@blamejs/core 0.8.0 → 0.8.4

package/lib/static.js

@@ -100,6 +100,12 @@ var DEFAULT_CONTENT_TYPES = {
 var DEFAULTS = Object.freeze({
   defaultMaxAge:                    DEFAULT_MAX_AGE_SEC,
   acceptRanges:                     true,
+  // Per-range byte cap — slowloris-range defense. A single Range
+  // request that asks for 1 GiB pins a worker on a long read; many
+  // concurrent requests asking for the same exhaust the process pool.
+  // The cap rejects ranges larger than maxRangeBytes with 416. Set to
+  // Infinity to opt out (audited reason).
+  maxRangeBytes:                    C.BYTES.mib(64),
   // Empty array = no MIME allowlist gate.
   allowedFileTypes:                 Object.freeze([]),
   // Bandwidth + concurrency caps default to 0 = "no cap". Operators opt
@@ -844,6 +850,12 @@ function create(opts) {
           return _writeError(res, HTTP.RANGE_NOT_SATISFIABLE, "range_not_satisfiable",
             "Range Not Satisfiable", { "Content-Range": "bytes */" + meta.size });
         }
+        if (range && cfg.maxRangeBytes !== Infinity && range.length > cfg.maxRangeBytes) {
+          stats.failures += 1;
+          _emitObs("staticServe.range_too_large", 1, { route: urlPath });
+          return _writeError(res, HTTP.RANGE_NOT_SATISFIABLE, "range_too_large",
+            "Range Not Satisfiable", { "Content-Range": "bytes */" + meta.size });
+        }
         if (range) {
           stats.rangeRequests += 1;
           _emitObs("staticServe.range_requests", 1, { route: urlPath });

package/lib/totp.js

@@ -134,6 +134,22 @@ function _resolveOpts(opts) {
     throw new AuthError("auth-totp/bad-alg",
       "algorithm must be one of " + SUPPORTED_ALGORITHMS.join(", ") + " (got: " + alg + ")");
   }
+  // SHA-256 is supported for back-compat with authenticator apps that
+  // don't yet honor SHA-512. Emit an audit signal each time it's
+  // selected so operator compliance dashboards see which accounts run
+  // on the weaker hash and can plan the migration.
+  if (alg === "sha256") {
+    setImmediate(function () {
+      try {
+        var auditMod = require("./audit");                                          // allow:inline-require — circular-load defense
+        auditMod.safeEmit({
+          action:   "auth.totp.algorithm_downgraded",
+          outcome:  "success",
+          metadata: { algorithm: alg, frameworkDefault: DEFAULT_ALGORITHM },
+        });
+      } catch (_e) { /* drop-silent */ }
+    });
+  }
   var digits = opts.digits != null ? opts.digits : DEFAULT_DIGITS;
   if (typeof digits !== "number" || digits < 6 || digits > 10) {
     throw new AuthError("auth-totp/bad-digits", "digits must be 6–10 (got: " + digits + ")");

package/lib/ws-client.js

@@ -58,6 +58,8 @@ var fwCrypto       = lazyRequire(function () { return require("./crypto"); });
 var websocket      = lazyRequire(function () { return require("./websocket"); });
 var audit          = lazyRequire(function () { return require("./audit"); });
 var networkTls     = lazyRequire(function () { return require("./network-tls"); });
+var safeJson       = lazyRequire(function () { return require("./safe-json"); });
+var ssrfGuard      = require("./ssrf-guard");
 var C              = require("./constants");
 var { defineClass } = require("./framework-error");
 
@@ -164,9 +166,27 @@ function connect(target, opts) {
     "maxMessageBytes", "maxFrameBytes",
     "handshakeTimeoutMs", "reconnect",
     "permessageDeflate", "audit", "origin",
-    "handshakeGuid",
+    "handshakeGuid", "allowInternal",
+    "parse", "parser",
+    "urlFor", "tlsOptsFor",
   ], "wsClient.connect");
 
