@blamejs/core 0.7.78 → 0.7.80

package/CHANGELOG.md

@@ -8,6 +8,10 @@ upgrading across more than a few patches at a time.
 
 ## v0.7.x
 
+- **0.7.80** (2026-05-06) — `b.middleware.securityTxt` (RFC 9116) + SQLite `secure_delete=ON` at DB boot. **`b.middleware.securityTxt({ contact, expires, encryption?, policy?, ack?, preferredLanguages?, hiring?, canonical?, alsoAtRoot?, audit? })`** serves a static body at `/.well-known/security.txt` (and root `/security.txt` when `alsoAtRoot: true`) per RFC 9116. Operators wire it on their app so security researchers know where to find the disclosure policy. The `Contact:` and `Expires:` fields are REQUIRED per §2.5; the framework throws at config-time when either is missing AND when `expires` is in the past (RFC 9116 §2.5.5). All field values are CR/LF/NUL-screened (header injection defense). Body is built once at create() and served with `Content-Length` + `Cache-Control: public, max-age=86400` + `X-Content-Type-Options: nosniff`. **SQLite `PRAGMA secure_delete=ON`** is now applied at `b.db.init` time alongside the existing PRAGMA block. SQLite normally just unlinks rows from the B-tree; the underlying page bytes survive on disk until a new write reuses the slot. With `secure_delete=ON`, freed pages are overwritten with zeros so a forensic recovery against the encrypted database file can't reconstruct deleted rows. The cost is one extra write per delete — already dominated by the framework's audit-chain emissions on every DSR erase / cascade fan-out.
+
+- **0.7.79** (2026-05-06) — PQC TLS handshake key shares + DB hardening sweep (3 items). **`b.network.tls.pqc`** — operator-facing TLS 1.3 key-share configuration. The framework's app-layer envelope has been PQC-first since v0.7.28 (ML-KEM-1024 + X25519 hybrid for sealed records); this slice extends PQC posture down to the **TLS handshake itself**. `b.network.tls.pqc.setKeyShares(["X25519MLKEM768", "X25519", "secp256r1"])` configures the TLS 1.3 key-share groups the framework's `https.Server` / `https.Agent` advertises. The first listed group is the operator priority; the peer picks the first mutually supported entry. **`X25519MLKEM768`** is the IETF draft-kwiatkowski-tls-ecdhe-mlkem-02 hybrid KEM that negotiates post-quantum + classical in one handshake — forward-secrecy survives both classical-CRQC and future quantum cryptanalysis. Default list is `["X25519MLKEM768", "X25519", "secp256r1"]` so the framework attempts hybrid first, falls back to classical X25519 with peers that don't support the hybrid (most of the public web today), and to `secp256r1` for legacy peers. **`b.network.tls.applyToContext({ base })`** now threads the configured key-share list through as the `groups` option to Node's TLS context (operators who explicitly set `groups` in their `base` config keep the override). Operators wanting classical-only call `b.network.tls.pqc.setKeyShares(["X25519"])`; calling `.resetKeyShares()` restores the default. Requires Node 24+ with OpenSSL 3.5+ for the X25519MLKEM768 group; older Node falls back silently to the classical entries. **DB hardening: PRAGMA integrity_check at boot** — `b.db.init` now runs `PRAGMA integrity_check` after the existing PRAGMA block and refuses boot if SQLite reports anything other than `"ok"`. Catches B-tree corruption at boot rather than letting it surface mid-query when the engine stumbles on a bad page. Skip via `opts.skipIntegrityCheck: true` for tmpfs-only fixtures (audited reason). **DB hardening: migration-lock holder ID boot token** — `lib/external-db-migrate.js:_lockHolderId()` now appends a per-process random 8-byte boot token, so a recycled PID-on-hostname slot after a container restart can't be misattributed back to the new boot when reading stale lock rows. Closes the PID-reuse-across-container-restart concurrent-ownership window flagged in the v0.7.67 audit batch.
+
 - **0.7.78** (2026-05-06) — `b.cloudEvents.wrap` / `.parse` — CloudEvents 1.0 envelope (cloudevents.io/spec/v1.0). Vendor-neutral event-format spec adopted by AWS EventBridge, Knative, Azure Event Grid, Google Eventarc, Datadog, and the broader CNCF event ecosystem; operators wrap outbound events from webhook / pubsub / queue boundaries to interop with these consumers without each consumer learning a bespoke shape. **`b.cloudEvents.wrap({ source, type, data?, subject?, time?, id?, datacontenttype?, dataschema?, extensions? })`** produces a CloudEvents 1.0 envelope: required attributes (`id` auto-minted as RFC 4122 v4 UUID when omitted, `source`, `specversion="1.0"`, `type`, `time` auto-set to `new Date().toISOString()`), optional attributes (`subject`, `datacontenttype` auto-set to `"application/json"` when `data` is JSON-serializable or `"application/octet-stream"` when `data` is a `Buffer` — base64-encoded into `data_base64`, `dataschema`), plus operator-defined extension attributes that conform to the §3.1 naming rules (lowercase ASCII alnum, 1-20 chars). **`b.cloudEvents.parse(envelope)`** validates the envelope shape and returns a structured form with `extensions` surfaced as a separate object so consumers can route on operator-defined fields without grepping the envelope. Refuses `data` + `data_base64` together (CloudEvents §3.1.1), unsupported specversion, missing required attributes, malformed extension names. **Test cleanup**: the `testAuditSafeEmitRedacts` smoke fixture from v0.7.75 now registers the `test` audit namespace before emitting so the audit handler's noise log line ("namespace 'test' is not registered") doesn't appear in CI smoke output.
 
