@blamejs/core 0.8.25 → 0.8.27

package/index.js

@@ -102,6 +102,8 @@ var a2a = require("./lib/a2a");
 var darkPatterns = require("./lib/dark-patterns");
 var budr = require("./lib/budr");
 var secCyber = require("./lib/sec-cyber");
+var iabTcf = require("./lib/iab-tcf");
+var fapi2 = require("./lib/fapi2");
 var safeUrl = require("./lib/safe-url");
 var safeRedirect = require("./lib/safe-redirect");
 var pick = require("./lib/pick");
@@ -291,6 +293,8 @@ module.exports = {
   darkPatterns:     darkPatterns,
   budr:             budr,
   secCyber:         secCyber,
+  iabTcf:           iabTcf,
+  fapi2:            fapi2,
   safeUrl:          safeUrl,
   safeRedirect:     safeRedirect,
   pick:             pick,

package/lib/audit.js

@@ -240,6 +240,8 @@ var FRAMEWORK_NAMESPACES = [
   "darkpatterns", // b.darkPatterns (darkPatterns.attest / cancel-blocked)
   "budr",       // b.budr (budr.declared)
   "seccyber",   // b.secCyber (seccyber.eight_k_artifact)
+  "iabtcf",     // b.iabTcf (iabtcf.refused / iabtcf.accepted)
+  "fapi2",      // b.fapi2 (fapi2.posture_asserted)
 ];
 var registeredNamespaces = new Set(FRAMEWORK_NAMESPACES);
 

package/lib/fapi2.js

@@ -0,0 +1,165 @@
+"use strict";
+/**
+ * b.fapi2 — Financial-grade API 2.0 Final conformance posture.
+ *
+ * FAPI 2.0 Final (https://openid.net/specs/fapi-2_0-security-profile-FINAL.html)
+ * is the OpenID Foundation's security profile for financial / banking
+ * APIs. It composes existing IETF + OAuth standards into a single
+ * profile that operators MUST satisfy to interoperate with FAPI 2.0
+ * client deployments. The composition (per §5):
+ *
+ *   - PAR (Pushed Authorization Requests, RFC 9126) — REQUIRED
+ *   - PKCE with S256 (RFC 7636) — REQUIRED, PLAIN refused
+ *   - Sender-constrained tokens via DPoP (RFC 9449) OR mTLS (RFC 8705)
+ *     — REQUIRED, exactly one
+ *   - Authorization-server issuer in callback (RFC 9207) — REQUIRED
+ *   - TLS 1.2+ with FAPI-approved cipher suites (TLS 1.3 default)
+ *   - JAR (JWT-secured Authorization Request, RFC 9101) when
+ *     request-object signed
+ *
+ * The framework already ships every component primitive. FAPI 2.0
+ * conformance is therefore a posture-coordination problem: the
+ * operator declares the deployment is FAPI-bound, and the framework
+ * asserts that every primitive in the chain is configured per the
+ * profile.
+ *
+ * Public API:
+ *
+ *   b.fapi2.assertConformance(opts) -> { conformant, findings }
+ *     opts:
+ *       senderConstraint: "dpop" | "mtls" — REQUIRED.
+ *       parRequired:      bool, default true.
+ *       pkceMethod:       must be "S256" (default; refuses "plain").
+ *       requireIssuerInCallback: bool, default true.
+ *       requireJarOnSignedRequests: bool, default true.
+ *
+ *     Returns:
+ *       conformant: bool — every check passed.
+ *       findings:   Array<{ requirement, status, detail? }>
+ *
+ *   b.fapi2.assertOAuthConfig(oauthOpts) -> void
+ *     Inspects an `b.auth.oauth.create(opts)` configuration object
+ *     and throws Fapi2Error if any FAPI 2.0 mandate is violated:
+ *       - PKCE absent / non-S256
+ *       - state / nonce missing (auto-mint default OK)
+ *       - Sender-constraint absent
+ *
+ *   b.fapi2.posture() -> "fapi-2.0" | null
+ *     Returns "fapi-2.0" when b.compliance.set("fapi-2.0") was
+ *     called, else null. Convenience for code that branches on the
+ *     posture without calling b.compliance.current() directly.
