@blamejs/core 0.8.0 → 0.8.5

package/CHANGELOG.md

@@ -8,6 +8,32 @@ upgrading across more than a few patches at a time.
 
 ## v0.8.x
 
+- **0.8.5** (2026-05-06) — Vendor-currency CI gate + `b.middleware.requireMtls` primitive. **Vendor-currency check** — `scripts/check-vendor-currency.js` + new CI job in `ci.yml` assert every npm-mapped vendored bundle in `lib/vendor/MANIFEST.json` matches the latest published version on the npm registry. Per-component check on meta-bundles (e.g. `peculiar-pki` → `@peculiar/x509` + `pkijs`). Master-branch corpus entries (`SecLists`) are checked against the GitHub Commits API for the bundled file's path on the source repo's default branch — if the upstream has commits newer than the manifest's `bundledAt` date, the gate fails. Registry errors stay advisory unless `BLAMEJS_VENDOR_CURRENCY_STRICT=1`. Operators run locally with `npm run check:vendor-currency`. **`b.middleware.requireMtls`** — new soft-enforcement middleware that rejects requests without an authenticated client certificate. Composes with `b.crypto.hashCertFingerprint` / `isCertRevoked` (added in v0.8.4) so operators pass `fingerprintAllowList: [...]` and `denyList: [...]` and the middleware does the constant-time match. `req.peerCert` + `req.peerFingerprint` are attached for downstream handlers. Audits `mtls.required.allowed` / `mtls.required.refused` with reason metadata.
+
+- **0.8.4** (2026-05-06) — Supply-chain scanner findings + outbound HTTP posture + npm-publish unblock. **Outbound network surface** — `b.observability.otlpExporter` no longer defaults to `globalThis.fetch`; the default transport is now `b.httpClient` (`node:https` through the framework's PQC-hybrid agent + cert-pinning + SSRF guard). The prior default leaked an outbound network surface that supply-chain scanners flagged because it sat outside the framework's TLS posture; operators on fetch-only edge runtimes still override via `opts.fetchImpl`. **Dev-mode child-process isolation** — `b.dev.create()` now lazy-requires `child_process` (was top-level — flagged on every install regardless of whether `b.dev` was used) and refuses to construct when `NODE_ENV=production` unless the operator passes `opts.allowProduction:true` with an audited reason. A misconfigured production deploy that accidentally wires the dev-mode restart loop now crashes loudly at boot rather than spawning shells on every save. **Outbound posture additions** — `b.httpClient.request` adds `responseMode: "always-resolve"` (every response resolves with `{statusCode, headers, body}` regardless of HTTP status) plus `onRedirect({from, to, hop, headersStripped, statusCode, method})` hook (operators can throw to abort or rewrite the redirect chain). `b.wsClient.connect` adds `urlFor(attempt)` and `tlsOptsFor(attempt)` per-dial overrides for between-reconnect URL / TLS rotation; the new URL is re-validated through `ssrfGuard` so a hostile upstream can't redirect a reconnecting client at a private address. `b.wsClient` swallows post-`close()` `ECONNRESET` / `EPIPE` so a clean shutdown doesn't surface a noisy unhandled-error event. `b.pqcAgent.create({ ecdhCurve })` accepts a caller-supplied stricter list — operators can drop a group from the framework default but cannot widen with non-PQ groups (the prior hardcoded value blocked legitimate per-deployment narrowing). **Crypto helpers** — `b.crypto.hashCertFingerprint(pem|der)` returns `{ hex, colon }` SHA3-512 digests and `b.crypto.isCertRevoked(pemOrDer, denyList)` does a constant-time match. **Scheduler surface** — `b.scheduler.register(name, intervalMs, fn)` shorthand for the every-N-ms registration shape; `b.scheduler.getStatus()` returns an aggregate health surface for probes / dashboards (started flag, isLeader, per-task list, totals). **npm-publish unblock** — `test/layer-0-primitives/sd-jwt-vc.test.js` was asserting `DEFAULT_ALG === "ES256"` after v0.8.1 flipped the default to `ML-DSA-87`; the assertion now matches the lib (and `DEFAULT_HASH_ALG` for `sha3-512`). v0.8.1 / v0.8.2 / v0.8.3 all failed the npm-publish gate on this single test; this release re-enables the publish workflow.
+
+- **0.8.3** (2026-05-06) — Release-gate fixes + post-v0.8.2 hardening. Wiki primitive-section validator gate flagged `b.middleware.csrfProtect` opts-key drift — the `requireOrigin` opt added in v0.8.1 wasn't documented in the wiki seeder; now listed alongside `checkOrigin` / `allowedOrigins`. Gitleaks secret-scan gate flagged `{ privateKey, cipherText }` KEM-envelope shapes in `lib/crypto.js` error messages + `CHANGELOG.md` v0.8.0 entry as generic-api-key false positives — `.gitleaks.toml` adds an explicit regex allowlist for the parameter-name shape and pins the v0.8.0 commit fingerprints. Functional additions: `b.httpClient.request` adds `responseMode: "always-resolve"` opt — every request resolves with `{ statusCode, headers, body }` regardless of HTTP status (operators using the framework as an inbound-proxy upstream no longer have to wrap each call in a try/catch to recover the body of a 4xx/5xx). `b.wsClient` swallows post-close `ECONNRESET` / `EPIPE` errors so a clean `close()` doesn't surface a noisy unhandled-error event when the kernel races the FIN with an in-flight write. `SECURITY.md` documents the `allowInternal: true` test-pattern (legitimate same-host integration tests opt in explicitly with audited reason — never as a production default).
+
+- **0.8.2** (2026-05-06) — eslint fixes for v0.8.1 npm-publish gate. `lib/guard-csv.js` bidi-prefix regex now uses explicit `\uXXXX` escapes (was tripping `no-irregular-whitespace` + `no-misleading-character-class` on the literal-codepoint form). `lib/redact.js` URL-bearer-query detector drops a redundant `\-` escape inside a character class. Functional behaviour unchanged from 0.8.1.
+
+- **0.8.1** (2026-05-06) — Hardening sweep across audit emission, crypto defaults, auth bypass closure, storage / SQLi, HTTP/network surface, supply-chain pin, and observability gaps. Defense-in-depth fixes — no new operator-facing primitives.
+
+  **Audit emission** — `audit.safeEmit` now normalises non-canonical outcomes (`ok` / `fail` / `warning` / `duplicate` / `skip` → `success` / `failure`) and replaces hyphens in action-name segments with underscores. The strict regex enforced by `audit.record` was silently dropping events from `b.flag` / `b.outbox` / `b.inbox` / `b.session` (idle / absolute / fingerprint-drift) / `b.db` (integrity-check) / `b.compliance.aiAct` (every Annex III biometric-id log on the operator-facing kinds with hyphens) / `b.config-drift` (low-severity drift) / `b.log-stream` (sink-failure) / `b.pubsub` (publish + publish-failed — also fixes a positional-signature bug at the call site). Two new `codebase-patterns` detectors (`audit-action-with-hyphen`, `non-canonical-audit-outcome`) catch new sites at gate time. Chain-write integrity failures now emit `system.audit.chain_write_dropped` to observability so operators alerting on rate-drop see something even when audit itself is the broken sink.
+
+  **Crypto defaults** — `b.mtlsCa` `caKeySealedMode` default flipped from `"auto"` to `"required"`; the legacy `"auto"` mode (load whichever exists, fall back to plaintext when no sealed file pre-exists) is removed. Operators wanting plaintext explicitly opt in via `caKeySealedMode: "disabled"` with audited reason. `b.network.tls` default key-share preference list now leads with `SecP384r1MLKEM1024` (the highest-PQ hybrid registered in `TLS_GROUP_PREFERENCE`) and drops `secp256r1` (P-256 was forbidden as a default per the framework's PQC-first hard rule). `b.auth.sdJwtVc` defaults to `ML-DSA-87` + `sha3-512`; the previous `ES256` + `sha-256` defaults shipped classical P-256 + SHA-256 credentials operators would have to re-issue at the EU eIDAS deadline. `b.crypto.encrypt` now emits `system.crypto.hybrid_disabled` audit when called with only an ML-KEM public key (silent fallback to KEM-only used to mask the missing P-384 leg). `b.auth.totp` emits `auth.totp.algorithm_downgraded` audit on every SHA-256 enrolment / verification.
+
