npm - @blamejs/core - Versions diffs - 0.7.107 → 0.8.4 - Mend

@blamejs/core 0.7.107 → 0.8.4

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (100) hide show

package/CHANGELOG.md +41 -1
package/NOTICE +17 -1
package/README.md +4 -3
package/index.js +15 -0
package/lib/asyncapi-bindings.js +160 -0
package/lib/asyncapi-traits.js +143 -0
package/lib/asyncapi.js +531 -0
package/lib/audit-sign.js +1 -1
package/lib/audit.js +68 -2
package/lib/auth/acr-vocabulary.js +265 -0
package/lib/auth/auth-time-tracker.js +111 -0
package/lib/auth/elevation-grant.js +306 -0
package/lib/auth/jwt.js +13 -0
package/lib/auth/lockout.js +16 -3
package/lib/auth/oauth.js +15 -1
package/lib/auth/password.js +22 -2
package/lib/auth/sd-jwt-vc-issuer.js +2 -2
package/lib/auth/sd-jwt-vc.js +7 -2
package/lib/auth/step-up-policy.js +335 -0
package/lib/auth/step-up.js +445 -0
package/lib/break-glass.js +53 -14
package/lib/cache-redis.js +1 -1
package/lib/cache.js +6 -1
package/lib/cli.js +3 -3
package/lib/cluster.js +24 -1
package/lib/compliance-ai-act-logging.js +190 -0
package/lib/compliance-ai-act-prohibited.js +205 -0
package/lib/compliance-ai-act-risk.js +189 -0
package/lib/compliance-ai-act-transparency.js +200 -0
package/lib/compliance-ai-act.js +558 -0
package/lib/compliance.js +12 -2
package/lib/config-drift.js +2 -2
package/lib/crypto-field.js +21 -1
package/lib/crypto.js +114 -1
package/lib/db.js +35 -4
package/lib/dev.js +30 -3
package/lib/dual-control.js +19 -1
package/lib/external-db.js +10 -0
package/lib/file-upload.js +30 -3
package/lib/flag-cache.js +136 -0
package/lib/flag-evaluation-context.js +135 -0
package/lib/flag-providers.js +279 -0
package/lib/flag-targeting.js +210 -0
package/lib/flag.js +284 -0
package/lib/guard-all.js +33 -16
package/lib/guard-csv.js +16 -2
package/lib/guard-html.js +35 -0
package/lib/guard-svg.js +20 -0
package/lib/http-client.js +57 -11
package/lib/inbox.js +391 -0
package/lib/log-stream-syslog.js +8 -0
package/lib/log-stream.js +1 -1
package/lib/mail-arc-sign.js +372 -0
package/lib/mail-auth.js +2 -0
package/lib/mail.js +40 -0
package/lib/middleware/ai-act-disclosure.js +166 -0
package/lib/middleware/asyncapi-serve.js +136 -0
package/lib/middleware/attach-user.js +25 -2
package/lib/middleware/bearer-auth.js +71 -6
package/lib/middleware/body-parser.js +13 -0
package/lib/middleware/cors.js +10 -0
package/lib/middleware/csrf-protect.js +34 -3
package/lib/middleware/dpop.js +3 -3
package/lib/middleware/flag-context.js +76 -0
package/lib/middleware/host-allowlist.js +1 -1
package/lib/middleware/index.js +15 -0
package/lib/middleware/openapi-serve.js +143 -0
package/lib/middleware/require-aal.js +2 -2
package/lib/middleware/require-step-up.js +186 -0
package/lib/middleware/trace-propagate.js +1 -1
package/lib/mtls-ca.js +23 -29
package/lib/mtls-engine-default.js +21 -1
package/lib/network-tls.js +21 -6
package/lib/object-store/sigv4-bucket-ops.js +41 -0
package/lib/observability-otlp-exporter.js +35 -2
package/lib/openapi-paths-builder.js +248 -0
package/lib/openapi-schema-walk.js +192 -0
package/lib/openapi-security.js +169 -0
package/lib/openapi-yaml.js +154 -0
package/lib/openapi.js +443 -0
package/lib/outbox.js +3 -3
package/lib/permissions.js +10 -1
package/lib/pqc-agent.js +22 -1
package/lib/pqc-software.js +195 -0
package/lib/pubsub.js +8 -4
package/lib/redact.js +26 -1
package/lib/retention.js +26 -0
package/lib/router.js +1 -0
package/lib/scheduler.js +57 -1
package/lib/session.js +3 -3
package/lib/ssrf-guard.js +19 -4
package/lib/static.js +12 -0
package/lib/totp.js +16 -0
package/lib/vault/index.js +3 -0
package/lib/vault-aad.js +259 -0
package/lib/vendor/MANIFEST.json +29 -0
package/lib/vendor/noble-post-quantum.cjs +18 -0
package/lib/ws-client.js +978 -0
package/package.json +1 -1
package/sbom.cyclonedx.json +6 -6

