@blamejs/core 0.8.12 → 0.8.15

package/CHANGELOG.md

@@ -8,6 +8,12 @@ upgrading across more than a few patches at a time.
 
 ## v0.8.x
 
+- **0.8.15** (2026-05-08) — Transport-layer CVE absorption + AI-protocol primitives. **`b.sse`** — Server-Sent Events transport with newline-injection refusal in `event:` / `id:` / `data:` fields and the `Last-Event-ID` reconnect header (CVE-2026-33128 h3, CVE-2026-29085 Hono, CVE-2026-44217 sse-channel — three CVEs published in the same vulnerability class). Channel API: `channel.send({event,id,data,retry})` validates each field, refuses LF/CR/NUL, splits multi-line `data` into per-spec multiple `data:` lines, drives a `:keepalive` heartbeat with operator-tunable interval. `b.sse.serializeEvent({...})` exposes the encoder for buffered pipelines. **`b.mcp.serverGuard`** — Model Context Protocol server-side hardening. Bearer auth required by default (CVE-2026-33032 nginx-ui auth-bypass class), `redirect_uri` exact-match allowlist enforced per OAuth 2.1 / RFC 9700 §4.1.1 (CVE-2025-6514 mcp-remote OAuth RCE class), dynamic client-registration refused unless `allowDynamicRegister: true` with operator-supplied registration allowlist (confused-deputy class), tool/resource name allowlists at the guard layer. JSON-RPC 2.0 envelope validator. **`b.graphqlFederation.guardSdl`** — refuses `_service.sdl` / `_entities` probes without a router-token Bearer + optional single-use nonce; closes the schema-leak class where operators disable introspection thinking the schema is hidden. **`b.ai.input.classify`** — pattern-based prompt-injection classifier covering OWASP LLM01:2025 + NIST COSAIS RFI shapes: instruction-override / persona-jailbreak / role-reset markers / OpenAI system-tag templates / tool-call injection / exfil-callback / encoded-bypass (base64/rot13) / markdown+HTML smuggling / BIDI/zero-width/control char density. Severity-3 hits → `verdict: "malicious"`; 2+ severity-2 hits → `"suspicious"`; otherwise `"clean"`. Inline-on-every-request perf cost — no LLM, no network. **`b.a2a`** — A2A (Linux Foundation Agentic AI Foundation) v1.x signed agent-card primitive. `signCard` produces an envelope with a detached ML-DSA-87 signature over the SHA3-512 of the canonical-JSON serialization (RFC 8785-aligned); `verifyCard` validates signature + expiry + issuer match. Endpoints HTTPS-only (or localhost) at validation time. **`b.darkPatterns`** — FTC Negative Option Rule click-to-cancel UX-parity attestation primitive. `recordSignupFlow` / `recordCancelFlow` capture operator-attested click counts, CTA contrast / font weight, channel, confirmation steps; `assertParity` returns `{ ok, breaches }` against `ftc-2024` / `ca-sb942` / `strict` postures. `middleware({lookupAttestation, resourceIdFromReq})` refuses cancel-endpoint requests with HTTP 451 if no parity attestation is on file. **WebSocket control-frame size cap** — `lib/websocket.js` `_handleFrame` refuses any control frame (opcodes ≥ 0x8: CLOSE/PING/PONG) with payload length > 125 or `fin = false` (RFC 6455 §5.5). Closes the 2× outbound-bandwidth amplification class where a 1 MiB PING was echoed verbatim as PONG. **`b.requestHelpers.safeHeadersDistinct(req)`** — defensive accessor for `req.headersDistinct` that bypasses Node's faulty getter (Node CVE-2026-21710 — reading `__proto__` on the underlying header bag throws synchronously inside the getter, escaping handler-level try/catch). Computes the same null-prototype shape directly from `req.rawHeaders`. **TLS / SNI hardening** — `router.listen()` now wraps any operator-supplied `tlsOptions.SNICallback` so synchronous throws (Node CVE-2026-21637) become a clean async `(err, null)` callback rather than crashing the listener. Inbound TLS now defaults to `minVersion: "TLSv1.3"` when the operator's `tlsOptions` doesn't pin one (closes the gap where bare `{key, cert}` inherited Node's TLSv1.2 default). **httpClient identity decoding** — `b.httpClient` now sends `Accept-Encoding: identity` by default (h1 + h2 paths) — refuses compressed responses unless the operator explicitly opts in. Closes the undici unbounded-decompression amplification class (CVE-2026-22036). Operators that need compressed responses pass an explicit `Accept-Encoding` header. **Engine pin** — `engines.node` raised from `>=24.0.0` to `>=24.4.0` to ensure the undici fix is bundled.
+
+- **0.8.14** (2026-05-07) — `b.vault.sealPemFile` — auto-resealing wrapper for at-rest PEM files. Operators with ACME / Let's Encrypt renewals get fresh certs every 30-60 days; the renewal writes plaintext PEM to disk, signals the application to reload, and leaves the cleartext file unencrypted between the renewal write and the next manual re-seal. `b.vault.sealPemFile({ source, destination })` closes that window: the framework reads the source, vault-seals it, atomically writes `<destination>` (`.tmp` + `fsync` + `rename` + `fsyncDir`), and registers an `fs.watchFile` poll on the source. Every mtime change triggers an automatic re-seal — the operator-visible `<destination>.rewriting` marker is created before the rename and removed after, giving crash recovery a signal: when `sealPemFile()` starts and the marker is present, it re-seals from source idempotently. Returns `{ stop, generation, lastResealedAt, lastError, watching, forceReseal }` so operators can wire the watcher into existing lifecycle hooks (`b.appShutdown.addPhase({ name: "pem-watcher", run: () => watcher.stop() })`). `pollInterval` defaults to 2s — ACME renewal cadence is days, so polling latency is irrelevant against the renewal interval; operators with sub-second requirements override. `fs.watchFile` (the polling backend) is used instead of `fs.watch` (inotify / kqueue) because watchFile is consistent across platforms — Linux fires multiple change events per rename, macOS doesn't fire on renamed-into files, and the polling cadence is acceptable here.
+
+- **0.8.13** (2026-05-07) — Streaming multipart uploads + `onChunk` response hook on `b.httpClient`. **Streaming multipart** — `b.httpClient.request({ multipart: { files: [...] } })` now accepts file entries in three shapes: the existing `{ field, content: Buffer | string }` (in-memory), plus new `{ field, filePath: string }` (stream-from-disk via `fs.createReadStream`) and `{ field, stream: Readable, size?: number }` (operator-supplied stream). When every entry's size is statically resolvable (Buffer length / `fs.statSync().size` / explicit `opts.size`), the framework sets `Content-Length` and uses identity transfer; otherwise the framework omits the header and Node's HTTP layer falls back to chunked transfer. Closes the `Buffer.concat` OOM class on large uploads — the body is materialized one chunk at a time through a `Readable.from(asyncIterator)` that yields boundary headers, source bytes, and CRLF in order. Fast-path preserved: when no streaming source is involved, `_buildMultipartBody` still returns a single Buffer with a known `Content-Length`. **`onChunk(chunk)` response hook** — fires for each response data chunk in BOTH `responseMode: "buffer"` and `responseMode: "stream"`. Use case: hash bytes during pipe-to-disk without an extra Transform pass (`onChunk: (c) => hasher.update(c)`). Throws inside the hook are caught and dropped — a hash-mismatch detector can raise without breaking the pipe; callers surface the error through their own pipe handler. Verified-already-shipped during the v0.8.x framework-gap audit: `b.httpClient` `responseMode: "always-resolve"`, `onRedirect({from, to, hop, headersStripped, statusCode})` hook, `body: Readable` upload path; `b.cryptoField` derived-hash domain separation (`bj-<table>-<field>:` per-field namespace prefix matches the indexed-lookup requirement); `b.config` `redactKeys` allowlist + `redacted()` view.
+
 - **0.8.12** (2026-05-07) — WebSocket upgrade refuses credential-shaped query parameters by default. `validateUpgradeRequest(req, opts)` now scans the request URL for the credential-leak names `access_token`, `bearer`, `bearer_token`, `apikey`, `api_key`, `api-key`, `authorization` (case-insensitive, with percent-decoding) and refuses the upgrade with HTTP 400 when one is present. URL query strings leak through web-server access logs, browser history, the Referer header forwarded to third-party CDN / analytics, in-process / proxy log captures, and crash dumps — RFC 6750 §2.3 explicitly cautions against bearer tokens in URI query parameters for these reasons. Operators with a non-credential parameter that happens to share a credential-shaped name opt out per route via `opts.allowQueryAuthParams: true` with an audited operator reason. The refused list is deliberately narrow: overloaded names (`token`, `auth`, `key`, `session`) have non-credential meanings (CSRF tokens, file-share tokens, session-resume identifiers) and are NOT refused.
 
