@blamejs/core 0.8.0 → 0.8.5

package/lib/middleware/require-aal.js

@@ -76,7 +76,7 @@ function create(opts) {
           audit().safeEmit({
             action:  "auth.aal.denied",
             actor:   { clientIp: requestHelpers.clientIp(req), userId: req.user && req.user.id },
-            outcome: "fail",
+            outcome: "denied",
             metadata: {
               required: minimum,
               actual:   actual || null,
@@ -93,7 +93,7 @@ function create(opts) {
         audit().safeEmit({
           action:  "auth.aal.granted",
           actor:   { clientIp: requestHelpers.clientIp(req), userId: req.user && req.user.id },
-          outcome: "ok",
+          outcome: "success",
           metadata: { aal: actual, required: minimum, route: req.url },
         });
       } catch (_ignored) { /* drop-silent */ }

package/lib/middleware/require-mtls.js

@@ -0,0 +1,179 @@
+"use strict";
+/**
+ * requireMtls middleware — soft-enforcement gate for routes that
+ * require a client certificate.
+ *
+ * Operators terminate TLS at the framework's HTTPS server with
+ * `requestCert: true` (the framework already wires this when
+ * `b.app({ tlsOptions: { requestCert: true, ca: [...] } })` is
+ * configured). For routes that MUST receive an authenticated peer
+ * cert — e.g. the inbound side of an mTLS service mesh, OAuth 2.0
+ * mTLS Client Authentication (RFC 8705), or operator-specific
+ * service-to-service endpoints — wire this middleware in front of
+ * the route to reject any request that didn't present a valid
+ * client cert.
+ *
+ *   var requireMtls = b.middleware.requireMtls({
+ *     fingerprintAllowList: [
+ *       "AB:CD:EF:...",                 // colon-separated SHA3-512 hex
+ *     ],
+ *     denyList:             [],          // explicit revocations
+ *     onAuthenticated:      function (req, res, next) {
+ *       req.peerSubject = req.peerCert.subject;
+ *       next();
+ *     },
+ *     audit:                b.audit,
+ *   });
+ *   router.use("/internal", requireMtls);
+ *
+ * Failure modes (all reject 401):
+ *   - No peer cert presented (client did not negotiate mTLS)
+ *   - Peer cert present but unauthorized at TLS layer
+ *     (req.client.authorized === false)
+ *   - Fingerprint not on the operator-supplied allow-list
+ *   - Fingerprint on the operator-supplied deny-list
+ *
+ * Audit shape (when audit is wired): emits `mtls.required.allowed`
+ * (success) or `mtls.required.refused` (denied) with the peer-cert
+ * fingerprint + subject + reason in metadata. Drop-silent if no
+ * audit is wired.
+ *
+ * The fingerprint allow / deny comparison routes through
+ * b.crypto.isCertRevoked — both forms (lowercase hex / uppercase
+ * colon-separated) match. Allow-list of empty / null = "any
+ * peer cert authorized at the TLS layer"; specifying a non-empty
+ * allow-list ALSO requires the fingerprint to match.
+ */
+
+var defineClass = require("../framework-error").defineClass;
+var lazyRequire = require("../lazy-require");
+var validateOpts = require("../validate-opts");
+
+var crypto = lazyRequire(function () { return require("../crypto"); });
+var audit  = lazyRequire(function () { return require("../audit"); });
+
+var RequireMtlsError = defineClass("RequireMtlsError", { alwaysPermanent: true });
+
+function _normalizeFingerprintEntry(entry) {
+  if (typeof entry !== "string" || entry.length === 0) {
+    throw new RequireMtlsError("require-mtls/bad-fingerprint",
+      "fingerprint allow/deny entries must be non-empty strings " +
+      "(SHA3-512 hex or colon-separated form)");
+  }
+  return entry;
+}
+
+function create(opts) {
+  opts = opts || {};
+  validateOpts(opts, [
+    "fingerprintAllowList", "denyList",
+    "onAuthenticated", "audit",
+    "auditAction", "errorMessage",
+  ], "middleware.requireMtls");
+
+  var allowList = Array.isArray(opts.fingerprintAllowList)
+    ? opts.fingerprintAllowList.map(_normalizeFingerprintEntry) : null;
+  var denyList = Array.isArray(opts.denyList)
+    ? opts.denyList.map(_normalizeFingerprintEntry) : [];
+  var onAuthenticated = typeof opts.onAuthenticated === "function" ? opts.onAuthenticated : null;
