@blamejs/core 0.7.87 → 0.7.89

package/CHANGELOG.md

@@ -8,6 +8,10 @@ upgrading across more than a few patches at a time.
 
 ## v0.7.x
 
+- **0.7.89** (2026-05-06) — Three additive primitives bundled: TUS resumable uploads, WebAuthn Signal API, DPoP server-issued nonce challenge. **`b.middleware.tusUpload({ mountPath, store, ... })`** implements the [tus.io](https://tus.io) v1.0.0 resumable-upload protocol — POST creates uploads, HEAD reports offsets, PATCH appends chunks, DELETE terminates. Supported extensions: `creation`, `creation-with-upload`, `expiration`, `checksum`, `termination`. The `checksum` extension defaults to PQC-first algorithms (`sha3-512`, `shake256`) — operators add classical algorithms explicitly via `checksumAlgorithms`. A built-in `b.middleware.tusUpload.memoryStore({ maxSize })` ships for development; production operators implement the `{ create, head, append, setLength, terminate, purgeExpired, getBuffer }` shape against their object-store backend. Bounded chunk collection routes through `safeBuffer.boundedChunkCollector` (cap-enforced at push time, no 10-GiB pre-collect). Concatenation extension (parallel-chunk assembly) deferred — operators that need it compose against their store layer; re-open if a store-layer-only solution proves insufficient. **`b.auth.passkey.signalUnknownCredential` / `signalAllAcceptedCredentials` / `signalCurrentUserDetails`** add the W3C WebAuthn Signal API descriptor builders — when the browser implements `PublicKeyCredential.signal*`, operators emit the matching JSON descriptor to clean up stale passkeys, refresh user details, and surface revocations without forcing a re-registration. All three validate `rpId` / `userId` / `credentialId` shape (base64url) and refuse `name`/`displayName` longer than 256 chars. **`b.middleware.dpop({ requireNonce: true, nonceRotateSec? })`** implements RFC 9449 §8 server-issued DPoP-Nonce challenge — the middleware emits `DPoP-Nonce: <fresh>` on every 401 response, refuses proofs whose `nonce` claim isn't in the rolling current+previous pair, and refreshes the nonce on every successful response. The rolling-pair manager rotates without timers (lazy maybe-rotate on access); no operator nonce store needed. The `getNonce` callback path stays intact for operator-managed nonce flows.
+
+- **0.7.88** (2026-05-06) — `b.middleware.webAppManifest` + `b.middleware.assetlinks` — two static-content middlewares for PWA + Trusted Web Activity support. **`b.middleware.webAppManifest({ name, start_url, icons, ... })`** serves the W3C Web App Manifest at `/manifest.webmanifest` (and `/manifest.json` when `alsoAtJsonPath: true`). The framework JSON-serializes once at create() and serves with `Content-Type: application/manifest+json` per the W3C spec + `Cache-Control: public, max-age=86400` + `X-Content-Type-Options: nosniff`. The W3C-spec attribute set is allowlisted (name / short_name / description / start_url / scope / display / display_override / orientation / theme_color / background_color / icons / screenshots / shortcuts / categories / lang / dir / id / prefer_related_applications / related_applications) — typos throw at create. `name`, `start_url`, and at least one icon are required (W3C — installability minimum). HEAD + GET only. **`b.middleware.assetlinks({ statements })`** serves Digital Asset Links at `/.well-known/assetlinks.json` per Google's spec — used by Trusted Web Activity, Android App Links, Smart Lock for Passwords, WebAuthn for Android. Validates each statement carries `relation` (non-empty array) and `target` (object). Same Content-Type / Cache-Control / X-Content-Type-Options posture as the security.txt + manifest emitters.
+
 - **0.7.87** (2026-05-06) — Two route-guard middlewares for API hardening: `b.middleware.requireMethods` + `b.middleware.requireContentType`. **`b.middleware.requireMethods(["GET", "POST"])`** refuses any HTTP method outside the allowlist with `405 Method Not Allowed` + `Allow:` header listing the allowed methods (per RFC 9110 §15.5.6). Defends against unexpected verb routing — many CVE-class bugs trace to a route handler wired for GET that accidentally accepts arbitrary verbs (PROPFIND, OPTIONS, custom). **`b.middleware.requireContentType(["application/json"])`** refuses requests with a body (POST/PUT/PATCH by default) whose `Content-Type` isn't in the allowlist with `415 Unsupported Media Type` + `Accept:` header listing the allowed types (RFC 9110 §15.5.16). Defends against MIME-type confusion — a route that processes JSON shouldn't accept `application/x-www-form-urlencoded` even if the body parses. Both middlewares emit observability events (`middleware.requireMethods.denied` / `middleware.requireContentType.denied`) on every refusal for triage. Operators wanting to enforce content-type on idempotent verbs that DO carry bodies (rare DELETE-with-body shapes) override the default body-method list via `requireContentType(types, { methods })`.
 
 - **0.7.86** (2026-05-06) — `b.middleware.csrfProtect({ requireJsonContentType: true })` — strict-fetch mode for JSON-only API surfaces. State-changing requests (POST/PUT/PATCH/DELETE) without `Content-Type: application/json` are refused before the token check with `CSRF: state-changing requests require Content-Type: application/json.` and audit emission `csrf.denied` with `reason: "non-JSON content-type: ..."`. The browser's form-encoded POST shape is the canonical CSRF vector — a malicious page can `<form action="/transfer" method=POST>` a victim into a state-changing request without a preflight. An `application/json` body forces a CORS preflight (the browser refuses to skip it for non-simple Content-Type values), so an attacker without an operator-allowlisted CORS origin can't reach the route at all. Default `false` — operators with HTML form submissions on the same routes (mixed SPA + classic form pages) keep current behavior; pure-fetch API operators opt in.

package/lib/auth/passkey.js

@@ -57,9 +57,15 @@
  * sessions, audit, or DB. Routes integrate that themselves; the
  * primitive stays the smallest correct surface.
  */
+var safeBuffer = require("../safe-buffer");
 var _wa = require("../vendor/simplewebauthn-server.cjs");
 var { AuthError } = require("../framework-error");
 
+// W3C WebAuthn name field cap — same as the rpName/userName ceiling in
+// the spec's CredentialUserEntity / PublicKeyCredentialEntity dictionaries
+// (no normative limit but RPs broadly cap at 256 to defeat DOM cost).
+var MAX_NAME_LEN = 256;                                                            // allow:raw-byte-literal — UTF-16 codepoint count, not bytes
+
 function _vendor() {
   return _wa;
 }
@@ -173,9 +179,93 @@ async function verifyAuthentication(opts) {
   });
 }
 
