@blamejs/core 0.7.107 → 0.8.4

package/lib/middleware/openapi-serve.js

@@ -0,0 +1,143 @@
+"use strict";
+/**
+ * openapi-serve middleware — expose an OpenAPI 3.1 document as a
+ * request-time JSON / YAML resource at a single mount point.
+ *
+ *   var openapi = b.openapi.create({ ... });
+ *   ...add paths / schemas / security...
+ *
+ *   var serve = b.middleware.openapiServe({
+ *     document: openapi,
+ *     pathJson: "/openapi.json",
+ *     pathYaml: "/openapi.yaml",
+ *     pretty:   true,
+ *     cacheControl: "public, max-age=300",
+ *   });
+ *   router.use(serve);
+ *
+ * The middleware ONLY responds to GET requests for the configured
+ * paths; everything else passes to next() unchanged. ETag is computed
+ * from the JSON-string SHA3-512 to allow conditional GET.
+ *
+ * If `accessControl: "public"` (the default), the middleware emits
+ * `Access-Control-Allow-Origin: *` so external doc tooling can fetch.
+ * For internal-only docs operators set `accessControl: "same-origin"`
+ * which omits the CORS header.
+ */
+
+var nodeCrypto    = require("crypto");
+var validateOpts  = require("../validate-opts");
+var lazyRequire   = require("../lazy-require");
+var { defineClass } = require("../framework-error");
+var OpenApiError = defineClass("OpenApiError", { alwaysPermanent: true });
+
+var openapiYaml   = lazyRequire(function () { return require("../openapi-yaml"); });
+var audit         = lazyRequire(function () { return require("../audit"); });
+
+function create(opts) {
+  opts = opts || {};
+  validateOpts(opts, [
+    "document", "pathJson", "pathYaml", "pretty",
+    "cacheControl", "accessControl", "audit",
+  ], "middleware.openapiServe");
+  if (!opts.document || typeof opts.document.toJson !== "function") {
+    throw new OpenApiError("openapi/bad-document",
+      "openapiServe: document must be a builder created via b.openapi.create()");
+  }
+  var pathJson      = opts.pathJson || "/openapi.json";
+  var pathYaml      = opts.pathYaml || "/openapi.yaml";
+  var pretty        = opts.pretty === true ? 2 : 0;
+  var cacheControl  = (typeof opts.cacheControl === "string" && opts.cacheControl.length > 0)
+    ? opts.cacheControl : "public, max-age=300";
+  var accessControl = opts.accessControl || "public";
+  var auditOn       = opts.audit !== false;
+
+  if (typeof pathJson !== "string" || pathJson.charAt(0) !== "/") {
+    throw new OpenApiError("openapi/bad-path",
+      "openapiServe: pathJson must start with '/' - got " + JSON.stringify(pathJson));
+  }
+  if (typeof pathYaml !== "string" || pathYaml.charAt(0) !== "/") {
+    throw new OpenApiError("openapi/bad-path",
+      "openapiServe: pathYaml must start with '/' - got " + JSON.stringify(pathYaml));
+  }
+
+  var cachedDoc       = null;
+  var cachedJsonStr   = null;
+  var cachedYamlStr   = null;
+  var cachedJsonEtag  = null;
+  var cachedYamlEtag  = null;
+
+  function _rebuild() {
+    cachedDoc      = opts.document.toJson();
+    cachedJsonStr  = JSON.stringify(cachedDoc, null, pretty);
+    cachedYamlStr  = openapiYaml().toYaml(cachedDoc);
+    cachedJsonEtag = '"' + nodeCrypto.createHash("sha3-512").update(cachedJsonStr).digest("base64url").slice(0, 24) + '"';
+    cachedYamlEtag = '"' + nodeCrypto.createHash("sha3-512").update(cachedYamlStr).digest("base64url").slice(0, 24) + '"';
+  }
+  _rebuild();
+
+  function _writeBody(req, res, body, etag, contentType) {
+    var requestEtag = (req.headers && req.headers["if-none-match"]) || null;
+    if (requestEtag && requestEtag === etag) {
+      res.writeHead(304, { "ETag": etag, "Cache-Control": cacheControl });          // allow:raw-byte-literal — HTTP 304
+      res.end();
+      return;
+    }
+    var headers = {
+      "Content-Type":   contentType,
+      "Content-Length": Buffer.byteLength(body),
+      "Cache-Control":  cacheControl,
+      "ETag":           etag,
+    };
+    if (accessControl === "public") {
+      headers["Access-Control-Allow-Origin"] = "*";
+    }
+    res.writeHead(200, headers);                                                    // allow:raw-byte-literal — HTTP 200
+    res.end(body);
+  }
+
+  var mw = function (req, res, next) {
+    if (typeof res.writeHead !== "function") return next();
+    var method = (req.method || "GET").toUpperCase();
+    if (method !== "GET" && method !== "HEAD") return next();
+    var pathname = req.pathname;
+    if (typeof pathname !== "string") {
+      var url = req.url || "";
+      var qIdx = url.indexOf("?");
+      pathname = qIdx === -1 ? url : url.slice(0, qIdx);
+    }
+    if (pathname === pathJson) {
+      _writeBody(req, res, cachedJsonStr, cachedJsonEtag, "application/json; charset=utf-8");
+      if (auditOn) {
+        try {
+          audit().safeEmit({
+            action:  "openapi.document.served",
+            outcome: "success",
+            actor:   null,
+            metadata: { format: "json", path: pathname, bytes: cachedJsonStr.length },
+          });
+        } catch (_e) { /* drop-silent */ }
+      }
+      return;
+    }
+    if (pathname === pathYaml) {
+      _writeBody(req, res, cachedYamlStr, cachedYamlEtag, "application/yaml; charset=utf-8");
+      if (auditOn) {
+        try {
+          audit().safeEmit({
+            action:  "openapi.document.served",
+            outcome: "success",
+            actor:   null,
+            metadata: { format: "yaml", path: pathname, bytes: cachedYamlStr.length },
+          });
+        } catch (_e) { /* drop-silent */ }
+      }
+      return;
+    }
+    return next();
+  };
+  mw.forceRebuild = _rebuild;
+  return mw;
+}
+
+module.exports = { create: create };