+  var auditOn  = opts.audit !== false;
+  var actionBase = typeof opts.auditAction === "string" && opts.auditAction.length > 0
+    ? opts.auditAction : "mtls.required";
+  var errorMessage = typeof opts.errorMessage === "string" && opts.errorMessage.length > 0
+    ? opts.errorMessage : "client certificate required";
+
+  function _emit(outcome, metadata) {
+    if (!auditOn) return;
+    try {
+      audit().safeEmit({
+        action:   actionBase + (outcome === "success" ? ".allowed" : ".refused"),
+        outcome:  outcome,
+        metadata: metadata || {},
+      });
+    } catch (_e) { /* drop-silent — audit is best-effort, never blocks the request */ }
+  }
+
+  function _refuse(res, reason, metadata) {
+    _emit("denied", Object.assign({ reason: reason }, metadata || {}));
+    if (typeof res.writeHead === "function") {
+      res.writeHead(401, {
+        "Content-Type":     "application/json; charset=utf-8",
+        "WWW-Authenticate": "Mutual",
+        "Cache-Control":    "no-store",
+      });
+      res.end(JSON.stringify({ error: errorMessage, reason: reason }));
+    }
+  }
+
+  return function requireMtlsMiddleware(req, res, next) {
+    // Node's TLSSocket exposes:
+    //   req.client.authorized           — boolean, peer cert chain valid
+    //   req.client.authorizationError   — string when authorized=false
+    //   req.socket.getPeerCertificate() — the cert (raw + parsed fields)
+    // Behind a TLS-terminating proxy (e.g. nginx, envoy) operators
+    // pass the peer cert as a header (X-Client-Cert) and pre-populate
+    // req.peerCert before this middleware fires. We don't inject a
+    // proxy-header parser here — that's an operator-side decision tied
+    // to the chosen proxy's signing model.
+    var sock = req.socket || req.connection || null;
+    var authorized = sock && sock.authorized === true;
+    var peerCert = req.peerCert || null;
+    if (!peerCert && sock && typeof sock.getPeerCertificate === "function") {
+      try { peerCert = sock.getPeerCertificate(true) || null; }
+      catch (_e) { peerCert = null; }
+    }
+
+    if (!authorized) {
+      var authzError = (sock && sock.authorizationError) || "no-peer-cert";
+      return _refuse(res, "tls-unauthorized", { authorizationError: String(authzError) });
+    }
+    if (!peerCert || !peerCert.raw) {
+      return _refuse(res, "no-peer-cert", {});
+    }
+
+    // Compute fingerprint via the framework's SHA3-512 helper. Buffer
+    // form: peerCert.raw is the DER. Hex/colon both available for
+    // allow/deny matching.
+    var fp;
+    try {
+      fp = crypto().hashCertFingerprint(peerCert.raw);
+    } catch (e) {
+      return _refuse(res, "fingerprint-failed", { error: (e && e.message) || String(e) });
+    }
+
+    if (denyList.length > 0 && crypto().isCertRevoked(peerCert.raw, denyList)) {
+      return _refuse(res, "fingerprint-on-deny-list", {
+        fingerprint: fp.colon,
+        subject:     (peerCert.subject && peerCert.subject.CN) || null,
+      });
+    }
+    if (allowList && allowList.length > 0 && !crypto().isCertRevoked(peerCert.raw, allowList)) {
+      return _refuse(res, "fingerprint-not-allowed", {
+        fingerprint: fp.colon,
+        subject:     (peerCert.subject && peerCert.subject.CN) || null,
+      });
+    }
+
+    // Authenticated — attach the parsed peer cert + fingerprint to
+    // the request so downstream handlers don't have to re-parse, then
+    // emit success and call next (or operator's onAuthenticated hook).
+    req.peerCert        = peerCert;
+    req.peerFingerprint = fp;
+    _emit("success", {
+      fingerprint: fp.colon,
+      subject:     (peerCert.subject && peerCert.subject.CN) || null,
+    });
+    if (onAuthenticated) {
+      try { return onAuthenticated(req, res, next); }
+      catch (e) {
+        return _refuse(res, "on-authenticated-threw", { error: (e && e.message) || String(e) });
+      }
+    }
+    return next();
+  };
+}
+
+module.exports = {
+  create:           create,
+  RequireMtlsError: RequireMtlsError,
+};