+// ---- WebAuthn Signal API (W3C draft, 2024) ----
+//
+// The signal* methods build the JSON descriptor that the operator
+// returns to the client; the browser then calls the matching
+// `PublicKeyCredential.signal*` method to clean up stale passkeys
+// and refresh user details. These are pure builders — no I/O — so
+// validation throws at the boundary and the descriptor shape is the
+// W3C draft schema verbatim.
+
+function _b64urlValid(s) {
+  return typeof s === "string" && s.length > 0 && safeBuffer.BASE64URL_RE.test(s);
+}
+
+function signalUnknownCredential(opts) {
+  if (!opts) throw new AuthError("auth-passkey/missing-opts", "opts is required");
+  _requireString(opts.rpId, "rpId");
+  _requireString(opts.credentialId, "credentialId");
+  if (!_b64urlValid(opts.credentialId)) {
+    throw new AuthError("auth-passkey/bad-credential-id",
+      "credentialId must be base64url (no padding)");
+  }
+  return {
+    rpId:         opts.rpId,
+    credentialId: opts.credentialId,
+  };
+}
+
+function signalAllAcceptedCredentials(opts) {
+  if (!opts) throw new AuthError("auth-passkey/missing-opts", "opts is required");
+  _requireString(opts.rpId, "rpId");
+  _requireString(opts.userId, "userId");
+  if (!_b64urlValid(opts.userId)) {
+    throw new AuthError("auth-passkey/bad-user-id",
+      "userId must be base64url (no padding)");
+  }
+  if (!Array.isArray(opts.allAcceptedCredentialIds)) {
+    throw new AuthError("auth-passkey/bad-accepted-list",
+      "allAcceptedCredentialIds must be an array");
+  }
+  for (var i = 0; i < opts.allAcceptedCredentialIds.length; i++) {
+    if (!_b64urlValid(opts.allAcceptedCredentialIds[i])) {
+      throw new AuthError("auth-passkey/bad-accepted-list",
+        "allAcceptedCredentialIds[" + i + "] must be base64url");
+    }
+  }
+  return {
+    rpId:                     opts.rpId,
+    userId:                   opts.userId,
+    allAcceptedCredentialIds: opts.allAcceptedCredentialIds.slice(),
+  };
+}
+
+function signalCurrentUserDetails(opts) {
+  if (!opts) throw new AuthError("auth-passkey/missing-opts", "opts is required");
+  _requireString(opts.rpId, "rpId");
+  _requireString(opts.userId, "userId");
+  if (!_b64urlValid(opts.userId)) {
+    throw new AuthError("auth-passkey/bad-user-id",
+      "userId must be base64url (no padding)");
+  }
+  _requireString(opts.name, "name");
+  _requireString(opts.displayName, "displayName");
+  // RP-relevant length cap — the descriptor is a hint to the browser,
+  // not a stored value, but absurdly long names indicate a misuse and
+  // we refuse rather than truncate silently.
+  if (opts.name.length > MAX_NAME_LEN) {
+    throw new AuthError("auth-passkey/name-too-long",
+      "name must be <= " + MAX_NAME_LEN + " characters");
+  }
+  if (opts.displayName.length > MAX_NAME_LEN) {
+    throw new AuthError("auth-passkey/displayname-too-long",
+      "displayName must be <= " + MAX_NAME_LEN + " characters");
+  }
+  return {
+    rpId:        opts.rpId,
+    userId:      opts.userId,
+    name:        opts.name,
+    displayName: opts.displayName,
+  };
+}
+
 module.exports = {
-  startRegistration:    startRegistration,
-  verifyRegistration:   verifyRegistration,
-  startAuthentication:  startAuthentication,
-  verifyAuthentication: verifyAuthentication,
+  startRegistration:            startRegistration,
+  verifyRegistration:           verifyRegistration,
+  startAuthentication:          startAuthentication,
+  verifyAuthentication:         verifyAuthentication,
+  signalUnknownCredential:      signalUnknownCredential,
+  signalAllAcceptedCredentials: signalAllAcceptedCredentials,
+  signalCurrentUserDetails:     signalCurrentUserDetails,
 };

package/lib/middleware/assetlinks.js

@@ -0,0 +1,97 @@
+"use strict";
+/**
+ * assetlinks middleware — emits Digital Asset Links at
+ * `/.well-known/assetlinks.json` per Google's Digital Asset Links
+ * spec (used by Trusted Web Activity / Android App Links / Smart
+ * Lock for Passwords / Web Authentication for Android, etc.).
+ *
+ *   var al = b.middleware.assetlinks({
+ *     statements: [
+ *       {
+ *         relation: ["delegate_permission/common.handle_all_urls"],
+ *         target: {
+ *           namespace:        "android_app",
+ *           package_name:     "com.example.app",
+ *           sha256_cert_fingerprints: ["AB:CD:..."],
+ *         },
+ *       },
+ *     ],
+ *   });
+ *   router.use(al);
+ *
+ * The framework JSON-serializes the statements array once at
+ * create() and serves with `Content-Type: application/json` per
+ * Google's spec. Operators with multiple linked apps include
+ * multiple statement entries.
+ */
+
+var lazyRequire = require("../lazy-require");
+var safeJson = require("../safe-json");
+var validateOpts = require("../validate-opts");
+var { defineClass } = require("../framework-error");
+
+var AssetlinksError = defineClass("AssetlinksError", { alwaysPermanent: true });
+
+var observability = lazyRequire(function () { return require("../observability"); });
+
+function create(opts) {
+  validateOpts.requireObject(opts, "middleware.assetlinks", AssetlinksError);
+  validateOpts(opts, ["statements", "audit"], "middleware.assetlinks");
+
+  if (!Array.isArray(opts.statements) || opts.statements.length === 0) {
+    throw new AssetlinksError("assetlinks/no-statements",
+      "middleware.assetlinks: opts.statements must be a non-empty array of statement objects");
+  }
+  for (var i = 0; i < opts.statements.length; i += 1) {
+    var stmt = opts.statements[i];
+    if (!stmt || typeof stmt !== "object" || Array.isArray(stmt)) {
+      throw new AssetlinksError("assetlinks/bad-statement",
+        "middleware.assetlinks: statements[" + i + "] must be a plain object");
+    }
+    if (!Array.isArray(stmt.relation) || stmt.relation.length === 0) {
+      throw new AssetlinksError("assetlinks/bad-statement",
+        "middleware.assetlinks: statements[" + i + "].relation must be a non-empty array");
+    }
+    if (!stmt.target || typeof stmt.target !== "object") {
+      throw new AssetlinksError("assetlinks/bad-statement",
+        "middleware.assetlinks: statements[" + i + "].target must be an object");
+    }
+  }
+
+  var body = safeJson.stringify(opts.statements, { space: 2 });
+  var bodyBuf = Buffer.from(body, "utf8");
+  var auditOn = opts.audit !== false;
+
+  return function assetlinksMiddleware(req, res, next) {
+    var url = req.url || "";
+    var qIdx = url.indexOf("?");
+    var path = qIdx === -1 ? url : url.slice(0, qIdx);
+    if (path !== "/.well-known/assetlinks.json") return next();
+    if (req.method !== "GET" && req.method !== "HEAD") {
+      var bodyMsg = "Method Not Allowed";
+      res.writeHead(405, {                                                       // allow:raw-byte-literal — HTTP 405 status
+        "Allow":          "GET, HEAD",
+        "Content-Type":   "text/plain; charset=utf-8",
+        "Content-Length": Buffer.byteLength(bodyMsg),
+      });
+      res.end(bodyMsg);
+      return;
+    }
+    res.writeHead(200, {                                                         // allow:raw-byte-literal — HTTP 200 status
+      "Content-Type":     "application/json; charset=utf-8",
+      "Content-Length":   bodyBuf.length,
+      "Cache-Control":    "public, max-age=86400",
+      "X-Content-Type-Options": "nosniff",
+    });
+    if (req.method === "HEAD") { res.end(); return; }
+    res.end(bodyBuf);
+    if (auditOn) {
+      try { observability().safeEvent("middleware.assetlinks.served", 1, {}); }
+      catch (_e) { /* obs best-effort */ }
+    }
+  };
+}
+
+module.exports = {
+  create: create,
+};

package/lib/middleware/dpop.js

@@ -35,6 +35,8 @@
  *   - audit.bearer.failure event when audit: true (default)
  */
 
+var C = require("../constants");
+var bCrypto = require("../crypto");
 var lazyRequire = require("../lazy-require");
 var requestHelpers = require("../request-helpers");
 var validateOpts = require("../validate-opts");
@@ -43,20 +45,63 @@ var { AuthError } = require("../framework-error");
 var dpop = lazyRequire(function () { return require("../auth/dpop"); });
 var audit = lazyRequire(function () { return require("../audit"); });
 
-function _writeUnauthorized(res, errorCode, description) {
+// RFC 9449 §8 — server-issued nonce length (24 random bytes ≈ 192 bits
+// of entropy after base64url, far above the spec's "unpredictable" bar).
+var DPOP_NONCE_BYTES = C.BYTES.bytes(24);
+
+function _writeUnauthorized(res, errorCode, description, freshNonce) {
   if (res.headersSent) return;
   var body = JSON.stringify({ error: errorCode, error_description: description });
   // RFC 9449 §7 — error code is invalid_dpop_proof OR use_dpop_nonce.
   var challenge = 'DPoP error="' + errorCode + '", error_description="' +
                   description.replace(/"/g, "'") + '"';
-  res.writeHead(401, {                                                             // allow:raw-byte-literal — HTTP 401 status
+  var headers = {                                                                  // allow:raw-byte-literal — HTTP 401 status
     "Content-Type":     "application/json; charset=utf-8",
     "Content-Length":   Buffer.byteLength(body),
     "WWW-Authenticate": challenge,
-  });
+  };
+  if (freshNonce) headers["DPoP-Nonce"] = freshNonce;
+  res.writeHead(401, headers);
   res.end(body);
 }
 