+  **Auth bypass closure** — `b.breakGlass` `policy.requireScope` is now actually enforced at `grant()` time (was accepted, persisted, and surfaced via `policyGet` but never consulted). `b.permissions` `requireMfa: true` defaults to a 15-minute `mfaWindowMs` floor when neither route nor role supplies one (a stolen long-lived cookie with stale `mfaAt` no longer walks past the gate). `b.middleware.attachUser` now threads `req` through `session.verify` so the documented fingerprint-drift / IP-UA pin / anomaly-score defenses actually fire on the standard middleware path. `b.middleware.bearerAuth` returns 401 with `WWW-Authenticate: Bearer error="invalid_request"` when an `Authorization` header is present but doesn't parse against the configured scheme (was falling through to cookie-session); `realm` is CRLF-validated at create-time. `b.bearerAuth` sets `req._bearerAuthHandled` after success so `b.middleware.attachUser` skips re-reading the same header. `b.breakGlass.unsealRow` SELECTs the target row before incrementing `rowsConsumed` so a typo'd row id no longer exhausts a `maxRowsPerGrant: 1` grant. `b.auth.password` HIBP path fail-closes when more than half the response lines are unparseable (poisoned-mirror defense). `b.auth.jwt.sign` auto-mints a `jti` when `expiresInSec` is set and the operator didn't supply one; the silent-replay-window where the verifier was configured for replay-defense but the token shipped without a jti is closed. `b.auth.oauth.exchangeCode` requires `nonce` on OIDC flows when `authorizationUrl()` produced one (silent skip on operator-forgot-to-thread is closed; explicit `skipNonceCheck: true` for legacy IdPs). `b.auth.lockout` cache-error signal now also rides the audit chain (was observability-only — a deployment with no observability + a degraded cache had no signal that brute-force protection was disabled). `b.middleware.csrfProtect` cookie regex tightened from `{2,}` to `{64}` hex chars (matches `forms.generateCsrfToken` output length so a sibling-subdomain XSS can't plant `csrf=ab` and submit matching `X-CSRF-Token`); new `requireOrigin: true` opt for browser-only routes; `csrf.bad_cookie_value` audit on planted-short-cookie refusals.
+
+  **Storage / SQLi** — `b.retention` calls `safeSql.validateIdentifier` on every operator-supplied table name, age field, soft-delete field, legal-hold field, and cascade FK before reaching SQL string concatenation (operator-config-fed name like `users"; DROP TABLE audit_log;--` no longer breaks out of the quoted identifier). `b.db` at-rest `db.enc` envelope binds `(data dir, node identity)` AAD so two deployments sharing the operator passphrase can't swap `db.enc` files; old envelopes still decrypt via a one-release backwards-compat fallback. `b.externalDb` `SET LOCAL` GUC values capped at 4 KiB (prevents log bloat / parser pressure from operator-controlled tenant-id payloads). `b.cache` set path swapped from `JSON.stringify` to `safeJson.stringify` (refuses Buffer / circular / Date round-trip ambiguity). `b.objectStore.setObjectRetention` does a `getObjectRetention` pre-check and refuses client-side when the existing retention mode is `COMPLIANCE` and the operator (or attacker with `s3:PutObjectRetention`) tries to shorten it or pass `bypassGovernance: true`. `b.inbox` rejects NUL + C0 controls in `messageId` / `source` (closes the dedupe-collision attack on truncating drivers).
+
+  **HTTP / network** — `b.wsClient.connect` now wires `b.ssrfGuard` symmetric to `b.httpClient` (cloud-metadata / private / loopback / link-local / reserved IPs are hard-deny by default; `allowInternal: true` opts in for legitimate internal targets). `b.wsClient` outbound `tls.connect` explicitly pins `minVersion: "TLSv1.3"` matching every other outbound TLS site. `b.app` HTTP/2 server pins `maxOutstandingPings: 10` (CVE-2019-9512 ping-flood class). `b.middleware.cors` always appends `Vary: Origin` when the request carried an Origin (closes the cache-poisoning surface where unmatched-origin responses could be served from a previously-matched cache entry). `b.staticServe` adds `maxRangeBytes` cap (default 64 MiB) — refuses single-range requests larger than the cap with 416 (slowloris-range defense). `b.middleware.bodyParser` per-part header bytes now count toward `totalSize` (closes the 120 × 16 KiB amplification surface for many-parts uploads). `b.ssrfGuard` `_ipv4ToInt` strict octet validation refuses non-numeric segments instead of silently coercing to 0 (closes the CIDR-typo collapse-to-0.0.0.0 footgun). `b.cluster` heartbeat picks up ±20% per-tick jitter on followers (closes the thundering-herd lease-acquire race on lease expiry); `MIN_LEASE_TTL` bumped from 5s to 10s.
+
+  **Supply-chain** — `scripts/vendor-update.sh` now auto-runs `scripts/refresh-vendor-manifest.js` so MANIFEST.json sha256 hashes track the on-disk bundle without a separate operator step.
+
+  **Content-safety** — `b.guardHtml._extractScheme` + `b.guardSvg._extractScheme` now decode HTML5 named entities (`	` / `
` / `:` / `/` / etc.) before scheme-allowlist matching (closes the `java	script:` bypass class). `b.guardCsv` strips ZWSP / RTLO / LRM / RLM / BOM at cell-start before the formula-prefix scan (closes the bidi-prefix formula-injection bypass). `b.guardAll._verifyParity` now walks `STANDALONE_GUARDS` too (filename / domain / uuid / cidr / time / mime / jwt / oauth / graphql / shell / regex / jsonpath / template / image / pdf / auth) so missing PROFILES / COMPLIANCE_POSTURES on a standalone guard surfaces at boot rather than at `b.guardAll.allGuards()` lookup. `b.fileUpload._checkAllowedFileType` cross-checks the operator-supplied claimed MIME against magic-byte detection and refuses on family mismatch. `b.mail` attachment validation now wires `b.guardFilename.validate({ profile: "strict" })` + magic-byte / claimed-MIME cross-check (defense-in-depth on outbound mail attachments).
+
+  **Observability** — `b.redact` SENSITIVE_FIELDS now covers `x-api-key` / `x-apikey` / `x_api_key` / `api-key` (substring-match via lowercased field-name was missing the hyphen + underscore variants) plus DPoP / OAuth 2.1 fields (`jwk`, `dpop`, `proof`, `assertion`, `client_assertion`, `id_token_hint`, `code_verifier`, `client_secret`, `refresh_token`, `access_token`); new value-shape detector redacts query-string `?token=` / `?access_token=` / `?api_key=` patterns inside URL fields. `b.logStream` syslog sink strips CR / LF from MSG content per RFC 5424 §6.4 (closes the SIEM-record-injection surface where an operator-controlled `record.message` could spawn a fake separate-priority record). `b.compliance.set` rejection emits `compliance.posture.set_rejected` audit on `unknown-posture` and `already-set` paths.
+
 - **0.8.0** (2026-05-06) — Minor release. New: **`b.mail.arc.sign({ rfc822, instance, authservId, domain, selector, privateKey, algorithm, cv, authResults, headersToSign, timestamp })`** ships the relay-side RFC 8617 ARC chain construction (companion to `b.mail.arc.verify`); produces AAR + AMS + AS headers, prepends them in RFC-recommended order; enforces cv= rules (`i=1` requires `cv=none`, `i>=2` requires `cv=pass`/`cv=fail`); chain-gap detection (`i=N` requires N-1 prior hops); rsa-sha256 + ed25519-sha256 algorithms; CRLF-injection refused on operator-supplied authResults; audit emission `dkim.arc.signed`. **`b.inbox.create({ externalDb, table, retentionDays, audit })`** transactional dedupe-on-receive (companion to `b.outbox`); guarantees exactly-once handling by recording every (source, messageId) pair in the same transaction as the business state change — duplicate delivery short-circuits via the (source, message_id) PRIMARY KEY constraint; high-level `handle(opts, fn)` API wraps externalDb.transaction; low-level `recordReceive` / `markProcessed` for operators managing transactions directly; `declareSchema` / `sweep(retentionDays)` / `getStats` / `isFresh`; postgres + sqlite dialect support; audit emissions `inbox.received` / `handled` / `handle_failed` / `swept`. **`b.openapi.parse(jsonStringOrObject)`** + **`b.asyncapi.parse(jsonStringOrObject)`** validate external specs (currently only the build path existed); returns `{ doc, errors[], valid }`; covers version, info, paths/channels/operations, response.description, path-parameter required:true, dangling security references. **`b.crypto.decryptMlkem768X25519(ciphertext, { privateKey, x25519PrivateKey })`** symmetric named helper alongside the existing `encryptMlkem768X25519`; rejects ciphertexts under any other KEM ID at the head with a clear error rather than the generic dispatch path. **`b.wsClient`** hardening + extensions: `handshakeGuid` opt mirrors the server (operators with non-RFC-6455 GUIDs); decompression-bomb defense via `zlib.inflateRawSync` `maxOutputLength` cap (small compressed frame can no longer expand to GBs); fatal UTF-8 validation on text frames + close-frame reasons (RFC 6455 §5.6); RFC 6455 §5.5 control-frame ≤125-byte cap + FIN=1 enforcement; RSV1-on-continuation rejection (RFC 7692 §6.1); permanent-error classifier so 4xx handshake responses / accept-mismatch / bad-subprotocol / bad-upgrade / bad-status-line / message-too-big skip reconnect (no auth-failure hammering); `close(code, reason)` truncates >123-byte UTF-8 reasons at codepoint boundaries; permessage-deflate `server_max_window_bits` parsing with [8, 15] range enforcement; audit metadata enrichment — `bytesSent` / `bytesReceived` / `attempt` / `peerCertFingerprint` / `serverWindowBits` / `tls` / `permanent` flag. **`client.cancelReconnect()`** new operator API stops in-flight reconnect timers — `close()` mid-reconnect now also cancels the pending timer rather than returning early on the closed state; CRLF validation on the operator-supplied `Origin:` header matches the existing custom-header validation. **`b.vault.aad`** + **`b.wsClient`** + integration test from v0.7.114 are also part of this minor since v0.7.114 was the patch immediately preceding the version bump.
 