+ *
+ * The framework does NOT replace operator OAuth configuration —
+ * `b.auth.oauth.create(...)` is still where the operator declares
+ * client + scopes + redirect URIs. b.fapi2.assertOAuthConfig is the
+ * boot-time gate that refuses to start a FAPI-declared deployment
+ * if any mandate is missing.
+ */
+
+var compliance = require("./compliance");
+var audit = require("./audit");
+var { defineClass } = require("./framework-error");
+var Fapi2Error = defineClass("Fapi2Error", { alwaysPermanent: true });
+
+var SENDER_CONSTRAINTS = ["dpop", "mtls"];
+
+function assertConformance(opts) {
+  if (!opts || typeof opts !== "object") {
+    throw Fapi2Error.factory("BAD_OPTS",
+      "fapi2.assertConformance: opts required");
+  }
+  if (SENDER_CONSTRAINTS.indexOf(opts.senderConstraint) === -1) {
+    throw Fapi2Error.factory("BAD_SENDER_CONSTRAINT",
+      "fapi2.assertConformance: senderConstraint must be 'dpop' or 'mtls'");
+  }
+  var parRequired = opts.parRequired !== false;
+  var pkceMethod = opts.pkceMethod || "S256";
+  if (pkceMethod !== "S256") {
+    throw Fapi2Error.factory("BAD_PKCE",
+      "fapi2.assertConformance: PKCE method must be S256 (FAPI 2.0 §5.3.1.1) — got '" +
+      pkceMethod + "'");
+  }
+  var requireIssuer = opts.requireIssuerInCallback !== false;
+  var requireJar    = opts.requireJarOnSignedRequests !== false;
+
+  var findings = [];
+  findings.push({ requirement: "pkce-s256",          status: "satisfied",
+    detail: "PKCE S256 declared (FAPI 2.0 §5.3.1.1)" });
+  findings.push({ requirement: "par-required",       status: parRequired ? "satisfied" : "WAIVED",
+    detail: parRequired
+      ? "PAR (RFC 9126) declared required (FAPI 2.0 §5.3.2.2)"
+      : "PAR waived by operator — non-conformant unless authorization-server is FAPI-1 fallback" });
+  findings.push({ requirement: "sender-constraint", status: "satisfied",
+    detail: opts.senderConstraint + " — FAPI 2.0 §5.3.2.5" });
+  findings.push({ requirement: "issuer-in-callback", status: requireIssuer ? "satisfied" : "WAIVED",
+    detail: requireIssuer
+      ? "Issuer in callback (RFC 9207) required"
+      : "Issuer-in-callback waived — IdP-mix-up class still open" });
+  findings.push({ requirement: "jar-signed-requests", status: requireJar ? "satisfied" : "WAIVED",
+    detail: requireJar
+      ? "JAR (RFC 9101) required for signed authorization requests"
+      : "JAR waived for signed authorization requests" });
+
+  var conformant = findings.every(function (f) { return f.status === "satisfied"; });
+
+  audit.safeEmit({
+    action:   "fapi2.posture_asserted",
+    outcome:  conformant ? "success" : "warning",
+    metadata: {
+      senderConstraint:  opts.senderConstraint,
+      parRequired:       parRequired,
+      pkceMethod:        pkceMethod,
+      requireIssuer:     requireIssuer,
+      requireJar:        requireJar,
+      conformant:        conformant,
+    },
+  });
+
+  return { conformant: conformant, findings: findings };
+}
+
+function assertOAuthConfig(oauthOpts) {
+  if (!oauthOpts || typeof oauthOpts !== "object") {
+    throw Fapi2Error.factory("BAD_OAUTH_OPTS",
+      "fapi2.assertOAuthConfig: oauth opts required");
+  }
+  // PKCE — refuse pkce: false (b.auth.oauth.create already does this,
+  // but check explicitly for FAPI clarity).