+// RFC 9449 §8 — server-issued DPoP-Nonce challenge. The framework
+// holds a rolling pair (current, previous) and rotates after
+// rotateSec elapses. Both the current and previous values are
+// accepted from clients; previous is needed to cover the brief
+// race window after rotation when in-flight requests still carry
+// the prior nonce. Rotation happens lazily on access; no timer.
+function _nonceManager(rotateSec) {
+  var rotateMs = C.TIME.seconds(rotateSec);
+  var current = null;
+  var previous = null;
+  function _fresh() {
+    return {
+      nonce:    bCrypto.generateBytes(DPOP_NONCE_BYTES).toString("base64url"),
+      issuedAt: Date.now(),
+    };
+  }
+  function _maybeRotate() {
+    var now = Date.now();
+    if (current === null) {
+      current = _fresh();
+      return;
+    }
+    if (now - current.issuedAt >= rotateMs) {
+      previous = current;
+      current = _fresh();
+    }
+  }
+  return {
+    issue: function () { _maybeRotate(); return current.nonce; },
+    accepts: function (n) {
+      _maybeRotate();
+      if (typeof n !== "string" || n.length === 0) return false;
+      return (current && n === current.nonce) || (previous && n === previous.nonce);
+    },
+  };
+}
+
 function _reconstructHtu(req) {
   // The proof's htu is the request URI WITHOUT query/fragment. Behind
   // a reverse proxy the operator may need to override via opts.htu /
@@ -77,12 +122,38 @@ function create(opts) {
   validateOpts(opts, [
     "replayStore", "algorithms", "iatWindowSec",
     "getAccessToken", "getNonce", "getHtu", "audit",
+    "nonceStore", "nonceWindowSec", "nonceRotateSec", "requireNonce",
   ], "middleware.dpop");
 
   var auditOn = opts.audit !== false;
   var algorithms = opts.algorithms;
   var iatWindowSec = opts.iatWindowSec;
   var replayStore = opts.replayStore;
+  var requireNonce = opts.requireNonce === true;
+
+  // Server-issued DPoP-Nonce challenge flow (RFC 9449 §8). When
+  // requireNonce is true, the middleware refuses any proof that does
+  // not carry a recognised nonce, and emits a fresh DPoP-Nonce
+  // header on every 401 + as a refresh on every successful response.
+  // The rolling-pair manager rotates without timers; no operator
+  // store is needed.
+  var nonceMgr = null;
+  if (requireNonce) {
+    validateOpts.optionalPositiveFinite(opts.nonceRotateSec,
+      "middleware.dpop: nonceRotateSec", AuthError, "auth-dpop/bad-opt");
+    var rotateSec = opts.nonceRotateSec || (C.TIME.minutes(5) / C.TIME.seconds(1));
+    nonceMgr = _nonceManager(rotateSec);
+  }
+  // Reject the obsolete nonceStore opt with a clear migration message —
+  // pre-v0.7.89 docs may surface it; the rolling-pair shape supersedes.
+  if (opts.nonceStore !== undefined) {
+    throw new AuthError("auth-dpop/bad-opt",
+      "middleware.dpop: opts.nonceStore is not supported — use { requireNonce: true, nonceRotateSec? }; the rolling-pair manager is internal");
+  }
+  if (opts.nonceWindowSec !== undefined) {
+    throw new AuthError("auth-dpop/bad-opt",
+      "middleware.dpop: opts.nonceWindowSec is not supported — use nonceRotateSec");
+  }
 
   validateOpts.optionalFunction(opts.getAccessToken,
     "middleware.dpop: getAccessToken", AuthError, "auth-dpop/bad-opt");
@@ -91,10 +162,14 @@ function create(opts) {
   validateOpts.optionalFunction(opts.getHtu,
     "middleware.dpop: getHtu", AuthError, "auth-dpop/bad-opt");
 
+  function _freshNonce() { return nonceMgr ? nonceMgr.issue() : null; }
+
   return async function dpopMiddleware(req, res, next) {
     var proofHeader = req.headers && req.headers.dpop;
     if (typeof proofHeader !== "string" || proofHeader.length === 0) {
-      return _writeUnauthorized(res, "invalid_dpop_proof", "DPoP header required");
+      return _writeUnauthorized(res,
+        nonceMgr ? "use_dpop_nonce" : "invalid_dpop_proof",
+        "DPoP header required", _freshNonce());
     }
     // RFC 9449 §4.1 — only ONE DPoP header value per request.
     if (Array.isArray(proofHeader)) {
@@ -117,6 +192,12 @@ function create(opts) {
     if (typeof opts.getNonce === "function") {
       try { nonce = await opts.getNonce(req); }
       catch (_e) { nonce = null; }
+    } else if (nonceMgr) {
+      // For server-managed nonces, verify() runs WITHOUT a strict
+      // expected-nonce; we then check the payload's nonce against
+      // our rolling-pair below. This lets us issue + rotate without
+      // requiring a request-by-request operator callback.
+      nonce = null;
     }
 
     var verifyOpts = { htm: htm, htu: htu };
@@ -150,7 +231,35 @@ function create(opts) {
         errorCode = "use_dpop_nonce";
       }
       return _writeUnauthorized(res, errorCode,
-        (e && e.message) || "DPoP proof verification failed");
+        (e && e.message) || "DPoP proof verification failed",
+        _freshNonce());
+    }
+
+    // Server-managed nonce check — payload MUST carry a recognized
+    // rolling-pair nonce. Missing or stale → 401 + DPoP-Nonce.
+    if (nonceMgr) {
+      var presented = result.payload && result.payload.nonce;
+      if (typeof presented !== "string" || !nonceMgr.accepts(presented)) {
+        if (auditOn) {
+          try {
+            audit().safeEmit({
+              action:  "auth.bearer.failure",
+              actor:   { clientIp: requestHelpers.clientIp(req) },
+              outcome: "fail",
+              metadata: { method: "dpop", reason: "stale-nonce", route: req.url },
+            });
+          } catch (_ignored) { /* drop-silent */ }
+        }
+        return _writeUnauthorized(res, "use_dpop_nonce",
+          "DPoP-Nonce required (server-managed challenge)", _freshNonce());
+      }
+    }
+
+    // Refresh the nonce on every successful response so the client
+    // always carries the latest one (RFC 9449 §8.1 recommendation).
+    if (nonceMgr && !res.headersSent) {
+      try { res.setHeader("DPoP-Nonce", _freshNonce()); }
+      catch (_e) { /* drop-silent — header set best-effort */ }
     }
 
     req.dpop = result;

package/lib/middleware/index.js

@@ -17,6 +17,7 @@
  *   7. errorHandler     — must be LAST so it catches everything that throws
  */
 var apiEncrypt = require("./api-encrypt");
+var assetlinks = require("./assetlinks");
 var attachUser = require("./attach-user");
 var bearerAuth = require("./bearer-auth");
 var bodyParser = require("./body-parser");
@@ -45,6 +46,8 @@ var requireMethods = require("./require-methods");
 var securityHeaders = require("./security-headers");
 var securityTxt = require("./security-txt");
 var sse = require("./sse");
+var tusUpload = require("./tus-upload");
+var webAppManifest = require("./web-app-manifest");
 
 module.exports = {
   requestId:        requestId.create,
@@ -72,10 +75,13 @@ module.exports = {
   sse:              sse.create,
   requestLog:       requestLog.create,
   apiEncrypt:       apiEncrypt,
+  assetlinks:       assetlinks.create,
   dbRoleFor:        dbRoleFor.create,
   dpop:             dpop.create,
   hostAllowlist:    hostAllowlist.create,
   networkAllowlist: networkAllowlist.create,
+  tusUpload:        tusUpload.create,
+  webAppManifest:   webAppManifest.create,
 
