@blamejs/core 0.7.77 → 0.7.78

package/CHANGELOG.md

@@ -8,6 +8,8 @@ upgrading across more than a few patches at a time.
 
 ## v0.7.x
 
+- **0.7.78** (2026-05-06) — `b.cloudEvents.wrap` / `.parse` — CloudEvents 1.0 envelope (cloudevents.io/spec/v1.0). Vendor-neutral event-format spec adopted by AWS EventBridge, Knative, Azure Event Grid, Google Eventarc, Datadog, and the broader CNCF event ecosystem; operators wrap outbound events from webhook / pubsub / queue boundaries to interop with these consumers without each consumer learning a bespoke shape. **`b.cloudEvents.wrap({ source, type, data?, subject?, time?, id?, datacontenttype?, dataschema?, extensions? })`** produces a CloudEvents 1.0 envelope: required attributes (`id` auto-minted as RFC 4122 v4 UUID when omitted, `source`, `specversion="1.0"`, `type`, `time` auto-set to `new Date().toISOString()`), optional attributes (`subject`, `datacontenttype` auto-set to `"application/json"` when `data` is JSON-serializable or `"application/octet-stream"` when `data` is a `Buffer` — base64-encoded into `data_base64`, `dataschema`), plus operator-defined extension attributes that conform to the §3.1 naming rules (lowercase ASCII alnum, 1-20 chars). **`b.cloudEvents.parse(envelope)`** validates the envelope shape and returns a structured form with `extensions` surfaced as a separate object so consumers can route on operator-defined fields without grepping the envelope. Refuses `data` + `data_base64` together (CloudEvents §3.1.1), unsupported specversion, missing required attributes, malformed extension names. **Test cleanup**: the `testAuditSafeEmitRedacts` smoke fixture from v0.7.75 now registers the `test` audit namespace before emitting so the audit handler's noise log line ("namespace 'test' is not registered") doesn't appear in CI smoke output.
+
 - **0.7.77** (2026-05-06) — Argon2 switched from vendored prebuilds to Node's built-in `crypto.argon2*` (Node 24+). The framework's `lib/vendor/argon2/` directory (with the `argon2.cjs` bundle and the `prebuilds/` tree of platform-specific `.glibc.node` / `.musl.node` artifacts for darwin-arm64 / darwin-x64 / freebsd-arm64 / freebsd-x64 / linux-arm / linux-arm64 / linux-x64 / win32-x64) is **deleted**. New `lib/argon2-builtin.js` is a thin wrapper over `crypto.argon2Sync` that produces and parses the PHC string format (`$argon2id$v=19$m=...,t=...,p=...$<salt>$<hash>`). Wire-format compatibility preserved: existing rows in operator databases continue to verify. Behavior preserved: `b.auth.password.hash` / `.verify` / `.needsRehash` retain their async signatures and return shapes; `b.vault.wrap` and `b.backupCrypto.deriveKey` use the same `raw: true` path for raw-bytes output. Operators wanting to supply their own argon2 implementation (pinned upstream, hardware-accelerated, etc.) override at the call site via `opts.argon2` — the supplied object MUST expose the same `hash` / `verify` / `needsRehash` shape. Drops ~440 KB of platform-specific native prebuilds from the repository and shipped npm tarball; eliminates a supply-chain hop. The vendor manifest's `argon2` entry is removed; `scripts/vendor-update.sh argon2` now refuses with a pointer to `lib/argon2-builtin.js`.
 
 - **0.7.76** (2026-05-06) — CVE-class web hardening sweep — Trojan Source (CVE-2021-42574) log defense + drive-by-MIME attachment opt for `staticServe`. **Trojan Source defense** in `b.log` output: every log line now post-processes Unicode bidi / format-control characters (U+061C / U+200E-200F / U+202A-202E / U+2066-2069) into their `\uXXXX` literal escape on the wire so a hostile log message can't re-order the visible line in a TTY / syslog / file reader. JSON.stringify alone does NOT escape these codepoints, so a captured-error message containing `U+202E` (RIGHT-TO-LEFT OVERRIDE) survives into the log surface and silently flips visible field/key associations. The escape applies to the entire serialized JSON line including any extras / bound-context fields. **`staticServe.create({ safeAttachmentForRiskyMimes: true })`** — opt-in flag that adds `Content-Disposition: attachment` to responses whose Content-Type is in the risky-inline-MIME set (`text/html`, `text/xml`, `application/xml`, `application/xhtml+xml`, `image/svg+xml`, `application/javascript`, `text/javascript`, `application/x-javascript`). Defends against drive-by execution of user-uploaded HTML / JS / SVG (CVE-2017-15012 SVG XSS / CVE-2009-1312 HTML drive-by class). Default `false` — operators serving framework asset bundles continue to render inline; operators serving user-content directories opt in. Filename is RFC 5987-encoded (ASCII filename + `filename*=UTF-8''...`) so non-ASCII filenames survive without allowing CR/LF header injection.