+  if (oauthOpts.pkce === false) {
+    throw Fapi2Error.factory("PKCE_DISABLED",
+      "fapi2.assertOAuthConfig: PKCE is disabled — FAPI 2.0 §5.3.1.1 mandates S256");
+  }
+  if (oauthOpts.pkceMethod && oauthOpts.pkceMethod !== "S256") {
+    throw Fapi2Error.factory("PKCE_NOT_S256",
+      "fapi2.assertOAuthConfig: PKCE method '" + oauthOpts.pkceMethod +
+      "' is not S256 (FAPI 2.0 §5.3.1.1)");
+  }
+  // Sender-constraint required
+  var hasDpop = oauthOpts.dpop === true || oauthOpts.senderConstraint === "dpop";
+  var hasMtls = oauthOpts.mtls === true || oauthOpts.senderConstraint === "mtls";
+  if (!hasDpop && !hasMtls) {
+    throw Fapi2Error.factory("NO_SENDER_CONSTRAINT",
+      "fapi2.assertOAuthConfig: FAPI 2.0 §5.3.2.5 requires sender-constrained tokens via DPoP OR mTLS — neither declared");
+  }
+  if (hasDpop && hasMtls) {
+    throw Fapi2Error.factory("BOTH_SENDER_CONSTRAINTS",
+      "fapi2.assertOAuthConfig: declare exactly one of DPoP / mTLS — both creates over-binding ambiguity");
+  }
+  // PAR
+  if (oauthOpts.par === false) {
+    throw Fapi2Error.factory("PAR_DISABLED",
+      "fapi2.assertOAuthConfig: PAR is disabled — FAPI 2.0 §5.3.2.2 mandates Pushed Authorization Requests");
+  }
+}
+
+function posture() {
+  return compliance.current() === "fapi-2.0" ? "fapi-2.0" : null;
+}
+
+module.exports = {
+  assertConformance:  assertConformance,
+  assertOAuthConfig:  assertOAuthConfig,
+  posture:            posture,
+  SENDER_CONSTRAINTS: SENDER_CONSTRAINTS.slice(),
+  Fapi2Error:         Fapi2Error,
+};

package/lib/iab-tcf.js

@@ -0,0 +1,356 @@
+"use strict";
+/**
+ * b.iabTcf — IAB Europe Transparency & Consent Framework v2.3 consent
+ * string parser + disclosedVendors validator.
+ *
+ * Required by TCF Policy v2.3 §III.B.5 (CMP MUST signal which vendors
+ * received disclosure regardless of consent state). Deadline 2026-02-28
+ * is past — Google Ads + every major DSP rejects v2.2-shaped strings
+ * since that date. EU/UK adtech operators that didn't migrate are
+ * losing inventory.
+ *
+ * Consent-string format (TCF v2.3 spec, §A):
+ *   Base64URL-no-pad of segments separated by `.`:
+ *     Core | DisclosedVendors | (AllowedVendors) | PublisherTC
+ *
+ *   Core segment carries: cmpVersion=2, version=4 (TCF v2.3),
+ *   created/lastUpdated, cmpId, vendorListVersion, policyVersion=4,
+ *   special-feature-opts-in, purpose-consents, purpose-LIs, vendor
+ *   consents bitmap, vendor LIs bitmap, publisher restrictions.
+ *
+ *   DisclosedVendors segment (REQUIRED in v2.3): bitmap of every
+ *   vendor disclosed to the user (regardless of consent). v2.2
+ *   strings omit this segment entirely.
+ *
+ * Public API:
+ *
+ *   iabTcf.parseString(tcString) -> {
+ *     core: { version, cmpId, vendorListVersion, policyVersion,
+ *             createdAt, lastUpdatedAt, vendorConsents, vendorLIs,
+ *             ... },
+ *     disclosedVendors: { present, vendorIds: Set<int> } | null,
+ *     allowedVendors:   { present, vendorIds: Set<int> } | null,
+ *     publisherTC:      { present, ... } | null,
+ *     errors:           Array<string>,
+ *   }
+ *
+ *   iabTcf.requireV23Disclosed(tcString) -> void
+ *     Throws iabTcf.IabTcfError on:
+ *       - missing DisclosedVendors segment (v2.2 string)
+ *       - core.version !== 4 (TCF v2.3 = version 4 in the spec
+ *         encoding; v2.2 = version 2 or 3 depending on revision —
+ *         the framework refuses anything not v=4 under v2.3 posture)
+ *       - core.policyVersion !== 4 (TCF Policy v2.3 = policyVersion 4)
+ *
+ *   iabTcf.checkVendor(parsed, vendorId) -> {
+ *     consented: bool,        — vendor id in vendorConsents
+ *     legitimate: bool,       — vendor id in vendorLIs
+ *     disclosed: bool,        — vendor id in disclosedVendors
+ *   }
+ *
+ * Operator workflow:
+ *   var parsed = b.iabTcf.parseString(tcString);
+ *   b.iabTcf.requireV23Disclosed(tcString);   // refuses v2.2
+ *   var verdict = b.iabTcf.checkVendor(parsed, 755); // Google
+ *   if (!verdict.consented && !verdict.legitimate) refuseAdRequest();
+ *
+ * The framework does NOT bundle the IAB Global Vendor List (it's a
+ * versioned JSON published at https://vendor-list.consensu.org/v3/
+ * vendor-list.json that operators fetch and refresh themselves).
