@blamejs/core 0.7.74 → 0.7.75

package/CHANGELOG.md

@@ -8,6 +8,8 @@ upgrading across more than a few patches at a time.
 
 ## v0.7.x
 
+- **0.7.75** (2026-05-06) — Audit-emit redaction pipeline. `b.audit.safeEmit` now scrubs the `actor` / `reason` / `metadata` fields through `b.redact.redact()` before they hit the audit handler. Operators who pass `metadata: { reason: e.message }` from a caught error could land DB connection strings, bearer tokens, JWT compact-serialization fixtures, AWS access keys, PEM private keys, SSH keys, credit cards, and SSNs in audit rows; the redact pipeline catches the common shapes (sensitive field names + value-shape detectors) and replaces them with markers (`[REDACTED]`, `[REDACTED-CONN-STRING]`, `[REDACTED-JWT]`, `[REDACTED-PEM]`, `[REDACTED-AWS-KEY]`, `[REDACTED-CC]`, `[REDACTED-SSN]`, `[REDACTED-SEALED]`, `[REDACTED-SSH-KEY]`). The `b.redact` primitive existed in lib/ since v0.4.x but was dead code — `audit.safeEmit` previously passed metadata through unchanged. New connection-string detector matches `protocol://user:pass@host` shapes that surface in error messages from external-DB / SMTP / HTTP drivers (RFC 3986 generic syntax). Drop-silent on redact failure — the pipeline never breaks the caller's audit attempt.
+
 - **0.7.74** (2026-05-06) — Email receive-side parity: DMARC aggregate (RUA) report parser + ARC trust evaluation + Authentication-Results header builder + TLS-RPT receive-side report parser. Closes the "framework can send mail compliantly but can't receive compliantly" gap. **`b.mail.dmarc.parseAggregateReport(xmlBytes, { contentType? })`** parses RFC 7489 §7.2 aggregate XML reports through the framework's existing `lib/parsers/safe-xml.js` (the existing security-focused XML parser handles XXE / DOCTYPE / entity-expansion defenses by default). Auto-detects gzip via magic bytes (`0x1f 0x8b`) or `Content-Type: application/gzip`. Returns `{ reportMetadata, policyPublished, records, totals }` with per-record source-IP / count / policy-evaluated dispositions / identifiers / DKIM + SPF auth results, plus aggregated `messages` / `aligned` / `notAligned` totals operators want for dashboards. Caps report size at 8 MiB and records-per-report at 10 000. **`b.mail.arc.evaluate(rfc822, { trustedSealers })`** wraps the existing `arc.verify` cryptographic chain check with the operator-side trust decision: given a passing chain, did any hop in the chain belong to a sealer the operator trusts? Returns `{ chainStatus, trusted, trustedHop, trustedDomain }` walking hops most-recent-first so the deepest trusted sealer wins. **`b.mail.authResults.emit({ authservId, results, fold? })`** builds the RFC 8601 Authentication-Results header value — operators consume per-method results from `b.mail.spf.verify` / `b.mail.dmarc.evaluate` / `b.mail.arc.verify`, hand them to `.emit`, and the framework formats the conformant header string with method-specific properties (`smtp.mailfrom`, `header.d`, `header.from`, `policy.iprev`, `policy.ip`, `policy.tls`). Refuses unknown methods / results at config-mistake time. **`b.network.smtp.tlsRpt.parseReport(body, { contentType? })`** is the receive-side counterpart to `tlsRpt.recordShape` / `tlsRpt.submit` — accepts a Buffer or string, auto-detects gzip, parses JSON, validates the RFC 8460 §4.4 required-fields shape (`organization-name`, `date-range`, `report-id`, `policies`), aggregates `total-successful-session-count` / `total-failure-session-count` across policies. Caps report size at 8 MiB and policies-per-report at 1024.
 
 - **0.7.73** (2026-05-06) — `b.auth.aal` + `b.middleware.requireAal({ minimum })` — NIST SP 800-63-4 Authentication Assurance Level bands. **`b.auth.aal.fromMethods({ password, totp, webauthn, ... })`** combines a set of operator-asserted authenticator methods into the resulting band: `AAL1` (single factor — memorized secret OR single-factor cryptographic), `AAL2` (multi-factor — memorized secret + OTP/SMS/hardware/mTLS), `AAL3` (phishing-resistant multi-factor — WebAuthn / passkey / hardware-+-PIN). Recognized methods: `password`, `pin`, `totp`, `sms`, `webauthn`, `passkey`, `hardware`, `mtls`. **`b.middleware.requireAal({ minimum, getAal?, audit?, realm? })`** gates routes by the request's AAL band — reads `req.user.aal` by default (or operator-supplied `getAal(req)`), compares against the minimum, returns 401 with `WWW-Authenticate: AAL-StepUp realm="...", required="AAL2"` on insufficient assurance. The bespoke scheme name signals to the operator's frontend that a step-up flow should be triggered (re-prompt for TOTP / passkey) without reusing the generic `Bearer` challenge namespace. Audit emits `auth.aal.granted` / `auth.aal.denied` (drop-silent on observability sink failure). The framework leaves AMR/ACR claim emission to the operator's IdP; the new `b.auth.aal.AMR` constants object provides consistent OIDC-conformant strings for operators emitting access tokens with AAL info. Also exposes `b.auth.aal.meets(actual, required)` for ad-hoc band comparisons outside the middleware. **CI vendor-manifest gate fix**: vendor files now have an explicit `.gitattributes` `lib/vendor/** -text binary` declaration so git never rewrites line endings between Windows and Linux checkouts. The `lib/vendor/noble-ciphers.cjs` file was renormalized to LF on disk and re-hashed in `lib/vendor/MANIFEST.json`. Closes the v0.7.65–0.7.72 npm-publish.yml smoke-test failures (`vendor manifest: @noble/ciphers :: server hash matches`).