package/lib/middleware/trace-propagate.js

@@ -85,7 +85,7 @@ function create(opts) {
         try {
           audit().safeEmit({
             action:   "system.trace.synthesised",
-            outcome:  "ok",
+            outcome:  "success",
             metadata: { route: req.url || "/", traceId: req.trace.traceId },
           });
         } catch (_e) { /* drop-silent — observability sink */ }

package/lib/mtls-ca.js

@@ -17,7 +17,7 @@
  *       caCert:         "ca.crt",
  *     },
  *     vault:            b.vault,         // optional; required when sealed
- *     caKeySealedMode:  "auto",          // "auto" | "required" | "disabled"
+ *     caKeySealedMode:  "required",      // "required" (default) | "disabled"
  *     generation:       1,               // current CA generation for OU=CAv{N}
  *     engine:           myCertEngine,    // optional — defaults to b.mtlsEngine
  *   });
@@ -27,10 +27,16 @@
  *   ca.key           CA private key (PEM, plaintext on disk)
  *   ca.key.sealed    CA private key (vault.seal of PEM bytes)
  *
- * caKeySealedMode:
- *   "auto"      load whichever exists (sealed if present, else plain)
- *   "required"  sealed file required; refuse plaintext
- *   "disabled"  plaintext required; refuse sealed
+ * caKeySealedMode (defaults to "required"):
+ *   "required"  sealed file required; refuse plaintext (default — vault
+ *               must be wired)
+ *   "disabled"  plaintext required; refuse sealed (dev-only opt-out;
+ *               operator must justify with audited reason)
+ *
+ * The legacy "auto" mode (load whichever exists, fall back to plaintext
+ * when no sealed file is present) was removed; it defaulted to writing
+ * plaintext on a fresh install, which is the inverse of the framework's
+ * security-defaults-on posture for at-rest key material.
  *
  * Generation tagging: every CA cert issued by the framework embeds a
  * "OU=CAv{N}" RDN in its subject DN. Status reads that back so an
@@ -114,7 +120,7 @@ var DEFAULT_PATHS = {
   crl:          "ca.crl",
 };
 
-var VALID_SEAL_MODES = { auto: 1, required: 1, disabled: 1 };
+var VALID_SEAL_MODES = { required: 1, disabled: 1 };
 
