHashMacKey — per-deployment SECRET key for crypto-field's
+// keyed (hmac-shake256) derived-hash mode. Unlike the salt, this is
+// SEALED at rest (vault.derived-hash-mac.sealed), so an attacker with
+// disk access alone cannot recompute the keyed digest and correlate
+// low-entropy plaintexts. Like the salt, it is keypair-bound and
+// survives a passphrase-only rotation; an ENVELOPE rotation re-seals it
+// because it is registered in rotate's additionalSealed sweep.
+function _readOrCreateDerivedHashMacKey() {
+  if (!paths) {
+    throw new VaultError("vault/not-initialized",
+      "vault.getDerivedHashMacKey() requires init()");
+  }
+  if (nodeFs.existsSync(paths.derivedHashMacKey)) {
+    var sealed = atomicFile.readSync(paths.derivedHashMacKey, { encoding: "utf8" }).trim();
+    var b64 = unseal(sealed);
+    var key = Buffer.from(b64, "base64");
+    if (key.length !== 32) {                                                        // 32-byte (256-bit) MAC key
+      throw new VaultError("vault/derived-hash-mac-key-corrupted",
+        "vault.derived-hash-mac key must unseal to exactly 32 bytes; got " + key.length);
+    }
+    return key;
+  }
+  var nodeCrypto = require("node:crypto");
+  var raw = nodeCrypto.randomBytes(32);                                            // 32-byte MAC key
+  atomicFile.writeSync(paths.derivedHashMacKey, seal(raw.toString("base64")), { fileMode: 0o600 });
+  log("generated per-deployment derivedHash MAC key at " + paths.derivedHashMacKey);
+  return raw;
+}
+var _cachedDerivedHashMacKey = null;
+/**
+ * @primitive b.vault.getDerivedHashMacKey
+ * @signature b.vault.getDerivedHashMacKey()
+ * @since     0.14.7
+ * @related   b.vault.getDerivedHashSalt, b.cryptoField.registerTable
+ *
+ * Returns the 32-byte per-deployment SECRET key that backs crypto-
+ * field's keyed (`hmac-shake256`) derived-hash mode. Generated once on
+ * first use, SEALED at rest (`vault.derived-hash-mac.sealed`, mode
+ * `0o600`) so disk access alone does not expose it, and re-sealed by an
+ * envelope vault rotation. Distinct from `getDerivedHashSalt`, which is
+ * a non-secret salt stored in plaintext.
+ *
+ * Throws `VaultError("vault/not-initialized")` before `init()`, or
+ * `vault/derived-hash-mac-key-corrupted` if the sealed file does not
+ * unseal to exactly 32 bytes.
+ *
+ * @example
+ *   await b.vault.init({ dataDir: "/var/lib/blamejs", mode: "plaintext" });
+ *   var k = b.vault.getDerivedHashMacKey();
+ *   k.length;           // → 32
+ *   Buffer.isBuffer(k); // → true
+ */
+function getDerivedHashMacKey() {
+  if (_cachedDerivedHashMacKey === null) {
+    _cachedDerivedHashMacKey = _readOrCreateDerivedHashMacKey();
+  }
+  return _cachedDerivedHashMacKey;
+}
 // ---- Init dispatch ----
 /**
@@ -620,6 +681,7 @@ module.exports = {
   seal:                  seal,
   unseal:                unseal,
   getDerivedHashSalt:    getDerivedHashSalt,
+  getDerivedHashMacKey:  getDerivedHashMacKey,
   _zeroizeAndReplace:    _zeroizeAndReplace,
   aad:                   vaultAad,
   getKeysJson:           getKeysJson,
@@ -633,6 +695,7 @@ module.exports = {
   _resetForTest:         function () {
     if (currentPassphrase) safeBuffer.secureZero(currentPassphrase);
     keys = null; initialized = false; currentPassphrase = null; paths = null; currentMode = null;
+    _cachedDerivedHashSalt = null; _cachedDerivedHashMacKey = null;
   },
   _getKeysForTest:       function () { return keys; },
   _getPathsForTest:      function () { return paths; },

package/lib/vault/rotate.js CHANGED Viewed

@@ -651,6 +651,25 @@ async function rotate(opts) {
       _reSealValue(current, oldKeys, newKeys), { mode: 0o600 });
   }
+  // 3b. Framework-managed crypto-field derived-hash files — always
+  // rotated regardless of operator opts.paths, so the staging copy is
+  // complete. The plaintext salt is copied verbatim; the SEALED MAC key
+  // (keyed hmac-shake256 mode) is re-sealed under the new keypair so an
+  // envelope rotation doesn't orphan it (a passphrase-only rotation
+  // re-seals to the same value since the keypair is unchanged).
+  var saltSrc = nodePath.join(dataDir, "vault.derived-hash-salt");
+  if (nodeFs.existsSync(saltSrc)) {
+    nodeFs.copyFileSync(saltSrc, nodePath.join(stagingDir, "vault.derived-hash-salt"));
+  }
+  var macSrc = nodePath.join(dataDir, "vault.derived-hash-mac.sealed");
+  if (nodeFs.existsSync(macSrc)) {
+    var macCurrent = nodeFs.readFileSync(macSrc, "utf8").trim();
+    if (macCurrent.indexOf(C.VAULT_PREFIX) === 0) {
+      nodeFs.writeFileSync(nodePath.join(stagingDir, "vault.derived-hash-mac.sealed"),
+        _reSealValue(macCurrent, oldKeys, newKeys), { mode: 0o600 });
+    }
+  }
   // 4. decrypt + rotate + re-encrypt db.enc
   _emit(progress, { phase: "rotate_db" });
   var encDbPath = nodePath.join(dataDir, paths.encryptedDb);