package/index.js

@@ -211,6 +211,7 @@ var fileUpload = require("./lib/file-upload");
 var dualControl = require("./lib/dual-control");
 var retention = require("./lib/retention");
 var network = require("./lib/network");
+var cloudEvents = require("./lib/cloud-events");
 
 module.exports = {
   crypto:           crypto,
@@ -357,6 +358,7 @@ module.exports = {
   dualControl:      dualControl,
   retention:        retention,
   network:          network,
+  cloudEvents:      cloudEvents,
   ntpCheck:         ntpCheck,
   version:          constants.version,
 };

package/lib/cloud-events.js

@@ -0,0 +1,210 @@
+"use strict";
+/**
+ * CloudEvents 1.0 envelope (cloudevents.io/spec/v1.0).
+ *
+ * A vendor-neutral event-format spec adopted by AWS EventBridge,
+ * Knative, Azure Event Grid, Google Eventarc, Datadog, and the
+ * CNCF event ecosystem. Operators wrap outbound events from
+ * webhook / pubsub / queue boundaries to interop with these
+ * consumers without each consumer having to learn a bespoke shape.
+ *
+ *   var ce = b.cloudEvents.wrap({
+ *     source: "/services/orders",
+ *     type:   "com.example.order.created",
+ *     subject: "order/o-1234",
+ *     data:    { id: "o-1234", total: 4250 },
+ *   });
+ *   // → {
+ *   //     specversion: "1.0",
+ *   //     id:          "<auto-uuid-v4>",
+ *   //     source:      "/services/orders",
+ *   //     type:        "com.example.order.created",
+ *   //     time:        "2026-05-06T...",
+ *   //     subject:     "order/o-1234",
+ *   //     datacontenttype: "application/json",
+ *   //     data:        { id: "o-1234", total: 4250 },
+ *   //   }
+ *
+ *   var ce = b.cloudEvents.parse(envelope);   // throws on shape violation
+ *
+ * Spec compliance — REQUIRED attributes (CloudEvents §3.1):
+ *   id, source, specversion, type
+ *
+ * OPTIONAL attributes:
+ *   datacontenttype, dataschema, subject, time, data, data_base64
+ *
+ * Operator-defined extension attributes are passed through unchanged
+ * if they conform to the spec's naming rules (lowercase ASCII letters
+ * + digits, length 1–20).
+ */
+
+var nodeCrypto = require("crypto");
+var validateOpts = require("./validate-opts");
+var { defineClass } = require("./framework-error");
+
+var CloudEventsError = defineClass("CloudEventsError", { alwaysPermanent: true });
+
+var SPECVERSION = "1.0";
+
+// CloudEvents §3.1 — required string attributes.
+var REQUIRED_ATTRS = ["id", "source", "specversion", "type"];
+
+// CloudEvents §3.1 — known optional attributes (other strings get
+// passed through as extension attributes if they conform to the
+// naming rules).
+var KNOWN_OPTIONAL_ATTRS = {
+  datacontenttype: 1,
+  dataschema:      1,
+  subject:         1,
+  time:            1,
+  data:            1,
+  data_base64:     1,
+};
+
+// CloudEvents §3.1 attribute naming — lowercase letters + digits,
+// length 1-20.
+var EXT_ATTR_NAME_RE = /^[a-z0-9]{1,20}$/;
+
+function _isoNow() { return new Date().toISOString(); }
+
+function _genId() {
+  // RFC 4122 v4 UUID — 16 random bytes with version + variant bits.
+  return nodeCrypto.randomUUID();
+}
+
+// ---- wrap ----
+
+function wrap(opts) {
+  validateOpts.requireObject(opts, "cloudEvents.wrap", CloudEventsError);
+  validateOpts.requireNonEmptyString(opts.source,
+    "cloudEvents.wrap: source", CloudEventsError, "cloud-events/bad-source");
+  validateOpts.requireNonEmptyString(opts.type,
+    "cloudEvents.wrap: type", CloudEventsError, "cloud-events/bad-type");
+  validateOpts.optionalNonEmptyString(opts.id,
+    "cloudEvents.wrap: id", CloudEventsError, "cloud-events/bad-id");
+  validateOpts.optionalNonEmptyString(opts.subject,
+    "cloudEvents.wrap: subject", CloudEventsError, "cloud-events/bad-subject");
+  validateOpts.optionalNonEmptyString(opts.time,
+    "cloudEvents.wrap: time", CloudEventsError, "cloud-events/bad-time");
+  validateOpts.optionalNonEmptyString(opts.datacontenttype,
+    "cloudEvents.wrap: datacontenttype", CloudEventsError, "cloud-events/bad-datacontenttype");
+  validateOpts.optionalNonEmptyString(opts.dataschema,
+    "cloudEvents.wrap: dataschema", CloudEventsError, "cloud-events/bad-dataschema");
+
+  var out = {
+    specversion: SPECVERSION,
+    id:          opts.id || _genId(),
+    source:      opts.source,
+    type:        opts.type,
+    time:        opts.time || _isoNow(),
+  };
+  if (opts.subject !== undefined && opts.subject !== null) out.subject = opts.subject;