 - **0.8.11** (2026-05-07) — Three new state-and-federal regulatory primitives + a per-primitive test-coverage gate. **`b.breach.deadline` + `b.breach.report`** — all-50-states data-breach-notification deadline registry. `b.breach.deadline.forStates(states, detectedAt)` returns per-state `{ state, kind, dueBy, citation }` records (`kind: "as-soon-as-possible"` for AS-OF / `"hard-deadline"` for fixed-day deadlines like Texas / Florida / Maine). `b.breach.report.create()` opens a multi-state breach with a single record, tracks per-state filings via `fileNotice(id, state, ...)`, exposes `pending(id)` for dashboards, and auto-closes once every affected state has filed. Every transition records a `breach.report.*` audit event. Statutory citations + day counts wired in `lib/breach-deadline.js` per-state. **`b.ai.adverseDecision`** — wraps an operator-supplied `decide(subject)` predicate, automatically attaches a consumer-rights notice when the outcome is `"adverse"` / `"denied"` / `"rejected"`. Built-in regulation templates for `gdpr-22` (Article 22 automated-decision rights), `ai-act-86` (EU AI Act high-risk consumer recourse), `ecoa-1002.9` (US Equal Credit Opportunity Act adverse-action notice), `colorado-ai-act` (CO SB 24-205 §6-1-1701), `nyc-ll-144` (NYC Local Law 144 employment AEDT), `fcra-615` (US FCRA adverse action), and `operator-defined`. Notice carries `principalReasons` + `consumerRights: { requestData, requestExplanation, contestDecision, requestHumanReview }` shaped per regime. **`b.middleware.ageGate`** — request-level age-classification middleware. Operator-supplied `getAge(req)` returns the subject age (or null/undefined when unknown); middleware classifies as `"above-threshold"` / `"below-threshold"` / `"unknown"` against `consentRequired`, sets `X-Privacy-Posture` header, and refuses with 451 + audited reason when `requireAge` is set and `hasParentalConsent(req)` is unmet. Composes upstream of session / authn for COPPA / AADC / UK Children's Code postures. **Per-primitive test-coverage gate** — new `test/layer-0-primitives/test-coverage.test.js` walks every operator-facing `b.*` primitive and refuses release unless the primitive has at least one test reference (or an explicit `UNTESTED_BACKLOG` entry naming the reason). Closes the drift class where a primitive landed on `b.*` but never gained a unit test.