 - **0.7.77** (2026-05-06) — Argon2 switched from vendored prebuilds to Node's built-in `crypto.argon2*` (Node 24+). The framework's `lib/vendor/argon2/` directory (with the `argon2.cjs` bundle and the `prebuilds/` tree of platform-specific `.glibc.node` / `.musl.node` artifacts for darwin-arm64 / darwin-x64 / freebsd-arm64 / freebsd-x64 / linux-arm / linux-arm64 / linux-x64 / win32-x64) is **deleted**. New `lib/argon2-builtin.js` is a thin wrapper over `crypto.argon2Sync` that produces and parses the PHC string format (`$argon2id$v=19$m=...,t=...,p=...$<salt>$<hash>`). Wire-format compatibility preserved: existing rows in operator databases continue to verify. Behavior preserved: `b.auth.password.hash` / `.verify` / `.needsRehash` retain their async signatures and return shapes; `b.vault.wrap` and `b.backupCrypto.deriveKey` use the same `raw: true` path for raw-bytes output. Operators wanting to supply their own argon2 implementation (pinned upstream, hardware-accelerated, etc.) override at the call site via `opts.argon2` — the supplied object MUST expose the same `hash` / `verify` / `needsRehash` shape. Drops ~440 KB of platform-specific native prebuilds from the repository and shipped npm tarball; eliminates a supply-chain hop. The vendor manifest's `argon2` entry is removed; `scripts/vendor-update.sh argon2` now refuses with a pointer to `lib/argon2-builtin.js`.

package/lib/db.js

@@ -681,6 +681,37 @@ async function init(opts) {
   // structured `foreignKeys` declarations actually constrain writes.
   runSql(database, "PRAGMA foreign_keys=ON");
 