 - **0.7.114** (2026-05-06) — `b.vault.aad` AAD-bound sealed columns + `b.wsClient` outbound WebSocket client. **`b.vault.aad.seal(plaintext, aadParts)`** / **`b.vault.aad.unseal(value, aadParts)`** binds the seal to an AAD tuple `(table, rowId, column, schemaVersion)` so the AEAD tag fails on any decrypt where the AAD differs — copy-paste between rows, replay across schema-version bumps, and table-mismatch attacks all surface as a refused decrypt. Symmetric key derived per-row via SHAKE256 over `("vault.aad/v1/" || vault-root || canonical-AAD)` with the AAD threaded into XChaCha20-Poly1305's tag. `buildColumnAad` / `buildContextAad` helpers produce canonical (sorted-keys, length-prefixed) AAD bytes; `reseal(value, fromAad, toAad)` re-binds a value to a new context after authenticating the source. Audit emissions: `vault.aad.sealed` / `vault.aad.unseal_failed`. **`b.wsClient.connect(url, opts)`** ships the outbound RFC 6455 WebSocket client — companion to `b.websocket` (server-side). HTTP/1.1 Upgrade with Sec-WebSocket-Key generation + Sec-WebSocket-Accept verification (rejects on hash mismatch); subprotocol + permessage-deflate (RFC 7692) negotiation; client-side frame masking (RFC 6455 §5.3); TLS via `b.network.tls.pqc` (X25519MLKEM768 hybrid handshake, security-defaults-on); heartbeat ping/pong with pongDeadline tracking; auto-reconnect with exponential-backoff + full jitter; CRLF-injection defense on operator-supplied headers; configurable `maxMessageBytes` / `maxFrameBytes` / `pingMs` / `pongMs` / `handshakeTimeoutMs` / `reconnect: { maxAttempts, baseMs, maxMs }`. EventEmitter API: `open` / `message` / `close` / `error` / `reconnecting`. Reuses `FrameParser` and `serializeFrame` from `lib/websocket.js` so the wire layer is identical to the server. **Integration test** `test/integration/ws-client-roundtrip.test.js` boots a real `http.Server` driven by `b.websocket` primitives and dials it with `b.wsClient`, exercising plain ws:// handshake + subprotocol negotiation + text/binary echo + ping/pong heartbeat + close round-trip + permessage-deflate compress/inflate end-to-end. Audit emissions: `wsclient.connected` / `wsclient.closed` / `wsclient.error`.