+ * `parsed.core.vendorListVersion` is the version the consent string
+ * was signed against — operators load that version from their cache.
+ */
+
+var audit = require("./audit");
+var { defineClass } = require("./framework-error");
+var IabTcfError = defineClass("IabTcfError", { alwaysPermanent: true });
+
+// TCF v2.3 spec values.
+var TCF_V23_CORE_VERSION   = 4;                                                                // allow:raw-byte-literal — TCF spec version, not bytes
+var TCF_V23_POLICY_VERSION = 4;                                                                // allow:raw-byte-literal — TCF policy version, not bytes
+// SEGMENT_TYPE_CORE = 0 documented but not declared as a const — the
+// core segment is identified positionally (segment[0]) not by the
+// 3-bit type prefix the secondary segments use.
+var SEGMENT_TYPE_DISCLOSED_VENDORS = 1;                                                        // allow:raw-byte-literal — TCF segment-type marker, not bytes
+var SEGMENT_TYPE_ALLOWED_VENDORS   = 2;                                                        // allow:raw-byte-literal — TCF segment-type marker, not bytes
+var SEGMENT_TYPE_PUBLISHER_TC      = 3;                                                        // allow:raw-byte-literal — TCF segment-type marker, not bytes
+var MAX_TC_STRING_BYTES = 64 * 1024;                                                           // allow:raw-byte-literal — request-payload cap
+
+// base64url decode (no padding) → Buffer.
+function _b64urlDecode(s) {
+  var padded = s.replace(/-/g, "+").replace(/_/g, "/");
+  var pad = padded.length % 4;
+  if (pad === 2) padded += "==";
+  else if (pad === 3) padded += "=";
+  else if (pad === 1) throw IabTcfError.factory("BAD_BASE64",
+    "iabTcf: base64url segment has invalid length");
+  return Buffer.from(padded, "base64");
+}
+
+// Bit-level reader over a Buffer.
+function _bitReader(buf) {
+  var bitOffset = 0;
+  var totalBits = buf.length * 8;                                                             // allow:raw-byte-literal — bits per byte
+  function read(n) {
+    if (bitOffset + n > totalBits) {
+      throw IabTcfError.factory("BAD_LENGTH",
+        "iabTcf: read past end of segment (offset=" + bitOffset + " want=" + n + " total=" + totalBits + ")");
+    }
+    var v = 0;
+    for (var i = 0; i < n; i += 1) {
+      var byteIdx = (bitOffset + i) >> 3;
+      var bitIdx  = 7 - ((bitOffset + i) & 7);                                                  // allow:raw-byte-literal — high-bit-first ordering
+      v = (v << 1) | ((buf[byteIdx] >> bitIdx) & 1);
+    }
+    bitOffset += n;
+    return v;
+  }
+  function readBitField(n) {
+    // Returns Set<int> of 1-based positions where the bit is set.