package/lib/middleware/require-aal.js

@@ -76,7 +76,7 @@ function create(opts) {
           audit().safeEmit({
             action:  "auth.aal.denied",
             actor:   { clientIp: requestHelpers.clientIp(req), userId: req.user && req.user.id },
-            outcome: "fail",
+            outcome: "denied",
             metadata: {
               required: minimum,
               actual:   actual || null,
@@ -93,7 +93,7 @@ function create(opts) {
         audit().safeEmit({
           action:  "auth.aal.granted",
           actor:   { clientIp: requestHelpers.clientIp(req), userId: req.user && req.user.id },
-          outcome: "ok",
+          outcome: "success",
           metadata: { aal: actual, required: minimum, route: req.url },
         });
       } catch (_ignored) { /* drop-silent */ }

package/lib/middleware/require-step-up.js

@@ -0,0 +1,186 @@
+"use strict";
+/**
+ * require-step-up middleware — gate routes per RFC 9470 OAuth 2.0
+ * Step-Up Authentication Challenge.
+ *
+ * Mounted AFTER attachUser / bearerAuth so the request carries the
+ * already-verified token claims.
+ *
+ *   var sensitiveStepUp = b.middleware.requireStepUp({
+ *     requirement: { acr: "high", maxAge: 300 },
+ *     realm:       "billing-api",
+ *   });
+ *   router.use("/billing/transfer", sensitiveStepUp);
+ *
+ * Failure shape (per RFC 9470 §3):
+ *   401 Unauthorized
+ *   WWW-Authenticate: Bearer error="insufficient_user_authentication",
+ *     error_description="...", acr_values="high", max_age="300"
+ *   Content-Type: application/json
+ *   { "error": "insufficient_user_authentication", "error_description": "..." }
+ *
+ * Operators with their own elevation grants pass `acceptGrant: true`
+ * and `grantHeader: "X-Step-Up-Grant"` (default) — the middleware
+ * checks for a valid b.auth.stepUp.grant token before evaluating the
+ * normal claims-based requirement, so a multi-step flow doesn't get
+ * step-up-prompted on every action.
+ *
+ * Options:
+ *   {
+ *     requirement:    { acr / acrValues / maxAge / requiredAmr / phishingResistant },
+ *     getClaims:      function(req) { return req.user.claims; },
+ *     realm:          "api",
+ *     audit:          true,
+ *     acceptGrant:    true,                         // default
+ *     grantHeader:    "X-Step-Up-Grant",            // default
+ *     grantScope:     null,                         // narrow grant by scope
+ *   }
+ *
+ * NEVER weaken the security default to fix a broken caller. Operators
+ * configure their IdP to emit `acr` / `auth_time` / `amr` correctly;
+ * the middleware does not silently default these to "good enough" on a
+ * missing claim.
+ */
+
+var lazyRequire    = require("../lazy-require");
+var validateOpts   = require("../validate-opts");
+var requestHelpers = require("../request-helpers");
+var { AuthError }  = require("../framework-error");
+
+var stepUp         = lazyRequire(function () { return require("../auth/step-up"); });
+var elevation      = lazyRequire(function () { return require("../auth/elevation-grant"); });
+var audit          = lazyRequire(function () { return require("../audit"); });
+
+var DEFAULT_GRANT_HEADER = "x-step-up-grant";
+
+function _defaultGetClaims(req) {
+  if (!req || typeof req !== "object") return null;
+  if (req.user && req.user.claims && typeof req.user.claims === "object") {
+    return req.user.claims;
+  }
+  if (req.user && typeof req.user === "object") {
+    return req.user;
+  }
+  return null;
+}
+
+function _writeChallenge(res, challenge, body, statusCode) {
+  if (res.headersSent) return;
+  var json = JSON.stringify(body);
+  res.writeHead(statusCode, {                                                      // allow:raw-byte-literal — HTTP status passthrough
+    "Content-Type":     "application/json; charset=utf-8",
+    "Content-Length":   Buffer.byteLength(json),
+    "WWW-Authenticate": challenge,
+  });
+  res.end(json);
+}
+
+function create(opts) {
+  opts = opts || {};
+  validateOpts(opts, [
+    "requirement", "getClaims", "realm", "audit",
+    "acceptGrant", "grantHeader", "grantScope", "errorDescription",
+  ], "middleware.requireStepUp");
+
+  if (!opts.requirement || typeof opts.requirement !== "object") {
+    throw new AuthError("auth-stepUp/bad-requirement",