package/lib/audit-sign.js

@@ -90,7 +90,7 @@ var SIGNING_KEY_SCHEMA = {
   properties: {
     publicKey:  { type: "string" },
     privateKey: { type: "string" },
-    algorithm:  { type: "string" },     // optional; missing = legacy ml-dsa-87
+    algorithm:  { type: "string" },     // load-time-required — _initPlaintext + _initWrapped both throw KEY_FILE_MISSING_ALG / UNWRAPPED_MISSING_ALG when the field is absent (legacy implicit-default-to-ml-dsa-87 was removed in the pre-v1 compat-shim sweep). Schema's `required` keeps publicKey + privateKey only so the runtime checks fire with the precise error codes operators have wired alerting on.
   },
 };
 

package/lib/audit.js

@@ -206,6 +206,8 @@ var FRAMEWORK_NAMESPACES = [
   "cache",      // b.cache
   "compliance", // b.compliance (compliance.posture.set / cleared)
   "config",     // b.configDrift (config.baseline.captured / config.drift.detected / config.baseline.tamper / config.baseline.unreadable)
+  "csrf",       // b.middleware.csrfProtect (csrf.bad_cookie_value)
+  // (system.crypto.hybrid_disabled rides under "system" so no separate namespace)
   "db",         // b.db / b.middleware.dbRoleFor / b.externalDb.runAs
                 //   (role-switching, RLS-shaped events)
   "dkim",       // b.mail.dkim (DKIM-Signature generation events)
@@ -213,6 +215,7 @@ var FRAMEWORK_NAMESPACES = [
   "dsr",        // b.dsr (Data Subject Rights workflow: dsr.ticket.* / dsr.source.*)
   "dual",       // b.dualControl (dual.grant.requested / approved / denied / consumed / expired / self_approval_denied)
   "mail",       // b.mail (b.mail-bounce uses "system.mail.*")
+  "mtls",       // b.mtlsCa engine algorithm-selection audit (mtls.engine.algorithm_selected)
   "network",    // b.middleware.networkAllowlist (network.gate.denied)
   "notify",     // b.notify
   "objectstore", // b.objectStore.bucketOps (objectstore.bucket.* / objectstore.object.*)
@@ -702,10 +705,12 @@ function _ensureHandler() {
       // into a database that no longer represents the chain those
       // items were emitted against. Early-exit drops them; the
       // alternative is silent corruption of the next chain.
+      var droppedThisBatch = 0;
       for (var i = 0; i < batch.length; i++) {
         if (ctx && ctx.isShutdown && ctx.isShutdown()) return;
         try { await record(batch[i]); }
         catch (e) {
+          droppedThisBatch += 1;
           // Per-item failure shouldn't drop the whole batch; log and
           // continue. The handler's onError gets called for batch-
           // wide failures only.
@@ -714,6 +719,14 @@ function _ensureHandler() {
             " (action=" + (batch[i] && batch[i].action) + ")");
         }
       }
+      // Surface chain-write integrity failures via observability so
+      // operators alerting on rate-drop see something. The audit
+      // chain itself can't carry the signal — the chain is what's
+      // broken — so observability is the only sink left.
+      if (droppedThisBatch > 0) {
+        observability.safeEvent("system.audit.chain_write_dropped",
+          droppedThisBatch, { batchSize: batch.length });
+      }
     },
   });
   return _auditHandler;
@@ -723,6 +736,53 @@ function emit(event) {
   _ensureHandler().emit(event);
 }
 