+  // Per-dial state-injection callbacks. Both fire on every connect
+  // attempt (initial + each reconnect) so operators can rotate
+  // bearer tokens, DNS targets, or TLS material between hops without
+  // tearing the client down.
+  //   urlFor(attempt) -> string                — overrides target URL
+  //   tlsOptsFor(attempt) -> object            — overrides TLS opts
+  // attempt is a 0-based hop index; 0 is the initial dial.
+  if (opts.urlFor != null && typeof opts.urlFor !== "function") {
+    throw new WsClientError("ws-client/bad-url-for",
+      "wsClient.connect: urlFor must be a function");
+  }
+  if (opts.tlsOptsFor != null && typeof opts.tlsOptsFor !== "function") {
+    throw new WsClientError("ws-client/bad-tls-opts-for",
+      "wsClient.connect: tlsOptsFor must be a function");
+  }
+
   // Operators with a non-RFC-6455 GUID (private protocols on top of
   // the WebSocket framing layer, framework-specific handshake variants)
   // pass a custom handshakeGuid. The server-side b.websocket already
@@ -219,8 +239,29 @@ function connect(target, opts) {
     permessageDeflate:  permessageDeflate,
     auditOn:            auditOn,
     handshakeGuid:      handshakeGuid,
+    allowInternal:      opts.allowInternal,
+    parse:              opts.parse || null,
+    parser:             typeof opts.parser === "function" ? opts.parser : null,
+    urlFor:             typeof opts.urlFor === "function" ? opts.urlFor : null,
+    tlsOptsFor:         typeof opts.tlsOptsFor === "function" ? opts.tlsOptsFor : null,
+  });
+  // SSRF gate — refuse private / loopback / link-local / cloud-metadata /
+  // reserved IP destinations by default. Symmetric to b.httpClient. The
+  // returned `ips` are pinned through tls.connect / net.connect so the
+  // actual TCP connect targets the validated address (closes the DNS-
+  // rebinding TOCTOU window). Cloud-metadata IPs are unconditional
+  // hard-deny — `allowInternal: true` does not bypass them.
+  var hostnameForUrl = parsed.protocol === "wss:" ? "https:" : "http:";
+  var probeUrl = new url.URL(hostnameForUrl + "//" + parsed.host + parsed.pathname + parsed.search);
+  ssrfGuard.checkUrl(probeUrl, {
+    allowInternal: opts.allowInternal,
+    errorClass:    WsClientError,
+  }).then(function (result) {
+    client._ssrfPinnedIps = result && result.ips;
+    client._dial();
+  }).catch(function (e) {
+    setImmediate(function () { client._handleSocketError(e); });
   });
-  client._dial();
   return client;
 }
 
@@ -278,13 +319,74 @@ class WsClient extends EventEmitter {
     var opts = this._opts;
     this._readyState = "connecting";
 
-    var parsed = opts.parsedUrl;
+    // Per-dial overrides — urlFor swaps the target URL, tlsOptsFor
+    // overrides TLS material. Both fire every dial including reconnects
+    // so callers can rotate state. urlFor's result is re-validated
+    // through ssrfGuard so a hostile upstream can't direct the client
+    // at a private address mid-reconnect.
+    var attempt = this._reconnectAttempt || 0;
+    var dialTarget = opts.target;
+    var dialParsed = opts.parsedUrl;
+    if (typeof opts.urlFor === "function") {
+      try {
+        var nextTarget = opts.urlFor(attempt);
+        if (typeof nextTarget === "string" && nextTarget.length > 0 && nextTarget !== dialTarget) {
+          dialParsed = _parseUrl(nextTarget);
+          dialTarget = nextTarget;
+          var probeProto = dialParsed.protocol === "wss:" ? "https:" : "http:";
+          var probeUrl = new url.URL(probeProto + "//" + dialParsed.host + dialParsed.pathname + dialParsed.search);
+          var probe = ssrfGuard.checkUrl(probeUrl, {
+            allowInternal: opts.allowInternal,
+            errorClass:    WsClientError,
+          });
+          this._ssrfPinnedIps = probe && probe.ips ? probe.ips : null;
+        }
+      } catch (e) {
+        return self._handleSocketError(e);
+      }
+    }
+
+    var dialTlsOpts = opts.tlsOpts;
+    if (typeof opts.tlsOptsFor === "function") {
+      try {
+        var override = opts.tlsOptsFor(attempt);
+        if (override && typeof override === "object") {
+          dialTlsOpts = Object.assign({}, opts.tlsOpts || {}, override);
+        }
+      } catch (e) {
+        return self._handleSocketError(e);
+      }
+    }
+
+    var parsed = dialParsed;
     var port = parsed.port ? parseInt(parsed.port, 10) :
                (parsed.protocol === "wss:" ? 443 : 80);                                  // allow:raw-byte-literal — TLS / HTTP default port
     var host = parsed.hostname;
 