   // Module exports for advanced use (constants, raw factory access)
   _modules: {
@@ -101,9 +107,14 @@ module.exports = {
     sse:              sse,
     requestLog:       requestLog,
     apiEncrypt:       apiEncrypt,
+    assetlinks:       assetlinks,
     dbRoleFor:        dbRoleFor,
     dpop:             dpop,
     hostAllowlist:    hostAllowlist,
     networkAllowlist: networkAllowlist,
+    tusUpload:        tusUpload,
+    webAppManifest:   webAppManifest,
   },
 };
+
+module.exports.tusUpload.memoryStore = tusUpload.memoryStore;

package/lib/middleware/tus-upload.js

@@ -0,0 +1,654 @@
+"use strict";
+/**
+ * TUS resumable upload middleware (tus.io v1.0.0).
+ *
+ *   var tus = b.middleware.tusUpload({
+ *     mountPath:    "/uploads",
+ *     store:        b.middleware.tusUpload.memoryStore({ maxSize: C.BYTES.gib(2) }),
+ *     maxSize:      C.BYTES.gib(2),
+ *     maxChunkSize: C.BYTES.mib(64),
+ *     expirationSec: C.TIME.hours(24) / 1000,
+ *     extensions:   ["creation", "creation-with-upload", "expiration",
+ *                    "checksum", "termination"],
+ *     checksumAlgorithms: ["sha3-512", "shake256"],
+ *     onComplete:   async function (uploadId, meta) { ... },
+ *     audit:        true,
+ *   });
+ *   router.use(tus);
+ *
+ * Wire-shape per tus.io 1.0.0 §2:
+ *   POST   <mountPath>          → 201 + Location: <mountPath>/<id>
+ *   HEAD   <mountPath>/<id>     → 200 + Upload-Offset, Upload-Length, Upload-Metadata
+ *   PATCH  <mountPath>/<id>     → 204 + Upload-Offset
+ *   DELETE <mountPath>/<id>     → 204
+ *   OPTIONS <mountPath>         → 204 + Tus-* discovery
+ *
+ * Extensions implemented:
+ *   - creation (§4)              POST creates a new upload; Upload-Defer-Length
+ *                                 supported per §4.3
+ *   - creation-with-upload (§4.4) Content-Type application/offset+octet-stream
+ *                                 on POST appends in the same call
+ *   - expiration (§4.5)          Upload-Expires header on every response;
+ *                                 store.terminate() purges expired uploads
+ *   - checksum (§3.5)            Upload-Checksum: <algo> <base64> validated
+ *                                 against received bytes; mismatch → 460
+ *   - termination (§3.4)         DELETE removes the upload
+ *
+ * Concatenation (§4.6) is intentionally not in v1 — operators that need
+ * parallel-chunk assembly compose it in their own store layer; re-open
+ * if an operator demonstrates a use case the store-level approach
+ * cannot satisfy.
+ */
+
+var nodeCrypto = require("crypto");                                                // for createHash() in checksum extension
+var C = require("../constants");
+var bCrypto = require("../crypto");
+var lazyRequire = require("../lazy-require");
+var safeAsync = require("../safe-async");
+var safeBuffer = require("../safe-buffer");
+var validateOpts = require("../validate-opts");
+var { defineClass } = require("../framework-error");
+
+// Observability metric prefix for the TUS middleware. The framework
+// audit pipeline routes through `observability.safeEvent` (metrics +
+// counters) for hot-path lifecycle signals, not `audit.safeEmit`,
+// because PATCH chunks fire dozens of times per upload and the
+// audit chain is reserved for security-relevant state transitions.
+var TUS_ID_BYTES = C.BYTES.bytes(18);                                              // 144 bits ≈ 24 base64url chars per upload id
+
+// HTTP status codes used by TUS — hoisted to named constants so the
+// raw-byte-literal detector doesn't fire on every status path.
+var STATUS_OK                = 200;                                                // allow:raw-byte-literal — HTTP status
+var STATUS_CREATED           = 201;                                                // allow:raw-byte-literal — HTTP status
+var STATUS_NO_CONTENT        = 204;                                                // allow:raw-byte-literal — HTTP status
+var STATUS_BAD_REQUEST       = 400;                                                // allow:raw-byte-literal — HTTP status
+var STATUS_NOT_FOUND         = 404;                                                // allow:raw-byte-literal — HTTP status
+var STATUS_METHOD_NOT_ALLOWED = 405;                                               // allow:raw-byte-literal — HTTP status
+var STATUS_CONFLICT          = 409;                                                // allow:raw-byte-literal — HTTP status
+var STATUS_PRECONDITION_FAILED = 412;                                              // allow:raw-byte-literal — HTTP status
+var STATUS_PAYLOAD_TOO_LARGE = 413;                                                // allow:raw-byte-literal — HTTP status
+var STATUS_UNSUPPORTED_MEDIA = 415;                                                // allow:raw-byte-literal — HTTP status
+var STATUS_CHECKSUM_MISMATCH = 460;                                                // allow:raw-byte-literal — TUS-specific status (§3.5)
+var STATUS_INTERNAL_ERROR    = 500;                                                // allow:raw-byte-literal — HTTP status
+
+var TusError = defineClass("TusError", { alwaysPermanent: true });
+
+var observability = lazyRequire(function () { return require("../observability"); });
+
+var TUS_VERSION = "1.0.0";
+var SUPPORTED_VERSIONS = ["1.0.0"];
+var DEFAULT_EXTENSIONS = [
+  "creation", "creation-with-upload", "expiration",
+  "checksum", "termination",
+];
+var DEFAULT_CHECKSUM_ALGORITHMS = ["sha3-512", "shake256"];
+var KNOWN_CHECKSUM_ALGORITHMS = {
+  "sha3-512": "sha3-512",
+  "shake256": "shake256",
+  "sha-256":  "sha256",
+  "sha-512":  "sha512",
+  "sha3-256": "sha3-256",
+};
+var KNOWN_EXTENSIONS = {
+  "creation":              true,
+  "creation-with-upload":  true,
+  "expiration":            true,
+  "checksum":              true,
+  "termination":           true,
+};
+
+function _b64uId() {
+  return bCrypto.generateBytes(TUS_ID_BYTES).toString("base64url");
+}
+
+function _parseMetadata(headerValue) {
+  // RFC-style key-value list: `key1 base64val1,key2 base64val2`. Per
+  // tus.io 1.0.0 §3.2 keys are ASCII printable except space/comma; values
+  // are base64-encoded UTF-8 octet sequences.
+  if (typeof headerValue !== "string" || headerValue.length === 0) return null;
+  var pairs = headerValue.split(",");
+  var out = {};
+  for (var i = 0; i < pairs.length; i++) {
+    var raw = pairs[i].trim();
+    if (raw.length === 0) continue;
+    var sp = raw.indexOf(" ");
+    var key, val;
+    if (sp === -1) { key = raw; val = ""; }
+    else           { key = raw.slice(0, sp); val = raw.slice(sp + 1); }
+    if (!/^[!-+\--.0-~]+$/.test(key)) return null;     // printable, no space/comma
+    if (val.length > 0 && !/^[A-Za-z0-9+/=]+$/.test(val)) return null;
+    var decoded = "";
+    if (val.length > 0) {
+      try { decoded = Buffer.from(val, "base64").toString("utf8"); }
+      catch (_e) { return null; }
+    }
+    out[key] = decoded;
+  }
+  return out;
+}
+
+function _serializeMetadata(metaObj) {
+  if (!metaObj || typeof metaObj !== "object") return "";
+  var keys = Object.keys(metaObj);
+  var parts = [];