package/README.md

@@ -47,7 +47,9 @@ The framework bundles the surface a typical Node app reaches for. Every primitiv
 - **HTTP** — router with schema-validated routes + OpenAPI publication; full middleware stack (CSRF, CORS, rate-limit, security headers, CSP nonce, body parser, compression, SSE, request log, request-time DB role binding via `b.middleware.dbRoleFor`, in-process CIDR fence via `b.middleware.networkAllowlist`) wired by `createApp`; HTTP/1.1 + HTTP/2 outbound client with SSRF gate (cloud-metadata IPs hard-denied unconditionally; private / loopback / link-local overridable per call), scheme + userinfo + per-host (wildcard / per-method) destination allowlist, redirects, multipart, interceptors, progress, encrypted cookie jar (`b.httpClient`, `b.ssrfGuard`, `b.safeUrl`); operator-tunable network configurability — env-driven NTP / NTS (RFC 8915 authenticated time), IPv4-or-IPv6 NTP servers, DNS with IPv6 / DoH / DoT (private-CA trust pinning via `opts.ca`) / cache / lookup timeout, outbound HTTP proxy (`HTTP_PROXY` / `HTTPS_PROXY` / `NO_PROXY`), runtime DPI trust-store CA additions, application-level heartbeats, TCP socket defaults (`b.network`).
 - **Defensive parsers** — `b.safeJson`, `b.safeBuffer`, `b.safeSql`, `b.safeSchema`, `b.parsers` (XML / TOML / YAML / .env), `b.config` (schema-validated env), `b.fileType` magic-byte content classification with deny-on-upload categories (image / document / archive / executable / etc.).
 - **Content-safety gates** — `b.gateContract` uniform composition contract (mode posture / hooks / forensic snapshot / decision cache / runtime cap). Family members: `b.guardCsv` (formula injection ASCII + full-width prefixes, dangerous-function denylist, bidi / homoglyph / control / null / BOM / zero-width detection, dialect ambiguity, CSV-bombs, numeric precision, schema-bound serializer); `b.guardHtml` (XSS / mXSS / DOM-clobbering / dangerous-tag / event-handler-family / dangerous-URL-scheme with entity-decode / CSS-injection in style attribute / IE conditional comments + token-level sanitize + always-correct `escapeText` / `escapeAttr` entity encoders); `b.guardSvg` (script / foreignObject / animation-element href hijack / DOCTYPE billion-laughs / XXE / SVGZ / cross-origin `<use>` SSRF / event-handlers + token-level sanitize). `b.guardArchive` (zip-slip / symlink + hardlink escape / decompression-ratio bombs (per-entry + aggregate) / nested-archive depth / duplicate-entry / case-insensitive collision / encryption-claim mismatch / format-claim mismatch via magic-byte detection — composes `b.guardFilename` for per-entry-name validation); `b.guardJson` (source-level prototype-pollution detection, duplicate-key, NaN/Infinity, JSON5 syntax, BOM, bidi, numeric-precision-loss, top-level-key allowlist, depth/breadth/array/string/node-count caps); `b.guardYaml` (deserialization-tag RCE via language-specific tag prefixes, billion-laughs alias recursion, Norway-problem implicit booleans, leading-zero octals, multi-document streams, duplicate keys, merge-key chains, depth+anchor+node caps); `b.guardXml` (XXE / billion-laughs / external-entity / parameter-entity / XInclude / xsi:schemaLocation / processing-instruction / CDATA / XML-signature-wrapping detection — DOCTYPE refused at all profile levels); `b.guardMarkdown` (source-level scan run BEFORE any markdown renderer sees the input — dangerous URL schemes in inline links + images + autolinks + reference-link definitions with HTML-entity decode bypass; whitespace-tolerant dangerous-tag matching per CVE-2026-30838; front-matter; HTML comments; code-fence language injection; catastrophic emphasis-run ReDoS per CVE-2025-6493 class; inline DOCTYPE; depth + link + image + autolink + ref-def caps); `b.guardEmail` (single-address + full RFC 822/5322 message validation — SMTP smuggling per CVE-2023-51764 / 51765 / 51766 / CVE-2026-32178 class via bare-CR + bare-LF + smuggled SMTP verbs; CRLF header injection; IDN homograph mixed-script domains with operator-opt-in `allowedScripts`; Punycode flag; display-name spoofing; IP-literal addresses; RFC 5322 comment syntax; multi-@; RFC 5321 length caps + RFC 5322 line cap; BOM injection). Filename safety: `b.guardFilename` (path traversal raw + percent-encoded + overlong-UTF-8 + null-byte truncation + Windows reserved names + NTFS ADS + RTLO bidi spoofing + shell-exec / double-extension detection — standalone, wires into `b.fileUpload` via `filenameSafety`). All members ship strict / balanced / permissive profiles plus hipaa / pci-dss / gdpr / soc2 compliance postures. `b.guardAll` is the registry + aggregator: every shipped guard ON by default; opt-out per guard with audited reason via `exceptFor: { name: { reason } }`. **As of v0.7.12, `b.fileUpload` and `b.staticServe` wire `b.guardAll.byExtension({ profile: "strict" })` automatically + `b.fileUpload` also wires `b.guardFilename.gate({ profile: "strict" })` as `filenameSafety`** — defense-in-depth applied without any explicit operator wiring. Operators opt out per host-primitive via `contentSafety: null` / `filenameSafety: null` (audited at create() with operator-supplied reason).