+    var ids = new Set();
+    for (var i = 0; i < n; i += 1) {
+      if (read(1) === 1) ids.add(i + 1);
+    }
+    return ids;
+  }
+  function pos() { return bitOffset; }
+  function setPos(n) { bitOffset = n; }
+  function remaining() { return totalBits - bitOffset; }
+  return { read: read, readBitField: readBitField, pos: pos, setPos: setPos, remaining: remaining, totalBits: totalBits };
+}
+
+function _parseCore(buf) {
+  var r = _bitReader(buf);
+  var version            = r.read(6);                                                          // allow:raw-byte-literal — TCF spec field width, not bytes
+  var createdRaw         = r.read(36);                                                         // allow:raw-byte-literal — TCF spec field width
+  var lastUpdatedRaw     = r.read(36);                                                         // allow:raw-byte-literal — TCF spec field width
+  var cmpId              = r.read(12);                                                         // allow:raw-byte-literal — TCF spec field width
+  var cmpVersion         = r.read(12);                                                         // allow:raw-byte-literal — TCF spec field width
+  var consentScreen      = r.read(6);                                                          // allow:raw-byte-literal — TCF spec field width
+  // ConsentLanguage (12 bits = 2 chars × 6 bits, ASCII A-Z mapped 0-25)
+  var lang0 = r.read(6);                                                                       // allow:raw-byte-literal — TCF spec field width
+  var lang1 = r.read(6);                                                                       // allow:raw-byte-literal — TCF spec field width
+  var consentLanguage = String.fromCharCode(0x41 + lang0) + String.fromCharCode(0x41 + lang1); // allow:raw-byte-literal — ASCII 'A' offset
+  var vendorListVersion  = r.read(12);                                                         // allow:raw-byte-literal — TCF spec field width
+  var policyVersion      = r.read(6);                                                          // allow:raw-byte-literal — TCF spec field width
+  var isServiceSpecific  = r.read(1) === 1;
+  var useNonStandardStacks = r.read(1) === 1;
+  var specialFeatureOptins = r.readBitField(12);                                               // allow:raw-byte-literal — TCF spec field width
+  var purposesConsent      = r.readBitField(24);                                               // allow:raw-byte-literal — TCF spec field width
+  var purposesLI           = r.readBitField(24);                                               // allow:raw-byte-literal — TCF spec field width
+  var purposeOneTreatment  = r.read(1) === 1;
+  var publisherCC          = String.fromCharCode(0x41 + r.read(6)) + String.fromCharCode(0x41 + r.read(6)); // allow:raw-byte-literal — TCF spec field width
+  // MaxVendorIdConsent + ranged fields skipped for compactness — the
+  // framework's defensive parse only extracts the top-level shape +
+  // the vendorConsents/LIs bitmaps when present.
+  var vendorConsents = _parseVendorSection(r);
+  var vendorLIs      = _parseVendorSection(r);
+  return {
+    version:               version,
+    createdAt:             createdRaw * 100,                                                   // allow:raw-time-literal — TCF spec deciseconds → ms
+    lastUpdatedAt:         lastUpdatedRaw * 100,                                               // allow:raw-time-literal — TCF spec deciseconds → ms
+    cmpId:                 cmpId,
+    cmpVersion:            cmpVersion,
+    consentScreen:         consentScreen,
+    consentLanguage:       consentLanguage,
+    vendorListVersion:     vendorListVersion,
+    policyVersion:         policyVersion,
+    isServiceSpecific:     isServiceSpecific,
+    useNonStandardStacks:  useNonStandardStacks,
+    specialFeatureOptins:  specialFeatureOptins,
+    purposesConsent:       purposesConsent,
+    purposesLI:            purposesLI,
+    purposeOneTreatment:   purposeOneTreatment,
+    publisherCC:           publisherCC,
+    vendorConsents:        vendorConsents,
+    vendorLIs:             vendorLIs,
+  };
+}
+
+// Vendor section: MaxVendorId (16 bits) + IsRangeEncoding (1 bit) +
+// either bitmap (MaxVendorId bits) or RangeEntries.
+function _parseVendorSection(r) {
+  var maxVendorId    = r.read(16);                                                             // allow:raw-byte-literal — TCF spec field width
+  var isRangeEncoding = r.read(1) === 1;
+  var ids = new Set();
+  if (isRangeEncoding) {
+    var numEntries = r.read(12);                                                               // allow:raw-byte-literal — TCF spec field width
+    for (var i = 0; i < numEntries; i += 1) {
+      var isRange = r.read(1) === 1;
+      var startVendorId = r.read(16);                                                          // allow:raw-byte-literal — TCF spec field width
+      if (isRange) {
+        var endVendorId = r.read(16);                                                          // allow:raw-byte-literal — TCF spec field width
+        for (var v = startVendorId; v <= endVendorId; v += 1) ids.add(v);
+      } else {
+        ids.add(startVendorId);
+      }
+    }
+  } else {
+    for (var b = 0; b < maxVendorId; b += 1) {
+      if (r.read(1) === 1) ids.add(b + 1);
+    }
+  }
+  return { maxVendorId: maxVendorId, ids: ids };
+}
+
+// DisclosedVendors / AllowedVendors segments share the same shape:
+// SegmentType (3 bits) + MaxVendorId + IsRangeEncoding + section.