+// Outcome normalization — drop-silent on a strict `outcome` mismatch
+// dropped a class of audit rows across the framework (every
+// non-{success, failure, denied} outcome from b.flag / b.outbox /
+// b.inbox / b.session / b.db / b.config-drift / b.compliance-aiAct
+// landed in the handler's catch-and-log path instead of the chain).
+// safeEmit owns the normalization; record() stays strict so direct
+// callers see the typo loudly.
+var OUTCOME_NORMALIZE = {
+  ok:        "success",
+  okay:      "success",
+  pass:      "success",
+  passed:    "success",
+  success:   "success",
+  succeeded: "success",
+  warn:      "success",
+  warning:   "success",
+  duplicate: "success",
+  skip:      "success",
+  skipped:   "success",
+  fail:      "failure",
+  failed:    "failure",
+  failure:   "failure",
+  err:       "failure",
+  error:     "failure",
+  denied:    "denied",
+  refused:   "denied",
+  deny:      "denied",
+};
+
+function _normalizeOutcome(o) {
+  if (typeof o !== "string") return "success";
+  var n = OUTCOME_NORMALIZE[o.toLowerCase()];
+  return n || "success";
+}
+
+// Hyphens in action segments fall outside the underscore-only
+// regex enforced by record(). Replace at the segment boundary so
+// "compliance.aiact.biometric-id-categorisation" lands as
+// "compliance.aiact.biometric_id_categorisation" and reaches the
+// chain instead of dropping. The action namespace prefix (the part
+// before the first dot) is left strict — namespaces are
+// operator-registered and should be plain identifiers.
+function _normalizeAction(action) {
+  if (typeof action !== "string") return action;
+  return action.replace(/-/g, "_");
+}
+
 // safeEmit — fire-and-forget audit emit with safe defaults + try/catch.
 //
 // Most modules wrap emit() in their own _emit helper that fills in
@@ -761,9 +821,9 @@ function safeEmit(event) {
     } catch (_e) { /* fall through with original values */ }
     _ensureHandler().emit({
       actor:     actor,
-      action:    event.action,
+      action:    _normalizeAction(event.action),
       resource:  event.resource || null,
-      outcome:   event.outcome  || "success",
+      outcome:   _normalizeOutcome(event.outcome),
       reason:    reason,
       metadata:  metadata,
       requestId: event.requestId || null,

package/lib/auth/jwt.js

@@ -147,6 +147,19 @@ async function sign(claims, opts) {
   if (typeof opts.expiresInSec === "number" && payload.exp === undefined) {
     payload.exp = nowSec + opts.expiresInSec;
   }
+  // Auto-mint jti when the token has an expiry but no operator-set
+  // jti. The replay-defense path on verify() requires every replay-
+  // protected token to carry a jti; without auto-mint, an operator
+  // who configured replayStore on verify but forgot to set jti on
+  // sign produces tokens that never replay-protect — and the
+  // failure surfaces only at first replay attempt (via the
+  // verifier's "missing-jti" throw). Auto-mint closes the silent
+  // hole; operators who explicitly want a deterministic jti pass
+  // opts.jti themselves.
+  if (payload.exp !== undefined && payload.jti === undefined) {
+    var fwCryptoJti = require("../crypto");                                // allow:inline-require — circular-load defense (crypto imports jwt? no — but use lazy form to keep parity)
+    payload.jti = fwCryptoJti.generateBytes(C.BYTES.bytes(16)).toString("base64url");
+  }
   if (typeof opts.notBeforeSec === "number" && payload.nbf === undefined) {
     payload.nbf = nowSec + opts.notBeforeSec;
   }

package/lib/auth/lockout.js

@@ -227,12 +227,25 @@ function create(opts) {
     } catch (_e) { /* audit best-effort */ }
   }
 
+  // Cache failures fail-OPEN by design (per the framework's
+  // documented brute-force-lockout posture — rather than crash the
+  // request, allow the attempt). The signal MUST land somewhere
+  // visible regardless of operator wiring: observability picks it up
+  // when wired, and audit picks it up when wired. Without the audit
+  // path a deployment running with no observability + a degraded
+  // cache silently gets brute-force-protection-disabled.
+  function _signalCacheError(op) {
+    _emitObs("auth.lockout.cache_error", { namespace: namespace, op: op });
+    _emitAudit("auth.lockout.cache_error", "<system>", "failure",
+      { namespace: namespace, op: op }, null);
+  }
+
   async function _readState(key) {
     try {
       var raw = await cache.get(_scopedKey(key));
       return raw || null;
     } catch (_e) {
-      _emitObs("auth.lockout.cache_error", { namespace: namespace, op: "get" });
+      _signalCacheError("get");
       return null;
     }
   }
@@ -241,7 +254,7 @@ function create(opts) {
     try {
       await cache.set(_scopedKey(key), state, { ttlMs: ttlMs });
     } catch (_e) {
-      _emitObs("auth.lockout.cache_error", { namespace: namespace, op: "set" });
+      _signalCacheError("set");
     }
   }
 