+  if (opts.dataschema !== undefined && opts.dataschema !== null) out.dataschema = opts.dataschema;
+
+  // data — choose JSON vs binary based on Buffer-ness; auto-set
+  // datacontenttype when caller doesn't supply one.
+  if (opts.data !== undefined) {
+    if (Buffer.isBuffer(opts.data)) {
+      out.data_base64 = opts.data.toString("base64");
+      out.datacontenttype = opts.datacontenttype || "application/octet-stream";
+    } else {
+      out.data = opts.data;
+      out.datacontenttype = opts.datacontenttype || "application/json";
+    }
+  } else if (opts.datacontenttype) {
+    out.datacontenttype = opts.datacontenttype;
+  }
+
+  // Extension attributes — operator-defined, must conform to the
+  // §3.1 naming rules (lowercase ASCII alnum, 1-20 chars).
+  if (opts.extensions !== undefined && opts.extensions !== null) {
+    validateOpts.optionalPlainObject(opts.extensions,
+      "cloudEvents.wrap: extensions", CloudEventsError, "cloud-events/bad-extensions");
+    var extKeys = Object.keys(opts.extensions);
+    for (var i = 0; i < extKeys.length; i += 1) {
+      var k = extKeys[i];
+      // bound BEFORE regex test — k.length > 0 && k.length <= 20
+      if (typeof k !== "string" || k.length === 0 || k.length > 20 || !EXT_ATTR_NAME_RE.test(k)) {
+        throw new CloudEventsError("cloud-events/bad-extension-name",
+          "cloudEvents.wrap: extension '" + k + "' must match [a-z0-9]{1,20}");
+      }
+      if (REQUIRED_ATTRS.indexOf(k) !== -1 || KNOWN_OPTIONAL_ATTRS[k]) {
+        throw new CloudEventsError("cloud-events/extension-conflicts-with-spec",
+          "cloudEvents.wrap: extension '" + k + "' conflicts with a spec attribute");
+      }
+      out[k] = opts.extensions[k];
+    }
+  }
+  return out;
+}
+
+// ---- parse ----
+
+function parse(envelope) {
+  if (!envelope || typeof envelope !== "object" || Array.isArray(envelope)) {
+    throw new CloudEventsError("cloud-events/bad-envelope",
+      "cloudEvents.parse: envelope must be a plain object");
+  }
+  for (var i = 0; i < REQUIRED_ATTRS.length; i += 1) {
+    var k = REQUIRED_ATTRS[i];
+    if (typeof envelope[k] !== "string" || envelope[k].length === 0) {
+      throw new CloudEventsError("cloud-events/missing-required",
+        "cloudEvents.parse: required attribute '" + k + "' missing or empty (CloudEvents §3.1)");
+    }
+  }
+  if (envelope.specversion !== SPECVERSION) {
+    throw new CloudEventsError("cloud-events/unsupported-specversion",
+      "cloudEvents.parse: specversion='" + envelope.specversion +
+      "' is not supported (this primitive implements CloudEvents 1.0)");
+  }
+  if (envelope.data !== undefined && envelope.data_base64 !== undefined) {
+    throw new CloudEventsError("cloud-events/data-conflict",
+      "cloudEvents.parse: envelope has both 'data' and 'data_base64' (CloudEvents §3.1.1)");
+  }
+
+  // Decode binary data if the envelope used base64 mode.
+  var decodedData = envelope.data;
+  if (envelope.data_base64 !== undefined) {
+    if (typeof envelope.data_base64 !== "string") {
+      throw new CloudEventsError("cloud-events/bad-data-base64",
+        "cloudEvents.parse: data_base64 must be a string");
+    }
+    try { decodedData = Buffer.from(envelope.data_base64, "base64"); }
+    catch (e) {
+      throw new CloudEventsError("cloud-events/bad-data-base64",
+        "cloudEvents.parse: data_base64 decode failed: " + ((e && e.message) || String(e)));
+    }
+  }
+
+  // Surface extension attributes separately so consumers can route on
+  // operator-defined fields without grepping the envelope.
+  var extensions = {};
+  var keys = Object.keys(envelope);
+  for (var j = 0; j < keys.length; j += 1) {
+    var key = keys[j];
+    if (REQUIRED_ATTRS.indexOf(key) !== -1) continue;
+    if (KNOWN_OPTIONAL_ATTRS[key]) continue;
+    extensions[key] = envelope[key];
+  }
+
+  return {
+    specversion:     envelope.specversion,
+    id:              envelope.id,
+    source:          envelope.source,
+    type:            envelope.type,
+    time:            envelope.time || null,
+    subject:         envelope.subject || null,
+    datacontenttype: envelope.datacontenttype || null,
+    dataschema:      envelope.dataschema || null,
+    data:            decodedData,
+    extensions:      extensions,
+  };
+}
+
+module.exports = {
+  wrap:             wrap,
+  parse:            parse,
+  SPECVERSION:      SPECVERSION,
+  REQUIRED_ATTRS:   REQUIRED_ATTRS,
+  CloudEventsError: CloudEventsError,
+};