+  // PRAGMA secure_delete=ON — SQLite normally just unlinks rows from
+  // the B-tree; the underlying page bytes survive on disk until a new
+  // write reuses the slot. With secure_delete=ON, freed pages are
+  // overwritten with zeros so a forensic recovery against the file
+  // can't reconstruct deleted rows. The cost is one extra write per
+  // delete, which the framework's audit-and-DSR-erase path already
+  // dominates with audit-chain emissions and cascade fan-out.
+  runSql(database, "PRAGMA secure_delete=ON");
+
+  // PRAGMA integrity_check — refuse boot on B-tree corruption (per
+  // audit-batch finding). SQLite returns "ok" for a healthy database;
+  // any other result means corruption. Catching it at boot beats
+  // stumbling on it later in a query that hits the bad page. Skip
+  // when opts.skipIntegrityCheck is set (e.g. tmpfs-only fixtures).
+  if (opts.skipIntegrityCheck !== true) {
+    var integrityRows = [];
+    try {
+      // .all-style read; runSql is for statements without rows.
+      integrityRows = database.prepare("PRAGMA integrity_check").all();
+    } catch (e) {
+      throw new DbError("db/integrity-check-failed",
+        "PRAGMA integrity_check failed at boot: " + ((e && e.message) || String(e)));
+    }
+    if (integrityRows.length !== 1 ||
+        !integrityRows[0] || integrityRows[0].integrity_check !== "ok") {
+      throw new DbError("db/integrity-check-failed",
+        "PRAGMA integrity_check reported corruption: " +
+        JSON.stringify(integrityRows));
+    }
+  }
+
   // Refuse app schema entries that collide with framework-reserved names
   for (var ri = 0; ri < opts.schema.length; ri++) {
     if (RESERVED_TABLE_NAMES.has(opts.schema[ri].name)) {

package/lib/external-db-migrate.js

@@ -86,8 +86,16 @@ function _err(code, message) {
   return new ExternalDbMigrateError(code, message);
 }
 
+// Boot-token suffix ensures _lockHolderId() is unique across container
+// restarts even if the OS recycles a PID into the same hostname slot —
+// without it, a stolen-and-released migration lock could be wrongly
+// attributed back to the new boot. The token is process-scoped so
+// every replica picks a fresh one at module load.
+var _BOOT_TOKEN = require("node:crypto").randomBytes(8).toString("hex");          // allow:raw-byte-literal — boot-id token entropy
+
 function _lockHolderId() {
-  return String(process.pid) + "@" + (require("node:os").hostname() || "unknown");
+  return String(process.pid) + "@" +
+    (require("node:os").hostname() || "unknown") + "@" + _BOOT_TOKEN;
 }
 
 async function _ensureTrackingTable(xdb) {

package/lib/middleware/index.js

@@ -40,6 +40,7 @@ var requestLog = require("./request-log");
 var requireAal = require("./require-aal");
 var requireAuth = require("./require-auth");
 var securityHeaders = require("./security-headers");
+var securityTxt = require("./security-txt");
 var sse = require("./sse");
 
 module.exports = {
@@ -62,6 +63,7 @@ module.exports = {
   compression:      compression.create,
   cookies:          cookies.create,
   cspNonce:         cspNonce.create,
+  securityTxt:      securityTxt.create,
   sse:              sse.create,
   requestLog:       requestLog.create,
   apiEncrypt:       apiEncrypt,
@@ -87,6 +89,7 @@ module.exports = {
     health:           health,
     compression:      compression,
     cspNonce:         cspNonce,
+    securityTxt:      securityTxt,
     sse:              sse,
     requestLog:       requestLog,
     apiEncrypt:       apiEncrypt,