-- **Communication** — WebSockets with channel/room fan-out across cluster replicas (`b.websocket`, `b.websocketChannels`); outbound WebSocket client (RFC 6455) with PQC-TLS handshake, permessage-deflate negotiation with decompression-bomb cap, fatal UTF-8 validation, control-frame size + FIN enforcement, permanent-error classifier that skips reconnect on 4xx handshake / accept mismatch / bad-subprotocol, exponential-backoff with full jitter (`b.wsClient`); generic distributed pub/sub with cluster-table / Redis PUB/SUB / custom backends (`b.pubsub`); mail with multipart + attachments + DKIM + calendar invites + bounce intake (`b.mail`, `b.mailBounce`); inbound mail authentication — SPF / DMARC / ARC verify + ARC chain signing for relays (`b.mail.spf`, `b.mail.dmarc`, `b.mail.arc`); generic notification dispatcher with operator-supplied transports (`b.notify`); chunked file uploads with per-chunk SHA3-512 verification + atomic finalize + tombstone cleanup (`b.fileUpload`).
+- **Communication** — WebSockets with channel/room fan-out across cluster replicas + RFC 6455 §5.5 control-frame size + FIN enforcement on inbound (defends 1 MiB-PING-echoed-as-PONG 2× amplification class) (`b.websocket`, `b.websocketChannels`); outbound WebSocket client (RFC 6455) with PQC-TLS handshake, permessage-deflate negotiation with decompression-bomb cap, fatal UTF-8 validation, control-frame size + FIN enforcement, permanent-error classifier that skips reconnect on 4xx handshake / accept mismatch / bad-subprotocol, exponential-backoff with full jitter (`b.wsClient`); generic distributed pub/sub with cluster-table / Redis PUB/SUB / custom backends (`b.pubsub`); Server-Sent Events with newline-injection refusal in `event:` / `id:` / `data:` / `Last-Event-ID` per CVE-2026-33128 / 29085 / 44217 class (`b.sse`, `b.middleware.sse`); mail with multipart + attachments + DKIM + calendar invites + bounce intake (`b.mail`, `b.mailBounce`); inbound mail authentication — SPF / DMARC / ARC verify + ARC chain signing for relays (`b.mail.spf`, `b.mail.dmarc`, `b.mail.arc`); generic notification dispatcher with operator-supplied transports (`b.notify`); chunked file uploads with per-chunk SHA3-512 verification + atomic finalize + tombstone cleanup (`b.fileUpload`).
+- **AI / agentic** — Model Context Protocol server-guard with bearer auth + redirect_uri allowlist + dynamic-register refusal + tool/resource allowlists (CVE-2026-33032 / CVE-2025-6514 / confused-deputy class) (`b.mcp.serverGuard`); GraphQL Federation `_service.sdl` trust-boundary with router-token + nonce store (`b.graphqlFederation`); prompt-injection input classifier (OWASP LLM01:2025 / NIST COSAIS RFI) (`b.ai.input.classify`); A2A signed agent-card primitive (Linux Foundation Agentic AI Foundation v1.x, ML-DSA-87) (`b.a2a`).
+- **FTC compliance** — click-to-cancel UX-parity attestation with `ftc-2024` / `ca-sb942` / `strict` postures (`b.darkPatterns`).
 - **Observability** — tamper-evident audit chain with SLH-DSA-signed checkpoints, metrics, tracing (OTel pass-through when wired), PII redaction, log-stream sinks (local file rotation, generic webhook, OTLP/HTTP-JSON OR OTLP/gRPC to an OTel collector, AWS CloudWatch Logs via SigV4 with optional autoCreate, RFC 5424 syslog over UDP/TCP/TLS), OTLP/HTTP-JSON exporter for traces + metrics (`b.audit`, `b.metrics`, `b.tracing`, `b.redact`, `b.logStream`, `b.otelExport`); operator-callable boot-time security policy assertions (`b.security.assertProduction`) and tamper-evident config-baseline drift detection signed with the audit-signing key (`b.configDrift`).
 - **i18n** — CLDR plural rules, Accept-Language negotiation, Intl formatters, RTL (`b.i18n`).
 - **Format helpers** — RFC 4180 CSV with Excel formula-injection prevention (`b.csv`), RFC 9562 UUID v4 + v7 (`b.uuid`), URL-safe slugs (`b.slug`), TZ-aware datetime (`b.time`), ZIP creation (`b.archive`), HMAC-signed cursor pagination (`b.pagination`), HTML form rendering + validation + CSRF (`b.forms`).