@@ -249,7 +262,7 @@ function create(opts) {
     try {
       await cache.del(_scopedKey(key));
     } catch (_e) {
-      _emitObs("auth.lockout.cache_error", { namespace: namespace, op: "del" });
+      _signalCacheError("del");
     }
   }
 

package/lib/auth/oauth.js

@@ -482,6 +482,20 @@ function create(opts) {
       throw new OAuthError("auth-oauth/no-verifier",
         "exchangeCode: opts.verifier is required when PKCE is on (default)");
     }
+    // Nonce enforcement on OIDC paths. authorizationUrl() always
+    // emits a nonce when isOidc; if the operator forgot to thread it
+    // through to exchangeCode, _normalizeTokens silently skipped the
+    // nonce check on the ID token and a captured token from another
+    // browser session could be replayed without detection. Throw
+    // loudly so the operator sees the bug at config time, not at
+    // first-replay-attempt time.
+    if (isOidc && eopts.nonce === undefined && eopts.skipNonceCheck !== true) {
+      throw new OAuthError("auth-oauth/no-nonce",
+        "exchangeCode: nonce is required on OIDC flows. Pass the " +
+        "value returned from authorizationUrl() through to exchangeCode " +
+        "({ code, state, verifier, nonce }). Operators with a deliberate " +
+        "no-nonce flow must pass `skipNonceCheck: true` (audited reason).");
+    }
     var endpoint = await _resolveEndpoint("tokenEndpoint");
     var body = new URLSearchParams();
     body.set("grant_type",   "authorization_code");
@@ -492,7 +506,7 @@ function create(opts) {
     if (eopts.verifier) body.set("code_verifier", eopts.verifier);
 
     var tokens = await _postForm(endpoint, body);
-    return await _normalizeTokens(tokens, { nonce: eopts.nonce });
+    return await _normalizeTokens(tokens, { nonce: eopts.nonce, skipNonceCheck: eopts.skipNonceCheck });
   }
 
   async function refreshAccessToken(refreshToken) {

package/lib/auth/password.js

@@ -448,20 +448,40 @@ function policy(opts) {
       }
       var bodyText = Buffer.isBuffer(resp.body) ? resp.body.toString("utf8") : String(resp.body);
       var lines = bodyText.split(/\r?\n/);
+      var goodLines = 0;
+      var badLines = 0;
       for (var li = 0; li < lines.length; li++) {
         var line = lines[li].trim();
         if (line.length === 0) continue;
         var colon = line.indexOf(":");
-        if (colon < 0) continue;
+        if (colon < 0) { badLines += 1; continue; }
         var hashSuffix = line.slice(0, colon).toUpperCase();
         var count = parseInt(line.slice(colon + 1), 10);
+        if (!isFinite(count)) { badLines += 1; continue; }
+        goodLines += 1;
         if (timingSafeEqual(Buffer.from(hashSuffix, "utf8"), Buffer.from(suffix, "utf8")) &&
-            isFinite(count) && count >= p.breachThreshold) {
+            count >= p.breachThreshold) {
           return _fail("breached",
             "plaintext appears in HaveIBeenPwned with count " + count +
             " (threshold " + p.breachThreshold + ")");
         }
       }
+      // If a hostile / poisoned mirror returned a response shaped like
+      // HIBP but with mostly-unparseable counts, the original loop
+      // skipped them silently and reported breachCheckCount=0 — i.e.
+      // the operator saw "looks fine" against a body that was never
+      // actually verifiable. When more than half the lines fail to
+      // parse, treat the response as unverifiable and apply the
+      // operator's fail-closed posture.
+      if (goodLines + badLines > 0 && badLines * 2 > goodLines) {
+        if (p.failClosed) {
+          return _fail("breach-check-failed",
+            "HIBP response was mostly-unparseable (good=" + goodLines +
+            ", bad=" + badLines + ") — possible poisoned mirror");
+        }
+        return _ok({ breachCheckSkipped: true,
+          breachCheckSkipReason: "hibp-response-mostly-unparseable" });
+      }
       return _ok({ breachCheckCount: 0 });
     }
     return _ok();

package/lib/auth/sd-jwt-vc-issuer.js

@@ -95,7 +95,7 @@ function create(opts) {
       "issuer.create: activeKid \"" + activeKid + "\" is not in the keys array");
   }
   var defaultTtlMs = opts.defaultTtlMs || C.TIME.days(90);
-  var defaultHashAlg = opts.defaultHashAlg || "sha-256";
+  var defaultHashAlg = opts.defaultHashAlg || "sha3-512";
   var auditOn = opts.auditOn !== false;
 
   var stats = {
@@ -137,7 +137,7 @@ function create(opts) {
       claims:               spec.claims || {},
       selectivelyDisclosed: spec.selectivelyDisclosed || [],
       issuerKey:            key.privateKey,
-      algorithm:            key.algorithm || "ES256",
+      algorithm:            key.algorithm || "ML-DSA-87",
       hashAlg:              spec.hashAlg || defaultHashAlg,
       ttlMs:                spec.ttlMs || defaultTtlMs,
       holderKey:            spec.holderKey || null,

package/lib/auth/sd-jwt-vc.js

@@ -80,8 +80,13 @@ var SUPPORTED_HASH_ALGS = Object.freeze({
   "sha3-512": "sha3-512",
 });
 
-var DEFAULT_ALG = "ES256";
-var DEFAULT_HASH_ALG = "sha-256";
+// Defaults are PQC-first per the framework's hard rule §2 — operators
+// who must interop with ES256-only verifiers today opt in via the
+// `compatibilityProfile: "spec-default"` shape on the issuer/holder
+// surfaces, OR pass `algorithm: "ES256"` + `hashAlg: "sha-256"`
+// explicitly with an audited reason.
+var DEFAULT_ALG = "ML-DSA-87";
+var DEFAULT_HASH_ALG = "sha3-512";
 
 function _b64uEncode(str) {
   return Buffer.from(str, "utf8").toString("base64url");

package/lib/break-glass.js

@@ -693,6 +693,45 @@ async function grant(opts) {
       "grant: no authenticated actor on request (req.user.id / req.apiKey.id required)", true);
   }
 