     function _onError(err) { self._handleSocketError(err); }
 
+    // Pin the connect to the SSRF-validated IPs returned by
+    // ssrfGuard.checkUrl — closes the DNS-rebinding TOCTOU window where
+    // the gate resolves a public IP and the kernel re-resolves to a
+    // private one between the check and the connect.
+    var pinnedIps = self._ssrfPinnedIps || null;
+    var lookup = null;
+    if (pinnedIps && pinnedIps.length > 0) {
+      lookup = function (h, lookupOpts, cb) {
+        // Node's lookup callback signatures:
+        //   (err, address, family) for legacy { all: false } (default)
+        //   (err, addresses)        for { all: true }
+        if (typeof lookupOpts === "function") { cb = lookupOpts; lookupOpts = {}; }
+        var first = pinnedIps[0];
+        if (lookupOpts && lookupOpts.all) {
+          return cb(null, pinnedIps.map(function (ip) {
+            return { address: ip.address, family: ip.family };
+          }));
+        }
+        return cb(null, first.address, first.family);
+      };
+    }
+
     var socket;
     if (parsed.protocol === "wss:") {
       var tls = require("tls");                                                          // allow:inline-require — node:tls only on TLS path
@@ -294,7 +396,8 @@ class WsClient extends EventEmitter {
         servername:   host,
         rejectUnauthorized: true,
         minVersion:   "TLSv1.3",
-      }, opts.tlsOpts || {});
+      }, dialTlsOpts || {});
+      if (lookup) tlsOpts.lookup = lookup;
       try {
         var pqcShares = networkTls().pqc.getKeyShares();
         if (Array.isArray(pqcShares) && pqcShares.length > 0 && !tlsOpts.curves) {
@@ -303,7 +406,9 @@ class WsClient extends EventEmitter {
       } catch (_e) { /* drop-silent — tls module pre-init or non-Node */ }
       socket = tls.connect(tlsOpts);
     } else {
-      socket = net.connect({ host: host, port: port });
+      var netOpts = { host: host, port: port };
+      if (lookup) netOpts.lookup = lookup;
+      socket = net.connect(netOpts);
     }
     this._socket = socket;
     socket.on("error", _onError);
@@ -406,8 +511,17 @@ class WsClient extends EventEmitter {
     }
     var status = parseInt(match[1], 10);
     if (status !== 101) {                                                                 // allow:raw-byte-literal — HTTP 101
-      this._handleSocketError(new WsClientError("ws-client/bad-status",
-        "handshake response status was " + status + " (expected 101 Switching Protocols)"));
+      // Body bytes after the header section are the server's
+      // explanation. Surface them on the error so callers can branch
+      // on the status code and inspect the body without re-parsing
+      // the message string.
+      var bodyText = "";
+      try { bodyText = rest.toString("utf8"); } catch (_e) { /* drop-silent */ }
+      var statusErr = new WsClientError("ws-client/bad-status",
+        "handshake response status was " + status + " (expected 101 Switching Protocols)");
+      statusErr.status = status;
+      statusErr.body = bodyText;
+      this._handleSocketError(statusErr);
       return;
     }
 