package/index.js

@@ -94,6 +94,12 @@ var httpClient = require("./lib/http-client");
 httpClient.encrypted = require("./lib/middleware/api-encrypt").httpClient;
 httpClient.cookieJar = require("./lib/http-client-cookie-jar");
 var websocket = require("./lib/websocket");
+var sse = require("./lib/sse");
+var mcp = require("./lib/mcp");
+var graphqlFederation = require("./lib/graphql-federation");
+var aiInput = require("./lib/ai-input");
+var a2a = require("./lib/a2a");
+var darkPatterns = require("./lib/dark-patterns");
 var safeUrl = require("./lib/safe-url");
 var safeRedirect = require("./lib/safe-redirect");
 var pick = require("./lib/pick");
@@ -255,7 +261,7 @@ module.exports = {
   nis2:             { report: require("./lib/nis2-report") },
   gdpr:             { ropa: require("./lib/gdpr-ropa") },
   breach:           require("./lib/breach-deadline"),
-  ai:               { adverseDecision: require("./lib/ai-adverse-decision") },
+  ai:               { adverseDecision: require("./lib/ai-adverse-decision"), input: aiInput },
   queue:            queue,
   logStream:        logStream,
   redact:           redact,
@@ -276,6 +282,11 @@ module.exports = {
   frameworkError:   frameworkError,
   httpClient:       httpClient,
   websocket:        websocket,
+  sse:              sse,
+  mcp:              mcp,
+  graphqlFederation: graphqlFederation,
+  a2a:              a2a,
+  darkPatterns:     darkPatterns,
   safeUrl:          safeUrl,
   safeRedirect:     safeRedirect,
   pick:             pick,