package/lib/middleware/security-txt.js

@@ -0,0 +1,132 @@
+"use strict";
+/**
+ * security-txt middleware — RFC 9116 /.well-known/security.txt emitter.
+ *
+ * Operators wire this on their app so security researchers know where
+ * to find the disclosure policy. The middleware serves a static body
+ * at `/.well-known/security.txt` (and root `/security.txt` when
+ * opts.alsoAtRoot is true) per RFC 9116 §3 ("Format" — text/plain
+ * with one field per line, "Field: value" pairs).
+ *
+ *   var txt = b.middleware.securityTxt({
+ *     contact:   ["mailto:security@example.com", "https://example.com/security/report"],
+ *     expires:   "2027-01-01T00:00:00Z",
+ *     encryption:["https://example.com/pgp.asc"],
+ *     policy:    "https://example.com/security/policy",
+ *     ack:       "https://example.com/security/hall-of-fame",
+ *     preferredLanguages: ["en"],
+ *   });
+ *   router.use(txt);
+ *
+ * Per RFC 9116 §2.5, `Contact:` and `Expires:` are REQUIRED. The
+ * middleware throws at config-time when either is missing.
+ *
+ * Per §2.5.1, `Expires:` MUST be a future timestamp; the framework
+ * also throws when the operator-supplied `expires` is in the past.
+ */
+
+var lazyRequire = require("../lazy-require");
+var validateOpts = require("../validate-opts");
+var { defineClass } = require("../framework-error");
+
+var SecurityTxtError = defineClass("SecurityTxtError", { alwaysPermanent: true });
+
+var observability = lazyRequire(function () { return require("../observability"); });
+
+function _arrayOfStrings(value, label) {
+  if (value === undefined || value === null) return [];
+  var arr = Array.isArray(value) ? value : [value];
+  for (var i = 0; i < arr.length; i += 1) {
+    if (typeof arr[i] !== "string" || arr[i].length === 0) {
+      throw new SecurityTxtError("security-txt/bad-" + label,
+        label + "[" + i + "] must be a non-empty string");
+    }
+    if (/[\r\n\0]/.test(arr[i])) {
+      throw new SecurityTxtError("security-txt/bad-" + label,
+        label + "[" + i + "] contains forbidden CR/LF/NUL");
+    }
+  }
+  return arr;
+}
+
+function _isoFuture(s) {
+  if (typeof s !== "string" || s.length === 0) return false;
+  var d = new Date(s);
+  if (isNaN(d.getTime())) return false;
+  return d.getTime() > Date.now();
+}
+
+function create(opts) {
+  validateOpts.requireObject(opts, "middleware.securityTxt", SecurityTxtError);
+  validateOpts(opts, [
+    "contact", "expires", "encryption", "policy", "ack",
+    "preferredLanguages", "hiring", "canonical",
+    "alsoAtRoot", "audit",
+  ], "middleware.securityTxt");
+
+  var contact = _arrayOfStrings(opts.contact, "contact");
+  if (contact.length === 0) {
+    throw new SecurityTxtError("security-txt/no-contact",
+      "middleware.securityTxt: contact is required (RFC 9116 §2.5.3)");
+  }
+  validateOpts.requireNonEmptyString(opts.expires,
+    "middleware.securityTxt: expires", SecurityTxtError, "security-txt/no-expires");
+  if (!_isoFuture(opts.expires)) {
+    throw new SecurityTxtError("security-txt/expires-in-past",
+      "middleware.securityTxt: expires must be a future ISO 8601 timestamp (got '" + opts.expires + "')");
+  }
+  var encryption = _arrayOfStrings(opts.encryption, "encryption");
+  var policy     = _arrayOfStrings(opts.policy,     "policy");
+  var ack        = _arrayOfStrings(opts.ack,        "ack");
+  var canonical  = _arrayOfStrings(opts.canonical,  "canonical");
+  var hiring     = _arrayOfStrings(opts.hiring,     "hiring");
+  var prefLangs  = _arrayOfStrings(opts.preferredLanguages, "preferredLanguages");
+
+  // Build the body once at create time — the response is identical
+  // for every request and the Content-Length is known up front.
+  var lines = [];
+  for (var i = 0; i < contact.length; i += 1) lines.push("Contact: " + contact[i]);
+  lines.push("Expires: " + opts.expires);
+  for (var ei = 0; ei < encryption.length; ei += 1) lines.push("Encryption: " + encryption[ei]);
+  for (var pi = 0; pi < policy.length; pi += 1) lines.push("Policy: " + policy[pi]);
+  for (var ai = 0; ai < ack.length; ai += 1) lines.push("Acknowledgments: " + ack[ai]);
+  for (var ci = 0; ci < canonical.length; ci += 1) lines.push("Canonical: " + canonical[ci]);
+  for (var hi = 0; hi < hiring.length; hi += 1) lines.push("Hiring: " + hiring[hi]);
+  if (prefLangs.length > 0) lines.push("Preferred-Languages: " + prefLangs.join(", "));
+  var body = lines.join("\n") + "\n";
+  var bodyBuf = Buffer.from(body, "utf8");
+  var alsoAtRoot = opts.alsoAtRoot === true;
+
+  return function securityTxtMiddleware(req, res, next) {
+    var url = req.url || "";
+    // Strip query string for the path comparison.
+    var qIdx = url.indexOf("?");
+    var path = qIdx === -1 ? url : url.slice(0, qIdx);
+    var matches = (path === "/.well-known/security.txt") ||
+                  (alsoAtRoot && path === "/security.txt");
+    if (!matches) return next();
+    if (req.method !== "GET" && req.method !== "HEAD") {
+      res.writeHead(405, {                                                       // allow:raw-byte-literal — HTTP 405 status
+        "Allow":          "GET, HEAD",
+        "Content-Type":   "text/plain; charset=utf-8",
+        "Content-Length": 18,                                                    // allow:raw-byte-literal — len of "Method Not Allowed"
+      });
+      res.end("Method Not Allowed");
+      return;
+    }
+    res.writeHead(200, {                                                         // allow:raw-byte-literal — HTTP 200 status
+      "Content-Type":     "text/plain; charset=utf-8",
+      "Content-Length":   bodyBuf.length,
+      "Cache-Control":    "public, max-age=86400",
+      "X-Content-Type-Options": "nosniff",
+    });
+    if (req.method === "HEAD") { res.end(); return; }
+    res.end(bodyBuf);
+    try { observability().safeEvent("middleware.securityTxt.served", 1, { path: path }); }
+    catch (_e) { /* obs best-effort */ }
+  };
+}
+
+module.exports = {
+  create: create,
+};