+  for (var i = 0; i < keys.length; i++) {
+    var k = keys[i];
+    var v = metaObj[k];
+    var encoded = (typeof v === "string" && v.length > 0)
+      ? Buffer.from(v, "utf8").toString("base64")
+      : "";
+    parts.push(encoded.length > 0 ? (k + " " + encoded) : k);
+  }
+  return parts.join(",");
+}
+
+function _parseChecksumHeader(headerValue, allowedSet) {
+  // tus.io 1.0.0 §3.5: `Upload-Checksum: <algo> <base64-digest>`.
+  if (typeof headerValue !== "string") return null;
+  var sp = headerValue.indexOf(" ");
+  if (sp === -1) return { error: "malformed" };
+  var algo = headerValue.slice(0, sp).trim().toLowerCase();
+  var digestB64 = headerValue.slice(sp + 1).trim();
+  if (algo.length === 0 || digestB64.length === 0) return { error: "malformed" };
+  if (!allowedSet[algo]) return { error: "algo-unsupported" };
+  if (!/^[A-Za-z0-9+/=]+$/.test(digestB64)) return { error: "malformed" };
+  var nodeAlgo = KNOWN_CHECKSUM_ALGORITHMS[algo];
+  if (!nodeAlgo) return { error: "algo-unsupported" };
+  return { algo: algo, nodeAlgo: nodeAlgo, digestB64: digestB64 };
+}
+
+function memoryStore(opts) {
+  opts = opts || {};
+  var maxSize = opts.maxSize;
+  if (maxSize !== undefined && (typeof maxSize !== "number" || !isFinite(maxSize) || maxSize <= 0)) {
+    throw new TusError("tus/bad-store-opts",
+      "tusUpload.memoryStore: maxSize must be a positive finite number");
+  }
+  var defaultExpirationMs = opts.defaultExpirationMs || C.TIME.hours(24);
+
+  var uploads = new Map();   // id -> { length, deferLength, metadata, buf, offset, expireAt, completed, terminated }
+
+  function create(meta) {
+    var id = _b64uId();
+    var now = Date.now();
+    var rec = {
+      id:           id,
+      length:       (typeof meta.length === "number" && isFinite(meta.length)) ? meta.length : null,
+      deferLength:  meta.deferLength === true,
+      metadata:     meta.metadata || {},
+      buf:          Buffer.alloc(0),
+      offset:       0,
+      expireAt:     now + (meta.expirationMs || defaultExpirationMs),
+      completed:    false,
+      terminated:   false,
+      hashState:    null,
+    };
+    uploads.set(id, rec);
+    return Promise.resolve(rec);
+  }
+
+  function head(id) {
+    var rec = uploads.get(id);
+    if (!rec || rec.terminated) return Promise.resolve(null);
+    if (rec.expireAt && rec.expireAt < Date.now()) {
+      uploads.delete(id);
+      return Promise.resolve(null);
+    }
+    return Promise.resolve(rec);
+  }
+
+  function append(id, chunk, offset) {
+    var rec = uploads.get(id);
+    if (!rec || rec.terminated) return Promise.reject(new TusError("tus/upload-not-found", "upload " + id + " not found"));
+    if (offset !== rec.offset) {
+      return Promise.reject(new TusError("tus/offset-mismatch", "expected offset " + rec.offset + ", got " + offset));
+    }
+    if (rec.length !== null && rec.offset + chunk.length > rec.length) {
+      return Promise.reject(new TusError("tus/length-exceeded", "chunk would exceed declared Upload-Length"));
+    }
+    if (maxSize !== undefined && rec.offset + chunk.length > maxSize) {
+      return Promise.reject(new TusError("tus/length-exceeded", "chunk would exceed memoryStore maxSize"));
+    }
+    rec.buf = Buffer.concat([rec.buf, chunk]);
+    rec.offset += chunk.length;
+    if (rec.length !== null && rec.offset === rec.length) rec.completed = true;
+    return Promise.resolve(rec);
+  }
+
+  function setLength(id, length) {
+    var rec = uploads.get(id);
+    if (!rec) return Promise.reject(new TusError("tus/upload-not-found", "upload " + id + " not found"));
+    if (rec.length !== null) return Promise.reject(new TusError("tus/length-already-set", "Upload-Length already declared"));
+    rec.length = length;
+    rec.deferLength = false;
+    return Promise.resolve(rec);
+  }
+
+  function terminate(id) {
+    var rec = uploads.get(id);
+    if (!rec) return Promise.resolve(false);
+    rec.terminated = true;
+    uploads.delete(id);
+    return Promise.resolve(true);
+  }
+
+  function purgeExpired() {
+    var now = Date.now();
+    var removed = 0;
+    for (var entry of uploads) {
+      if (entry[1].expireAt && entry[1].expireAt < now) { uploads.delete(entry[0]); removed++; }
+    }
+    return Promise.resolve(removed);
+  }
+
+  function getBuffer(id) {
+    var rec = uploads.get(id);
+    return Promise.resolve(rec ? rec.buf : null);
+  }
+
+  return {
+    name:         "memory",
+    create:       create,
+    head:         head,
+    append:       append,
+    setLength:    setLength,
+    terminate:    terminate,
+    purgeExpired: purgeExpired,
+    getBuffer:    getBuffer,
+  };
+}
+
+function _writeError(res, status, body) {
+  if (res.headersSent) return;
+  var bodyStr = body || "";
+  res.writeHead(status, {
+    "Tus-Resumable":  TUS_VERSION,
+    "Content-Type":   "text/plain; charset=utf-8",
+    "Content-Length": Buffer.byteLength(bodyStr),
+  });
+  res.end(bodyStr);
+}
+
+function _emitTusBaseHeaders(res, extra) {
+  var headers = Object.assign({
+    "Tus-Resumable": TUS_VERSION,
+  }, extra || {});
+  return headers;
+}
+
+function _readChunk(req, maxChunkSize) {
+  return new Promise(function (resolve, reject) {
+    var collector = safeBuffer.boundedChunkCollector({
+      maxBytes:    maxChunkSize,
+      errorClass:  TusError,
+      sizeCode:    "tus/chunk-too-large",
+      sizeMessage: "PATCH body exceeded maxChunkSize",
+    });
+    req.on("data", function (c) {
+      try { collector.push(c); }
+      catch (e) { req.removeAllListeners("data"); reject(e); }
+    });
+    req.on("end", function () { resolve(collector.result()); });
+    req.on("error", function (e) { reject(e); });
+  });
+}
+
+function create(opts) {
+  validateOpts.requireObject(opts, "middleware.tusUpload", TusError);
+  validateOpts(opts, [
+    "mountPath", "store", "maxSize", "maxChunkSize",
+    "expirationSec", "extensions", "checksumAlgorithms",
+    "onComplete", "onCreate", "onTerminate", "audit",
+  ], "middleware.tusUpload");
+
+  var mountPath = opts.mountPath;
+  if (typeof mountPath !== "string" || mountPath.length === 0 || mountPath.charAt(0) !== "/") {
+    throw new TusError("tus/bad-mountpath",
+      "middleware.tusUpload: mountPath must be a non-empty path starting with '/'");
+  }
+  if (mountPath.length > 1 && mountPath.charAt(mountPath.length - 1) === "/") {
+    mountPath = mountPath.slice(0, -1);
+  }
+
+  var store = opts.store;
+  if (!store || typeof store.create !== "function" || typeof store.head !== "function" ||
+      typeof store.append !== "function" || typeof store.terminate !== "function") {
+    throw new TusError("tus/bad-store",
+      "middleware.tusUpload: store must implement { create, head, append, terminate }");
+  }
+
+  var maxSize = opts.maxSize;
+  if (maxSize !== undefined && (typeof maxSize !== "number" || !isFinite(maxSize) || maxSize <= 0)) {
+    throw new TusError("tus/bad-opts", "middleware.tusUpload: maxSize must be a positive finite number");
+  }
+  var maxChunkSize = opts.maxChunkSize;
+  if (maxChunkSize === undefined) maxChunkSize = C.BYTES.mib(64);