@@ -624,7 +738,29 @@ class WsClient extends EventEmitter {
           return;
         }
       }
-      this.emit("message", data, isBinary);
+      // Auto-parse text frames as JSON when the operator opted in via
+      // `parse: "json"` or supplied `parser: fn`. JSON-only protocols
+      // (most modern WS APIs) get a typed message argument without a
+      // wrapper layer; parse failures surface as 'error' events
+      // rather than crashing the message handler.
+      var parsed = data;
+      var parsedOk = true;
+      if (!isBinary && this._opts.parse === "json") {
+        try { parsed = safeJson().parse(data, { maxBytes: this._opts.maxMessageBytes }); }
+        catch (e) {
+          parsedOk = false;
+          this.emit("error", new WsClientError("ws-client/json-parse",
+            "text frame is not valid JSON: " + ((e && e.message) || String(e))));
+        }
+      } else if (!isBinary && typeof this._opts.parser === "function") {
+        try { parsed = this._opts.parser(data); }
+        catch (e) {
+          parsedOk = false;
+          this.emit("error", new WsClientError("ws-client/parser-failed",
+            "operator parser threw: " + ((e && e.message) || String(e))));
+        }
+      }
+      if (parsedOk) this.emit("message", parsed, isBinary);
     }
   }
 
@@ -741,12 +877,25 @@ class WsClient extends EventEmitter {
   }
 
   _handleSocketError(err) {
+    // Swallow post-close socket errors. After a consumer-initiated
+    // close() the framework waits for the server to send back its
+    // close frame; if the server tears down its end with an
+    // ECONNRESET / EPIPE / "premature close" instead of a graceful
+    // close frame, the underlying socket emits an error that bubbles
+    // up here. From the consumer's perspective the close already
+    // happened — surfacing a "socket error" event after `close` was
+    // called is noise that hides real bugs.
+    if (this._closed && err && (
+        err.code === "ECONNRESET" || err.code === "EPIPE" ||
+        err.code === "ECONNABORTED" || err.code === "ERR_STREAM_PREMATURE_CLOSE")) {
+      return;
+    }
     var permanent = _isPermanentError(err);
     if (this._opts.auditOn) {
       try {
         audit().safeEmit({
           action:  "wsclient.error",
-          outcome: "fail",
+          outcome: "failure",
           actor:   null,
           metadata: {
             host:     this._opts.parsedUrl.host,

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@blamejs/core",
-  "version": "0.8.0",
+  "version": "0.8.4",
   "description": "The Node framework that owns its stack.",
   "license": "Apache-2.0",
   "author": "blamejs contributors",

package/sbom.cyclonedx.json

@@ -2,10 +2,10 @@
   "$schema": "http://cyclonedx.org/schema/bom-1.5.schema.json",
   "bomFormat": "CycloneDX",
   "specVersion": "1.5",
-  "serialNumber": "urn:uuid:4bde75d4-1385-4f13-b927-d67aa27d910d",
+  "serialNumber": "urn:uuid:91e8b760-7fe3-4fef-a317-8b1e4f8cc238",
   "version": 1,
   "metadata": {
-    "timestamp": "2026-05-06T18:52:54.402Z",
+    "timestamp": "2026-05-06T22:02:35.725Z",
     "lifecycles": [
       {
         "phase": "build"
@@ -19,14 +19,14 @@
       }
     ],
     "component": {
-      "bom-ref": "@blamejs/core@0.8.0",
+      "bom-ref": "@blamejs/core@0.8.4",
       "type": "library",
       "name": "blamejs",
-      "version": "0.8.0",
+      "version": "0.8.4",
       "scope": "required",
       "author": "blamejs contributors",
       "description": "The Node framework that owns its stack.",
-      "purl": "pkg:npm/%40blamejs/core@0.8.0",
+      "purl": "pkg:npm/%40blamejs/core@0.8.4",
       "properties": [],
       "externalReferences": [
         {
@@ -54,7 +54,7 @@
   "components": [],
   "dependencies": [
     {
-      "ref": "@blamejs/core@0.8.0",
+      "ref": "@blamejs/core@0.8.4",
       "dependsOn": []
     }
   ]