package/lib/pqc-software.js ADDED Viewed

@@ -0,0 +1,195 @@
+"use strict";
+/**
+ * b.pqcSoftware — pure-JS post-quantum primitives sourced from the
+ * vendored @noble/post-quantum bundle (lib/vendor/noble-post-quantum.cjs).
+ *
+ * Usable server-side and client-side. Ciphertexts are FIPS 203
+ * conformant in both directions — encapsulating with Node's WebCrypto
+ * ML-KEM-1024 (used by b.crypto.encrypt / b.middleware.apiEncrypt)
+ * decapsulates with b.pqcSoftware.ml_kem_1024 and vice versa.
+ *
+ * Operator wiring:
+ *
+ *   - Server-side: import b.pqcSoftware directly. Use it as the
+ *     primary PQC path on Node releases without the experimental
+ *     WebCrypto ML-KEM extension, or for reference-implementation
+ *     interop testing against Node WebCrypto / hardware HSMs.
+ *
+ *   - Client-side: re-bundle this module or import @noble/post-quantum
+ *     directly into the build that ships b.middleware.apiEncrypt.client.
+ *
+ * Defaults pin to the highest cat-5 level:
+ *
+ *   - DEFAULT_KEM         = ML-KEM-1024 (FIPS 203)
+ *   - DEFAULT_LATTICE_SIG = ML-DSA-87   (FIPS 204)
+ *   - DEFAULT_HASH_SIG    = SLH-DSA-SHAKE-256f (FIPS 205)
+ *
+ * Public surface (b.pqcSoftware.*):
+ *
+ *   .ml_kem_1024 / .ml_kem_768 / .ml_kem_512   — FIPS 203 KEM objects
+ *   .ml_dsa_87 / .ml_dsa_65 / .ml_dsa_44       — FIPS 204 lattice sig
+ *   .slh_dsa_shake_256f / 192f / 128f          — FIPS 205 (SHAKE)
+ *   .slh_dsa_sha2_256f / 192f / 128f           — FIPS 205 (SHA-2)
+ *
+ *   .DEFAULT_KEM         — alias to ml_kem_1024
+ *   .DEFAULT_LATTICE_SIG — alias to ml_dsa_87
+ *   .DEFAULT_HASH_SIG    — alias to slh_dsa_shake_256f
+ *
+ *   .isAvailable()    — boolean: is the vendored bundle loadable?
+ *   .listAlgorithms() — string[] of algorithm names
+ *
+ * Each KEM / signature object exposes `keygen()` / `encapsulate()` /
+ * `decapsulate()` (KEMs) or `keygen()` / `sign()` / `verify()`
+ * (signatures), matching the @noble/post-quantum API directly.
+ *
+ * Operators chaining this into other primitives:
+ *
+ *   var pqc = b.pqcSoftware;
+ *   var kp  = pqc.DEFAULT_KEM.keygen();
+ *   var enc = pqc.DEFAULT_KEM.encapsulate(kp.publicKey);
+ *   //  enc.cipherText / enc.sharedSecret
+ *
+ * Note on availability: the bundle is a build artifact in
+ * lib/vendor/noble-post-quantum.cjs. In tightly-locked deployments
+ * where operators stripped the vendor directory, .isAvailable()
+ * returns false and the module exposes a stub that throws on every
+ * primitive call.
+ */
+var { defineClass } = require("./framework-error");
+var PqcError = defineClass("PqcError", { alwaysPermanent: true });
+var _vendoredOnce = null;
+var _loadError    = null;
+function _load() {
+  if (_vendoredOnce !== null || _loadError !== null) return _vendoredOnce;
+  try {
+    // Inline-require: deliberate — the vendored bundle is loaded
+    // on-demand so deployments that strip lib/vendor/ still boot
+    // without crashing on first import of this module. Stub fallback
+    // is below.
+    _vendoredOnce = require("./vendor/noble-post-quantum.cjs"); // allow:inline-require — graceful-fallback shim
+    return _vendoredOnce;
+  } catch (e) {
+    _loadError = e;
+    _vendoredOnce = null;
+    return null;
+  }
+}
+function _stubFor(name) {
+  return {
+    info: { type: name, available: false },
+    keygen:      function () { _throwUnavailable(name); },
+    encapsulate: function () { _throwUnavailable(name); },
+    decapsulate: function () { _throwUnavailable(name); },