package/lib/network-tls.js

@@ -17,10 +17,15 @@ var observability = lazyRequire(function () { return require("./observability");
 var audit = lazyRequire(function () { return require("./audit"); });
 var asn1 = require("./asn1-der");
 
+// STATE.tlsKeyShares is initialized to the default PQC group list at
+// module load — operator setKeyShares() overrides; resetKeyShares()
+// restores the default. Empty array means "fall back to Node's TLS
+// default groups" (operator opt-out).
 var STATE = {
   cas:             [],
   systemTrust:     false,
   baselineFingerprints: null,
+  tlsKeyShares:    ["X25519MLKEM768", "X25519", "secp256r1"],
 };
 
 function _normalizePem(pem) {
@@ -267,9 +272,77 @@ function applyToContext(opts) {
     }
   }
   if (caStrings.length > 0) base.ca = caStrings;
+  // PQC TLS handshake — apply the operator-configured key-share groups
+  // (default ["X25519MLKEM768", "X25519"]) so https.Server / https.Agent
+  // negotiate the hybrid KEM with peers that support it and fall back
+  // to classical X25519 with peers that don't. Operators who explicitly
+  // pass `groups` in their base config keep the override.
+  if (base.groups === undefined && STATE.tlsKeyShares.length > 0) {
+    base.groups = STATE.tlsKeyShares.join(":");
+  }
   return base;
 }
 