package/lib/a2a.js

@@ -0,0 +1,272 @@
+"use strict";
+/**
+ * A2A (Agent-to-Agent) v1.x signed agent-card primitive.
+ *
+ * Linux Foundation Agentic AI Foundation A2A protocol — agents
+ * advertise their capabilities, identity, endpoints, and policies via
+ * an "agent card" that another agent fetches before initiating
+ * collaboration. The 1.x protocol moved to required signed cards: the
+ * card is a JSON document signed (detached signature) by the issuing
+ * agent's identity key. Verifiers reject unsigned or expired cards.
+ *
+ * Public API:
+ *
+ *   a2a.signCard(card, privateKeyPem, opts) -> { card, signature, signedAt, expiresAt }
+ *     Canonicalizes the card and returns a signed envelope. The
+ *     signature is over the SHA3-512 hash of the canonical-JSON
+ *     serialization (RFC 8785). Algorithm is whatever's pinned in
+ *     privateKeyPem (defaults to ML-DSA-87 per framework crypto
+ *     defaults). opts:
+ *       ttlMs    — default 24 hours.
+ *       audit    — bool, default true.
+ *       errorClass — A2aError by default.
+ *
+ *   a2a.verifyCard(envelope, publicKeyPem, opts) -> { valid, claims, reason? }
+ *     Verifies the signature, expiry, and required-fields shape.
+ *     opts:
+ *       maxBytes  — card cap (default 64 KiB).
+ *       clockSkewMs — allowance on expiresAt (default 5 minutes).
+ *       expectedIssuer — optional string; refuse if card.issuer !== this.
+ *
+ *   a2a.canonicalize(card) -> string
+ *     RFC 8785-aligned canonical JSON (sorted keys, no whitespace).
+ *     Exposed for operators that store the canonical form alongside
+ *     the signature.
+ *
+ *   a2a.createCard(opts) -> card
+ *     Convenience constructor:
+ *       opts: { issuer, agentId, capabilities, endpoints, policies, contact, version }
+ *     All fields validated for shape.
+ */
+
+var crypto = require("./crypto");
+var canonicalJson = require("./canonical-json");
+var C = require("./constants");
+var nb = require("./numeric-bounds");
+var audit = require("./audit");
+var { A2aError } = require("./framework-error");
+
+var REQUIRED_CARD_FIELDS = ["issuer", "agentId", "capabilities", "version"];
+var ID_MAX     = 256;                                                                       // allow:raw-byte-literal — string-length cap, not bytes
+var SEMVER_MAX = 64;                                                                        // allow:raw-byte-literal — string-length cap, not bytes
+var CAP_NAME_MAX = 128;                                                                     // allow:raw-byte-literal — string-length cap, not bytes
+var SHAKE256_BYTES = 64;                                                                    // allow:raw-byte-literal — SHA3-512 output is 64 bytes (FIPS 202)
+var ID_RE     = /^[a-zA-Z0-9._:/-]{1,256}$/;
+var SEMVER_RE = /^[0-9]+\.[0-9]+(?:\.[0-9]+)?(?:-[A-Za-z0-9.-]+)?$/;
+
+function _validateCardShape(card, errorClass) {
+  if (!card || typeof card !== "object" || Array.isArray(card)) {
+    throw errorClass.factory("BAD_CARD",
+      "a2a: card must be an object");
+  }
+  for (var i = 0; i < REQUIRED_CARD_FIELDS.length; i += 1) {
+    var f = REQUIRED_CARD_FIELDS[i];
+    if (typeof card[f] === "undefined" || card[f] === null) {
+      throw errorClass.factory("MISSING_FIELD",
+        "a2a: card." + f + " is required");
+    }
+  }
+  if (typeof card.issuer !== "string" || card.issuer.length > ID_MAX || !ID_RE.test(card.issuer)) {
+    throw errorClass.factory("BAD_FIELD",
+      "a2a: card.issuer shape (must match " + ID_RE + ")");
+  }
+  if (typeof card.agentId !== "string" || card.agentId.length > ID_MAX || !ID_RE.test(card.agentId)) {
+    throw errorClass.factory("BAD_FIELD",
+      "a2a: card.agentId shape");
+  }
+  if (typeof card.version !== "string" || card.version.length > SEMVER_MAX || !SEMVER_RE.test(card.version)) {
+    throw errorClass.factory("BAD_FIELD",
+      "a2a: card.version must be semver");
+  }
+  if (!Array.isArray(card.capabilities)) {
+    throw errorClass.factory("BAD_FIELD",
+      "a2a: card.capabilities must be an array");
+  }
+  for (var c = 0; c < card.capabilities.length; c += 1) {
+    var cap = card.capabilities[c];
+    if (typeof cap !== "string" || cap.length === 0 || cap.length > CAP_NAME_MAX) {
+      throw errorClass.factory("BAD_FIELD",
+        "a2a: card.capabilities[" + c + "] must be 1-128 char string");
+    }
+  }
+  if (card.endpoints !== undefined) {
+    if (!Array.isArray(card.endpoints)) {
+      throw errorClass.factory("BAD_FIELD",
+        "a2a: card.endpoints must be an array");
+    }
+    for (var e = 0; e < card.endpoints.length; e += 1) {
+      var ep = card.endpoints[e];
+      if (!ep || typeof ep !== "object" || typeof ep.url !== "string") {
+        throw errorClass.factory("BAD_FIELD",
+          "a2a: card.endpoints[" + e + "] must have a string url");
+      }
+      if (!/^https:\/\//.test(ep.url) && !/^http:\/\/(localhost|127\.0\.0\.1|\[::1\])/.test(ep.url)) {
+        throw errorClass.factory("INSECURE_ENDPOINT",
+          "a2a: card.endpoints[" + e + "].url must be HTTPS (or localhost)");
+      }
+    }
+  }
+}
+
+function canonicalize(card) {
+  return canonicalJson.stringify(card);
+}
+
+function createCard(opts) {
+  opts = opts || {};
+  var card = {
+    issuer:       opts.issuer,