package/lib/vault/seal-pem-file.js CHANGED Viewed

@@ -81,7 +81,7 @@ var SealPemFileError = defineClass("SealPemFileError", { alwaysPermanent: true }
 // doesn't sneak past the watcher. Operators with extremely-quiet
 // renewal cycles can override via opts.pollInterval; the cost of
 // 500ms polling on an idle PEM file is ~2 stat() syscalls/sec.
-var DEFAULT_POLL_MS = 500;                                                         // allow:raw-time-literal — 500ms watchFile cadence (sub-second)
+var DEFAULT_POLL_MS = 500;
 // PEM files are tiny — 4 KiB for an ECDSA key, ~8 KiB for a 4096-bit
 // RSA key, ~64 KiB for a long cert chain. Cap at 1 MiB so an operator

package/lib/vendor-data.js CHANGED Viewed

@@ -306,7 +306,7 @@ function _loadAndVerify(name) {
 // Memoized — "sha256:" + sha256(pemToRaw(PUBKEY_PEM)). Matches the
 // canonical fingerprint shape `scripts/vendor-data-gen.js` writes into
 // each .data.js's `metadata.publicKeyFingerprint`. Computed lazily on
-// first verify (also lazily by verifyAll at boot). CRYPTO-11 — every
+// first verify (also lazily by verifyAll at boot). Every
 // per-entry verify cross-checks this against the entry's declared
 // `meta.publicKeyFingerprint` so a pubkey-swap attack fails before
 // signature verify even runs.

package/lib/web-push-vapid.js CHANGED Viewed

@@ -134,7 +134,7 @@ function buildVapidAuthHeader(opts) {
       "buildVapidAuthHeader: subscription.endpoint is not a parseable URL");
   }
   var aud = endpointUrl.origin;
-  var now = Math.floor(Date.now() / 1000);                                                            // allow:raw-time-literal — wall-clock seconds for JWT exp
+  var now = Math.floor(Date.now() / 1000);
   // Inline JWT sign with ES256 — VAPID strictly mandates ECDSA-P256
   // (RFC 8292 §3.1). The framework jwt.sign is PQC-first and refuses
   // ES256 by design; VAPID is a wire-protocol constraint outside

package/lib/webhook.js CHANGED Viewed

@@ -955,7 +955,7 @@ function sign(input) {
     }
     ts = Math.floor(input.timestamp);
   } else {
-    ts = Math.floor(Date.now() / 1000);                                                                // allow:raw-time-literal — unix-seconds conversion, Stripe spec uses seconds-not-ms
+    ts = Math.floor(Date.now() / 1000);
   }
   var hex = _hmacSha256Hex(secretBytes, ts + "." + bodyStr);
   return "t=" + ts + ",v1=" + hex;

package/lib/websocket.js CHANGED Viewed

@@ -191,7 +191,7 @@ var CLOSE_GRACE_MS            = C.TIME.seconds(2);
 function _isValidCloseCode(code) {
   if (code === 1004 || code === 1005 || code === 1006 || code === 1015) return false;        // RFC 6455 §7.4.2 reserved codes
   if (code >= 1000 && code <= 1011) return true;                                              // allow:raw-time-literal — code is a numeric, not seconds
-  if (code >= 3000 && code <= 4999) return true;                                              // allow:raw-time-literal — code is a numeric, not seconds
+  if (code >= 3000 && code <= 4999) return true;                                              // allow:raw-time-literal — WebSocket close-code range bound (RFC 6455 7.4.2); coincidental multiple-of-60, C.TIME N/A
   return false;
 }

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@blamejs/core",
-  "version": "0.14.6",
+  "version": "0.14.8",
   "description": "The Node framework that owns its stack.",
   "license": "Apache-2.0",
   "author": "blamejs contributors",

package/sbom.cdx.json CHANGED Viewed

@@ -2,10 +2,10 @@
   "$schema": "http://cyclonedx.org/schema/bom-1.5.schema.json",
   "bomFormat": "CycloneDX",
   "specVersion": "1.5",
-  "serialNumber": "urn:uuid:ba3e9bdd-f642-4d42-a03c-794d89554a0a",
+  "serialNumber": "urn:uuid:013c541c-8703-45e9-9154-89bc05b3998c",
   "version": 1,
   "metadata": {
-    "timestamp": "2026-05-30T16:30:23.236Z",
+    "timestamp": "2026-05-30T23:34:15.711Z",
     "lifecycles": [
       {
         "phase": "build"
@@ -19,14 +19,14 @@
       }
     ],
     "component": {
-      "bom-ref": "@blamejs/core@0.14.6",
+      "bom-ref": "@blamejs/core@0.14.8",
       "type": "application",
       "name": "blamejs",
-      "version": "0.14.6",
+      "version": "0.14.8",
       "scope": "required",
       "author": "blamejs contributors",
       "description": "The Node framework that owns its stack.",
-      "purl": "pkg:npm/%40blamejs/core@0.14.6",
+      "purl": "pkg:npm/%40blamejs/core@0.14.8",
       "properties": [],
       "externalReferences": [
         {
@@ -54,7 +54,7 @@
   "components": [],
   "dependencies": [
     {
-      "ref": "@blamejs/core@0.14.6",
+      "ref": "@blamejs/core@0.14.8",
       "dependsOn": []
     }
   ]