+    sign:        function () { _throwUnavailable(name); },
+    verify:      function () { _throwUnavailable(name); },
+  };
+}
+function _throwUnavailable(name) {
+  throw new PqcError("pqc-software/unavailable",
+    "b.pqcSoftware." + name + ": vendored bundle lib/vendor/noble-post-quantum.cjs " +
+    "could not be loaded (" + (_loadError && _loadError.message || "unknown") + ") — " +
+    "if this is a deliberately-stripped deployment, use Node WebCrypto ML-KEM " +
+    "(b.crypto.encrypt / decrypt) instead. To restore: " +
+    "scripts/vendor-update.sh @noble/post-quantum");
+}
+function _accessor(name) {
+  var bundle = _load();
+  if (!bundle) return _stubFor(name);
+  var algo = bundle[name];
+  if (!algo) return _stubFor(name);
+  return algo;
+}
+function isAvailable() {
+  return _load() !== null;
+}
+function listAlgorithms() {
+  if (!isAvailable()) return [];
+  return [
+    "ml_kem_512", "ml_kem_768", "ml_kem_1024",
+    "ml_dsa_44",  "ml_dsa_65",  "ml_dsa_87",
+    "slh_dsa_sha2_128f",  "slh_dsa_sha2_192f",  "slh_dsa_sha2_256f",
+    "slh_dsa_shake_128f", "slh_dsa_shake_192f", "slh_dsa_shake_256f",
+  ];
+}
+// Each accessor delegates to the bundle on demand. Naming follows
+// the framework's underscore-separated convention; the bundle uses
+// the same names with `_` already, so they map 1:1.
+var pqc = {
+  PqcError:  PqcError,
+  isAvailable:    isAvailable,
+  listAlgorithms: listAlgorithms,
+};
+Object.defineProperty(pqc, "ml_kem_512", {
+  enumerable: true,
+  get: function () { return _accessor("ml_kem512"); },
+});
+Object.defineProperty(pqc, "ml_kem_768", {
+  enumerable: true,
+  get: function () { return _accessor("ml_kem768"); },
+});
+Object.defineProperty(pqc, "ml_kem_1024", {
+  enumerable: true,
+  get: function () { return _accessor("ml_kem1024"); },
+});
+Object.defineProperty(pqc, "ml_dsa_44", {
+  enumerable: true,
+  get: function () { return _accessor("ml_dsa44"); },
+});
+Object.defineProperty(pqc, "ml_dsa_65", {
+  enumerable: true,
+  get: function () { return _accessor("ml_dsa65"); },
+});
+Object.defineProperty(pqc, "ml_dsa_87", {
+  enumerable: true,
+  get: function () { return _accessor("ml_dsa87"); },
+});
+Object.defineProperty(pqc, "slh_dsa_sha2_128f", {
+  enumerable: true,
+  get: function () { return _accessor("slh_dsa_sha2_128f"); },
+});
+Object.defineProperty(pqc, "slh_dsa_sha2_192f", {
+  enumerable: true,
+  get: function () { return _accessor("slh_dsa_sha2_192f"); },
+});
+Object.defineProperty(pqc, "slh_dsa_sha2_256f", {
+  enumerable: true,
+  get: function () { return _accessor("slh_dsa_sha2_256f"); },
+});
+Object.defineProperty(pqc, "slh_dsa_shake_128f", {
+  enumerable: true,
+  get: function () { return _accessor("slh_dsa_shake_128f"); },
+});
+Object.defineProperty(pqc, "slh_dsa_shake_192f", {
+  enumerable: true,
+  get: function () { return _accessor("slh_dsa_shake_192f"); },
+});
+Object.defineProperty(pqc, "slh_dsa_shake_256f", {
+  enumerable: true,
+  get: function () { return _accessor("slh_dsa_shake_256f"); },
+});
+// Security-first defaults — highest level wins.
+Object.defineProperty(pqc, "DEFAULT_KEM", {
+  enumerable: true,
+  get: function () { return _accessor("ml_kem1024"); },
+});
+Object.defineProperty(pqc, "DEFAULT_LATTICE_SIG", {
+  enumerable: true,
+  get: function () { return _accessor("ml_dsa87"); },
+});
+Object.defineProperty(pqc, "DEFAULT_HASH_SIG", {
+  enumerable: true,
+  get: function () { return _accessor("slh_dsa_shake_256f"); },
+});
+module.exports = pqc;