+    agentId:      opts.agentId,
+    version:      opts.version || "1.0.0",
+    capabilities: Array.isArray(opts.capabilities) ? opts.capabilities.slice() : [],
+  };
+  if (opts.endpoints) card.endpoints = opts.endpoints;
+  if (opts.policies)  card.policies  = opts.policies;
+  if (opts.contact)   card.contact   = opts.contact;
+  if (opts.metadata)  card.metadata  = opts.metadata;
+  _validateCardShape(card, A2aError);
+  return card;
+}
+
+function signCard(card, privateKeyPem, opts) {
+  opts = opts || {};
+  var errorClass = opts.errorClass || A2aError;
+  var auditOn = opts.audit !== false;
+  _validateCardShape(card, errorClass);
+
+  if (typeof privateKeyPem !== "string" || privateKeyPem.length === 0) {
+    throw errorClass.factory("BAD_KEY",
+      "a2a.signCard: privateKeyPem required");
+  }
+
+  nb.requirePositiveFiniteIntIfPresent(opts.ttlMs, "a2a.signCard: opts.ttlMs", errorClass, "BAD_TTL");
+  var ttlMs = opts.ttlMs || C.TIME.hours(24);
+  var signedAt = Date.now();
+  var expiresAt = signedAt + ttlMs;
+
+  var envelopePayload = {
+    card:      card,
+    signedAt:  signedAt,
+    expiresAt: expiresAt,
+  };
+  var canonical = canonicalize(envelopePayload);
+  var digest = crypto.shake256
+    ? crypto.shake256(Buffer.from(canonical, "utf8"), SHAKE256_BYTES)
+    : null;
+  var dataToSign = digest ? digest : Buffer.from(canonical, "utf8");
+  var signature = crypto.sign(dataToSign, privateKeyPem);
+
+  if (auditOn) {
+    audit.safeEmit({
+      action:   "a2a.card_signed",
+      outcome:  "success",
+      metadata: { issuer: card.issuer, agentId: card.agentId, expiresAt: expiresAt },
+    });
+  }
+
+  return {
+    card:      card,
+    signedAt:  signedAt,
+    expiresAt: expiresAt,
+    signature: signature.toString("base64"),
+  };
+}
+
+function verifyCard(envelope, publicKeyPem, opts) {
+  opts = opts || {};
+  var errorClass = opts.errorClass || A2aError;
+  nb.requirePositiveFiniteIntIfPresent(opts.maxBytes, "a2a.verifyCard: opts.maxBytes", errorClass, "BAD_MAX_BYTES");
+  nb.requireNonNegativeFiniteIntIfPresent(opts.clockSkewMs, "a2a.verifyCard: opts.clockSkewMs", errorClass, "BAD_SKEW");
+  var maxBytes = opts.maxBytes || C.BYTES.kib(64);
+  var clockSkewMs = opts.clockSkewMs !== undefined ? opts.clockSkewMs : C.TIME.minutes(5);
+  var expectedIssuer = typeof opts.expectedIssuer === "string" ? opts.expectedIssuer : null;
+  var auditOn = opts.audit !== false;
+
+  if (!envelope || typeof envelope !== "object") {
+    return { valid: false, claims: null, reason: "envelope-not-object" };
+  }
+  if (!envelope.card || !envelope.signature ||
+      typeof envelope.signedAt !== "number" || typeof envelope.expiresAt !== "number") {
+    return { valid: false, claims: null, reason: "envelope-shape" };
+  }
+  try { _validateCardShape(envelope.card, errorClass); }
+  catch (e) {
+    return { valid: false, claims: null, reason: "card-shape:" + e.code };
+  }
+  if (expectedIssuer && envelope.card.issuer !== expectedIssuer) {
+    if (auditOn) {
+      audit.safeEmit({
+        action:   "a2a.card_rejected",
+        outcome:  "denied",
+        reason:   "issuer-mismatch",
+        metadata: { expected: expectedIssuer, got: envelope.card.issuer },
+      });
+    }
+    return { valid: false, claims: null, reason: "issuer-mismatch" };
+  }
+
+  var now = Date.now();
+  if (envelope.expiresAt + clockSkewMs < now) {
+    if (auditOn) {
+      audit.safeEmit({
+        action:   "a2a.card_rejected",
+        outcome:  "denied",
+        reason:   "expired",
+        metadata: { expiresAt: envelope.expiresAt, now: now },
+      });
+    }
+    return { valid: false, claims: null, reason: "expired" };
+  }
+  if (envelope.signedAt - clockSkewMs > now) {
+    return { valid: false, claims: null, reason: "future-signed" };
+  }
+
+  var canonical = canonicalize({
+    card:      envelope.card,
+    signedAt:  envelope.signedAt,
+    expiresAt: envelope.expiresAt,
+  });
+  if (Buffer.byteLength(canonical, "utf8") > maxBytes) {
+    return { valid: false, claims: null, reason: "card-too-large" };
+  }
+  var digest = crypto.shake256
+    ? crypto.shake256(Buffer.from(canonical, "utf8"), SHAKE256_BYTES)
+    : null;
+  var dataToVerify = digest ? digest : Buffer.from(canonical, "utf8");
+  var sigBuf;
+  try { sigBuf = Buffer.from(envelope.signature, "base64"); }
+  catch (_e) {
+    return { valid: false, claims: null, reason: "signature-base64-bad" };
+  }
+  var ok = crypto.verify(dataToVerify, sigBuf, publicKeyPem);
+  if (!ok) {
+    if (auditOn) {
+      audit.safeEmit({
+        action:   "a2a.card_rejected",
+        outcome:  "denied",
+        reason:   "signature-mismatch",
+        metadata: { issuer: envelope.card.issuer, agentId: envelope.card.agentId },
+      });
+    }
+    return { valid: false, claims: null, reason: "signature-mismatch" };
+  }
+  if (auditOn) {
+    audit.safeEmit({
+      action:   "a2a.card_verified",
+      outcome:  "success",
+      metadata: { issuer: envelope.card.issuer, agentId: envelope.card.agentId },
+    });
+  }
+  return {
+    valid:  true,
+    claims: envelope.card,
+    reason: null,
+  };
+}
+
+module.exports = {
+  signCard:     signCard,
+  verifyCard:   verifyCard,
+  canonicalize: canonicalize,
+  createCard:   createCard,
+};