+      "middleware.requireStepUp: opts.requirement must be an object");
+  }
+  validateOpts.optionalFunction(opts.getClaims,
+    "middleware.requireStepUp: getClaims", AuthError, "auth-stepUp/bad-opt");
+
+  var realm        = (typeof opts.realm === "string" && opts.realm.length > 0)
+    ? opts.realm : "api";
+  var auditOn      = opts.audit !== false;
+  var getClaims    = (typeof opts.getClaims === "function")
+    ? opts.getClaims : _defaultGetClaims;
+  var acceptGrant  = opts.acceptGrant !== false;
+  var grantHeader  = (typeof opts.grantHeader === "string" && opts.grantHeader.length > 0)
+    ? opts.grantHeader.toLowerCase() : DEFAULT_GRANT_HEADER;
+  var grantScope   = (typeof opts.grantScope === "string" && opts.grantScope.length > 0)
+    ? opts.grantScope : null;
+  var errorDesc    = (typeof opts.errorDescription === "string" && opts.errorDescription.length > 0)
+    ? opts.errorDescription : null;
+
+  // Pre-validate the requirement so operator typos surface at boot, not
+  // on the first hot-path request.
+  var probe = stepUp().evaluate({ claims: { acr: "0" }, requirement: opts.requirement });
+  if (probe.error === "bad_requirement" || probe.error === "unknown_acr") {
+    throw new AuthError("auth-stepUp/bad-requirement",
+      "middleware.requireStepUp: " + (probe.reason || probe.error));
+  }
+
+  return function requireStepUpMiddleware(req, res, next) {
+    var headers = req.headers || {};
+
+    // Path 1: operator-issued elevation grant — short-circuit success.
+    if (acceptGrant) {
+      var grantToken = headers[grantHeader] || null;
+      if (typeof grantToken === "string" && grantToken.length > 0) {
+        var verifyOpts = {};
+        if (grantScope) verifyOpts.scope = grantScope;
+        var grantResult = elevation().verify(grantToken, verifyOpts);
+        if (grantResult.ok) {
+          if (auditOn) {
+            try {
+              audit().safeEmit({
+                action:  "auth.stepup.satisfied",
+                outcome: "success",
+                actor:   { userId: grantResult.payload.sub,
+                           clientIp: requestHelpers.clientIp(req) },
+                metadata: {
+                  reason: "grant",
+                  jti:    grantResult.payload.jti || null,
+                  scope:  grantResult.payload.scope,
+                  route:  req.url || null,
+                },
+              });
+            } catch (_e) { /* drop-silent */ }
+          }
+          if (req.user) req.user.stepUp = { byGrant: true, payload: grantResult.payload };
+          return next();
+        }
+        // Invalid grant — fall through to claims-based path; emit signal.
+        if (auditOn) {
+          try {
+            audit().safeEmit({
+              action:  "auth.stepup.grant.rejected",
+              outcome: "denied",
+              actor:   { clientIp: requestHelpers.clientIp(req) },
+              metadata: { error: grantResult.error, reason: grantResult.reason },
+            });
+          } catch (_e) { /* drop-silent */ }
+        }
+      }
+    }
+
+    // Path 2: claims-based evaluation.
+    var claims = getClaims(req);
+    var result = stepUp().evaluate({ claims: claims, requirement: opts.requirement });
+
+    if (result.ok) {
+      if (auditOn) stepUp().emitAuditSatisfied("requireStepUp", opts.requirement, result.presented, req);
+      if (req.user) req.user.stepUp = { byClaims: true, presented: result.presented };
+      return next();
+    }
+
+    if (auditOn) stepUp().emitAuditRequired("requireStepUp", opts.requirement, result.presented, req);
+
+    var challenge = stepUp().buildChallenge({
+      requirement:      opts.requirement,
+      realm:            realm,
+      error:            stepUp().INSUFFICIENT_USER_AUTHENTICATION,
+      errorDescription: errorDesc || undefined,
+    });
+    _writeChallenge(res,
+      challenge,
+      {
+        error:             stepUp().INSUFFICIENT_USER_AUTHENTICATION,
+        error_description: errorDesc || "A higher level of authentication is required",
+      },
+      401                                                                                  // allow:raw-byte-literal — HTTP 401
+    );
+  };
+}
+
+module.exports = { create: create };

