@blamejs/core 0.7.83 → 0.7.84

package/CHANGELOG.md

@@ -8,6 +8,8 @@ upgrading across more than a few patches at a time.
 
 ## v0.7.x
 
+- **0.7.84** (2026-05-06) — `b.crypto.sri(content, { algorithm? })` — Subresource Integrity hash builder per W3C SRI 1.0. Operators emit `<script integrity="sha384-...">` and `<link integrity="sha384-...">` to defend against CDN compromise + ISP MITM injection — the browser refuses to load a resource whose actual hash diverges from the integrity attribute. Default algorithm is `sha384` (W3C §3.2 — collision margin without sha512's 64-byte overhead); `sha256` and `sha512` also accepted, anything else refused. Accepts `Buffer` / `Uint8Array` / `string` / array of those — array inputs emit multiple space-separated integrity tokens per W3C §3.3 multi-integrity (browser picks the strongest it recognizes). Returns the standard `sha###-<base64>` format ready to paste into the `integrity=""` attribute.
+
 - **0.7.83** (2026-05-06) — `b.auth.oauth.endSessionUrl()` (OpenID Connect RP-Initiated Logout) + `b.auth.oauth.pushAuthorizationRequest()` (RFC 9126 PAR). **`endSessionUrl({ idTokenHint?, postLogoutRedirectUri?, state?, logoutHint?, uiLocales?, clientId?, extraParams? })`** builds the URL the operator's `/logout` route redirects the user-agent to so the IdP terminates the session and bounces back to the operator's app. The IdP's `end_session_endpoint` is read from the OIDC discovery document or operator-supplied at `create({ endSessionEndpoint })`. **`pushAuthorizationRequest({ state?, nonce?, prompt?, loginHint?, maxAge?, extraParams? })`** POSTs the authorization-request parameters directly to the IdP's PAR endpoint (mTLS or client-secret authenticated) and returns `{ url, state, nonce, verifier, challenge, requestUri, expiresIn }` — the browser-side redirect URL is `<authorizationEndpoint>?client_id=...&request_uri=...`. Defends against authorization-request parameter tampering by an MITM at the user-agent + against URL-length overflow on long authorization requests (request_uri reference is short). The PAR endpoint is read from the discovery doc's `pushed_authorization_request_endpoint` or operator-supplied at `create({ pushedAuthorizationRequestEndpoint })`. Both helpers throw `auth-oauth/no-end-session-endpoint` / `auth-oauth/no-par-endpoint` when neither the discovery doc nor the operator opts supply the endpoint.
 
 - **0.7.82** (2026-05-06) — `b.mail.bimi` — BIMI record builder + verifier (RFC 9091). BIMI publishes a sender's brand logo URL in DNS so receiving MTAs can render it next to the message in supported clients (Gmail, Yahoo, Apple Mail). **`b.mail.bimi.recordShape({ logoUrl, vmcUrl?, selector? })`** produces the canonical `v=BIMI1; l=https://...; a=https://...` TXT-record string per RFC 9091 §4. Both `l=` (SVG logo URL) and `a=` (Verified Mark Certificate URL per RFC 9091 §6) are HTTPS-required (refuses `http://`). All field values are CR/LF/NUL/semicolon-screened so a hostile URL can't inject a record-separator into the published TXT. **`b.mail.bimi.fetchPolicy(domain, { selector?, dnsLookup? })`** queries `<selector>._bimi.<domain>` (default selector `"default"`) and returns the structured record `{ v, l, a }` or `null` when no policy is published / record is malformed. **`b.mail.bimi.parseRecord(text)`** parses any operator-supplied TXT body — semicolon-separated `key=value` pairs per RFC 9091 §4. The framework does NOT validate the SVG / VMC contents against the RFC §5/§6 profiles — operators feed those to their own asset pipeline; the fetch primitive is a thin DNS lookup that returns the structured record so an operator dashboard or SMTP send-time preflight can verify the publication. BIMI is layered on a passing DMARC posture (the receiver requires DMARC quarantine/reject); operators with the existing `b.mail.dmarc` posture set up benefit from BIMI rendering immediately on receivers that honor it.

package/lib/crypto.js

@@ -95,6 +95,46 @@ function kdf(input, outputLength) { return hash(input, "shake256", outputLength)
 function generateBytes(byteLength) { return Buffer.from(random(byteLength)); }
 function generateToken(byteLength) { return random(byteLength || 32).toString("hex"); }
 