package/lib/pubsub.js CHANGED Viewed

@@ -379,16 +379,20 @@ function create(opts) {
           ? rv.remote : 1;
       } catch (e) {
         if (auditOn) {
-          try { audit().safeEmit("system.pubsub.publish-failed", {
-            channel: channel, error: (e && e.message) || String(e),
+          try { audit().safeEmit({
+            action: "system.pubsub.publish_failed",
+            outcome: "failure",
+            metadata: { channel: channel, error: (e && e.message) || String(e) },
           }); } catch (_e) { /* */ }
         }
         throw e;
       }
     }
     if (auditOn) {
-      try { audit().safeEmit("system.pubsub.publish", {
-        channel: channel, localDispatched: local, remoteWritten: remote,
+      try { audit().safeEmit({
+        action: "system.pubsub.publish",
+        outcome: "success",
+        metadata: { channel: channel, localDispatched: local, remoteWritten: remote },
       }); } catch (_e) { /* */ }
     }
     return { local: local, remote: remote };

package/lib/redact.js CHANGED Viewed

@@ -35,6 +35,14 @@ var SENSITIVE_FIELDS = [
   "card_number", "cardnumber", "cvc", "cvv", "pin",
   "privatekey", "private_key", "passphrase", "session", "sid",
   "_authtoken", "auth_token", "bearer", "cookie",
+  // Header-shaped variants of api-key — substring matching against a
+  // lowercased field name treats hyphen + underscore + dot as
+  // literal, so each header form needs its own entry.
+  "x-api-key", "x_api_key", "x-apikey", "api-key",
+  // DPoP / OAuth 2.1 / OIDC proof-of-possession + selective-disclosure
+  // fields — operator-error metadata logging often carries these.
+  "jwk", "dpop", "proof", "assertion", "client_assertion", "id_token_hint",
+  "code_verifier", "client_secret", "refresh_token", "access_token",
   // Vault-sealed values (don't log even though they're encrypted —
   // operational logs aren't a place to leak ciphertext shape either)
   // matched separately by value detector below
@@ -74,6 +82,20 @@ var VALUE_DETECTORS = [
     },
     replacement: "[REDACTED-JWT]",
   },
+  {
+    // URL with bearer-shaped query parameter — the parent field is
+    // typically `url` or `referer`, neither of which the field-name
+    // pass redacts. Replace the whole querystring after the marker
+    // so the path stays useful for log triage.
+    name:        "url-bearer-query",
+    test:        function (v) {
+      return typeof v === "string" &&
+        /^[a-zA-Z][a-zA-Z0-9+.-]*:\/\/[^\s]*[?&#](?:access_token|id_token|token|api_key|apikey)=/.test(v);
+    },
+    replacement: function (v) {
+      return String(v).replace(/(access_token|id_token|token|api_key|apikey)=[^&#]*/g, "$1=[REDACTED]");
+    },
+  },
   {
     name:        "pem",
     test:        function (v) { return typeof v === "string" && /-----BEGIN [A-Z ]+-----/.test(v); },
@@ -151,7 +173,10 @@ function _redactValue(value) {
   if (typeof value !== "string") return value;
   var allDetectors = VALUE_DETECTORS.concat(customDetectors);
   for (var i = 0; i < allDetectors.length; i++) {
-    if (allDetectors[i].test(value)) return allDetectors[i].replacement;
+    if (allDetectors[i].test(value)) {
+      var rep = allDetectors[i].replacement;
+      return typeof rep === "function" ? rep(value) : rep;
+    }
   }
   return value;
 }