package/lib/middleware/trace-propagate.js

@@ -85,7 +85,7 @@ function create(opts) {
         try {
           audit().safeEmit({
             action:   "system.trace.synthesised",
-            outcome:  "ok",
+            outcome:  "success",
             metadata: { route: req.url || "/", traceId: req.trace.traceId },
           });
         } catch (_e) { /* drop-silent — observability sink */ }

package/lib/mtls-ca.js

@@ -17,7 +17,7 @@
  *       caCert:         "ca.crt",
  *     },
  *     vault:            b.vault,         // optional; required when sealed
- *     caKeySealedMode:  "auto",          // "auto" | "required" | "disabled"
+ *     caKeySealedMode:  "required",      // "required" (default) | "disabled"
  *     generation:       1,               // current CA generation for OU=CAv{N}
  *     engine:           myCertEngine,    // optional — defaults to b.mtlsEngine
  *   });
@@ -27,10 +27,16 @@
  *   ca.key           CA private key (PEM, plaintext on disk)
  *   ca.key.sealed    CA private key (vault.seal of PEM bytes)
  *
- * caKeySealedMode:
- *   "auto"      load whichever exists (sealed if present, else plain)
- *   "required"  sealed file required; refuse plaintext
- *   "disabled"  plaintext required; refuse sealed
+ * caKeySealedMode (defaults to "required"):
+ *   "required"  sealed file required; refuse plaintext (default — vault
+ *               must be wired)
+ *   "disabled"  plaintext required; refuse sealed (dev-only opt-out;
+ *               operator must justify with audited reason)
+ *
+ * The legacy "auto" mode (load whichever exists, fall back to plaintext
+ * when no sealed file is present) was removed; it defaulted to writing
+ * plaintext on a fresh install, which is the inverse of the framework's
+ * security-defaults-on posture for at-rest key material.
  *
  * Generation tagging: every CA cert issued by the framework embeds a
  * "OU=CAv{N}" RDN in its subject DN. Status reads that back so an
@@ -114,7 +120,7 @@ var DEFAULT_PATHS = {
   crl:          "ca.crl",
 };
 