package/lib/audit.js

@@ -44,6 +44,7 @@ var { generateToken } = require("./crypto");
 var cryptoField = require("./crypto-field");
 var handlers = require("./handlers");
 var { boot } = require("./log");
+var redact = require("./redact");
 var safeAsync = require("./safe-async");
 var C = require("./constants");
 var lazyRequire = require("./lazy-require");
@@ -734,13 +735,30 @@ function safeEmit(event) {
   if (!event || typeof event !== "object") return;
   if (typeof event.action !== "string") return;  // can't emit without an action
   try {
+    // Scrub credentials before they hit the audit handler. Operators
+    // who pass `metadata: { reason: e.message }` from a caught error
+    // can land DB connection strings, bearer tokens, and JWT compact-
+    // serialization fixtures in audit rows; redact.redact() catches the
+    // common shapes (sensitive field names + value-shape detectors:
+    // credit-card / JWT / PEM / AWS key / SSN / connection string) and
+    // replaces them with markers. Same pass also applies to actor +
+    // reason so the entire event surface is consistent. Drop-silent on
+    // redact failure — never break the caller's audit attempt.
+    var actor = event.actor || {};
+    var reason = event.reason || null;
+    var metadata = event.metadata || null;
+    try {
+      actor = redact.redact(actor);
+      if (reason !== null) reason = redact.redact(reason);
+      if (metadata !== null) metadata = redact.redact(metadata);
+    } catch (_e) { /* fall through with original values */ }
     _ensureHandler().emit({
-      actor:     event.actor    || {},
+      actor:     actor,
       action:    event.action,
       resource:  event.resource || null,
       outcome:   event.outcome  || "success",
-      reason:    event.reason   || null,
-      metadata:  event.metadata || null,
+      reason:    reason,
+      metadata:  metadata,
       requestId: event.requestId || null,
     });
   } catch (_e) { /* audit best-effort — never break the caller */ }

package/lib/redact.js

@@ -23,6 +23,8 @@
  *   redact.MARKER                            → '[REDACTED]'
  */
 
+var C = require("./constants");
+
 var DEFAULT_MARKER = "[REDACTED]";
 
 // Field names that are always redacted, regardless of value contents.
@@ -97,6 +99,22 @@ var VALUE_DETECTORS = [
     test:        function (v) { return typeof v === "string" && /^\d{3}-?\d{2}-?\d{4}$/.test(v); },
     replacement: "[REDACTED-SSN]",
   },
+  {
+    // Connection-string credential leak — matches `protocol://user:pass@host`
+    // shapes that surface in error messages / metadata.reason fields when
+    // an external-DB driver drops its connect URL into an Error.message.
+    // Replacement preserves the host part for operator triage but redacts
+    // the credentials.
+    name:        "connection-string",
+    test:        function (v) {
+      if (typeof v !== "string" || v.length < C.BYTES.bytes(8)) return false; // bound BEFORE regex test
+      if (v.length > C.BYTES.kib(8)) return false;
+      // user may be empty (e.g. redis://:password@host); password
+      // segment is required to flag this as a credentialed URI.
+      return /\b[a-zA-Z][a-zA-Z0-9+.-]*:\/\/[^\s:/?#]*:[^\s@/?#]+@/.test(v);
+    },
+    replacement: "[REDACTED-CONN-STRING]",
+  },
 ];
 
 var sensitiveFieldsSet = new Set(SENSITIVE_FIELDS);

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@blamejs/core",
-  "version": "0.7.74",
+  "version": "0.7.75",
   "description": "The Node framework that owns its stack.",
   "license": "Apache-2.0",
   "author": "blamejs contributors",

package/sbom.cyclonedx.json

@@ -2,10 +2,10 @@
   "$schema": "http://cyclonedx.org/schema/bom-1.5.schema.json",
   "bomFormat": "CycloneDX",
   "specVersion": "1.5",
-  "serialNumber": "urn:uuid:a82c1893-13c0-448e-a951-71bc3d182da3",
+  "serialNumber": "urn:uuid:029bc278-cc4e-40cb-9b56-3102289527e4",
   "version": 1,
   "metadata": {
-    "timestamp": "2026-05-06T03:56:40.534Z",
+    "timestamp": "2026-05-06T04:13:02.729Z",
     "lifecycles": [
       {
         "phase": "build"
@@ -19,14 +19,14 @@
       }
     ],
     "component": {
-      "bom-ref": "@blamejs/core@0.7.74",
+      "bom-ref": "@blamejs/core@0.7.75",
       "type": "library",
       "name": "blamejs",
-      "version": "0.7.74",
+      "version": "0.7.75",
       "scope": "required",
       "author": "blamejs contributors",
       "description": "The Node framework that owns its stack.",
-      "purl": "pkg:npm/%40blamejs/core@0.7.74",
+      "purl": "pkg:npm/%40blamejs/core@0.7.75",
       "properties": [],
       "externalReferences": [
         {
@@ -54,7 +54,7 @@
   "components": [],
   "dependencies": [
     {
-      "ref": "@blamejs/core@0.7.74",
+      "ref": "@blamejs/core@0.7.75",
       "dependsOn": []
     }
   ]