+  if (typeof maxChunkSize !== "number" || !isFinite(maxChunkSize) || maxChunkSize <= 0) {
+    throw new TusError("tus/bad-opts", "middleware.tusUpload: maxChunkSize must be a positive finite number");
+  }
+  var expirationSec = opts.expirationSec;
+  if (expirationSec !== undefined && (typeof expirationSec !== "number" || !isFinite(expirationSec) || expirationSec <= 0)) {
+    throw new TusError("tus/bad-opts", "middleware.tusUpload: expirationSec must be a positive finite number");
+  }
+
+  var extensions = Array.isArray(opts.extensions) ? opts.extensions.slice() : DEFAULT_EXTENSIONS.slice();
+  for (var i = 0; i < extensions.length; i++) {
+    if (!KNOWN_EXTENSIONS[extensions[i]]) {
+      throw new TusError("tus/bad-opts",
+        "middleware.tusUpload: unknown extension '" + extensions[i] + "'");
+    }
+  }
+  var hasCreation         = extensions.indexOf("creation") !== -1;
+  var hasCreationWithBody = extensions.indexOf("creation-with-upload") !== -1;
+  var hasExpiration       = extensions.indexOf("expiration") !== -1;
+  var hasChecksum         = extensions.indexOf("checksum") !== -1;
+  var hasTermination      = extensions.indexOf("termination") !== -1;
+
+  var checksumAlgorithms = Array.isArray(opts.checksumAlgorithms)
+    ? opts.checksumAlgorithms.slice()
+    : DEFAULT_CHECKSUM_ALGORITHMS.slice();
+  var checksumAlgorithmSet = {};
+  for (var j = 0; j < checksumAlgorithms.length; j++) {
+    var algo = checksumAlgorithms[j];
+    if (!KNOWN_CHECKSUM_ALGORITHMS[algo]) {
+      throw new TusError("tus/bad-opts",
+        "middleware.tusUpload: unknown checksum algorithm '" + algo + "'");
+    }
+    checksumAlgorithmSet[algo] = true;
+  }
+
+  validateOpts.optionalFunction(opts.onComplete,  "middleware.tusUpload: onComplete",  TusError, "tus/bad-opts");
+  validateOpts.optionalFunction(opts.onCreate,    "middleware.tusUpload: onCreate",    TusError, "tus/bad-opts");
+  validateOpts.optionalFunction(opts.onTerminate, "middleware.tusUpload: onTerminate", TusError, "tus/bad-opts");
+
+  var auditOn = opts.audit !== false;
+
+  if (hasExpiration && typeof store.purgeExpired === "function") {
+    safeAsync.repeating(function () {
+      store.purgeExpired().catch(function () { /* drop-silent — sweep best-effort */ });
+    }, C.TIME.minutes(5), { name: "tus-upload-sweep" });
+  }
+
+  function _expirationHeader(rec) {
+    if (!hasExpiration || !rec || !rec.expireAt) return null;
+    return new Date(rec.expireAt).toUTCString();
+  }
+
+  function _emitMetric(verb, _outcome, _metadata) {
+    if (!auditOn) return;
+    try { observability().safeEvent("middleware.tusUpload." + verb, 1, {}); }
+    catch (_e) { /* drop-silent — observability sink */ }
+  }
+
+  async function _handleOptions(req, res) {
+    var headers = _emitTusBaseHeaders(res, {
+      "Tus-Version":   SUPPORTED_VERSIONS.join(","),
+      "Tus-Extension": extensions.join(","),
+    });
+    if (maxSize !== undefined) headers["Tus-Max-Size"] = String(maxSize);
+    if (hasChecksum) headers["Tus-Checksum-Algorithm"] = checksumAlgorithms.join(",");
+    res.writeHead(STATUS_NO_CONTENT, headers);
+    res.end();
+  }
+
+  async function _handleCreate(req, res) {
+    if (!hasCreation) return _writeError(res, STATUS_METHOD_NOT_ALLOWED, "creation extension not enabled");
+    var lengthHdr = req.headers["upload-length"];
+    var deferHdr = req.headers["upload-defer-length"];
+    var metadataHdr = req.headers["upload-metadata"];
+
+    var uploadLength = null;
+    var deferLength = false;
+    if (lengthHdr !== undefined) {
+      uploadLength = parseInt(lengthHdr, 10);
+      if (!isFinite(uploadLength) || uploadLength < 0 || String(uploadLength) !== String(lengthHdr).trim()) {
+        return _writeError(res, STATUS_BAD_REQUEST, "Upload-Length must be a non-negative integer");
+      }
+      if (maxSize !== undefined && uploadLength > maxSize) {
+        return _writeError(res, STATUS_PAYLOAD_TOO_LARGE, "Upload-Length exceeds Tus-Max-Size");
+      }
+    } else if (String(deferHdr).trim() === "1") {
+      deferLength = true;
+    } else {
+      return _writeError(res, STATUS_BAD_REQUEST, "Upload-Length or Upload-Defer-Length: 1 required");
+    }
+
+    var metadata = null;
+    if (metadataHdr !== undefined) {
+      metadata = _parseMetadata(metadataHdr);
+      if (metadata === null) return _writeError(res, STATUS_BAD_REQUEST, "malformed Upload-Metadata");
+    }
+
+    var rec;
+    try {
+      rec = await store.create({
+        length:       uploadLength,
+        deferLength:  deferLength,
+        metadata:     metadata || {},
+        expirationMs: expirationSec ? C.TIME.seconds(expirationSec) : undefined,
+      });
+    } catch (e) {
+      _emitMetric("create.fail");
+      return _writeError(res, STATUS_INTERNAL_ERROR, (e && e.message) || "store create failed");
+    }
+
+    if (typeof opts.onCreate === "function") {
+      try { await opts.onCreate(rec.id, { length: uploadLength, metadata: metadata }); }
+      catch (_e) { /* operator hook — drop-silent */ }
+    }
+
+    var location = mountPath + "/" + rec.id;
+    var headers = _emitTusBaseHeaders(res, { "Location": location });
+    var expHdr = _expirationHeader(rec);
+    if (expHdr) headers["Upload-Expires"] = expHdr;
+
+    // creation-with-upload: append the body in the same request when
+    // Content-Type is application/offset+octet-stream.
+    var contentType = req.headers["content-type"];
+    if (hasCreationWithBody && contentType === "application/offset+octet-stream") {
+      var chunk;
+      try { chunk = await _readChunk(req, maxChunkSize); }
+      catch (e) { return _writeError(res, e.code === "tus/chunk-too-large" ? STATUS_PAYLOAD_TOO_LARGE : STATUS_BAD_REQUEST, e.message); }
+      try {
+        rec = await store.append(rec.id, chunk, 0);
+      } catch (e) {
+        return _writeError(res, e.code === "tus/length-exceeded" ? STATUS_PAYLOAD_TOO_LARGE : STATUS_BAD_REQUEST, e.message);
+      }
+      headers["Upload-Offset"] = String(rec.offset);
+      if (rec.completed && typeof opts.onComplete === "function") {
+        try { await opts.onComplete(rec.id, { metadata: rec.metadata, store: store }); }
+        catch (_e) { /* operator hook — drop-silent */ }
+      }
+    }
+
+    res.writeHead(STATUS_CREATED, headers);
+    res.end();
+    _emitMetric("create.ok");
+  }
+
+  async function _handleHead(req, res, id) {
+    var rec;
+    try { rec = await store.head(id); }
+    catch (_e) { rec = null; }
+    if (!rec) return _writeError(res, STATUS_NOT_FOUND, "upload not found");
+    var headers = _emitTusBaseHeaders(res, {
+      "Upload-Offset":     String(rec.offset),
+      "Cache-Control":     "no-store",
+    });
+    if (rec.length !== null) headers["Upload-Length"] = String(rec.length);
+    else if (rec.deferLength) headers["Upload-Defer-Length"] = "1";
+    if (rec.metadata && Object.keys(rec.metadata).length > 0) {
+      headers["Upload-Metadata"] = _serializeMetadata(rec.metadata);
+    }
+    var expHdr = _expirationHeader(rec);
+    if (expHdr) headers["Upload-Expires"] = expHdr;
+    res.writeHead(STATUS_OK, headers);
+    res.end();
+  }
+