+// ---- PQC TLS key shares (RFC draft-ietf-tls-hybrid-design) ----
+//
+// b.network.tls.pqc.setKeyShares(["X25519MLKEM768", "X25519"]) — set the
+// TLS 1.3 key-share groups the framework's https.Server / https.Agent
+// will advertise. The first listed group is the priority; the peer
+// picks the first mutually supported entry. Hybrid groups
+// (X25519MLKEM768) negotiate post-quantum + classical in one
+// handshake so forward-secrecy survives both classical-CRQC and
+// future quantum cryptanalysis.
+//
+//   getKeyShares()                                    → string[] (current)
+//   setKeyShares(["X25519MLKEM768", "X25519"])        → string[] (after)
+//   resetKeyShares()                                  → restores default
+
+var DEFAULT_PQC_KEY_SHARES = Object.freeze([
+  "X25519MLKEM768",                                                              // hybrid KEM, draft-kwiatkowski-tls-ecdhe-mlkem-02
+  "X25519",                                                                      // classical fallback
+  "secp256r1",                                                                   // legacy peers
+]);
+
+function _validateKeyShare(name) {
+  if (typeof name !== "string" || name.length === 0 || name.length > C.BYTES.bytes(64)) {  // bound
+    throw new TlsTrustError("tls/bad-key-share",
+      "tls.pqc.setKeyShares: each entry must be a non-empty string up to 64 chars");
+  }
+  // RFC draft-ietf-tls-hybrid-design + IANA TLS Group Registry only
+  // emit alphanumeric + underscore identifiers. Refuse `:` (the join
+  // separator) outright so an operator can't smuggle a second entry
+  // through one slot.
+  if (!/^[A-Za-z0-9_]+$/.test(name)) {
+    throw new TlsTrustError("tls/bad-key-share",
+      "tls.pqc.setKeyShares: '" + name + "' has illegal characters " +
+      "(must match [A-Za-z0-9_]+)");
+  }
+}
+
+function setKeyShares(list) {
+  if (!Array.isArray(list) || list.length === 0) {
+    throw new TlsTrustError("tls/bad-key-shares",
+      "tls.pqc.setKeyShares: must be a non-empty array of group names");
+  }
+  for (var i = 0; i < list.length; i += 1) _validateKeyShare(list[i]);
+  STATE.tlsKeyShares = list.slice();
+  return getKeyShares();
+}
+
+function getKeyShares() { return STATE.tlsKeyShares.slice(); }
+
+function resetKeyShares() {
+  STATE.tlsKeyShares = DEFAULT_PQC_KEY_SHARES.slice();
+  return getKeyShares();
+}
+
+var pqc = Object.freeze({
+  setKeyShares:           setKeyShares,
+  getKeyShares:           getKeyShares,
+  resetKeyShares:         resetKeyShares,
+  DEFAULT_KEY_SHARES:     DEFAULT_PQC_KEY_SHARES,
+});
+
 function getCaPems() {
   return STATE.cas.map(function (e) { return e.pem; });
 }
@@ -307,6 +380,7 @@ function _resetForTest() {
   STATE.cas = [];
   STATE.systemTrust = false;
   STATE.baselineFingerprints = null;
+  STATE.tlsKeyShares = DEFAULT_PQC_KEY_SHARES.slice();
 }
 
 // ---- OCSP / OCSP-stapling wrappers around node:tls ----------------
@@ -1492,6 +1566,7 @@ module.exports = {
   getCaPems:           getCaPems,
   ocsp:                ocsp,
   ct:                  ct,
+  pqc:                 pqc,
   TlsTrustError:       TlsTrustError,
   _resetForTest:       _resetForTest,
 };

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@blamejs/core",
-  "version": "0.7.78",
+  "version": "0.7.80",
   "description": "The Node framework that owns its stack.",
   "license": "Apache-2.0",
   "author": "blamejs contributors",

package/sbom.cyclonedx.json

@@ -2,10 +2,10 @@
   "$schema": "http://cyclonedx.org/schema/bom-1.5.schema.json",
   "bomFormat": "CycloneDX",
   "specVersion": "1.5",
-  "serialNumber": "urn:uuid:357e4142-2f9f-4e03-8132-644e87b5224e",
+  "serialNumber": "urn:uuid:1dbeaa45-dcef-4b96-9342-08799488a713",
   "version": 1,
   "metadata": {
-    "timestamp": "2026-05-06T05:12:59.485Z",
+    "timestamp": "2026-05-06T05:36:24.642Z",
     "lifecycles": [
       {
         "phase": "build"
@@ -19,14 +19,14 @@
       }
     ],
     "component": {
-      "bom-ref": "@blamejs/core@0.7.78",
+      "bom-ref": "@blamejs/core@0.7.80",
       "type": "library",
       "name": "blamejs",
-      "version": "0.7.78",
+      "version": "0.7.80",
       "scope": "required",
       "author": "blamejs contributors",
       "description": "The Node framework that owns its stack.",
-      "purl": "pkg:npm/%40blamejs/core@0.7.78",
+      "purl": "pkg:npm/%40blamejs/core@0.7.80",
       "properties": [],
       "externalReferences": [
         {
@@ -54,7 +54,7 @@
   "components": [],
   "dependencies": [
     {
-      "ref": "@blamejs/core@0.7.78",
+      "ref": "@blamejs/core@0.7.80",
       "dependsOn": []
     }
   ]