-var VALID_SEAL_MODES = { auto: 1, required: 1, disabled: 1 };
+var VALID_SEAL_MODES = { required: 1, disabled: 1 };
 
 function _resolvePaths(dataDir, paths) {
   var p = Object.assign({}, DEFAULT_PATHS, paths || {});
@@ -161,10 +167,11 @@ function create(opts) {
   }
   var paths = _resolvePaths(opts.dataDir, opts.paths);
   var vault = opts.vault || null;
-  var caKeySealedMode = (opts.caKeySealedMode || "auto").toLowerCase();
+  var caKeySealedMode = (opts.caKeySealedMode || "required").toLowerCase();
   if (!VALID_SEAL_MODES[caKeySealedMode]) {
     throw new MtlsCaError("mtls-ca/bad-mode",
-      "caKeySealedMode must be 'auto', 'required', or 'disabled'");
+      "caKeySealedMode must be 'required' or 'disabled' " +
+      "(legacy 'auto' was removed — it defaulted to plaintext-on-disk)");
   }
   var generation = typeof opts.generation === "number" && opts.generation >= 1
     ? Math.floor(opts.generation) : 1;
@@ -230,23 +237,10 @@ function create(opts) {
       }
       return Buffer.from(pem, "utf8");
     }
-    if (caKeySealedMode === "disabled") {
-      if (!hasPlain) {
-        throw new MtlsCaError("mtls-ca/plain-required",
-          "CA_KEY_SEALED='disabled' but " + paths.caKey + " does not exist");
-      }
-      return fs.readFileSync(paths.caKey);
-    }
-    // auto: prefer sealed if it exists (defense-in-depth default)
-    if (hasSealed) {
-      _requireVault("sealed CA key load");
-      var sealedBytesA = fs.readFileSync(paths.caKeySealed, "utf8").trim();
-      var pemA = vault.unseal(sealedBytesA);
-      if (!pemA) {
-        throw new MtlsCaError("mtls-ca/unseal-failed",
-          "vault.unseal of " + paths.caKeySealed + " returned empty");
-      }
-      return Buffer.from(pemA, "utf8");
+    // disabled: plaintext only.
+    if (!hasPlain) {
+      throw new MtlsCaError("mtls-ca/plain-required",
+        "caKeySealedMode='disabled' but " + paths.caKey + " does not exist");
     }
     return fs.readFileSync(paths.caKey);
   }
@@ -260,10 +254,10 @@ function create(opts) {
   }
 
   // Atomic commit: write .tmp + atomic rename for both key and cert.
-  // Honors caKeySealedMode — when 'required', the key is vault-sealed
-  // before the on-disk write so plaintext PEM never touches the
-  // filesystem; when 'disabled', it goes to disk as PEM. 'auto'
-  // defaults to plaintext-on-disk.
+  // Honors caKeySealedMode — when 'required' (the default), the key is
+  // vault-sealed before the on-disk write so plaintext PEM never touches
+  // the filesystem; when 'disabled', it goes to disk as PEM with the
+  // operator's audited reason on record.
   function commit(opts2) {
     if (!opts2 || typeof opts2.caKeyPem !== "string" || typeof opts2.caCertPem !== "string") {
       throw new MtlsCaError("mtls-ca/bad-commit",

package/lib/mtls-engine-default.js

@@ -134,7 +134,27 @@ async function _selectAlgorithm() {
   for (var i = 0; i < ALG_CANDIDATES.length; i++) {
     var c = ALG_CANDIDATES[i];
     var ok = await _probeCandidate(c);
-    if (ok) { _selectedAlg = c; return c; }
+    if (ok) {
+      _selectedAlg = c;
+      // Emit an audit row at first probe so operators see which
+      // algorithm landed without having to call b.mtlsCa.status().
+      // Pre-PQC ecosystems land on the ECDSA-P384 bridge silently;
+      // this puts the choice on the chain so compliance dashboards
+      // alert when an operator's deployment hasn't yet picked up the
+      // PQ-signed-cert capability the framework would otherwise
+      // prefer.
+      setImmediate(function () {
+        try {
+          var auditMod = require("./audit");                                          // allow:inline-require — circular-load defense
+          auditMod.safeEmit({
+            action:   "mtls.engine.algorithm_selected",
+            outcome:  "success",
+            metadata: { label: c.label, posture: c.posture, candidatesProbed: i + 1 },
+          });
+        } catch (_e) { /* drop-silent */ }
+      });
+      return c;
+    }
   }
   // Should never happen — ECDSA-P384-SHA384 is universal.
   throw new MtlsEngineError("mtls-engine/no-algorithm",