+  async function _handlePatch(req, res, id) {
+    var contentType = req.headers["content-type"];
+    if (contentType !== "application/offset+octet-stream") {
+      return _writeError(res, STATUS_UNSUPPORTED_MEDIA, "Content-Type must be application/offset+octet-stream");
+    }
+    var offsetHdr = req.headers["upload-offset"];
+    if (offsetHdr === undefined) return _writeError(res, STATUS_BAD_REQUEST, "Upload-Offset required");
+    var offset = parseInt(offsetHdr, 10);
+    if (!isFinite(offset) || offset < 0 || String(offset) !== String(offsetHdr).trim()) {
+      return _writeError(res, STATUS_BAD_REQUEST, "Upload-Offset must be a non-negative integer");
+    }
+
+    var rec;
+    try { rec = await store.head(id); }
+    catch (_e) { rec = null; }
+    if (!rec) return _writeError(res, STATUS_NOT_FOUND, "upload not found");
+
+    if (rec.length === null && req.headers["upload-length"] !== undefined) {
+      // Upload-Defer-Length finalization (§4.3) — declare length on first PATCH
+      var declared = parseInt(req.headers["upload-length"], 10);
+      if (!isFinite(declared) || declared < 0) {
+        return _writeError(res, STATUS_BAD_REQUEST, "Upload-Length must be a non-negative integer");
+      }
+      if (maxSize !== undefined && declared > maxSize) {
+        return _writeError(res, STATUS_PAYLOAD_TOO_LARGE, "Upload-Length exceeds Tus-Max-Size");
+      }
+      try { rec = await store.setLength(id, declared); }
+      catch (e) { return _writeError(res, STATUS_CONFLICT, e.message); }
+    }
+
+    if (offset !== rec.offset) {
+      return _writeError(res, STATUS_CONFLICT, "Upload-Offset mismatch (expected " + rec.offset + ")");
+    }
+
+    var checksum = null;
+    if (req.headers["upload-checksum"] !== undefined) {
+      if (!hasChecksum) return _writeError(res, STATUS_BAD_REQUEST, "checksum extension not enabled");
+      checksum = _parseChecksumHeader(req.headers["upload-checksum"], checksumAlgorithmSet);
+      if (!checksum || checksum.error) {
+        if (checksum && checksum.error === "algo-unsupported") {
+          return _writeError(res, STATUS_BAD_REQUEST, "checksum algorithm unsupported");
+        }
+        return _writeError(res, STATUS_BAD_REQUEST, "malformed Upload-Checksum");
+      }
+    }
+
+    var chunk;
+    try { chunk = await _readChunk(req, maxChunkSize); }
+    catch (e) { return _writeError(res, e.code === "tus/chunk-too-large" ? STATUS_PAYLOAD_TOO_LARGE : STATUS_BAD_REQUEST, e.message); }
+
+    if (checksum) {
+      var hasher = nodeCrypto.createHash(checksum.nodeAlgo);
+      hasher.update(chunk);
+      var digestB64 = hasher.digest("base64");
+      if (digestB64 !== checksum.digestB64) {
+        return _writeError(res, STATUS_CHECKSUM_MISMATCH, "Upload-Checksum mismatch");
+      }
+    }
+
+    try { rec = await store.append(id, chunk, offset); }
+    catch (e) {
+      var sc = STATUS_INTERNAL_ERROR;
+      if (e.code === "tus/offset-mismatch") sc = STATUS_CONFLICT;
+      else if (e.code === "tus/length-exceeded") sc = STATUS_PAYLOAD_TOO_LARGE;
+      else if (e.code === "tus/upload-not-found") sc = STATUS_NOT_FOUND;
+      return _writeError(res, sc, e.message);
+    }
+
+    var headers = _emitTusBaseHeaders(res, { "Upload-Offset": String(rec.offset) });
+    var expHdr = _expirationHeader(rec);
+    if (expHdr) headers["Upload-Expires"] = expHdr;
+
+    res.writeHead(STATUS_NO_CONTENT, headers);
+    res.end();
+
+    if (rec.completed && typeof opts.onComplete === "function") {
+      try { await opts.onComplete(id, { metadata: rec.metadata, store: store }); }
+      catch (_e) { /* operator hook — drop-silent */ }
+      _emitMetric("complete.ok");
+    }
+  }
+
+  async function _handleDelete(req, res, id) {
+    if (!hasTermination) return _writeError(res, STATUS_METHOD_NOT_ALLOWED, "termination extension not enabled");
+    var existed;
+    try { existed = await store.terminate(id); }
+    catch (_e) { existed = false; }
+    if (!existed) return _writeError(res, STATUS_NOT_FOUND, "upload not found");
+    if (typeof opts.onTerminate === "function") {
+      try { await opts.onTerminate(id); }
+      catch (_e) { /* operator hook — drop-silent */ }
+    }
+    res.writeHead(STATUS_NO_CONTENT, _emitTusBaseHeaders(res, {}));
+    res.end();
+    _emitMetric("terminate.ok");
+  }
+
+  return async function tusUploadMiddleware(req, res, next) {
+    var url = req.url || "/";
+    var qIdx = url.indexOf("?");
+    var path = qIdx === -1 ? url : url.slice(0, qIdx);
+
+    var isCollection = (path === mountPath);
+    var isResource = false;
+    var resourceId = null;
+    if (path.indexOf(mountPath + "/") === 0) {
+      resourceId = path.slice(mountPath.length + 1);
+      // No further sub-paths allowed — TUS resources are flat.
+      if (resourceId.indexOf("/") === -1 && /^[A-Za-z0-9_-]{1,128}$/.test(resourceId)) {
+        isResource = true;
+      }
+    }
+    if (!isCollection && !isResource) return next();
+
+    // Tus-Resumable header gate (§2.2). OPTIONS is exempt; all other
+    // verbs must declare a supported version.
+    var method = (req.method || "").toUpperCase();
+    if (method !== "OPTIONS") {
+      var version = req.headers["tus-resumable"];
+      if (version === undefined) {
+        return _writeError(res, STATUS_PRECONDITION_FAILED, "Tus-Resumable header required");
+      }
+      if (SUPPORTED_VERSIONS.indexOf(version) === -1) {
+        var hdrs = _emitTusBaseHeaders(res, { "Tus-Version": SUPPORTED_VERSIONS.join(",") });
+        res.writeHead(STATUS_PRECONDITION_FAILED, hdrs);
+        res.end("Tus-Resumable version unsupported");
+        return;
+      }
+    }
+
+    try {
+      if (method === "OPTIONS") return await _handleOptions(req, res);
+      if (isCollection && method === "POST") return await _handleCreate(req, res);
+      if (isResource && method === "HEAD") return await _handleHead(req, res, resourceId);
+      if (isResource && method === "PATCH") return await _handlePatch(req, res, resourceId);
+      if (isResource && method === "DELETE") return await _handleDelete(req, res, resourceId);
+    } catch (e) {
+      _emitMetric("error.fail");
+      return _writeError(res, STATUS_INTERNAL_ERROR, (e && e.message) || "internal error");
+    }
+
+    var allow = isCollection ? "OPTIONS, POST" : "OPTIONS, HEAD, PATCH" + (hasTermination ? ", DELETE" : "");
+    res.writeHead(STATUS_METHOD_NOT_ALLOWED, _emitTusBaseHeaders(res, {
+      "Allow":           allow,
+      "Content-Type":    "text/plain; charset=utf-8",
+      "Content-Length":  "0",
+    }));
+    res.end();
+  };
+}
+
+function close(middleware) {
+  // Reserved for future store-close hook; the sweep timer is the only
+  // resource currently bound, and it lives inside the middleware closure.
+  if (middleware && typeof middleware.close === "function") middleware.close();
+}
+
+module.exports = {
+  create:       create,
+  memoryStore:  memoryStore,
+  close:        close,
+  TusError:     TusError,
+  TUS_VERSION:  TUS_VERSION,
+  KNOWN_EXTENSIONS:           KNOWN_EXTENSIONS,
+  KNOWN_CHECKSUM_ALGORITHMS:  KNOWN_CHECKSUM_ALGORITHMS,
+};