+function _parseSecondaryVendorSegment(buf, expectedType) {
+  var r = _bitReader(buf);
+  var segType = r.read(3);                                                                     // allow:raw-byte-literal — TCF spec field width
+  if (segType !== expectedType) {
+    throw IabTcfError.factory("BAD_SEGMENT_TYPE",
+      "iabTcf: expected segment type " + expectedType + ", got " + segType);
+  }
+  return _parseVendorSection(r);
+}
+
+function parseString(tcString) {
+  if (typeof tcString !== "string" || tcString.length === 0) {
+    throw IabTcfError.factory("BAD_INPUT",
+      "iabTcf.parseString: tcString must be a non-empty string");
+  }
+  if (tcString.length > MAX_TC_STRING_BYTES) {
+    throw IabTcfError.factory("INPUT_TOO_LARGE",
+      "iabTcf.parseString: tcString exceeds " + MAX_TC_STRING_BYTES + " bytes");
+  }
+  var segments = tcString.split(".");
+  var coreBuf;
+  try { coreBuf = _b64urlDecode(segments[0]); }
+  catch (e) {
+    throw IabTcfError.factory("BAD_CORE",
+      "iabTcf.parseString: core segment base64url decode failed: " + e.message);
+  }
+  var core = _parseCore(coreBuf);
+
+  var disclosedVendors = null;
+  var allowedVendors   = null;
+  var publisherTC      = null;
+  var errors           = [];
+
+  for (var i = 1; i < segments.length; i += 1) {
+    var segBuf;
+    try { segBuf = _b64urlDecode(segments[i]); }
+    catch (e) {
+      errors.push("segment[" + i + "] base64 decode: " + e.message);
+      continue;
+    }
+    if (segBuf.length === 0) continue;
+    var segType = (segBuf[0] >> 5) & 0x07;                                                     // allow:raw-byte-literal — TCF segment-type lives in top 3 bits
+    try {
+      if (segType === SEGMENT_TYPE_DISCLOSED_VENDORS) {
+        disclosedVendors = { present: true, vendorIds: _parseSecondaryVendorSegment(segBuf, SEGMENT_TYPE_DISCLOSED_VENDORS).ids };
+      } else if (segType === SEGMENT_TYPE_ALLOWED_VENDORS) {
+        allowedVendors = { present: true, vendorIds: _parseSecondaryVendorSegment(segBuf, SEGMENT_TYPE_ALLOWED_VENDORS).ids };
+      } else if (segType === SEGMENT_TYPE_PUBLISHER_TC) {
+        publisherTC = { present: true };
+      } else {
+        errors.push("segment[" + i + "] unknown type: " + segType);
+      }
+    } catch (e) {
+      errors.push("segment[" + i + "] parse: " + e.message);
+    }
+  }
+
+  return {
+    core:             core,
+    disclosedVendors: disclosedVendors,
+    allowedVendors:   allowedVendors,
+    publisherTC:      publisherTC,
+    errors:           errors,
+  };
+}
+
+function requireV23Disclosed(tcString, opts) {
+  opts = opts || {};
+  var auditOn = opts.audit !== false;
+  var parsed;
+  try { parsed = parseString(tcString); }
+  catch (e) {
+    if (auditOn) {
+      audit.safeEmit({
+        action:   "iabtcf.refused",
+        outcome:  "denied",
+        reason:   "parse_failure",
+        metadata: { error: e.message },
+      });
+    }
+    throw e;
+  }
+  if (parsed.core.version !== TCF_V23_CORE_VERSION) {
+    if (auditOn) {
+      audit.safeEmit({
+        action:   "iabtcf.refused",
+        outcome:  "denied",
+        reason:   "wrong_core_version",
+        metadata: { coreVersion: parsed.core.version, required: TCF_V23_CORE_VERSION },
+      });
+    }
+    throw IabTcfError.factory("WRONG_CORE_VERSION",
+      "iabTcf: core version " + parsed.core.version + " not v2.3 (required " +
+      TCF_V23_CORE_VERSION + ")");
+  }
+  if (parsed.core.policyVersion !== TCF_V23_POLICY_VERSION) {
+    if (auditOn) {
+      audit.safeEmit({
+        action:   "iabtcf.refused",