 function _resolvePaths(dataDir, paths) {
   var p = Object.assign({}, DEFAULT_PATHS, paths || {});
@@ -161,10 +167,11 @@ function create(opts) {
   }
   var paths = _resolvePaths(opts.dataDir, opts.paths);
   var vault = opts.vault || null;
-  var caKeySealedMode = (opts.caKeySealedMode || "auto").toLowerCase();
+  var caKeySealedMode = (opts.caKeySealedMode || "required").toLowerCase();
   if (!VALID_SEAL_MODES[caKeySealedMode]) {
     throw new MtlsCaError("mtls-ca/bad-mode",
-      "caKeySealedMode must be 'auto', 'required', or 'disabled'");
+      "caKeySealedMode must be 'required' or 'disabled' " +
+      "(legacy 'auto' was removed — it defaulted to plaintext-on-disk)");
   }
   var generation = typeof opts.generation === "number" && opts.generation >= 1
     ? Math.floor(opts.generation) : 1;
@@ -230,23 +237,10 @@ function create(opts) {
       }
       return Buffer.from(pem, "utf8");
     }
-    if (caKeySealedMode === "disabled") {
-      if (!hasPlain) {
-        throw new MtlsCaError("mtls-ca/plain-required",
-          "CA_KEY_SEALED='disabled' but " + paths.caKey + " does not exist");
-      }
-      return fs.readFileSync(paths.caKey);
-    }
-    // auto: prefer sealed if it exists (defense-in-depth default)
-    if (hasSealed) {
-      _requireVault("sealed CA key load");
-      var sealedBytesA = fs.readFileSync(paths.caKeySealed, "utf8").trim();
-      var pemA = vault.unseal(sealedBytesA);
-      if (!pemA) {
-        throw new MtlsCaError("mtls-ca/unseal-failed",
-          "vault.unseal of " + paths.caKeySealed + " returned empty");
-      }
-      return Buffer.from(pemA, "utf8");
+    // disabled: plaintext only.
+    if (!hasPlain) {
+      throw new MtlsCaError("mtls-ca/plain-required",
+        "caKeySealedMode='disabled' but " + paths.caKey + " does not exist");
     }
     return fs.readFileSync(paths.caKey);
   }
@@ -260,10 +254,10 @@ function create(opts) {
   }
 
   // Atomic commit: write .tmp + atomic rename for both key and cert.
-  // Honors caKeySealedMode — when 'required', the key is vault-sealed
-  // before the on-disk write so plaintext PEM never touches the
-  // filesystem; when 'disabled', it goes to disk as PEM. 'auto'
-  // defaults to plaintext-on-disk.
+  // Honors caKeySealedMode — when 'required' (the default), the key is
+  // vault-sealed before the on-disk write so plaintext PEM never touches
+  // the filesystem; when 'disabled', it goes to disk as PEM with the
+  // operator's audited reason on record.
   function commit(opts2) {
     if (!opts2 || typeof opts2.caKeyPem !== "string" || typeof opts2.caCertPem !== "string") {
       throw new MtlsCaError("mtls-ca/bad-commit",

package/lib/mtls-engine-default.js

@@ -134,7 +134,27 @@ async function _selectAlgorithm() {
   for (var i = 0; i < ALG_CANDIDATES.length; i++) {
     var c = ALG_CANDIDATES[i];
     var ok = await _probeCandidate(c);
-    if (ok) { _selectedAlg = c; return c; }
+    if (ok) {
+      _selectedAlg = c;
+      // Emit an audit row at first probe so operators see which
+      // algorithm landed without having to call b.mtlsCa.status().
+      // Pre-PQC ecosystems land on the ECDSA-P384 bridge silently;
+      // this puts the choice on the chain so compliance dashboards
+      // alert when an operator's deployment hasn't yet picked up the
+      // PQ-signed-cert capability the framework would otherwise
+      // prefer.
+      setImmediate(function () {
+        try {
+          var auditMod = require("./audit");                                          // allow:inline-require — circular-load defense
+          auditMod.safeEmit({
+            action:   "mtls.engine.algorithm_selected",
+            outcome:  "success",
+            metadata: { label: c.label, posture: c.posture, candidatesProbed: i + 1 },
+          });
+        } catch (_e) { /* drop-silent */ }
+      });
+      return c;
+    }
   }
   // Should never happen — ECDSA-P384-SHA384 is universal.
   throw new MtlsEngineError("mtls-engine/no-algorithm",

package/lib/network-tls.js

@@ -26,7 +26,7 @@ var STATE = {
   cas:             [],
   systemTrust:     false,
   baselineFingerprints: null,
-  tlsKeyShares:    ["X25519MLKEM768", "X25519", "secp256r1"],
+  tlsKeyShares:    ["SecP384r1MLKEM1024", "X25519MLKEM768", "X25519"],
 };
 