+  // Scope-gate enforcement — when the policy declares requireScope,
+  // the actor must carry the named scope (or matching wildcard via
+  // b.permissions.match) before the framework will mint a grant.
+  // Without this, every TOTP-passing actor could glass-unseal PHI
+  // even when the operator explicitly declared `requireScope:
+  // "phi:admin"`.
+  if (policy.requireScope) {
+    var actorScopes = (opts.req && opts.req.user && Array.isArray(opts.req.user.scopes))
+      ? opts.req.user.scopes
+      : ((opts.req && opts.req.apiKey && Array.isArray(opts.req.apiKey.scopes))
+        ? opts.req.apiKey.scopes
+        : []);
+    var scopeOk = false;
+    for (var sci = 0; sci < actorScopes.length; sci += 1) {
+      if (actorScopes[sci] === policy.requireScope) { scopeOk = true; break; }
+      // Wildcard support: "phi:*" matches "phi:admin" and "phi:read".
+      if (typeof actorScopes[sci] === "string" &&
+          actorScopes[sci].length > 0 &&
+          actorScopes[sci].charAt(actorScopes[sci].length - 1) === "*") {
+        var prefix = actorScopes[sci].slice(0, -1);
+        if (typeof policy.requireScope === "string" &&
+            policy.requireScope.indexOf(prefix) === 0) {
+          scopeOk = true; break;
+        }
+      }
+    }
+    if (!scopeOk) {
+      audit.safeEmit({
+        action:   "breakglass.grant.requested",
+        outcome:  "denied",
+        actor:    actor,
+        reason:   "missing-scope",
+        metadata: { table: table, requireScope: policy.requireScope },
+      });
+      throw new BreakGlassError("breakglass/missing-scope",
+        "grant: actor does not carry required scope '" + policy.requireScope + "'", true);
+    }
+  }
+
   // Factor verification + lockout
   var factorType = opts.factor && opts.factor.type;
   if (!factorType || policy.factors.indexOf(factorType) === -1) {
@@ -897,6 +936,20 @@ async function unsealRow(grantHandle, table, rowId, opts) {
       grantRow.maxRowsPerGrant + " allowed rows", true);
   }
 
+  // SELECT-before-increment — fetch the target row FIRST. If the row
+  // doesn't exist (operator typo, race with row-deletion, etc.), the
+  // grant should not be consumed. Without this ordering, a single
+  // typo against `maxRowsPerGrant: 1` (the default) exhausts the
+  // grant and forces the operator to re-do the step-up ceremony.
+  var rows = await clusterStorage.executeAll(
+    "SELECT * FROM " + '"' + table + '"' + " WHERE _id = ?",
+    [String(rowId)]
+  );
+  if (!rows || rows.length === 0) {
+    throw new BreakGlassError("breakglass/row-not-found",
+      "unsealRow: " + table + "[" + rowId + "] not found", true);
+  }
+
   // Increment rowsConsumed (atomic UPDATE with WHERE rowsConsumed < cap
   // so concurrent unseals can't both pass the runtime check above).
   var updateRes = await clusterStorage.execute(
@@ -925,20 +978,6 @@ async function unsealRow(grantHandle, table, rowId, opts) {
       "unsealRow: grant " + grantHandle.id + " was exhausted by a concurrent read", true);
   }
   void updateRes;
-
-  // Fetch + unseal the target row. Model A goes straight through
-  // cryptoField; Model B reads the row, lets cryptoField unseal the
-  // non-glass-locked columns, and then decryptCell handles the
-  // glass-locked columns separately (their ciphertext was written
-  // by encryptCell at app-write time, not by cryptoField.sealRow).
-  var rows = await clusterStorage.executeAll(
-    "SELECT * FROM " + '"' + table + '"' + " WHERE _id = ?",
-    [String(rowId)]
-  );
-  if (!rows || rows.length === 0) {
-    throw new BreakGlassError("breakglass/row-not-found",
-      "unsealRow: " + table + "[" + rowId + "] not found", true);
-  }
   var policy = await policyGet(table);
   var unsealedRow;
   if (policy && policy.cryptographic) {

package/lib/cache-redis.js

@@ -96,7 +96,7 @@ function create(cfg) {
 
   async function set(key, value, expiresAt, meta) {
     await _ensureConnected();
-    var json = JSON.stringify(value);
+    var json = safeJson.stringify(value);
 
     // Drop any prior tag membership for this key (tags may have changed
     // across sets). The reverse-tag set tells us which tag SETs need

package/lib/cache.js

@@ -491,7 +491,12 @@ function _clusterBackend(cfg) {
   }
 
   async function set(key, value, expiresAt, meta) {
-    var json = JSON.stringify(value);
+    // safeJson.stringify refuses Buffer / circular / Date round-trip
+    // ambiguity that vanilla JSON.stringify silently flattens. The
+    // failure mode without this is "cache returns a structurally-
+    // changed value, app code treats it as the original" — a subtle
+    // freshness bug that's hard to debug.
+    var json = safeJson.stringify(value);
     var storedExpires = (expiresAt === Infinity) ? Number.MAX_SAFE_INTEGER : expiresAt;
     var now = clock();
     var ck = _composedKey(key);

package/lib/cli.js

@@ -1370,9 +1370,9 @@ async function _runMtls(args, ctx) {
   if (vaultMode !== "wrapped" && vaultMode !== "plaintext") {
     return report.error("--vault-mode must be 'wrapped' or 'plaintext'", 2);
   }
-  var sealedMode = args.flags["sealed-mode"] || "auto";
-  if (["auto", "required", "disabled"].indexOf(sealedMode) === -1) {
-    return report.error("--sealed-mode must be 'auto', 'required', or 'disabled'", 2);
+  var sealedMode = args.flags["sealed-mode"] || "required";
+  if (["required", "disabled"].indexOf(sealedMode) === -1) {
+    return report.error("--sealed-mode must be 'required' or 'disabled'", 2);
   }
 
   var booted;

package/lib/cluster.js

@@ -69,7 +69,17 @@ var vault = lazyRequire(function () { return require("./vault"); });
 
 var DEFAULT_LEASE_TTL    = C.TIME.seconds(30);
 var DEFAULT_HEARTBEAT    = C.TIME.seconds(10);
-var MIN_LEASE_TTL        = C.TIME.seconds(5);
+// MIN_LEASE_TTL bumped from 5s → 10s. With 5s leases + 1s heartbeats,
+// a network glitch + GC pause can leave the old leader believing it
+// still holds the lease (4s remaining on its clock) while a new
+// leader has already acquired. Old-leader writes during that window
+// only land on framework state with a fencingToken WHERE clause
+// (audit-tip CHECK catches it); operator-supplied writes through
+// b.externalDb.transaction outside the audit chain DON'T carry the
+// clause and can be accepted by both leaders. 10s leaves more room
+// for the framework's audit-tip fencing to catch the split-brain
+// before consequential writes reach durable state.
+var MIN_LEASE_TTL        = C.TIME.seconds(10);
 var MIN_HEARTBEAT        = C.TIME.seconds(1);
 