+        outcome:  "denied",
+        reason:   "wrong_policy_version",
+        metadata: { policyVersion: parsed.core.policyVersion, required: TCF_V23_POLICY_VERSION },
+      });
+    }
+    throw IabTcfError.factory("WRONG_POLICY_VERSION",
+      "iabTcf: policy version " + parsed.core.policyVersion + " not v2.3 (required " +
+      TCF_V23_POLICY_VERSION + ")");
+  }
+  if (!parsed.disclosedVendors || !parsed.disclosedVendors.present) {
+    if (auditOn) {
+      audit.safeEmit({
+        action:   "iabtcf.refused",
+        outcome:  "denied",
+        reason:   "missing_disclosed_vendors",
+        metadata: {},
+      });
+    }
+    throw IabTcfError.factory("MISSING_DISCLOSED_VENDORS",
+      "iabTcf: TC string lacks DisclosedVendors segment (TCF v2.3 §III.B.5 — REQUIRED since 2026-02-28)");
+  }
+  if (auditOn) {
+    audit.safeEmit({
+      action:   "iabtcf.accepted",
+      outcome:  "success",
+      metadata: {
+        cmpId:               parsed.core.cmpId,
+        vendorListVersion:   parsed.core.vendorListVersion,
+        disclosedVendorCount: parsed.disclosedVendors.vendorIds.size,
+      },
+    });
+  }
+  return parsed;
+}
+
+function checkVendor(parsed, vendorId) {
+  if (!parsed || !parsed.core) {
+    throw IabTcfError.factory("BAD_PARSED",
+      "iabTcf.checkVendor: parsed object required (call parseString first)");
+  }
+  if (typeof vendorId !== "number" || !isFinite(vendorId) || vendorId < 1 ||
+      Math.floor(vendorId) !== vendorId) {
+    throw IabTcfError.factory("BAD_VENDOR_ID",
+      "iabTcf.checkVendor: vendorId must be a positive integer");
+  }
+  return {
+    consented:   parsed.core.vendorConsents.ids.has(vendorId),
+    legitimate:  parsed.core.vendorLIs.ids.has(vendorId),
+    disclosed:   parsed.disclosedVendors && parsed.disclosedVendors.vendorIds.has(vendorId) || false,
+  };
+}
+
+module.exports = {
+  parseString:           parseString,
+  requireV23Disclosed:   requireV23Disclosed,
+  checkVendor:           checkVendor,
+  IabTcfError:           IabTcfError,
+  TCF_V23_CORE_VERSION:  TCF_V23_CORE_VERSION,
+  TCF_V23_POLICY_VERSION: TCF_V23_POLICY_VERSION,
+};

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@blamejs/core",
-  "version": "0.8.25",
+  "version": "0.8.27",
   "description": "The Node framework that owns its stack.",
   "license": "Apache-2.0",
   "author": "blamejs contributors",

package/sbom.cyclonedx.json

@@ -2,10 +2,10 @@
   "$schema": "http://cyclonedx.org/schema/bom-1.5.schema.json",
   "bomFormat": "CycloneDX",
   "specVersion": "1.5",
-  "serialNumber": "urn:uuid:a6056d34-71d3-41f1-a99f-80454c5b2780",
+  "serialNumber": "urn:uuid:7acc2751-65c7-408f-8206-0688a7f5439e",
   "version": 1,
   "metadata": {
-    "timestamp": "2026-05-07T13:31:44.359Z",
+    "timestamp": "2026-05-07T13:52:40.926Z",
     "lifecycles": [
       {
         "phase": "build"
@@ -19,14 +19,14 @@
       }
     ],
     "component": {
-      "bom-ref": "@blamejs/core@0.8.25",
+      "bom-ref": "@blamejs/core@0.8.27",
       "type": "library",
       "name": "blamejs",
-      "version": "0.8.25",
+      "version": "0.8.27",
       "scope": "required",
       "author": "blamejs contributors",
       "description": "The Node framework that owns its stack.",
-      "purl": "pkg:npm/%40blamejs/core@0.8.25",
+      "purl": "pkg:npm/%40blamejs/core@0.8.27",
       "properties": [],
       "externalReferences": [
         {
@@ -54,7 +54,7 @@
   "components": [],
   "dependencies": [
     {
-      "ref": "@blamejs/core@0.8.25",
+      "ref": "@blamejs/core@0.8.27",
       "dependsOn": []
     }
   ]