 function _normalizePem(pem) {
@@ -301,7 +301,7 @@ function expiryMonitor(opts) {
         try {
           audit().safeEmit({
             action:  "network.tls.ca.expiring",
-            outcome: "warn",
+            outcome: "success",
             metadata: {
               count:   rows.length,
               labels:  rows.map(function (r) { return r.label; }),
@@ -375,9 +375,9 @@ function applyToContext(opts) {
 //   resetKeyShares()                                  → restores default
 
 var DEFAULT_PQC_KEY_SHARES = Object.freeze([
-  "X25519MLKEM768",                                                              // hybrid KEM, draft-kwiatkowski-tls-ecdhe-mlkem-02
-  "X25519",                                                                      // classical fallback
-  "secp256r1",                                                                   // legacy peers
+  "SecP384r1MLKEM1024",                                                          // highest-PQC hybrid (codepoint 0x11ED, draft-kwiatkowski-tls-ecdhe-mlkem-02)
+  "X25519MLKEM768",                                                              // mid-PQC hybrid (codepoint 0x11EC, IETF/Cloudflare/Chrome interop)
+  "X25519",                                                                      // classical fallback (modern non-PQC peers)
 ]);
 
 function _validateKeyShare(name) {
@@ -990,9 +990,24 @@ function buildOcspRequest(opts) {
   var serial = _extractLeafSerial(opts.leafCertDer);
   // CertID hashes — SHA-1 per RFC 6960 §4.1.1 (the only universally
   // supported algorithm; SHA-256 in OCSP requests is RFC 6960 §4.3
-  // optional and many responders reject).
+  // optional and many responders reject). The hash isn't security-
+  // critical here — it's a name/key lookup, not an integrity check —
+  // but operator compliance dashboards alerting on "anywhere in the
+  // framework that touches SHA-1" need a signal. Emit an audit row
+  // on every OCSP request build so the algorithm choice is visible
+  // in the chain.
   var nameHash = nodeCrypto.createHash("sha1").update(iss.issuerNameDer).digest();
   var keyHash  = nodeCrypto.createHash("sha1").update(iss.issuerKey).digest();
+  setImmediate(function () {
+    try {
+      var auditMod = require("./audit");                                            // allow:inline-require — circular-load defense (audit imports network-tls)
+      auditMod.safeEmit({
+        action:   "network.tls.ocsp.certid_built",
+        outcome:  "success",
+        metadata: { hashAlgorithm: "sha1", note: "RFC 6960 §4.1.1 — non-security-critical lookup hash" },
+      });
+    } catch (_e) { /* drop-silent */ }
+  });
   // hashAlgorithm AlgorithmIdentifier ::= SEQUENCE { algorithm OID, NULL }
   var algId = asn1.writeSequence([asn1.writeOid(OID_SHA1), asn1.writeNull()]);
   var certId = asn1.writeSequence([