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@blamejs/core",
-  "version": "0.7.77",
+  "version": "0.7.78",
   "description": "The Node framework that owns its stack.",
   "license": "Apache-2.0",
   "author": "blamejs contributors",

package/sbom.cyclonedx.json

@@ -2,10 +2,10 @@
   "$schema": "http://cyclonedx.org/schema/bom-1.5.schema.json",
   "bomFormat": "CycloneDX",
   "specVersion": "1.5",
-  "serialNumber": "urn:uuid:3d6aa43b-6da6-44c8-a687-434e93ef3b07",
+  "serialNumber": "urn:uuid:357e4142-2f9f-4e03-8132-644e87b5224e",
   "version": 1,
   "metadata": {
-    "timestamp": "2026-05-06T04:48:07.561Z",
+    "timestamp": "2026-05-06T05:12:59.485Z",
     "lifecycles": [
       {
         "phase": "build"
@@ -19,14 +19,14 @@
       }
     ],
     "component": {
-      "bom-ref": "@blamejs/core@0.7.77",
+      "bom-ref": "@blamejs/core@0.7.78",
       "type": "library",
       "name": "blamejs",
-      "version": "0.7.77",
+      "version": "0.7.78",
       "scope": "required",
       "author": "blamejs contributors",
       "description": "The Node framework that owns its stack.",
-      "purl": "pkg:npm/%40blamejs/core@0.7.77",
+      "purl": "pkg:npm/%40blamejs/core@0.7.78",
       "properties": [],
       "externalReferences": [
         {
@@ -54,7 +54,7 @@
   "components": [],
   "dependencies": [
     {
-      "ref": "@blamejs/core@0.7.77",
+      "ref": "@blamejs/core@0.7.78",
       "dependsOn": []
     }
   ]