package/lib/retention.js CHANGED Viewed

@@ -58,6 +58,7 @@
 var C = require("./constants");
 var lazyRequire = require("./lazy-require");
 var validateOpts = require("./validate-opts");
+var safeSql = require("./safe-sql");
 var { defineClass } = require("./framework-error");
 var audit = lazyRequire(function () { return require("./audit"); });
@@ -66,6 +67,21 @@ var cryptoField = require("./crypto-field");
 var RetentionError = defineClass("RetentionError", { alwaysPermanent: true });
 var _err = RetentionError.factory;
+// Identifier-level SQLi defense: every operator-supplied table name,
+// column name, and cascade FK must pass safeSql.validateIdentifier
+// before reaching SQL string concatenation. Without this gate a
+// rule registered with `table: 'users"; DROP TABLE audit_log;--'`
+// would break out of the quoted-identifier wrap and execute the
+// embedded statement.
+function _validateRuleIdentifier(value, label) {
+  try {
+    safeSql.validateIdentifier(value, { allowReserved: true });
+  } catch (e) {
+    throw _err("BAD_RULE",
+      label + " is not a safe SQL identifier: " + (e && e.message || String(e)));
+  }
+}
 function _validateRule(rule) {
   if (!rule || typeof rule !== "object") {
     throw _err("BAD_RULE", "rule must be an object");
@@ -76,9 +92,11 @@ function _validateRule(rule) {
   if (typeof rule.table !== "string" || rule.table.length === 0) {
     throw _err("BAD_RULE", "rule.table (string) is required");
   }
+  _validateRuleIdentifier(rule.table, "rule.table");
   if (typeof rule.ageField !== "string" || rule.ageField.length === 0) {
     throw _err("BAD_RULE", "rule.ageField (string) is required");
   }
+  _validateRuleIdentifier(rule.ageField, "rule.ageField");
   if (typeof rule.ttlMs !== "number" || !isFinite(rule.ttlMs) || rule.ttlMs <= 0) {
     throw _err("BAD_RULE", "rule.ttlMs must be a positive finite number");
   }
@@ -99,10 +117,16 @@ function _validateRule(rule) {
       (typeof rule.softDeleteField !== "string" || rule.softDeleteField.length === 0)) {
     throw _err("BAD_RULE", "rule.softDeleteField must be a non-empty string");
   }
+  if (rule.softDeleteField !== undefined) {
+    _validateRuleIdentifier(rule.softDeleteField, "rule.softDeleteField");
+  }
   if (rule.legalHoldField !== undefined &&
       (typeof rule.legalHoldField !== "string" || rule.legalHoldField.length === 0)) {
     throw _err("BAD_RULE", "rule.legalHoldField must be a non-empty string");
   }
+  if (rule.legalHoldField !== undefined) {
+    _validateRuleIdentifier(rule.legalHoldField, "rule.legalHoldField");
+  }
   if (rule.cascade !== undefined) {
     if (!Array.isArray(rule.cascade) || rule.cascade.length === 0) {
       throw _err("BAD_RULE", "rule.cascade must be a non-empty array of { table, foreignKey } entries");
@@ -113,6 +137,8 @@ function _validateRule(rule) {
           typeof c.foreignKey !== "string" || c.foreignKey.length === 0) {
         throw _err("BAD_RULE", "rule.cascade[" + ci + "] must be { table: string, foreignKey: string }");
       }
+      _validateRuleIdentifier(c.table, "rule.cascade[" + ci + "].table");
+      _validateRuleIdentifier(c.foreignKey, "rule.cascade[" + ci + "].foreignKey");
     }
   }
   if (rule.stages !== undefined) {

package/lib/router.js CHANGED Viewed

@@ -651,6 +651,7 @@ class Router {
         maxHeaderListPairs:        100,                                            // allow:raw-byte-literal — CVE-2024-27983 CONTINUATION-flood cap
         maxSettings:               32,                                             // allow:raw-byte-literal — SETTINGS-frame entry ceiling
         peerMaxConcurrentStreams:  100,                                            // allow:raw-byte-literal — peer-side stream cap
+        maxOutstandingPings:       10,                                             // allow:raw-byte-literal — CVE-2019-9512 ping-flood cap (pin to Node default rather than letting it drift)
         unknownProtocolTimeout:    C.TIME.seconds(10),
       }, tlsOptions), requestHandler);
     } else {