package/lib/object-store/sigv4-bucket-ops.js

@@ -897,6 +897,47 @@ function create(config) {
     _validateRetention(opts);
     validateOpts(opts, ["mode", "retainUntil", "bypassGovernance", "req", "actor"],
       "bucketOps.setObjectRetention");
+    // COMPLIANCE-mode defense-in-depth: refuse client-side when the
+    // operator (or attacker with the s3:PutObjectRetention permission)
+    // tries to shorten an existing COMPLIANCE retention or pass
+    // bypassGovernance against COMPLIANCE. Real S3 also refuses but
+    // MinIO and other S3-compatible backends are implementation-
+    // dependent; the framework's job is defense-in-depth, not
+    // passthrough. Adds one RTT (the GET) to every PUT — acceptable.
+    //
+    // The pre-check is a soft gate: when the backend can't surface the
+    // existing retention (parse error, no-such-object, etc.), the
+    // framework falls through to the PUT and lets the backend's own
+    // enforcement handle it. The pre-check is value-add, not
+    // load-bearing.
+    return getObjectRetention(name, key).then(function (existing) {
+      if (existing && existing.mode === "COMPLIANCE") {
+        if (opts.bypassGovernance === true) {
+          throw new ObjectStoreError("objectstore/compliance-bypass-refused",
+            "setObjectRetention: bypassGovernance refused — existing retention mode is COMPLIANCE (cannot be bypassed by anyone, including root)", true);
+        }
+        if (opts.retainUntil && existing.retainUntil &&
+            opts.retainUntil.getTime() < existing.retainUntil.getTime()) {
+          throw new ObjectStoreError("objectstore/compliance-shortening-refused",
+            "setObjectRetention: cannot shorten COMPLIANCE retention (existing=" +
+            existing.retainUntil.toISOString() + ", proposed=" +
+            opts.retainUntil.toISOString() + ")", true);
+        }
+      }
+      return _doSetRetention(name, key, opts);
+    }, function (e) {
+      // Re-throw the framework's own COMPLIANCE refusals; everything
+      // else (parse errors, transient network errors, malformed
+      // backend responses) falls through to the PUT.
+      if (e && typeof e.code === "string" &&
+          e.code.indexOf("objectstore/compliance-") === 0) {
+        throw e;
+      }
+      return _doSetRetention(name, key, opts);
+    });
+  }
+
+  function _doSetRetention(name, key, opts) {
     var bodyXml = _buildRetentionXml(opts);
     var bodyBuf = Buffer.from(bodyXml, "utf8");
     var url = _objectUrl(name, key, { retention: "" });

package/lib/observability-otlp-exporter.js

@@ -41,6 +41,33 @@ var { defineClass } = require("./framework-error");
 var OtlpExporterError = defineClass("OtlpExporterError", { alwaysPermanent: true });
 
 var observability = lazyRequire(function () { return require("./observability"); });
+var httpClient    = lazyRequire(function () { return require("./http-client"); });
+
+// Default OTLP transport — uses the framework's own b.httpClient
+// (node:https through the PQC-hybrid agent + cert-pinning + SSRF
+// guard) rather than globalThis.fetch. Operators with a sidecar
+// collector that must be addressed via fetch (Cloudflare Workers,
+// Deno, fetch-only edge runtimes) override fetchImpl explicitly.
+// Returning a fetch-shaped { ok, status } so the existing _post
+// path stays the same regardless of which transport ran.
+function _defaultFetchImpl(endpoint, init) {
+  var hc = httpClient();
+  return hc.request({
+    url:           endpoint,
+    method:        init && init.method  ? init.method  : "POST",
+    headers:       init && init.headers ? init.headers : {},
+    body:          init && init.body    ? init.body    : "",
+    timeoutMs:     0,
+    responseMode:  "always-resolve",
+    allowInternal: true,
+  }).then(function (res) {
+    var status = res && res.statusCode;
+    return {
+      ok:     status >= 200 && status < 300,                                       // allow:raw-byte-literal — HTTP status ranges
+      status: status,
+    };
+  });
+}
 
 var DEFAULT_BATCH_SIZE         = 200;                                              // allow:raw-byte-literal — OTLP recommended batch
 var DEFAULT_MAX_QUEUE_SIZE     = 4096;                                             // allow:raw-byte-literal — operator-side queue cap
@@ -206,10 +233,16 @@ function create(opts) {
   var maxAttempts = opts.maxAttempts || DEFAULT_MAX_ATTEMPTS;
   var backoffInitial = opts.backoffInitialMs || DEFAULT_BACKOFF_INITIAL_MS;
   var backoffMax     = opts.backoffMaxMs     || DEFAULT_BACKOFF_MAX_MS;
-  var fetchImpl  = opts.fetchImpl    || ((typeof globalThis.fetch === "function") ? globalThis.fetch.bind(globalThis) : null);
+  // Default transport is the framework's b.httpClient (node:https +
+  // PQC-hybrid agent + SSRF guard). globalThis.fetch was the prior
+  // default; it leaked an outbound network surface that supply-chain
+  // scanners flagged because nothing in the framework's TLS posture
+  // wired through it. Operators on fetch-only runtimes still override
+  // by passing opts.fetchImpl.
+  var fetchImpl  = opts.fetchImpl || _defaultFetchImpl;
   if (typeof fetchImpl !== "function") {
     throw new OtlpExporterError("otlp/no-fetch",
-      "otlpExporter.create: fetchImpl required (globalThis.fetch unavailable)");
+      "otlpExporter.create: opts.fetchImpl must be a function (override the framework default)");
   }
 