package/lib/network-tls.js

@@ -26,7 +26,7 @@ var STATE = {
   cas:             [],
   systemTrust:     false,
   baselineFingerprints: null,
-  tlsKeyShares:    ["X25519MLKEM768", "X25519", "secp256r1"],
+  tlsKeyShares:    ["SecP384r1MLKEM1024", "X25519MLKEM768", "X25519"],
 };
 
 function _normalizePem(pem) {
@@ -301,7 +301,7 @@ function expiryMonitor(opts) {
         try {
           audit().safeEmit({
             action:  "network.tls.ca.expiring",
-            outcome: "warn",
+            outcome: "success",
             metadata: {
               count:   rows.length,
               labels:  rows.map(function (r) { return r.label; }),
@@ -375,9 +375,9 @@ function applyToContext(opts) {
 //   resetKeyShares()                                  → restores default
 
 var DEFAULT_PQC_KEY_SHARES = Object.freeze([
-  "X25519MLKEM768",                                                              // hybrid KEM, draft-kwiatkowski-tls-ecdhe-mlkem-02
-  "X25519",                                                                      // classical fallback
-  "secp256r1",                                                                   // legacy peers
+  "SecP384r1MLKEM1024",                                                          // highest-PQC hybrid (codepoint 0x11ED, draft-kwiatkowski-tls-ecdhe-mlkem-02)
+  "X25519MLKEM768",                                                              // mid-PQC hybrid (codepoint 0x11EC, IETF/Cloudflare/Chrome interop)
+  "X25519",                                                                      // classical fallback (modern non-PQC peers)
 ]);
 
 function _validateKeyShare(name) {
@@ -990,9 +990,24 @@ function buildOcspRequest(opts) {
   var serial = _extractLeafSerial(opts.leafCertDer);
   // CertID hashes — SHA-1 per RFC 6960 §4.1.1 (the only universally
   // supported algorithm; SHA-256 in OCSP requests is RFC 6960 §4.3
-  // optional and many responders reject).
+  // optional and many responders reject). The hash isn't security-
+  // critical here — it's a name/key lookup, not an integrity check —
+  // but operator compliance dashboards alerting on "anywhere in the
+  // framework that touches SHA-1" need a signal. Emit an audit row
+  // on every OCSP request build so the algorithm choice is visible
+  // in the chain.
   var nameHash = nodeCrypto.createHash("sha1").update(iss.issuerNameDer).digest();
   var keyHash  = nodeCrypto.createHash("sha1").update(iss.issuerKey).digest();
+  setImmediate(function () {
+    try {
+      var auditMod = require("./audit");                                            // allow:inline-require — circular-load defense (audit imports network-tls)
+      auditMod.safeEmit({
+        action:   "network.tls.ocsp.certid_built",
+        outcome:  "success",
+        metadata: { hashAlgorithm: "sha1", note: "RFC 6960 §4.1.1 — non-security-critical lookup hash" },
+      });
+    } catch (_e) { /* drop-silent */ }
+  });
   // hashAlgorithm AlgorithmIdentifier ::= SEQUENCE { algorithm OID, NULL }
   var algId = asn1.writeSequence([asn1.writeOid(OID_SHA1), asn1.writeNull()]);
   var certId = asn1.writeSequence([