package/lib/ai-input.js

@@ -0,0 +1,151 @@
+"use strict";
+/**
+ * AI input classifier for prompt-injection detection on operator
+ * input flowing into LLM prompts. OWASP LLM01:2025 + NIST COSAIS RFI.
+ *
+ * Public API:
+ *   aiInput.classify(input, opts) -> { verdict, signals, features, confidence }
+ *   aiInput.refuseIfMalicious(input, opts) -> result | throws
+ *
+ * Severity 3 = malicious-by-default; 2 = suspicious. Verdict is
+ * "malicious" with any severity-3 hit, "suspicious" with 2+ severity-2
+ * hits, otherwise "clean".
+ */
+
+var C = require("./constants");
+var nb = require("./numeric-bounds");
+var audit = require("./audit");
+var { AiInputError } = require("./framework-error");
+
+var SAMPLE_TRUNC = 80;                                                                       // allow:raw-byte-literal — sample truncation length, not bytes
+var CONFIDENCE_BASE = 60;                                                                    // allow:raw-byte-literal — confidence percentage base / allow:raw-time-literal — not seconds
+
+var PATTERNS = [
+  { id: "ignore-prior-instructions", severity: 3, re:
+    /\b(?:ignore|disregard|forget|bypass|override|skip|drop)\b[\s\S]{0,40}\b(?:prior|previous|above|all|earlier|prev|original|system|instructions?|prompt|context|rules?|directives?|guidelines?)\b/i },
+  { id: "act-as-different-system",   severity: 3, re:
+    /\byou\s+(?:are|will\s+be|must\s+be)\s+(?:now|from\s+now\s+on)?\s*(?:a|an)\s+\w{2,40}/i },
+  { id: "jailbreak-persona",         severity: 3, re:
+    /\b(?:DAN|do\s+anything\s+now|developer\s+mode|sudo\s+mode|jailbroken|unfiltered|uncensored|unrestricted)\b/i },
+  { id: "role-reset-marker",         severity: 3, re:
+    /<\s*\/?\s*(?:system|user|assistant|sys|im_(?:start|end)|\|im_(?:start|end)\|)\s*>/i },
+  { id: "openai-system-tag",         severity: 3, re:
+    /\b(?:<\|im_start\|>|<\|im_end\|>|\[INST\]|\[\/INST\]|<\|user\|>|<\|assistant\|>|<\|system\|>)\b/ },
+  { id: "tool-call-injection",       severity: 3, re:
+    /\b(?:tool|function|action)\s*[:=]\s*["']?(?:exec|eval|read_file|exfil|leak|extract)\b/i },
+  { id: "exfil-callback",            severity: 3, re:
+    /\b(?:send|post|fetch|exfil|leak|paste|forward)\b[\s\S]{0,40}(?:secret|key|token|password|cred|env|\.ssh|private)/i },
+  { id: "base64-marker-around-instructions", severity: 2, re:
+    /(?:[A-Za-z0-9+/]{40,}={0,2})\s+(?:means|decodes?\s+to|=)/i },                          // allow:raw-byte-literal — regex repetition floor, not bytes
+  { id: "rot13-shape",               severity: 2, re:
+    /\b(?:rot13|rotcipher|cipher|caesar)\s*[:=]\s*[a-zA-Z]{20,}/i },
+  { id: "markdown-injection",        severity: 2, re:
+    /!\[[^\]]{0,40}\]\((?:javascript:|data:|file:)/i },
+  { id: "html-script-shape",         severity: 2, re:
+    /<script[\s>]|on\w+\s*=\s*["'][^"']*\b(?:fetch|xhr|eval|location)\b/i },
+  { id: "stop-helping",              severity: 2, re:
+    /\b(?:stop|cease|quit)\s+(?:helping|assisting|following)\b/i },
+  { id: "now-instead",               severity: 2, re:
+    /\b(?:instead|rather|now\s+do|new\s+task)\b[\s\S]{0,40}\b(?:of|than)\b/i },
+];
+
+function _featuresOf(input) {
+  var bidi = 0, zw = 0, ctrl = 0;
+  for (var i = 0; i < input.length; i += 1) {
+    var cp = input.charCodeAt(i);
+    if ((cp >= 0x202a && cp <= 0x202e) || (cp >= 0x2066 && cp <= 0x2069)) bidi++;
+    else if (cp === 0x200b || cp === 0x200c || cp === 0x200d || cp === 0xfeff || cp === 0x2060) zw++;
+    else if (cp < 0x20 && cp !== 0x09 && cp !== 0x0a && cp !== 0x0d) ctrl++;
+    else if (cp === 0x7f) ctrl++;
+  }
+  return {
+    length:    input.length,
+    lines:     input.split("\n").length,
+    bidiCount: bidi,
+    zwCount:   zw,
+    ctrlCount: ctrl,
+  };
+}
+
+function classify(input, opts) {
+  opts = opts || {};
+  var errorClass = opts.errorClass || AiInputError;
+  nb.requirePositiveFiniteIntIfPresent(opts.maxBytes, "aiInput.classify: opts.maxBytes", errorClass, "BAD_MAX_BYTES");
+  var maxBytes = opts.maxBytes || C.BYTES.kib(64);
+  var auditOn = opts.audit !== false;
+
+  if (typeof input !== "string") {
+    throw errorClass.factory("BAD_INPUT",
+      "aiInput.classify: input must be a string");
+  }
+  var byteLen = Buffer.byteLength(input, "utf8");
+  if (byteLen > maxBytes) {
+    throw errorClass.factory("INPUT_TOO_LARGE",
+      "aiInput.classify: input exceeds " + maxBytes + " bytes (got " + byteLen + ")");
+  }
+
+  var features = _featuresOf(input);
+  var signals = [];
+
+  for (var i = 0; i < PATTERNS.length; i += 1) {
+    var p = PATTERNS[i];
+    var m = p.re.exec(input);
+    if (m) {
+      signals.push({
+        id:       p.id,
+        severity: p.severity,
+        sample:   m[0].slice(0, SAMPLE_TRUNC),
+      });
+    }
+  }
+
+  if (features.bidiCount > 0)  signals.push({ id: "bidi-controls",       severity: 2, sample: null });
+  if (features.zwCount > 5)    signals.push({ id: "zero-width-density",  severity: 2, sample: null });
+  if (features.ctrlCount > 0)  signals.push({ id: "control-chars",       severity: 2, sample: null });
+
+  var sev3 = 0, sev2 = 0;
+  for (var j = 0; j < signals.length; j += 1) {
+    if (signals[j].severity === 3) sev3++;
+    else if (signals[j].severity === 2) sev2++;
+  }
+  var verdict = sev3 > 0 ? "malicious" : (sev2 >= 2 ? "suspicious" : "clean");
+  var confidence = sev3 === 0 && sev2 === 0 ? 0 : Math.min(100, CONFIDENCE_BASE + sev3 * 15 + sev2 * 5);                                // allow:raw-byte-literal — confidence ceiling 100, not bytes/seconds
+
+  if (auditOn && verdict !== "clean") {
+    audit.safeEmit({
+      action:   "aiinput.classify",
+      outcome:  verdict === "malicious" ? "denied" : "warning",
+      metadata: {
+        verdict:    verdict,
+        signalIds:  signals.map(function (s) { return s.id; }),
+        confidence: confidence,
+        length:     features.length,
+      },
+    });
+  }
+
+  return {
+    verdict:    verdict,
+    signals:    signals,
+    features:   features,
+    confidence: confidence,
+  };
+}
+
+function refuseIfMalicious(input, opts) {
+  opts = opts || {};
+  var errorClass = opts.errorClass || AiInputError;
+  var result = classify(input, opts);
+  if (result.verdict === "malicious") {
+    throw errorClass.factory("MALICIOUS_INPUT",
+      "aiInput: input flagged as malicious (signals: " +
+      result.signals.map(function (s) { return s.id; }).join(", ") + ")");
+  }
+  return result;
+}
+
+module.exports = {
+  classify:           classify,
+  refuseIfMalicious:  refuseIfMalicious,
+  PATTERN_IDS:        PATTERNS.map(function (p) { return p.id; }),
+};

package/lib/audit.js

@@ -232,6 +232,12 @@ var FRAMEWORK_NAMESPACES = [
                 //              tick/task events use "system.scheduler.*")
   "seeders",    // b.seeders
   "webhook",    // b.webhook
+  "sse",        // b.sse (sse.channel_opened / closed / injection_refused)
+  "mcp",        // b.mcp.serverGuard (mcp.auth.* / mcp.tool.* / mcp.resource.* / mcp.register.* / mcp.envelope.*)
+  "graphqlfederation", // b.graphqlFederation.guardSdl (sdl-refused / sdl-allowed)
+  "aiinput",    // b.ai.input.classify (aiInput.classify)
+  "a2a",        // b.a2a (a2a.card_signed / verified / rejected)
+  "darkpatterns", // b.darkPatterns (darkPatterns.attest / cancel-blocked)
 ];
 var registeredNamespaces = new Set(FRAMEWORK_NAMESPACES);