   var queue = [];

package/lib/outbox.js

@@ -308,7 +308,7 @@ function create(opts) {
       " SET status = 'dead', attempts = $1, last_error = $2 WHERE id = $3",
       [attempts + 1, String(errMsg).slice(0, 1024), id]                            // allow:raw-byte-literal — error-message char cap
     );
-    _emitAudit("system.outbox.deadletter", "fail", { id: id, attempts: attempts + 1 });
+    _emitAudit("system.outbox.deadletter", "failure", { id: id, attempts: attempts + 1 });
     _emitMetric("dead-letter", 1);
   }
 
@@ -353,7 +353,7 @@ function create(opts) {
         .catch(function () { /* drop-silent — see _processOnce */ })
         .finally(function () { inFlight = null; });
     }, pollIntervalMs, { name: name + "-publisher" });
-    _emitAudit("system.outbox.started", "ok", { name: name });
+    _emitAudit("system.outbox.started", "success", { name: name });
   }
 
   async function stop() {
@@ -365,7 +365,7 @@ function create(opts) {
     if (inFlight) {
       try { await inFlight; } catch (_e) { /* drop-silent */ }
     }
-    _emitAudit("system.outbox.stopped", "ok", { name: name });
+    _emitAudit("system.outbox.stopped", "success", { name: name });
   }
 
   async function pendingCount() {

package/lib/permissions.js

@@ -491,8 +491,17 @@ function create(opts) {
       }
 
       if (enforceMfa) {
+        // Window floor — when neither route nor role supplies an
+        // explicit mfaWindowMs, default to 15 minutes. Without this
+        // floor, a stolen long-lived cookie carrying an old `mfaAt`
+        // walks past every requireMfa: true gate. Operators who want
+        // an explicit no-window pass-through must say so via
+        // mfaWindowMs: Infinity (audited reason).
+        if (enforceWindowMs === null) {
+          enforceWindowMs = C.TIME.minutes(15);
+        }
         var mfaOk = actor.mfaAuthenticated === true;
-        if (mfaOk && enforceWindowMs !== null) {
+        if (mfaOk && enforceWindowMs !== null && enforceWindowMs !== Infinity) {
           var mfaAt = typeof actor.mfaAt === "number" ? actor.mfaAt : 0;
           if (Date.now() - mfaAt > enforceWindowMs) {
             mfaOk = false;

package/lib/pqc-agent.js

@@ -48,7 +48,28 @@ var DEFAULT_OPTS = {
 function _buildAgentOpts(opts) {
   opts = opts || {};
   var merged = Object.assign({}, DEFAULT_OPTS, opts);
-  merged.ecdhCurve  = C.TLS_GROUP_CURVE_STR;
+  // Caller may narrow the framework's curve preference list (drop a
+  // group, keep the remaining ones in framework-preferred order) but
+  // cannot widen it. A caller-supplied `ecdhCurve` string is parsed
+  // into groups and every group must appear in TLS_GROUP_PREFERENCE,
+  // otherwise the agent build refuses. The empty narrowing is a
+  // misconfig — TLS won't negotiate a key share — so reject too.
+  if (typeof opts.ecdhCurve === "string" && opts.ecdhCurve.length > 0) {
+    var requested = opts.ecdhCurve.split(":");
+    for (var rgi = 0; rgi < requested.length; rgi++) {
+      if (C.TLS_GROUP_PREFERENCE.indexOf(requested[rgi]) === -1) {
+        throw new TypeError(
+          "pqc-agent: opts.ecdhCurve='" + opts.ecdhCurve + "' includes '" +
+          requested[rgi] + "' which is not in the framework PQC-hybrid " +
+          "preference (" + C.TLS_GROUP_CURVE_STR + "); construct an " +
+          "https.Agent directly to negotiate weaker groups."
+        );
+      }
+    }
+    merged.ecdhCurve = requested.join(":");
+  } else {
+    merged.ecdhCurve = C.TLS_GROUP_CURVE_STR;
+  }
   merged.minVersion = "TLSv1.3";
   if (networkTls && typeof networkTls.applyToContext === "function") {
     merged = networkTls.applyToContext({ base: merged });