package/lib/scheduler.js CHANGED Viewed

@@ -682,8 +682,63 @@ function create(opts) {
     started = false;
   }
-  return {
+  // Shorthand for the common interval-based registration shape:
+  //   register("rotate-keys", C.TIME.minutes(5), runFn)
+  // is equivalent to schedule({ name, every: 300000, run: runFn }).
+  // Operators wanting cron expressions or job-queue dispatch keep
+  // using schedule() — register() is the every-N-ms direct-function
+  // path. Returns the scheduler instance for method chaining.
+  function register(name, intervalMs, fn) {
+    if (typeof name !== "string" || name.length === 0) {
+      throw _err("INVALID_NAME", "scheduler.register: name must be a non-empty string", true);
+    }
+    if (typeof intervalMs !== "number" || !Number.isFinite(intervalMs) || intervalMs < C.TIME.seconds(1)) {
+      throw _err("INVALID_SPEC",
+        "scheduler.register: intervalMs must be a finite number ≥ 1000", true);
+    }
+    if (typeof fn !== "function") {
+      throw _err("INVALID_SPEC", "scheduler.register: fn must be a function", true);
+    }
+    schedule({ name: name, every: intervalMs, run: fn });
+    return facade;
+  }
+  // Operator-facing health surface — every task with its lifecycle
+  // counters plus an aggregate. Probes / dashboards / readiness gates
+  // get a single object they can serialize. This is `list()` plus
+  // started state and aggregate stats.
+  function getStatus() {
+    var taskList = list();
+    var aggregate = {
+      total:          taskList.length,
+      running:        0,
+      withErrors:     0,
+      totalFires:     0,
+      totalMisses:    0,
+      nonLeaderSkips: 0,
+      tickClaimLost:  0,
+    };
+    for (var i = 0; i < taskList.length; i++) {
+      var t = taskList[i];
+      if (t.running)        aggregate.running        += 1;
+      if (t.lastError)      aggregate.withErrors     += 1;
+      aggregate.totalFires      += t.fires || 0;
+      aggregate.totalMisses     += t.misses || 0;
+      aggregate.nonLeaderSkips  += t.nonLeaderSkips || 0;
+      aggregate.tickClaimLost   += t.tickClaimLost || 0;
+    }
+    return {
+      started:   started,
+      isLeader:  _isLeaderHere(),
+      tasks:     taskList,
+      aggregate: aggregate,
+    };
+  }
+  var facade = {
     schedule:      schedule,
+    register:      register,
+    getStatus:     getStatus,
     start:         start,
     stop:          stop,
     list:          list,
@@ -695,6 +750,7 @@ function create(opts) {
     },
     _resetForTest: _resetForTest,
   };
+  return facade;
 }
 module.exports = {

package/lib/session.js CHANGED Viewed

@@ -238,7 +238,7 @@ async function verify(token, verifyOpts) {
     if ((nowMs - lastActivity) > idleMs) {
       try {
         audit.safeEmit({
-          action: "auth.session.expired_idle", outcome: "warning",
+          action: "auth.session.expired_idle", outcome: "success",
           metadata: { idleMs: nowMs - lastActivity, threshold: idleMs },
         });
       } catch (_ignored) { /* audit best-effort */ }
@@ -253,7 +253,7 @@ async function verify(token, verifyOpts) {
     if ((nowMs - createdAt) > absMs) {
       try {
         audit.safeEmit({
-          action: "auth.session.expired_absolute", outcome: "warning",
+          action: "auth.session.expired_absolute", outcome: "success",
           metadata: { ageMs: nowMs - createdAt, threshold: absMs },
         });
       } catch (_ignored) { /* audit best-effort */ }
@@ -334,7 +334,7 @@ async function verify(token, verifyOpts) {
       try {
         audit.safeEmit({
           action:   "auth.session.fingerprint_drift",
-          outcome:  "warning",
+          outcome:  "success",
           metadata: { hasUserId: !!unsealed.userId,
             anomalyScore: fingerprintAnomalyScore },
         });