+// ---- Subresource Integrity (W3C SRI 1.0) ----
+//
+// b.crypto.sri(content, { algorithm? }) — returns a `sha###-base64`
+// integrity attribute string operators paste into <script integrity="...">
+// or <link integrity="..."> tags. Defends against CDN compromise + ISP
+// MITM injection — the browser refuses to load the resource when its
+// hash diverges from the integrity attribute.
+//
+// W3C SRI 1.0 §3.2 lists sha256 / sha384 / sha512 as the supported
+// digest algorithms; sha384 is the recommended default (collision
+// margin without sha512's 64-byte overhead).
+//
+//   b.crypto.sri(scriptBuffer, { algorithm: "sha384" })
+//   → "sha384-AbCdEf...="
+//
+//   b.crypto.sri(["a", "b"], { algorithm: "sha384" })   // array → multi-hash
+//   → "sha384-X1... sha384-X2..."   (per W3C §3.3 multi-integrity)
+var SRI_ALGORITHMS = { "sha256": "sha256", "sha384": "sha384", "sha512": "sha512" };
+
+function sri(content, opts) {
+  opts = opts || {};
+  var algorithm = (opts.algorithm || "sha384").toLowerCase();
+  if (!SRI_ALGORITHMS[algorithm]) {
+    throw new Error("crypto.sri: unsupported algorithm '" + algorithm +
+      "' (W3C SRI 1.0 §3.2 supports sha256/sha384/sha512)");
+  }
+  // Array input — emit multiple integrity tokens space-separated per
+  // W3C §3.3 (browser picks the strongest one it recognizes).
+  if (Array.isArray(content)) {
+    return content.map(function (c) { return sri(c, opts); }).join(" ");
+  }
+  var buf;
+  if (Buffer.isBuffer(content)) buf = content;
+  else if (typeof content === "string") buf = Buffer.from(content, "utf8");
+  else if (content instanceof Uint8Array) buf = Buffer.from(content);
+  else throw new Error("crypto.sri: content must be a Buffer, Uint8Array, string, or array of those");
+  var digest = nodeCrypto.createHash(algorithm).update(buf).digest("base64");
+  return algorithm + "-" + digest;
+}
+
 // ---- Key generation ----
 function generateEncryptionKeyPair() {
   var mlkem = generateKeyPair("ml-kem-1024");
@@ -454,6 +494,7 @@ var SUPPORTED_KEM_ALGORITHMS = Object.freeze([
 ]);
 
 module.exports = {
+  sri:                          sri,
   // Hashing
   sha3Hash:                    sha3Hash,
   hmacSha3:                    hmacSha3,

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@blamejs/core",
-  "version": "0.7.83",
+  "version": "0.7.84",
   "description": "The Node framework that owns its stack.",
   "license": "Apache-2.0",
   "author": "blamejs contributors",

package/sbom.cyclonedx.json

@@ -2,10 +2,10 @@
   "$schema": "http://cyclonedx.org/schema/bom-1.5.schema.json",
   "bomFormat": "CycloneDX",
   "specVersion": "1.5",
-  "serialNumber": "urn:uuid:2bb408b6-50d7-4fb3-acf9-332f7472bd70",
+  "serialNumber": "urn:uuid:4072392e-af80-4cf0-a9f7-095c0d6638e0",
   "version": 1,
   "metadata": {
-    "timestamp": "2026-05-06T06:03:44.811Z",
+    "timestamp": "2026-05-06T06:11:44.785Z",
     "lifecycles": [
       {
         "phase": "build"
@@ -19,14 +19,14 @@
       }
     ],
     "component": {
-      "bom-ref": "@blamejs/core@0.7.83",
+      "bom-ref": "@blamejs/core@0.7.84",
       "type": "library",
       "name": "blamejs",
-      "version": "0.7.83",
+      "version": "0.7.84",
       "scope": "required",
       "author": "blamejs contributors",
       "description": "The Node framework that owns its stack.",
-      "purl": "pkg:npm/%40blamejs/core@0.7.83",
+      "purl": "pkg:npm/%40blamejs/core@0.7.84",
       "properties": [],
       "externalReferences": [
         {
@@ -54,7 +54,7 @@
   "components": [],
   "dependencies": [
     {
-      "ref": "@blamejs/core@0.7.83",
+      "ref": "@blamejs/core@0.7.84",
       "dependsOn": []
     }
   ]