package/lib/object-store/sigv4-bucket-ops.js

@@ -897,6 +897,47 @@ function create(config) {
     _validateRetention(opts);
     validateOpts(opts, ["mode", "retainUntil", "bypassGovernance", "req", "actor"],
       "bucketOps.setObjectRetention");
+    // COMPLIANCE-mode defense-in-depth: refuse client-side when the
+    // operator (or attacker with the s3:PutObjectRetention permission)
+    // tries to shorten an existing COMPLIANCE retention or pass
+    // bypassGovernance against COMPLIANCE. Real S3 also refuses but
+    // MinIO and other S3-compatible backends are implementation-
+    // dependent; the framework's job is defense-in-depth, not
+    // passthrough. Adds one RTT (the GET) to every PUT — acceptable.
+    //
+    // The pre-check is a soft gate: when the backend can't surface the
+    // existing retention (parse error, no-such-object, etc.), the
+    // framework falls through to the PUT and lets the backend's own
+    // enforcement handle it. The pre-check is value-add, not
+    // load-bearing.
+    return getObjectRetention(name, key).then(function (existing) {
+      if (existing && existing.mode === "COMPLIANCE") {
+        if (opts.bypassGovernance === true) {
+          throw new ObjectStoreError("objectstore/compliance-bypass-refused",
+            "setObjectRetention: bypassGovernance refused — existing retention mode is COMPLIANCE (cannot be bypassed by anyone, including root)", true);
+        }
+        if (opts.retainUntil && existing.retainUntil &&
+            opts.retainUntil.getTime() < existing.retainUntil.getTime()) {
+          throw new ObjectStoreError("objectstore/compliance-shortening-refused",
+            "setObjectRetention: cannot shorten COMPLIANCE retention (existing=" +
+            existing.retainUntil.toISOString() + ", proposed=" +
+            opts.retainUntil.toISOString() + ")", true);
+        }
+      }
+      return _doSetRetention(name, key, opts);
+    }, function (e) {
+      // Re-throw the framework's own COMPLIANCE refusals; everything
+      // else (parse errors, transient network errors, malformed
+      // backend responses) falls through to the PUT.
+      if (e && typeof e.code === "string" &&
+          e.code.indexOf("objectstore/compliance-") === 0) {
+        throw e;
+      }
+      return _doSetRetention(name, key, opts);
+    });
+  }
+
+  function _doSetRetention(name, key, opts) {
     var bodyXml = _buildRetentionXml(opts);
     var bodyBuf = Buffer.from(bodyXml, "utf8");
     var url = _objectUrl(name, key, { retention: "" });

package/lib/observability-otlp-exporter.js

@@ -41,6 +41,33 @@ var { defineClass } = require("./framework-error");
 var OtlpExporterError = defineClass("OtlpExporterError", { alwaysPermanent: true });
 
 var observability = lazyRequire(function () { return require("./observability"); });
+var httpClient    = lazyRequire(function () { return require("./http-client"); });
+
+// Default OTLP transport — uses the framework's own b.httpClient
+// (node:https through the PQC-hybrid agent + cert-pinning + SSRF
+// guard) rather than globalThis.fetch. Operators with a sidecar
+// collector that must be addressed via fetch (Cloudflare Workers,
+// Deno, fetch-only edge runtimes) override fetchImpl explicitly.
+// Returning a fetch-shaped { ok, status } so the existing _post
+// path stays the same regardless of which transport ran.
+function _defaultFetchImpl(endpoint, init) {
+  var hc = httpClient();
+  return hc.request({
+    url:           endpoint,
+    method:        init && init.method  ? init.method  : "POST",
+    headers:       init && init.headers ? init.headers : {},
+    body:          init && init.body    ? init.body    : "",
+    timeoutMs:     0,
+    responseMode:  "always-resolve",
+    allowInternal: true,
+  }).then(function (res) {
+    var status = res && res.statusCode;
+    return {
+      ok:     status >= 200 && status < 300,                                       // allow:raw-byte-literal — HTTP status ranges
+      status: status,
+    };
+  });
+}
 
 var DEFAULT_BATCH_SIZE         = 200;                                              // allow:raw-byte-literal — OTLP recommended batch
 var DEFAULT_MAX_QUEUE_SIZE     = 4096;                                             // allow:raw-byte-literal — operator-side queue cap
@@ -206,10 +233,16 @@ function create(opts) {
   var maxAttempts = opts.maxAttempts || DEFAULT_MAX_ATTEMPTS;
   var backoffInitial = opts.backoffInitialMs || DEFAULT_BACKOFF_INITIAL_MS;
   var backoffMax     = opts.backoffMaxMs     || DEFAULT_BACKOFF_MAX_MS;
-  var fetchImpl  = opts.fetchImpl    || ((typeof globalThis.fetch === "function") ? globalThis.fetch.bind(globalThis) : null);
+  // Default transport is the framework's b.httpClient (node:https +
+  // PQC-hybrid agent + SSRF guard). globalThis.fetch was the prior
+  // default; it leaked an outbound network surface that supply-chain
+  // scanners flagged because nothing in the framework's TLS posture
+  // wired through it. Operators on fetch-only runtimes still override
+  // by passing opts.fetchImpl.
+  var fetchImpl  = opts.fetchImpl || _defaultFetchImpl;
   if (typeof fetchImpl !== "function") {
     throw new OtlpExporterError("otlp/no-fetch",
-      "otlpExporter.create: fetchImpl required (globalThis.fetch unavailable)");
+      "otlpExporter.create: opts.fetchImpl must be a function (override the framework default)");
   }
 
   var queue = [];