 var initialized      = false;
@@ -476,7 +486,20 @@ async function _tryAcquire() {
 
 async function _heartbeat() {
   if (!initialized) return;
+  // ±20% per-tick jitter on followers — without it, N followers
+  // polling on a deterministic cadence all fire _tryAcquire at the
+  // same wall-clock instant on lease expiry, producing thundering-
+  // herd INSERT/UPDATE pressure on the leader-election row at
+  // exactly the worst time. Leader-renewal path doesn't jitter
+  // (a missed renewal hands the lease to a follower; the timing
+  // budget is in `leaseTtl - heartbeatMs`, not in the jitter
+  // window).
   if (!lease) {
+    var jitterMs = Math.floor(Math.random() * (heartbeatMs * 0.4));            // allow:math-random-noncrypto — heartbeat jitter, not security-bearing
+    if (jitterMs > 0) {
+      await safeAsync.sleep(jitterMs);
+    }
+    if (!initialized) return;
     // Not currently leader — try to acquire (lease may have expired
     // on the previous holder).
     await _tryAcquire();

package/lib/compliance-ai-act-logging.js

@@ -125,11 +125,15 @@ function emit(event) {
       "compliance.aiAct.logging.emit: event must be an object");
   }
   // Funnel into the framework audit chain so the record rides the
-  // tamper-evident PQC-signed chain.
+  // tamper-evident PQC-signed chain. The operator-facing kind vocabulary
+  // (from RFC-style slug identifiers in the AI-Act-Notice header — e.g.
+  // "biometric-id-categorisation") carries hyphens; the audit action
+  // namespace uses underscores, so the kind is rewritten before emit.
   try {
+    var kindCanonical = String(event.kind || "log").replace(/-/g, "_");
     audit().safeEmit({
-      action:   "compliance.aiact." + (event.kind || "log"),
-      outcome:  event.outcome === "ok" ? "success" : (event.outcome || "success"),
+      action:   "compliance.aiact." + kindCanonical,
+      outcome:  event.outcome || "success",
       actor:    event.actor || null,
       metadata: event,
     });

package/lib/compliance.js

@@ -67,11 +67,11 @@ var KNOWN_POSTURES = Object.freeze([
 
 var STATE = { posture: null, setAt: null };
 
-function _emitAudit(action, metadata) {
+function _emitAudit(action, metadata, outcome) {
   try {
     audit().safeEmit({
       action:   action,
-      outcome:  "success",
+      outcome:  outcome || "success",
       metadata: metadata,
     });
   } catch (_e) { /* audit best-effort */ }
@@ -84,11 +84,19 @@ function set(posture) {
       JSON.stringify(posture));
   }
   if (KNOWN_POSTURES.indexOf(posture) === -1) {
+    _emitAudit("compliance.posture.set_rejected",
+      { reason: "unknown-posture", posture: posture }, "denied");
     throw new ComplianceError("compliance/unknown-posture",
       "compliance.set: unknown posture '" + posture + "'; expected one of " +
       KNOWN_POSTURES.join(", "));
   }
   if (STATE.posture && STATE.posture !== posture) {
+    // Audit the rejection so an attacker (or operator misconfig) trying
+    // to downgrade an already-set posture produces a chain row
+    // operators can alert on.
+    _emitAudit("compliance.posture.set_rejected",
+      { reason: "already-set", current: STATE.posture, attempted: posture },
+      "denied");
     throw new ComplianceError("compliance/already-set",
       "compliance.set: posture is already '" + STATE.posture + "' (set at " +
       new Date(STATE.setAt).toISOString() + "). Runtime switches are " +

package/lib/config-drift.js

@@ -193,7 +193,7 @@ function create(opts) {
     if (existing && existing.unreadable) {
       _emit("config.baseline.unreadable",
         { sidecar: sidecarPath, reason: "sidecar present but malformed or wrong version" },
-        "warning");
+        "failure");
       _writeSidecar(snapshot, newDigest);
       return { signed: true, drifted: false, tamper: false, previousAt: null, reason: "sidecar-unreadable-rewritten" };
     }
@@ -260,7 +260,7 @@ function create(opts) {
         keysRemoved:       diff.removed,
         severity:          severity,
       },
-      severity === "high" ? "failure" : "warning");
+      severity === "high" ? "failure" : "success");
     _writeSidecar(snapshot, newDigest);
     return {
       signed:      true,

package/lib/crypto-field.js

@@ -116,7 +116,27 @@ function unsealRow(table, row) {
   for (var i = 0; i < s.sealedFields.length; i++) {
     var field = s.sealedFields[i];
     if (out[field]) {
-      var unsealed = vault.unseal(out[field]);
+      var unsealed;
+      try {
+        unsealed = vault.unseal(out[field]);
+      } catch (e) {
+        // A DB-write attacker who can write `vault:<crafted>`
+        // payloads to sealed columns can force ML-KEM
+        // decapsulation on attacker-controlled bytes via this read
+        // path. Surface the failure as a chain row so operators
+        // alert on burst patterns; null the field so downstream
+        // code sees "no value" instead of crashing the request.
+        try {
+          var auditMod = require("./audit");                                          // allow:inline-require — circular-load defense
+          auditMod.safeEmit({
+            action:   "system.crypto.unseal_failed",
+            outcome:  "failure",
+            metadata: { table: table, field: field, rowId: row && row._id || null,
+                        reason: (e && e.message) || String(e) },
+          });
+        } catch (_e) { /* drop-silent */ }
+        unsealed = null;
+      }
       // If the value wasn't actually sealed, vault.unseal returns the input
       // unchanged — keep the original.
       out[field] = unsealed !== undefined && unsealed !== null ? unsealed : out[field];