package/lib/ssrf-guard.js CHANGED Viewed

@@ -140,10 +140,25 @@ var CLOUD_METADATA_IPS = [
 function _ipv4ToInt(ip) {
   var parts = ip.split(".");
-  return ((parts[0] | 0) << 24 >>> 0) +
-         ((parts[1] | 0) << 16) +
-         ((parts[2] | 0) << 8) +
-          (parts[3] | 0);
+  if (parts.length !== 4) return NaN;
+  var nums = [0, 0, 0, 0];
+  for (var i = 0; i < 4; i += 1) {
+    var s = parts[i];
+    // Strict octet validation: each segment must be 1-3 ASCII digits
+    // representing 0-255. The previous `parts[i] | 0` coerced
+    // anything non-numeric to 0 silently — exposed via cidrContains
+    // (network-allowlist) where a typo'd CIDR could collapse to
+    // 0.0.0.0/16 with no signal.
+    if (typeof s !== "string" || s.length === 0 || s.length > 3) return NaN;
+    if (!/^\d{1,3}$/.test(s)) return NaN;
+    var n = parseInt(s, 10);
+    if (n < 0 || n > 255) return NaN;
+    nums[i] = n;
+  }
+  return ((nums[0] << 24) >>> 0) +
+         (nums[1] << 16) +
+         (nums[2] << 8) +
+          nums[3];
 }
 function _ipv6ToBytes(ip) {

package/lib/static.js CHANGED Viewed

@@ -100,6 +100,12 @@ var DEFAULT_CONTENT_TYPES = {
 var DEFAULTS = Object.freeze({
   defaultMaxAge:                    DEFAULT_MAX_AGE_SEC,
   acceptRanges:                     true,
+  // Per-range byte cap — slowloris-range defense. A single Range
+  // request that asks for 1 GiB pins a worker on a long read; many
+  // concurrent requests asking for the same exhaust the process pool.
+  // The cap rejects ranges larger than maxRangeBytes with 416. Set to
+  // Infinity to opt out (audited reason).
+  maxRangeBytes:                    C.BYTES.mib(64),
   // Empty array = no MIME allowlist gate.
   allowedFileTypes:                 Object.freeze([]),
   // Bandwidth + concurrency caps default to 0 = "no cap". Operators opt
@@ -844,6 +850,12 @@ function create(opts) {
           return _writeError(res, HTTP.RANGE_NOT_SATISFIABLE, "range_not_satisfiable",
             "Range Not Satisfiable", { "Content-Range": "bytes */" + meta.size });
         }
+        if (range && cfg.maxRangeBytes !== Infinity && range.length > cfg.maxRangeBytes) {
+          stats.failures += 1;
+          _emitObs("staticServe.range_too_large", 1, { route: urlPath });
+          return _writeError(res, HTTP.RANGE_NOT_SATISFIABLE, "range_too_large",
+            "Range Not Satisfiable", { "Content-Range": "bytes */" + meta.size });
+        }
         if (range) {
           stats.rangeRequests += 1;
           _emitObs("staticServe.range_requests", 1, { route: urlPath });

package/lib/totp.js CHANGED Viewed

@@ -134,6 +134,22 @@ function _resolveOpts(opts) {
     throw new AuthError("auth-totp/bad-alg",
       "algorithm must be one of " + SUPPORTED_ALGORITHMS.join(", ") + " (got: " + alg + ")");
   }
+  // SHA-256 is supported for back-compat with authenticator apps that
+  // don't yet honor SHA-512. Emit an audit signal each time it's
+  // selected so operator compliance dashboards see which accounts run
+  // on the weaker hash and can plan the migration.
+  if (alg === "sha256") {
+    setImmediate(function () {
+      try {
+        var auditMod = require("./audit");                                          // allow:inline-require — circular-load defense
+        auditMod.safeEmit({
+          action:   "auth.totp.algorithm_downgraded",
+          outcome:  "success",
+          metadata: { algorithm: alg, frameworkDefault: DEFAULT_ALGORITHM },
+        });
+      } catch (_e) { /* drop-silent */ }
+    });
+  }
   var digits = opts.digits != null ? opts.digits : DEFAULT_DIGITS;
   if (typeof digits !== "number" || digits < 6 || digits > 10) {
     throw new AuthError("auth-totp/bad-digits", "digits must be 6–10 (got: " + digits + ")");

package/lib/vault/index.js CHANGED Viewed

@@ -290,10 +290,13 @@ function getMode() {
   return currentMode;
 }
+var vaultAad = require("../vault-aad");
 module.exports = {
   init:                  init,
   seal:                  seal,
   unseal:                unseal,
+  aad:                   vaultAad,
   getKeysJson:           getKeysJson,
   getCurrentPassphrase:  getCurrentPassphrase,
   getMode:               getMode,