package/lib/pubsub.js

@@ -379,16 +379,20 @@ function create(opts) {
           ? rv.remote : 1;
       } catch (e) {
         if (auditOn) {
-          try { audit().safeEmit("system.pubsub.publish-failed", {
-            channel: channel, error: (e && e.message) || String(e),
+          try { audit().safeEmit({
+            action: "system.pubsub.publish_failed",
+            outcome: "failure",
+            metadata: { channel: channel, error: (e && e.message) || String(e) },
           }); } catch (_e) { /* */ }
         }
         throw e;
       }
     }
     if (auditOn) {
-      try { audit().safeEmit("system.pubsub.publish", {
-        channel: channel, localDispatched: local, remoteWritten: remote,
+      try { audit().safeEmit({
+        action: "system.pubsub.publish",
+        outcome: "success",
+        metadata: { channel: channel, localDispatched: local, remoteWritten: remote },
       }); } catch (_e) { /* */ }
     }
     return { local: local, remote: remote };

package/lib/redact.js

@@ -35,6 +35,14 @@ var SENSITIVE_FIELDS = [
   "card_number", "cardnumber", "cvc", "cvv", "pin",
   "privatekey", "private_key", "passphrase", "session", "sid",
   "_authtoken", "auth_token", "bearer", "cookie",
+  // Header-shaped variants of api-key — substring matching against a
+  // lowercased field name treats hyphen + underscore + dot as
+  // literal, so each header form needs its own entry.
+  "x-api-key", "x_api_key", "x-apikey", "api-key",
+  // DPoP / OAuth 2.1 / OIDC proof-of-possession + selective-disclosure
+  // fields — operator-error metadata logging often carries these.
+  "jwk", "dpop", "proof", "assertion", "client_assertion", "id_token_hint",
+  "code_verifier", "client_secret", "refresh_token", "access_token",
   // Vault-sealed values (don't log even though they're encrypted —
   // operational logs aren't a place to leak ciphertext shape either)
   // matched separately by value detector below
@@ -74,6 +82,20 @@ var VALUE_DETECTORS = [
     },
     replacement: "[REDACTED-JWT]",
   },
+  {
+    // URL with bearer-shaped query parameter — the parent field is
+    // typically `url` or `referer`, neither of which the field-name
+    // pass redacts. Replace the whole querystring after the marker
+    // so the path stays useful for log triage.
+    name:        "url-bearer-query",
+    test:        function (v) {
+      return typeof v === "string" &&
+        /^[a-zA-Z][a-zA-Z0-9+.-]*:\/\/[^\s]*[?&#](?:access_token|id_token|token|api_key|apikey)=/.test(v);
+    },
+    replacement: function (v) {
+      return String(v).replace(/(access_token|id_token|token|api_key|apikey)=[^&#]*/g, "$1=[REDACTED]");
+    },
+  },
   {
     name:        "pem",
     test:        function (v) { return typeof v === "string" && /-----BEGIN [A-Z ]+-----/.test(v); },
@@ -151,7 +173,10 @@ function _redactValue(value) {
   if (typeof value !== "string") return value;
   var allDetectors = VALUE_DETECTORS.concat(customDetectors);
   for (var i = 0; i < allDetectors.length; i++) {
-    if (allDetectors[i].test(value)) return allDetectors[i].replacement;
+    if (allDetectors[i].test(value)) {
+      var rep = allDetectors[i].replacement;
+      return typeof rep === "function" ? rep(value) : rep;
+    }
   }
   return value;
 }