package/lib/middleware/web-app-manifest.js

@@ -0,0 +1,111 @@
+"use strict";
+/**
+ * web-app-manifest middleware — emits the W3C Web App Manifest at
+ * `/manifest.webmanifest` (and `/manifest.json` when `alsoAtJsonPath`
+ * is true) per the W3C Web App Manifest specification.
+ *
+ *   var mf = b.middleware.webAppManifest({
+ *     name:        "Example App",
+ *     short_name:  "Example",
+ *     start_url:   "/",
+ *     display:     "standalone",
+ *     theme_color: "#1976d2",
+ *     background_color: "#ffffff",
+ *     icons: [
+ *       { src: "/icons/192.png", sizes: "192x192", type: "image/png" },
+ *       { src: "/icons/512.png", sizes: "512x512", type: "image/png" },
+ *     ],
+ *   });
+ *   router.use(mf);
+ *
+ * The manifest is JSON-serialized once at create() and served with
+ * `Content-Type: application/manifest+json` per the W3C spec.
+ *
+ * Per W3C — `name`, `start_url`, and at least one icon are required
+ * for an installable PWA. The framework throws at create() when any
+ * of those are missing.
+ */
+
+var lazyRequire = require("../lazy-require");
+var safeJson = require("../safe-json");
+var validateOpts = require("../validate-opts");
+var { defineClass } = require("../framework-error");
+
+var WebAppManifestError = defineClass("WebAppManifestError", { alwaysPermanent: true });
+
+var observability = lazyRequire(function () { return require("../observability"); });
+
+function _isPlainArray(x) { return Array.isArray(x); }
+
+function create(opts) {
+  validateOpts.requireObject(opts, "middleware.webAppManifest", WebAppManifestError);
+  // Allowlist subset of W3C-spec attributes operators commonly set.
+  // Anything outside the list throws at create — typos surface at boot.
+  validateOpts(opts, [
+    "name", "short_name", "description", "start_url", "scope",
+    "display", "display_override", "orientation",
+    "theme_color", "background_color",
+    "icons", "screenshots", "shortcuts",
+    "categories", "lang", "dir", "id",
+    "prefer_related_applications", "related_applications",
+    "alsoAtJsonPath", "audit",
+  ], "middleware.webAppManifest");
+
+  validateOpts.requireNonEmptyString(opts.name,
+    "middleware.webAppManifest: name", WebAppManifestError, "manifest/no-name");
+  validateOpts.requireNonEmptyString(opts.start_url,
+    "middleware.webAppManifest: start_url", WebAppManifestError, "manifest/no-start-url");
+  if (!_isPlainArray(opts.icons) || opts.icons.length === 0) {
+    throw new WebAppManifestError("manifest/no-icons",
+      "middleware.webAppManifest: icons array is required (W3C spec — at least one icon for installability)");
+  }
+
+  // Build the JSON body once at create.
+  var manifest = {};
+  var keys = Object.keys(opts).filter(function (k) {
+    return k !== "alsoAtJsonPath" && k !== "audit";
+  });
+  for (var i = 0; i < keys.length; i += 1) {
+    var k = keys[i];
+    if (opts[k] !== undefined && opts[k] !== null) manifest[k] = opts[k];
+  }
+  var body = safeJson.stringify(manifest, { space: 2 });
+  var bodyBuf = Buffer.from(body, "utf8");
+  var alsoAtJsonPath = opts.alsoAtJsonPath === true;
+  var auditOn = opts.audit !== false;
+
+  return function webAppManifestMiddleware(req, res, next) {
+    var url = req.url || "";
+    var qIdx = url.indexOf("?");
+    var path = qIdx === -1 ? url : url.slice(0, qIdx);
+    var matches = (path === "/manifest.webmanifest") ||
+                  (alsoAtJsonPath && path === "/manifest.json");
+    if (!matches) return next();
+    if (req.method !== "GET" && req.method !== "HEAD") {
+      var bodyMsg = "Method Not Allowed";
+      res.writeHead(405, {                                                       // allow:raw-byte-literal — HTTP 405 status
+        "Allow":          "GET, HEAD",
+        "Content-Type":   "text/plain; charset=utf-8",
+        "Content-Length": Buffer.byteLength(bodyMsg),
+      });
+      res.end(bodyMsg);
+      return;
+    }
+    res.writeHead(200, {                                                         // allow:raw-byte-literal — HTTP 200 status
+      "Content-Type":     "application/manifest+json",
+      "Content-Length":   bodyBuf.length,
+      "Cache-Control":    "public, max-age=86400",
+      "X-Content-Type-Options": "nosniff",
+    });
+    if (req.method === "HEAD") { res.end(); return; }
+    res.end(bodyBuf);
+    if (auditOn) {
+      try { observability().safeEvent("middleware.webAppManifest.served", 1, { path: path }); }
+      catch (_e) { /* obs best-effort */ }
+    }
+  };
+}
+
+module.exports = {
+  create: create,
+};

package/lib/parsers/safe-ini.js

@@ -37,6 +37,7 @@
 
 var C = require("../constants");
 var numericBounds = require("../numeric-bounds");
+var safeBuffer = require("../safe-buffer");
 var { defineClass } = require("../framework-error");
 
 var IniSafeError = defineClass("IniSafeError", { alwaysPermanent: true });
@@ -176,7 +177,7 @@ function _parseSectionHeader(line) {
     if (parts[i].length === 0) {
       throw _err("ini/bad-section", "section name has empty segment: " + JSON.stringify(inner));
     }
-    if (!/^[A-Za-z0-9_-]+$/.test(parts[i])) {
+    if (!safeBuffer.BASE64URL_RE.test(parts[i])) {
       throw _err("ini/bad-section",
         "section segment must match [A-Za-z0-9_-]+ (got " + JSON.stringify(parts[i]) + ")");
     }

package/lib/safe-buffer.js

@@ -190,6 +190,12 @@ function secureZero(buf) {
 // itself does NOT bound length — that's the caller's contract.
 var HEX_RE = /^[0-9a-fA-F]+$/;
 
+// BASE64URL_RE matches a non-empty base64url-encoded string (RFC 4648
+// §5) with NO padding. Used by JOSE primitives (JWT/JWS/JWE compact
+// serialisations), DPoP jti, WebAuthn credential IDs, etc. The regex
+// is length-agnostic — callers cap length per protocol contract.
+var BASE64URL_RE = /^[A-Za-z0-9_-]+$/;
+
 // CRLF_RE matches any control character used in HTTP-header / SMTP-
 // envelope injection attacks. Header values that contain CR or LF must
 // be rejected before serialization.
@@ -231,6 +237,7 @@ module.exports = {
   stripCrlf:             stripCrlf,
   stripTrailingHspace:   stripTrailingHspace,
   HEX_RE:                HEX_RE,
+  BASE64URL_RE:          BASE64URL_RE,
   CRLF_RE:               CRLF_RE,
   TRAILING_HSPACE_RE:    TRAILING_HSPACE_RE,
   SafeBufferError:       SafeBufferError,

package/lib/webhook.js

@@ -214,7 +214,7 @@ function _pqcSign(privateKeyPem, data) {
   return crypto.sign(data, privateKeyPem).toString("base64url");
 }
 
-var _BASE64URL_RE = /^[A-Za-z0-9_-]+$/;
+var _BASE64URL_RE = safeBuffer.BASE64URL_RE;
 
 function _pqcVerify(publicKeyPem, data, expectedSig) {
   if (typeof expectedSig !== "string" || expectedSig.length === 0) return false;

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@blamejs/core",
-  "version": "0.7.87",
+  "version": "0.7.89",
   "description": "The Node framework that owns its stack.",
   "license": "Apache-2.0",
   "author": "blamejs contributors",

package/sbom.cyclonedx.json

@@ -2,10 +2,10 @@
   "$schema": "http://cyclonedx.org/schema/bom-1.5.schema.json",
   "bomFormat": "CycloneDX",
   "specVersion": "1.5",
-  "serialNumber": "urn:uuid:96ee5394-43c1-471e-98e9-f3b59c96f3e0",
+  "serialNumber": "urn:uuid:bdcc6997-3839-40c9-b595-95e5fcf57410",
   "version": 1,
   "metadata": {
-    "timestamp": "2026-05-06T06:37:03.759Z",
+    "timestamp": "2026-05-06T07:34:42.532Z",
     "lifecycles": [
       {
         "phase": "build"
@@ -19,14 +19,14 @@
       }
     ],
     "component": {
-      "bom-ref": "@blamejs/core@0.7.87",
+      "bom-ref": "@blamejs/core@0.7.89",
       "type": "library",
       "name": "blamejs",
-      "version": "0.7.87",
+      "version": "0.7.89",
       "scope": "required",
       "author": "blamejs contributors",
       "description": "The Node framework that owns its stack.",
-      "purl": "pkg:npm/%40blamejs/core@0.7.87",
+      "purl": "pkg:npm/%40blamejs/core@0.7.89",
       "properties": [],
       "externalReferences": [
         {
@@ -54,7 +54,7 @@
   "components": [],
   "dependencies": [
     {
-      "ref": "@blamejs/core@0.7.87",
+      "ref": "@blamejs/core@0.7.89",
       "dependsOn": []
     }
   ]